diff --git a/doc/install-guide/ch_neutron.xml b/doc/install-guide/ch_neutron.xml
index 47a06b9845..248bd6df75 100644
--- a/doc/install-guide/ch_neutron.xml
+++ b/doc/install-guide/ch_neutron.xml
@@ -3,8 +3,7 @@
     xmlns:xi="http://www.w3.org/2001/XInclude"
     xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
     xml:id="ch_neutron">
-    <title>Install the Networking service</title>
-
+    <title>Add the Networking service</title>
     <warning>
         <para>This chapter is a bit more adventurous than we would
             like. We are working on cleanup and improvements to it.
@@ -33,6 +32,9 @@
         </warning>
     </section>
     <xi:include href="section_neutron-concepts.xml"/>
-    <xi:include href="section_neutron-install.xml"/>
+    <xi:include href="section_neutron-controller-node.xml"/>
+    <xi:include href="section_neutron-network-node.xml"/>
+    <xi:include href="section_neutron-compute-node.xml"/>
+    <xi:include href="section_neutron-initial-networks.xml"/>
     <xi:include href="section_neutron-deploy-use-cases.xml"/>
 </chapter>
diff --git a/doc/install-guide/section_neutron-compute-node.xml b/doc/install-guide/section_neutron-compute-node.xml
new file mode 100644
index 0000000000..877a4ca10c
--- /dev/null
+++ b/doc/install-guide/section_neutron-compute-node.xml
@@ -0,0 +1,391 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<section xml:id="neutron-compute-node"
+  xmlns="http://docbook.org/ns/docbook"
+  xmlns:xi="http://www.w3.org/2001/XInclude"
+  xmlns:xlink="http://www.w3.org/1999/xlink"
+  xmlns:svg="http://www.w3.org/2000/svg"
+  xmlns:html="http://www.w3.org/1999/xhtml" version="5.0">
+    <title>Configure compute node</title>
+    <note>
+      <para>This section details set up for any node that runs the
+          <literal>nova-compute</literal> component but does not run
+        the full network stack.</para>
+    </note>
+    <warning os="rhel;centos">
+      <para>By default, the <literal>system-config-firewall</literal>
+        automated firewall configuration tool is in place on RHEL.
+        This graphical interface (and a curses-style interface with
+          <literal>-tui</literal> on the end of the name) enables you
+        to configure IP tables as a basic firewall. You should disable
+        it when you work with Neutron unless you are familiar with the
+        underlying network technologies, as, by default, it blocks
+        various types of network traffic that are important to
+        Neutron. To disable it, simple launch the program and clear
+        the <guilabel>Enabled</guilabel> check box.</para>
+      <para>After you successfully set up OpenStack with Neutron, you
+        can re-enable and configure the tool. However, during Neutron
+        set up, disable the tool to make it easier to debug network
+        issues.</para>
+    </warning>
+    <procedure>
+      <step>
+        <para>Disable packet destination filtering (route
+          verification) to let the networking services route traffic
+          to the VMs. Edit the <filename>/etc/sysctl.conf</filename>
+          file and run the following command to activate
+          changes:</para>
+        <programlisting language="ini">net.ipv4.conf.all.rp_filter=0
+net.ipv4.conf.default.rp_filter=0</programlisting>
+        <screen><prompt>#</prompt> <userinput>sysctl -p</userinput></screen>
+      </step>
+      <step>
+        <para>Install and configure your networking plug-in
+          components. To install and configure the network plug-in
+          that you chose when you set up your network node, see <xref
+            linkend="install-neutron.install-plugin-compute"/>.</para>
+      </step>
+      <step os="rhel;centos;fedora;opensuse;sles">
+          <para>Configure Networking to use <systemitem class="service">keystone</systemitem> for authentication:</para>
+          <substeps>
+              <step>
+                  <para>Set the <literal>auth_strategy</literal>
+                  configuration key to <literal>keystone</literal> in the
+                  <literal>DEFAULT</literal> section of the file:</para>
+                  <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone</userinput></screen>
+              </step>
+              <step>
+                  <para>Set the <systemitem class="service">neutron</systemitem> configuration for
+                      <systemitem class="service">keystone</systemitem> authentication:</para>
+                      <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+   auth_host <replaceable>controller</replaceable></userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+   auth_url http://<replaceable>controller</replaceable>:35357/v2.0</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+   admin_tenant_name service</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+   admin_user neutron</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+   admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
+              </step></substeps>
+      </step>
+      <step os="opensuse;sles">
+          <para>Configure access to the <application>RabbitMQ</application> service:</para>
+          <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   rpc_backend neutron.openstack.common.rpc.impl_kombu</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   rabbit_host controller</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   rabbit_userid guest</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   rabbit_password <replaceable>RABBIT_PASS</replaceable></userinput></screen>
+      </step>
+      <step os="rhel;centos;fedora">
+        <para>Configure access to the <application>Qpid</application> message queue:</para>
+            <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   rpc_backend neutron.openstack.common.rpc.impl_qpid</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   qpid_hostname <replaceable>controller</replaceable></userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   qpid_port 5672</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   qpid_username <replaceable>guest</replaceable></userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   qpid_password <replaceable>guest</replaceable></userinput></screen>
+      </step>
+      <step os="ubuntu;debian">
+        <para>Configure the core components of Neutron. Edit the
+            <filename>/etc/neutron/neutron.conf</filename>
+          file:</para>
+        <programlisting language="ini">auth_host = <replaceable>controller</replaceable>
+admin_tenant_name = service
+admin_user = neutron
+admin_password = <replaceable>NEUTRON_PASS</replaceable>
+auth_url = http://controller:35357/v2.0
+auth_strategy = keystone
+rpc_backend = neutron.openstack.common.rpc.impl_kombu
+rabbit_host = controller
+rabbit_port = 5672
+# Change the following settings if you're not using the default RabbitMQ configuration
+#rabbit_userid = guest
+rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
+      </step>
+      <step os="rhel;centos;fedora">
+        <para>Set the <literal>root_helper</literal> configuration in the
+          <literal>[agent]</literal> section of <filename>/etc/neutron/neutron.conf</filename>:</para>
+          <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf AGENT \
+   root_helper sudo neutron-rootwrap /etc/neutron/rootwrap.conf</userinput></screen>
+      </step>
+          <step os="rhel;centos;fedora;opensuse;sles">
+          <para>Configure Networking to connect to the database:</para>
+          <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DATABASE sql_connection \
+   mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@controller/neutron</userinput></screen>
+      </step>
+      <step os="ubuntu">
+        <para>Configure Networking to connect to the database. Edit
+          the <literal>[database]</literal> section in the same file,
+          as follows:</para>
+        <programlisting language="ini">[database]
+connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>/neutron</programlisting>
+      </step>
+      <step os="ubuntu;debian">
+        <para>Edit the <filename>/etc/neutron/api-paste.ini</filename>
+          file and add these lines to the
+            <literal>[filter:authtoken]</literal> section:</para>
+        <programlisting language="ini">[filter:authtoken]
+paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
+auth_host = <replaceable>controller</replaceable>
+admin_tenant_name = service
+admin_user = neutron
+admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
+      </step>
+      <step os="rhel;centos;fedora;opensuse;sles">
+          <para>Configure the <filename>/etc/neutron/api-paste.ini</filename> file for <systemitem class="service">keystone</systemitem>
+          authentication:</para>
+              <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
+   paste.filter_factory keystoneclient.middleware.auth_token:filter_factory</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
+   auth_host <replaceable>controller</replaceable></userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
+   admin_tenant_name service</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
+   admin_user neutron</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
+   admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
+      </step>
+      <step>
+      <para os="rhel;centos;fedora;opensuse;sles">Configure OpenStack Compute to use OpenStack Networking
+          services. Configure the <filename>/etc/nova/nova.conf</filename>
+          file as per instructions below:</para>
+      <screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+   network_api_class nova.network.neutronv2.api.API</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+   neutron_url http://<replaceable>controller</replaceable>:9696</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+   neutron_auth_strategy keystone</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+   neutron_admin_tenant_name service</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+   neutron_admin_username neutron</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+   neutron_admin_password <replaceable>NEUTRON_PASS</replaceable></userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+   neutron_admin_auth_url http://<replaceable>controller</replaceable>:35357/v2.0</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+   linuxnet_interface_driver nova.network.linux_net.LinuxOVSInterfaceDriver</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+   firewall_driver nova.virt.firewall.NoopFirewallDriver</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+   security_group_api neutron</userinput></screen>
+        <para os="ubuntu;debian">Configure OpenStack Compute to use OpenStack Networking
+          services. Edit the <filename>/etc/nova/nova.conf</filename>
+          file:</para>
+        <programlisting language="ini" os="ubuntu;debian">network_api_class=nova.network.neutronv2.api.API
+neutron_url=http://<replaceable>controller</replaceable>:9696
+neutron_auth_strategy=keystone
+neutron_admin_tenant_name=service
+neutron_admin_username=neutron
+neutron_admin_password=<replaceable>NEUTRON_PASS</replaceable>
+neutron_admin_auth_url=http://<replaceable>controller</replaceable>:35357/v2.0
+linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
+firewall_driver=nova.virt.firewall.NoopFirewallDriver
+security_group_api=neutron</programlisting>
+        <note>
+          <itemizedlist>
+            <listitem>
+              <para>No matter which firewall driver you chose when you
+                configured the network and compute nodes, you must
+                edit the <filename>/etc/nova/nova.conf</filename> file
+                to set the firewall driver to
+                  <literal>nova.virt.firewall.NoopFirewallDriver</literal>.
+                Because OpenStack Networking handles the firewall,
+                this statement instructs Compute to not use a
+                firewall.</para>
+            </listitem>
+            <listitem>
+              <para>If you want Networking to handle the firewall,
+                edit the
+                  <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
+                file to set the <code>firewall_driver</code> option to
+                the firewall for the plug-in. For example, with
+                  <acronym>OVS</acronym>, edit the file as
+                follows:</para>
+              <programlisting language="ini" os="ubuntu;debian">[securitygroup]
+# Firewall driver for realizing neutron security group function.
+firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
+              <screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set \
+   /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini securitygroup firewall_driver \
+   neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</userinput></screen>
+            </listitem>
+            <listitem>
+              <para>If you do not want to use a firewall in Compute or
+                Networking, edit both configuration files and set
+                  <code>firewall_driver=nova.virt.firewall.NoopFirewallDriver</code>.
+                Also, edit the
+                  <filename>/etc/nova/nova.conf</filename> file and
+                comment out or remove the
+                  <code>security_group_api=neutron</code>
+                statement.</para>
+              <para>Otherwise, when you issue <command>nova
+                  list</command> commands, the <errortext>ERROR: The
+                  server has either erred or is incapable of
+                  performing the requested operation. (HTTP
+                  500)</errortext> error might be returned.</para>
+            </listitem>
+          </itemizedlist>
+        </note>
+      </step>
+      <step>
+        <para>Restart the Compute service.</para>
+        <screen os="debian;ubuntu"><prompt>#</prompt> <userinput>service nova-compute restart</userinput></screen>
+        <screen os="centos;rhel;fedora"><prompt>#</prompt> <userinput>service openstack-nova-compute restart</userinput></screen>
+        <screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-nova-compute restart</userinput></screen>
+        <para>Also restart your chosen Networking plug-in agent, for example, Open vSwitch.</para>
+        <screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service neutron-plugin-openvswitch-agent restart</userinput></screen>
+        <screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service neutron-openvswitch-agent restart</userinput></screen>
+        <screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-neutron-openvswitch-agent restart</userinput></screen>
+      </step>
+    </procedure>
+    <section xml:id="install-neutron.install-plugin-compute">
+      <title>Install and configure Neutron plug-ins on a dedicated
+        compute node</title>
+      <section xml:id="install-neutron.install-plugin-compute.ovs">
+        <title>Install the Open vSwitch (OVS) plug-in on a dedicated
+          compute node</title>
+        <procedure>
+          <step>
+            <para>Install the Open vSwitch plug-in and its
+              dependencies:</para>
+            <screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch-agent openvswitch-datapath-dkms</userinput></screen>
+            <screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron-openvswitch</userinput></screen>
+            <screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
+          </step>
+          <step os="ubuntu;debian">
+            <para>Restart Open vSwitch:</para>
+            <screen><prompt>#</prompt> <userinput>service openvswitch-switch restart</userinput></screen>
+          </step>
+          <step os="rhel;fedora;centos;opensuse;sles">
+            <para>Start Open vSwitch and configure it to start when
+              the system boots:</para>
+            <screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>service openvswitch start</userinput>
+<prompt>#</prompt> <userinput>chkconfig openvswitch on</userinput></screen>
+            <screen os="opensuse;sles"><prompt>#</prompt> <userinput>service openvswitch-switch start</userinput>
+<prompt>#</prompt> <userinput>chkconfig openvswitch-switch on</userinput></screen>
+          </step>
+          <step>
+            <para>You must set some common configuration options no
+              matter which networking technology you choose to use
+              with Open vSwitch. You must add the
+                <literal>br-int</literal> integration bridge, which
+              connects to the VMs.</para>
+            <screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-int</userinput></screen>
+          </step>
+          <step os="rhel;centos;fedora;opensuse;sles;ubuntu">
+            <para>You must set some common configuration options. You
+              must configure Networking core to use
+                <acronym>OVS</acronym>. Edit the
+                <filename>/etc/neutron/neutron.conf</filename>
+              file:</para>
+            <programlisting language="ini" os="ubuntu;opensuse;sles">core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2</programlisting>
+            <programlisting language="ini">auth_uri = http://<replaceable>controller</replaceable>:5000</programlisting>
+            <programlisting language="ini" os="rhel;centos;fedora">core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
+api_paste_config = /etc/neutron/api-paste.ini
+rpc_backend = neutron.openstack.common.rpc.impl_qpid</programlisting>
+          </step>
+          <step>
+            <para>Configure the networking type that you chose when
+              you set up the network node: either <link
+                linkend="install-neutron.install-plugin-compute.ovs.gre"
+                >GRE tunneling</link> or <link
+                linkend="install-neutron.install-plugin-compute.ovs.vlan"
+                >VLANs</link>.</para>
+          </step>
+          <!-- TODO(sross): support provider networks?  you need to modify things above for this to work -->
+          <step>
+            <para>You must configure a firewall as well. You should
+              use the same firewall plug-in that you chose to use when
+              you set up the network node. To do this, edit
+                <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
+              file and set the <literal>firewall_driver</literal>
+              value under the <literal>securitygroup</literal> to the
+              same value used on the network node. For instance, if
+              you chose to use the Hybrid OVS-IPTables plug-in, your
+              configuration looks like this:</para>
+            <programlisting language="ini">[securitygroup]
+# Firewall driver for realizing neutron security group function.
+firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
+            <warning>
+              <para>You must use at least the No-Op firewall.
+                Otherwise, Horizon and other OpenStack services cannot
+                get and set required VM boot options.</para>
+            </warning>
+          </step>
+          <step os="rhel;centos;fedora;sles;opensuse">
+            <para>Configure the <acronym>OVS</acronym> plug-in to start
+              on boot.</para>
+            <screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>chkconfig neutron-openvswitch-agent on</userinput></screen>
+            <screen os="sles;opensuse"><prompt>#</prompt> <userinput>chkconfig openstack-neutron-openvswitch-agent on</userinput></screen>
+          </step>
+          <step>
+            <para>Now, return to the general <acronym>OVS</acronym>
+              instructions.</para>
+          </step>
+        </procedure>
+        <section
+          xml:id="install-neutron.install-plugin-compute.ovs.gre">
+          <title>Configure the Neutron <acronym>OVS</acronym> plug-in
+            for GRE tunneling on a dedicated compute node</title>
+          <procedure>
+            <step>
+              <para>Tell the <acronym>OVS</acronym> plug-in to use GRE
+                tunneling with a <literal>br-int</literal> integration
+                bridge, a <literal>br-tun</literal> tunneling bridge,
+                and a local IP for the tunnel of
+                  <replaceable>DATA_INTERFACE</replaceable>'s IP Edit
+                the
+                  <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
+                file:</para>
+              <programlisting language="ini">[ovs]
+tenant_network_type = gre
+tunnel_id_ranges = 1:1000
+enable_tunneling = True
+integration_bridge = br-int
+tunnel_bridge = br-tun
+local_ip = <replaceable>DATA_INTERFACE_IP</replaceable></programlisting>
+            </step>
+            <step>
+              <para>Now, return to the general <acronym>OVS</acronym>
+                instructions.</para>
+            </step>
+          </procedure>
+        </section>
+        <section
+          xml:id="install-neutron.install-plugin-compute.ovs.vlan">
+          <title>Configure the Neutron <acronym>OVS</acronym> plug-in
+            for VLANs on a dedicated compute node</title>
+          <procedure>
+            <step>
+              <para>Tell <acronym>OVS</acronym> to use VLANs. Edit the
+                  <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
+                file:</para>
+              <programlisting language="ini">[ovs]
+tenant_network_type = vlan
+network_vlan_ranges = physnet1:1:4094
+bridge_mappings = physnet1:br-<replaceable>DATA_INTERFACE</replaceable></programlisting>
+            </step>
+            <step>
+              <para>Create the bridge for the
+                  <replaceable>DATA_INTERFACE</replaceable> and add
+                  <replaceable>DATA_INTERFACE</replaceable> to it, the
+                same way you did on the network node:</para>
+              <screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-DATA_INTERFACE</userinput>
+<prompt>#</prompt> <userinput>ovs-vsctl add-port br-DATA_INTERFACE DATA_INTERFACE</userinput></screen>
+            </step>
+            <step>
+              <para>Return to the general <acronym>OVS</acronym>
+                instructions.</para>
+            </step>
+          </procedure>
+        </section>
+      </section>
+    </section>
+  </section>
diff --git a/doc/install-guide/section_neutron-controller-node.xml b/doc/install-guide/section_neutron-controller-node.xml
new file mode 100644
index 0000000000..8de6873125
--- /dev/null
+++ b/doc/install-guide/section_neutron-controller-node.xml
@@ -0,0 +1,552 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<section xml:id="neutron-controller-node"
+  xmlns="http://docbook.org/ns/docbook"
+  xmlns:xi="http://www.w3.org/2001/XInclude"
+  xmlns:xlink="http://www.w3.org/1999/xlink"
+  xmlns:svg="http://www.w3.org/2000/svg"
+  xmlns:html="http://www.w3.org/1999/xhtml" version="5.0">
+    <title>Configure controller node</title>
+    <note>
+      <para>This is for a node which runs the control components of
+        Neutron, but does not run any of the components that provide
+        the underlying functionality (such as the plug-in agent or the
+        L3 agent). If you wish to have a combined controller/compute
+        node follow these instructions, and then those for the compute
+        node.</para>
+    </note>
+    <warning os="rhel;centos">
+      <para>By default, the <literal>system-config-firewall</literal>
+        automated firewall configuration tool is in place on RHEL.
