Isolated Network VLANs

By default, bare metal nodes on each Chameleon site share the same local network (shared VLAN and IP subnet). However, some experiments may require more network isolation, which is now supported by Chameleon.

Chameleon’s implementation of network isolation is based on dynamically managed VLANs (network layer 2) associated with user-configured private IP subnets (network layer 3). This means that all network communications local to the IP subnet or the broadcast domain (such as Ethernet broadcast, ARP, IP broadcast, DHCP, etc.) will be restricted to the user-configured network and its associated VLAN. This feature enables a range of experiments in networking and security. For example, this allows running your own DHCP server to configure virtual machines running on bare metal nodes, without impacting other users.

Note

  • Strong network isolation is provided at network layer 2 only. Even when you use separate IP subnets, bare metal nodes on different subnets can still reach each other, and the Internet, through the site router. If you need to restrict that traffic, attach a Firewall to your router interface (see Adding a Firewall below). We are investigating solutions to provide stronger isolation at network layer 3.
  • Network isolation works on all nodes, including our low-power HP Moonshot nodes (low-power Xeon, Atom, ARM64).

To use this feature, you will need to create a dedicated network and router. You can use a Heat template, use the Network panel of the GUI, or use the CLI.

Configuring Networking using a Heat template

  1. Go to Project > Orchestration > Stacks.

  2. Click the Launch Stack button to open an interactive dialog.

  3. Select URL as Template Source and paste https://raw.githubusercontent.com/ChameleonCloud/heat-templates/master/network-isolation/network-isolation.yaml to Template URL.

  4. Click the Next button to navigate to the Launch Stack dialog.

  5. Provide a name for your stack, enter your password, and set a private IP range, such as 192.168.1.0/24.

  6. Set the first and the last IP addresses of DHCP range.

    Important

    The first IP address in the DHCP range must not be *.1 or *.2 (*.1 is the subnet gateway), and the last IP address in the range must be less than *.255 (the broadcast address).

  7. Start creating the network and router by clicking the Launch button.

Creating a Network using the GUI

To create a Network from either the Network Topology page or the Networks page, click the +Create Network button to open the Create Network dialog.

The Create Network dialog

In the Create Network dialog, name your network. In general, you will also want to create a Subnet for your new Network, so make sure Create Subnet is checked. Click the Next button.

The Subnet tab

When creating a Subnet, you must specify a Subnet Name and a CIDR Network Address consisting of a private IP address and a prefix length. For example, entering 192.168.1.0/24 creates a /24 subnet with 254 usable addresses. You may set a Gateway IP or leave it blank to use the default, which is the first address in the range (192.168.1.1 in this example). Then, click the Next button.

Attention

Do not select the Disable Gateway checkbox!

Subnet details

You may specify DHCP and static route information in the Subnet Details section:

  • The Allocation Pools section lets you specify the DHCP address range in the format <first address>,<last address>. For example, entering 192.168.1.2,192.168.1.100 creates a Subnet whose DHCP pool runs from 192.168.1.2 to 192.168.1.100.

  • DNS Name Servers section allows you to specify a list of DNS servers.

    Note

    At CHI@TACC, use 129.114.97.1 and 129.114.97.2 as your DNS servers. At CHI@UC, use 130.202.101.6 and 130.202.101.37 as your DNS servers.

  • The Host Routes section lets you specify static routes for the subnet in the format <destination CIDR>,<next-hop IP address>. For example, 192.168.3.0/24,10.56.1.254 means that all traffic from this Subnet to 192.168.3.0/24 will be forwarded to the router interface at 10.56.1.254, which must be reachable from the subnet.

Note

In all three sections above, enter one entry per line.

Click the Create button to create the Network. Verify that it was created without error before continuing.

Creating a Router

To create a Router from either the Network Topology page or the Routers page, click the +Create Router button to open the Create Router dialog.

The Create Router dialog

In this dialog, specify a Router Name. Optionally, select public as the External Network if instances on your subnet need to reach the Internet or be reached through Floating IP addresses. Click Create Router to complete the process.

Adding a Router Interface

A Router may have multiple Interfaces, each connected to a Network. You may add an Interface to an existing Router by clicking on Add Interface from either the Network Topology page or the Routers page to open the Add Interface dialog.

The Router interface in the Network Topology page

The Interfaces tab in the Router detail page

The Add Interface dialog

First, select the network and subnet you created. You may specify an IP address for the interface; if you leave it blank, the gateway IP of the subnet is assigned to the interface automatically.

Adding a Firewall

A Router can optionally have a Firewall configured to control ingress/egress traffic to/from your Subnet. This lets you control which services you expose to the public Internet once you have assigned Floating IP addresses to your instances. To do this, create a Firewall Group that binds a Firewall Policy to an Interface on your Router. The Firewall GUI is under Firewall Groups in the Network sidebar.

The Firewall Groups panel

Note

There is a default ingress policy named “chameleon default ingress” shared with all Chameleon projects. It provides some basic security rules such as allowing SSH and HTTP(s), as well as ICMP, and can be a good policy for most cases.

To customize your Firewall, you should first add some Firewall Rules. To do that, click the Firewall Rules tab, and then click the Add Rule button to bring up the Add Rule modal. This modal allows you to configure the rule, such as for which protocols it should be active, as well as source and destination addresses.

The Firewall Rules “Add Rule” modal

Once you have rules defined, the next step is to create a Firewall Policy that has rules assigned. Click the Firewall Policies tab, and then click Add Policy to bring up the Add Policy modal. This modal allows you to name the policy and assign Firewall Rules via the Rules tab. The ordering of rules matters; the first match will apply.

The Firewall Policies Add Policy modal

Finally, associate your Firewall Policy to a Router Interface by creating a Firewall Group. Click the Firewall Groups tab, and then click Create Firewall Group to open the Add Firewall Group modal. Here, you can select your ingress and egress Firewall Policies to apply. Click the Ports tab and assign the port for your Router Interface to apply the firewall to the Subnet associated with that interface. You may need to re-visit the Routers page to get the ID of your Router Interface.

The Firewall Groups Add Firewall Group modal

Important

You need to check the Admin State box when creating the Firewall Group, or else the firewall will never be activated. “Admin State” is a way for the owner of the firewall to say that it should be enabled or disabled quickly.

Once a port is added to your Firewall Group, it will be activated and applied. You can modify your Firewall Policy while it is associated with a Firewall Group and any changes will be automatically applied to traffic immediately.

Deleting Networking Objects

Attention

Network objects such as Routers and Networks must be deleted in the reverse order in which they were created. An object cannot be deleted while other objects still depend on it.

Attention

Before deleting network objects, make sure all instances using them have been terminated!

  1. Go to Project > Network > Routers, and click on the router you would like to delete.

  2. Go to the Static Routes tab and click the Delete Static Routes button in the Action column. The Static Routes are deleted after you confirm.

  3. Go to the Interfaces tab and delete the router's interfaces, including the Gateway interface, by clicking the Delete Interface button in the Action column and confirming each deletion.

  4. Now you can safely delete the router by clicking on the dropdown on the upper right corner. Then, click on Delete Router. Finally, confirm your deletion of the router.

    Dropdown for deleting router

  5. Go to Project > Network > Networks, and delete the network by using the dropdown in the Action column. Alternatively, you may delete the network by selecting the network using the checkbox and click on Delete Networks button on the upper right corner. Confirm your deletion to finish the process.

Configuring Networking using the CLI

Tip

Reading The Command Line Interface is highly recommended before continuing on the following sections.

Before using the CLI, make sure you have configured environment variables using The OpenStack RC Script.

Creating a Network

You can create an Isolated VLAN Network using the command:

openstack network create --provider-network-type vlan --provider-physical-network physnet1 <network_name>

The output should look like the following:

+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2018-03-23T23:45:19Z                 |
| description               |                                      |
| dns_domain                | None                                 |
| id                        | 21ed933c-323d-4708-930c-d5f82c507430 |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | None                                 |
| is_vlan_transparent       | None                                 |
| mtu                       | 1500                                 |
| name                      | MyNetwork                            |
| port_security_enabled     | False                                |
| project_id                | d5233415ee0b467baec14cbd2d0e1331     |
| provider:network_type     | vlan                                 |
| provider:physical_network | physnet1                             |
| provider:segmentation_id  | 2018                                 |
| qos_policy_id             | None                                 |
| revision_number           | 2                                    |
| router:external           | Internal                             |
| segments                  | None                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| updated_at                | 2018-03-23T23:45:19Z                 |
+---------------------------+--------------------------------------+

Note

Note the provider:segmentation_id field in the above output. Each Isolated VLAN Network requires a unique network segment to operate, and there are a finite number of valid network segments on Chameleon. If you are unable to create a network because no valid network segment is available, you can instead create a network automatically by Creating a Lease to Reserve a VLAN Segment. Note also that port_security_enabled is False: Neutron security groups and anti-spoofing filters are not applied to ports on this network, so any filtering of traffic entering or leaving the subnet has to be done with a Firewall on the router (see Adding a Firewall) or on the nodes themselves.

Once you have created a Network, you may create a subnet with the command:

openstack subnet create --subnet-range <cidr> --dhcp --network <network_name> <subnet_name>

For example, the command:

openstack subnet create --subnet-range 192.168.1.0/24 --dhcp --network MyNetwork MySubnet

will create a subnet with the following output:

+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| allocation_pools  | 192.168.1.2-192.168.1.254            |
| cidr              | 192.168.1.0/24                       |
| created_at        | 2018-03-23T23:50:11Z                 |
| description       |                                      |
| dns_nameservers   |                                      |
| enable_dhcp       | True                                 |
| gateway_ip        | 192.168.1.1                          |
| host_routes       |                                      |
| id                | 8be4e80d-ba49-4cdc-8480-ba43dd4724c2 |
| ip_version        | 4                                    |
| ipv6_address_mode | None                                 |
| ipv6_ra_mode      | None                                 |
| name              | MySubnet                             |
| network_id        | 21ed933c-323d-4708-930c-d5f82c507430 |
| project_id        | d5233415ee0b467baec14cbd2d0e1331     |
| revision_number   | 2                                    |
| segment_id        | None                                 |
| service_types     |                                      |
| subnetpool_id     | None                                 |
| tags              |                                      |
| updated_at        | 2018-03-23T23:50:11Z                 |
+-------------------+--------------------------------------+

To see more options when creating a subnet, use the following command:

openstack subnet create --help

Creating a Router

To create a router, use the following command:

openstack router create <router_name>

Your output should look like:

+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| admin_state_up          | UP                                   |
| availability_zone_hints |                                      |
| availability_zones      |                                      |
| created_at              | 2018-03-23T23:56:35Z                 |
| description             |                                      |
| distributed             | False                                |
| external_gateway_info   | None                                 |
| flavor_id               | None                                 |
| ha                      | False                                |
| id                      | 9b5d4516-804a-4c01-9016-3a27fc4197d1 |
| name                    | MyRouter                             |
| project_id              | d5233415ee0b467baec14cbd2d0e1331     |
| revision_number         | None                                 |
| routes                  |                                      |
| status                  | ACTIVE                               |
| tags                    |                                      |
| updated_at              | 2018-03-23T23:56:35Z                 |
+-------------------------+--------------------------------------+

Adding a Router Interface

A Router Interface can be added and attached to a subnet with the command:

openstack router add subnet <router_name> <subnet_name>

In addition, you can specify an External Gateway for your router and connect it to the public Network with the following command:

openstack router set --external-gateway public <router_name>
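The following script is an added example, not part of Chameleon's documentation or tooling. It strings the CLI steps above together, enforces the DHCP-range rule stated in the Heat and GUI sections (first address not *.1 or *.2, last address below *.255, pool inside the subnet) for any prefix length before it touches the cloud, and includes the teardown sequence in the required reverse order. The names MyNetwork, MySubnet and MyRouter, the 192.168.1.0/24 range and the choice of the CHI@UC resolvers are assumptions for the example; it expects the OpenStack RC script to have been sourced first.

```shell
#!/bin/sh
# Added example: provision (or tear down) an isolated VLAN network on Chameleon.
# Assumed names: MyNetwork, MySubnet, MyRouter; assumed site: CHI@UC resolvers.
set -e

# ip2int: dotted-quad IPv4 address -> 32-bit integer (used by the pool checks)
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# dhcp_pool_ok CIDR FIRST LAST -> returns 0 when the DHCP pool satisfies the
# rules on this page: both ends inside the subnet, first address past .0, .1
# (the gateway) and .2, last address below the broadcast address, first <= last.
dhcp_pool_ok() {
  net=${1%/*}; plen=${1#*/}
  mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
  n=$(( $(ip2int "$net") & mask ))
  bcast=$(( n | (~mask & 0xFFFFFFFF) ))
  f=$(ip2int "$2"); l=$(ip2int "$3")
  [ $(( f & mask )) -eq "$n" ] || return 1   # first address inside the subnet
  [ $(( l & mask )) -eq "$n" ] || return 1   # last address inside the subnet
  [ "$f" -ge $(( n + 3 )) ] || return 1      # skip .0, .1 (gateway) and .2
  [ "$l" -lt "$bcast" ] || return 1          # stay below the broadcast address
  [ "$f" -le "$l" ]
}

# provision NETWORK SUBNET ROUTER CIDR FIRST LAST: the CLI sequence from this page
provision() {
  dhcp_pool_ok "$4" "$5" "$6" || { echo "bad DHCP pool $5-$6 for $4" >&2; return 1; }
  openstack network create --provider-network-type vlan \
    --provider-physical-network physnet1 "$1"
  openstack subnet create --network "$1" --subnet-range "$4" --dhcp \
    --allocation-pool "start=$5,end=$6" \
    --dns-nameserver 130.202.101.6 --dns-nameserver 130.202.101.37 "$2"
  openstack router create "$3"
  openstack router add subnet "$3" "$2"
  openstack router set --external-gateway public "$3"
  # Print the VLAN segment that was allocated; the layer-2 isolation rests on it.
  openstack network show -f value -c provider:segmentation_id "$1"
}

# teardown NETWORK SUBNET ROUTER: reverse order, as the page requires
teardown() {
  openstack router unset --external-gateway "$3"
  openstack router remove subnet "$3" "$2"
  openstack router delete "$3"
  openstack network delete "$1"   # also removes the network's subnets
}

# Usage:
#   sh isolated_net.sh MyNetwork MySubnet MyRouter 192.168.1.0/24 192.168.1.3 192.168.1.254
#   sh isolated_net.sh teardown MyNetwork MySubnet MyRouter
if [ "$#" -eq 6 ]; then
  provision "$@"
elif [ "$#" -eq 4 ] && [ "$1" = teardown ]; then
  teardown "$2" "$3" "$4"
fi
```

The pool check runs before any API call so that a typo in the range fails fast instead of leaving a half-built stack behind; the final network show prints the segmentation ID so you can record which VLAN your experiment actually received.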

Adding a Firewall

To configure a Firewall, first create Firewall Rules that you would like to apply to traffic.

openstack firewall group rule create [options] --name <name>

Then, create a Firewall Policy that has rules associated:

openstack firewall group policy create \
  --firewall-rule <rule_name_or_id> \
  --firewall-rule <another_rule_name_or_id> \
  <policy_name>

Finally, create a Firewall Group that applies a policy to one or more Router Interfaces. Pass --enable so that the group's Admin State is up (the CLI equivalent of the Admin State box in the GUI):

openstack firewall group create --name <group_name> --enable \
  --ingress-firewall-policy <policy_name_or_id> \
  --port <router_interface_port_id> \
  --port <another_router_interface_port_id>
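The script below is an added example, not part of Chameleon's documentation or tooling, covering both the GUI and the CLI firewall sections. Its first half models the first-match semantics of a Firewall Policy so that the ordering pitfall ("the first match will apply") can be checked offline on a constructed rule list; its second half creates the same rules, policy and group on Chameleon and looks up the router's port on the subnet, which is the ID the GUI makes you fetch from the Routers page. The rule and policy names, the 10.0.0.0/8 "trusted" source range, the names MyRouter and MySubnet, and the assumption that FWaaS drops traffic no rule allows are all assumptions for the example.

```shell
#!/bin/sh
# Added example: FWaaS v2 policy ordering, checked offline, then applied via the CLI.
# Assumed: trusted SSH sources are 10.0.0.0/8; router MyRouter has subnet MySubnet.
set -e

# ip2int: dotted-quad IPv4 address -> 32-bit integer
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> 0 when IP lies inside CIDR; CIDR may be the word "any"
in_cidr() {
  [ "$2" = any ] && return 0
  net=${2%/*}; plen=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# evaluate RULES PROTO SRC DPORT -> prints the action of the first rule that
# matches, or "deny" when none does (FWaaS drops traffic no rule allows).
# RULES is one "action proto source_cidr dest_port" rule per line, in policy
# order; proto, source and port may each be "any".
evaluate() {
  proto=$2; src=$3; dport=$4
  result=$(printf '%s\n' "$1" | while read -r action rproto rsrc rport; do
    [ -n "$action" ] || continue
    { [ "$rproto" = any ] || [ "$rproto" = "$proto" ]; } || continue
    { [ "$rport" = any ] || [ "$rport" = "$dport" ]; } || continue
    in_cidr "$src" "$rsrc" || continue
    echo "$action"
    break
  done)
  echo "${result:-deny}"
}

# Constructed policies. The intended one: SSH only from the trusted range,
# ICMP from anywhere, everything else explicitly denied.
ORDERED_POLICY='allow tcp 10.0.0.0/8 22
allow icmp any any
deny any any any'
# The same rules with the catch-all deny listed first: it matches every packet,
# so the allow rules below it are never consulted.
MISORDERED_POLICY='deny any any any
allow tcp 10.0.0.0/8 22
allow icmp any any'

# apply_firewall ROUTER SUBNET: create ORDERED_POLICY on Chameleon and bind it
# to the router's interface on SUBNET (ingress direction).
apply_firewall() {
  openstack firewall group rule create --name allow-ssh-trusted --protocol tcp \
    --source-ip-address 10.0.0.0/8 --destination-port 22 --action allow
  openstack firewall group rule create --name allow-icmp --protocol icmp --action allow
  openstack firewall group rule create --name deny-rest --protocol any --action deny
  # Order of --firewall-rule arguments is the match order.
  openstack firewall group policy create --firewall-rule allow-ssh-trusted \
    --firewall-rule allow-icmp --firewall-rule deny-rest trusted-ssh-ingress
  # The router's port on the subnet is the "Router Interface" the group binds to.
  subnet_id=$(openstack subnet show -f value -c id "$2")
  port_id=$(openstack port list --router "$1" --fixed-ip "subnet=$subnet_id" -f value -c ID)
  openstack firewall group create --name trusted-ssh-fwg --enable \
    --ingress-firewall-policy trusted-ssh-ingress --port "$port_id"
}

# Usage: sh fwaas_example.sh MyRouter MySubnet
if [ "$#" -eq 2 ]; then
  apply_firewall "$@"
fi
```

Run the evaluator against your own rule list before creating it: if a request you expect to pass comes back "deny", a broader rule above it is shadowing the one you meant.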

Deleting Networking Objects

To delete a router that has an External Gateway and subnets attached to it, and then the network itself, use the following commands in this order (deleting the network also removes its subnets):

openstack router unset --external-gateway <router_name>
openstack router remove subnet <router_name> <subnet_name>
openstack router delete <router_name>
openstack network delete <network_name>