Chapter 13: Network Policy
Introduction
A Network Policy is a set of rules, attached to virtual networks, that allows or denies traffic between those virtual networks.
For example: I want to allow only HTTP and FTP traffic between my two virtual networks and deny all other traffic.
The OpenContrail Network Policy feature achieves this.
Refer to this tutorial before you read the remaining items:
https://github.com/tonyliu0592/opencontrail/wiki/Network-Security
Example:
We have created two virtual networks (N3, N4) and two instances: VM1 belongs to N3, VM2 belongs to N4.
N3 Network - 10.10.10.0/24
N4 Network - 10.20.20.0/24
VM1 instance - 10.10.10.3
VM2 instance - 10.20.20.3
Exercise:
Let's define a network policy that allows traffic between N3 and N4 (allow only ICMP; deny TCP and UDP).
- Create a network policy (using the Contrail REST API)
POST http://contrail-api:8082/network-policys
{
  "network-policy": {
    "parent_type": "project",
    "fq_name": ["default-domain", "demo", "policy3"],
    "network_policy_entries": {
      "policy_rule": [
        {
          "direction": "<>", "protocol": "tcp",
          "dst_addresses": [{"virtual_network": "default-domain:demo:N3"}],
          "action_list": {"simple_action": "deny"},
          "src_addresses": [{"virtual_network": "default-domain:demo:N4"}],
          "src_ports": [{"end_port": -1, "start_port": -1}],
          "dst_ports": [{"end_port": -1, "start_port": -1}]
        },
        {
          "direction": "<>", "protocol": "udp",
          "dst_addresses": [{"virtual_network": "default-domain:demo:N3"}],
          "action_list": {"simple_action": "deny"},
          "src_addresses": [{"virtual_network": "default-domain:demo:N4"}],
          "src_ports": [{"end_port": -1, "start_port": -1}],
          "dst_ports": [{"end_port": -1, "start_port": -1}]
        },
        {
          "direction": "<>", "protocol": "icmp",
          "dst_addresses": [{"virtual_network": "default-domain:demo:N3"}],
          "action_list": {"simple_action": "pass"},
          "src_addresses": [{"virtual_network": "default-domain:demo:N4"}],
          "src_ports": [{"end_port": -1, "start_port": -1}],
          "dst_ports": [{"end_port": -1, "start_port": -1}]
        }
      ]
    }
  }
}
- Associate the policy with networks N3 and N4 (one PUT per virtual network, each addressed by that network's own UUID)
PUT http://contrail-api:8082/virtual-network/93a5a71a-7c65-448e-97a0-e7ea609aa05a
{
  "virtual-network": {
    "fq_name": ["default-domain", "demo", "N4"],
    "network_policy_refs": [
      {"to": ["default-domain", "demo", "policy3"], "attr": {"sequence": {"major": 0, "minor": 0}}}
    ]
  }
}
PUT http://contrail-api:8082/virtual-network/<uuid-of-N3>
{
  "virtual-network": {
    "fq_name": ["default-domain", "demo", "N3"],
    "network_policy_refs": [
      {"to": ["default-domain", "demo", "policy3"], "attr": {"sequence": {"major": 0, "minor": 0}}}
    ]
  }
}
Replace <uuid-of-N3> with the UUID of the N3 virtual network (each virtual network has its own UUID; GET http://contrail-api:8082/virtual-networks lists them).
That's all.
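The two steps above (create policy3, then attach it to N3 and N4) as one script. This is an added example, not code from the tutorial or from the OpenContrail project: it builds the same JSON bodies with small helper functions, sends them to the config API with the standard library, and also evaluates locally which flows the policy will pass. The local check models Contrail's first-match rule order, "<>" matching both directions, and the default deny for traffic between two different virtual networks (which is why an inter-network flow with no matching rule comes back as deny). The API host, the <uuid-of-N3>/<uuid-of-N4> placeholders and the helper names are assumptions.

```python
"""Added example (not from the tutorial): build policy3 and the N3/N4
policy refs, send them to the Contrail config API, and check locally
which flows the policy passes. Models first-match rule order and the
default deny between different virtual networks (assumption stated in
the lead-in). API host and VN UUIDs are placeholders."""
import json
import urllib.request

API = "http://contrail-api:8082"  # assumed host, as in the tutorial

ANY_PORT = [{"start_port": -1, "end_port": -1}]  # -1/-1 means all ports


def make_rule(protocol, src_vn, dst_vn, action, direction="<>"):
    """One policy_rule entry in the shape the config API expects."""
    return {
        "direction": direction,
        "protocol": protocol,
        "src_addresses": [{"virtual_network": src_vn}],
        "dst_addresses": [{"virtual_network": dst_vn}],
        "src_ports": ANY_PORT,
        "dst_ports": ANY_PORT,
        "action_list": {"simple_action": action},
    }


def make_policy(name, rules, domain="default-domain", project="demo"):
    """Body for POST /network-policys."""
    return {
        "network-policy": {
            "parent_type": "project",
            "fq_name": [domain, project, name],
            "network_policy_entries": {"policy_rule": rules},
        }
    }


def make_policy_ref(vn_fq_name, policy_fq_name, major=0, minor=0):
    """Body for PUT /virtual-network/<uuid>: attach the policy at the
    given sequence number (lower sequence is evaluated first)."""
    return {
        "virtual-network": {
            "fq_name": vn_fq_name,
            "network_policy_refs": [
                {"to": policy_fq_name,
                 "attr": {"sequence": {"major": major, "minor": minor}}}
            ],
        }
    }


def send(method, path, body):
    """Send one JSON request to the config API and return the decoded reply."""
    req = urllib.request.Request(API + path, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method=method)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def flow_action(policy, protocol, src_vn, dst_vn):
    """Local check: first matching rule wins; "<>" matches either
    direction; no match between two different VNs means deny, while
    traffic inside one VN is passed by default."""
    for rule in policy["network-policy"]["network_policy_entries"]["policy_rule"]:
        if rule["protocol"] not in ("any", protocol):
            continue
        rule_src = {a["virtual_network"] for a in rule["src_addresses"]}
        rule_dst = {a["virtual_network"] for a in rule["dst_addresses"]}
        forward = src_vn in rule_src and dst_vn in rule_dst
        reverse = rule["direction"] == "<>" and src_vn in rule_dst and dst_vn in rule_src
        if forward or reverse:
            return rule["action_list"]["simple_action"]
    return "pass" if src_vn == dst_vn else "deny"


N3, N4 = "default-domain:demo:N3", "default-domain:demo:N4"
POLICY3 = make_policy("policy3", [
    make_rule("tcp", N4, N3, "deny"),
    make_rule("udp", N4, N3, "deny"),
    make_rule("icmp", N4, N3, "pass"),
])

if __name__ == "__main__":
    # Apply the configuration; the two UUIDs are placeholders to fill in.
    send("POST", "/network-policys", POLICY3)
    for uuid, fq in (("<uuid-of-N3>", ["default-domain", "demo", "N3"]),
                     ("<uuid-of-N4>", ["default-domain", "demo", "N4"])):
        send("PUT", "/virtual-network/" + uuid,
             make_policy_ref(fq, ["default-domain", "demo", "policy3"]))
    for proto in ("icmp", "tcp", "udp"):
        print(proto, "N3->N4:", flow_action(POLICY3, proto, N3, N4))
```

Because inter-network traffic is denied when no rule matches, the explicit tcp and udp deny rules change nothing for those two protocols; they do document the intent, and they would still block tcp/udp if someone later appended a broad "any -> pass" rule after them, since the first match wins.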
- Verify the routing instances of N3 and N4 in the contrail-control introspect
http://contrail-control:8083/Snh_ShowRoutingInstanceReq?search_string=
Both networks will import each other's route target;
check the "import_target" column.
- Verify the N3 and N4 VRFs. Each VRF should hold the other network's routes so that it can forward the packets.
http://contrail-vrouter-agent:8085/Snh_VrfListReq?name=
Open the N3 virtual network, then the UC index link, to see the routing table; both networks' routes must be present.
- Verify the network policy applied to the virtual network.
http://contrail-vrouter-agent:8085/Snh_VnListReq?name=&uuid=&vxlan_id=&ipam_name=
1. Under the virtual network (N3 and N4), you can see the associated ACL.
2. Open the ACL.
You can see your defined network policy rules.
- Log in to each VM and ping the other; ICMP should succeed while TCP and UDP traffic is dropped.
References:
https://github.com/tonyliu0592/opencontrail/wiki/Network-Security