Contrail Platform Developers
Contrail Platform Developers

Connecting Multi-tenant VNF to Contrail

‎06-16-2017 06:47 AM

Hi,

I am trying to find out if there will be any scalability issues for the following architecutre:

- we will have a multi-tenant contrail environment (plan to get 1000's of tenants/VRF's)

- we will install a VNF that supports multi-tenancy (firewall VNF)

This VNF can get seggragate tenants by VLANs or vNICs.

On a single compute node, we will have multiple routing instances

Can multiple routing instance connect to a single VNF VM?

For example the compute node shares one vNIC for thos different routing instance where each routing instance gets assigned a different VLAN

Or that there will be one vNIC per routing instance.

If so, how many vNICs can a single compute node support?

i like to get about 250 tenants in a single compute node, so does it get me to 250 vNIC's?

 

tx,

Joseph.

 

 

 

1 REPLY 1
Highlighted
Contrail Platform Developers

Re: Connecting Multi-tenant VNF to Contrail

‎06-16-2017 03:48 PM

Hi

 

Do I understand correctly that you want to service around 250 tenants using the single VNF instance? I'd say the best practice is one VNF instance per tenant, and scale-out scenarios where multiple instances are used for tenant are supported; it looks like you want the opposite - one VNF for many tenants?

 

If it is so then it will potentially work, although about the scale you have to either discuss with Juniper SEs or maybe just test it.

 

I see 2 possibilities:

1) VNF in L2 transparent mode, having 2 interfaces (left and right). Such VNF can be used in multiple service chains for multiple tenants, the traffic will be separated using VLAN tagging.

One possible problem with such scenario that I see - VLAN tag is set by Contrail and VNF will not easily know which VLAN corresponds to which tenant. So it will work if all tenants use exactly the same service, not sure what if otherwise.

 

2) VNF in L3 ("In-Network") mode. You can create multiple pairs of interfaces on VNF, and configure multiple service chains (for different tenants) in Contrail to use different interface pairs. This is possible with what they call "service chaining v2".

 

I hope this helps somehow.

Best Regards,
PK

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
Twitter: @JuniperTrain
GitHub: https://github.com/pklimai
[Juniper Authorized Education & Support in Russia]