System-Engineering | 7 min read

What Contrail is all about

ngworx Team
April 2019
written by Remi Locherer
Senior Network & Security Engineer

I recently started to look into Contrail – Juniper’s SDN solution. Juniper’s website lists several Contrail products and there is also TungstenFabric, which confused me initially. With this blog post, I try to explain what Contrail is about and what functionality the different Contrail products provide.

In 2012 Juniper bought Contrail Systems, which laid the basis for today’s Contrail products. A year later Juniper open sourced it under the name OpenContrail. In 2017 Juniper transferred the OpenContrail project to the Linux Foundation, and in 2018 it was renamed to TungstenFabric.


To understand the functionality provided by Contrail Networking, let's first start with TungstenFabric.

TungstenFabric provides networking functionality in conjunction with an orchestrator. Supported orchestrators are:

  • OpenStack
  • Kubernetes
  • OpenShift
  • VMware vCenter

It is also possible to use the same Controller for OpenStack and Kubernetes pods running in VMs with TungstenFabric in nested mode.

TungstenFabric provides many networking functions and services. Among them are:

  • Routing and Bridging
  • Overlay Networks based on VXLAN or MPLS
  • Multi-tenant IP address management
  • DHCP
  • ARP proxies (to avoid flooding)
  • DNS service per tenant
  • Distributed firewall
  • Security Groups (firewall rules applied as a “bump in the virtual wire”)
  • Distributed load balancing
  • Service chaining
  • NAT
  • BGP peering with gateway routers


The main components of TungstenFabric are the vRouter and the controller. The latter interacts with an orchestrator through a plugin and provisions the vRouter. A vRouter is installed on each host (hypervisor or Kubernetes host) and forwards packets according to network and security policies.

Since version 5, the controller has been deployed with a modern microservices architecture based on Docker containers. The functions are split into the following nodes and pods:

  • Controller Nodes
    • Web UI
    • Config
    • Config DB
    • Control
  • Analytics Nodes
    • Analytics
    • Analytics DB

The vRouter consists of an agent that communicates with the controller using XMPP and a forwarder. By default, the forwarder is a Linux kernel module. In OpenStack deployments, the kernel module replaces Open vSwitch and iptables.

The diagram below, from the TungstenFabric website, shows all these components.

[Diagram: TFA Microservices]

More details can be found in the TungstenFabric Architecture document on the project website.

The talk “Living on the Edge – combining OpenStack, Kubernetes, and Tungsten Fabric to make Edge Computing a reality” from Marc Rapoport gives a bit of background information about TungstenFabric and also some insights into the current and future development.

TungstenFabric is an ideal SDN solution for organizations with high requirements regarding scalability and the ability to run this solution without support. At NANOG 70 Alexey Gorbunov from AT&T explained why and how they are using it.

To get hands-on experience with TungstenFabric you can follow the 1-step process to deploy TungstenFabric into a Kubernetes cluster (64 GB RAM and 300 GB disk recommended).


Contrail Networking

When an organization needs the functionality and scalability that TungstenFabric provides but wishes to get support, Contrail Networking is the way to go. It delivers all the features from TungstenFabric. Juniper provides up-to-date documentation and support via their established channels.

Contrail Cloud

Contrail Cloud is a complete platform based on open source technologies such as OpenStack, TungstenFabric and Ceph. It is targeted at the Telcos that need a scalable platform to deploy NFVs and other virtualized workloads.

Contrail Security

Contrail Security adds a powerful policy framework to Contrail Networking. It allows writing network security policy in an abstract way using tags besides IP addresses, protocols and ports. The tags can be the ones originating from containers orchestrated with Kubernetes or labels applied to VMs with OpenStack. This is a powerful concept because it makes it possible to write policies once and apply them to all the different environments where an application is deployed (e.g. dev, test, prod).

The high-level policy is then compiled by the Contrail controller and pushed to the vRouter, where it is enforced. If a workload moves, the controller ensures that the compiled policy is deployed in the right place.

The vRouter does not only enforce the policy but also captures metadata from all the flows and reports these back to the controller. The analytics part of the controller visualizes all the flows and marks the flows without an explicit policy. This makes it very easy to spot traffic flows that are not covered by a policy yet and extend policies based on real traffic.
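The tag-based policy idea and the "flows without an explicit policy" report described above can be modelled in a few lines. This is an added example, not Contrail's policy format or API: the `TagRule` class, the `match` field (tag keys that must be equal on both ends, used here to keep environments apart), and all addresses and flows are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory: workload IP -> tags, as an orchestrator would label them.
WORKLOADS = {
    "10.1.0.10": {"app": "shop", "tier": "web", "env": "dev"},
    "10.1.0.20": {"app": "shop", "tier": "db", "env": "dev"},
    "10.2.0.10": {"app": "shop", "tier": "web", "env": "prod"},
    "10.2.0.20": {"app": "shop", "tier": "db", "env": "prod"},
}

@dataclass(frozen=True)
class TagRule:                 # hypothetical model of one abstract allow rule
    src: tuple                 # (key, value) tag pairs the source must carry
    dst: tuple                 # (key, value) tag pairs the destination must carry
    proto: str
    port: int
    match: tuple = ("env",)    # assumption: these tag keys must be equal on both ends

# One policy, written once, with no IP addresses and no environment names in it.
POLICY = [TagRule(
    src=(("app", "shop"), ("tier", "web")),
    dst=(("app", "shop"), ("tier", "db")),
    proto="tcp", port=5432)]

def has_tags(tags, wanted):
    return all(tags.get(k) == v for k, v in wanted)

def compile_policy(policy, workloads):
    """Expand tag rules into concrete (src_ip, dst_ip, proto, port) allow entries."""
    allowed = set()
    for rule in policy:
        for s_ip, s in workloads.items():
            for d_ip, d in workloads.items():
                if (has_tags(s, rule.src) and has_tags(d, rule.dst)
                        and all(s.get(k) == d.get(k) for k in rule.match)):
                    allowed.add((s_ip, d_ip, rule.proto, rule.port))
    return allowed

def uncovered_flows(flows, allowed):
    """Return observed flows that no compiled rule covers, in observation order."""
    return [f for f in flows if f not in allowed]

# Constructed flow records, standing in for what the forwarders would report.
FLOWS = [
    ("10.1.0.10", "10.1.0.20", "tcp", 5432),   # dev web -> dev db
    ("10.2.0.10", "10.2.0.20", "tcp", 5432),   # prod web -> prod db
    ("10.1.0.10", "10.2.0.20", "tcp", 5432),   # dev web -> prod db (crosses env)
    ("10.2.0.10", "10.2.0.20", "tcp", 22),     # prod web -> prod db on SSH
]
```

Recompiling with an updated inventory after a workload gets a new address yields the new concrete entries without touching `POLICY`, which is the property that lets one policy follow the application across environments.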

Aniket Daptari from Juniper Networks explained all this and more in this presentation at Networking Field Day 17.

Contrail Enterprise Multicloud

Contrail Enterprise Multicloud is the next step in the Contrail evolution. On top of Contrail Networking and Contrail Security, Juniper adds AppFormix and Contrail Command.

AppFormix is an analytics application which leverages telemetry streaming. It can provide deep insights into the health status and the trends of a Contrail installation and also about the underlay network.

With Contrail Command Juniper delivers a tool that manages all aspects of the physical underlay network. It can be used for brownfield and greenfield deployments. For greenfield scenarios, it comes with a complete ZTP infrastructure to set up physical devices. Under the hood, it is using Terraform and Ansible while the operator uses a clean and well organized web interface or the APIs. Command can also be used to provision a “Multi-Cloud Gateway” (MC-Gw) in the public cloud (AWS and Azure are currently supported). This MC-Gw can then be used to extend the on-premises resources to the cloud.

The “Multicloud” part of the name implies that it is easy to connect multiple public and private clouds and use Contrail as a “single pane of glass” to control the networking aspect for all of them. But it can only enforce security policies in conjunction with the Contrail vRouter. The native networking functions from public cloud platforms cannot be used for that. This makes Contrail Enterprise Multicloud useful in the public cloud if the focus is on self-managed Kubernetes or OpenShift. It would also simplify the deployment process if the vRouter could be found in the Marketplace of the public cloud platforms.

Contrail Enterprise Multicloud was designed for very large data centers and is a good solution for organizations that look for a scalable SDN solution for large OpenStack and Kubernetes deployments.

The easiest way to learn more about Contrail Networking is to just try it. Juniper makes this very easy and provides a pre-installed sandbox that can be accessed over RDP. Just register on the trial website and read the sandbox user guide. Detailed information can be found in the Contrail Getting Started Guide from Juniper.

Contrail SD-WAN

Contrail SD-WAN shares the Contrail brand but is not based on TungstenFabric. It automates the WAN edge using CSO (Contrail Service Orchestration).

It enables an organization to rapidly connect new locations by shipping an SRX or NFX there or spinning up a vSRX. When powered on, these devices connect to the responsible CSO to get the correct configuration and then form a mesh between these edge devices. First, it is a hub and spoke network which then evolves based on policy and actual traffic needs. The solution recognizes about 4000 applications and can prioritize and route them according to the defined policy.

CSO can not only manage the WAN edge device but also switches that might be deployed in a branch. Also, Mist WiFi is integrated into Contrail SD-WAN. With that, it is not only an SD-WAN solution but also an SD-Branch solution.

On April 8, 2019, Juniper announced that Contrail SD-WAN is now also available as a service which makes it even simpler to start with.

To learn more about Contrail SD-WAN it is worth listening to the podcast “An Inside Look At What’s New In Juniper’s Contrail SD-WAN” which was released on May 10, 2019, by the Packet Pushers.