+        This graphical interface (and a curses-style interface with
+          <literal>-tui</literal> on the end of the name) enables you
+        to configure IP tables as a basic firewall. You should disable
+        it when you work with Neutron unless you are familiar with the
+        underlying network technologies, as, by default, it blocks
+        various types of network traffic that are important to
+        Neutron. To disable it, simple launch the program and clear
+        the <guilabel>Enabled</guilabel> check box.</para>
+      <para>After you successfully set up OpenStack with Neutron, you
+        can re-enable and configure the tool. However, during Neutron
+        set up, disable the tool to make it easier to debug network
+        issues.</para>
+    </warning>
+<!-- FIXME This material needs validation, updates, and relocation to more
+  appropriate sections.
+
+  <procedure os="debian">
+  <para os="debian">When you install a Networking node, you must
+    configure it for API endpoints, RabbitMQ,
+      <code>keystone_authtoken</code>, and the database. Use
+      <package>debconf</package> to configure these values.</para>
+  <para os="debian">When you install a Networking package,
+      <package>debconf</package> prompts you to choose configuration
+    options including which plug-in to use, as follows:</para>
+  <informalfigure os="debian">
+    <mediaobject>
+      <imageobject>
+        <imagedata scale="50"
+          fileref="figures/debconf-screenshots/neutron_1_plugin_selection.png"
+        />
+      </imageobject>
+    </mediaobject>
+  </informalfigure>
+  <para os="debian">This parameter sets the
+      <parameter>core_plugin</parameter> option value in the
+      <filename>/etc/neutron/neutron.conf</filename> file.</para>
+  <note os="debian">
+    <para>When you install the <package>neutron-common</package>
+      package, all plug-ins are installed by default.</para>
+  </note>
+  <para os="debian">This table lists the values for the
+      <parameter>core_plugin</parameter> option. These values depend
+    on your response to the <package>debconf</package> prompt.</para>
+  <table rules="all" os="debian">
+    <caption>Plug-ins and the core_plugin option</caption>
+    <thead>
+      <tr>
+        <th>Plug-in</th>
+        <th>core_plugin value in
+          <filename>neutron.conf</filename></th>
+      </tr>
+    </thead>
+    <tbody>
+      <tr>
+        <td><para>BigSwitch</para></td>
+        <td><para>neutron.plugins.bigswitch.plugin.NeutronRestProxyV2</para></td>
+      </tr>
+      <tr>
+        <td><para>Brocade</para></td>
+        <td><para>neutron.plugins.brocade.NeutronPlugin.BrocadePluginV2</para></td>
+      </tr>
+      <tr>
+        <td><para>Cisco</para></td>
+        <td><para>neutron.plugins.cisco.network_plugin.PluginV2</para></td>
+      </tr>
+      <tr>
+        <td><para>Hyper-V</para></td>
+        <td><para>neutron.plugins.hyperv.hyperv_neutron_plugin.HyperVNeutronPlugin</para></td>
+      </tr>
+      <tr>
+        <td><para>LinuxBridge</para></td>
+        <td><para>neutron.plugins.linuxbridge.lb_neutron_plugin.LinuxBridgePluginV2</para></td>
+      </tr>
+      <tr>
+        <td><para>Mellanox</para></td>
+        <td><para>neutron.plugins.mlnx.mlnx_plugin.MellanoxEswitchPlugin</para></td>
+      </tr>
+      <tr>
+        <td><para>MetaPlugin</para></td>
+        <td><para>neutron.plugins.metaplugin.meta_neutron_plugin.MetaPluginV2</para></td>
+      </tr>
+      <tr>
+        <td><para>Midonet</para></td>
+        <td><para>neutron.plugins.midonet.plugin.MidonetPluginV2</para></td>
+      </tr>
+      <tr>
+        <td><para>ml2</para></td>
+        <td><para>neutron.plugins.ml2.plugin.Ml2Plugin</para></td>
+      </tr>
+      <tr>
+        <td><para>Nec</para></td>
+        <td><para>neutron.plugins.nec.nec_plugin.NECPluginV2</para></td>
+      </tr>
+      <tr>
+        <td><para>OpenVSwitch</para></td>
+        <td><para>neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2</para></td>
+      </tr>
+      <tr>
+        <td><para>PLUMgrid</para></td>
+        <td><para>neutron.plugins.plumgrid.plumgrid_nos_plugin.plumgrid_plugin.NeutronPluginPLUMgridV2</para></td>
+      </tr>
+      <tr>
+        <td><para>RYU</para></td>
+        <td><para>neutron.plugins.ryu.ryu_neutron_plugin.RyuNeutronPluginV2</para></td>
+      </tr>
+    </tbody>
+  </table>
+  <para os="debian">Depending on the value of
+      <parameter>core_plugin</parameter>, the start-up scripts start
+    the daemons by using the corresponding plug-in configuration file
+    directly. For example, if you selected the Open vSwitch plug-in,
+      <code>neutron-server</code> automatically launches with
+
+FIXME Removed a double-hyphen here.
+
+      <parameter>config-file
+      /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</parameter>.</para>
+  <para os="debian">The <package>neutron-common</package> package also
+    prompts you for the default network configuration:</para>
+  <informalfigure os="debian">
+    <mediaobject>
+      <imageobject>
+        <imagedata scale="50"
+          fileref="figures/debconf-screenshots/neutron_2_networking_type.png"
+        />
+      </imageobject>
+    </mediaobject>
+  </informalfigure>
+  <informalfigure os="debian">
+    <mediaobject>
+      <imageobject>
+        <imagedata scale="50"
+          fileref="figures/debconf-screenshots/neutron_3_hypervisor_ip.png"
+        />
+      </imageobject>
+    </mediaobject>
+  </informalfigure>
+  </procedure>
+-->
+  <procedure>
+  <para os="rhel;centos;fedora;opensuse;sles;ubuntu">Before you
+    configure individual nodes for Networking, you must create the
+    required OpenStack components: user, service, database, and one or
+    more endpoints. After you complete these steps on the controller
+    node, follow the instructions in this guide to set up OpenStack
+    Networking nodes.</para>
+    <step os="rhel;centos;fedora;opensuse;sles;ubuntu">
+      <!-- TODO(sross): change this to use `openstack-db` once it supports Neutron -->
+      <!-- TODO(sross): move this into its own section -->
+      <para>Use the password that you set previously to log in as root
+        and create a <literal>neutron</literal> database:</para>
+      <screen><prompt>#</prompt> <userinput>mysql -u root -p</userinput>
+<prompt>mysql></prompt> <userinput>CREATE DATABASE neutron;</userinput>
+<prompt>mysql></prompt> <userinput>GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
+IDENTIFIED BY '<replaceable>NEUTRON_DBPASS</replaceable>';</userinput>
+<prompt>mysql></prompt> <userinput>GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
+IDENTIFIED BY '<replaceable>NEUTRON_DBPASS</replaceable>';</userinput></screen>
+    </step>
+    <step os="rhel;centos;fedora;opensuse;sles;ubuntu">
+      <para>Create the required user, service, and endpoint so that
+        Networking can interface with the Identity Service.</para>
+      <para>Create a <literal>neutron</literal> user:</para>
+      <screen><prompt>#</prompt> <userinput>keystone user-create --name=neutron --pass=<replaceable>NEUTRON_PASS</replaceable> --email=<replaceable>neutron@example.com</replaceable></userinput></screen>
+      <para>Add the user role to the neutron user:</para>
+      <screen><prompt>#</prompt> <userinput>keystone user-role-add --user=neutron --tenant=service --role=admin</userinput></screen>
+      <para>Create the neutron service:</para>
+      <screen><prompt>#</prompt> <userinput>keystone service-create --name=neutron --type=network \
+     --description="OpenStack Networking Service"</userinput></screen>
+      <para>Create a Networking endpoint:</para>
+      <screen><prompt>#</prompt> <userinput>keystone endpoint-create \
+     --service-id $(keystone service-list | awk '/ network / {print $2}') \
+     --publicurl http://<replaceable>controller</replaceable>:9696 \
+     --adminurl http://<replaceable>controller</replaceable>:9696 \
+     --internalurl http://<replaceable>controller</replaceable>:9696</userinput></screen>
+    </step>
+      <step>
+        <para>Install the server component of Networking and any dependencies.</para>
+        <screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-server</userinput></screen>
+        <screen os="fedora;rhel;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron python-neutron python-neutronclient</userinput></screen>
+        <screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron python-neutron python-neutronclient</userinput></screen>
+      </step>
+      <step os="rhel;centos;fedora;opensuse;sles">
+          <para>Configure Networking to connect to the database:</para>
+          <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DATABASE sql_connection \
+   mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@controller/neutron</userinput></screen>
+      </step>
+      <step os="ubuntu;debian">
+        <para>Configure Networking to use your MySQL database. Edit the
+          <filename>/etc/neutron/neutron.conf</filename> file and add the
+          following key under the <literal>[database]</literal> section. Replace
+          <replaceable>NEUTRON_DBPASS</replaceable> with the password you
+          chose for the Neutron database.</para>
+        <programlisting language="ini">[database]
+...
+connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>/neutron</programlisting>
+      </step>
+      <step os="rhel;centos;fedora;opensuse;sles">
+          <para>Configure Networking to use <systemitem class="service">keystone</systemitem> for authentication:</para>
+          <substeps>
+              <step>
+                  <para>Set the <literal>auth_strategy</literal>
+                  configuration key to <literal>keystone</literal> in the
+                  <literal>DEFAULT</literal> section of the file:</para>
+                  <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone</userinput></screen>
+              </step>
+              <step>
+                  <para>Set the <systemitem class="service">neutron</systemitem> configuration for
+                      <systemitem class="service">keystone</systemitem> authentication:</para>
+                      <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+   auth_host <replaceable>controller</replaceable></userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+   auth_url http://<replaceable>controller</replaceable>:35357/v2.0</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+   admin_tenant_name service</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+   admin_user neutron</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+   admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
+              </step></substeps>
+      </step>
+      <step os="ubuntu;debian">
+        <para>Configure Networking to use <systemitem class="service">keystone</systemitem> as the Identity Service
+          for authentication.</para>
+        <substeps>
+          <step>
+            <para>Edit the
+              <filename>/etc/neutron/neutron.conf</filename> file and add the
+              following key under the <literal>[DEFAULT]</literal>
+              section.</para>
+            <programlisting language="ini">[DEFAULT]
+...
+auth_strategy = keystone</programlisting>
+            <para>Add the following keys under the
+              <literal>[keystone_authtoken]</literal> section. Replace
+              <replaceable>NEUTRON_PASS</replaceable> with the password you
+              chose for the Neutron user in Keystone.</para>
+            <programlisting language="ini">[keystone_authtoken]
+...
+auth_host = <replaceable>controller</replaceable>
+auth_port = 35357
+auth_protocol = http
+admin_tenant_name = service
+admin_user = neutron
+admin_password = <replaceable>NEUTRON_PASS</replaceable>
+auth_uri = http://<replaceable>controller</replaceable>:5000
+auth_url = http://<replaceable>controller</replaceable>:35357/v2.0
+            </programlisting>
+          </step>
+          <step>
+            <para>Edit the <filename>/etc/neutron/api-paste.ini</filename> file
+              and add the following keys under the
+              <literal>[filter:authtoken]</literal> section. Replace
+              <replaceable>NEUTRON_PASS</replaceable> with the password you
+              chose for the Neutron user in Keystone.</para>
+            <programlisting language="ini">[filter:authtoken]
+...
+paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
+admin_tenant_name = service
+admin_user = neutron
+admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
+          </step>
+        </substeps>
+      </step>
+      <step os="rhel;centos;fedora;opensuse;sles">
+          <para>Configure the <filename>/etc/neutron/api-paste.ini</filename> file for <systemitem class="service">keystone</systemitem>
+          authentication:</para>
+              <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
+   paste.filter_factory keystoneclient.middleware.auth_token:filter_factory</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
+   auth_host <replaceable>controller</replaceable></userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
+   admin_tenant_name service</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
+   admin_user neutron</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
+   admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
+      </step>
+      <step os="opensuse;sles">
+          <para>Configure access to the <application>RabbitMQ</application> service:</para>
+          <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   rpc_backend neutron.openstack.common.rpc.impl_kombu</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   rabbit_host controller</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   rabbit_userid guest</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   rabbit_password <replaceable>RABBIT_PASS</replaceable></userinput></screen>
+      </step>
+      <step os="rhel;centos;fedora">
+        <para>Configure access to the <application>Qpid</application> message queue:</para>
+            <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   rpc_backend neutron.openstack.common.rpc.impl_qpid</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   qpid_hostname <replaceable>controller</replaceable></userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   qpid_port 5672</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   qpid_username <replaceable>guest</replaceable></userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   qpid_password <replaceable>guest</replaceable></userinput></screen>
+      </step>
+      <step os="ubuntu;debian">
+        <para>Configure Networking to use your message broker. Edit the
+          <filename>/etc/neutron/neutron.conf</filename> file and add
+          the following keys under the <literal>[DEFAULT]</literal>
+          section.</para>
+        <para>Replace
+          <replaceable>RABBIT_PASS</replaceable> with the password you chose
+          for RabbitMQ.</para>
+       <programlisting language="ini">[DEFAULT]
+...
+rpc_backend = neutron.openstack.common.rpc.impl_kombu
+rabbit_host = <replaceable>controller</replaceable>
+rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
+      </step>
+      <step os="rhel;centos;fedora">
+        <para>Set the <literal>root_helper</literal> configuration in the
+          <literal>[agent]</literal> section of <filename>/etc/neutron/neutron.conf</filename>:</para>
+          <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf AGENT \
+   root_helper sudo neutron-rootwrap /etc/neutron/rootwrap.conf</userinput></screen>
+      </step>
+      <step>
+        <para>Although the controller node does not run any Networking agents,
+          you must install and configure the same plug-in that you configured
+          on the network node.</para>
+        <para><link linkend="install-neutron.install-plug-in-controller">
+          Install and configure the Networking plug-ins on a dedicated
+          controller node</link></para>
+      </step>
+      <step>
+      <para os="rhel;centos;fedora;opensuse;sles">Configure OpenStack Compute to use OpenStack Networking
+          services. Configure the <filename>/etc/nova/nova.conf</filename>
+          file as per instructions below:</para>
+      <screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+   network_api_class nova.network.neutronv2.api.API</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+   neutron_url http://<replaceable>controller</replaceable>:9696</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+   neutron_auth_strategy keystone</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+   neutron_admin_tenant_name service</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+   neutron_admin_username neutron</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+   neutron_admin_password <replaceable>NEUTRON_PASS</replaceable></userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+   neutron_admin_auth_url http://<replaceable>controller</replaceable>:35357/v2.0</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+   linuxnet_interface_driver nova.network.linux_net.LinuxOVSInterfaceDriver</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+   firewall_driver nova.virt.firewall.NoopFirewallDriver</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+   security_group_api neutron</userinput></screen>
+        <para os="ubuntu;debian">Configure OpenStack Compute to use OpenStack Networking
+          services. Edit the <filename>/etc/nova/nova.conf</filename>
+          file:</para>
+        <programlisting language="ini" os="ubuntu;debian">network_api_class=nova.network.neutronv2.api.API
+neutron_url=http://<replaceable>controller</replaceable>:9696
+neutron_auth_strategy=keystone
+neutron_admin_tenant_name=service
+neutron_admin_username=neutron
+neutron_admin_password=<replaceable>NEUTRON_PASS</replaceable>
+neutron_admin_auth_url=http://<replaceable>controller</replaceable>:35357/v2.0
+linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
+firewall_driver=nova.virt.firewall.NoopFirewallDriver
+security_group_api=neutron</programlisting>
+        <note>
+          <itemizedlist>
+            <listitem>
+              <para>Regardless of which firewall driver you chose when you
+              configured the network and compute nodes, set this driver
+              as the No-Op firewall. This firewall is a
+              <systemitem class="service">nova</systemitem> firewall,
+              and because  <systemitem class="service">neutron</systemitem>
+              handles the Firewall, you must tell <systemitem class="service">nova</systemitem>
+              not to use one.</para>
+              <para>When Networking handles the firewall, the option
+              <code>firewall_driver</code> should be set according to
+              the specified plug-in. For example with
+              <acronym>OVS</acronym>, edit the
+              <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
+              file:</para>
+              <programlisting language="ini" os="ubuntu;debian">[securitygroup]
+# Firewall driver for realizing neutron security group function.
+firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
+              <screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set \
+   /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini security_group \
+   neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</userinput></screen>
+            </listitem>
+            <listitem>
+               <para>If you do not want to use a firewall in Compute or
+               Networking, set
+               <code>firewall_driver=nova.virt.firewall.NoopFirewallDriver</code>
+               in both config files, and comment out or remove
+               <code>security_group_api=neutron</code> in the
+               <filename>/etc/nova/nova.conf</filename> file, otherwise
+               you may encounter <errortext>ERROR: The server has either
+               erred or is incapable of performing the requested
+               operation. (HTTP 500)</errortext> when issuing
+              <command>nova list</command> commands.</para>
+            </listitem>
+          </itemizedlist>
+        </note>
+      </step>
+      <step os="rhel;centos;fedora">
+        <para>The <systemitem class="service">neutron-server</systemitem>
+          initialization script expects a symbolic link
+          <filename>/etc/neutron/plugin.ini</filename> pointing to the
+          configuration file associated with your chosen plug-in. Using
+          Open vSwitch, for example, the symbolic link must point to
+          <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>.
