Handouts for east coast hands on exercises v1


Page 1: Handouts for east coast hands on exercises v1

East Coast OpenStack Meetups – Sept 2014

OPENCONTRAIL – SERVICE INSERTION HANDS-ON

DEMO / HANDS-ON EXERCISES:

We have a few exercises for today's Contrail hands-on session!

These exercises demonstrate some of the fundamental features that the combination of OpenStack and Contrail bring to the table in the area of Virtualized Networking.

We may not be able to finish all the exercises in today’s allotted time. So, feel free to continue these exercises on our lab setup during the rest of the week and the weekend. Feel free to catch us at the Summit and ask us further questions. You may also post your questions on opencontrail.org mailing lists.

Exercise 1: Service Insertion

Summary of exercise: Service chaining with NAT for Public Internet access

Create a virtual network ("Enterprise-<yourname>") with a private block of IP addresses intended for a new department (or group of users). Spawn virtual machines in this newly created virtual network. Because a private IP block is assigned to this network, the VMs in it will not be able to communicate with the internet on their own.

We have pre-created a virtual network called "Public" in your sandbox, which contains a block of IP addresses having routes to reach the internet. 

Therefore, if the private IP addresses in the newly created "Enterprise-<yourname>" network are NATted to the public block, the VMs in the private network will be able to communicate to the internet. 

So, in the hands-on exercise, we will first connect the Enterprise-<yourname> Virtual Network with the Public Virtual Network via a policy and then include application of the NAT security service in that policy so as to apply source-NAT on the outbound traffic.

Figure 1: Below is the logical view of the network being built in this exercise.

[Figure 1: ENTERPRISE NETWORK (VM1) -> NAT -> PUBLIC NETWORK]

© Juniper Networks, Inc. 1


Bay Area Network Virtualization – May 2014, Sunnyvale, CA

Figure 1: NAT service insertion

Step-by-step instructions to build above topology are described below.

1) Virtual Network Creation using Contrail WebUI

Create Enterprise-<yourname> Virtual Network with subnet block 192.168.11.0/24.

The "Public" network is a block of IP addresses which has routes to reach the internet. This network should already exist in the sandbox allocated to you, and you shouldn't need to create it.

2) Virtual Machine Creation using OpenStack Horizon UI

Launch an instance using the Ubuntu image. Under the Networking tab, choose the Enterprise-<yourname> Virtual Network to put the vNIC into.

3) Connect the two Virtual Networks using Contrail Web UI

Create Network policy: Go back to the Contrail Web UI, Configure Tab, Networking Policies sub-tab. Create a policy, select the "Enterprise-<yourname>" network as the "Source", "Public" network as the "Destination", and allow all bidirectional traffic between the two networks and save.

Attach policy: Attach the policy to the above two networks for it to be effective by editing the virtual network configuration.

4) Try pinging 8.8.8.8 from the Ubuntu Virtual Machine console. You will not be able to, because the NAT service is not yet applied to traffic from the Enterprise network to the Public network.

5) Service Template Creation using Contrail Web UI

In the "Configure" tab under the "Services" sub-tab, select "Service Templates". Click the "Create" button.

o Service-mode = In-network-NAT

o Image = nat-service

o Add three interfaces (one for management and one each for the left and right networks)

6) Service Instance Creation using Contrail Web UI

Create service instance based on the above template.

o Select the correct service template to spin the instance off

o Leave "Management" interface "auto-configured"

o Assign "Left-interface" to "Enterprise-<yourname>" network

o Assign "Right-interface" to the "Public" network

7) Service Insertion using Contrail Web UI

Now you need to embed this running Service Instance inside a policy. So go to the Policies sub-tab under "Networking" and edit the Policy you created earlier.

Check the "Apply Service" checkbox. This will bring up a dropdown. Select the recently created Service Instance.


This means that all traffic going from the Enterprise network to the Public network will first be sent to the Service Instance before being forwarded to the Public network.

8) Now go back to your Ubuntu VM instance and try pinging 8.8.8.8 again. Once the Service Instance VM has booted and the necessary routes have converged, you should be able to ping 8.8.8.8 successfully.

Exercise 2: Virtual Network Creation, Policy, Floating IP

Summary of exercise: The earlier exercise showed an example of how an NFV service (NAT) was inserted into a flow of traffic between virtual networks via a Service Instance VM. The NAT in that case was applied at the network level.

In this exercise, we will see the use of the concept of a "Floating IP" and the resulting distributed NAT, which is applied at the VM/host level as opposed to being applied to the entire network.

1)   Virtual Network Creation: (Contrail Web UI – Configure)

Create Redmine Virtual Network with subnet block 192.168.1.0/24

2)   Virtual Machines in Virtual Networks: (OpenStack Horizon UI)

Spawn a turnkey-redmine-12.0-squeeze-x86 VM in the Redmine VN

3)   Allocate Floating IP (Contrail Web UI – Configure)

4)   Associate Floating IP with Redmine VM (Contrail Web UI or OpenStack Horizon UI)

5)   Point browser to the Floating IP address and you should be able to see the Redmine web front end
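The difference between the network-level NAT of Exercise 1 and the per-VM Floating IP of Exercise 2, shown as a small Python model. This is an added example and not code from the handout or from Contrail: the public addresses (203.0.113.x, 198.51.100.x), port numbers and class names are constructed for illustration, and the model keys translations on transport ports, whereas the ping traffic used in Exercise 1 is ICMP, which a real NAT keys on the ICMP identifier instead.

```python
"""Model of two NAT styles: many-to-one source NAT done by an in-network
service instance (Exercise 1) versus a one-to-one Floating IP applied on the
VM's own vrouter (Exercise 2). Added illustration; all addresses are
constructed and not the lab's."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


Key = Tuple[str, int, str, int, str]   # private src ip, src port, dst ip, dst port, proto


class InNetworkNat:
    """Exercise 1: the whole Enterprise network shares one public address."""

    def __init__(self, private_net: str, public_ip: str, first_port: int = 1024):
        self.private_net = ipaddress.ip_network(private_net)
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table: Dict[Key, int] = {}                       # private flow -> public port
        self.in_table: Dict[Tuple[int, str, int, str], Tuple[str, int]] = {}

    def left_to_right(self, pkt: Packet) -> Optional[Packet]:
        """Enterprise -> Public: rewrite the source to public_ip and a unique port."""
        if ipaddress.ip_address(pkt.src_ip) not in self.private_net:
            return None                                           # not ours to translate
        key: Key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        pub_port = self.out_table.get(key)
        if pub_port is None:
            # A fresh public port per flow, so two VMs that happen to use the
            # same source port do not collide behind the shared address.
            pub_port = self.next_port
            self.next_port += 1
            self.out_table[key] = pub_port
            self.in_table[(pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def right_to_left(self, pkt: Packet) -> Optional[Packet]:
        """Public -> Enterprise: only replies to existing state are delivered."""
        if pkt.dst_ip != self.public_ip:
            return None
        private = self.in_table.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if private is None:
            return None                                           # unsolicited inbound: no state, dropped
        return replace(pkt, dst_ip=private[0], dst_port=private[1])


class FloatingIp:
    """Exercise 2: one-to-one mapping held on the VM's own vrouter, both directions."""

    def __init__(self, mapping: Dict[str, str]):
        self.priv_to_pub = dict(mapping)
        self.pub_to_priv = {pub: priv for priv, pub in mapping.items()}

    def egress(self, pkt: Packet) -> Packet:
        pub = self.priv_to_pub.get(pkt.src_ip)
        return replace(pkt, src_ip=pub) if pub else pkt

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        priv = self.pub_to_priv.get(pkt.dst_ip)
        return replace(pkt, dst_ip=priv) if priv else None        # no floating IP on this address


def demo() -> Dict[str, Optional[Packet]]:
    """Run both models over a few constructed packets and return the results."""
    nat = InNetworkNat("192.168.11.0/24", "203.0.113.10")        # Enterprise subnet from Exercise 1
    vm1 = Packet("192.168.11.5", 40000, "8.8.8.8", 53, "udp")
    vm2 = Packet("192.168.11.6", 40000, "8.8.8.8", 53, "udp")    # same source port as vm1
    out1 = nat.left_to_right(vm1)
    out2 = nat.left_to_right(vm2)
    reply1 = nat.right_to_left(Packet("8.8.8.8", 53, out1.src_ip, out1.src_port, "udp"))
    unsolicited = nat.right_to_left(Packet("198.51.100.7", 12345, "203.0.113.10", 80))
    fip = FloatingIp({"192.168.1.4": "203.0.113.20"})             # Redmine VM from Exercise 2
    inbound = fip.ingress(Packet("198.51.100.7", 5555, "203.0.113.20", 80))
    outbound = fip.egress(Packet("192.168.1.4", 33000, "198.51.100.7", 443))
    return {"out1": out1, "out2": out2, "reply1": reply1,
            "unsolicited": unsolicited, "inbound": inbound, "outbound": outbound}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```

The in-network NAT keeps per-flow state, so a reply is mapped back to the right VM and an inbound packet with no matching state is dropped, which is why nothing outside can initiate a connection to VM1 in Exercise 1. The Floating IP is a stateless one-to-one rewrite on the VM's vrouter, so the Redmine front end in Exercise 2 is reachable from outside without any prior outbound traffic.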

Exercise 3: DDoS Secure as a Service Instance to protect from DDoS attacks

Summary of exercise: In this exercise, we will put a web resource in a virtual network. It will serve traffic from outside the Data Center where the web application is hosted. This external traffic may potentially include malicious (DDoS) traffic originating from malicious users. Therefore, we will insert a DDoS Secure Service Instance into the flow of traffic directed to the Web Resource Virtual Network.

To simulate DDoS attacks, we will simply create another virtual network, spawn an Ubuntu Virtual Machine in that private Virtual Network and use the "hping" utility to conduct a TCP SYN flood style DDoS attack. We will observe how the DDoS Secure Service Instance protects the Web resource from such attacks.

The DDoS Secure VM has a web interface for configuring it and viewing the logs, statistics and details of detected DDoS attacks. In order to reach the Web UI of the DDoS Secure instance, we will put its management interface in a management Virtual Network and also assign a Floating IP to that management interface.

1. Virtual Network Creation (Contrail Web UI)

Create the Virtual Network for the web resource that will be protected by the DDoS Secure instance.

Create the Virtual Network for the attacker. The attack will be simulated using the "hping" utility from an Ubuntu VM by running a TCP SYN flood.

2. Virtual Machine Creation (OpenStack Horizon UI)


Spawn an Ubuntu VM in the attacker VN from the Attacker image available in the Glance repository. Spawn another Ubuntu VM, this time in the WebResource VN.

3. Connect the two Virtual Networks (Contrail Web UI)

Create policy: Go back to the Contrail Web UI, Configure tab, Networking Policies sub-tab. Create a policy, select the "Attacker" virtual network as the "Source" and the "WebResource" network as the "Destination", and allow all bidirectional traffic between the two networks.

Attach policy: Attach the policy to the above two networks for it to be effective. 

4) Service Template Creation (Contrail Web UI)

In the "Configure" tab under the "Services" sub-tab, select "Service Templates". Click the "Create" button.

o Service-mode = Transparent (A DDoS Secure instance does not modify packets. It merely inspects packets and may drop them if they are found to belong to a malicious flow. So the Service-mode needs to be Transparent instead of "In-network-NAT", as was the case with the NAT service.)

o Image = DDoS-Secure

o Add three interfaces (one for management and one each for the left and right networks)

5) Service Instance Creation (Contrail Web UI) 

Create service instance based on the above template.

o Select the correct template to spin the instance off of

o Assign "Management" interface to the "Management" network

o Assign "Left-interface" to the "Attacker" network

o Assign "Right-interface" to the "WebResource" network

6) Service Insertion (Contrail Web UI)

Now you need to embed this running Service Instance inside a policy. So go to the Policies sub-tab under "Networking" and edit the Policy you created earlier.

Check the "Apply Service" checkbox. This will bring up a dropdown. Select the recently created Service Instance.

What this does is that all traffic going from the Attacker network to the WebResource network will first be sent to the Service Instance before being forwarded to the WebResource network.

7) Now go back to your Attacker Ubuntu VM instance and hping the WebResource VM. (Login credentials: "root"/"juniper")

hping3 -S -p 80 --flood <web resource VM IP address> &

8) Floating IP assignment (OpenStack Horizon UI)

From the "Instances" section of the Horizon UI, select "Associate Floating IP" from the "More" drop down associated with the Service Instance Virtual Machine. 

Select an IP from the pool or create one if one does not already exist in the pool. 

9) Now point your browser to the newly associated Floating IP. This brings up the DDoS Secure Management console.

Login using the credentials "user" and "password". View the details of the attack. Change the mode from "Logging" to "Defending". Observe the count of "Out Packets" drop to zero once the mode of DDoS Secure is changed to "Defending".
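What the switch from "Logging" to "Defending" in step 9 amounts to, as an added Python example that is not the handout's or the DDoS Secure product's code: per-source half-open connection accounting, run over a constructed trace of TCP segments in which one client completes normal handshakes and a second host behaves like hping3 -S -p 80 --flood. The addresses, the half-open threshold and the time window are assumptions chosen for the illustration.

```python
"""SYN-flood guard with logging and defending modes, run over a constructed
trace. Added illustration of the Exercise 3 behaviour; the addresses and
thresholds are made up, not the lab's or the appliance's."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Segment:
    """One TCP segment as the service instance sees it (constructed data)."""
    t: float      # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # TCP flag letters: "S" SYN, "SA" SYN+ACK, "A" ACK, "R" RST


class SynFloodGuard:
    """Per-source half-open accounting, the basic check a SYN-flood defence does.

    A SYN adds a half-open entry for its source; the client's ACK (or an RST)
    removes it; entries older than `window` seconds expire. A source holding
    `max_half_open` or more entries when its next SYN arrives is flagged as
    flooding. In "logging" mode its SYNs are still forwarded and only counted;
    in "defending" mode they are dropped.
    """

    def __init__(self, protected: Set[str], max_half_open: int = 50,
                 window: float = 1.0, mode: str = "logging"):
        if mode not in ("logging", "defending"):
            raise ValueError("mode must be 'logging' or 'defending'")
        self.protected = set(protected)
        self.max_half_open = max_half_open
        self.window = window
        self.mode = mode
        # src -> {(sport, dst, dport): time the SYN was seen}
        self.half_open: Dict[str, Dict[Tuple[int, str, int], float]] = defaultdict(dict)
        self.stats: Dict[str, Dict[str, int]] = defaultdict(
            lambda: {"forwarded": 0, "dropped": 0})
        self.flooding: Set[str] = set()

    def _expire(self, src: str, now: float) -> None:
        table = self.half_open[src]
        for key in [k for k, t0 in table.items() if now - t0 > self.window]:
            del table[key]

    def process(self, seg: Segment) -> str:
        """Return "forward" or "drop" for one segment."""
        # Only client -> protected traffic is inspected; the server's SYN+ACK
        # replies and anything not aimed at the web resource pass untouched.
        if seg.dst not in self.protected:
            self.stats[seg.src]["forwarded"] += 1
            return "forward"
        self._expire(seg.src, seg.t)
        table = self.half_open[seg.src]
        key = (seg.sport, seg.dst, seg.dport)
        if "S" in seg.flags and "A" not in seg.flags:          # a new SYN
            if len(table) >= self.max_half_open:
                self.flooding.add(seg.src)
                if self.mode == "defending":
                    self.stats[seg.src]["dropped"] += 1
                    return "drop"
            table[key] = seg.t
        elif "A" in seg.flags or "R" in seg.flags:             # handshake completed or aborted
            table.pop(key, None)
        self.stats[seg.src]["forwarded"] += 1
        return "forward"


# Constructed addresses for the VMs of Exercise 3 (not the lab's real ones).
WEB = "192.168.20.10"       # WebResource VM
CLIENT = "192.168.30.5"     # well-behaved client in the Attacker VN
ATTACKER = "192.168.30.20"  # VM running hping3 -S -p 80 --flood


def build_sample() -> List[Segment]:
    """Three clean handshakes from CLIENT, then 200 bare SYNs from ATTACKER."""
    segs: List[Segment] = []
    for i in range(3):
        t, sport = i * 0.1, 50000 + i
        segs.append(Segment(t, CLIENT, sport, WEB, 80, "S"))
        segs.append(Segment(t + 0.01, WEB, 80, CLIENT, sport, "SA"))
        segs.append(Segment(t + 0.02, CLIENT, sport, WEB, 80, "A"))
    for i in range(200):   # 200 SYNs in half a second, a new source port each, never an ACK
        segs.append(Segment(0.05 + i * 0.0025, ATTACKER, 1024 + i, WEB, 80, "S"))
    return sorted(segs, key=lambda s: s.t)


def simulate(mode: str) -> dict:
    guard = SynFloodGuard(protected={WEB}, max_half_open=50, window=1.0, mode=mode)
    decisions = [guard.process(s) for s in build_sample()]
    return {"stats": dict(guard.stats), "flooding": set(guard.flooding),
            "dropped_total": decisions.count("drop")}


if __name__ == "__main__":
    for m in ("logging", "defending"):
        print(m, simulate(m))
```

In logging mode the guard forwards everything and only marks the flooding source; in defending mode every SYN beyond the half-open threshold is dropped, so packets from the attacker stop leaving the service toward the WebResource VM, which is the fall in "Out Packets" the step tells you to watch for. A real appliance adds SYN cookies or handshake proxying rather than a bare threshold, and the threshold has to be tuned so that many legitimate clients behind one NAT address are not mistaken for an attacker.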


Exercise 4: Analyzer and Debug

Pre-requisite: VM image with Wireshark added to the Glance repository

a) Image should be named “analyzer” in the repository

b) Wireshark in the VM must be configured to capture from the eth0 interface

Log on to the Contrail Web UI and browse to the Monitor tab --> Debug --> “Packet Capture”. Click on the “Create” button to create a new analyzer.

o Select the Virtual Network to spawn the Analyzer VM in. Leave it “Automatic” if you don’t have a preference.

o Select which virtual networks you would like this instance of the analyzer to monitor/capture traffic from.

o Add further traffic selection using analyzer rules based on source/destination ports, protocols, source/destination networks and direction.

This spawns a VM from the analyzer image in the chosen Virtual Network. The selected traffic is mirrored to the VM, and Wireshark in the VM captures and interprets the traffic.