How to set up an OpenContrail Gateway – Juniper MX, Cisco ASR and Software GW

Note: This blog was done in the author's own lab environment; all third-party references and performance characterizations need to be verified with the third-party vendor in question.

OPENCONTRAIL GATEWAYS – Use Cases and Setup Guide

1 INTRODUCTION

A gateway in a virtualized network is the entity that lets traffic move back and forth between the virtual and the physical networks, or between virtual networks built on different sets of technologies. In many cases the virtual network is created with overlay (tunneling) technologies, so a gateway must understand the overlay's control and encapsulation protocols in order to forward traffic in both directions.

OpenContrail uses standards-based control plane protocols and encapsulation mechanisms. As a result, industry-standard routing platforms can be used as gateways to its virtual networks, which differentiates OpenContrail from some of the other available solutions. In this blog we will look at several approaches to setting up and using a gateway to an OpenContrail cloud, covering a vendor-agnostic approach and a virtualized gateway as an option. The following gateway options will be covered:

  1. Juniper MX
  2. Cisco ASR 903
  3. Software Gateway

2 Use Cases that require a Gateway to a Cloud Environment

2.1 Hybrid Cloud Use Case

In this use case, a gateway is required for an enterprise private cloud to connect to a public cloud environment (for example, an AWS VPC gateway).

[Figure: OpenContrail hybrid cloud use case]

2.2 Data Center Interconnect – A Distributed Cloud Scenario

In this use case, data centers at multiple sites are interconnected to create a distributed cloud by constructing an L3VPN domain over EBGP between the gateways.

[Figure: OpenContrail data center interconnect use case]

2.3 Cloud Interconnect + NFV Security Service via L3 VPN Gateway

A BGP/MPLS VPN capable data center gateway router provides connectivity between the enterprise customer's virtual network assets in the data center and the existing physical PIP L3VPN network, using standard Inter-AS VPN connectivity. The data center edge router acts as an Inter-AS VPN ASBR, bridging the ASN used in the Contrail virtual-network overlay to the ASN used in the service provider L3VPN core.

[Figure: OpenContrail cloud interconnect with NFV security service]

2.4 Software Gateway to a Virtualized Cloud

[Figure: Software as a gateway to an OpenContrail cloud]

3 What does a Gateway need?

An L3 gateway to an OpenContrail virtual cloud environment needs the following standard features for control plane signaling:

  1. L3VPN (BGP/MPLS IP VPNs, RFC 4364)
  2. MP-BGP (MBGP) with the inet-vpn (VPNv4) address family

and the following for data plane functionality:

  3. Dynamic GRE tunnels carrying MPLS (MPLS over GRE) to each compute node, with the label learnt over MP-BGP for the VM prefix pushed onto the packet
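To make the control plane and data plane requirements concrete, here is an added example in Python (standard library only), written for this page and not code from the blog, from OpenContrail or from any vendor. It encodes and decodes the labeled VPN-IPv4 NLRI that a control node advertises over MP-BGP (the entries the MX prints later as RD:prefix, for instance 10.84.18.13:1:10.84.53.93/32) and then builds and parses the MPLS-over-GRE packet the gateway sends for that prefix. Label 22, RD 10.84.18.13:1, the VM prefix 10.84.53.93/32 and the gateway address 10.84.18.253 are taken from the MX section below; the compute node address 10.84.18.20 (inside the destination-networks range), the external client 192.0.2.10 and the payload-less inner packet are constructed for the demonstration.

```python
"""Added example (not code from the blog, OpenContrail or a vendor): decode the labeled
VPN-IPv4 NLRI a control node advertises over MP-BGP (RFC 4364) and build/parse the
MPLS-over-GRE packet the gateway sends to the compute node for that prefix."""
import ipaddress
import struct

IP_PROTO_GRE = 47        # outer IPv4 protocol number for GRE
GRE_PROTO_MPLS = 0x8847  # GRE protocol type for MPLS unicast


def ipv4_checksum(hdr: bytes) -> int:
    """Ones-complement checksum; returns 0 when run over a header whose checksum field is valid."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (TTL 64, no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def encode_vpnv4_nlri(label: int, rd_ip: str, rd_num: int, prefix: str) -> bytes:
    """Labeled VPN-IPv4 NLRI: bit length, 3-byte label (bottom of stack), type-1 RD, prefix bytes."""
    net = ipaddress.ip_network(prefix)
    label_field = struct.pack("!I", (label << 4) | 1)[1:]   # 20-bit label, EXP 0, S=1
    rd = struct.pack("!H4sH", 1, ipaddress.ip_address(rd_ip).packed, rd_num)
    pfx = net.network_address.packed[:(net.prefixlen + 7) // 8]
    return bytes([24 + 64 + net.prefixlen]) + label_field + rd + pfx


def decode_vpnv4_nlri(data: bytes) -> dict:
    """Inverse of encode_vpnv4_nlri; 'show route receive-protocol bgp' prints this as RD:prefix."""
    label_field = int.from_bytes(data[1:4], "big")
    rd_type, rd_ip, rd_num = struct.unpack("!H4sH", data[4:12])
    if rd_type != 1:
        raise ValueError("only type-1 (IPv4:number) route distinguishers handled here")
    plen = data[0] - 24 - 64
    addr = data[12:12 + (plen + 7) // 8].ljust(4, b"\x00")
    return {"label": label_field >> 4, "bos": label_field & 1,
            "rd": f"{ipaddress.ip_address(rd_ip)}:{rd_num}",
            "prefix": f"{ipaddress.ip_address(addr)}/{plen}"}


def build_mpls_over_gre(outer_src: str, outer_dst: str, label: int, inner: bytes) -> bytes:
    """Outer IPv4 (proto 47) + plain 4-byte GRE header (proto 0x8847) + one MPLS shim + inner packet."""
    shim = struct.pack("!I", (label << 12) | (1 << 8) | 64)   # label, EXP 0, S=1, TTL 64
    payload = struct.pack("!HH", 0, GRE_PROTO_MPLS) + shim + inner
    return ipv4_header(outer_src, outer_dst, IP_PROTO_GRE, len(payload)) + payload


def parse_mpls_over_gre(pkt: bytes) -> dict:
    """Strip outer IPv4 and GRE and pop the label stack, as the vRouter on the compute node does."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IP_PROTO_GRE:
        raise ValueError("outer packet is not GRE")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    flags, gre_proto = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if gre_proto != GRE_PROTO_MPLS:
        raise ValueError("GRE payload is not MPLS (0x%04x)" % gre_proto)
    off = ihl + 4
    for bit in (0x8000, 0x2000, 0x1000):   # optional checksum, key, sequence fields, 4 bytes each
        if flags & bit:
            off += 4
    labels = []
    while True:
        shim = struct.unpack("!I", pkt[off:off + 4])[0]
        labels.append(shim >> 12)
        off += 4
        if shim & 0x100:                    # bottom-of-stack bit
            break
    inner = pkt[off:]
    return {"outer_src": str(ipaddress.ip_address(pkt[12:16])),
            "outer_dst": str(ipaddress.ip_address(pkt[16:20])),
            "labels": labels, "inner_dst": str(ipaddress.ip_address(inner[16:20]))}


def forward_via_gateway(nlri: bytes, gateway_ip: str, compute_ip: str, inner: bytes) -> dict:
    """The gateway's job: push the label MP-BGP advertised for the VM prefix and GRE it to the compute node."""
    route = decode_vpnv4_nlri(nlri)
    pkt = build_mpls_over_gre(gateway_ip, compute_ip, route["label"], inner)
    return {"route": route, "packet": pkt, "decoded": parse_mpls_over_gre(pkt)}


if __name__ == "__main__":
    # Label 22, RD 10.84.18.13:1 and VM 10.84.53.93/32 are the values in the MX output below; the
    # compute node 10.84.18.20, the client 192.0.2.10 and the payload-less inner packet are constructed.
    nlri = encode_vpnv4_nlri(22, "10.84.18.13", 1, "10.84.53.93/32")
    inner = ipv4_header("192.0.2.10", "10.84.53.93", 1, 0)
    out = forward_via_gateway(nlri, "10.84.18.253", "10.84.18.20", inner)
    print(out["route"], out["decoded"], out["packet"].hex(), sep="\n")
```

The two checks in parse_mpls_over_gre are the ones that matter when a capture from a misbehaving gateway is examined: a gateway that sends plain GRE with protocol 0x0800 (no label) or that pushes a label other than the one advertised for the prefix produces traffic the vRouter cannot map to the right VRF, and decoding the captured packet shows which of the two it is.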

4 Juniper MX as a Gateway

In this section we will cover the Junos configuration elements required to enable an MX as a gateway router to an OpenContrail cloud environment:

  1. A routing instance (VRF) into which the virtual network's prefixes are imported
  2. Logical tunnel (lt-) interfaces or RIB groups to leak routes between the routing instance and inet.0
  3. Dynamic tunnels, so that a GRE tunnel to each compute node learnt as a BGP next hop is established automatically

Here are the MX configuration snippets. They are lab values: the iBGP group below carries no authentication-key, and keep all retains every VPN route the control nodes send whether or not a local VRF imports its route target (useful for troubleshooting with show route receive-protocol, but it means the gateway holds every virtual network's routes in bgp.l3vpn.0). Before using this outside a lab, add BGP authentication (authentication-key) and a loopback firewall filter that limits BGP to the control node addresses.

 root> show configuration
 ## Enables tunnel services on the PIC (needed for the dynamic gr- tunnels and the lt- interfaces)
 chassis {
     fpc 0 {
         pic 0 {
             tunnel-services;
         }
     }
 }
 interfaces {
     ## Logical tunnel pair used to leak routes between the Contrail VRF (public) and the global routing table (inet.0)
     lt-0/0/0 {
         unit 0 {
             encapsulation frame-relay;
             dlci 1;
             peer-unit 1;
             family inet;
         }
         unit 1 {
             encapsulation frame-relay;
             dlci 1;
             peer-unit 0;
             family inet;
         }
     }
 }
 routing-options {
     static {
         route 0.0.0.0/0 next-hop 10.84.18.254;
         ## Public virtual-network subnet, reached from inet.0 through the lt- pair into the VRF
         route 10.84.53.80/28 next-hop lt-0/0/0.0;
     }
     route-distinguisher-id 10.84.18.253;
     autonomous-system 64512;
     ## Dynamic tunnels with a source address and destination networks. For each BGP next hop learnt
     ## inside destination-networks, a GRE tunnel to that compute node is established automatically.
     dynamic-tunnels {
         dynamic_overlay_tunnels {
             source-address 10.84.18.253;
             gre;
             destination-networks {
                 10.84.18.0/24;
             }
         }
     }
 }
 protocols {
     mpls {
         interface all;
     }
     ## Control path: iBGP peering to each control node, inet-vpn (VPNv4) family only
     bgp {
         group Contrail_Controller {
             type internal;
             local-address 10.84.18.253;
             keep all;
             family inet-vpn {
                 unicast;
             }
             neighbor 10.84.18.12; ## Contrail control node 1
             neighbor 10.84.18.13; ## Contrail control node 2
         }
     }
 }
 routing-instances {
     ## Usually one VRF per cluster; the target must match the route target of the Contrail virtual network
     public {
         instance-type vrf;
         interface lt-0/0/0.1;
         vrf-target target:64512:10000;
         routing-options {
             static {
                 route 0.0.0.0/0 next-hop lt-0/0/0.1; ## Default route out of the VRF towards inet.0
             }
         }
     }
 }
 Some CLI/operational commands to verify the control and data path:
 ## After the gateway has been added as a BGP router (peer) in the Contrail Web UI, both sessions should be Established
 root> show bgp summary
 Groups: 1 Peers: 2 Down peers: 0
 Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
 bgp.l3vpn.0
 78         69          0          0          0          0
 Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
 10.84.18.12           64512      22019      23624       0       1     1w0d12h Establ
 bgp.l3vpn.0: 9/9/9/0
 public.inet.0: 1/1/1/0
 10.84.18.13           64512      22023      23624       0       1     1w0d12h Establ
 bgp.l3vpn.0: 0/9/9/0
 public.inet.0: 0/1/1/0
 ## Routes being advertised by the 10.84.18.13 control node: all RD:prefix entries land in bgp.l3vpn.0, only those whose route target matches the VRF land in public.inet.0
 root> show route receive-protocol bgp 10.84.18.13
 ..
 public.inet.0: 4 destinations, 6 routes (4 active, 0 holddown, 0 hidden)
 Prefix                  Nexthop              MED     Lclpref    AS path
 10.84.53.93/32          10.84.18.13                  100        ?
 bgp.l3vpn.0: 69 destinations, 78 routes (69 active, 0 holddown, 0 hidden)
 Prefix                  Nexthop              MED     Lclpref    AS path
 10.84.18.13:1:0.0.0.0/0
 10.84.18.13                  100        ?
 10.84.18.13:1:1.0.2.253/32
 10.84.18.13                  100        ?
 10.84.18.13:1:10.84.53.93/32
 10.84.18.13                  100        ?
 10.84.18.13:1:192.168.10.252/32
 10.84.18.13                  100        ?
 10.84.18.13:1:192.168.10.253/32
 10.84.18.13                  100        ?
 10.84.18.13:2:10.84.53.93/32
 10.84.18.13                  100        ?
 10.84.18.13:3:250.250.1.253/32
 10.84.18.13                  100        ?
 10.84.18.14:1:192.168.20.253/32
 10.84.18.14                  100        ?
 10.84.18.14:2:250.250.2.253/32
 10.84.18.14                  100        ?
 ## To reach VM 10.84.53.93, the active path is the dynamic GRE tunnel (gr- interface) from the gateway to the compute node hosting the VM, pushing label 22
 root> show route 10.84.53.93/32
 public.inet.0: 4 destinations, 6 routes (4 active, 0 holddown, 0 hidden)
 + = Active Route, - = Last Active, * = Both
 10.84.53.93/32     *[BGP/170] 20:40:33, localpref 100, from 10.84.18.12
 AS path: ?, validation-state: unverified
 > via gr-0/0/0.32772, Push 22
 [BGP/170] 20:40:33, localpref 100, from 10.84.18.13
 AS path: ?, validation-state: unverified
 > via gr-0/0/0.32772, Push 22
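An added checker for the two outputs above, written for this page (it is not from the blog or from Juniper): it parses show bgp summary and show route as Junos prints them and reports the conditions that most often go wrong when a gateway is brought up, namely a control node session that is not Established, routes rejected by import policy, nothing landing in the VRF, and an active path that is not a labeled gr- tunnel. GOOD_SUMMARY and GOOD_ROUTE are the outputs from this section; BAD_SUMMARY is a constructed failure. It assumes the Junos layout shown here (one peer line followed by one line per RIB) and that the Contrail VRF is named public.

```python
"""Added example (not from the blog or Juniper): check the two Junos outputs shown above,
'show bgp summary' and 'show route <vm-prefix>', for a healthy control path (every control
node Established, nothing rejected by import policy, routes in the public VRF) and data
path (the active path over a gr- dynamic tunnel with an MPLS label pushed)."""
import re

PEER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+\S+\s+(\S+)")
TABLE_RE = re.compile(r"^([\w.-]+):\s*(\d+)/(\d+)/(\d+)/(\d+)")
PATH_RE = re.compile(r"(\*?)\[(\w+)/(\d+)\].*?\bfrom (\d{1,3}(?:\.\d{1,3}){3})")
NEXTHOP_RE = re.compile(r"^(>?)\s*via (\S+?)(?:,\s*Push (\d+))?$")

def parse_bgp_summary(text: str) -> dict:
    """Map peer address -> {as, state, tables{name: {active, received, accepted, damped}}}."""
    peers, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PEER_RE.match(line)
        if m:                                   # one line per peer, then one line per RIB
            cur = {"as": int(m.group(2)), "state": m.group(3), "tables": {}}
            peers[m.group(1)] = cur
            continue
        m = TABLE_RE.match(line)
        if m and cur is not None:
            cur["tables"][m.group(1)] = dict(zip(("active", "received", "accepted", "damped"),
                                                 map(int, m.groups()[1:])))
    return peers

def check_control_path(peers: dict, control_nodes, vrf_table: str) -> list:
    """Return a list of problems; empty means the iBGP side of the gateway looks right."""
    problems = []
    for ip in control_nodes:
        p = peers.get(ip)
        if p is None:
            problems.append(f"{ip}: no BGP session (is the gateway configured as a BGP router in Contrail?)")
            continue
        if p["state"] != "Establ":
            problems.append(f"{ip}: session state {p['state']}, not Established")
            continue
        for name, t in p["tables"].items():
            if t["accepted"] < t["received"]:
                problems.append(f"{ip}: {name} accepted {t['accepted']} of {t['received']} (import policy rejected routes)")
        if vrf_table not in p["tables"]:
            problems.append(f"{ip}: nothing imported into {vrf_table} (vrf-target vs. the virtual network's route target?)")
    return problems

def parse_route_paths(text: str) -> list:
    """Paths from 'show route <prefix>': active flag, protocol, advertising peer, next hop, pushed label."""
    paths = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PATH_RE.search(line)
        if m:
            paths.append({"active": m.group(1) == "*", "proto": m.group(2), "from": m.group(4),
                          "via": None, "label": None})
            continue
        m = NEXTHOP_RE.match(line)
        if m and paths:                         # the '> via ...' line belongs to the path just seen
            paths[-1]["via"] = m.group(2)
            paths[-1]["label"] = int(m.group(3)) if m.group(3) else None
    return paths

def check_data_path(paths: list, tunnel_prefix: str = "gr-") -> list:
    """Return a list of problems; empty means traffic to the VM goes labeled into a dynamic GRE tunnel."""
    active = [p for p in paths if p["active"]]
    if len(active) != 1:
        return [f"expected exactly one active path, found {len(active)}"]
    a, problems = active[0], []
    if not (a["via"] or "").startswith(tunnel_prefix):
        problems.append(f"active path via {a['via']!r}, not a dynamic GRE tunnel interface")
    if a["label"] is None:
        problems.append("active path pushes no MPLS label, so the vRouter could not map it to a VRF")
    return problems

# Sample input: the 'show bgp summary' and 'show route 10.84.53.93/32' outputs from the MX section.
GOOD_SUMMARY = """\
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
10.84.18.12           64512      22019      23624       0       1     1w0d12h Establ
  bgp.l3vpn.0: 9/9/9/0
  public.inet.0: 1/1/1/0
10.84.18.13           64512      22023      23624       0       1     1w0d12h Establ
  bgp.l3vpn.0: 0/9/9/0
  public.inet.0: 0/1/1/0
"""
GOOD_ROUTE = """\
10.84.53.93/32     *[BGP/170] 20:40:33, localpref 100, from 10.84.18.12
                      AS path: ?, validation-state: unverified
                    > via gr-0/0/0.32772, Push 22
                    [BGP/170] 20:40:33, localpref 100, from 10.84.18.13
                    > via gr-0/0/0.32772, Push 22
"""
# Constructed failure: second control node never came up, first one had two routes rejected by policy.
BAD_SUMMARY = """\
10.84.18.12           64512      22019      23624       0       1     1w0d12h Establ
  bgp.l3vpn.0: 7/9/7/0
10.84.18.13           64512          0          0       0       3        1:12 Active
"""

if __name__ == "__main__":
    for name, s in (("good", GOOD_SUMMARY), ("bad", BAD_SUMMARY)):
        print(name, check_control_path(parse_bgp_summary(s), ["10.84.18.12", "10.84.18.13"], "public.inet.0"))
    print("data path", check_data_path(parse_route_paths(GOOD_ROUTE)))
```

The accepted-versus-received comparison is the one worth keeping in a monitoring job: a control node whose session is Established but whose routes are being rejected looks healthy in show bgp summary at a glance, while the VM prefixes silently never reach public.inet.0.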
5 ASR 903 as a Gateway

The configuration below shows a Cisco ASR 903 (hostname asr903) as the gateway. The elements that matter map directly onto the MX configuration above:

  1. vrf definition Contrail with rd 64512:10000 and route-target import/export 64512:10000, the same route target the MX uses (vrf-target target:64512:10000), so the Contrail virtual network's routes are imported into the VRF.
  2. router bgp 64512 with an iBGP neighbor to the control node 10.84.30.39, activated only under address-family vpnv4 with send-community extended; the plain IPv4 unicast family is deliberately not activated.
  3. l3vpn encapsulation ip MGRE, the IOS XE counterpart of Junos dynamic-tunnels: a multipoint GRE profile (protocol gre, payload mpls) sourced from GigabitEthernet0/4/7, together with the route-map SELECT_UPDATE_FOR_L3VPN applied inbound on the vpnv4 neighbor with set ip next-hop encapsulate l3vpn MGRE, which resolves the next hop of every received VPN route through the Tunnel0 that the profile creates (show tunnel endpoints lists the endpoints created on demand).
  4. The Tunnel102/Tunnel103 pair between Loopback102 and Loopback103, with the static routes through 192.168.0.129 and 192.168.0.130, which plays the role of the lt- pair on the MX for leaking routes between the global table and the Contrail VRF.

The show commands after the configuration confirm the result: the VM route 10.84.40.131/32 is in the Contrail VRF via 10.84.30.39 over Tunnel0 with MPLS label 20, CEF carries the same label, and the MGRE profile reports Tunnel0 created and up.

This is a lab running configuration, so do not copy it as is: the BGP neighbor has no password, vty lines 0 to 4 have no login, the enable secret hash has been left in, and several unused route-maps remain. Set a BGP password (neighbor 10.84.30.39 password ...), require login on every vty line, and sanitize secrets before publishing a configuration.

asr903#show running-config 
Building configuration...

Current configuration : 4347 bytes
!
! Last configuration change at 14:20:21 UTC Tue Aug 25 2015
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname asr903
!
boot-start-marker
boot system bootflash:Image/packages.conf
boot-end-marker
!
!
vrf definition Contrail
 rd 64512:10000
 route-target export 64512:10000
 route-target import 64512:10000
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$RAyL$SjMKm.r.vzr3sXehjMYNv1
!
no aaa new-model
!
ip vrf mgre
 rd 1:1
!
ip domain name englab.juniper.net
!
!         
!
ipv6 multicast rpf use-bgp
!
!
multilink bundle-name authenticated
!
!
redundancy
 mode sso
!
controller wanphy 0/0/0
!
controller wanphy 0/1/0
!
controller wanphy 0/2/0
!
controller wanphy 0/3/0
!
!
!
ip tftp source-interface GigabitEthernet0
lldp run
!         
!
!
!
!
interface Loopback10
 no ip address
!
interface Loopback30
 vrf forwarding Contrail
 ip address 30.30.40.253 255.255.255.255
!
interface Loopback100
 vrf forwarding Contrail
 ip address 10.250.250.10 255.255.255.255
!
interface Loopback102
 ip address 192.0.2.1 255.255.255.255
!
interface Loopback103
 ip address 192.0.2.2 255.255.255.255
!
interface Tunnel102
 ip address 192.168.0.129 255.255.255.252
 tunnel source Loopback102
 tunnel destination 192.0.2.2
!
interface Tunnel103
 vrf forwarding Contrail
 ip address 192.168.0.130 255.255.255.252
 tunnel source Loopback103
 tunnel destination 192.0.2.1
!
interface TenGigabitEthernet0/0/0
 no ip address
 shutdown
!
interface TenGigabitEthernet0/1/0
 no ip address
 shutdown
!
interface TenGigabitEthernet0/2/0
 no ip address
 shutdown
!
interface TenGigabitEthernet0/3/0
 no ip address
 shutdown
!
interface GigabitEthernet0/4/0
 ip address 10.84.40.190 255.255.255.224
 negotiation auto
!
interface GigabitEthernet0/4/1
 vrf forwarding Contrail
 ip address 30.30.0.3 255.255.255.0
 no ip redirects
 ip local-proxy-arp
 ip route-cache same-interface
 negotiation auto
!
interface GigabitEthernet0/4/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/4/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/4/4
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/4/5
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/4/6
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/4/7
 ip address 10.84.40.253 255.255.255.192
 negotiation auto
 cdp enable
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.84.61.201 255.255.254.0
 negotiation auto
!
l3vpn encapsulation ip MGRE
 transport ipv4 source GigabitEthernet0/4/7
 !
router ospf 101 vrf Contrail
 redistribute connected
 redistribute static
 network 192.0.2.130 0.0.0.0 area 0
!
router ospf 100
 redistribute connected
 redistribute static
 network 192.0.2.129 0.0.0.0 area 0
!
router bgp 64512
 bgp router-id 10.84.40.253
 bgp log-neighbor-changes
 neighbor 10.84.30.39 remote-as 64512
 neighbor 10.84.30.39 update-source GigabitEthernet0/4/7
 !
 address-family ipv4
  no neighbor 10.84.30.39 activate
  default-information originate
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.84.30.39 activate
  neighbor 10.84.30.39 send-community extended
  neighbor 10.84.30.39 route-map SELECT_UPDATE_FOR_L3VPN in
 exit-address-family
 !
 address-family ipv4 vrf Contrail
  redistribute connected
  redistribute static
  default-information originate
 exit-address-family
!
no ip forward-protocol nd
!
no ip http server
ip route 0.0.0.0 0.0.0.0 10.84.40.254
ip route 10.84.40.0 255.255.255.192 10.84.40.189
ip route 10.84.40.64 255.255.255.192 10.84.40.189
ip route 10.84.40.128 255.255.255.224 192.168.0.130
ip route vrf Contrail 0.0.0.0 0.0.0.0 192.168.0.129
ip route vrf Contrail 5.5.5.0 255.255.255.0 Null0
!
cdp run
!
route-map setnh-out permit 10
!
route-map SELECT_UPDATE_FOR_L3VPN permit 10
  set ip next-hop encapsulate l3vpn MGRE
!
route-map set-nh permit 10
!
route-map set-nh permit 20
!
route-map set-nh-contrail permit 10
!
route-map set-nh-ip permit 200
!
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 no login
line vty 5 16
 exec-timeout 0 0
 login
!
!
!
end

asr903#show ip route vrf Contrail

Routing Table: Contrail
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.0.129 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.0.129
      5.0.0.0/24 is subnetted, 1 subnets
S        5.5.5.0 is directly connected, Null0
      10.0.0.0/32 is subnetted, 2 subnets
B        10.84.40.131 [200/0] via 10.84.30.39, 00:22:56, Tunnel0
C        10.250.250.10 is directly connected, Loopback100
      30.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        30.30.0.0/24 is directly connected, GigabitEthernet0/4/1
L        30.30.0.3/32 is directly connected, GigabitEthernet0/4/1
C        30.30.40.253/32 is directly connected, Loopback30
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.128/30 is directly connected, Tunnel103
L        192.168.0.130/32 is directly connected, Tunnel103
asr903#

asr903#show ip route vrf Contrail 10.84.40.131

Routing Table: Contrail
Routing entry for 10.84.40.131/32
  Known via "bgp 64512", distance 200, metric 0, type internal
  Last update from 10.84.30.39 on Tunnel0, 00:23:08 ago
  Routing Descriptor Blocks:
  * 10.84.30.39 (default), from 10.84.30.39, 00:23:08 ago, via Tunnel0
      Route metric is 0, traffic share count is 1
      AS Hops 0
      MPLS label: 20
      MPLS Flags: MPLS Required
asr903#

asr903#show ip cef vrf Contrail 10.84.40.131 detail 
10.84.40.131/32, epoch 2, flags rib defined all labels
  nexthop 10.84.30.39 Tunnel0 label 20
asr903#

asr903#show tunnel endpoints 
 Tunnel0 running in multi-GRE/IP mode

 Endpoint transport 10.84.30.39 Refcount 3 Base 0x3067EEF8 Create Time 00:23:56
   overlay 10.84.30.39 Refcount 2 Parent 0x3067EEF8 Create Time 00:23:56
asr903#

asr903#show l3vpn encapsulation ip MGRE 

 Profile: MGRE
  transport ipv4 source GigabitEthernet0/4/7
  protocol gre
  payload mpls
   mtu default
  Tunnel Tunnel0 Created [OK]
  Tunnel Linestate [OK]
  Tunnel Transport Source GigabitEthernet0/4/7 [OK]
asr903#
6 Software Gateway

In this section we use a Juniper virtual SRX (Firefly Perimeter) as a software gateway to an OpenContrail cloud. Additional details, including the configuration, are published at the link below; the configuration is very similar to the Junos MX gateway configuration above.

http://www.juniper.net/techpubs/en_US/contrail2.21/topics/task/configuration/simple-gateway-support-vnc.html

7 CONCLUSION

OpenContrail uses open, standards-based control and data plane signaling (MP-BGP with the L3VPN address family, and MPLS over GRE tunnels) and can therefore interoperate with any standards-compliant gateway to realize the use cases described above.