The answer is to apply the following two policies instead of one.

netA/netB - vnf(FW) - netC
netC - vnf(IDS) - netD/netE

where netC has flag ALLOW_TRANSIT true.

2015-10-22 11:49 GMT+02:00 wsronek . <[email protected]>:

> Hello,
>
> ### Use case description
>
> Contrail version: 2.20-64
> OpenStack release: Juno
>
> Based on this description
> https://bugs.launchpad.net/opencontrail/+bug/1365277 I'd like to create a
> service chain using that scenario VN1---SC1x---VNx---SC2x---VN2.
>
> Exactly this bidirectional policy between netA/netB and netD/netE was set
> up.
> netA/netB - vnf(FW) - netC - vnf(IDS) - netD/netE
>
> I've created the following policy:
> PASS: netA/netB IP(ANY) PORT(ANY) <> netD/netE IP(ANY) PORT(ANY): APPLY
> SERVICE (FW) (IDS).
>
> Each network netX has an assigned route target.
> netB has the flag ALLOW_TRANSIT assigned.
>
> Networks with appropriate configuration, VNFs and network policies were
> created by Contrail Heat templates.
>
>
> ### Problem description
>
> The packets coming from netA and received on the vrouter to which vnf(IDS)
> is connected are dropped with an "Invalid source" message.
>
> Can you let me know whether this scenario should work with Contrail 2.2? I
> need only guidelines on how to set it up.
>
>
> ### Additional information
>
> I've tested the scenario below with success.
> netA - vnf(FW) - netD - netA - vnf(IDS) - netD
>
> BUT unfortunately I need to forward traffic between more than two networks
> (netA/netB <> netD/netE) without creating another network policy and
> pair of VNFs (like this one: netB - vnf(FW) - netE - netB - vnf(IDS) -
> netE).
>
>
> --
> Wojciech Sronek
>

--
Wojciech Sronek
skype. voytekpsnc
