
Contrail Sandbox

Tutorial Script
Tutorial Flow
• Login to lab setup
• Add security rules
• Add IP address manager
• Add two networks
• Add network policy
• Add two VMs (can’t ping)
• Add network policy to networks (VMs can ping)
• Configure DNS resolution in IPAM
• Add service template
• Add service instance
• Put service instance into policy
• Add sql and wiki VMs
• Configure floating IP
• Test wiki available
• Delete everything
• Port mirror, network analyzer
Accessing the Environment
• Use RDP client to connect to RDP server address sent in email
• Open Firefox from desktop in RDP window
• Use bookmarks to open tabs for OpenStack and Contrail
OpenStack – Change Zoom in Firefox

Change zoom to 80% (ensures dialogs are more visible)
OpenStack Security Groups and Contrail Network Policies

• Security groups control traffic flowing between networks
• Contrail implements security groups in addition to its own network policies
• The default security group only allows traffic to flow into a network from another one that is defined in OpenStack, so traffic can’t flow in from outside
• Additional rules need to be added to allow this – we will use this when we add floating IP addresses that are accessible via a gateway
OpenStack – Check Project

Project "demo" needs to be selected


OpenStack – Security Groups

Click “Access & Security” Tab

Click “Manage Rules” Button


OpenStack – Add Rule

Click “Add Rule” Button


OpenStack – Add ICMP, TCP, UDP Rules
Add Ingress Rules for:
ALL ICMP
ALL TCP
ALL UDP
OpenStack – Rules Added

New Rules Added


Take a Look at BGP Router Configuration

• Setting up a gateway router requires entering the router IP address, the AS number and the supported address families to enable peering
Contrail – Look at BGP Routers

Monitor Button

Click “Configure” Button

Click “BGP Routers” Button

Click “Expand” Button for Router


Contrail – Gateway Router Details

DC-dependent setting

DC-independent setting: 65250

BGP Peering Information


Add an IP Address Manager

• Each IPAM can have separate DNS, NTP and domain name
• It’s a good idea for each project to have its own IPAM
• So let’s add one
Contrail – Add IP Address Manager (IPAM)

Make sure you are in the demo project

1. Click “IP Address Management” Tab
2. Click “+” Button
3. Enter Name for IPAM
4. Click “Save” Button
Contrail – Add Network

1. Click “Networks” Tab


2. Click “+” Button
Adding Networks

• Basic properties of a network are its address pool with subnet mask and its default gateway
• Networks can be added in both OpenStack and Contrail
• Networks in Contrail have extra parameters to enable connectivity with gateway routers, port mirroring and service chaining
Contrail – Configure Front End Network

1. Enter Name for Network
2. Open "Subnets" Section
3. Click “+” Button
4. Select IPAM
5. Add Address
6. (Gateway Address is Automatic)
7. Click “Save” Button
Contrail – Configure Back End Network

1. Enter Name for Network


2. Click “+” Button

3. Select IPAM
4. Add Address
5. (Gateway Address is Automatic)
6. Click “Save” Button
Contrail - Configure Management Network

1. Enter Name for Network


2. Click “+” Button

3. Select IPAM
4. Add Address
5. (Gateway Address is Automatic)
6. Click “Save” Button
Floating IPs

• Floating IP pools are addresses that can be allocated to VM interfaces in addition to their normal virtual IP address
• Vrouter does NAT between the floating IP address and the normal address
• Floating IPs are usually used to enable external access
• Each sandbox is configured with a floating IP subnet which is part of a larger prefix that is configured on the gateway router
• Route target is set to match that on router
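Added example (written for this page, not code from the tutorial or from Contrail): a small Python model of the floating IP behaviour described above, i.e. a per-sandbox pool 10.1.dc_number.0/24 inside a larger gateway prefix, one floating address bound to one VM port, and the vrouter translating between the floating and fixed address in each direction. The gateway prefix 10.1.0.0/16, dc_number 7, the front-end fixed address and the outside host are constructed placeholder values.

```python
# Added example, not Contrail code: models the floating IP behaviour the
# tutorial describes. Gateway prefix 10.1.0.0/16, dc_number 7, the front-end
# fixed address and the outside host are constructed placeholder values.
import ipaddress

GATEWAY_PREFIX = ipaddress.ip_network("10.1.0.0/16")   # assumed larger prefix on the gateway

class FloatingIpPool:
    """A sandbox pool 10.1.<dc_number>.0/24 plus the vrouter's NAT table."""

    def __init__(self, dc_number):
        self.net = ipaddress.ip_network(f"10.1.{dc_number}.0/24")
        if not self.net.subnet_of(GATEWAY_PREFIX):        # pool must sit inside the gateway prefix
            raise ValueError(f"{self.net} is outside {GATEWAY_PREFIX}")
        self.free = list(self.net.hosts())
        self.nat = {}                                     # floating address -> fixed address

    def allocate(self):
        """'Pull IP from Pool': hand out the next unused floating address."""
        return self.free.pop(0)

    def associate(self, floating, fixed):
        """'Associate Port': bind a floating address to one VM interface address."""
        if floating in self.nat or floating not in self.net:
            raise ValueError(f"{floating} cannot be associated")
        self.nat[floating] = ipaddress.ip_address(fixed)

    def translate(self, src, dst):
        """Apply vrouter NAT to a (src, dst) pair; None means the packet is dropped."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        fixed_to_floating = {v: k for k, v in self.nat.items()}
        if src in fixed_to_floating:                      # VM -> outside: source becomes floating IP
            return fixed_to_floating[src], dst
        if dst in self.nat:                               # outside -> VM: floating IP becomes fixed IP
            return src, self.nat[dst]
        if dst in self.net:                               # floating address nobody owns: drop
            return None
        return src, dst                                   # not floating traffic; left untouched

def demo(dc_number=7):
    pool = FloatingIpPool(dc_number)
    fip = pool.allocate()
    pool.associate(fip, "192.168.1.3")                    # constructed front-end fixed address
    outbound = pool.translate("192.168.1.3", "203.0.113.10")
    inbound = pool.translate("203.0.113.10", str(fip))
    stray = pool.translate("203.0.113.10", f"10.1.{dc_number}.200")
    return str(fip), tuple(map(str, outbound)), tuple(map(str, inbound)), stray
```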
Contrail – Configure Public Network – Subnets

DC-dependent setting: 10.1.dc_number.0/24
(dc_number is in sandbox email)
Contrail – Configure Public Network – Subnets

1. Select "Advanced Options"
2. Click "External"
Contrail – Configure Public Network – Route Targets
Contrail – Configure Public Network – Floating IP Pools
1. Select “Floating IP Pool(s)” drop down menu
2. Click “+” Button
3. Add Pool Name
4. Add Project
Contrail – Check Subnets

Network Subnets
Network Policies

• Contrail network policies control traffic flow between networks
• Policies must be applied to networks to become effective (even when networks are named inside a policy)
Contrail – Add Policy

1. Click “Policies” Tab


2. Click “+” Button
Contrail – Configure Policy
1. Configure Name
2. Add Rule
3. Configure Source/Destination
4. Click “Save”
Launch VMs in OpenStack

• VMs are instantiated by specifying an image to boot from, a flavor (size) and a network for each interface
OpenStack – Launch VM Instance

1. Click “Instances” Tab


2. Click “Launch Instance” Button
OpenStack – Configure and Launch VM1 and VM2 VMs in wizard

VM1:
  Instance name: VM1
  Source: Image
  Image: cirros
  Flavor: tiny
  Network: web-front

VM2:
  Instance name: VM2
  Source: Image
  Image: cirros
  Flavor: tiny
  Network: sql-backend
Accessing a VM console

• OpenStack provides console access for each VM
• The console is preserved even if its tab is closed and reopened
• We will use the console of one VM to test that VMs in different networks can’t ping each other when there is no network policy applied
OpenStack – Open VM1 Console

1. Click “Instances” Tab


2. Select “Console” on Menu
OpenStack – Login to VM1 and Ping VM2

1. Click on gray bar to put keyboard focus into the console
2. Login as cirros/cubswin:)
3. Ping VM2 – 192.168.2.3 (Fails)
Apply Policy

• Apply policy to both networks


Contrail – Edit web-front Network

1. Click “Networks” Tab


2. Select “Edit” on Menu
Contrail – Add Policy to Networks

1. Select “web-to-backend” Policy
2. Click “Save” Button

Do Same for sql-backend Network

Contrail – Policies Are Applied
Contrail – Check Network Policy Diagram
OpenStack – Check Ping Is Working

Ctrl-c to stop the ping

Try “ssh -l cirros 192.168.2.3”
Ctrl-d to terminate session
Configure DNS resolution
• Contrail can run a virtual DNS server
• DNS has a separate view for each IPAM associated with it
• Can set a forwarder to use if local DNS does not contain a record
Check ping to VM2 does not work
Add DNS server
1. Click “Server” Tab
2. Click on “+” button

1. Name the DNS server
2. Give the DNS server a dummy domain name
3. Configure DNS Forwarder
4. Select the IPAM
5. Click on the “save” button
Configure DNS in IPAM
1. Click “IP Address Mgmt” Tab
2. Select “Edit” on Menu

3. Select “Virtual DNS”


4. Select “DNS-hands-on”
5. Click “Save” button
View DNS Records
1. Click “Servers” Tab
2. Select “Active DNS …” on Menu
3. View VM1, VM2 DNS entries
Check DNS resolution working with ping/nslookup
Service Chains

• A service chain is when network policy specifies that traffic between two networks must pass through a service (like a firewall)
• A service template describes which image should be used and the order of its interfaces
• A service instance is one or more instantiated VMs with its interfaces associated with interfaces in a template
• Traffic only flows through a service instance when it is included in a network policy
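Added example (written for this page, not code from the tutorial or from Contrail): a small Python model of the policy semantics from the Network Policies and Service Chains sections, replaying the tutorial's sequence of no policy, policy on one network only, policy on both, and the firewall service added to the rule. Network, policy and service names are the tutorial's; treating rules as bidirectional and the evaluation logic itself are simplifying assumptions.

```python
# Added example, not Contrail code: a simplified model of network policy
# attachment and service insertion as the tutorial describes them.
from dataclasses import dataclass, field

@dataclass
class Rule:
    src: str                 # source network named in the rule
    dst: str                 # destination network named in the rule
    action: str = "pass"
    services: list = field(default_factory=list)   # service instances, in order

@dataclass
class Policy:
    name: str
    rules: list

@dataclass
class Network:
    name: str
    policies: list = field(default_factory=list)   # policies applied to this network

def path(networks, src_net, dst_net):
    """Hops traffic takes from src_net to dst_net, or None when nothing allows it.

    Assumed semantics: a rule is effective only if its policy is applied to
    BOTH networks it names, and rules are bidirectional (the UI's '<>' default).
    Services listed on the matching rule are inserted into the path in order.
    """
    shared = [p for p in networks[src_net].policies if p in networks[dst_net].policies]
    for policy in shared:
        for rule in policy.rules:
            if {rule.src, rule.dst} == {src_net, dst_net} and rule.action == "pass":
                return [src_net, *rule.services, dst_net]
    return None

def tutorial_walkthrough():
    """Replays the tutorial: no policy, one side only, both sides, then firewall."""
    nets = {"web-front": Network("web-front"), "sql-backend": Network("sql-backend")}
    policy = Policy("web-to-backend", [Rule("web-front", "sql-backend")])
    steps = [path(nets, "web-front", "sql-backend")]        # VM1 -> VM2 ping fails
    nets["web-front"].policies.append(policy)
    steps.append(path(nets, "web-front", "sql-backend"))    # still fails: sql side missing
    nets["sql-backend"].policies.append(policy)
    steps.append(path(nets, "web-front", "sql-backend"))    # ping works
    policy.rules[0].services.append("firewall-inst")        # "Add Service To Policy" step
    steps.append(path(nets, "web-front", "sql-backend"))    # traffic now transits the firewall
    return steps
```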
Contrail – Add Service Template

1. Click “Service Templates” Tab


2. Click “+” Button
Contrail - Configure Service Template

1. Name “Firewall-Template-X”
2. Version “v2”
3. Virtualization Type “Virtual Machine”
4. Service Mode “In-Network”
5. Service Type “Firewall”
6. Click “+” Button to Add 1st Interface
7. Click “+” Button on lowest Interface
8. Click “+” Button on new lowest Interface
9. Click “Save” Button
OpenStack – Launch VM that will become service

Instance name: FW-inst
Source: Image
Image: SDN-NoNAT
Flavor: medium
Networks: svc-mgt, web-front, sql-backend
OpenStack - Open Service Instance Console
OpenStack – Login Prompt Means Instance is Ready

1. Login with root/c0ntrail123
2. Type cli at prompt
3. Type show config to take a look at the
Contrail - Configure Service Instance Interfaces

FW-inst

1. Name “firewall-inst”
2. Service Template “FW-Template”
3. Choose networks
4. Open Tuple
Contrail - Configure Service Instance Interfaces

1. Select management interface
2. Select left interface
3. Select right interface (hidden)
Contrail - Complete Screen

1. Click “Save”
Contrail – Edit Policy
Contrail – Add Service To Policy
1. Check “Services” Box
2. Select “firewall-inst” Service
3. Click “Save” Button
Contrail – Check Service Inserted
OpenStack – Check Ping Still Working
Building a Two-Tier Application

• Deploy an SQL backend and LAMP front end into the two networks
• Allocate a floating IP address
• Access a wiki from your PC via the internet
• First - delete VM1, VM2 using OpenStack GUI

OpenStack – Configure and Launch front-end and sql-server VMs

front-end:
  Instance name: front-end
  Source: Image
  Image: demo-wiki
  Flavor: small
  Network: web-front

sql-server:
  Instance name: sql-server
  Source: Image
  Image: demo-sql
  Flavor: small
  Network: sql-backend
OpenStack – Open SQL-server Console
OpenStack – Check SQL Running
OpenStack – Check front-end Console
Contrail – Configure Specific Network Policy
Contrail – Associate Floating IP

1. Select “Manage Floating IPs” Tab


2. Click “+” Button
Contrail – Pull IP from Pool

1. Select “dc-net:public-pool”
2. Click “Save” Button
Contrail – Associate Floating IP to Port

Select “Associate Port” Menu Item


Contrail – Associate Floating IP to Front End

1. In OpenStack find the IP address of front-end
2. Select Port with front-end address
New Browser Tab – Check Access to Wiki
Enter Your Floating IP Address
Deletion Exercise
• Delete all the objects created in the tutorial so far
• Try to do this without getting any popups complaining about
dependencies
Analyzer Exercise
• Find Contrail 3.1 Documentation
• Locate section dealing with Traffic Mirroring
• Use Configure > Networking > Services method to put mirroring
between VMs in two new networks with new VMs in them
End