+          If this symbolic link does not exist, create it using the
+          following commands:</para>
+        <screen><prompt>#</prompt> <userinput>cd /etc/neutron</userinput>
+<prompt>#</prompt> <userinput>ln -s plugins/openvswitch/ovs_neutron_plugin.ini plugin.ini</userinput></screen>
+      </step>
+      <step os="sles;opensuse">
+        <para>The <systemitem class="service">openstack-neutron</systemitem>
+          initialization script expects the variable
+          <literal>NEUTRON_PLUGIN_CONF</literal> in file
+          <filename>/etc/sysconfig/neutron</filename> to reference the
+          configuration file associated with your chosen plug-in. Using
+          Open vSwitch, for example, edit the
+          <filename>/etc/sysconfig/neutron</filename> file and add the
+          following:</para>
+        <programlisting>NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini"</programlisting>
+      </step>
+      <step os="ubuntu;debian">
+        <para>Restart the Compute and Networking services:</para>
+        <screen><prompt>#</prompt> <userinput>service nova-api restart</userinput>
+<prompt>#</prompt> <userinput>service nova-scheduler restart</userinput>
+<prompt>#</prompt> <userinput>service nova-conductor restart</userinput>
+<prompt>#</prompt> <userinput>service neutron-server restart</userinput></screen>
+      </step>
+      <step os="fedora;rhel;centos;opensuse;sles">
+        <para>Restart the Compute services:</para>
+        <screen><prompt>#</prompt> <userinput>service openstack-nova-api restart</userinput>
+<prompt>#</prompt> <userinput>service openstack-nova-scheduler restart</userinput>
+<prompt>#</prompt> <userinput>service openstack-nova-conductor restart</userinput></screen>
+      </step>
+      <step os="fedora;rhel;centos;opensuse;sles">
+        <para>Start the Networking service and configure it to start when the
+          system boots:</para>
+        <screen os="fedora;rhel;centos"><prompt>#</prompt> <userinput>service neutron-server start</userinput>
+<prompt>#</prompt> <userinput>chkconfig neutron-server on</userinput></screen>
+        <screen os="opensuse;sles"><prompt>#</prompt> <userinput>service openstack-neutron start</userinput>
+<prompt>#</prompt> <userinput>chkconfig openstack-neutron on</userinput></screen>
+      </step>
+    </procedure>
+    <section xml:id="install-neutron.install-plug-in-controller">
+      <title>Install and configure the Neutron plug-ins on a dedicated
+        controller node</title>
+      <section xml:id="install-neutron.install-plug-in-controller.ovs">
+        <title>Install the Open vSwitch (OVS) plug-in on a dedicated
+          controller node</title>
+        <procedure>
+          <step>
+            <para>Install the Open vSwitch plug-in:</para>
+            <screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch</userinput></screen>
+            <screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron-openvswitch</userinput></screen>
+            <screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
+          </step>
+          <step>
+            <para>You must set some common configuration options no
+              matter which networking technology you choose to use
+              with Open vSwitch. You must configure Networking core to
+              use <acronym>OVS</acronym>. Edit the
+                <filename>/etc/neutron/neutron.conf</filename>
+              file:</para>
+            <programlisting language="ini">core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2</programlisting>
+          </step>
+          <step>
+            <para>Configure the <acronym>OVS</acronym> plug-in for the
+              networking type that you chose when you configured the
+              network node: <link
+                linkend="install-neutron.install-plug-in-controller.ovs.gre"
+                >GRE tunneling</link> or <link
+                linkend="install-neutron.install-plug-in-controller.ovs.vlan"
+                >VLANs</link>.</para>
+            <!-- TODO(sross): support provider networks?  you need to modify things above for this to work -->
+            <note>
+              <para>The dedicated controller node does not need to run
+                Open vSwitch or the Open vSwitch agent.</para>
+            </note>
+          </step>
+          <step>
+            <para>Now, return to the general <acronym>OVS</acronym>
+              instructions.</para>
+          </step>
+        </procedure>
+        <section
+          xml:id="install-neutron.install-plug-in-controller.ovs.gre">
+          <title>Configure the Neutron <acronym>OVS</acronym> plug-in
+            for GRE tunneling on a dedicated controller node</title>
+          <procedure>
+            <step>
+              <para>Tell the <acronym>OVS</acronym> plug-in to use GRE
+                tunneling. Edit the
+                  <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
+                file:</para>
+              <programlisting language="ini">[ovs]
+tenant_network_type = gre
+tunnel_id_ranges = 1:1000
+enable_tunneling = True</programlisting>
+            </step>
+            <step>
+              <para>Return to the general <acronym>OVS</acronym>
+                instructions.</para>
+            </step>
+          </procedure>
+        </section>
+        <section
+          xml:id="install-neutron.install-plug-in-controller.ovs.vlan">
+          <title>Configure the Neutron <acronym>OVS</acronym> plug-in
+            for VLANs on a dedicated controller node</title>
+          <procedure>
+            <step>
+              <para>Tell <acronym>OVS</acronym> to use VLANS. Edit the
+                  <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
+                file, as follows:</para>
+              <programlisting language="ini">[ovs]
+tenant_network_type = vlan
+network_vlan_ranges = physnet1:1:4094</programlisting>
+            </step>
+            <step>
+              <para>Return to the general <acronym>OVS</acronym>
+                instructions.</para>
+            </step>
+          </procedure>
+        </section>
+      </section>
+    </section>
+  </section>
diff --git a/doc/install-guide/section_neutron-initial-networks.xml b/doc/install-guide/section_neutron-initial-networks.xml
new file mode 100644
index 0000000000..f34c009ebf
--- /dev/null
+++ b/doc/install-guide/section_neutron-initial-networks.xml
@@ -0,0 +1,168 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<section xml:id="neutron-initial-networks"
+  xmlns="http://docbook.org/ns/docbook"
+  xmlns:xi="http://www.w3.org/2001/XInclude"
+  xmlns:xlink="http://www.w3.org/1999/xlink"
+  xmlns:svg="http://www.w3.org/2000/svg"
+  xmlns:html="http://www.w3.org/1999/xhtml" version="5.0">
+    <title>Create initial networks</title>
+    <note>
+      <para>In these sections, replace
+          <replaceable>SPECIAL_OPTIONS</replaceable> with any options
+        specific to your Networking plug-in choices. See <link
+          linkend="install-neutron.configure-networks.plug-in-specific"
+          >here</link> to check if your plug-in requires any special
+        options.</para>
+    </note>
+    <procedure>
+      <step>
+        <para>Create the <literal>ext-net</literal> external network.
+          This network represents a slice of the outside world. VMs
+          are not directly linked to this network; instead, they
+          connect to internal networks. Outgoing traffic is routed by
+          Neutron to the external network. Additionally, floating IP
+          addresses from the subnet for <literal>ext-net</literal>
+          might be assigned to VMs so that the external network can
+          contact them. Neutron routes the traffic
+          appropriately.</para>
+        <screen><prompt>#</prompt> <userinput>neutron net-create ext-net --router:external=True <replaceable>SPECIAL_OPTIONS</replaceable></userinput></screen>
+      </step>
+      <step>
+        <para>Create the associated subnet with the same gateway and
+          CIDR as <replaceable>EXTERNAL_INTERFACE</replaceable>. It
+          does not have DHCP because it represents a slice of the
+          external world:</para>
+        <screen><prompt>#</prompt> <userinput>neutron subnet-create ext-net \
+  --allocation-pool start=<replaceable>FLOATING_IP_START</replaceable>,end=<replaceable>FLOATING_IP_END</replaceable> \
+  --gateway=<replaceable>EXTERNAL_INTERFACE_GATEWAY</replaceable> --enable_dhcp=False \
+  <replaceable>EXTERNAL_INTERFACE_CIDR</replaceable></userinput></screen>
+      </step>
+      <step>
+        <para>Create one or more initial tenants, for example:</para>
+        <screen><prompt>#</prompt> <userinput>keystone tenant-create --name <replaceable>DEMO_TENANT</replaceable></userinput></screen>
+        <para os="rhel;centos;fedora;opensuse;sles;ubuntu"> See <xref
+            linkend="keystone-users"/> for further details.</para>
+        <para os="debian"> See <xref linkend="keystone-install"/> for
+          further details.</para>
+      </step>
+      <step>
+        <para>Create the router attached to the external network. This
+          router routes traffic to the internal subnets as
+          appropriate. You can create it under a given tenant: Append
+            <literal>--tenant-id</literal> option with a value of
+            <replaceable>DEMO_TENANT_ID</replaceable> to the
+          command.</para>
+        <para>Use the following to quickly get the
+            <replaceable>DEMO_TENANT</replaceable> tenant-id:</para>
+        <screen><prompt>#</prompt> <userinput>keystone tenant-list | grep <replaceable>DEMO_TENANT</replaceable> | awk '{print $2;}'</userinput></screen>
+        <para>Then create the router:</para>
+        <screen><prompt>#</prompt> <userinput>neutron router-create ext-to-int --tenant-id <replaceable>DEMO_TENANT_ID</replaceable></userinput></screen>
+      </step>
+      <step>
+        <para>Connect the router to <literal>ext-net</literal> by
+          setting the gateway for the router as
+            <literal>ext-net</literal>:</para>
+        <screen><prompt>#</prompt> <userinput>neutron router-gateway-set <replaceable>EXT_TO_INT_ID</replaceable> <replaceable>EXT_NET_ID</replaceable></userinput></screen>
+      </step>
+      <step>
+        <para>Create an internal network for
+            <replaceable>DEMO_TENANT</replaceable> (and associated
+          subnet over an arbitrary internal IP range, such as,
+            <literal>10.5.5.0/24</literal>), and connect it to the
+          router by setting it as a port:</para>
+        <screen><prompt>#</prompt> <userinput>neutron net-create --tenant-id <replaceable>DEMO_TENANT_ID</replaceable> demo-net <replaceable>SPECIAL_OPTIONS</replaceable></userinput>
+<prompt>#</prompt> <userinput>neutron subnet-create --tenant-id <replaceable>DEMO_TENANT_ID</replaceable> demo-net 10.5.5.0/24 --gateway 10.5.5.1</userinput>
+<prompt>#</prompt> <userinput>neutron router-interface-add <replaceable>EXT_TO_INT_ID</replaceable> <replaceable>DEMO_NET_SUBNET_ID</replaceable></userinput></screen>
+      </step>
+      <step>
+        <para>Check the special options page for your plug-in for
+          remaining steps. Now, return to the general
+            <acronym>OVS</acronym> instructions.</para>
+      </step>
+    </procedure>
+    <section
+      xml:id="install-neutron.configure-networks.plug-in-specific">
+      <title>Plug-in-specific Neutron network options</title>
+      <section
+        xml:id="install-neutron.configure-networks.plug-in-specific.ovs">
+        <title>Open vSwitch Network configuration options</title>
+        <section
+          xml:id="install-neutron.configure-networks.plug-in-specific.ovs.gre">
+          <title>GRE tunneling network options</title>
+          <note>
+            <para>While this guide currently enables network
+              namespaces by default, you can disable them if you have
+              issues or your kernel does not support them. If you
+              disabled namespaces, you must perform some additional
+              configuration for the L3 agent.</para>
+            <para>After you create all the networks, tell the L3 agent
+              what the external network ID is, as well as the ID of
+              the router associated with this machine (because you are
+              not using namespaces, there can be only one router for
+              each machine). To do this, edit the
+                <filename>/etc/neutron/l3_agent.ini</filename>
+              file:</para>
+            <programlisting language="ini">gateway_external_network_id = <replaceable>EXT_NET_ID</replaceable>
+router_id = <replaceable>EXT_TO_INT_ID</replaceable></programlisting>
+            <para>Then, restart the L3 agent:</para>
+            <screen><prompt>#</prompt> <userinput>service neutron-l3-agent restart</userinput></screen>
+          </note>
+          <para>When creating networks, you should use the
+            options:</para>
+          <screen><userinput>--provider:network_type gre --provider:segmentation_id SEG_ID</userinput></screen>
+          <para><replaceable>SEG_ID</replaceable> should be
+              <literal>2</literal> for the external network, and just
+            any unique number inside the tunnel range specified before
+            for any other network.</para>
+          <note>
+            <para>These options are not needed beyond the first
+              network, as Neutron automatically increments the
+              segmentation id and copy the network type option for any
+              additional networks.</para>
+          </note>
+          <para>Now, return to the general <acronym>OVS</acronym>
+            instructions.</para>
+        </section>
+        <section
+          xml:id="install-neutron.configure-networks.plug-in-specific.ovs.vlan">
+          <title>VLAN network options</title>
+          <para>When creating networks, use these options:</para>
+          <screen><userinput>--provider:network_type vlan --provider:physical_network physnet1 --provider:segmentation_id SEG_ID</userinput>         </screen>
+          <para><replaceable>SEG_ID</replaceable> should be
+              <literal>2</literal> for the external network, and just
+            any unique number inside the vlan range specified above
+            for any other network.</para>
+          <note>
+            <para>These options are not needed beyond the first
+              network, as Neutron automatically increments the
+              segmentation ID and copies the network type and physical
+              network options for any additional networks. They are
+              only needed if you wish to modify those values in any
+              way.</para>
+          </note>
+          <warning>
+            <para>Some NICs have Linux drivers that do not handle
+              VLANs properly. See the
+                <literal>ovs-vlan-bug-workaround</literal> and
+                <literal>ovs-vlan-test</literal> man pages for more
+              information. Additionally, you might try turning off
+                <literal>rx-vlan-offload</literal> and
+                <literal>tx-vlan-offload</literal> by using
+                <literal>ethtool</literal> on the
+                <replaceable>DATA_INTERFACE</replaceable>. Another
+              potential caveat to VLAN functionality is that VLAN tags
+              add an additional 4 bytes to the packet size. If your
+              NICs cannot handle large packets, make sure to set the
+              MTU to a value that is 4 bytes less than the normal
+              value on the
+              <replaceable>DATA_INTERFACE</replaceable>.</para>
+            <para>If you run OpenStack inside a virtualized
+              environment (for testing purposes), switching to the
+                <literal>virtio</literal> NIC type (or a similar
+              technology if you are not using KVM/QEMU to run your
+              host VMs) might solve the issue.</para>
+          </warning>
+        </section>
+      </section>
+    </section>
+  </section>
diff --git a/doc/install-guide/section_neutron-install.xml b/doc/install-guide/section_neutron-install.xml
deleted file mode 100644
index 622a07743e..0000000000
--- a/doc/install-guide/section_neutron-install.xml
+++ /dev/null
@@ -1,1731 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<section xml:id="neutron-install-network-node"
-  xmlns="http://docbook.org/ns/docbook"
-  xmlns:xi="http://www.w3.org/2001/XInclude"
-  xmlns:xlink="http://www.w3.org/1999/xlink"
-  xmlns:svg="http://www.w3.org/2000/svg"
-  xmlns:html="http://www.w3.org/1999/xhtml" version="5.0">
-  <title>Install Networking services</title>
-  <para os="debian">When you install a Networking node, you must
-    configure it for API endpoints, RabbitMQ,
-      <code>keystone_authtoken</code>, and the database. Use
-      <package>debconf</package> to configure these values.</para>
-  <para os="debian">When you install a Networking package,
-      <package>debconf</package> prompts you to choose configuration
-    options including which plug-in to use, as follows:</para>
-  <informalfigure os="debian">
-    <mediaobject>
-      <imageobject>
-        <imagedata scale="50"
-          fileref="figures/debconf-screenshots/neutron_1_plugin_selection.png"
-        />
-      </imageobject>
-    </mediaobject>
-  </informalfigure>
-  <para os="debian">This parameter sets the
-      <parameter>core_plugin</parameter> option value in the
-      <filename>/etc/neutron/neutron.conf</filename> file.</para>
-  <note os="debian">
-    <para>When you install the <package>neutron-common</package>
-      package, all plug-ins are installed by default.</para>
-  </note>
-  <para os="debian">This table lists the values for the
-      <parameter>core_plugin</parameter> option. These values depend
-    on your response to the <package>debconf</package> prompt.</para>
-  <table rules="all" os="debian">
-    <caption>Plug-ins and the core_plugin option</caption>
-    <thead>
-      <tr>
-        <th>Plug-in</th>
-        <th>core_plugin value in
-          <filename>neutron.conf</filename></th>
-      </tr>
-    </thead>
-    <tbody>
-      <tr>
-        <td><para>BigSwitch</para></td>
-        <td><para>neutron.plugins.bigswitch.plugin.NeutronRestProxyV2</para></td>
-      </tr>
-      <tr>
-        <td><para>Brocade</para></td>
-        <td><para>neutron.plugins.brocade.NeutronPlugin.BrocadePluginV2</para></td>
-      </tr>
-      <tr>
-        <td><para>Cisco</para></td>
-        <td><para>neutron.plugins.cisco.network_plugin.PluginV2</para></td>
-      </tr>
-      <tr>
-        <td><para>Hyper-V</para></td>
-        <td><para>neutron.plugins.hyperv.hyperv_neutron_plugin.HyperVNeutronPlugin</para></td>
-      </tr>
-      <tr>
-        <td><para>LinuxBridge</para></td>
-        <td><para>neutron.plugins.linuxbridge.lb_neutron_plugin.LinuxBridgePluginV2</para></td>
-      </tr>
-      <tr>
-        <td><para>Mellanox</para></td>
-        <td><para>neutron.plugins.mlnx.mlnx_plugin.MellanoxEswitchPlugin</para></td>
-      </tr>
-      <tr>
-        <td><para>MetaPlugin</para></td>
-        <td><para>neutron.plugins.metaplugin.meta_neutron_plugin.MetaPluginV2</para></td>
-      </tr>
-      <tr>
-        <td><para>Midonet</para></td>
-        <td><para>neutron.plugins.midonet.plugin.MidonetPluginV2</para></td>
-      </tr>
-      <tr>
-        <td><para>ml2</para></td>
-        <td><para>neutron.plugins.ml2.plugin.Ml2Plugin</para></td>
-      </tr>
-      <tr>
-        <td><para>Nec</para></td>
-        <td><para>neutron.plugins.nec.nec_plugin.NECPluginV2</para></td>
-      </tr>
-      <tr>
-        <td><para>OpenVSwitch</para></td>
-        <td><para>neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2</para></td>
-      </tr>
-      <tr>
-        <td><para>PLUMgrid</para></td>
-        <td><para>neutron.plugins.plumgrid.plumgrid_nos_plugin.plumgrid_plugin.NeutronPluginPLUMgridV2</para></td>
-      </tr>
-      <tr>
-        <td><para>RYU</para></td>
-        <td><para>neutron.plugins.ryu.ryu_neutron_plugin.RyuNeutronPluginV2</para></td>
-      </tr>
-    </tbody>
-  </table>
-  <para os="debian">Depending on the value of
-      <parameter>core_plugin</parameter>, the start-up scripts start
-    the daemons by using the corresponding plug-in configuration file
-    directly. For example, if you selected the Open vSwitch plug-in,
-      <code>neutron-server</code> automatically launches with
-      <parameter>--config-file
-      /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</parameter>.</para>
-  <para os="debian">The <package>neutron-common</package> package also
-    prompts you for the default network configuration:</para>
-  <informalfigure os="debian">
-    <mediaobject>
-      <imageobject>
-        <imagedata scale="50"
-          fileref="figures/debconf-screenshots/neutron_2_networking_type.png"
-        />
-      </imageobject>
-    </mediaobject>
-  </informalfigure>
-  <informalfigure os="debian">
-    <mediaobject>
-      <imageobject>
-        <imagedata scale="50"
-          fileref="figures/debconf-screenshots/neutron_3_hypervisor_ip.png"
-        />
-      </imageobject>
-    </mediaobject>
-  </informalfigure>
-  <para os="rhel;centos;fedora;opensuse;sles;ubuntu">Before you
-    configure individual nodes for Networking, you must create the
-    required OpenStack components: user, service, database, and one or
-    more endpoints. After you complete these steps on the controller
-    node, follow the instructions in this guide to set up OpenStack
-    Networking nodes.</para>
-  <procedure os="rhel;centos;fedora;opensuse;sles;ubuntu">
-    <step>
-      <!-- TODO(sross): change this to use `openstack-db` once it supports Neutron -->
-      <!-- TODO(sross): move this into its own section -->
-      <para>Use the password that you set previously to log in as root
-        and create a <literal>neutron</literal> database:</para>
-      <screen><prompt>#</prompt> <userinput>mysql -u root -p</userinput>
-<prompt>mysql></prompt> <userinput>CREATE DATABASE neutron;</userinput>
-<prompt>mysql></prompt> <userinput>GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
-IDENTIFIED BY '<replaceable>NEUTRON_DBPASS</replaceable>';</userinput>
-<prompt>mysql></prompt> <userinput>GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
-IDENTIFIED BY '<replaceable>NEUTRON_DBPASS</replaceable>';</userinput></screen>
-    </step>
-    <step>
-      <para>Create the required user, service, and endpoint so that
-        Networking can interface with the Identity Service.</para>
-      <para>Create a <literal>neutron</literal> user:</para>
-      <screen><prompt>#</prompt> <userinput>keystone user-create --name=neutron --pass=<replaceable>NEUTRON_PASS</replaceable> --email=<replaceable>neutron@example.com</replaceable></userinput></screen>
-      <para>Add the user role to the neutron user:</para>
-      <screen><prompt>#</prompt> <userinput>keystone user-role-add --user=neutron --tenant=service --role=admin</userinput></screen>
-      <para>Create the neutron service:</para>
-      <screen><prompt>#</prompt> <userinput>keystone service-create --name=neutron --type=network \
-     --description="OpenStack Networking Service"</userinput></screen>
-      <para>Create a Networking endpoint:</para>
-      <screen><prompt>#</prompt> <userinput>keystone endpoint-create \
-     --service-id $(keystone service-list | awk '/ network / {print $2}') \
-     --publicurl http://<replaceable>controller</replaceable>:9696 \
-     --adminurl http://<replaceable>controller</replaceable>:9696 \
-     --internalurl http://<replaceable>controller</replaceable>:9696</userinput></screen>
-    </step>
-  </procedure>
-  <section xml:id="neutron-install.dedicated-network-node">
-    <title>Install Networking services on a dedicated network
-      node</title>
-    <note>
-      <para>Before you start, set up a machine as a dedicated network
-        node. Dedicated network nodes have a
-          <replaceable>MGMT_INTERFACE</replaceable> NIC, a
-          <replaceable>DATA_INTERFACE</replaceable> NIC, and a
-          <replaceable>EXTERNAL_INTERFACE</replaceable> NIC.</para>
-      <para>The management network handles communication among nodes.
