
Connecting Multiple Networks without ACI

Open vrenjith opened this issue 7 years ago • 4 comments

We are attempting to configure contiv with multiple networks and trying to make the connectivity between networks work. We do not have an ACI gateway, and when we check the routes within the container we do not see a route to the other network. Any hints on how to set this right? The commands used are listed below.

Rule Creation

netctl  policy rule-add test-web-policy 2  -protocol=tcp -direction=out  -action=allow  --to-group=test-app-epg
netctl  policy rule-add test-app-policy 2  -protocol=tcp -direction=out  -action=allow  --to-group=test-web-epg
netctl  policy rule-add test-web-policy 1  -direction=in -protocol=tcp  -action=allow  --from-group=test-app-epg
netctl  policy rule-add test-app-policy 1  -protocol=tcp -direction=in  -action=allow  --from-group=test-web-epg
netctl  policy rule-add test-web-policy 3  -protocol=tcp -direction=out  -action=allow  --to-network=Container
netctl  policy rule-add test-web-policy 4  -direction=in -protocol=tcp  -action=allow  --from-network=Container
netctl  policy rule-add test-app-policy 3  -protocol=tcp -direction=in  -action=allow  --from-network=ContainerEXT
netctl  policy rule-add test-app-policy 4  -protocol=tcp -direction=out  -action=allow  --to-network=ContainerEXT
netctl  policy rule-add test-web-policy 5  -protocol=icmp -direction=out  -action=allow  --to-group=test-app-epg
netctl  policy rule-add test-web-policy 6  -direction=in -protocol=icmp  -action=allow  --from-group=test-app-epg
netctl  policy rule-add test-app-policy 5  -protocol=icmp -direction=in  -action=allow  --from-group=test-web-epg
netctl  policy rule-add test-app-policy 6  -protocol=icmp -direction=out  -action=allow  --to-group=test-web-epg
netctl  policy rule-add test-web-policy 7  -protocol=icmp -direction=out  -action=allow  --to-network=Container
netctl  policy rule-add test-web-policy 8  -direction=in -protocol=icmp  -action=allow  --from-network=Container
netctl  policy rule-add test-app-policy 7  -protocol=icmp -direction=in  -action=allow  --from-network=ContainerEXT
netctl  policy rule-add test-app-policy 8  -protocol=icmp -direction=out  -action=allow  --to-network=ContainerEXT

Docker run:

docker run -it --net test-web-epg --entrypoint /bin/sh nginx
docker run -it --net test-web-epg --entrypoint /bin/sh nginx

Network create:

netctl  net create ContainerEXT -e vxlan --subnet=192.163.1.0/24
netctl  net create Container -e vxlan --subnet=192.163.2.0/24

Group creation:

netctl  group create -t default -policy=test-app-policy Container test-app-epg
netctl  group create -t default -policy=test-web-policy ContainerEXT test-web-epg

ifconfig output

eth0      Link encap:Ethernet  HWaddr 02:02:C0:A3:01:01  
          inet addr:192.163.1.1  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::2:c0ff:fea3:101%32609/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:508 (508.0 B)

eth1      Link encap:Ethernet  HWaddr 02:42:AC:12:00:18  
          inet addr:172.18.0.24  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe12:18%32609/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:508 (508.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1%32609/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

route output

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.18.0.1      0.0.0.0         UG    0      0        0 eth1
172.18.0.0      *               255.255.0.0     U     0      0        0 eth1
192.163.1.0     *               255.255.255.0   U     0      0        0 eth0

vrenjith, Jul 20 '17 10:07
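A small check, added here and not part of the issue or of contiv's own code, that runs kernel-style longest-prefix matching over the `route` table quoted above and reports where traffic for the other contiv subnet would actually leave the container. The table is constructed from the post; the subnets are the ones given to `netctl net create`, and `eth0` is assumed to be the vxlan port from the `ifconfig` output (MTU 1450).

```python
import ipaddress

# Constructed from the `route` output in the issue (net-tools format).
CONTAINER_ROUTES = """\
default         172.18.0.1      0.0.0.0         UG    0      0        0 eth1
172.18.0.0      *               255.255.0.0     U     0      0        0 eth1
192.163.1.0     *               255.255.255.0   U     0      0        0 eth0
"""

def parse_routes(text):
    """Parse net-tools `route` lines into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # header or blank line
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[7]
        if dest == "default":
            dest = "0.0.0.0"
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "*" else ipaddress.ip_address(gw)
        routes.append((net, gateway, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does; returns the winning route or None."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)

def route_check(routes, peer_subnet, vxlan_iface):
    """Say whether a peer contiv subnet is reached over the vxlan port or elsewhere."""
    net = ipaddress.ip_network(peer_subnet)
    hit = lookup(routes, net.network_address + 1)  # first host of the peer subnet
    if hit is None:
        return "no route"
    # A usable route must cover the whole peer subnet and sit on the vxlan port.
    if hit[2] == vxlan_iface and net.subnet_of(hit[0]):
        return f"direct via {hit[2]}"
    return f"falls to {hit[0]} via {hit[1]} on {hit[2]}"

if __name__ == "__main__":
    table = parse_routes(CONTAINER_ROUTES)
    for subnet in ("192.163.1.0/24", "192.163.2.0/24"):
        print(subnet, "->", route_check(table, subnet, "eth0"))
```

For the `Container` subnet the result is that packets match only the default route and leave on `eth1` toward 172.18.0.1, not on the vxlan port, which is exactly the missing route the reporter observed.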

By default in non-ACI mode everything is allowed. So two EPG containers which are under the same network (your case) should be able to ping each other. Please check the mode in the netctl global info command.

Also, please make sure you have connectivity like this: http://contiv.ciscolive.com/pod1 (see the image at the bottom of the page). Instead of an ACI leaf you can put a TOR there.

gaurav-dalvi, Jul 21 '17 05:07

@vrenjith you need to specify a default gateway in netctl net create ...

rchirakk, Jul 21 '17 16:07

  • The request was not about connectivity between EPGs in the same network @gaurav-dalvi, it was about connectivity between networks.
  • @rchirakk - We do not have a gateway as this is a situation when we use contiv in public clouds like AWS or Azure.

vrenjith, Jul 21 '17 18:07

@vrenjith: You do not have to create a separate gateway in the public cloud. If you specify the gateway IP with the -g option in the network create command, netplugin will act as a proxy gateway.

dvavili, Jul 21 '17 18:07