Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation  Back up to About Overview 

New and Changed Features

The features listed in this section are new or changed as of Contrail Release 2.22. A brief description of each new feature is included.

Flow Sampling

The Contrail vRouter agent exports flow records to the Contrail Collector when a flow is created or deleted. It also updates flow statistics at regular intervals.

Note: In releases earlier than Contrail Release 2.22, all flow records were exported from the agent. Depending on the scale of flows, some of these exported flows might be dropped due to queue overflow.

In Contrail Release 2.22 and later, flow records are sampled and exported to the Contrail Collector based on the sampling.

The flows that are exported are selected based on the following parameters used in the algorithm:

  • The configured flow export rate. This is configured as part of the global-vrouter-config object.
  • The actual flow export rate.
  • The sampling threshold. This is a dynamic value calculated internally. If the flow statistics in a flow sample are above this threshold, the flow record is exported.

Each flow is subjected to the following algorithm at regular intervals. The algorithm determines whether to export the sample or not.

  • Flows with traffic that is greater than or equal to the sampling threshold are always exported. The byte and packet counts are reported without modification.
  • Flows with traffic that is less than the sampling threshold are exported according to the probability. The byte and packet counts are adjusted upwards according to the probability.

    The probability is calculated as (bytes during the interval) / (sampling threshold).

  • The system generates a random number less than the sampling threshold. If the byte count during the interval is less than the random number, then the flow sample is not exported.
  • If none of these conditions are met, the flow sample is exported after normalizing the byte count and packet count during the interval. Normalization is done by dividing the byte count and packet count during the interval by the probability. This normalization is used as a heuristic to account for statistics of flow samples that are dropped.

The actual flow export rate is close to the configured export rate. If there is a large deviation, the sampling threshold is adjusted to bring the actual flow export rate close to the configured flow export rate.

Flow Handling

When a virtual machine sends or receives IP traffic, forward and reverse flow entries are setup. When the first packet arrives, a flow key is used to hash into a flow table (identify a hash bucket). The flow key is based on five tuples consisting of source and destination IP addresses, ports, and the IP protocol.

A flow entry is created and the packet is sent to the Contrail vRouter agent. Configured policies are applied and the flow action is updated. The agent also creates a flow entry for the reverse direction where relevant. Subsequent packets match the established flow entries and are forwarded, dropped, NAT translated, and so on based on the flow action.

When the hash bucket is full, entries are created in an overflow table. In releases earlier than Contrail Release 2.22, the overflow table was a global table, which is searched sequentially. In Contrail Release 2.22 and later, the overflow entries are maintained as a list against the hash bucket.

By default, the maximum number of flow table and overflow table entries are 512,000 and 8000 respectively. These can be modified by configuring them as vRouter module parameters. For example; vr_flow_entries and vr_oflow_entries.

(For more information about the vRouter module parameters, see https://github.com/Juniper/contrail-controller/wiki/Vrouter-Module-Parameters).

Flow Aging

Flows are aged out based on inactivity for a specified period of time. By default, the timeout value is 180 seconds. This can be modified by configuring the flow_cache_timeout parameter under the DEFAULT section in the /etc/contrail/contrail-vrouter-agent.conf file.

TCP State-Based Flow Handling

In Contrail Release 2.22 and later, the Contrail vRouter monitors TCP flows to identify entries that can be reused without going through the standard aging cycle.

All flow entries that match TCP flows that have experienced a connection tear down, either through the standard TCP closure cycle (FIN/ACK-FIN/ACK) or the RST indicator, are torn down by the vRouter and are immediately available for use by new qualified flows.

The vRouter also keeps track of connection establishment cycles and exports the necessary information to the vRouter-agent (such as SYN/ACK and a digested established flag). This allows the vRouter-agent to tear down flows that do not experience a full connection cycle.

Flows that the vRouter identifies as reuse candidates, (eviction candidates), are marked as such in the flow entry. Flows are in the evicted state when they become available for other new flows to be reused.

This two-step transition is used so that the flow entry remains valid until the packet reaches the destination. Thus preventing the flow from getting remapped to another flow entry in the interim.

Protocol Based Flow Aging

Although TCP flows are deleted based on TCP state, you are sometimes required to age out specific protocol flows more aggressively. One example is when a DNS server is run in one VM. In this case, multiple flows are set up for DNS. A pair of flows are set up to serve each query. Because the flows are no longer required after the query is served, the timeout can be lower for these flows. To handle these cases, protocol-based flow aging is used. With protocol-based flow aging the aging timeout can be configured per protocol. All other protocols continue to use the default aging timeout.

Protocol-based flow aging is supported in Contrail Release 2.22 and later.

The configuration for protocol-based flow aging can be done in the global-vrouter-config object. For example, to have all DNS flows aged out in five seconds, use the following entry: protocol = udp, port = 53 will be set an aging timeout of 5 seconds,

Fat Flow

In Contrail Release 2.22 and later, Contrail supports optimization to reduce the number of flows setup by reusing a flow. That is, a single flow pair can be used for any number of sessions between two endpoints for the same application protocol.

Any number of DNS sessions from a client to the server can use a single flow pair. The effect is that the flow hash key is reduced from five-tuples to four-tuples consisting of source and destination IP addresses, the server port, and the IP protocol. The client port is not used in the flow key.

This feature can be configured by specifying the list of fat-flow protocols on a virtual machine interface. For each such application protocol, the list contains the protocol and port pairs. In the example, the server virtual-machine-interface, protocol udp and port 53 can be configured as a fat-flow-protocol.

If you want to enable the fat-flow feature on the client side, the configuration must be applied on the client virtual machine interface as well.

vCenter Nova Compute Driver Beta

In Contrail Release 2.22, a beta version of a Nova compute driver (nova-compute-driver) for vCenter is available.

The Nova compute driver is responsible for creating the right port groups in vCenter for every port and interface with a vRouter agent on each ESXi platform.

The new driver is an extension to the open-source Nova compute driver for vCenter.

Note: The open-source Nova compute driver for vCenter does not support the pluggable architecture. Therefore, the driver is prepackaged with Contrail and dynamically loaded by the system configuration.

Supported Platforms

Contrail Release 2.22, is supported on the OpenStack Juno and Icehouse releases. Juno is supported on Ubuntu 14.04.2 and Centos 7.1.

Contrail networking is supported on Red Hat RHOSP 5.0, which is supported only on OpenStack Icehouse

In Contrail Release 2.22, support for VMware vCenter 5.5. vCenter is limited to Ubuntu 14.04.2 (Linux kernel version: 3.13.0-40-generic).

Other supported platforms include:

  • CentOS 6.5 (Linux kernel version: 2.6.32-358.el6.x86_64)
  • CentOS 7.1 (Linux kernel version: 3.10.0-229.el7)
  • Redhat 7/RHOSP 5.0 (Linux kernel version: 3.10.0-299.el7.x86_64)
  • Ubuntu 12.04.04 (Linux kernel version: 3.13.0-34-generic)
  • Ubuntu 14.04. (Linux kernel version: 3.13.0-40-generic)

Modified: 2015-12-11