-        The data network handles communication coming to and from VMs.
-        The external NIC connects the network node, and optionally to
-        the controller node, so your VMs can connect to the outside
-        world.</para>
-      <para>All NICs must have static IPs. However, the data and
-        external NICs have a special set up. For details about
-        Networking plug-ins, see <xref
-          linkend="install-neutron.install-plug-in"/>.</para>
-    </note>
-    <warning os="rhel;centos">
-      <para>By default, the <literal>system-config-firewall</literal>
-        automated firewall configuration tool is in place on RHEL.
-        This graphical interface (and a curses-style interface with
-          <literal>-tui</literal> on the end of the name) enables you
-        to configure IP tables as a basic firewall. You should disable
-        it when you work with Networking unless you are familiar with
-        the underlying network technologies, as, by default, it blocks
-        various types of network traffic that are important to
-        Networking. To disable it, simply launch the program and clear
-        the <guilabel>Enabled</guilabel> check box.</para>
-      <para>After you successfully set up OpenStack Networking, you
-        can re-enable and configure the tool. However, during
-        Networking set up, disable the tool to make it easier to debug
-        network issues.</para>
-    </warning>
-    <procedure>
-      <step>
-        <para>Install the Networking packages and any dependencies.
-          </para>
-        <screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-dhcp-agent neutron-l3-agent</userinput></screen>
-        <screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-neutron</userinput></screen>
-        <screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron openstack-neutron-l3-agent \
-   openstack-neutron-dhcp-agent openstack-neutron-metadata-agent</userinput></screen>
-      </step>
-      <step os="debian">
-        <para>Respond to prompts for <link
-            linkend="debconf-dbconfig-common">database
-            management</link>, <link
-            linkend="debconf-keystone_authtoken"
-              ><literal>[keystone_authtoken]</literal>
-          settings</link>, <link linkend="debconf-rabbitqm">RabbitMQ
-            credentials</link> and <link
-            linkend="debconf-api-endpoints">API endpoint</link>
-          registration.</para>
-      </step>
-      <step os="rhel;centos;fedora;opensuse;sles">
-        <para>Configure basic Networking-related services to start at
-          boot time:</para>
-        <screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>for s in neutron-{dhcp,metadata,l3}-agent; do chkconfig $s on; done</userinput></screen>
-        <screen os="opensuse;sles"><prompt>#</prompt> <userinput>for s in openstack-neutron-{dhcp,metadata,l3}-agent; do chkconfig $s on; done</userinput></screen>
-      </step>
-      <step>
-        <para>Enable packet forwarding and disable packet destination
-          filtering so that the network node can coordinate traffic
-          for the VMs. Edit the <filename>/etc/sysctl.conf</filename>
-          file, as follows:</para>
-        <programlisting language="ini">net.ipv4.ip_forward=1
-net.ipv4.conf.all.rp_filter=0
-net.ipv4.conf.default.rp_filter=0</programlisting>
-        <para>Use the <command>sysctl</command> command to ensure the
-          changes made to the <filename>/etc/sysctl.conf</filename>
-          file take effect:</para>
-        <screen><prompt>#</prompt> <userinput>sysctl -p</userinput></screen>
-        <note>
-          <para>It is recommended that the networking service is
-            restarted after changing values related to the networking
-            configuration. This ensures that all modified values take
-            effect immediately:</para>
-          <screen os="ubuntu"><prompt>#</prompt> <userinput>service networking restart</userinput></screen>
-          <screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>service network restart</userinput></screen>
-        </note>
-      </step>
-      <step os="rhel;centos;fedora;opensuse;sles">
-          <para>Configure Networking to use <systemitem class="service">keystone</systemitem> for authentication:</para>
-          <substeps>
-              <step>
-                  <para>Set the <literal>auth_strategy</literal>
-                  configuration key to <literal>keystone</literal> in the
-                  <literal>DEFAULT</literal> section of the file:</para>
-                  <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone</userinput></screen>
-              </step>
-              <step>
-                  <para>Set the <systemitem class="service">neutron</systemitem> configuration for
-                      <systemitem class="service">keystone</systemitem> authentication:</para>
-                      <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
-   auth_port 35357</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
-   auth_protocol http</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
-   admin_tenant_name service</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
-   admin_user neutron</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
-   admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
-              </step></substeps>
-      </step>
-      <step os="ubuntu">
-        <para>To configure <systemitem class="service">neutron</systemitem> to use <systemitem class="service">keystone</systemitem>
-            for authentication, edit the <filename>/etc/neutron/neutron.conf</filename>file.</para>
-        <substeps>
-          <step>
-            <para>Set the <literal>auth_strategy</literal>
-              configuration key to <literal>keystone</literal> in the
-                <literal>DEFAULT</literal> section of the file:</para>
-            <programlisting language="ini">auth_strategy = keystone</programlisting>
-          </step>
-          <step>
-            <para>Add these lines to the
-                <literal>keystone_authtoken</literal> section of the
-              file:</para>
-            <programlisting language="ini">auth_host = <replaceable>controller</replaceable>
-auth_port = 35357
-auth_protocol = http
-admin_tenant_name = service
-admin_user = neutron
-admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
-          </step>
-        </substeps>
-      </step>
-      <step os="rhel;centos;fedora">
-        <para>Set the <literal>root_helper</literal> configuration in the
-          <literal>[agent]</literal> section of <filename>/etc/neutron/neutron.conf</filename>:</para>
-          <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf AGENT \
-   root_helper sudo neutron-rootwrap /etc/neutron/rootwrap.conf</userinput></screen>
-      </step>
-      <step os="opensuse;sles">
-          <para>Configure access to the <application>RabbitMQ</application> service:</para>
-          <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   rpc_backend neutron.openstack.common.rpc.impl_kombu</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   rabbit_host controller</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   rabbit_userid guest</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   rabbit_password <replaceable>RABBIT_PASS</replaceable></userinput></screen>
-      </step>
-      <step os="ubuntu">
-        <para>Configure the <application>RabbitMQ</application> access. Edit the
-            <filename>/etc/neutron/neutron.conf</filename> file to
-          modify the following parameters in the
-            <literal>DEFAULT</literal> section.</para>
-        <programlisting language="ini">rabbit_host = controller
-rabbit_userid = guest
-rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
-      </step>
-      <step os="rhel;centos;fedora">
-        <para>Configure access to the <application>Qpid</application> message queue:</para>
-            <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   rpc_backend neutron.openstack.common.rpc.impl_qpid</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   qpid_hostname <replaceable>controller</replaceable></userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   qpid_port 5672</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   qpid_username <replaceable>guest</replaceable></userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   qpid_password <replaceable>guest</replaceable></userinput></screen>
-      </step>
-      <step os="rhel;centos;fedora;opensuse;sles">
-          <para>Configure Networking to connect to the database:</para>
-          <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DATABASE sql_connection \
-   mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@controller/neutron</userinput></screen>
-      </step>
-      <step os="ubuntu">
-        <para>Configure Networking to connect to the database. Edit
-          the <literal>[database]</literal> section in the same file,
-          as follows:</para>
-        <programlisting language="ini">[database]
-connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>/neutron</programlisting>
-      </step>
-      <step os="rhel;centos;fedora;opensuse;sles">
-          <para>Configure the <filename>/etc/neutron/api-paste.ini</filename> file for <systemitem class="service">keystone</systemitem>
-          authentication:</para>
-              <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
-   paste.filter_factory keystoneclient.middleware.auth_token:filter_factory</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
-   auth_host <replaceable>controller</replaceable></userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
-   auth_uri http://<replaceable>controller</replaceable>:5000</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
-   admin_tenant_name service</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
-   admin_user neutron</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
-   admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
-      </step>
-      <step os="ubuntu">
-        <para>Edit the <filename>/etc/neutron/api-paste.ini</filename>
-          file and add these lines to the
-            <literal>[filter:authtoken]</literal> section:</para>
-        <programlisting language="ini">[filter:authtoken]
-paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
-auth_host = <replaceable>controller</replaceable>
-auth_uri = http://<replaceable>controller</replaceable>:5000
-admin_tenant_name = service
-admin_user = neutron
-admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
-        <warning>
-          <para><literal>keystoneclient.middleware.auth_token</literal>:
-            You must configure <literal>auth_uri</literal> to point to
-            the public identity endpoint. Otherwise, clients might not
-            be able to authenticate against an admin endpoint.</para>
-        </warning>
-      </step>
-      <step os="debian">
-        <para>Configure your network plug-in. For instructions, see
-            <link linkend="install-neutron.install-plug-in"
-            >instructions</link>. Then, return here.</para>
-      </step>
-      <step os="rhel;centos;fedora;opensuse;sles;ubuntu">
-        <para>Install and configure a networking plug-in. OpenStack
-          Networking uses this plug-in to perform software-defined
-          networking. See <xref linkend="install-neutron.install-plug-in"/>
-          for further details. Then, return here when finished.</para>
-      </step>
-    </procedure>
-    <para>Now that you've installed and configured a plug-in, it is time to configure
-        the remaining parts of OpenStack Networking.</para>
-    <procedure>
-      <step>
-        <para>To perform DHCP on the software-defined networks,
-          Networking supports several different plug-ins. However, in
-          general, you use the <application>dnsmasq</application> plug-in.</para>
-        <para>Configure the
-            <filename>/etc/neutron/dhcp_agent.ini</filename>
-          file:</para>
-        <programlisting language="ini" os="ubuntu;debian">dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq</programlisting>
-        <screen os="rhel;centos;fedora;opensuse;sles">
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT \
-   dhcp_driver neutron.agent.linux.dhcp.Dnsmasq</userinput></screen>
-      </step>
-      <step>
-        <para>To allow virtual machines to access the Compute metadata
-          information, the Networking metadata agent must be enabled
-          and configured. The agent will act as a proxy for the
-          Compute metadata service.</para>
-        <para>On the controller, edit the
-            <filename>/etc/nova/nova.conf</filename> file to define a
-          secret key that will be shared between the Compute Service
-          and the Networking metadata agent.</para>
-        <para os="debian;ubuntu">Add to the
-            <literal>[DEFAULT]</literal> section:</para>
-        <programlisting os="ubuntu;debian" language="ini">[DEFAULT]
-neutron_metadata_proxy_shared_secret = <replaceable>METADATA_PASS</replaceable>
-service_neutron_metadata_proxy = true</programlisting>
-        <para os="opensuse;sles;rhel;centos;fedora">Set the
-            <literal>neutron_metadata_proxy_shared_secret</literal>
-          key:</para>
-        <screen os="opensuse;sles;rhel;centos;fedora"><prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-    neutron_metadata_proxy_shared_secret <replaceable>METADATA_PASS</replaceable></userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-    service_neutron_metadata_proxy true</userinput></screen>
-        <para>Restart the <systemitem class="service"
-            >nova-api</systemitem> service:</para>
-        <screen os="debian;ubuntu"><prompt>#</prompt> <userinput>service nova-api restart</userinput></screen>
-        <screen os="centos;rhel;fedora;opensuse;sles"><prompt>#</prompt> <userinput>service openstack-nova-api restart</userinput></screen>
-        <para>On the network node, modify the metadata agent
-          configuration.</para>
-        <para os="debian;ubuntu">Edit the
-            <filename>/etc/neutron/metadata_agent.ini</filename> file
-          and modify the <literal>[DEFAULT]</literal> section:</para>
-        <programlisting os="debian;ubuntu" language="ini">[DEFAULT]
-auth_url = http://controller:5000/v2.0
-auth_region = regionOne
-admin_tenant_name = service
-admin_user = neutron
-admin_password = <replaceable>NEUTRON_PASS</replaceable>
-nova_metadata_ip = controller
-metadata_proxy_shared_secret = <replaceable>METADATA_PASS</replaceable></programlisting>
-        <para os="opensuse;sles;rhel;centos;fedora">Set the required
-          keys:</para>
-        <screen os="opensuse;sles;rhel;centos;fedora"><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
-    auth_url http://controller:5000/v2.0</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
-    auth_region regionOne</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
-    admin_tenant_name service</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
-    admin_user neutron</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
-    admin_password <replaceable>NEUTRON_PASS</replaceable></userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
-    nova_metadata_ip controller</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
-    metadata_proxy_shared_secret <replaceable>METADATA_PASS</replaceable></userinput></screen>
-        <note>
-          <para>The value of <literal>auth_region</literal> is
-            case-sensitive and must match the endpoint region defined
-            in Keystone.</para>
-        </note>
-        <note>
-          <para>If you serve the OpenStack Networking API over HTTPS with
-            self-signed certificates, you must perform additional configuration
-            for the metadata agent because Networking cannot validate the SSL
-            certificates from the service catalog.</para>
-          <para os="debian;ubuntu">Add this statement to the <literal>[DEFAULT]</literal> section:</para>
-          <programlisting os="debian;ubuntu" language="ini">
-neutron_insecure = True
-          </programlisting>
-          <para os="opensuse;sles;rhel;centos;fedora">Set the required keys:</para>
-          <screen os="opensuse;sles;rhel;centos;fedora"><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT neutron_insecure True</userinput></screen>
-        </note>
-      </step>
-      <step os="rhel;centos;fedora">
-        <para>The <systemitem class="service">neutron-server</systemitem>
-          initialization script expects a symbolic link
-          <filename>/etc/neutron/plugin.ini</filename> pointing to the
-          configuration file associated with your chosen plug-in. Using
-          Open vSwitch, for example, the symbolic link must point to
-          <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>.
