NEW! Mirantis Academy -   Learn confidently with expert guidance and On-demand content.   Learn More


Mirantis OpenStack with Juniper Contrail Networking Webinar Q&A

On March 19, 2015, Kamesh Pemmaraju hosted a webinar addressing Mirantis OpenStack with Juniper Contrail Networking along with guests Pedro Marques of Juniper Networks and Kyle MacDonald of Mirantis. We didn't have a chance to respond to all of your questions so we present them and their answers here.

Question: Do applications which will be migrated to OpenStack need design or architectural changes to adapt to OpenStack architecture?
Answer: This depends on application requirements. Simple apps that can run on Linux on a KVM virtual machine can usually port to OpenStack without modifications. For higher-order applications that run on multiple servers and provide their own high availability using common tools like message queues and HAproxy/load balancing, it may be appropriate to architect deployments to reflect OpenStack best-practices for availability (i.e., take in mind fault domains and availability zones to eliminate likely single points of failure), but deeper changes probably won't be needed. Only in cases where application HA is platform-dependent may deeper reengineering be needed. A good introductory text for modifying applications can be found at:

Question: What is Contrail?
Answer: Contrail is a project that implements network virtualization as an overlay network compatible with existing IETF standards. It is an implementation of the Neutron API that provides distributed routing and interoperability with network appliances.

Question: A fundamental question people might have about Contrail is whether it is really production-ready. More details.  You can find many critical bugs that still exist, e.g., Bug #1401880 caused a system crash.
Answer: There are a fair number of bugs in that list that are old duplicates that just have not been cleaned up, as well as bugs that refer to provisioning issues. There are some real bugs also in that list. As the deployment footprint grows the software is used in more situations and we do tend to find more bugs.

Question: Does Contrail work in Headless mode? Basically, I want to know what is going to happen to VMs traffic if the three config/control nodes are gone.
Answer: Yes. The Contrail compute node components can work in case all the control-nodes became unavailable. Likewise the control nodes can continue to operate in case all the config nodes become unavailable. Components are designed to operate in active-active mode.

Question: Will I need Juniper kit to run Contrail? If I do what kit? L2/L3 switches or a router?
Answer: No. You can run Contrail without Juniper network gear. The switching gear just needs to be able to pass IP packets. For gateway between overlay and external networks you can use the software gateway included in Contrail or any L3VPN-compatible appliance that supports MPLS over GRE.

Question: Does Contrail require Juniper switches or is it compatible with other vendors’ hardware?
Answer: No, Contrail does not require Juniper hardware (or any specific hardware unless anticipated traffic requires the additional throughput of a hardware solution). Mirantis and Juniper customers are presently working with several clients in production with non-Juniper hardware. The Mirantis/Juniper Reference Architecture contains instructions for configuring both Juniper and Cisco example hardware.

Question: How do you interoperate with the switches? (Layer 2 level). (My question was more: how do you work with other networking vendors, on the different levels?)
Answer : The job of the switches is to deliver IP packets between any 2 servers without the need for dynamic configuration. There is no need to dynamically provision the switches.

Question: What is the main differentiation for Contrail compared to NSX?
Answer : Dynamic routing. Contrail is built around the concept of being able to federate clusters managed by potentially different admin authorities via BGP. That is what it uses to federate its control-nodes internally and to interoperate with existing L3VPN network equipment.

Question: Is it possible to run OpenStack in IPv6-only mode using OpenContrail, i.e., no IPv4 at all, neither in the underlay nor the overlay network?
Answer: No. Contrail implements an IPv6 overlay. No plans at the moment to work on an IPv6 underlay.

Question: Do both the Horizon UI and Contrail WebUI integrate with each other or do you have to go to each UI?
Answer: Currently most deployments use Horizon as a tenant UI and the Contrail UI as a network admin/secops UI. There are Horizon extensions for API extensions, but admin-centric API extensions plus analytics are only visible through the Contrail UI. In practice each type of user interacts with a single UI.

Question: For legacy DC to Cloud IaaS (based on OpenStack), how does OpenStack provide HA for the VMs?
Answer: Typically via a tool such as Heat that is doing application management. There are other open source and commercial alternatives also.

Question: What is the best way to deploy Mirantis OpenStack plus OpenContrail? Which tool should I use to do that?
Answer: Please see the published reference architecture.  

Question: How does the licensing work? Who owns the support?
Answer: OpenContrail is an Apache v2 licensed project. Juniper Networks offers commercial support for OpenContrail.

Question: Is Contrail a substitute/alternative to Neutron/Nova network?
Answer: Contrail implements the Neutron API. It can be seen as an alternative to the reference implementation of Neutron through OVS.

Question: Is there a Contrail "check box" in Fuel?
Answer: Not yet.

Question: Is there a dependency between OpenStack versions and Contrail versions? Do we have to worry about getting with the right version mapping between the two?
Answer: Contrail includes a Neutron plugin. There are dependencies when the API to that Neutron plugin changes in a non-backwards-compatible way.

Question: When can qfx5100 be used to break out into the real network l3vpn style? l3 attach of vrouter to ip fabric via ospf instead of at l2 via lacp?
Answer: N/A.

