Contrail Networking

Download Datasheet

Product Overview

Simple, open, and agile, Contrail Networking solves networking challenges for multiple cloud environments. With its scale-out microservices architecture and distributed control and data planes, Contrail Networking orchestrates virtual networks and network services at the performance and scale required of the largest, most dynamic clouds. Service providers, enterprises, software-as-a-service (SaaS) providers, and hosting and cable providers use Contrail Networking to connect heterogeneous cloud environments, accelerating the deployment of innovative cloud applications and services while providing the agility, interoperability, and automation that application developers and network operators demand.

Product Description

Enterprise IT is under increasing pressure to become agile and accelerate value to the business by adopting hybrid cloud architectures and delivering Infrastructure as a Service (IaaS), Container as a Service (CaaS), and Platform as a Service (PaaS) to their stakeholder lines of business.

Service providers are also challenged to rapidly monetize new and differentiated services to generate revenue while reducing CapEx and OpEx. For many traditional network service providers as well as new cloud service providers, expanding their portfolio to meet the needs of Network Functions Virtualization (NFV) and XaaS (i.e., IT as a Service, Software as a Service, etc.) is seen as the path to increasing monetization and differentiation.

Enterprises and service providers expect to seamlessly migrate their existing physical infrastructure—incorporating millions of dollars of equipment and years of operational experience—to the cloud era without having to “rip-and-replace.”

Juniper Networks® Contrail® Networking addresses these challenges with a pure software-defined approach that spans the boundaries and use cases of most physical infrastructure, orchestration systems, DevOps tooling, virtualization runtimes, and operating systems. It unifies policy for network automation across those variables with seamless integrations for systems such as: Kubernetes, OpenShift, Mesos, OpenStack, VMware, a variety of popular DevOps tools like Ansible, and a variety of Linux operating systems with or without virtualization like KVM and Docker containers. Contrail Networking reduces the friction of migrating to cloud by providing a virtual networking overlay layer that delivers virtual routing, bridging, and networking services (IPAM, NAT, security, load balancing, VPNs, etc.) over any existing physical or cloud IP network. It also provides multitenant structure and API compatibility with multitenant public clouds like Amazon Web Services (AWS) virtual private clouds (VPCs) for truly unifying policy semantics for hybrid cloud environments.

For service providers, Contrail Networking automates network resource provisioning and orchestration to dynamically create highly scalable virtual networks and to chain a rich set of Juniper or third-party virtualized network functions (VNFs) and physical network functions (PNFs) to form differentiated service chains on demand. Integrated with a cloud IaaS stack such as OpenStack, Contrail Networking enables the agile creation and dynamic scaling of service instances with high availability and reliability. Contrail Networking also makes it really simple to onboard network functions onto the platform without requiring any API integration or modifications to third-party VNF software.

Contrail Networking is equipped with always-on advanced analytics capabilities to provide deep insights into application and infrastructure performance for better visualization, easier diagnostics, rich reporting, custom application development, and machine automation. It also supports integration with other analytics platforms like Juniper Networks Contrail Insights and streaming analytics through technologies like Apache Kafka and its API.

Contrail Networking’s control and management systems are also designed as scale-out cloud-native software with a container-based microservices architecture that supports in-service upgrades. Because of its capacity to scale, Contrail Networking can orchestrate virtualized, automated networking for the most demanding elastic cloud and NFV use cases. Based on proven open networking standards, open APIs, and the Tungsten Fabric open-source project, Contrail Networking integrates with orchestration systems through plug-ins that accompany the control and management systems; for example, Contrail’s Kubernetes CNI allows you to apply SDN equally well from Kubernetes manifests or Contrail Networking GUIs and APIs. Delivering predictable business agility and a low cost of ownership, this cloud networking platform will enhance and future-proof your investment in creating IT as a Service (ITaaS) with DevOps automation and bringing applications to the cloud.

