
Physical Network Function (PNF) service chaining with Contrail

When it comes to service functions, there is a huge amount of focus on making the shift to virtualization, or NFV. Virtual Network Functions (VNF) can be firewalls, load balancers, routers, route reflectors, BNGs, EPCs; the list goes on. This is not without good reason, as virtualization comes with many benefits such as increased agility, simpler automation, more granular scaling, licensing models that allow a true “pay as you grow” business model and, in general, the opportunity for Service Providers to revolutionize how they offer services to their customers. So why would we want to keep using physical network functions (PNF) and develop SDN solutions that support these PNF? Well, there are actually some pretty good reasons. Firstly, many service providers have made huge investments in these appliance-based solutions and quite rightly expect to continue to realize the benefit of these investments for some years into the future. Secondly, when it comes to raw throughput performance, ASIC-based forwarding is still far superior to x86-powered forwarding. Serious improvements have been made, but the gap is still wide.

As you probably know, Contrail can insert network functions providing network services like those described above into the traffic path between two different virtual networks, on demand and dynamically. There is no explicit dependency on the network function itself to allow service stitching to happen. As of the most recent Contrail releases, PNF service chaining is also supported: we can now create service chains that are PNF only, VNF only, or a hybrid of PNF and VNF with multiple instances of both physical and virtual in a single service chain. These PNF and VNF are included as part of the network policy definition that is applied between two virtual networks, as has always been the case for VNF service chaining. Although it uses slightly different mechanisms under the hood to realize the correct route leaking and next-hop updates that ensure traffic between the two virtual networks is correctly directed through the service appliances, the logic for PNF service chaining is the same as that used in the VNF service chaining approach. The main difference is that in the case of PNF service chaining, Contrail pushes the required configuration to the MX router via NETCONF rather than installing forwarding state on the vRouters running on the compute nodes. What’s really nice is that you can add many distinct chains running over the same physical appliance using the same interfaces, with each chain using a different VLAN tag in order to maintain traffic segregation on the PNF.
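Because segregation between chains that share a PNF interface rests entirely on the VLAN tag, it is worth auditing the tag plan before it is deployed. The following is an added example, not code from Contrail or from the original post; the inventory layout, chain names, appliance name and interface names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical data model, not Contrail's schema):
# each service chain lists its PNF attachments as (appliance, interface, vlan).
CHAINS = {
    "red-to-blue": [("fw-1", "xe-0/0/1", 100), ("fw-1", "xe-0/0/2", 101)],
    "green-to-gold": [("fw-1", "xe-0/0/1", 200), ("fw-1", "xe-0/0/2", 201)],
    # Deliberately broken entry: reuses VLAN 100 and uses reserved ID 4095.
    "dev-to-prod": [("fw-1", "xe-0/0/1", 100), ("fw-1", "xe-0/0/2", 4095)],
}


def audit_vlan_segregation(chains):
    """Check that no two attachments share an appliance, interface and VLAN.

    Returns (collisions, invalid):
      collisions maps (appliance, interface, vlan) to the chains using it,
                 for every tuple used more than once (a chain listed twice
                 means it reuses the tag for two of its own attachments);
      invalid    lists (chain, appliance, interface, vlan) entries whose tag
                 is outside the usable 802.1Q range 1..4094.
    """
    users = defaultdict(list)
    invalid = []
    for chain, attachments in sorted(chains.items()):
        for appliance, interface, vlan in attachments:
            if not isinstance(vlan, int) or not 1 <= vlan <= 4094:
                invalid.append((chain, appliance, interface, vlan))
                continue
            users[(appliance, interface, vlan)].append(chain)
    collisions = {key: names for key, names in users.items() if len(names) > 1}
    return collisions, invalid


if __name__ == "__main__":
    collisions, invalid = audit_vlan_segregation(CHAINS)
    for (appliance, interface, vlan), names in sorted(collisions.items()):
        print(f"VLAN {vlan} on {appliance} {interface} shared by: {', '.join(names)}")
    for chain, appliance, interface, vlan in invalid:
        print(f"{chain}: VLAN {vlan} on {appliance} {interface} is out of range")
```

A non-empty result from either check means two chains would share a broadcast domain on the appliance, or a tag would be rejected by the device, so the plan should be corrected before the chain is created.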

Below is an example workflow of traffic flowing between two virtual networks/zones that is subject to physical and/or virtual network services, plus an additional service chain between two different virtual networks that uses the same appliance. Some of this is covered in the video below.

This is an attempt to show how to unleash the power of automation by leveraging existing network services as well as virtual services for Cloud environments!