
Neutron Networking: Service Groups, Policies and Chains


Lightning talk from the OpenStack NYC meetup on October 8, 2014.

http://bit.ly/ibm-os-meetup

By John M. Tracey for Mohammad Banikazemi

The content of this talk is a statement from the IBM Research division, not IBM product divisions, and is not a statement from IBM regarding its plans, directions or product intents. Any activities described by this talk are subject to change.


  1. IBM T. J. Watson Research Center
     Neutron Networking: Service Groups, Policies and Chains
     OpenStack Meetup - IBM OpenStack Lightning Talks
     John M. Tracey for Mohammad Banikazemi
     October 7, 2014
     © 2014 IBM Corporation
  2. Agenda
     • Current Neutron application programming interface
     • Example multi tier application with current API
     • Application centric abstraction
     • Group based policy constructs
     • Example multi tier application with policy extension
     • For more information
     © 2013 IBM Corporation
  3. Abstract
     • Neutron is OpenStack’s networking service. It defines an API, but allows different implementations to be plugged in.
     • The current OpenStack Neutron API provides constructs that are closely tied to physical network entities.
     • To better support application developers and allow better separation of application and infrastructure concerns, a Neutron blueprint is well underway that adds a set of higher-level abstractions to Neutron, known as group-based policy.
  4. Neutron application programming interface
     • Current Neutron API is somewhat low-level
     • Neutron constructs mirror physical devices
       • Network: layer-2 broadcast domain; private/shared
       • Port: virtual switch port on a network; has MAC and IP address properties
       • Subnet: CIDR IP address block associated with a network; optionally associated with gateway, DNS/DHCP servers
       • Router: provides IP routing among networks, supports source NAT
  5. Example multi tier application
     [Diagram: External Network (Internet), Firewall, Load Balancer, Web, Application, Database]
  6. Example multi tier application with current neutron CLI
       neutron net-create web_tier
       neutron subnet-create web_tier 10.0.0.0/24
       neutron router-create router1
       neutron router-interface-add router1 web_tier
     [Diagram: External Network, Router, three Network/Subnet segments, Port]
  7. Application centric abstraction
     • Need a more application centric set of abstractions as well
       • More easily understood/utilized by higher layers
       • Declarative model
       • Separation of concerns (application/infrastructure)
     • Provide policy-based connectivity between application tiers
     • Enable redirection to network services and service chains
     • Support dynamic application of policies
  8. Group based policy constructs
     • Endpoint (EP)
       • Lowest unit of abstraction to which policy is applied
     • Endpoint Group (EPG)
       • Logical grouping of endpoints
     • Policy Rule
       • Specifies allowed/disallowed network access to EPGs
     • Policy (a.k.a. contract)
       • Collection of policy rules
  9. Example multi tier application with GBP extension
       neutron classifier-create Insecure-Web-Access --port 80 \
           --protocol TCP --direction IN
       neutron policy-rule-create insecure-web \
           --policy-classifier Insecure-Web-Access --actions ALLOW
       neutron contract-create Web-Server-Contract --policy-rule insecure-web
     [Diagram: EPG External Network (Internet), EPG Web, EPG Application, EPG Database, Firewall. Policies shown: Protocol:TCP Port:80 Action:Redirect To FW_LB_CHAIN; Protocol:TCP Port:9080 Action:ALLOW; Protocol:TCP Port:3306 Action:ALLOW. EPG = Endpoint Group]
  10. For further information
     • Neutron wiki
       • https://wiki.openstack.org/wiki/Neutron
       • https://ibm.biz/BdFyZu
     • Blueprints for Neutron
       • https://blueprints.launchpad.net/neutron
       • https://ibm.biz/BdE4dC
     • Group-based policy abstractions for Neutron
       • https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
       • https://ibm.biz/BdE4dQ
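
The group-based policy constructs from slides 8 and 9, as an added example that is not part of the talk or of Neutron's code: a small model that resolves endpoints to endpoint groups, evaluates a flow against the contract between two groups, and audits which groups a contract set exposes a tier to. The endpoint addresses, the pairing of each slide-9 policy with a pair of tiers, and the deny-when-no-rule-matches default are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    protocol: str
    port: int
    action: str        # "ALLOW" or "REDIRECT"
    chain: str = ""    # service chain name, only used by REDIRECT

# Endpoint -> endpoint group (constructed addresses, not from the slides).
ENDPOINTS = {"10.0.0.11": "Web", "10.0.1.21": "Application", "10.0.2.31": "Database"}

# Contracts keyed by (consumer EPG, provider EPG). The rules are the three
# policies on slide 9; which tier pair each belongs to is an assumption.
CONTRACTS = {
    ("External", "Web"): [Rule("TCP", 80, "REDIRECT", "FW_LB_CHAIN")],
    ("Web", "Application"): [Rule("TCP", 9080, "ALLOW")],
    ("Application", "Database"): [Rule("TCP", 3306, "ALLOW")],
}

def epg_of(ip):
    # Any address that is not a known endpoint falls into the external group.
    return ENDPOINTS.get(ip, "External")

def decide(src_ip, dst_ip, protocol, port, contracts=CONTRACTS):
    """Return (action, detail) for one flow; no matching rule means DENY."""
    pair = (epg_of(src_ip), epg_of(dst_ip))
    for rule in contracts.get(pair, []):
        if (rule.protocol, rule.port) == (protocol.upper(), port):
            return rule.action, rule.chain or "%s -> %s" % pair
    return "DENY", "no rule for %s -> %s %s/%d" % (pair + (protocol.upper(), port))

def audit(contracts, provider, allowed_consumers):
    """List (consumer, rule) pairs that open `provider` to an unexpected group."""
    return [(consumer, rule)
            for (consumer, prov), rules in contracts.items()
            if prov == provider and consumer not in allowed_consumers
            for rule in rules]

if __name__ == "__main__":
    print(decide("203.0.113.9", "10.0.0.11", "tcp", 80))    # Internet to web tier
    print(decide("10.0.0.11", "10.0.2.31", "tcp", 3306))    # web tier to database
    print(audit(CONTRACTS, "Database", {"Application"}))    # unexpected DB exposure
```

Because policy is attached to groups rather than to ports or subnets, the audit can be run over a proposed contract set before it is applied, independent of which addresses the endpoints hold.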
