Anda, I recall discovering the same thing back when I was doing my initial testing. I recall getting a "not implemented yet" or "the GUI is misleading" type of answer when I asked about it, but I can't remember the specifics, sorry. The vRouter tracks TCP headers at the flow level ( https://github.com/Juniper/contrail-controller/wiki/Flow-Handling) but I'm not sure if it is currently possible for the vRouter to act like an SRX with inside/outside stateful interface tracking, which is what I think you are expecting / asking for.
What worked for us was that we setup our policies like traditional stateless ACLs, much like the kind you would put on an outside interface of a router. I just ignore the <>, since it's misleading. Ex: pass protocol tcp network local ports any <> 10.100.50.5/32 ports [ 443 ] If you need SRX or IPS functionality, it's probably best to spin up a vSRX or vIPS in a VM and use service chaining to protect your backend services. HTH, Doug On Wed, Jul 26, 2017 at 9:17 AM, Anda Nicolae <anico...@lenovo.com> wrote: > Of course. I have just used the unidirectional network policy between the > 2 networks. > > > > Thanks, > > Anda > > > > *From:* Sachin Bansal [mailto:sban...@juniper.net] > *Sent:* Wednesday, July 26, 2017 7:14 PM > > *To:* Anda Nicolae; Douglas Lardo > *Cc:* dev@lists.opencontrail.org > *Subject:* Re: [opencontrail-dev] Ping Working Between 2 Virtual Networks > Connected via an Unidirectional Network Policy > > > > Did you try without the logical router? > > > > *From: *Anda Nicolae <anico...@lenovo.com> > *Date: *Wednesday, July 26, 2017 at 12:55 AM > *To: *Sachin Bansal <sban...@juniper.net>, Douglas Lardo < > dla...@riotgames.com> > *Cc: *"dev@lists.opencontrail.org" <dev@lists.opencontrail.org> > *Subject: *RE: [opencontrail-dev] Ping Working Between 2 Virtual Networks > Connected via an Unidirectional Network Policy > > > > Hi Sachin, > > > > Thanks for the clarification, I have also arrived at this conclusion after > Doug's reply. > > > > What I still don't understand is why ping, tcp and udp traffic (the last 2 > being sent with iperf) initiated from VM2 to VM1 work. > > The network policy is unidirectional, allowing traffic from VN1 to VN2 > only. I have sent traffic in the reverse direction and it works. I don't > understand why. > > > > Before sending traffic from VM2 to VM1, I have deleted and re-created the > virtual networks with other subnets, the network policy and the virtual > machines to make sure that there are no existing flow rules for the subnets > of VN2 and VN1. > > > > Thanks, > > Anda > > > > *From:* Sachin Bansal [mailto:sban...@juniper.net <sban...@juniper.net>] > *Sent:* Wednesday, July 26, 2017 8:48 AM > *To:* Anda Nicolae; Douglas Lardo > *Cc:* dev@lists.opencontrail.org > *Subject:* Re: [opencontrail-dev] Ping Working Between 2 Virtual Networks > Connected via an Unidirectional Network Policy > > > > Anda, > > > > If you connect two networks with a logical router, you don’t need to use > any network policy. Network policy and logical routers are two alternate > ways to enable communication between two networks. > > > > Sachin > > > > *From: *Dev <dev-boun...@lists.opencontrail.org> on behalf of Anda > Nicolae <anico...@lenovo.com> > *Date: *Monday, July 24, 2017 at 12:00 AM > *To: *Douglas Lardo <dla...@riotgames.com> > *Cc: *"dev@lists.opencontrail.org" <dev@lists.opencontrail.org> > *Subject: *Re: [opencontrail-dev] Ping Working Between 2 Virtual Networks > Connected via an Unidirectional Network Policy > > > > Hello Doug, > > > > Thanks for your response. > > Sorry I wasn't clear, by router I meant logical router which can be > created from Contrail GUI (from Configure -> Networking -> Routers). I know > that vrouter is installed on Contrail compute nodes. > > > > Now I understand that network policy adds forwarding rules to allow > response packets to arrive at their destination. > > > > However, after I have sent the e-mail on the Contrail dev list, I have > also sent echo requests (ping) from VM2 to VM1 and VM1 sent echo replies. > > Please remember that the network policy I have added had the following > syntax: Protocol : ANY, Source VN1, Destination VN2, unidirectional (from > VN1 to VN2 only), port: ANY. > > Therefore, ping from VM2 to VM1 shouldn't have worked, since the network > policy direction is not respected. > > > > Does anyone know why the network policy direction was not respected? > > > > Thanks, > > Anda > > > > *From:* Douglas Lardo [mailto:dla...@riotgames.com <dla...@riotgames.com>] > > *Sent:* Friday, July 21, 2017 8:50 PM > *To:* Anda Nicolae > *Cc:* dev@lists.opencontrail.org > *Subject:* Re: [opencontrail-dev] Ping Working Between 2 Virtual Networks > Connected via an Unidirectional Network Policy > > > > Anda, > > > > I don't run Openstack but I think the router you are looking for isn't > applicable with Contrail. Contrail has routers, but they are installed on > every compute node as a 'vRouter', much like a vSwitch from VMware or OVS. > The difference is that in addition to the layer 2 switching, the vRouter > also routes traffic between virtual networks. When you add a policy that > defines SRC A can talk to SRC B, the appropriate routes are automatically > imported for you. > > > > Your traffic flow sounds like it's working as intended. When you create a > permitted flow from VN1_SRV->VN2_SRV, the return flow from VN2_SRV->VN1_SRV > is automatically generated for you. > > > > HTH, > > > > Doug > > > > On Fri, Jul 21, 2017 at 2:48 AM, Anda Nicolae <anico...@lenovo.com> wrote: > > Hello, > > > > I have a setup of 4 VMs: one OpenStack node, one Contrail controller node > and 2 Contrail compute nodes. > > Contrail version I am using is 3.2.4.0 version. All the 4 VMs use CentOS > 7.2. > > > > I have created 2 virtual networks, VN1 and VN2. I have also created 2 > virtual machines, VM1 having an IP address from VN1 and VM2 having an IP > address from VN2. > > By default, ping between VM1 and VM2 is not working since VNs in Contrail > are isolated from one another. > > > > I have added a network policy : Protocol : ANY, Source VN1, Destination > VN2, unidirectional (from VN1 to VN2 only), port: ANY. > > I added the policy to both VN1 and VN2 and ping is working. > > > > My questions are: > > 1. Is it normal that echo request (from ping) arrives at its destination > since I have 2 virtual networks that are not connected via a router, but > have a network policy? > > 2. Why does echo reply (from ping) arrive at its destination, since the > network policy is unidirectional (from VN1 to VN2 only)? > > > > > > Thanks, > > Anda > > > _______________________________________________ > Dev mailing list > Dev@lists.opencontrail.org > http://lists.opencontrail.org/mailman/listinfo/dev_lists.opencontrail.org > > > > > > -- > > *Doug Lardo *// *Riot Games* // c: 818.620.7046 <(818)%20620-7046> > // summoner: Riot Antares > > Q: Why is this email 5 sentences or less? A: http://five.sentenc.es > -- *Doug Lardo *// *Riot Games* // c: 818.620.7046 // summoner: Riot Antares Q: Why is this email 5 sentences or less? A: http://five.sentenc.es
_______________________________________________ Dev mailing list Dev@lists.opencontrail.org http://lists.opencontrail.org/mailman/listinfo/dev_lists.opencontrail.org