Contrail Networking manages networking policies to control traffic flows within and across virtual networks, implementing advanced services such as service chaining (e.g. forcing specific flows across the boundaries of virtual networks) and managing physical workload lifecycle (e.g. bare metal servers, PXE boot/reimaging, and appliance software imaging and configuration).

In the data center, Contrail Networking works with any standard IP Clos architecture, leveraging open, scalable, and standardized protocols such as netconf/rpc to perform configuration operations (whether related to Day 0 operations or service configurations). Contrail Networking also uses BGP EVPN to peer with data center devices, receiving and advertising routes that influence traffic forwarding across virtual networks or workloads/appliances. A centralized Contrail Controller, which sits in the data center management network, provides:

a) Configuration via netconf/rpc, tftp/sftp for ZTP/image transfer, BGP (evpn,ip-vpn) for route leaking, analytics collection via SNMP, jflow/sflow, and gRPC (for devices)

b) Configuration and route leaking via XMPP and analytics via Contrail Sandesh (for vRouter computes)

Figure 1: Juniper Networks Contrail Networking

On the journey to an agile and connected future, it’s best to work with an innovative technology leader who understands the enterprise and service provider industries intimately—a partner with significant experience in both networking and IT who builds solutions based on open principles. Contrail Networking stands out by delivering software-defined cloud networking and cloud service automation in a way that gives customers freedom of choice, intelligent automation, and always-on reliability.

Architecture and Key Components

Contrail Networking is comprised of the following key components:

Contrail Networking management Web GUI and plug-ins integrate with orchestration platforms such as Kubernetes, OpenShift, Mesos, OpenStack, VMware vSphere, and with service provider operations support systems/business support systems (OSS/BSS). Many of these integrations are built, certified, and tested with technology alliances like Red Hat, Mirantis, Canonical, NEC, and more. Contrail Networking sits under such orchestration systems and integrates northbound via published REST APIs. It can be automatically driven through the APIs and integrations, or managed directly using the Web GUI, called Contrail Command.

Contrail Networking control and management systems, commonly called the controller, have several functions. Chief among them are the following functions:Contrail Networking control and management systems, commonly called the controller, have several functions. Chief among them are the following functions:

  • Configuration Nodes: This function accepts requests from the API to provision workflows like adding new virtual networks, new endpoints, and much more. It converts these abstract high-level requests, with optional detail, into low-level directions that map to the internal data model.
  • Control Nodes: This function maintains a scalable, highly available network model and state by federating with other peer instances of itself. It directs network provisioning for the Contrail Networking vRouters using Extensible Messaging and Presence Protocol (XMPP). It can also exchange network connectivity and state with peer physical routers using open industry-standard MP-BGP which is useful for routing the overlay networks and north-south traffic through a high-performance cloud gateway router.
  • Analytics Nodes: This function collects, stores, correlates, and analyzes data across network elements. This information, which includes statistics, logs, events, and errors, can be consumed by end-user or network applications through the northbound REST API or Apache Kafka. Through the Web GUI, the data can be analyzed with SQL style queries.

Contrail Networking vRouter runs on the compute nodes of the cloud or NFV infrastructure. It gets network tenancy, VPN, and reachability information from the control function nodes and ensures native Layer 3 services for the Linux host on which it runs or for the containers or virtual machines of that host. Each vRouter is connected to at least two control nodes to optimize system resiliency. The vRouters run in one of two high-performance implementations: as a Linux kernel module or as an Intel Data Plane Development Kit (DPDK)-based process.

