Thanks to everyone who was able to join our Sept. 20 DemoFriday™ with Juniper Networks and Cloudscaling. We send special thanks to Ankur Singla, Juniper’s VP/GM for orchestration systems and founder/CEO of Contrail Systems, for his surprise appearance for the demo of the companies’ joint software-defined networking (SDN) cloud solution with network virtualization and orchestration.
The demo showcases Cloudscaling’s Open Cloud System (OCS) and how it interoperates with Amazon Web Services. Watch the full presentation, or check out the teaser video and other resources below.
Following are the questions asked by DemoFriday™ participants and fleshed-out answers provided by Cloudscaling Vice President of Product Management Azmir Mohamed and Juniper’s Singla and Senior Director of Engineering Parantap Lahiri.
Are the products I see today in GA or still in beta?
Juniper: Both the products are generally available from Juniper (Contrail 1.0) and Cloudscaling (OCS 2.5) respectively. In addition, the Contrail product is also available through an Apache v.2 open-source license at opencontrail.org.
Do you have any scaling limits with the solution?
Juniper: We believe that customers can build a scale-out cloud environment with more than 4,000 servers per cluster without any challenges.
Cloudscaling: The Cloudscaling OCS is built around a scale-out architecture to support multiple hundred racks of gear.
Are there any reference-able customers?
Juniper: Please refer to Juniper press releases on the product and visit juniper.net/sdn for customer references and case studies.
Cloudscaling: Cloudscaling customer references are on our website: LivingSocial, Ubisoft, Korea Telecom, EVault and Internap.
Can you use any virtual appliance to do service chaining? Does it have to be a Juniper virtual appliance?
Juniper: Most virtual and physical appliances can be utilized for service chaining. Virtual appliances for service chaining can come from any vendor and are not limited to Juniper software services.
What type of license is used for OpenContrail?
Juniper: Apache v.2 for Contrail Controller and GPL v.2 for vRouter.
Is the underlying technology proprietary?
Juniper: All the important protocols used in the Contrail solution (BGP Layer 3 VPN, E-VPN, XMPP, Netconf, IF-MAP) are based on IETF standards.
What does the underlying infrastructure look like?
Juniper: The underlying infrastructure is built using Intel servers, physical switches from Juniper (QFX3500, or any other vendor’s gear, like Cisco, Arista, etc.), and gateway routers from Juniper’s MX series (or Cisco, Alcatel, etc.)
Do companies run production workloads on elastic clouds like AWS and OpenStack?
Juniper: Yes, there are many companies that run production workloads on both public clouds like AWS and private clouds like OpenStack. The prominent ones are Pinterest, Netflix, eBay, Zynga, Twitter, etc.
Can you elaborate on what you mean by “programmatic orchestration?”
Juniper and Cloudscaling: Modern orchestration systems extensively use REST APIs for programmatic interfaces rather than legacy methods like CLI, EJBs, etc.
How are the gateway and DNS getting configured on the server?
Juniper Networks: Typically, the vRouter is the default gateway for the virtual machine, but it can also be configured using APIs from the controller. The DNS information is also provided by the controller – we implement a multi-tenanted virtual DNS that can be used along with the IPAM engine built into the controller. In addition, the system administrator can programmatically interface with an external DNS and IPAM subsystem.
Would this still work under PCI?
Juniper: Yes, all the security controls needed to implement PCI compliance can be instrumented and the change management can be tracked, etc. However, actual compliance would depend on the process implementation and adherence.
Were the security policies enforced by the QFX or was there a firewall in the mix?
Juniper: Policies were enforced by the vRouter in the hypervisor. There is no tenant state in the physical fabric switches. The vRouter provides all the core networking services like switching, routing, multicast, NAT, mirroring, security policies, load balancing, etc.
In this demo, are you using the Amazon VPC capability?
Juniper and Cloudscaling: Contrail and Cloudscaling provide Amazon VPC API compatibility, and we did not get time to demo all the features of the API.
When you add an ACL on the Juniper UI, will it show up in Horizon under security groups?
Juniper: It will show up in Horizon in the Networking section – we have extended the Horizon Networking tab to add policies. In addition, we support Security Groups in OpenStack, but that is a separate concept from security policies/ACLs.
Will the UI also be open-sourced?
Juniper: Yes, we are working on removing a commercially licensed component. It is expected that this activity will be completed in the next 8 weeks.
Is all of the software open-sourced already? If not, when do you expect it to be released?
Juniper: Other than the UI, all the software components have been open-sourced. Once we complete the porting of CloudStack and Xen support, that will also be made available as open source.
Why is Open Source Contrail outside of OpenDaylight?
Juniper: OpenContrail is narrowly focused on solving two important problems – network virtualization and NFV. We believe that through OpenContrail, we will be able to better steer the architecture of the controller and keep the velocity of delivering solutions to our customers.
How does one go about adding a specialized service, say, for monitoring of certain interfaces for specific control or user information? Who is involved in making that happen? Is passive monitoring possible in such a case?
Juniper: Contrail provides a built-in monitoring solution that can be controlled using a policy and service chaining framework. Both the APIs and UI provide an easy mechanism to create virtual analyzers and configure a set of rules and attach them to the virtual analyzers. Wireshark-as-a-service is provided by Contrail that plugs into the service-chaining framework to provide a scale-out analyzer. In addition, the administrator can steer all the monitoring traffic to an external appliance.
Can you do service chaining?
Juniper: Yes, we did the demo for service chaining using Juniper vSRX firewall. In addition, we allow any third party to add their virtualized (or physical) services to the service-chaining framework.
Does Contrail support only Juniper equipment? Or does it have capability of supporting other vendors?
Juniper: All third-party switching fabrics are supported out-of-the-box. In addition, the gateway router is required to support Layer 3 VPN (and/or E-VPN), and most vendors like Juniper, Cisco, Alcatel, and Huawei have been supporting these protocols for many years.
What is the advantage you see to using IPGREoMPLS over VxLAN?
Juniper: Contrail is neutral to VxLAN or MPLSoGRE and supports both protocols. The main advantage of using MPLSoGRE is that it is supported on most gateway routers that are deployed in production environments.
Do you have a physical GW for vRouter?
Juniper: A physical gateway is only required to connect with the non-virtualized world – Juniper MX-series routers as well as competitive gear from Cisco, Alcatel, Huawei are supported as physical gateways.
What is the scale with respect to the number of tenants that is supported today?
Juniper: There are no scaling limitations on the number of tenants. There are other characteristics of the system that are far more interesting to discuss with respect to scaling (API/sec, analytics queries/sec, etc).