Question: What is possible with OpenStack/Contrail in terms of orchestration for NFV in a telco cloud environment (provisioning, chaining, ... of NFs)?
Answer: OpenStack + Contrail is being used by several carriers to deploy NFV applications. It allows NFVs to be deployed and processes IP traffic that transits between external networks.

Question: When will you release the OpenContrail Fuel plugin?
Answer: The OpenContrail Fuel plugin is scheduled for release with Mirantis OpenStack 6.1.

Question: l3 attach of vrouter to ip fabric via ospf instead of at l2 via lacp?
Answer: Support for multiple L3 interfaces (as opposed to LACP bond pairs) is planned.

Question: What's the status of the Intel dpdk implementation of vrouter, and what's the speed?
Answer: Development branch has merged into mainline.

Question: Is it possible to deploy Openstack and OpenContrail architecture crossing WAN? Meaning, can the OC controller be at Datacenter A while vrouter is deployed in Datacener B, in a different city?
Answer: Yes, it is possible within reasonable latency intervals.

Question: Can Contrail be used without OpenStack, i.e., as a solution to network Docker?
Answer: Yes, it can. It doesn't depend on OpenStack. It is a supported plugin in CloudStack, for instance.

Question: For virtual applications that require an "external" network without the floating ip concept, meaning without NAT, would it be possible to use Contrail to allow such a custom networking configuration?
Answer: Yes. Most of the Contrail production deployments do this.

Question: Do we need to have hardware in the datacenter that understands MPLS/BGP/L3VPN? DC won't have them as these are WAN technology/protocols?
Answer: There is a software gateway implementation that is provided as part of Contrail. It becomes more efficient to use hardware appliances once you cross a certain threshold of external traffic (e.g. 10G).

Question: What does Contrail offers that Neutron is not already providing today?
Answer: Dynamic routing and service chaining. We also believe that it is a more scalable implementation when compared to the reference implementation.

Question: Can OpenContrail work without OpenStack Orchestration? if yes, what Contrail functionalities do we miss?
Answer: One example:

Question: Is this available with DevStack to test?
Answer: You can use in conjuntion with DevStack.

Question: If you already have a Mirantis distro, do you have a cookbook to get Contrail on the current installation?
Answer: We developed internal runbooks for integrating earlier versions of Contrail/OpenContrail components to Mirantis OpenStack 5 (Icehouse), but these are now deprecated and not supported.

Question: Are overlays such as vxlan supported?
Answer: vxlan is supported with an EVPN control plane.

Question: Can Mirantis 6.0 now upgrade Icehouse nodes to Juno or is it still just the Fuel server that is upgraded?
Answer: Mirantis 6.0 does not support the upgrade of OpenStack itself, but it does upgrade the Fuel Master. An upgraded Fuel Master can deploy new environments (6.0) while continuing to manage older environments such as 5.1. We will be releasing functionality to deliver Mirantis OpenStack patches from a Mirantis-hosted repository in 6.1.

We will also provide an upgrade guide for in-place upgrade of environments in the 6.1 timeframe. The upgrade guide is limited and will not cover all deployment configurations. We are taking a careful, pragmatic approach to document a process for upgrade, test it, and identify gaps. In our 7.0 release, we plan to expand the coverage of upgrade and deliver tooling to support the process. Upgrade of Contrail-based deployments will not be supported by the upgrade guide.

Question: Does the MX80 Router (Edge Router) hold all the states of tenant VMs from entire cloud?
Answer: No. It only holds routes for floating-ip addresses.

Question: Does this use vxlan for the overlay or some other protocol?
Answer: It defaults to using MPLS-over-UDP as encapsulation for IP traffic; it also supports MPLS-over-GRE and VXLAN>.

Question: Does the IF-MAP integration rely on a specific commercial implementation of an IF-MAP server or is there a packaged version of an open source IF-MAP implementation with OpenContrail?
Answer: No. We currently use an open source project (irond).

Question: Do you need the Contrail controller nodes to be on bare metal to scale? If so, is there any guidance on the recommended HW (similar to what Mirantis provided for OpenStack nodes)?
Answer: No. Several production deployments use VMs to run the controller components.

Question: Does a deployment of Contrail on exclusively Juniper gear provide any config or performance advantage?
Answer: Juniper can provide configuration guides for deployments with Juniper Network equipment; it is also how we validate the solution. So it is easier to guarantee that it works.

Question: How does Contrail handle network partition in the datacenter?
Answer: We can deal with partition of multi-facility deployments across a WAN with a design in each local compute node’s peer with local control-nodes. This is based on the fact that control nodes peer with BGP.

Question: When will OpenContrail cooperate with OS version Juno?
Answer: There are deployments based on Juno.

Question: Is the Contrail UI integrated into the OpenStack dashboard only for admins or also for end-users?
Answer: See above.

Question: Any plans to upstream OpenContrail plugin/extensions into Neutron OpenStack?
Answer: OpenContrail is an independent project that works with other orchestrators.


These are the answers to webinar questions. You can also access the video.

Choose your cloud native journey.

Whatever your role, we’re here to help with open source tools and world-class support.


Subscribe to our bi-weekly newsletter for exclusive interviews, expert commentary, and thought leadership on topics shaping the cloud native world.