-          If this symbolic link does not exist, create it using the
-          following commands:</para>
-        <screen><prompt>#</prompt> <userinput>cd /etc/neutron</userinput>
-<prompt>#</prompt> <userinput>ln -s plugins/openvswitch/ovs_neutron_plugin.ini plugin.ini</userinput></screen>
-      </step>
-      <step os="sles;opensuse">
-        <para>The <systemitem class="service">openstack-neutron</systemitem>
-          initialization script expects the variable
-          <literal>NEUTRON_PLUGIN_CONF</literal> in file
-          <filename>/etc/sysconfig/neutron</filename> to reference the
-          configuration file associated with your chosen plug-in. Using
-          Open vSwitch, for example, edit the
-          <filename>/etc/sysconfig/neutron</filename> file and add the
-          following:</para>
-        <programlisting>NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini"</programlisting>
-      </step>
-      <step>
-        <para>Restart Networking services.</para>
-        <screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service neutron-dhcp-agent restart</userinput>
-<prompt>#</prompt> <userinput>service neutron-l3-agent restart</userinput>
-<prompt>#</prompt> <userinput>service neutron-metadata-agent restart</userinput></screen>
-        <screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service neutron-dhcp-agent restart</userinput>
-<prompt>#</prompt> <userinput>service neutron-l3-agent restart</userinput>
-<prompt>#</prompt> <userinput>service neutron-metadata-agent restart</userinput></screen>
-        <screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-neutron-dhcp-agent restart</userinput>
-<prompt>#</prompt> <userinput>service openstack-neutron-l3-agent restart</userinput>
-<prompt>#</prompt> <userinput>service openstack-neutron-metadata-agent restart</userinput></screen>
-        <para>Also restart your chosen Networking plug-in agent, for example, Open vSwitch.</para>
-        <screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service neutron-plugin-openvswitch-agent restart</userinput></screen>
-        <screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service neutron-openvswitch-agent restart</userinput></screen>
-        <screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-neutron-openvswitch-agent restart</userinput></screen>
-      </step>
-      <step>
-        <para>After you configure the <link
-            linkend="install-neutron.dedicated-compute-node"
-            >compute</link> and <link
-            linkend="install-neutron.dedicated-controller-node"
-            >controller</link> nodes, <link
-            linkend="install-neutron.configure-networks">configure the
-            base networks</link>.</para>
-      </step>
-    </procedure>
-    <section xml:id="install-neutron.install-plug-in">
-      <title>Install and configure the Networking plug-ins</title>
-      <section xml:id="install-neutron.install-plug-in.ovs">
-        <title>Install the Open vSwitch (OVS) plug-in</title>
-        <procedure>
-          <step>
-            <para>Install the Open vSwitch plug-in and its
-              dependencies:</para>
-            <screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch-agent</userinput></screen>
-            <screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron-openvswitch</userinput></screen>
-            <screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
-            <note os="ubuntu">
-              <para>On Ubuntu 12.04 LTS with GRE you must install
-                openvswitch-datapath-dkms and restart the service to
-                enable the GRE flow so that OVS 1.10 and higher is
-                used. Make sure you are running the OVS 1.10 kernel
-                module in addition to the OVS 1.10 user space. Both
-                the kernel module and user space are required for
-                VXLAN support. The error you see in the
-                  <filename>/var/log/openvswitchovs-vswitchd.log</filename>
-                log file is "Stderr: 'ovs-ofctl: -1: negative values
-                not supported for in_port\n'". If you see this error,
-                make sure <command>modinfo openvswitch</command> shows
-                the right version. Also check the output from
-                  <command>dmesg</command> for the version of the OVS
-                module being loaded.</para>
-            </note>
-          </step>
-          <step>
-            <para>Start Open vSwitch:</para>
-            <screen os="debian;rhel;fedora;centos"><prompt>#</prompt> <userinput>service openvswitch start</userinput></screen>
-            <screen os="opensuse;sles"><prompt>#</prompt> <userinput>service openvswitch-switch start</userinput></screen>
-            <screen os="ubuntu"><prompt>#</prompt> <userinput>service openvswitch-switch restart</userinput></screen>
-            <para os="rhel;fedora;centos;opensuse;sles">And configure
-              it to start when the system boots:</para>
-            <screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>chkconfig openvswitch on</userinput></screen>
-            <screen os="opensuse;sles"><prompt>#</prompt> <userinput>chkconfig openvswitch-switch on</userinput></screen>
-          </step>
-          <step>
-            <para>No matter which networking technology you use, you
-              must add the <literal>br-int</literal> integration
-              bridge, which connects to the VMs, and the
-                <literal>br-ex</literal> external bridge, which
-              connects to the outside world.</para>
-            <screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-int</userinput>
-<prompt>#</prompt> <userinput>ovs-vsctl add-br br-ex</userinput></screen>
-          </step>
-          <step>
-            <para>Add a <glossterm>port</glossterm> (connection) from
-              the <replaceable>EXTERNAL_INTERFACE</replaceable>
-              interface to <literal>br-ex</literal> interface:</para>
-            <screen><prompt>#</prompt> <userinput>ovs-vsctl add-port br-ex <replaceable>EXTERNAL_INTERFACE</replaceable></userinput></screen>
-                    <warning>
-                    <para>The host must have an IP address associated
-                      with an interface other than <replaceable>EXTERNAL_INTERFACE</replaceable>,
-                      and your remote terminal session must be associated with this other
-                      IP address.</para>
-                      <para>If you associate an IP address with <replaceable>EXTERNAL_INTERFACE</replaceable>,
-                    that IP address stops working after you issue the <command>ovs-vsctl add-port br-ex <replaceable>EXTERNAL_INTERFACE</replaceable></command> command.
-                    If you associate a remote terminal session with that
-                    IP address, you lose connectivity with the host.</para>
-                    <para>For more details about this behavior, see the
-                      <emphasis>Configuration Problems</emphasis> section of the
-                      <link xlink:href="http://git.openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=blob_plain;f=FAQ;hb=HEAD">Open vSwitch FAQ</link>.
-                    </para>
-                    </warning>
-          </step>
-          <step>
-            <para>Configure the
-                <replaceable>EXTERNAL_INTERFACE</replaceable> without
-              an IP address and in promiscuous mode. Additionally, you
-              must set the newly created <literal>br-ex</literal>
-              interface to have the IP address that formerly belonged
-              to <replaceable>EXTERNAL_INTERFACE</replaceable>.</para>
-            <warning os="ubuntu">
-              <para>Generic Receive Offload (GRO) should not be
-                enabled on this interface as it can cause severe
-                performance problems. It can be disabled with the
-                ethtool utility.</para>
-            </warning>
-            <para os="rhel;fedora;centos">Edit the
-                <filename>/etc/sysconfig/network-scripts/ifcfg-EXTERNAL_INTERFACE</filename>
-              file:</para>
-            <programlisting language="ini" os="rhel;fedora;centos">DEVICE_INFO_HERE
-ONBOOT=yes
-BOOTPROTO=none
-PROMISC=yes</programlisting>
-          </step>
-          <step os="rhel;fedora;centos">
-            <para>Create and edit the
-                <filename>/etc/sysconfig/network-scripts/ifcfg-br-ex</filename>
-              file:</para>
-            <programlisting language="ini">DEVICE=br-ex
-TYPE=Bridge
-ONBOOT=no
-BOOTPROTO=none
-IPADDR=EXTERNAL_INTERFACE_IP
-NETMASK=EXTERNAL_INTERFACE_NETMASK
-GATEWAY=EXTERNAL_INTERFACE_GATEWAY</programlisting>
-          </step>
-          <!-- TODO(sross): support other distros -->
-          <step>
-            <para>You must set some common configuration options no
-              matter which networking technology you choose to use
-              with Open vSwitch. Configure the L3 and DHCP agents to
-              use <acronym>OVS</acronym> and namespaces. Edit the
-                <filename>/etc/neutron/l3_agent.ini</filename> and
-                <filename>/etc/neutron/dhcp_agent.ini</filename>
-              files, respectively:</para>
-            <programlisting language="ini">interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
-use_namespaces = True</programlisting>
-            <para os="rhel;centos">You must enable veth support if you
-              use certain kernels. Some kernels, such as recent
-              versions of RHEL (not RHOS) and CentOS, only partially
-              support namespaces. Edit the previous files, as
-              follows:</para>
-            <programlisting language="ini" os="rhel;centos">ovs_use_veth = True</programlisting>
-          </step>
-          <step os="rhel;centos;fedora;opensuse;sles;ubuntu">
-            <para>Similarly, you must also tell Neutron core to use
-                <acronym>OVS</acronym>. Edit the
-                <filename>/etc/neutron/neutron.conf</filename>
-              file:</para>
-            <programlisting language="ini">core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2</programlisting>
-          </step>
-          <step>
-            <para>Choose a networking technology to create the virtual
-              networks. Neutron supports GRE tunneling, VLANs, and
-              VXLANs. This guide shows how to configure GRE tunneling
-              and VLANs.</para>
-            <para>
-              <link linkend="install-neutron.install-plug-in.ovs.gre"
-                >GRE tunneling</link> is simpler to set up because it
-              does not require any special configuration from any
-              physical network hardware. However, its protocol makes
-              it difficult to filter traffic on the physical network.
-              Additionally, this configuration does not use
-              namespaces. You can have only one router for each
-              network node. However, you can enable namespacing, and
-              potentially veth, as described in the section detailing
-              how to use VLANs with <acronym>OVS</acronym>).</para>
-            <para>On the other hand, <link
-                linkend="install-neutron.install-plug-in.ovs.vlan"
-                >VLAN tagging</link> modifies the ethernet header of
-              packets. You can filter packets on the physical network
-              through normal methods. However, not all NICs handle the
-              increased packet size of VLAN-tagged packets well, and
-              you might need to complete additional configuration on
-              physical network hardware to ensure that your Neutron
-              VLANs do not interfere with any other VLANs on your
-              network and that any physical network hardware between
-              nodes does not strip VLAN tags.</para>
-            <note>
-              <para>While the examples in this guide enable network
-                namespaces by default, you can disable them if issues
-                occur or your kernel does not support them. Edit the
-                  <filename>/etc/neutron/l3_agent.ini</filename> and
-                  <filename>/etc/neutron/dhcp_agent.ini</filename>
-                files, respectively:</para>
-              <programlisting language="ini">use_namespaces = False</programlisting>
-              <para>Edit the
-                  <filename>/etc/neutron/neutron.conf</filename> file
-                to disable overlapping IP addresses:</para>
-              <programlisting language="ini">allow_overlapping_ips = False</programlisting>
-              <para>Note that when network namespaces are disabled,
-                you can have only one router for each network node and
-                overlapping IP addresses are not supported.</para>
-              <para>You must complete additional steps after you
-                create the initial Neutron virtual networks and
-                router.</para>
-            </note>
-          </step>
-          <!-- TODO(sross): support provider networks?  you need to modify things above for this to work -->
-          <step>
-            <para>Configure a firewall plug-in. If you do not wish to
-              enforce firewall rules, called <glossterm
-              baseform="security group">security groups</glossterm>
-              by OpenStack, you can use
-                <literal>neutron.agent.firewall.NoopFirewall</literal>.
-              Otherwise, you can choose one of the Networking firewall
-              plug-ins. The most common choice is the Hybrid
-              OVS-IPTables driver, but you can also use the
-              Firewall-as-a-Service driver. Edit the
-                <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
-              file:</para>
-            <programlisting language="ini">[securitygroup]
-# Firewall driver for realizing neutron security group function.
-firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
-            <warning>
-              <para>You must use at least the No-Op firewall.
-                Otherwise, Horizon and other OpenStack services cannot
-                get and set required VM boot options.</para>
-            </warning>
-          </step>
-          <!-- TODO(sross): document other firewall options -->
-          <step os="rhel;centos;fedora;sles;opensuse">
-            <para>Configure the <acronym>OVS</acronym> plug-in to start
-              on boot.</para>
-            <screen os="fedora;centos;rhel"><prompt>#</prompt> <userinput>chkconfig neutron-openvswitch-agent on</userinput></screen>
-            <screen os="sles;opensuse"><prompt>#</prompt> <userinput>chkconfig openstack-neutron-openvswitch-agent on</userinput></screen>
-          </step>
-          <step>
-            <para>Now, return to the general <acronym>OVS</acronym>
-              instructions.</para>
-          </step>
-        </procedure>
-        <section xml:id="install-neutron.install-plug-in.ovs.gre">
-          <title>Configure the Neutron <acronym>OVS</acronym> plug-in
-            for GRE tunneling</title>
-          <procedure>
-            <step>
-              <para>Configure the <acronym>OVS</acronym> plug-in to
-                use GRE tunneling, the <literal>br-int</literal>
-                integration bridge, the <literal>br-tun</literal>
-                tunneling bridge, and a local IP for the
-                  <replaceable>DATA_INTERFACE</replaceable> tunnel IP.
-                Edit the
-                  <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
-                file:</para>
-              <programlisting language="ini">[ovs]
-tenant_network_type = gre
-tunnel_id_ranges = 1:1000
-enable_tunneling = True
-integration_bridge = br-int
-tunnel_bridge = br-tun
-local_ip = DATA_INTERFACE_IP</programlisting>
-            </step>
-            <step>
-              <para>Return to the general <acronym>OVS</acronym>
-                instructions.</para>
-            </step>
-          </procedure>
-        </section>
-        <section xml:id="install-neutron.install-plug-in.ovs.vlan">
-          <title>Configure the Neutron <acronym>OVS</acronym> plug-in
-            for VLANs</title>
-          <procedure>
-            <step>
-              <para>Configure <acronym>OVS</acronym> to use VLANS.
-                Edit the
-                  <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
-                file:</para>
-              <programlisting language="ini">[ovs]
-tenant_network_type = vlan
-network_vlan_ranges = physnet1:1:4094
-bridge_mappings = physnet1:br-DATA_INTERFACE</programlisting>
-            </step>
-            <step>
-              <para>Create the bridge for
-                  <replaceable>DATA_INTERFACE</replaceable> and add
-                  <replaceable>DATA_INTERFACE</replaceable> to
-                it:</para>
-              <screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-DATA_INTERFACE</userinput>
-<prompt>#</prompt> <userinput>ovs-vsctl add-port br-DATA_INTERFACE DATA_INTERFACE</userinput></screen>
-            </step>
-            <step>
-              <para>Transfer the IP address for
-                  <replaceable>DATA_INTERFACE</replaceable> to the
-                bridge in the same way that you transferred the
-                  <replaceable>EXTERNAL_INTERFACE</replaceable> IP
-                address to <literal>br-ex</literal>. However, do not
-                turn on promiscuous mode.</para>
-            </step>
-            <step>
-              <para>Return to the <acronym>OVS</acronym> general
-                instruction.</para>
-            </step>
-          </procedure>
-        </section>
-      </section>
-    </section>
-  </section>
-  <section xml:id="install-neutron.dedicated-compute-node">
-    <title>Install networking support on a dedicated compute
-      node</title>
-    <note>
-      <para>This section details set up for any node that runs the
-          <literal>nova-compute</literal> component but does not run
-        the full network stack.</para>
-    </note>
-    <warning os="rhel;centos">
-      <para>By default, the <literal>system-config-firewall</literal>
-        automated firewall configuration tool is in place on RHEL.
