Naveen, Do you know why this could be happening?
Sachin From: Douglas Lardo <dla...@riotgames.com> Date: Saturday, July 29, 2017 at 2:01 PM To: Anda Nicolae <anico...@lenovo.com> Cc: Sachin Bansal <sban...@juniper.net>, "dev@lists.opencontrail.org" <dev@lists.opencontrail.org> Subject: Re: [opencontrail-dev] Ping Working Between 2 Virtual Networks Connected via an Unidirectional Network Policy Anda, I recall discovering the same thing back when I was doing my initial testing. I recall getting a "not implemented yet" or "the GUI is misleading" type of answer when I asked about it, but I can't remember the specifics, sorry. The vRouter tracks TCP headers at the flow level (https://github.com/Juniper/contrail-controller/wiki/Flow-Handling) but I'm not sure if it is currently possible for the vRouter to act like an SRX with inside/outside stateful interface tracking, which is what I think you are expecting / asking for. What worked for us was that we setup our policies like traditional stateless ACLs, much like the kind you would put on an outside interface of a router. I just ignore the <>, since it's misleading. Ex: pass protocol tcp network local ports any <> 10.100.50.5/32<http://10.100.50.5/32> ports [ 443 ] If you need SRX or IPS functionality, it's probably best to spin up a vSRX or vIPS in a VM and use service chaining to protect your backend services. HTH, Doug On Wed, Jul 26, 2017 at 9:17 AM, Anda Nicolae <anico...@lenovo.com<mailto:anico...@lenovo.com>> wrote: Of course. I have just used the unidirectional network policy between the 2 networks. Thanks, Anda From: Sachin Bansal [mailto:sban...@juniper.net<mailto:sban...@juniper.net>] Sent: Wednesday, July 26, 2017 7:14 PM To: Anda Nicolae; Douglas Lardo Cc: dev@lists.opencontrail.org<mailto:dev@lists.opencontrail.org> Subject: Re: [opencontrail-dev] Ping Working Between 2 Virtual Networks Connected via an Unidirectional Network Policy Did you try without the logical router? From: Anda Nicolae <anico...@lenovo.com<mailto:anico...@lenovo.com>> Date: Wednesday, July 26, 2017 at 12:55 AM To: Sachin Bansal <sban...@juniper.net<mailto:sban...@juniper.net>>, Douglas Lardo <dla...@riotgames.com<mailto:dla...@riotgames.com>> Cc: "dev@lists.opencontrail.org<mailto:dev@lists.opencontrail.org>" <dev@lists.opencontrail.org<mailto:dev@lists.opencontrail.org>> Subject: RE: [opencontrail-dev] Ping Working Between 2 Virtual Networks Connected via an Unidirectional Network Policy Hi Sachin, Thanks for the clarification, I have also arrived at this conclusion after Doug's reply. What I still don't understand is why ping, tcp and udp traffic (the last 2 being sent with iperf) initiated from VM2 to VM1 work. The network policy is unidirectional, allowing traffic from VN1 to VN2 only. I have sent traffic in the reverse direction and it works. I don't understand why. Before sending traffic from VM2 to VM1, I have deleted and re-created the virtual networks with other subnets, the network policy and the virtual machines to make sure that there are no existing flow rules for the subnets of VN2 and VN1. Thanks, Anda From: Sachin Bansal [mailto:sban...@juniper.net] Sent: Wednesday, July 26, 2017 8:48 AM To: Anda Nicolae; Douglas Lardo Cc: dev@lists.opencontrail.org<mailto:dev@lists.opencontrail.org> Subject: Re: [opencontrail-dev] Ping Working Between 2 Virtual Networks Connected via an Unidirectional Network Policy Anda, If you connect two networks with a logical router, you don’t need to use any network policy. Network policy and logical routers are two alternate ways to enable communication between two networks. Sachin From: Dev <dev-boun...@lists.opencontrail.org<mailto:dev-boun...@lists.opencontrail.org>> on behalf of Anda Nicolae <anico...@lenovo.com<mailto:anico...@lenovo.com>> Date: Monday, July 24, 2017 at 12:00 AM To: Douglas Lardo <dla...