Creating a Network Policy—Juniper Networks Contrail
The Contrail Controller makes creating network traffic policies very simple. You work from the self-service user interface to define a policy, then define a rule or rules to be applied in that policy. You can define such things as the type and direction of traffic for the rule, the source and destination of that traffic, traffic originating from or destined for specific ports, the sequence in which to apply a rule, and so on. The following procedure shows how to create a network policy when using Juniper Networks Contrail.
- In the Contrail Web user interface, select Configure > Networking > Policies. The Policies window is displayed.
See Figure 1.
Figure 1: Policies Window

- Click the + icon.
The Create Policy window is displayed. See Figure 2. Click the + icon in the Create Policy window.
Figure 2: Create Policy Window

- Enter the policy name and select the values from the menus in the Create Policy window. Table 1 describes the selections.
Table 1: Create Policy Fields

| Field | Description |
| --- | --- |
| Name | Enter a name for the policy you are creating. |
| Policy Rules | Use this area to define the rules for the policy you are creating. Click the + (plus sign) to open up the fields for defining the rules. Click the - (minus sign) to delete any rule. Multiple rules can be added to a policy. Each policy rule field is described in the following table rows. |
| Action | Define the action to take with traffic that matches the current rule. Select from a list: Pass, Deny. |
| Protocol | Define the protocol associated with traffic for this policy rule. Select from a list of available protocols (or ANY): ANY, TCP, UDP, ICMP. |
| Source | Select the source network for traffic associated with this policy rule. Choose ANY or select from the drop-down menu list of all available sources. Sources are displayed in the form: domain-name:project-name:network-name. |
| Ports | Use this field to specify that traffic from particular source ports is associated with this policy rule. Identify traffic from any port or enter a specific port, a list of ports separated with commas, or a range of ports in the form nnnn-nnnnn. |
| Direction | Define the direction of traffic to match the rule. For traffic moving in and out, select <> (bidirectional). For traffic moving in one direction, select > (unidirectional). |
| Destination | Select the destination network for traffic to match this rule. Choose ANY or select from the drop-down menu of all available destinations. Destinations are displayed in the form: domain-name:project-name:network-name. |
| Destination | Select the destination port for traffic to match this rule. Enter ANY for any destination port or enter a specific port, a list of ports separated with commas, or a range of ports in the form nnnn-nnnnn. |
| Services | Check the box to open a field where you can select from a list of available services to apply to this policy. The services are applied in the order in which they are selected. There is a restricted set of options that can be selected when applying services. For more information about services, see Service Chaining. |
| Mirror | Check the box to open a field where you can select from the list of configured services that you want to mirror in this policy. You can select a maximum of two services to mirror. For more information about mirroring, see Configuring Traffic Analyzers and Packet Capture for Mirroring. |
- When you are finished selecting the rules for this policy, click Save.
The policy you just defined is displayed in the Policy column.
Next, you can associate the policy with a network; see Associating a Network to a Policy—Juniper Networks Contrail.
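As an added example (not part of the Juniper documentation and not Contrail's own API), the following Python code checks rule definitions against the field values listed in Table 1 before they are entered, and flags a Pass rule that leaves every match field at ANY. The dict layout, key names such as `src_ports` and `dst_ports`, and the sample network names are assumptions made for illustration.

```python
import re

ACTIONS, DIRECTIONS = {"pass", "deny"}, {"<>", ">"}
PROTOCOLS = {"any", "tcp", "udp", "icmp"}
NETWORK_RE = re.compile(r"^[^:\s]+:[^:\s]+:[^:\s]+$")  # domain:project:network

def parse_ports(spec):
    """Turn a Ports field into (low, high) tuples; raise ValueError if malformed."""
    if spec.strip().lower() == "any":
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        low, sep, high = (p.strip() for p in part.partition("-"))
        high = high if sep else low          # a single port is a one-port range
        if not (low.isdecimal() and high.isdecimal()
                and 0 <= int(low) <= int(high) <= 65535):
            raise ValueError(f"bad port entry {part.strip()!r}")
        ranges.append((int(low), int(high)))
    return ranges

def check_rule(rule):
    """Return findings for one rule dict; an empty list means nothing to flag."""
    findings = []
    if rule["action"].lower() not in ACTIONS:
        findings.append("action must be Pass or Deny")
    if rule["protocol"].lower() not in PROTOCOLS:
        findings.append("protocol must be ANY, TCP, UDP or ICMP")
    if rule["direction"] not in DIRECTIONS:
        findings.append("direction must be <> or >")
    for side in ("source", "destination"):
        if rule[side].lower() != "any" and not NETWORK_RE.match(rule[side]):
            findings.append(f"{side} is not domain:project:network")
    for field in ("src_ports", "dst_ports"):
        try:
            parse_ports(rule[field])
        except ValueError as exc:
            findings.append(f"{field}: {exc}")
    match_fields = ("protocol", "source", "destination", "src_ports", "dst_ports")
    if rule["action"].lower() == "pass" and all(
            rule[f].strip().lower() == "any" for f in match_fields):
        findings.append("Pass rule matches all traffic between any networks")
    return findings

# Constructed sample rules (hypothetical project and network names).
WEB = {"action": "Pass", "protocol": "TCP", "direction": ">",
       "source": "default-domain:demo:frontend", "src_ports": "ANY",
       "destination": "default-domain:demo:backend", "dst_ports": "443, 8000-8100"}
WIDE_OPEN = dict(WEB, protocol="ANY", source="ANY", destination="ANY", dst_ports="ANY")
MALFORMED = dict(WEB, source="frontend", dst_ports="80-")
```

Calling `check_rule` on each rule of a planned policy, in the order the rules will be applied, gives a quick review list before the values are typed into the Create Policy window.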

