Configuring the simplest service chain step-by-step

In a previous post I introduced the concept of Service Chain in Contrail.
Today, I’m going to show how a chain can be configured via GUI. This time it will only be about configuration; next, we will look at how routing is configured and what’s going on under the hoods!
First, we create 2 virtual networks:
conf_nets
We are going to use the following mapping:
– VN Fourcade is the LEFT network
– VN wierer is the RIGHT network
Next, we create 3 virtual machines:
conf_3vms
VM “priv” acts as a client while VM “pub” emulates a server on the Internet. The third VM, “si1” will be part of the service instance of our service chain.
VM “priv” is attached to the left network while VM “pub” is connected to the right network. The third VM, the service VM, has a leg on both networks (this is required to create a service chain).
Now, I create the service template:
conf_create_svctmpl
Configuration is pretty straightforward. Version MUST be v2. We are not performing NAT so in-network will be just fine. Traffic will go through a virtual machine so “Virtualization Type” is an obvious choice. The service VM won’t be a DPI so “service Type” is set to Firewall, instead of analyzer.
Last, we specify 2 interfaces: left and right.
Next, based on that template, I create the service instance:
conf_create_svcinst
Here, we reference the service template and map interfaces to actual virtual networks:
– Fourcade is left
– wierer is right
Last, we configure the port tuple by referencing VM ports. In particular, we reference the interfaces of VM si1, our service VM. Left interface is mapped to si1 VMI connected to Fourcade VN while right interface is mapped to si1 VMI connected to wierer VN.
Creating a service instance is not enough.
I need to define a network policy between left and right networks:
conf_policy
This policy simply allows communications between the two networks.
Policy has to be applied to both virtual networks:
conf_vns_pol
Last step is to include the service instance within the network policy configuration:
conf_svcinst_in_pol
and that’s it! Service chain is ready!
Next time we will see how this configuration translates in terms of routing inside Contrail
ciao
IoSonoUmberto

3 thoughts on “Configuring the simplest service chain step-by-step”

  1. Pingback: Behind a service chain: how Contrail manages routing and hides the complexity – IoSonoUnRouter
  2. Pingback: Some advanced Service Chain settings – IoSonoUnRouter
  3. Pingback: Designing a PBR+NAT service chain – IoSonoUnRouter

Leave a comment