@riotgames.com<mailto:dla...@riotgames.com>> Cc: "dev@lists.opencontrail.org<mailto:dev@lists.opencontrail.org>" <dev@lists.opencontrail.org<mailto:dev@lists.opencontrail.org>> Subject: Re: [opencontrail-dev] Ping Working Between 2 Virtual Networks Connected via an Unidirectional Network Policy Hello Doug, Thanks for your response. Sorry I wasn't clear, by router I meant logical router which can be created from Contrail GUI (from Configure -> Networking -> Routers). I know that vrouter is installed on Contrail compute nodes. Now I understand that network policy adds forwarding rules to allow response packets to arrive at their destination. However, after I have sent the e-mail on the Contrail dev list, I have also sent echo requests (ping) from VM2 to VM1 and VM1 sent echo replies. Please remember that the network policy I have added had the following syntax: Protocol : ANY, Source VN1, Destination VN2, unidirectional (from VN1 to VN2 only), port: ANY. Therefore, ping from VM2 to VM1 shouldn't have worked, since the network policy direction is not respected. Does anyone know why the network policy direction was not respected? Thanks, Anda From: Douglas Lardo [mailto:dla...@riotgames.com] Sent: Friday, July 21, 2017 8:50 PM To: Anda Nicolae Cc: dev@lists.opencontrail.org<mailto:dev@lists.opencontrail.org> Subject: Re: [opencontrail-dev] Ping Working Between 2 Virtual Networks Connected via an Unidirectional Network Policy Anda, I don't run Openstack but I think the router you are looking for isn't applicable with Contrail. Contrail has routers, but they are installed on every compute node as a 'vRouter', much like a vSwitch from VMware or OVS. The difference is that in addition to the layer 2 switching, the vRouter also routes traffic between virtual networks. When you add a policy that defines SRC A can talk to SRC B, the appropriate routes are automatically imported for you. Your traffic flow sounds like it's working as intended. When you create a permitted flow from VN1_SRV->VN2_SRV, the return flow from VN2_SRV->VN1_SRV is automatically generated for you. HTH, Doug On Fri, Jul 21, 2017 at 2:48 AM, Anda Nicolae <anico...@lenovo.com<mailto:anico...@lenovo.com>> wrote: Hello, I have a setup of 4 VMs: one OpenStack node, one Contrail controller node and 2 Contrail compute nodes. Contrail version I am using is 3.2.4.0 version. All the 4 VMs use CentOS 7.2. I have created 2 virtual networks, VN1 and VN2. I have also created 2 virtual machines, VM1 having an IP address from VN1 and VM2 having an IP address from VN2. By default, ping between VM1 and VM2 is not working since VNs in Contrail are isolated from one another. I have added a network policy : Protocol : ANY, Source VN1, Destination VN2, unidirectional (from VN1 to VN2 only), port: ANY. I added the policy to both VN1 and VN2 and ping is working. My questions are: 1. Is it normal that echo request (from ping) arrives at its destination since I have 2 virtual networks that are not connected via a router, but have a network policy? 2. Why does echo reply (from ping) arrive at its destination, since the network policy is unidirectional (from VN1 to VN2 only)? Thanks, Anda _______________________________________________ Dev mailing list Dev@lists.opencontrail.org<mailto:Dev@lists.opencontrail.org> http://lists.opencontrail.org/mailman/listinfo/dev_lists.opencontrail.org -- Doug Lardo // Riot Games // c: 818.620.7046<tel:(818)%20620-7046> // summoner: Riot Antares Q: Why is this email 5 sentences or less? A: http://five.sentenc.es -- Doug Lardo // Riot Games // c: 818.620.7046 // summoner: Riot Antares Q: Why is this email 5 sentences or less? A: http://five.sentenc.es
_______________________________________________ Dev mailing list Dev@lists.opencontrail.org http://lists.opencontrail.org/mailman/listinfo/dev_lists.opencontrail.org
