Neutron Networking: Service Groups, Policies and Chains

Lightning talk from the OpenStack NYC meetup on October 8, 2014.

http://bit.ly/ibm-os-meetup

By John M. Tracey for Mohammad Banikazemi

The content of this talk is a statement from the IBM Research division, not IBM product divisions, and is not a statement from IBM regarding its plans, directions or product intents. Any activities described by this talk are subject to change.

  1. IBM T. J. Watson Research Center
     Neutron Networking: Service Groups, Policies and Chains
     OpenStack Meetup - IBM OpenStack Lightning Talks
     John M. Tracey for Mohammad Banikazemi, October 7, 2014
     © 2014 IBM Corporation
  2. Agenda (© 2013 IBM Corporation)
     • Current Neutron application programming interface
     • Example multi tier application with current API
     • Application centric abstraction
     • Group based policy constructs
     • Example multi tier application with policy extension
     • For more information
  3. Abstract
     • Neutron is OpenStack’s networking service. It defines an API, but allows different implementations to be plugged in.
     • The current OpenStack Neutron API provides constructs that are closely tied to physical network entities.
     • To better support application developers and allow better separation of application and infrastructure concerns, a Neutron blueprint is well underway that adds a set of higher-level abstractions to Neutron, known as group-based policy.
  4. Neutron application programming interface
     • Current Neutron API is somewhat low-level
     • Neutron constructs mirror physical devices
       • Network: layer-2 broadcast domain; private/shared
       • Port: virtual switch port on a network; has MAC and IP address properties
       • Subnet: CIDR IP address block associated with a network; optionally associated with gateway, DNS/DHCP servers
       • Router: provides IP routing among networks, supports source NAT
  5. Example multi tier application
     [Diagram: External Network (Internet), Firewall, Load Balancer, Web, Application, Database]
  6. Example multi tier application with current neutron CLI
       neutron net-create web_tier
       neutron subnet-create web_tier 10.0.0.0/24
       neutron router-create router1
       neutron router-interface-add router1 web_tier
     [Diagram: External Network, Router, three Network/Subnet blocks, Port]
  7. Application centric abstraction
     • Need a more application centric set of abstractions as well
     • More easily understood/utilized by higher layers
     • Declarative model
     • Separation of concerns (application/infrastructure)
     • Provide policy-based connectivity between application tiers
     • Enable redirection to network services and service chains
     • Support dynamic application of policies
  8. Group based policy constructs
     • Endpoint (EP)
       • Lowest unit of abstraction to which policy is applied
     • Endpoint Group (EPG)
       • Logical grouping of endpoints
     • Policy Rule
       • Specifies allowed/disallowed network access to EPGs
     • Policy (a.k.a. contract)
       • Collection of policy rules
  9. Example multi tier application with GBP extension
       neutron classifier-create Insecure-Web-Access --port 80 --protocol TCP --direction IN
       neutron policy-rule-create insecure-web --policy-classifier Insecure-Web-Access --actions ALLOW
       neutron contract-create Web-Server-Contract --policy-rule insecure-web
     [Diagram: EPG External Network (Internet), Firewall, EPG Web, EPG Application, EPG Database, connected by policies labelled:
       Protocol:TCP Port:80 Action:Redirect To FW_LB_CHAIN
       Protocol:TCP Port:3306 Action:ALLOW
       Protocol:TCP Port:9080 Action:ALLOW
      Legend: EPG (Endpoint Group)]
  10. For further information
     • Neutron wiki
       • https://wiki.openstack.org/wiki/Neutron
       • https://ibm.biz/BdFyZu
     • Blueprints for Neutron
       • https://blueprints.launchpad.net/neutron
       • https://ibm.biz/BdE4dC
     • Group-based policy abstractions for Neutron
       • https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
       • https://ibm.biz/BdE4dQ
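The group-based policy constructs from slides 8 and 9 (endpoint, endpoint group, classifier, policy rule, contract) can be modelled as a small policy evaluator. This is an added example, not code from the talk or from Neutron. Assumptions: the endpoint addresses and rule names are constructed, each rule from the slide 9 diagram is assigned to the tier pair its port suggests, and traffic matching no rule is denied.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Classifier:
    protocol: str
    port: int

@dataclass(frozen=True)
class PolicyRule:
    name: str                 # hypothetical rule names, not from the slides
    classifier: Classifier
    action: str               # "ALLOW" or "REDIRECT"
    target: str = ""          # service chain name when action is REDIRECT

# A contract is a collection of policy rules. Here each contract is keyed by
# the (consumer EPG, provider EPG) pair it governs; this pairing of the three
# diagram rules to tier pairs is an assumption.
CONTRACTS = {
    ("External", "Web"): [
        PolicyRule("web-in", Classifier("TCP", 80), "REDIRECT", "FW_LB_CHAIN")],
    ("Web", "Application"): [
        PolicyRule("app-in", Classifier("TCP", 9080), "ALLOW")],
    ("Application", "Database"): [
        PolicyRule("db-in", Classifier("TCP", 3306), "ALLOW")],
}

# Endpoint -> endpoint group membership (constructed sample addresses).
ENDPOINTS = {
    "203.0.113.7": "External",
    "10.0.0.11": "Web",
    "10.0.1.21": "Application",
    "10.0.2.31": "Database",
}

def evaluate(src_ip, dst_ip, protocol, port):
    """Return (action, detail) for one inter-group flow; default is DENY."""
    src, dst = ENDPOINTS.get(src_ip), ENDPOINTS.get(dst_ip)
    if src is None or dst is None:
        return ("DENY", "unknown endpoint")
    for rule in CONTRACTS.get((src, dst), []):
        c = rule.classifier
        if c.protocol == protocol.upper() and c.port == port:
            return (rule.action, rule.target or rule.name)
    return ("DENY", "no matching rule")

def consumers_of(provider_epg):
    """List the EPGs that hold any contract toward provider_epg (policy review)."""
    return sorted(src for (src, dst) in CONTRACTS if dst == provider_epg)
```

Because policy attaches to groups rather than to networks, ports or routers, a review of who can reach the database tier is a lookup over contracts instead of a walk through router and subnet configuration.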