News Stay informed about the latest enterprise technology news and product updates.

Juniper Contrail's open source SDN will change the enterprise network

Glen Kemp discusses Juniper's open source SDN controller and the impact the OpenContrail project and NFV may have on enterprise customers.

After completing a $176 million acquisition of Contrail Systems in December 2012, Juniper Networks Inc. announced in September the release of its SDN controller and vRouter under the Apache 2.0 license. To the enterprise administrator, this might seem to be another nebulas "game-changing" announcement from Silicon Valley, but moving this project to open source may have a profound impact on the industry as a whole. 

Open source SDN unbinds hardware and software

Fundamentally, the technology available for "free" will allow the enterprise to break the cycle of vendors selling, deploying and then selling and deploying more stuff to fix the problems the last pile of stuff didn't fix.

It allows you to think more about applications and the network as a whole:  overlay virtual networks built on top of an abstracted physical infrastructure (the underlay). Well-understood standards, such as Multiprotocol Label Switching (MPLS) and the Border Gateway Protocol (BGP), are used to stitch together the underlay components (such as switching and routing), which are configured using southbound protocols such as NETCONF, the Extensible Messaging and Presence Protocol (XMPP) and BGP.

OpenContrail gives the enterprise access to network functions virtualization (NFV) capabilities, which abstracts the functions of the network (such as security, caching and bandwidth management) from the physical hardware. Although the implementation is different, x86 hypervisors have already broken the link between the operating system and tin in the same way. Inevitably, this will lead to commoditization in the network fabric space. (Given the number of switch vendors betting the farm on the Trident 11, you could argue that we are already far down this road.)

For a clearer picture, it is worth describing the individual components of the Contrail solution. The controller takes a high-level view of end-user services (such as a logical network, a firewall security policy or a group of applications) and compiles them into commands that are pushed to the underlay (via NETCONF, XMPP, etc.). This process implements the virtual network as defined by the administrator by creating the required Layer 2 links, pushing security policies and updating the vRouter as required.

The vRouter is deployed on the virtual server hypervisor in a way similar to a virtual switch; its job is to manage Layer 2 and Layer 3 links between servers within the host and across the physical underlay network using the MPLS or VXLAN protocols.

Escape vendor lock-in … if you want to

Although the applicability of this service provider technology to enterprise networks is not immediately obvious, NFV will yield benefits for many organizations in the near future. With OpenContrail, Juniper could create the NFV space the same way that VMware did with the server virtualization market, but with a twist. Right now, if you want to virtualize servers, you can either go with "off the shelf" with products like VMware ESX or Microsoft Hyper-V; if you need to "roll your own" open source projects like Xen and KVM are available. But in the network virtualization space, things will play out differently. Contrail as a commercial product is not going away; if you want the safety net of a support contract, just talk to your local partner. On the other hand, if the current release doesn't quite fit your use case, you can just download the source and get on with it.

More on open source SDN

Can hardware vendors really lead open source SDN?

Open Daylight program: Get involved

This gives OpenContrail significant gravity in both the commercial and open source worlds; it will be harder for others vendors to push closed controllers in this space. OpenContrail's future is assured with a thoroughly invested patron with a large portfolio to push. Additionally, the enterprise version may benefit from a "trickle up" of community developed features. 

Much of the risk already eliminated for enterprises looking into NFV. By adopting an open architecture, NFV is not tied to a specific vendor's use case or even a specific vendor. Sure, Juniper would be delighted to sell you switching, routing and security platforms as part of a fully orchestrated solution, but it really isn't necessary. What's more, this model will change the networking sales game. Just like your HP server sales rep knows that tomorrow you could ditch his butt and go to Dell with minimal operational impact, your network sales rep will soon be in the same position. The network vendors that have also figured this out are adjusting their portfolios to suit, and it's painfully apparent the ones that have not. Ultimately, this should force further competitiveness and innovation in the network marketplace.

It goes without saying that an open source approach to SDN isn't going to be for everyone. Many will prefer the warm, fuzzy feeling of going to a single vendor for deploying exactly what they want to sell you this week. However, if you are prepared to take a cold hard look at your network and remodel it as an extensible services architecture, then it's time to seriously look at the OpenContrail project and what NFV in general can do for you.

About the author:
Glen Kemp is an enterprise solutions architect for a U.K.-based managed services provider. He designs and deploys network and application security tools, including access control, remote access, firewalls and other "keep the bad guys out" technologies. He is also an experienced professional services consultant, delivering elephants and not hunting unicorns. His blogs can be found at and at the Packet Pushers Podcast. Follow him on Twitter@ssl_boy.

This was last published in November 2013

Dig Deeper on Open source networking