Key Features

  • Routing and Bridging: The forwarding plane provides line-rate L3 routing and L2 bridging in multitenant and virtualized or containerized environments. It is based in the software vRouter and hence completely agnostic to the underlay network.
  • Load Balancing: Equal-cost multipath (ECMP) load balancing with session affinity is built right into the vRouter’s forwarding plane. It distributes traffic across endpoints like VNF network services, such as virtualized firewalls for example. There is also an application-layer load balancing function built-in, as well as integrated with several external providers like F5 and Avi Networks.
  • Security and Multitenancy: The use of tenant domains and L3 VPNs to create virtual networks inherently provides a secure segregated environment, where virtual networks cannot talk to each other without policies. The vRouter has built-in distributed L3 and L4 firewall capabilities that allow users to define simple and abstract security policies between virtual networks. The policies can specify additional VNF services in the path to create what are commonly called service chains; for example, the Juniper Networks vSRX virtual firewall can sit between a public network and a private network or between two networks that need tight security supervision. Networking can also scale out instances of such VNFs with load balancing as the service chain traffic load requires it. Contrail also allows for security intent to be specified in plain English via tag expressions without needing to specify networking constructs. The Contrail Security Controller translates this high-level intent into specific security ACLs.
  • Elastic, Resilient VPN: L3VPN, Ethernet VPN (EVPN), and site-to-site IPsec are all delivered in software.
  • Gateway Services: Contrail interoperates with most physical or VM-based routing and switching equipment that supports L3VPN or EVPN with the appropriate overlay network encapsulation standards (VXLAN, MPLSoGRE, MPLSoUDP). This includes interoperability with Juniper Networks MX Series 3D Universal Edge Routers and QFX Series switches, as well as other vendors’ devices to seamlessly connect to the WAN or legacy networks and workloads.
  • High Availability: Contrail Networking components are made highly available and offer active/active redundancy.
  • Analytics Services: Insightful visualization and diagnostics of virtual overlay and physical underlay networks enable real-time and historical infrastructure analytics that can be consumed through REST APIs or Apache Kafka. Users can also very easily set up live packet captures of traffic between virtual networks using built-in GUI features.
  • API Services: REST APIs for configuration, operation, and analytics provide seamless integration with popular or customized orchestration systems. This includes AWS VPC API compatibility for seamless deployment of applications in a hybrid cloud platform.

Key Benefits

  • Simple: Contrail Networking is built with simplicity in mind. It is easy to learn, intuitive to use, and well automated for a simple day-1 setup with most cloud orchestration systems.
  • Open: Contrail Networking is developed in the Tungsten Fabric open-source project and community of developers and users. Furthermore, by design it eliminates the risk of lock-in by leveraging long-standing, well-proven open industry standards.
  • High Scale and Performance: Contrail Networking is in production, standing up to the challenge of some of the most massive data center clouds.
  • United Multicloud Policy: Hybrid cloud is the ideal platform, but to achieve one IT platform, there must be functional and nonfunctional similarity between application platforms in both private and public cloud. Contrail Networking is an excellent choice of SDN solution to implement private cloud with software-defined infrastructure, and it can also be deployed atop any cloud, private or public, to create parity of environments, maximizing DevOps automation and application portability within the hybrid cloud platform.
  • Seamless Integration: Contrail Networking is well integrated, tested, and certified with a wide variety of software for orchestration, automation, operating systems, and virtualization or containerization. This means it is one SDN solution for all of your needs, cutting down the variables and assuring you compatibility with common legacy, current, and future technologies. Contrail Networking is also interoperable with industry-standard routing and switching systems to bridge from the overlay virtual networks to any other networks you have.

Key Functionality

Open Source, Open Standards for Seamless Interoperability: Contrail Networking eliminates the need for rip-and-replace by supporting many standards-based protocols, enabling interoperability in a multivendor physical infrastructure to maximize investment protection. Contrail Networking’s only requirement of the underlay network is IP connectivity, which is simple to design at scale in an interoperable way. In addition, complete source code and product binaries are available under the Apache v2.0 open-source license for all customers and partners. For more details, please visit

Network Virtualization: Contrail Networking provides a robust network virtualization solution by leveraging the L3VPN standard for L3 IP overlays, the EVPN standard for L2 overlays, and a multitude of data encapsulation standards like MPLS over generic routing encapsulation protocol (MPLSoGRE), MPLS over User Datagram Protocol (MPLSoUDP), Virtual Extensible LAN (VXLAN), etc. The virtual network segments provide a clean approach to microsegmentation and multitenancy and alleviate the challenges associated with a VLAN-based or L2-based segmentation approach.

