Creating Virtual Networks and Policies in OpenStack Contrail
Creating a Virtual Network—OpenStack Contrail
Contrail makes creating a virtual network very easy for you. You create networks and network policies at the user dashboard, then associate policies with each network. The following procedure shows how to create a virtual network when using OpenStack.
- Select Project > Other > Networking. The Networks window is displayed. See Figure 1.
Figure 1: Networks Window

- Verify that the correct project is displayed in the Current Project box, then click Create Network.
The Create Network window is displayed. See Figure 2 and Figure 3.
Figure 2: Create Network Window

Figure 3: Create Network Window Subnet Tab

- Click the Network, Subnet, Subnet Detail, and Associate Network Policies tabs to complete the fields in the Create Network window. See the field descriptions in Table 1.
Table 1: Create Network Fields
| Field | Description |
| --- | --- |
| Network Name | Enter a name for the network. |
| Subnet Name | Enter a name for the subnetwork. |
| IPAM | Select the IPAM associated with the IP block. For new projects, an IPAM can be added while creating the virtual network. VM instances created in this virtual network are assigned an address from this address block automatically by the system when a VM is launched. |
| Network Address | Enter the network address in CIDR format. |
| IP Version* | Select IPv4 or IPv6. |
| Gateway IP | Optionally, enter an explicit gateway IP address for the IP address block. Check the Disable Gateway box if no gateway is to be used. |
| Network Policy | Any policies already created are listed. To select a policy, click the check box for the policy. |
- Click the Subnet Details tab to specify the Allocation Pool, DNS Name Servers, and Host Routes.
- Click the Associate Network Policies tab to associate policies to the network.
- To save your network, click Create Network, or click Cancel to discard your work and start over.
Deleting a Virtual Network–OpenStack Contrail
You can delete any of the virtual networks in your system. However, you must first disassociate any virtual machines (instances) that are associated with that network. The following procedure shows how to delete a virtual network when using OpenStack.
- To view virtual machines that are associated with a virtual network, in the OpenStack module, select Project > Other > Networking. The Networks window is displayed. See Figure 4.
Figure 4: OpenStack Networks

- In the Networks window, select the network to be deleted.
The Network Detail screen appears; see Figure 5.
Figure 5: OpenStack Network Detail, Associated Instances Tab

- Click the Associated Instances tab to see the instances associated with this network.
Make note of the IP addresses of any instances that are associated with this network.
- In the Project tab, select Instances.
The Instances screen appears, displaying the instances associated with the current project; see Figure 6.
Figure 6: Instances

- On the Instances screen, click the check box for any instance that is associated with the network that you want to delete, then click Terminate Instances to delete the instance.
- When all instances that are associated with the network to be deleted have been terminated, delete the network.
To delete a network, return to the Networks screen (see Figure 4), select the network to be deleted, then click Delete Networks in the upper right.
Creating a Network Policy—OpenStack Contrail
Contrail makes creating network traffic policies very simple. You work from the self-service user interface to define a policy, then define a rule or rules to be applied in that policy. You can define such things as the type and direction of traffic for the rule, the source and destination of that traffic, traffic originating from or destined for specific ports, the sequence in which to apply a rule, and so on. The following procedure shows how to create a network policy when using OpenStack.
- On the OpenStack dashboard, make sure your project is displayed in the Current Project box, click Networking, and then click the Network Policy tab to display the Network Policy screen; see Figure 7.
Figure 7: Network Policy

- Click Create Policy at the upper right.
The Create Network Policy window is displayed; see Figure 8.
Figure 8: Create Network Policy

- Enter a name and a description for this policy. Names cannot include spaces.
- When finished, click Create Policy on the lower right.
Your policy is created and it appears in the Network Policy window; see Figure 9.
Figure 9: Network Policy

- In the Network Policy window, click the check box for your new policy, then click Edit Rules for that policy.
The Edit Policy Rules window is displayed; see Figure 10.
Figure 10: Edit Policy Rules

- Define the rules for your policy, using the guidelines in Table 2.
Table 2: Edit Policy Rules Fields
| Field | Description |
| --- | --- |
| Policy Rules Details | This section of the window displays any rules that have already been created for this policy. |
| Id | Displays a sequential number identifier for each rule within a policy. |
| Rule Details | Displays a description of the rule on this line. |
| Actions | Available actions for the rule on this line appear in this column. Currently you can use the Delete button in this column to delete a rule. |
| Sequence Id | This field lets you define the order in which to apply the current rule. Select from a list: Last Rule, First Rule, After Rule. |
| Action | Define the action to take with traffic that matches the current rule. Select from a list: Pass, Deny. |
| Direction | Define the direction in which to apply the rule, for example, to traffic moving in and out, or only to traffic moving in one direction. Select from a list: Bidirectional, Unidirectional. |
| IP Protocol | Select from a list of available protocols (or ANY): ANY, TCP, UDP, ICMP. |
| Source Net | Select the source network for this rule. Choose Local (any network to which this policy is associated), Any (all networks created under the current project), or select from the drop-down list of all available sources, shown in the form domain-name:project-name:network-name. |
| Source Ports | Accept traffic from any port or enter a specific port, a list of ports separated with commas, or a range of ports in the form nnnn-nnnnn. |
| Destination Net | Select the destination network for this rule. Choose Local (any network to which this policy is associated), Any (all networks created under the current project), or select from the drop-down list of all available destinations, shown in the form domain-name:project-name:network-name. |
| Destination Ports | Send traffic to any port or enter a specific port, a list of ports separated with commas, or a range of ports in the form nnnn-nnnnn. |
- When you are finished selecting the rules for this policy, click Add Rule on the lower right of the Edit Policy Rules window.
Next, you can associate the policy with a network; see Associating a Network to a Policy—OpenStack Contrail.
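The rule fields in Table 2 can be reviewed before a policy is associated with a network. The following added example (not part of the original documentation and not Contrail's API) flags Pass rules whose scope is wider than a single narrow flow; the dictionary keys, the `any` port spelling, the 1024-port threshold, and the sample network names are assumptions.

```python
# Added example. Rule dicts mirror the Table 2 field names; they are not Contrail API objects.
def parse_ports(spec):
    """Turn a Ports value ('any', '80', '53,8000-9999') into sorted (lo, hi) ranges."""
    if spec.strip().lower() == "any":          # assumed spelling for "any port"
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)         # a single port is the range lo-lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ranges.append((lo, hi))
    return sorted(ranges)

def audit_rule(rule, wide_ports=1024):
    """List the ways one Pass rule opens more than a narrowly scoped flow."""
    if rule["action"].lower() != "pass":
        return []                               # Deny rules do not widen exposure
    findings = []
    if rule["protocol"].upper() == "ANY":
        findings.append("passes every IP protocol")
    for side in ("source_net", "destination_net"):
        if rule[side].lower() == "any":
            findings.append(f"{side} is Any (all networks in the project)")
    if rule["protocol"].upper() in ("TCP", "UDP"):
        ports = {p for lo, hi in parse_ports(rule["destination_ports"]) for p in range(lo, hi + 1)}
        if len(ports) > wide_ports:             # the set avoids double-counting overlaps
            findings.append(f"destination ports cover {len(ports)} ports")
    if findings and rule["direction"].lower() == "bidirectional":
        findings.append("bidirectional, so the exposure applies both ways")
    return findings

def audit_policy(rules):
    report = {i: audit_rule(r) for i, r in enumerate(rules, 1)}  # 1-based rule position
    return {i: f for i, f in report.items() if f}                # keep only flagged rules

def make_rule(action, direction, protocol, src, dst, dports):
    return {"action": action, "direction": direction, "protocol": protocol,
            "source_net": src, "destination_net": dst, "destination_ports": dports}

POLICY = [  # constructed sample rules, listed in sequence order
    make_rule("Pass", "Bidirectional", "TCP", "Local", "default-domain:demo:db-net", "5432"),
    make_rule("Pass", "Bidirectional", "ANY", "Any", "Any", "any"),
    make_rule("Pass", "Unidirectional", "UDP", "Local", "default-domain:demo:svc-net", "53,8000-9999"),
]

if __name__ == "__main__":
    for rule_id, findings in audit_policy(POLICY).items():
        print(f"rule {rule_id}: " + "; ".join(findings))
```

In the sample, the second rule passes every protocol between all networks in the project in both directions, which removes the isolation a virtual network otherwise provides.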
Associating a Network to a Policy—OpenStack Contrail
Associating Network Policies Overview
Contrail helps you create and manage virtual networks (VNs). By default, all traffic in a VN is isolated to that VN. Traffic can only leave a VN by means of network policies that are defined for the VN.
This procedure shows how to associate a network policy with a network when using OpenStack.
Associating a Network Policy to a Network
- Using the OpenStack Networking module, select the Project tab and click Networking.
The Networks window is displayed; see Figure 11.
Figure 11: Networks Screen

- Click the check box to select the network you want to associate with a policy, then click the drop-down box in the Actions column and select Edit Policy.
The Edit Network Policy window is displayed; see Figure 12.
Available network policies are listed in the Edit Network Policy window.
Figure 12: Edit Network Policy

- Click the check box of any policies to be associated with the selected network.
- When finished, click Save Changes.

