Hello Doug,

Thanks for your response. Sorry I wasn't clear: by router I meant the logical router which can be created from the Contrail GUI (from Configure -> Networking -> Routers). I know that vrouter is installed on Contrail compute nodes.

Now I understand that network policy adds forwarding rules to allow response packets to arrive at their destination. However, after I sent the e-mail to the Contrail dev list, I also sent echo requests (ping) from VM2 to VM1, and VM1 sent echo replies. Please remember that the network policy I added had the following syntax: Protocol: ANY, Source VN1, Destination VN2, unidirectional (from VN1 to VN2 only), port: ANY. Therefore, ping from VM2 to VM1 shouldn't have worked, since the network policy direction is not respected.

Does anyone know why the network policy direction was not respected?

Thanks,
Anda

From: Douglas Lardo [mailto:dla...@riotgames.com]
Sent: Friday, July 21, 2017 8:50 PM
To: Anda Nicolae
Cc: dev@lists.opencontrail.org
Subject: Re: [opencontrail-dev] Ping Working Between 2 Virtual Networks Connected via an Unidirectional Network Policy

Anda,

I don't run OpenStack but I think the router you are looking for isn't applicable with Contrail. Contrail has routers, but they are installed on every compute node as a 'vRouter', much like a vSwitch from VMware or OVS. The difference is that in addition to the layer 2 switching, the vRouter also routes traffic between virtual networks. When you add a policy that defines SRC A can talk to SRC B, the appropriate routes are automatically imported for you.

Your traffic flow sounds like it's working as intended. When you create a permitted flow from VN1_SRV->VN2_SRV, the return flow from VN2_SRV->VN1_SRV is automatically generated for you.

HTH,
Doug

On Fri, Jul 21, 2017 at 2:48 AM, Anda Nicolae <anico...@lenovo.com> wrote:

Hello,

I have a setup of 4 VMs: one OpenStack node, one Contrail controller node and 2 Contrail compute nodes. The Contrail version I am using is 3.2.4.0. All 4 VMs use CentOS 7.2. I have created 2 virtual networks, VN1 and VN2. I have also created 2 virtual machines, VM1 having an IP address from VN1 and VM2 having an IP address from VN2.

By default, ping between VM1 and VM2 is not working since VNs in Contrail are isolated from one another. I have added a network policy: Protocol: ANY, Source VN1, Destination VN2, unidirectional (from VN1 to VN2 only), port: ANY. I added the policy to both VN1 and VN2 and ping is working.

My questions are:

1. Is it normal that echo request (from ping) arrives at its destination since I have 2 virtual networks that are not connected via a router, but have a network policy?
2. Why does echo reply (from ping) arrive at its destination, since the network policy is unidirectional (from VN1 to VN2 only)?

Thanks,
Anda

_______________________________________________
Dev mailing list
Dev@lists.opencontrail.org
http://lists.opencontrail.org/mailman/listinfo/dev_lists.opencontrail.org

--
Doug Lardo // Riot Games // c: 818.620.7046 // summoner: Riot Antares
Q: Why is this email 5 sentences or less?
A: http://five.sentenc.es