Creating Virtual Networks and Policies in Juniper Networks Contrail
Creating a Virtual Network—Juniper Networks Contrail
Contrail makes creating a virtual network very easy for a self-service user. You create networks and network policies at the user dashboard, then associate policies with each network. The following procedure shows how to create a virtual network when using Juniper Networks Contrail.
- Before creating a virtual network, create an IP address management (IPAM) for your project. Select Configure > Networking > IP Address Management, then click the Create button.
The Add IP Address Management window appears; see Figure 1.
Figure 1: Add IP Address Management

- Complete the fields in Add IP Address Management. The fields are described in Table 1.
Table 1: Add IP Address Management Fields
| Field | Description |
| --- | --- |
| Name | Enter a name for the IPAM you are creating. |
| DNS Method | Select from a drop-down list the domain name server method for this IPAM: Default, Virtual DNS, Tenant, or None. |
| NTP Server IP | Enter the IP address of an NTP server to be used for this IPAM. |
| Domain Name | Enter a domain name to be used for this IPAM. |
- Select Configure > Networking > Networks to access the Configure Networks screen; see Figure 2.
Figure 2: Configure Networks

- Verify that your project is displayed as active in the upper right field, then click the icon.
The Create Network window is displayed. See Figure 3. Use the scroll bar to access all sections of this window.
Figure 3: Create Network

- Complete the fields in the Create Network window with values that identify the network name, network policy, and IP options as needed. See field descriptions in Table 2.
Table 2: Create Network Fields
| Field | Description |
| --- | --- |
| Name | Enter a name for the virtual network you are creating. |
| Network Policy(s) | Select the policy to be applied to this network from the drop-down list of available policies. You can select more than one policy by clicking each one needed. |
| Subnets | Use this area to identify and manage subnets for this virtual network. Click the + icon to open fields for IPAM, CIDR, Allocation Pools, Gateway, DNS, and DHCP. Select the subnet to be added from a drop-down list in the IPAM field. Complete the remaining fields as necessary. You can add multiple subnets to a network. When finished, click the + icon to add the selections into the columns below the fields, or click the - icon to remove the selections. |
| Host Routes | Use this area to add or remove host routes for this network. Click the + icon to open fields where you can enter the Route Prefix and the Next Hop. Click the + icon to add the information, or click the - icon to remove the information. |
| Advanced Options | Use this area to add or remove advanced options, including setting the Admin State to Up or Down, identifying the network as Shared or External, adding DNS servers, or defining a VxLAN Identifier. |
| Floating IP Pools | Use this area to identify and manage the floating IP address pools for this virtual network. Click the + icon to open fields where you can enter the Pool Name and Projects. Click the + icon to add the information, or click the - icon to remove the information. |
| Route Target(s) | Move the scroll bar down to access this area, then specify one or more route targets for this virtual network. Click the + icon to open fields where you can enter route target identifiers. Click the + icon to add the information, or click the - icon to remove the information. |
- To save your network, click the Save button, or click Cancel to discard your work and start over.
Now you can create a network policy; see Creating a Network Policy—Juniper Networks Contrail.
Deleting a Virtual Network–Juniper Networks Contrail
You can delete any of the virtual networks in your system. However, you must first disassociate any virtual machines (instances) that are associated with that network. Use OpenStack to view and delete the virtual machines associated with a virtual network; see Deleting a Virtual Network–OpenStack Contrail. When you are finished deleting the virtual machines associated with a virtual network, you can delete the network in OpenStack, or you can delete the network in Juniper Networks Contrail, using the following procedure.
- To view the virtual networks in the current project, select Configure > Networks. The Configure Networks window is displayed. See Figure 4.
Figure 4: Configure Networks

- Select the network you want to delete, then click the Delete (trashcan) icon at the top right. A confirm window is displayed.
- Click Confirm to delete the network, or click Cancel to quit the delete activity.
Creating a Network Policy—Juniper Networks Contrail
The Contrail Controller makes creating network traffic policies very simple. You work from the self-service user interface to define a policy, then define a rule or rules to be applied in that policy. You can define such things as the type and direction of traffic for the rule, the source and destination of that traffic, traffic originating from or destined for specific ports, the sequence in which to apply a rule, and so on. The following procedure shows how to create a network policy when using Juniper Networks Contrail.
- In the Contrail Web user interface, select Configure > Networking > Policies. The Policies window is displayed. See Figure 5.
Figure 5: Policies Window

- Click the + icon.
The Create Policy window is displayed. See Figure 6. Click the + icon in the Create Policy window.
Figure 6: Create Policy Window

- Enter the policy name and select the values from the menus in the Create Policy window. Table 3 describes the selections.
Table 3: Create Policy Fields
| Field | Description |
| --- | --- |
| Name | Enter a name for the policy you are creating. |
| Policy Rules | Use this area to define the rules for the policy you are creating. Click the + (plus sign) to open up the fields for defining the rules. Click the - (minus sign) to delete any rule. Multiple rules can be added to a policy. Each policy rule field is described in the following table rows. |
| Action | Define the action to take with traffic that matches the current rule. Select from a list: Pass, Deny. |
| Protocol | Define the protocol associated with traffic for this policy rule. Select from a list of available protocols (or ANY): ANY, TCP, UDP, ICMP. |
| Source | Select the source network for traffic associated with this policy rule. Choose ANY or select from the drop-down menu list of all available sources. Sources are displayed in the form: domain-name:project-name:network-name. |
| Ports | Use this field to specify that traffic from a particular source port or ports is associated with this policy rule. Identify traffic from any port or enter a specific port, a list of ports separated with commas, or a range of ports in the form nnnn-nnnnn. |
| Direction | Define the direction of traffic to match the rule. For traffic moving in and out, select <> (bidirectional). For traffic moving in one direction, select > (unidirectional). |
| Destination | Select the destination network for traffic to match this rule. Choose ANY or select from the drop-down menu of all available destinations. Destinations are displayed in the form: domain-name:project-name:network-name. |
| Destination | Select the destination port for traffic to match this rule. Enter ANY for any destination port or enter a specific port, a list of ports separated with commas, or a range of ports in the form nnnn-nnnnn. |
| Services | Check the box to open a field where you can select from a list of available services to apply to this policy. The services are applied in the order in which they are selected. There is a restricted set of options that can be selected when applying services. For more information about services, see Service Chaining. |
| Mirror | Check the box to open a field where you can select from the list of configured services that you want to mirror in this policy. You can select a maximum of two services to mirror. For more information about mirroring, see Configuring Traffic Analyzers and Packet Capture for Mirroring. |
- When you are finished selecting the rules for this policy, click Save.
The policy you just defined is displayed in the Policy column.
Next you can associate the policy to a network; see Associating a Network to a Policy—Juniper Networks Contrail.
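To review a rule set before saving it, the Table 3 fields can be modelled offline and test flows run against them. The following is an added example, not Contrail code or its API: the `Rule` class, the first-match ordering, the deny result for unmatched traffic, the swapped-endpoint handling of `<>`, and the network names are all assumptions of this sketch.

```python
# Added example: a local model of the Table 3 rule fields, not Contrail code.
from dataclasses import dataclass

def parse_ports(spec):
    """'ANY', '443', '80,443' or '8000-8080' -> list of (low, high) ranges."""
    if spec.strip().upper() == "ANY":
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        low, high = int(low), int(high or low)
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ranges.append((low, high))
    return ranges

@dataclass
class Rule:
    action: str       # "pass" or "deny"
    protocol: str     # "any", "tcp", "udp" or "icmp"
    source: str       # "any" or domain-name:project-name:network-name
    src_ports: str
    direction: str    # "<>" bidirectional, ">" unidirectional
    destination: str
    dst_ports: str

def _side(net, ports, flow_net, flow_port):
    in_net = net.lower() == "any" or net == flow_net
    return in_net and any(lo <= flow_port <= hi for lo, hi in parse_ports(ports))

def matches(rule, proto, src, sport, dst, dport):
    if rule.protocol.lower() not in ("any", proto.lower()):
        return False
    forward = (_side(rule.source, rule.src_ports, src, sport)
               and _side(rule.destination, rule.dst_ports, dst, dport))
    # Assumption: "<>" also matches the same rule with the endpoints swapped.
    reverse = (rule.direction == "<>"
               and _side(rule.source, rule.src_ports, dst, dport)
               and _side(rule.destination, rule.dst_ports, src, sport))
    return forward or reverse

def evaluate(rules, proto, src, sport, dst, dport):
    """Assumed first-match ordering; unmatched traffic stays isolated (deny)."""
    for rule in rules:
        if matches(rule, proto, src, sport, dst, dport):
            return rule.action
    return "deny"

# Constructed sample: web-vn may reach db-vn on TCP 5432 and 8000-8080 only.
WEB, DB = "default-domain:demo:web-vn", "default-domain:demo:db-vn"
POLICY = [Rule("deny", "tcp", WEB, "ANY", ">", DB, "22,3389"),
          Rule("pass", "tcp", WEB, "ANY", ">", DB, "5432,8000-8080")]
```

Running `evaluate` over the flows you expect to be allowed and blocked shows whether a Pass rule with ANY in a field admits more traffic than intended.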
Associating a Network to a Policy—Juniper Networks Contrail
Associating Network Policies Overview
Contrail helps you create and manage virtual networks (VNs). By default, all traffic in a VN is isolated to that VN. Traffic can only leave a VN by means of network policies that are defined for the VN.
This procedure shows how to associate a network policy with a network, using the Juniper Networks Contrail interface.
If you did not associate an existing network policy when you created your virtual network, you can use the Network Policy(s) field in the Edit Network window, or you can use the Associate Networks field in the Edit Policy window to associate or disassociate network policies with networks. The following procedures demonstrate both methods.
Associating a Network Policy to a Network
This procedure shows how to attach (associate) a network policy to a network when starting from the Edit Network window.
- Select Configure > Networking > Networks; see Figure 7.
Make sure your project is the active project in the upper right.
Figure 7: Configure > Networking > Networks

- Select the network you want to associate with a policy, then in the Action column, click the gear wheel icon and select Edit.
The Edit Network window for the selected network is displayed; see Figure 8.
Figure 8: Edit Network

- Click the Network Policy(s) field to show a list of existing policies, and then select a policy to associate with the selected network.
You can also disassociate a selected policy by clicking the - next to its name when it appears configured in the Network Policy(s) field.
- When you are finished, click Save, or click Cancel to undo your selections.

