Group based policy

There is lot of work going on in both Openstack and Opendaylight projects on Group based policy and I will try to capture my learnings in the next few blogs.

Group based policy(GBP) is an abstracted way of specifying interactions between the applications rather than using infrastructure specifics. In the networking context, for example, rather than using terms like ip address, vlan, port numbers, the policies are specified in much higher level language in terms of what the application needs. Currently Group based policy is targeted for Networking. Eventually, it will be applicable to Compute and Storage as well. I kind of see GBP as Open source variant of Cisco’s ACI model, multiple vendors are involved in the development of GBP.

In Openstack Neutron context, following are the goals of Group based policy.

  • Abstract policy from infrastructure.
  • Consolidate all networking policy needs into 1 location. Currently, networking policy is split in different locations in Neutron for L2 and L3, L4-L7 and security groups. The goal is to include Service chaining into the GBP.
  • Make the policies reusable and keep it automation friendly.

Following block diagram from Cisco white paper mentions the different blocks involved.


  • Different VMs can be placed in groups.
  • VM’s L2 requirements are integrated into the policy.
  • Policy rules are applied to groups. The policy rules consist of classifier and action. The action can be simple actions like allow, drop or a complex operation like redirect into service chain.

Following picture from Openstack summit illustrates where GBP fits in.


  • Group based policy can be integrated as a plugin into existing Neutron as well as Opendaylight and other Vendor plugins.
  • The work going on in Openstack project is for GBP orchestration and the work ongoing in Opendaylight is for implementing the driver itself.

There are 3 steps to the policy creation:

  1. Create rule set. This specifies how packet is classified and what action is applied. Example could be http ruleset that matches on port 80 with action allow.
  2. Create groups and associate ruleset. Example could be create web group which provides http ruleset and a client group which consumes http ruleset.
  3. The last step is associating VMs to the groups.

Following link specifies GBP commands, workflow and how to try this with devstack.

Current status:

Openstack Juno release and Opendaylight Helium release has some GBP content. Based on my understanding, the current released contents are preliminary and proof of concepts, work is still ongoing and will be available in the next set of releases.



2 thoughts on “Group based policy

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s