Dynamic Service Chaining: Contrail Networking provides dynamic service chaining of virtualized or physical network functions that simplifies the creation, deployment, and management of differentiated network services. Connecting these network functions through proven open networking standards, Contrail Networking simplifies integration with Juniper and third-party service software and has nurtured a rich technology ecosystem of partners who offer services on top of the platform. It is a key ingredient that enables service personalization and deployment of massively scalable and highly available VNFs for NFV.

Network Programmability and Automation: Contrail Networking implements the concept of “SDN as a compiler” by translating abstract high-level workflows into specific rules/policies to automate the provisioning of workloads and enable service chaining of network and security services. For example, you can request virtual machine connectivity without getting into the details of underlying elements like ports, VLANs, subnets, switches, routers, etc. In addition, a unified model for configuration, operation, and analytics is exposed through REST APIs, as well as libraries in various programming languages such as Python, Go, Javascript, and Java, to name a few.

Analytics and Visualization: Contrail Networking provides insights into virtual and physical networks to simplify operations and decision making through proactive planning and predictive diagnostics. The analytics engine is designed for very large-scale ingest and querying of structured and unstructured data. It is exposed using REST APIs and a GUI-based query engine. This gives the user better insights to easily diagnose issues as it provides both real-time and historical information on application usage, system logs, network statistics like flows, latencies, jitter, etc. In addition, users can employ REST APIs and modern big data frameworks like Hadoop to write custom applications for reporting and infrastructure automation.

Contrail Networking Use Cases

Contrail Networking provides both service providers and enterprises with a dynamic and scalable network architecture to provision applications in a matter of seconds. Enterprises and service providers can use Contrail Networking to:

  • Deploy private or public clouds
    • Provide multitenancy with complete isolation and role-based access control (RBAC) capabilities
    • Automate for rapid network provisioning and services like connectivity and load balancing
    • Enable self-service for application developers and DevOps teams
  • Deploy hybrid clouds and create VPCs in a service provider public cloud
    • Connect data centers and clouds and move workloads seamlessly between private and public clouds
    • Ensure virtual network services API compatibility with third-party cloud providers like AWS
  • Automate NFV through service chaining of any network and security service
    • Provide service orchestration of any Juniper or third-party network and security service (physical or virtual)
    • Enable cloud customer premises equipment (CPE) and managed network services like security, guest access, etc. for service provider IP-VPN customers
    • Enable virtualized evolved packet core (EPC) for consolidation of services such as mobility management entity/Serving GPRS Support Node (MME/SGSN), S-GW, etc.
    • Provide virtualized subscriber or business edge with chaining of services, including deep packet inspection (DPI), security (firewall, anti-DDoS), proxies, and caching


Minimum System Recommendations and Operating Environment

  • Hardware: 64-bit dual x86 processor, minimum memory 12 GB RAM
  • Storage: 30 GB Serial Advanced Technology Advancement (SATA), Serial Attached SCSI (SAS), or solid-state drive (SSD); Volume storage: 2 disks with 2 TB SATA
  • Network: 1 GB interface card (1)
  • OS: Linux OS (CentOS, RHEL, Ubuntu)

Ordering Information

Juniper Networks products are sold directly as well as through Juniper partners and resellers. Please contact your Juniper accout team or partner for licensing. For more information on how to buy, please visit:

About Juniper Networks

Juniper Networks brings simplicity to networking with products, solutions and services that connect the world. Through engineering innovation, we remove the constraints and complexities of networking in the cloud era to solve the toughest challenges our customers and partners face daily. At Juniper Networks, we believe that the network is a resource for sharing knowledge and human advancement that changes the world. We are committed to imagining groundbreaking ways to deliver automated, scalable and secure networks to move at the speed of business.