Creating a Network Policy—OpenStack Contrail
Contrail makes creating network traffic policies very simple. You work from the self-service user interface to define a policy, then define a rule or rules to be applied in that policy. You can define such things as the type and direction of traffic for the rule, the source and destination of that traffic, traffic originating from or destined for specific ports, the sequence in which to apply a rule, and so on. The following procedure shows how to create a network policy when using OpenStack.
- On the OpenStack dashboard, make sure your project is displayed in the Current Project box, click Networking, and then click the Network Policy tab to display the Network Policy screen; see Figure 1.
Figure 1: Network Policy

- Click Create Policy at the upper right.
The Create Network Policy window is displayed; see Figure 2.
Figure 2: Create Network Policy

- Enter a name and a description for this policy. Names cannot include spaces.
- When finished, click Create Policy on the lower right.
Your policy is created and it appears in the Network Policy window; see Figure 3.
Figure 3: Network Policy

- In the Network Policy window, click the check box for your new policy, then click Edit Rules for that policy.
The Edit Policy Rules window is displayed; see Figure 4.
Figure 4: Edit Policy Rules

- Define the rules for your policy, using the guidelines in Table 1.
Table 1: Edit Policy Rules Fields

| Field | Description |
|---|---|
| Policy Rules Details | This section of the window displays any rules that have already been created for this policy. |
| Id | Displays a sequential number identifier for each rule within a policy. |
| Rule Details | Displays a description of the rule on this line. |
| Actions | Available actions for the rule on this line appear in this column. Currently you can use the Delete button in this column to delete a rule. |
| Sequence Id | This field lets you define the order in which to apply the current rule. Select from a list: Last Rule, First Rule, After Rule. |
| Action | Define the action to take with traffic that matches the current rule. Select from a list: Pass, Deny. |
| Direction | Define the direction in which to apply the rule, for example, to traffic moving in and out, or only to traffic moving in one direction. Select from a list: Bidirectional, Unidirectional. |
| IP Protocol | Select from a list of available protocols (or ANY): ANY, TCP, UDP, ICMP. |
| Source Net | Select the source network for this rule. Choose Local (any network to which this policy is associated), Any (all networks created under the current project) or select from a list of all sources available displayed in the drop-down list, in the form: domain-name:project-name:network-name. |
| Source Ports | Accept traffic from any port or enter a specific port, a list of ports separated with commas, or a range of ports in the form nnnn-nnnnn. |
| Destination Net | Select the destination network for this rule. Choose Local (any network to which this policy is associated), Any (all networks created under the current project) or select from a list of all destinations available displayed in the drop-down list, in the form: domain-name:project-name:network-name. |
| Destination Ports | Send traffic to any port or enter a specific port, a list of ports separated with commas, or a range of ports in the form nnnn-nnnnn. |
- When you are finished selecting the rules for this policy, click Add Rule on the lower right of the Edit Policy Rules window.
Next, you can associate the policy with a network; see Associating a Network to a Policy—OpenStack Contrail.
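To review a rule set before entering it in the Edit Policy Rules window, the fields of Table 1 can be modelled offline. The following is an added example, not Contrail code: the names `parse_ports`, `Rule`, `place` and `evaluate` are hypothetical, and it assumes that the first matching rule in sequence decides, that unmatched traffic is denied, and that a bidirectional rule also matches the reverse flow. It accepts mixed comma lists and ranges in a ports field and does not model the Local network choice.

```python
from dataclasses import dataclass
def parse_ports(spec):
    """Ports field: 'any', one port, a comma list, or a lo-hi range."""
    if spec.strip().lower() == "any":
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        # "80" -> (80, 80); "80-90" -> (80, 90); int() raises ValueError on junk
        lo, hi = (int(x) for x in (part.strip().split("-", 1) * 2)[:2])
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range: {part!r}")
        ranges.append((lo, hi))
    return ranges

def in_ports(spec, port):
    return any(lo <= port <= hi for lo, hi in parse_ports(spec))

@dataclass
class Rule:
    action: str      # "pass" or "deny"
    direction: str   # "bidirectional" or "unidirectional"
    protocol: str    # "any", "tcp", "udp" or "icmp"
    src_net: str     # "any" or domain-name:project-name:network-name
    src_ports: str
    dst_net: str
    dst_ports: str

    def one_way(self, proto, src, sport, dst, dport):
        return (self.protocol in ("any", proto)
                and self.src_net in ("any", src) and self.dst_net in ("any", dst)
                and in_ports(self.src_ports, sport) and in_ports(self.dst_ports, dport))
    def matches(self, proto, src, sport, dst, dport):
        # Assumption: a bidirectional rule also matches the reverse flow.
        return self.one_way(proto, src, sport, dst, dport) or (
            self.direction == "bidirectional"
            and self.one_way(proto, dst, dport, src, sport))

def place(rules, rule, where="last", after_id=1):
    """Sequence Id: 'first', 'last', or 'after' the rule whose 1-based Id is after_id."""
    index = {"first": 0, "last": len(rules), "after": after_id}[where]
    return rules[:index] + [rule] + rules[index:]

def evaluate(rules, flow, default="deny"):
    """Assumption: the first matching rule in sequence decides; no match is denied."""
    return next((r.action for r in rules if r.matches(*flow)), default)

# Constructed sample: a broad TCP pass rule, then an SSH deny placed as First Rule.
POLICY = place([Rule("pass", "bidirectional", "tcp", "any", "any", "any", "any")],
               Rule("deny", "unidirectional", "tcp", "any", "any", "any", "22"), "first")
```

Placing the same deny rule as Last Rule instead would leave it unreachable under the first-match assumption, because the broad pass rule ahead of it already matches every TCP flow.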