-        This graphical interface (and a curses-style interface with
-          <literal>-tui</literal> on the end of the name) enables you
-        to configure IP tables as a basic firewall. You should disable
-        it when you work with Neutron unless you are familiar with the
-        underlying network technologies, as, by default, it blocks
-        various types of network traffic that are important to
-        Neutron. To disable it, simple launch the program and clear
-        the <guilabel>Enabled</guilabel> check box.</para>
-      <para>After you successfully set up OpenStack with Neutron, you
-        can re-enable and configure the tool. However, during Neutron
-        set up, disable the tool to make it easier to debug network
-        issues.</para>
-    </warning>
-    <procedure>
-      <step>
-        <para>Disable packet destination filtering (route
-          verification) to let the networking services route traffic
-          to the VMs. Edit the <filename>/etc/sysctl.conf</filename>
-          file and run the following command to activate
-          changes:</para>
-        <programlisting language="ini">net.ipv4.conf.all.rp_filter=0
-net.ipv4.conf.default.rp_filter=0</programlisting>
-        <screen><prompt>#</prompt> <userinput>sysctl -p</userinput></screen>
-      </step>
-      <step>
-        <para>Install and configure your networking plug-in
-          components. To install and configure the network plug-in
-          that you chose when you set up your network node, see <xref
-            linkend="install-neutron.install-plugin-compute"/>.</para>
-      </step>
-      <step os="rhel;centos;fedora;opensuse;sles">
-          <para>Configure Networking to use <systemitem class="service">keystone</systemitem> for authentication:</para>
-          <substeps>
-              <step>
-                  <para>Set the <literal>auth_strategy</literal>
-                  configuration key to <literal>keystone</literal> in the
-                  <literal>DEFAULT</literal> section of the file:</para>
-                  <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone</userinput></screen>
-              </step>
-              <step>
-                  <para>Set the <systemitem class="service">neutron</systemitem> configuration for
-                      <systemitem class="service">keystone</systemitem> authentication:</para>
-                      <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
-   auth_host <replaceable>controller</replaceable></userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
-   auth_url http://<replaceable>controller</replaceable>:35357/v2.0</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
-   admin_tenant_name service</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
-   admin_user neutron</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
-   admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
-              </step></substeps>
-      </step>
-      <step os="opensuse;sles">
-          <para>Configure access to the <application>RabbitMQ</application> service:</para>
-          <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   rpc_backend neutron.openstack.common.rpc.impl_kombu</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   rabbit_host controller</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   rabbit_userid guest</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   rabbit_password <replaceable>RABBIT_PASS</replaceable></userinput></screen>
-      </step>
-      <step os="rhel;centos;fedora">
-        <para>Configure access to the <application>Qpid</application> message queue:</para>
-            <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   rpc_backend neutron.openstack.common.rpc.impl_qpid</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   qpid_hostname <replaceable>controller</replaceable></userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   qpid_port 5672</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   qpid_username <replaceable>guest</replaceable></userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   qpid_password <replaceable>guest</replaceable></userinput></screen>
-      </step>
-      <step os="ubuntu;debian">
-        <para>Configure the core components of Neutron. Edit the
-            <filename>/etc/neutron/neutron.conf</filename>
-          file:</para>
-        <programlisting language="ini">auth_host = <replaceable>controller</replaceable>
-admin_tenant_name = service
-admin_user = neutron
-admin_password = <replaceable>NEUTRON_PASS</replaceable>
-auth_url = http://controller:35357/v2.0
-auth_strategy = keystone
-rpc_backend = neutron.openstack.common.rpc.impl_kombu
-rabbit_host = controller
-rabbit_port = 5672
-# Change the following settings if you're not using the default RabbitMQ configuration
-#rabbit_userid = guest
-rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
-      </step>
-      <step os="rhel;centos;fedora">
-        <para>Set the <literal>root_helper</literal> configuration in the
-          <literal>[agent]</literal> section of <filename>/etc/neutron/neutron.conf</filename>:</para>
-          <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf AGENT \
-   root_helper sudo neutron-rootwrap /etc/neutron/rootwrap.conf</userinput></screen>
-      </step>
-          <step os="rhel;centos;fedora;opensuse;sles">
-          <para>Configure Networking to connect to the database:</para>
-          <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DATABASE sql_connection \
-   mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@controller/neutron</userinput></screen>
-      </step>
-      <step os="ubuntu">
-        <para>Configure Networking to connect to the database. Edit
-          the <literal>[database]</literal> section in the same file,
-          as follows:</para>
-        <programlisting language="ini">[database]
-connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>/neutron</programlisting>
-      </step>
-      <step os="ubuntu;debian">
-        <para>Edit the <filename>/etc/neutron/api-paste.ini</filename>
-          file and add these lines to the
-            <literal>[filter:authtoken]</literal> section:</para>
-        <programlisting language="ini">[filter:authtoken]
-paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
-auth_host = <replaceable>controller</replaceable>
-admin_tenant_name = service
-admin_user = neutron
-admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
-      </step>
-      <step os="rhel;centos;fedora;opensuse;sles">
-          <para>Configure the <filename>/etc/neutron/api-paste.ini</filename> file for <systemitem class="service">keystone</systemitem>
-          authentication:</para>
-              <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
-   paste.filter_factory keystoneclient.middleware.auth_token:filter_factory</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
-   auth_host <replaceable>controller</replaceable></userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
-   admin_tenant_name service</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
-   admin_user neutron</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
-   admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
-      </step>
-      <step>
-      <para os="rhel;centos;fedora;opensuse;sles">Configure OpenStack Compute to use OpenStack Networking
-          services. Configure the <filename>/etc/nova/nova.conf</filename>
-          file as per instructions below:</para>
-      <screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-   network_api_class nova.network.neutronv2.api.API</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-   neutron_url http://<replaceable>controller</replaceable>:9696</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-   neutron_auth_strategy keystone</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-   neutron_admin_tenant_name service</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-   neutron_admin_username neutron</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-   neutron_admin_password <replaceable>NEUTRON_PASS</replaceable></userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-   neutron_admin_auth_url http://<replaceable>controller</replaceable>:35357/v2.0</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-   linuxnet_interface_driver nova.network.linux_net.LinuxOVSInterfaceDriver</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-   firewall_driver nova.virt.firewall.NoopFirewallDriver</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-   security_group_api neutron</userinput></screen>
-        <para os="ubuntu;debian">Configure OpenStack Compute to use OpenStack Networking
-          services. Edit the <filename>/etc/nova/nova.conf</filename>
-          file:</para>
-        <programlisting language="ini" os="ubuntu;debian">network_api_class=nova.network.neutronv2.api.API
-neutron_url=http://<replaceable>controller</replaceable>:9696
-neutron_auth_strategy=keystone
-neutron_admin_tenant_name=service
-neutron_admin_username=neutron
-neutron_admin_password=<replaceable>NEUTRON_PASS</replaceable>
-neutron_admin_auth_url=http://<replaceable>controller</replaceable>:35357/v2.0
-linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
-firewall_driver=nova.virt.firewall.NoopFirewallDriver
-security_group_api=neutron</programlisting>
-        <note>
-          <itemizedlist>
-            <listitem>
-              <para>No matter which firewall driver you chose when you
-                configured the network and compute nodes, you must
-                edit the <filename>/etc/nova/nova.conf</filename> file
-                to set the firewall driver to
-                  <literal>nova.virt.firewall.NoopFirewallDriver</literal>.
-                Because OpenStack Networking handles the firewall,
-                this statement instructs Compute to not use a
-                firewall.</para>
-            </listitem>
-            <listitem>
-              <para>If you want Networking to handle the firewall,
-                edit the
-                  <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
-                file to set the <code>firewall_driver</code> option to
-                the firewall for the plug-in. For example, with
-                  <acronym>OVS</acronym>, edit the file as
-                follows:</para>
-              <programlisting language="ini" os="ubuntu;debian">[securitygroup]
-# Firewall driver for realizing neutron security group function.
-firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
-              <screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set \
-   /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini securitygroup firewall_driver \
-   neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</userinput></screen>
-            </listitem>
-            <listitem>
-              <para>If you do not want to use a firewall in Compute or
-                Networking, edit both configuration files and set
-                  <code>firewall_driver=nova.virt.firewall.NoopFirewallDriver</code>.
-                Also, edit the
-                  <filename>/etc/nova/nova.conf</filename> file and
-                comment out or remove the
-                  <code>security_group_api=neutron</code>
-                statement.</para>
-              <para>Otherwise, when you issue <command>nova
-                  list</command> commands, the <errortext>ERROR: The
-                  server has either erred or is incapable of
-                  performing the requested operation. (HTTP
-                  500)</errortext> error might be returned.</para>
-            </listitem>
-          </itemizedlist>
-        </note>
-      </step>
-      <step>
-        <para>Restart the Compute service.</para>
-        <screen os="debian;ubuntu"><prompt>#</prompt> <userinput>service nova-compute restart</userinput></screen>
-        <screen os="centos;rhel;fedora"><prompt>#</prompt> <userinput>service openstack-nova-compute restart</userinput></screen>
-        <screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-nova-compute restart</userinput></screen>
-        <para>Also restart your chosen Networking plug-in agent, for example, Open vSwitch.</para>
-        <screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service neutron-plugin-openvswitch-agent restart</userinput></screen>
-        <screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service neutron-openvswitch-agent restart</userinput></screen>
-        <screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-neutron-openvswitch-agent restart</userinput></screen>
-      </step>
-    </procedure>
-    <section xml:id="install-neutron.install-plugin-compute">
-      <title>Install and configure Neutron plug-ins on a dedicated
-        compute node</title>
-      <section xml:id="install-neutron.install-plugin-compute.ovs">
-        <title>Install the Open vSwitch (OVS) plug-in on a dedicated
-          compute node</title>
-        <procedure>
-          <step>
-            <para>Install the Open vSwitch plug-in and its
-              dependencies:</para>
-            <screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch-agent openvswitch-datapath-dkms</userinput></screen>
-            <screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron-openvswitch</userinput></screen>
-            <screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
-          </step>
-          <step os="ubuntu;debian">
-            <para>Restart Open vSwitch:</para>
-            <screen><prompt>#</prompt> <userinput>service openvswitch-switch restart</userinput></screen>
-          </step>
-          <step os="rhel;fedora;centos;opensuse;sles">
-            <para>Start Open vSwitch and configure it to start when
-              the system boots:</para>
-            <screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>service openvswitch start</userinput>
-<prompt>#</prompt> <userinput>chkconfig openvswitch on</userinput></screen>
-            <screen os="opensuse;sles"><prompt>#</prompt> <userinput>service openvswitch-switch start</userinput>
-<prompt>#</prompt> <userinput>chkconfig openvswitch-switch on</userinput></screen>
-          </step>
-          <step>
-            <para>You must set some common configuration options no
-              matter which networking technology you choose to use
-              with Open vSwitch. You must add the
-                <literal>br-int</literal> integration bridge, which
-              connects to the VMs.</para>
-            <screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-int</userinput></screen>
-          </step>
-          <step os="rhel;centos;fedora;opensuse;sles;ubuntu">
-            <para>You must set some common configuration options. You
-              must configure Networking core to use
-                <acronym>OVS</acronym>. Edit the
-                <filename>/etc/neutron/neutron.conf</filename>
-              file:</para>
-            <programlisting language="ini" os="ubuntu;opensuse;sles">core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2</programlisting>
-            <programlisting language="ini">auth_uri = http://<replaceable>controller</replaceable>:5000</programlisting>
-            <programlisting language="ini" os="rhel;centos;fedora">core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
-api_paste_config = /etc/neutron/api-paste.ini
-rpc_backend = neutron.openstack.common.rpc.impl_qpid</programlisting>
-          </step>
-          <step>
-            <para>Configure the networking type that you chose when
-              you set up the network node: either <link
-                linkend="install-neutron.install-plugin-compute.ovs.gre"
-                >GRE tunneling</link> or <link
-                linkend="install-neutron.install-plugin-compute.ovs.vlan"
-                >VLANs</link>.</para>
-          </step>
-          <!-- TODO(sross): support provider networks?  you need to modify things above for this to work -->
-          <step>
-            <para>You must configure a firewall as well. You should
-              use the same firewall plug-in that you chose to use when
-              you set up the network node. To do this, edit
-                <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
-              file and set the <literal>firewall_driver</literal>
-              value under the <literal>securitygroup</literal> to the
-              same value used on the network node. For instance, if
-              you chose to use the Hybrid OVS-IPTables plug-in, your
-              configuration looks like this:</para>
-            <programlisting language="ini">[securitygroup]
-# Firewall driver for realizing neutron security group function.
-firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
-            <warning>
-              <para>You must use at least the No-Op firewall.
-                Otherwise, Horizon and other OpenStack services cannot
-                get and set required VM boot options.</para>
-            </warning>
-          </step>
-          <step os="rhel;centos;fedora;sles;opensuse">
-            <para>Configure the <acronym>OVS</acronym> plug-in to start
-              on boot.</para>
-            <screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>chkconfig neutron-openvswitch-agent on</userinput></screen>
-            <screen os="sles;opensuse"><prompt>#</prompt> <userinput>chkconfig openstack-neutron-openvswitch-agent on</userinput></screen>
-          </step>
-          <step>
-            <para>Now, return to the general <acronym>OVS</acronym>
-              instructions.</para>
-          </step>
-        </procedure>
-        <section
-          xml:id="install-neutron.install-plugin-compute.ovs.gre">
-          <title>Configure the Neutron <acronym>OVS</acronym> plug-in
-            for GRE tunneling on a dedicated compute node</title>
-          <procedure>
-            <step>
-              <para>Tell the <acronym>OVS</acronym> plug-in to use GRE
-                tunneling with a <literal>br-int</literal> integration
-                bridge, a <literal>br-tun</literal> tunneling bridge,
-                and a local IP for the tunnel of
-                  <replaceable>DATA_INTERFACE</replaceable>'s IP Edit
-                the
-                  <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
-                file:</para>
-              <programlisting language="ini">[ovs]
-tenant_network_type = gre
-tunnel_id_ranges = 1:1000
-enable_tunneling = True
-integration_bridge = br-int
-tunnel_bridge = br-tun
-local_ip = <replaceable>DATA_INTERFACE_IP</replaceable></programlisting>
-            </step>
-            <step>
-              <para>Now, return to the general <acronym>OVS</acronym>
-                instructions.</para>
-            </step>
-          </procedure>
-        </section>
-        <section
-          xml:id="install-neutron.install-plugin-compute.ovs.vlan">
-          <title>Configure the Neutron <acronym>OVS</acronym> plug-in
-            for VLANs on a dedicated compute node</title>
-          <procedure>
-            <step>
-              <para>Tell <acronym>OVS</acronym> to use VLANs. Edit the
-                  <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
-                file:</para>
-              <programlisting language="ini">[ovs]
-tenant_network_type = vlan
-network_vlan_ranges = physnet1:1:4094
-bridge_mappings = physnet1:br-<replaceable>DATA_INTERFACE</replaceable></programlisting>
-            </step>
-            <step>
-              <para>Create the bridge for the
-                  <replaceable>DATA_INTERFACE</replaceable> and add
-                  <replaceable>DATA_INTERFACE</replaceable> to it, the
-                same way you did on the network node:</para>
-              <screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-DATA_INTERFACE</userinput>
-<prompt>#</prompt> <userinput>ovs-vsctl add-port br-DATA_INTERFACE DATA_INTERFACE</userinput></screen>
-            </step>
-            <step>
-              <para>Return to the general <acronym>OVS</acronym>
-                instructions.</para>
-            </step>
-          </procedure>
-        </section>
-      </section>
-    </section>
-  </section>
-  <section xml:id="install-neutron.dedicated-controller-node">
-    <title>Install networking support on a dedicated controller
-      node</title>
-    <note>
-      <para>This is for a node which runs the control components of
-        Neutron, but does not run any of the components that provide
-        the underlying functionality (such as the plug-in agent or the
-        L3 agent). If you wish to have a combined controller/compute
-        node follow these instructions, and then those for the compute
-        node.</para>
-    </note>
-    <warning os="rhel;centos">
-      <para>By default, the <literal>system-config-firewall</literal>
-        automated firewall configuration tool is in place on RHEL.
-        This graphical interface (and a curses-style interface with
-          <literal>-tui</literal> on the end of the name) enables you
-        to configure IP tables as a basic firewall. You should disable
-        it when you work with Neutron unless you are familiar with the
-        underlying network technologies, as, by default, it blocks
-        various types of network traffic that are important to
-        Neutron. To disable it, simple launch the program and clear
-        the <guilabel>Enabled</guilabel> check box.</para>
-      <para>After you successfully set up OpenStack with Neutron, you
-        can re-enable and configure the tool. However, during Neutron
-        set up, disable the tool to make it easier to debug network
-        issues.</para>
-    </warning>
-    <procedure>
-      <step>
-        <para>Install the server component of Networking and any dependencies.</para>
-        <screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-server</userinput></screen>
-        <screen os="fedora;rhel;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron python-neutron python-neutronclient</userinput></screen>
-        <screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron python-neutron python-neutronclient</userinput></screen>
-      </step>
-      <step os="rhel;centos;fedora;opensuse;sles">
-          <para>Configure Networking to connect to the database:</para>
-          <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DATABASE sql_connection \
-   mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@controller/neutron</userinput></screen>
-      </step>
-      <step os="ubuntu;debian">
-        <para>Configure Networking to use your MySQL database. Edit the
-          <filename>/etc/neutron/neutron.conf</filename> file and add the
-          following key under the <literal>[database]</literal> section. Replace
-          <replaceable>NEUTRON_DBPASS</replaceable> with the password you
-          chose for the Neutron database.</para>
-        <programlisting language="ini">[database]
-...
-connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>/neutron</programlisting>
-      </step>
-      <step os="rhel;centos;fedora;opensuse;sles">
-          <para>Configure Networking to use <systemitem class="service">keystone</systemitem> for authentication:</para>
-          <substeps>
-              <step>
-                  <para>Set the <literal>auth_strategy</literal>
-                  configuration key to <literal>keystone</literal> in the
-                  <literal>DEFAULT</literal> section of the file:</para>
-                  <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone</userinput></screen>
-              </step>
-              <step>
-                  <para>Set the <systemitem class="service">neutron</systemitem> configuration for
-                      <systemitem class="service">keystone</systemitem> authentication:</para>
-                      <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
-   auth_host <replaceable>controller</replaceable></userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
-   auth_url http://<replaceable>controller</replaceable>:35357/v2.0</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
-   admin_tenant_name service</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
-   admin_user neutron</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
-   admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
-              </step></substeps>
-      </step>
-      <step os="ubuntu;debian">
-        <para>Configure Networking to use <systemitem class="service">keystone</systemitem> as the Identity Service
-          for authentication.</para>
-        <substeps>
-          <step>
-            <para>Edit the
-              <filename>/etc/neutron/neutron.conf</filename> file and add the
-              following key under the <literal>[DEFAULT]</literal>
-              section.</para>
-            <programlisting language="ini">[DEFAULT]
-...
-auth_strategy = keystone</programlisting>
-            <para>Add the following keys under the
-              <literal>[keystone_authtoken]</literal> section. Replace
-              <replaceable>NEUTRON_PASS</replaceable> with the password you
-              chose for the Neutron user in Keystone.</para>
-            <programlisting language="ini">[keystone_authtoken]
-...
-auth_host = <replaceable>controller</replaceable>
-auth_port = 35357
-auth_protocol = http
-admin_tenant_name = service
-admin_user = neutron
-admin_password = <replaceable>NEUTRON_PASS</replaceable>
-auth_uri = http://<replaceable>controller</replaceable>:5000
-auth_url = http://<replaceable>controller</replaceable>:35357/v2.0
-            </programlisting>
-          </step>
-          <step>
-            <para>Edit the <filename>/etc/neutron/api-paste.ini</filename> file
-              and add the following keys under the
-              <literal>[filter:authtoken]</literal> section. Replace
-              <replaceable>NEUTRON_PASS</replaceable> with the password you
-              chose for the Neutron user in Keystone.</para>
-            <programlisting language="ini">[filter:authtoken]
-...
-paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
-admin_tenant_name = service
-admin_user = neutron
-admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
-          </step>
-        </substeps>
-      </step>
-      <step os="rhel;centos;fedora;opensuse;sles">
-          <para>Configure the <filename>/etc/neutron/api-paste.ini</filename> file for <systemitem class="service">keystone</systemitem>
-          authentication:</para>
-              <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
-   paste.filter_factory keystoneclient.middleware.auth_token:filter_factory</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
-   auth_host <replaceable>controller</replaceable></userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
-   admin_tenant_name service</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
-   admin_user neutron</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
-   admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
-      </step>
-      <step os="opensuse;sles">
-          <para>Configure access to the <application>RabbitMQ</application> service:</para>
-          <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   rpc_backend neutron.openstack.common.rpc.impl_kombu</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   rabbit_host controller</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   rabbit_userid guest</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   rabbit_password <replaceable>RABBIT_PASS</replaceable></userinput></screen>
-      </step>
-      <step os="rhel;centos;fedora">
-        <para>Configure access to the <application>Qpid</application> message queue:</para>
-            <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   rpc_backend neutron.openstack.common.rpc.impl_qpid</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   qpid_hostname <replaceable>controller</replaceable></userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   qpid_port 5672</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   qpid_username <replaceable>guest</replaceable></userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
-   qpid_password <replaceable>guest</replaceable></userinput></screen>
-      </step>
-      <step os="ubuntu;debian">
-        <para>Configure Networking to use your message broker. Edit the
-          <filename>/etc/neutron/neutron.conf</filename> file and add
-          the following keys under the <literal>[DEFAULT]</literal>
-          section.</para>
-        <para>Replace
-          <replaceable>RABBIT_PASS</replaceable> with the password you chose
-          for RabbitMQ.</para>
-       <programlisting language="ini">[DEFAULT]
-...
