Exclusives Featured Tech Field Day Events

Getting Out From Under the Policy Boulder with Juniper’s Contrail Policy Framework

Scale puts strain on almost any system. In IT terms, we think about how otherwise reliable networking architectures and scheme suddenly fall on their face when deployed at scale. This isn’t too surprising. Scale makes small flaws exponentially glaring. Sadly, solutions to those flaws often don’t scale nearly as effectively. Far too often, these solutions are deployed individually, with lots of manual intervention needed. This is inefficient. Indeed, the inefficiency actually scales while the solution remains inadequate.

Now consider this issue when it comes to network policy management, and you can easily appreciate the challenges this has for an organization. Poorly configured policy can lead to business outages, security vulnerabilities, or just bad end-user experience. As organizations add more applications, test/dev environments, and sites, it can seem like a Sisyphean task

Policy in Contrail

Juniper Networks’ Contrail SDN management platform has some interesting capabilities to make policy creation and enforcement more manageable.

Contrail was developed to provide an evolved policy framework, one that’s focused not just not network topology, but rather to be application centric.

To this point, Contrail provides a visualization of application topology, to easily see flows between applications across the network. This is paired with the ability to easily enter in policy requirements in relatively easy to understand language.

A Game of Tags

This application topology is tagged based, rather than looking strictly at packets and networking destinations. The rationale for this is that the network destination often need to change, but the intent surrounding an application rarely does. This tag-based approach lets the workload live anywhere and still not fall through the cracks.

Proscriptive tags include application, deployment, site, tier, and labels. Most of these are self explanatory. In the case of labels, these are more freeform tags, which become useful when working with an application manifest in something like Kubernetes.

Tags can be attached at different levels of the application topography, from global application all the way down through the interface. All of this is enforced at the interface level, built into the router. It’s essentially a collection of tags that will map to a set of policies and define the workloads security posture. The process of forwarding packets contains the policy enforcement in real time.

Contrail also makes visualizing policy interactions very simple. Not only does it come with a sensible UI, it also exposes all underlying data via APIs. So if you have a specific visualization tool or other apps you want to feed directly, it’s easy to do. Out of the box, Contrail visualizations use a ring metaphor. The outer ring represents the combined application and deployment environment: Test/dev, production, etc. The inner ring are the application tiers. The spaghetti of connections represent the flows between application components. Flows marked in blue are explicit protected by policy, while red ones aren’t specifically set. This is an incredibly powerful tool to not only see which application application components are networked, but also where the gaps in your policy fall.

From there, each flow can be clicked into to view all policy information in detail. Again, this isn’t a historic look at flows, but a virtually real-time aggregation.


Being able to offer an information-rich high level visualization with the ability to drill down means you get the best of both worlds. It’s not a single pane of glass, but it allows you to quickly identify where policy is actively stated, where it isn’t, and what application components and sites are implicated. Policy around networks and application are still challenging, but Contrail gives you the tools to meet the needs of scale for policy management.



About the author

Rich Stroffolino

Rich has been a tech enthusiast since he first used the speech simulator on a Magnavox Odyssey². Current areas of interest include ZFS, the false hopes of memristors, and the oral history of Transmeta.

Leave a Comment