    Creating a Network Policy with Juniper Networks Contrail

    The Contrail Controller makes creating network traffic policies very simple. You work from the self-service user interface to define a policy, then define a rule or rules to be applied in that policy. You can define such parameters as the type and direction of traffic for the rule, the source and destination of that traffic, traffic originating from or destined for specific ports, the sequence in which to apply a rule, and so on.

    To create a network policy when using Juniper Networks Contrail:

    1. In the Contrail Web user interface, select Configure > Networking > Policies. The Policies window is displayed. See Figure 1.

      Figure 1: Policies Window

    2. Click the + icon.

      The Create Policy window is displayed. See Figure 2. Click the + icon in the Create Policy window.

      Figure 2: Create Policy Window

    3. Enter the policy name and select the values from the menus in the Create Policy window. Table 1 describes the selections.

      Table 1: Create Policy Fields

      | Field | Description |
      |-------|-------------|
      | Name | Enter a name for the policy you are creating. |
      | Policy Rules | Use this area to define the rules for the policy you are creating. Click the + (plus sign) to open up the fields for defining the rules. Click the - (minus sign) to delete any rule. Multiple rules can be added to a policy. Each policy rule field is described in the following table rows. |
      | Action | Define the action to take with traffic that matches the current rule. Select from a list: Pass, Deny. |
      | Protocol | Define the protocol associated with traffic for this policy rule. Select from a list of available protocols (or ANY): ANY, TCP, UDP, ICMP. |
      | Source | Select the source network for traffic associated with this policy rule. Choose ANY or select from the menu list of all available sources. Sources are displayed in the form: domain-name:project-name:network-name. |
      | Ports | Use this field to specify that traffic from particular source ports is associated with this policy rule. Identify traffic from any port or enter a specific port, a list of ports separated with commas, or a range of ports in the form nnnn-nnnnn. |
      | Direction | Define the direction of traffic to match the rule. For traffic moving in and out, select <> (bidirectional). For traffic moving in one direction, select > (unidirectional). |
      | Destination | Select the destination network for traffic to match this rule. Choose ANY or select from the menu of all available destinations. Destinations are displayed in the form: domain-name:project-name:network-name. |
      | Destination | Select the destination port for traffic to match this rule. Enter ANY for any destination port or enter a specific port, a list of ports separated with commas, or a range of ports in the form nnnn-nnnnn. |
      | Services | Select this check box to open a field where you can select from a list of available services to apply to this policy. The services are applied in the order in which they are selected. There is a restricted set of options that can be selected when applying services. For more information about services, see Service Chaining. |
      | Mirror | Select this check box to open a field where you can select from the list of configured services that you want to mirror in this policy. You can select a maximum of two services to mirror. For more information about mirroring, see Configuring Traffic Analyzers and Packet Capture for Mirroring. |

    4. When you are finished selecting the rules for this policy, click Save.

      The policy you just defined is displayed in the Policy column.

    Next, you can associate the policy with a network; see Associating a Network to a Policy—Juniper Networks Contrail.
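An added example, not part of the Juniper documentation and not Contrail's own code: a small Python model of how the rule fields in Table 1 combine, for reviewing a draft policy before entering it in the UI. It assumes rules are checked in listed order with the first match deciding, that unmatched traffic is denied, and that ports run 0-65535; the network names and the `broad_pass_rules` review heuristic are constructed for illustration.

```python
from dataclasses import dataclass
def parse_ports(spec):
    """Ports field forms from Table 1: ANY, one port, comma list, low-high range."""
    if spec.strip().upper() == "ANY":
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ranges.append((lo, hi))
    return ranges

def _side(net, ports, flow_net, flow_port):
    net_ok = net.upper() == "ANY" or net == flow_net
    return net_ok and any(lo <= flow_port <= hi for lo, hi in parse_ports(ports))

@dataclass
class Rule:
    action: str      # "pass" or "deny"
    protocol: str    # "any", "tcp", "udp" or "icmp"
    src: str         # "ANY" or domain-name:project-name:network-name
    src_ports: str
    direction: str   # "<>" bidirectional, ">" unidirectional
    dst: str
    dst_ports: str
    def matches(self, proto, s_net, s_port, d_net, d_port):
        if self.protocol.lower() not in ("any", proto.lower()):
            return False
        fwd = (_side(self.src, self.src_ports, s_net, s_port)
               and _side(self.dst, self.dst_ports, d_net, d_port))
        rev = (_side(self.src, self.src_ports, d_net, d_port)
               and _side(self.dst, self.dst_ports, s_net, s_port))
        return fwd or (self.direction == "<>" and rev)

def evaluate(rules, *flow):  # assumed: first match wins, no match means deny
    return next((r.action for r in rules if r.matches(*flow)), "deny")

def broad_pass_rules(rules):
    """Review heuristic: Pass rules with an ANY network or ANY destination ports."""
    return [i for i, r in enumerate(rules) if r.action == "pass"
            and "ANY" in (r.src.upper(), r.dst.upper(), r.dst_ports.strip().upper())]

WEB, APP, DB = (f"default-domain:demo:{n}" for n in ("web", "app", "db"))  # constructed
POLICY = [
    Rule("deny", "tcp", "ANY", "ANY", ">", DB, "22"),
    Rule("pass", "tcp", WEB, "ANY", ">", DB, "3306,5432"),
    Rule("pass", "any", WEB, "ANY", "<>", APP, "ANY")]
```

Calling `evaluate(POLICY, "tcp", WEB, 40000, DB, 3306)` returns the action for a new flow, and `broad_pass_rules(POLICY)` lists the rule indexes worth a second look before saving.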

    Modified: 2016-07-13