-rpc_backend = neutron.openstack.common.rpc.impl_kombu
-rabbit_host = <replaceable>controller</replaceable>
-rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
-      </step>
-      <step os="rhel;centos;fedora">
-        <para>Set the <literal>root_helper</literal> configuration in the
-          <literal>[agent]</literal> section of <filename>/etc/neutron/neutron.conf</filename>:</para>
-          <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf AGENT \
-   root_helper sudo neutron-rootwrap /etc/neutron/rootwrap.conf</userinput></screen>
-      </step>
-      <step>
-        <para>Although the controller node does not run any Networking agents,
-          you must install and configure the same plug-in that you configured
-          on the network node.</para>
-        <para><link linkend="install-neutron.install-plug-in-controller">
-          Install and configure the Networking plug-ins on a dedicated
-          controller node</link></para>
-      </step>
-      <step>
-      <para os="rhel;centos;fedora;opensuse;sles">Configure OpenStack Compute to use OpenStack Networking
-          services. Configure the <filename>/etc/nova/nova.conf</filename>
-          file as per instructions below:</para>
-      <screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-   network_api_class nova.network.neutronv2.api.API</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-   neutron_url http://<replaceable>controller</replaceable>:9696</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-   neutron_auth_strategy keystone</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-   neutron_admin_tenant_name service</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-   neutron_admin_username neutron</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-   neutron_admin_password <replaceable>NEUTRON_PASS</replaceable></userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-   neutron_admin_auth_url http://<replaceable>controller</replaceable>:35357/v2.0</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-   linuxnet_interface_driver nova.network.linux_net.LinuxOVSInterfaceDriver</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-   firewall_driver nova.virt.firewall.NoopFirewallDriver</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
-   security_group_api neutron</userinput></screen>
-        <para os="ubuntu;debian">Configure OpenStack Compute to use OpenStack Networking
-          services. Edit the <filename>/etc/nova/nova.conf</filename>
-          file:</para>
-        <programlisting language="ini" os="ubuntu;debian">network_api_class=nova.network.neutronv2.api.API
-neutron_url=http://<replaceable>controller</replaceable>:9696
-neutron_auth_strategy=keystone
-neutron_admin_tenant_name=service
-neutron_admin_username=neutron
-neutron_admin_password=<replaceable>NEUTRON_PASS</replaceable>
-neutron_admin_auth_url=http://<replaceable>controller</replaceable>:35357/v2.0
-linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
-firewall_driver=nova.virt.firewall.NoopFirewallDriver
-security_group_api=neutron</programlisting>
-        <note>
-          <itemizedlist>
-            <listitem>
-              <para>Regardless of which firewall driver you chose when you
-              configured the network and compute nodes, set this driver
-              as the No-Op firewall. This firewall is a
-              <systemitem class="service">nova</systemitem> firewall,
-              and because  <systemitem class="service">neutron</systemitem>
-              handles the Firewall, you must tell <systemitem class="service">nova</systemitem>
-              not to use one.</para>
-              <para>When Networking handles the firewall, the option
-              <code>firewall_driver</code> should be set according to
-              the specified plug-in. For example with
-              <acronym>OVS</acronym>, edit the
-              <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
-              file:</para>
-              <programlisting language="ini" os="ubuntu;debian">[securitygroup]
-# Firewall driver for realizing neutron security group function.
-firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
-              <screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set \
-   /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini security_group \
-   neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</userinput></screen>
-            </listitem>
-            <listitem>
-               <para>If you do not want to use a firewall in Compute or
-               Networking, set
-               <code>firewall_driver=nova.virt.firewall.NoopFirewallDriver</code>
-               in both config files, and comment out or remove
-               <code>security_group_api=neutron</code> in the
-               <filename>/etc/nova/nova.conf</filename> file, otherwise
-               you may encounter <errortext>ERROR: The server has either
-               erred or is incapable of performing the requested
-               operation. (HTTP 500)</errortext> when issuing
-              <command>nova list</command> commands.</para>
-            </listitem>
-          </itemizedlist>
-        </note>
-      </step>
-      <step os="rhel;centos;fedora">
-        <para>The <systemitem class="service">neutron-server</systemitem>
-          initialization script expects a symbolic link
-          <filename>/etc/neutron/plugin.ini</filename> pointing to the
-          configuration file associated with your chosen plug-in. Using
-          Open vSwitch, for example, the symbolic link must point to
-          <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>.
-          If this symbolic link does not exist, create it using the
-          following commands:</para>
-        <screen><prompt>#</prompt> <userinput>cd /etc/neutron</userinput>
-<prompt>#</prompt> <userinput>ln -s plugins/openvswitch/ovs_neutron_plugin.ini plugin.ini</userinput></screen>
-      </step>
-      <step os="sles;opensuse">
-        <para>The <systemitem class="service">openstack-neutron</systemitem>
-          initialization script expects the variable
-          <literal>NEUTRON_PLUGIN_CONF</literal> in file
-          <filename>/etc/sysconfig/neutron</filename> to reference the
-          configuration file associated with your chosen plug-in. Using
-          Open vSwitch, for example, edit the
-          <filename>/etc/sysconfig/neutron</filename> file and add the
-          following:</para>
-        <programlisting>NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini"</programlisting>
-      </step>
-      <step os="ubuntu;debian">
-        <para>Restart the Compute and Networking services:</para>
-        <screen><prompt>#</prompt> <userinput>service nova-api restart</userinput>
-<prompt>#</prompt> <userinput>service nova-scheduler restart</userinput>
-<prompt>#</prompt> <userinput>service nova-conductor restart</userinput>
-<prompt>#</prompt> <userinput>service neutron-server restart</userinput></screen>
-      </step>
-      <step os="fedora;rhel;centos;opensuse;sles">
-        <para>Restart the Compute services:</para>
-        <screen><prompt>#</prompt> <userinput>service openstack-nova-api restart</userinput>
-<prompt>#</prompt> <userinput>service openstack-nova-scheduler restart</userinput>
-<prompt>#</prompt> <userinput>service openstack-nova-conductor restart</userinput></screen>
-      </step>
-      <step os="fedora;rhel;centos;opensuse;sles">
-        <para>Start the Networking service and configure it to start when the
-          system boots:</para>
-        <screen os="fedora;rhel;centos"><prompt>#</prompt> <userinput>service neutron-server start</userinput>
-<prompt>#</prompt> <userinput>chkconfig neutron-server on</userinput></screen>
-        <screen os="opensuse;sles"><prompt>#</prompt> <userinput>service openstack-neutron start</userinput>
-<prompt>#</prompt> <userinput>chkconfig openstack-neutron on</userinput></screen>
-      </step>
-    </procedure>
-    <section xml:id="install-neutron.install-plug-in-controller">
-      <title>Install and configure the Neutron plug-ins on a dedicated
-        controller node</title>
-      <section xml:id="install-neutron.install-plug-in-controller.ovs">
-        <title>Install the Open vSwitch (OVS) plug-in on a dedicated
-          controller node</title>
-        <procedure>
-          <step>
-            <para>Install the Open vSwitch plug-in:</para>
-            <screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch</userinput></screen>
-            <screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron-openvswitch</userinput></screen>
-            <screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
-          </step>
-          <step>
-            <para>You must set some common configuration options no
-              matter which networking technology you choose to use
-              with Open vSwitch. You must configure Networking core to
-              use <acronym>OVS</acronym>. Edit the
-                <filename>/etc/neutron/neutron.conf</filename>
-              file:</para>
-            <programlisting language="ini">core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2</programlisting>
-          </step>
-          <step>
-            <para>Configure the <acronym>OVS</acronym> plug-in for the
-              networking type that you chose when you configured the
-              network node: <link
-                linkend="install-neutron.install-plug-in-controller.ovs.gre"
-                >GRE tunneling</link> or <link
-                linkend="install-neutron.install-plug-in-controller.ovs.vlan"
-                >VLANs</link>.</para>
-            <!-- TODO(sross): support provider networks?  you need to modify things above for this to work -->
-            <note>
-              <para>The dedicated controller node does not need to run
-                Open vSwitch or the Open vSwitch agent.</para>
-            </note>
-          </step>
-          <step>
-            <para>Now, return to the general <acronym>OVS</acronym>
-              instructions.</para>
-          </step>
-        </procedure>
-        <section
-          xml:id="install-neutron.install-plug-in-controller.ovs.gre">
-          <title>Configure the Neutron <acronym>OVS</acronym> plug-in
-            for GRE tunneling on a dedicated controller node</title>
-          <procedure>
-            <step>
-              <para>Tell the <acronym>OVS</acronym> plug-in to use GRE
-                tunneling. Edit the
-                  <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
-                file:</para>
-              <programlisting language="ini">[ovs]
-tenant_network_type = gre
-tunnel_id_ranges = 1:1000
-enable_tunneling = True</programlisting>
-            </step>
-            <step>
-              <para>Return to the general <acronym>OVS</acronym>
-                instructions.</para>
-            </step>
-          </procedure>
-        </section>
-        <section
-          xml:id="install-neutron.install-plug-in-controller.ovs.vlan">
-          <title>Configure the Neutron <acronym>OVS</acronym> plug-in
-            for VLANs on a dedicated controller node</title>
-          <procedure>
-            <step>
-              <para>Tell <acronym>OVS</acronym> to use VLANS. Edit the
-                  <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
-                file, as follows:</para>
-              <programlisting language="ini">[ovs]
-tenant_network_type = vlan
-network_vlan_ranges = physnet1:1:4094</programlisting>
-            </step>
-            <step>
-              <para>Return to the general <acronym>OVS</acronym>
-                instructions.</para>
-            </step>
-          </procedure>
-        </section>
-      </section>
-    </section>
-  </section>
-  <section xml:id="install-neutron.configure-networks">
-    <title>Create the base Neutron networks</title>
-    <note>
-      <para>In these sections, replace
-          <replaceable>SPECIAL_OPTIONS</replaceable> with any options
-        specific to your Networking plug-in choices. See <link
-          linkend="install-neutron.configure-networks.plug-in-specific"
-          >here</link> to check if your plug-in requires any special
-        options.</para>
-    </note>
-    <procedure>
-      <step>
-        <para>Create the <literal>ext-net</literal> external network.
-          This network represents a slice of the outside world. VMs
-          are not directly linked to this network; instead, they
-          connect to internal networks. Outgoing traffic is routed by
-          Neutron to the external network. Additionally, floating IP
-          addresses from the subnet for <literal>ext-net</literal>
-          might be assigned to VMs so that the external network can
-          contact them. Neutron routes the traffic
-          appropriately.</para>
-        <screen><prompt>#</prompt> <userinput>neutron net-create ext-net --router:external=True <replaceable>SPECIAL_OPTIONS</replaceable></userinput></screen>
-      </step>
-      <step>
-        <para>Create the associated subnet with the same gateway and
-          CIDR as <replaceable>EXTERNAL_INTERFACE</replaceable>. It
-          does not have DHCP because it represents a slice of the
-          external world:</para>
-        <screen><prompt>#</prompt> <userinput>neutron subnet-create ext-net \
-  --allocation-pool start=<replaceable>FLOATING_IP_START</replaceable>,end=<replaceable>FLOATING_IP_END</replaceable> \
-  --gateway=<replaceable>EXTERNAL_INTERFACE_GATEWAY</replaceable> --enable_dhcp=False \
-  <replaceable>EXTERNAL_INTERFACE_CIDR</replaceable></userinput></screen>
-      </step>
-      <step>
-        <para>Create one or more initial tenants, for example:</para>
-        <screen><prompt>#</prompt> <userinput>keystone tenant-create --name <replaceable>DEMO_TENANT</replaceable></userinput></screen>
-        <para os="rhel;centos;fedora;opensuse;sles;ubuntu"> See <xref
-            linkend="keystone-users"/> for further details.</para>
-        <para os="debian"> See <xref linkend="keystone-install"/> for
-          further details.</para>
-      </step>
-      <step>
-        <para>Create the router attached to the external network. This
-          router routes traffic to the internal subnets as
-          appropriate. You can create it under a given tenant: Append
-            <literal>--tenant-id</literal> option with a value of
-            <replaceable>DEMO_TENANT_ID</replaceable> to the
-          command.</para>
-        <para>Use the following to quickly get the
-            <replaceable>DEMO_TENANT</replaceable> tenant-id:</para>
-        <screen><prompt>#</prompt> <userinput>keystone tenant-list | grep <replaceable>DEMO_TENANT</replaceable> | awk '{print $2;}'</userinput></screen>
-        <para>Then create the router:</para>
-        <screen><prompt>#</prompt> <userinput>neutron router-create ext-to-int --tenant-id <replaceable>DEMO_TENANT_ID</replaceable></userinput></screen>
-      </step>
-      <step>
-        <para>Connect the router to <literal>ext-net</literal> by
-          setting the gateway for the router as
-            <literal>ext-net</literal>:</para>
-        <screen><prompt>#</prompt> <userinput>neutron router-gateway-set <replaceable>EXT_TO_INT_ID</replaceable> <replaceable>EXT_NET_ID</replaceable></userinput></screen>
-      </step>
-      <step>
-        <para>Create an internal network for
-            <replaceable>DEMO_TENANT</replaceable> (and associated
-          subnet over an arbitrary internal IP range, such as,
-            <literal>10.5.5.0/24</literal>), and connect it to the
-          router by setting it as a port:</para>
-        <screen><prompt>#</prompt> <userinput>neutron net-create --tenant-id <replaceable>DEMO_TENANT_ID</replaceable> demo-net <replaceable>SPECIAL_OPTIONS</replaceable></userinput>
-<prompt>#</prompt> <userinput>neutron subnet-create --tenant-id <replaceable>DEMO_TENANT_ID</replaceable> demo-net 10.5.5.0/24 --gateway 10.5.5.1</userinput>
-<prompt>#</prompt> <userinput>neutron router-interface-add <replaceable>EXT_TO_INT_ID</replaceable> <replaceable>DEMO_NET_SUBNET_ID</replaceable></userinput></screen>
-      </step>
-      <step>
-        <para>Check the special options page for your plug-in for
-          remaining steps. Now, return to the general
-            <acronym>OVS</acronym> instructions.</para>
-      </step>
-    </procedure>
-    <section
-      xml:id="install-neutron.configure-networks.plug-in-specific">
-      <title>Plug-in-specific Neutron network options</title>
-      <section
-        xml:id="install-neutron.configure-networks.plug-in-specific.ovs">
-        <title>Open vSwitch Network configuration options</title>
-        <section
-          xml:id="install-neutron.configure-networks.plug-in-specific.ovs.gre">
-          <title>GRE tunneling network options</title>
-          <note>
-            <para>While this guide currently enables network
-              namespaces by default, you can disable them if you have
-              issues or your kernel does not support them. If you
-              disabled namespaces, you must perform some additional
-              configuration for the L3 agent.</para>
-            <para>After you create all the networks, tell the L3 agent
-              what the external network ID is, as well as the ID of
-              the router associated with this machine (because you are
-              not using namespaces, there can be only one router for
-              each machine). To do this, edit the
-                <filename>/etc/neutron/l3_agent.ini</filename>
-              file:</para>
-            <programlisting language="ini">gateway_external_network_id = <replaceable>EXT_NET_ID</replaceable>
-router_id = <replaceable>EXT_TO_INT_ID</replaceable></programlisting>
-            <para>Then, restart the L3 agent:</para>
-            <screen><prompt>#</prompt> <userinput>service neutron-l3-agent restart</userinput></screen>
-          </note>
-          <para>When creating networks, you should use the
-            options:</para>
-          <screen><userinput>--provider:network_type gre --provider:segmentation_id SEG_ID</userinput></screen>
-          <para><replaceable>SEG_ID</replaceable> should be
-              <literal>2</literal> for the external network, and just
-            any unique number inside the tunnel range specified before
-            for any other network.</para>
-          <note>
-            <para>These options are not needed beyond the first
-              network, as Neutron automatically increments the
-              segmentation id and copy the network type option for any
-              additional networks.</para>
-          </note>
-          <para>Now, return to the general <acronym>OVS</acronym>
-            instructions.</para>
-        </section>
-        <section
-          xml:id="install-neutron.configure-networks.plug-in-specific.ovs.vlan">
-          <title>VLAN network options</title>
-          <para>When creating networks, use these options:</para>
-          <screen><userinput>--provider:network_type vlan --provider:physical_network physnet1 --provider:segmentation_id SEG_ID</userinput>         </screen>
-          <para><replaceable>SEG_ID</replaceable> should be
-              <literal>2</literal> for the external network, and just
-            any unique number inside the vlan range specified above
-            for any other network.</para>
-          <note>
-            <para>These options are not needed beyond the first
-              network, as Neutron automatically increments the
-              segmentation ID and copies the network type and physical
-              network options for any additional networks. They are
-              only needed if you wish to modify those values in any
-              way.</para>
-          </note>
-          <warning>
-            <para>Some NICs have Linux drivers that do not handle
-              VLANs properly. See the
-                <literal>ovs-vlan-bug-workaround</literal> and
-                <literal>ovs-vlan-test</literal> man pages for more
-              information. Additionally, you might try turning off
-                <literal>rx-vlan-offload</literal> and
-                <literal>tx-vlan-offload</literal> by using
-                <literal>ethtool</literal> on the
-                <replaceable>DATA_INTERFACE</replaceable>. Another
-              potential caveat to VLAN functionality is that VLAN tags
-              add an additional 4 bytes to the packet size. If your
-              NICs cannot handle large packets, make sure to set the
-              MTU to a value that is 4 bytes less than the normal
-              value on the
-              <replaceable>DATA_INTERFACE</replaceable>.</para>
-            <para>If you run OpenStack inside a virtualized
-              environment (for testing purposes), switching to the
-                <literal>virtio</literal> NIC type (or a similar
-              technology if you are not using KVM/QEMU to run your
-              host VMs) might solve the issue.</para>
-          </warning>
-        </section>
-      </section>
-    </section>
-  </section>
-</section>
diff --git a/doc/install-guide/section_neutron-network-node.xml b/doc/install-guide/section_neutron-network-node.xml
new file mode 100644
index 0000000000..80507e4436
--- /dev/null
+++ b/doc/install-guide/section_neutron-network-node.xml
@@ -0,0 +1,641 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<section xml:id="neutron-network-node"
+  xmlns="http://docbook.org/ns/docbook"
+  xmlns:xi="http://www.w3.org/2001/XInclude"
+  xmlns:xlink="http://www.w3.org/1999/xlink"
+  xmlns:svg="http://www.w3.org/2000/svg"
+  xmlns:html="http://www.w3.org/1999/xhtml" version="5.0">
+    <title>Configure network node</title>
+    <note>
+      <para>Before you start, set up a machine as a dedicated network
+        node. Dedicated network nodes have a
+          <replaceable>MGMT_INTERFACE</replaceable> NIC, a
+          <replaceable>DATA_INTERFACE</replaceable> NIC, and a
+          <replaceable>EXTERNAL_INTERFACE</replaceable> NIC.</para>
+      <para>The management network handles communication among nodes.
+        The data network handles communication coming to and from VMs.
+        The external NIC connects the network node, and optionally to
+        the controller node, so your VMs can connect to the outside
+        world.</para>
+      <para>All NICs must have static IPs. However, the data and
+        external NICs have a special set up. For details about
+        Networking plug-ins, see <xref
+          linkend="install-neutron.install-plug-in"/>.</para>
+    </note>
+    <warning os="rhel;centos">
+      <para>By default, the <literal>system-config-firewall</literal>
+        automated firewall configuration tool is in place on RHEL.
+        This graphical interface (and a curses-style interface with
+          <literal>-tui</literal> on the end of the name) enables you
+        to configure IP tables as a basic firewall. You should disable
+        it when you work with Networking unless you are familiar with
+        the underlying network technologies, as, by default, it blocks
+        various types of network traffic that are important to
+        Networking. To disable it, simply launch the program and clear
+        the <guilabel>Enabled</guilabel> check box.</para>
+      <para>After you successfully set up OpenStack Networking, you
+        can re-enable and configure the tool. However, during
+        Networking set up, disable the tool to make it easier to debug
+        network issues.</para>
+    </warning>
+    <procedure>
+      <step>
+        <para>Install the Networking packages and any dependencies.
+          </para>
+        <screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-dhcp-agent neutron-l3-agent</userinput></screen>
+        <screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-neutron</userinput></screen>
+        <screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron openstack-neutron-l3-agent \
+   openstack-neutron-dhcp-agent openstack-neutron-metadata-agent</userinput></screen>
+      </step>
+      <step os="debian">
+        <para>Respond to prompts for <link
+            linkend="debconf-dbconfig-common">database
+            management</link>, <link
+            linkend="debconf-keystone_authtoken"
+              ><literal>[keystone_authtoken]</literal>
+          settings</link>, <link linkend="debconf-rabbitqm">RabbitMQ
+            credentials</link> and <link
+            linkend="debconf-api-endpoints">API endpoint</link>
+          registration.</para>
+      </step>
+      <step os="rhel;centos;fedora;opensuse;sles">
+        <para>Configure basic Networking-related services to start at
+          boot time:</para>
+        <screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>for s in neutron-{dhcp,metadata,l3}-agent; do chkconfig $s on; done</userinput></screen>
+        <screen os="opensuse;sles"><prompt>#</prompt> <userinput>for s in openstack-neutron-{dhcp,metadata,l3}-agent; do chkconfig $s on; done</userinput></screen>
+      </step>
+      <step>
+        <para>Enable packet forwarding and disable packet destination
+          filtering so that the network node can coordinate traffic
+          for the VMs. Edit the <filename>/etc/sysctl.conf</filename>
+          file, as follows:</para>
+        <programlisting language="ini">net.ipv4.ip_forward=1
+net.ipv4.conf.all.rp_filter=0
+net.ipv4.conf.default.rp_filter=0</programlisting>
+        <para>Use the <command>sysctl</command> command to ensure the
+          changes made to the <filename>/etc/sysctl.conf</filename>
+          file take effect:</para>
+        <screen><prompt>#</prompt> <userinput>sysctl -p</userinput></screen>
+        <note>
+          <para>It is recommended that the networking service is
+            restarted after changing values related to the networking
+            configuration. This ensures that all modified values take
+            effect immediately:</para>
+          <screen os="ubuntu"><prompt>#</prompt> <userinput>service networking restart</userinput></screen>
+          <screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>service network restart</userinput></screen>
+        </note>
+      </step>
+      <step os="rhel;centos;fedora;opensuse;sles">
+          <para>Configure Networking to use <systemitem class="service">keystone</systemitem> for authentication:</para>
+          <substeps>
+              <step>
+                  <para>Set the <literal>auth_strategy</literal>
+                  configuration key to <literal>keystone</literal> in the
+                  <literal>DEFAULT</literal> section of the file:</para>
+                  <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone</userinput></screen>
+              </step>
+              <step>
+                  <para>Set the <systemitem class="service">neutron</systemitem> configuration for
+                      <systemitem class="service">keystone</systemitem> authentication:</para>
+                      <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+   auth_port 35357</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+   auth_protocol http</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+   admin_tenant_name service</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+   admin_user neutron</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+   admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
+              </step></substeps>
+      </step>
+      <step os="ubuntu">
+        <para>To configure <systemitem class="service">neutron</systemitem> to use <systemitem class="service">keystone</systemitem>
+            for authentication, edit the <filename>/etc/neutron/neutron.conf</filename>file.</para>
+        <substeps>
+          <step>
+            <para>Set the <literal>auth_strategy</literal>
+              configuration key to <literal>keystone</literal> in the
+                <literal>DEFAULT</literal> section of the file:</para>
+            <programlisting language="ini">auth_strategy = keystone</programlisting>
+          </step>
+          <step>
+            <para>Add these lines to the
+                <literal>keystone_authtoken</literal> section of the
+              file:</para>
+            <programlisting language="ini">auth_host = <replaceable>controller</replaceable>
+auth_port = 35357
+auth_protocol = http
+admin_tenant_name = service
+admin_user = neutron
+admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
+          </step>
+        </substeps>
+      </step>
+      <step os="rhel;centos;fedora">
+        <para>Set the <literal>root_helper</literal> configuration in the
+          <literal>[agent]</literal> section of <filename>/etc/neutron/neutron.conf</filename>:</para>
+          <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf AGENT \
+   root_helper sudo neutron-rootwrap /etc/neutron/rootwrap.conf</userinput></screen>
+      </step>
+      <step os="opensuse;sles">
+          <para>Configure access to the <application>RabbitMQ</application> service:</para>
+          <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   rpc_backend neutron.openstack.common.rpc.impl_kombu</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   rabbit_host controller</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   rabbit_userid guest</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   rabbit_password <replaceable>RABBIT_PASS</replaceable></userinput></screen>
+      </step>
+      <step os="ubuntu">
+        <para>Configure the <application>RabbitMQ</application> access. Edit the
+            <filename>/etc/neutron/neutron.conf</filename> file to
+          modify the following parameters in the
+            <literal>DEFAULT</literal> section.</para>
+        <programlisting language="ini">rabbit_host = controller
+rabbit_userid = guest
+rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
+      </step>
+      <step os="rhel;centos;fedora">
+        <para>Configure access to the <application>Qpid</application> message queue:</para>
+            <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   rpc_backend neutron.openstack.common.rpc.impl_qpid</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   qpid_hostname <replaceable>controller</replaceable></userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   qpid_port 5672</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   qpid_username <replaceable>guest</replaceable></userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+   qpid_password <replaceable>guest</replaceable></userinput></screen>
+      </step>
+      <step os="rhel;centos;fedora;opensuse;sles">
+          <para>Configure Networking to connect to the database:</para>
+          <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DATABASE sql_connection \
+   mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@controller/neutron</userinput></screen>
+      </step>
+      <step os="ubuntu">
+        <para>Configure Networking to connect to the database. Edit
+          the <literal>[database]</literal> section in the same file,
+          as follows:</para>
+        <programlisting language="ini">[database]
+connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>/neutron</programlisting>
+      </step>
+      <step os="rhel;centos;fedora;opensuse;sles">
+          <para>Configure the <filename>/etc/neutron/api-paste.ini</filename> file for <systemitem class="service">keystone</systemitem>
+          authentication:</para>
+              <screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
+   paste.filter_factory keystoneclient.middleware.auth_token:filter_factory</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
+   auth_host <replaceable>controller</replaceable></userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
+   auth_uri http://<replaceable>controller</replaceable>:5000</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
+   admin_tenant_name service</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
+   admin_user neutron</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
+   admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
+      </step>
+      <step os="ubuntu">
+        <para>Edit the <filename>/etc/neutron/api-paste.ini</filename>
+          file and add these lines to the
+            <literal>[filter:authtoken]</literal> section:</para>
+        <programlisting language="ini">[filter:authtoken]
+paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
+auth_host = <replaceable>controller</replaceable>
+auth_uri = http://<replaceable>controller</replaceable>:5000
+admin_tenant_name = service
+admin_user = neutron
+admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
+        <warning>
+          <para><literal>keystoneclient.middleware.auth_token</literal>:
+            You must configure <literal>auth_uri</literal> to point to
+            the public identity endpoint. Otherwise, clients might not
+            be able to authenticate against an admin endpoint.</para>
+        </warning>
+      </step>
+      <step os="debian">
+        <para>Configure your network plug-in. For instructions, see
+            <link linkend="install-neutron.install-plug-in"
+            >instructions</link>. Then, return here.</para>
+      </step>
+      <step os="rhel;centos;fedora;opensuse;sles;ubuntu">
+        <para>Install and configure a networking plug-in. OpenStack
+          Networking uses this plug-in to perform software-defined
+          networking. See <xref linkend="install-neutron.install-plug-in"/>
+          for further details. Then, return here when finished.</para>
+      </step>
+    </procedure>
+    <para>Now that you've installed and configured a plug-in, it is time to configure
+        the remaining parts of OpenStack Networking.</para>
+    <procedure>
+      <step>
+        <para>To perform DHCP on the software-defined networks,
+          Networking supports several different plug-ins. However, in
+          general, you use the <application>dnsmasq</application> plug-in.</para>
+        <para>Configure the
+            <filename>/etc/neutron/dhcp_agent.ini</filename>
+          file:</para>
+        <programlisting language="ini" os="ubuntu;debian">dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq</programlisting>
+        <screen os="rhel;centos;fedora;opensuse;sles">
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT \
+   dhcp_driver neutron.agent.linux.dhcp.Dnsmasq</userinput></screen>
+      </step>
+      <step>
+        <para>To allow virtual machines to access the Compute metadata
+          information, the Networking metadata agent must be enabled
+          and configured. The agent will act as a proxy for the
+          Compute metadata service.</para>
+        <para>On the controller, edit the
+            <filename>/etc/nova/nova.conf</filename> file to define a
+          secret key that will be shared between the Compute Service
+          and the Networking metadata agent.</para>
+        <para os="debian;ubuntu">Add to the
+            <literal>[DEFAULT]</literal> section:</para>
+        <programlisting os="ubuntu;debian" language="ini">[DEFAULT]
+neutron_metadata_proxy_shared_secret = <replaceable>METADATA_PASS</replaceable>
+service_neutron_metadata_proxy = true</programlisting>
+        <para os="opensuse;sles;rhel;centos;fedora">Set the
+            <literal>neutron_metadata_proxy_shared_secret</literal>
+          key:</para>
+        <screen os="opensuse;sles;rhel;centos;fedora"><prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+    neutron_metadata_proxy_shared_secret <replaceable>METADATA_PASS</replaceable></userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
+    service_neutron_metadata_proxy true</userinput></screen>
+        <para>Restart the <systemitem class="service"
+            >nova-api</systemitem> service:</para>
+        <screen os="debian;ubuntu"><prompt>#</prompt> <userinput>service nova-api restart</userinput></screen>
+        <screen os="centos;rhel;fedora;opensuse;sles"><prompt>#</prompt> <userinput>service openstack-nova-api restart</userinput></screen>
+        <para>On the network node, modify the metadata agent
+          configuration.</para>
+        <para os="debian;ubuntu">Edit the
+            <filename>/etc/neutron/metadata_agent.ini</filename> file
+          and modify the <literal>[DEFAULT]</literal> section:</para>
+        <programlisting os="debian;ubuntu" language="ini">[DEFAULT]
+auth_url = http://controller:5000/v2.0
+auth_region = regionOne
+admin_tenant_name = service
+admin_user = neutron
+admin_password = <replaceable>NEUTRON_PASS</replaceable>
+nova_metadata_ip = controller
+metadata_proxy_shared_secret = <replaceable>METADATA_PASS</replaceable></programlisting>
+        <para os="opensuse;sles;rhel;centos;fedora">Set the required
+          keys:</para>
+        <screen os="opensuse;sles;rhel;centos;fedora"><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
+    auth_url http://controller:5000/v2.0</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
+    auth_region regionOne</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
+    admin_tenant_name service</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
+    admin_user neutron</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
+    admin_password <replaceable>NEUTRON_PASS</replaceable></userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
+    nova_metadata_ip controller</userinput>
+<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
+    metadata_proxy_shared_secret <replaceable>METADATA_PASS</replaceable></userinput></screen>
+        <note>
+          <para>The value of <literal>auth_region</literal> is
+            case-sensitive and must match the endpoint region defined
+            in Keystone.</para>
+        </note>
+        <note>
+          <para>If you serve the OpenStack Networking API over HTTPS with
+            self-signed certificates, you must perform additional configuration
+            for the metadata agent because Networking cannot validate the SSL
+            certificates from the service catalog.</para>
+          <para os="debian;ubuntu">Add this statement to the <literal>[DEFAULT]</literal> section:</para>
+          <programlisting os="debian;ubuntu" language="ini">
+neutron_insecure = True
+          </programlisting>
+          <para os="opensuse;sles;rhel;centos;fedora">Set the required keys:</para>
+          <screen os="opensuse;sles;rhel;centos;fedora"><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT neutron_insecure True</userinput></screen>
+        </note>
+      </step>
+      <step os="rhel;centos;fedora">
+        <para>The <systemitem class="service">neutron-server</systemitem>
+          initialization script expects a symbolic link
+          <filename>/etc/neutron/plugin.ini</filename> pointing to the
+          configuration file associated with your chosen plug-in. Using
+          Open vSwitch, for example, the symbolic link must point to
+          <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>.
+          If this symbolic link does not exist, create it using the
+          following commands:</para>
+        <screen><prompt>#</prompt> <userinput>cd /etc/neutron</userinput>
+<prompt>#</prompt> <userinput>ln -s plugins/openvswitch/ovs_neutron_plugin.ini plugin.ini</userinput></screen>
+      </step>
+      <step os="sles;opensuse">
+        <para>The <systemitem class="service">openstack-neutron</systemitem>
+          initialization script expects the variable
+          <literal>NEUTRON_PLUGIN_CONF</literal> in file
+          <filename>/etc/sysconfig/neutron</filename> to reference the
+          configuration file associated with your chosen plug-in. Using
+          Open vSwitch, for example, edit the
+          <filename>/etc/sysconfig/neutron</filename> file and add the
+          following:</para>
+        <programlisting>NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini"</programlisting>
+      </step>
+      <step>
+        <para>Restart Networking services.</para>
+        <screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service neutron-dhcp-agent restart</userinput>
+<prompt>#</prompt> <userinput>service neutron-l3-agent restart</userinput>
+<prompt>#</prompt> <userinput>service neutron-metadata-agent restart</userinput></screen>
+        <screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service neutron-dhcp-agent restart</userinput>
+<prompt>#</prompt> <userinput>service neutron-l3-agent restart</userinput>
+<prompt>#</prompt> <userinput>service neutron-metadata-agent restart</userinput></screen>
+        <screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-neutron-dhcp-agent restart</userinput>
+<prompt>#</prompt> <userinput>service openstack-neutron-l3-agent restart</userinput>
+<prompt>#</prompt> <userinput>service openstack-neutron-metadata-agent restart</userinput></screen>
+        <para>Also restart your chosen Networking plug-in agent, for example, Open vSwitch.</para>
+        <screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service neutron-plugin-openvswitch-agent restart</userinput></screen>
+        <screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service neutron-openvswitch-agent restart</userinput></screen>
+        <screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-neutron-openvswitch-agent restart</userinput></screen>
+      </step>
+<!-- FIXME
+      <step>
+        <para>After you configure the <link
+            linkend="install-neutron.dedicated-compute-node"
+            >compute</link> and <link
+            linkend="install-neutron.dedicated-controller-node"
+            >controller</link> nodes, <link
+            linkend="install-neutron.configure-networks">configure the
+            base networks</link>.</para>
+      </step>
+-->
+    </procedure>
+    <section xml:id="install-neutron.install-plug-in">
+      <title>Install and configure the Networking plug-ins</title>
+      <section xml:id="install-neutron.install-plug-in.ovs">
+        <title>Install the Open vSwitch (OVS) plug-in</title>
+        <procedure>
+          <step>
+            <para>Install the Open vSwitch plug-in and its
+              dependencies:</para>
+            <screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch-agent</userinput></screen>
+            <screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron-openvswitch</userinput></screen>
+            <screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
+            <note os="ubuntu">
+              <para>On Ubuntu 12.04 LTS with GRE you must install
+                openvswitch-datapath-dkms and restart the service to
+                enable the GRE flow so that OVS 1.10 and higher is
+                used. Make sure you are running the OVS 1.10 kernel
+                module in addition to the OVS 1.10 user space. Both
+                the kernel module and user space are required for
+                VXLAN support. The error you see in the
+                  <filename>/var/log/openvswitchovs-vswitchd.log</filename>
+                log file is "Stderr: 'ovs-ofctl: -1: negative values
+                not supported for in_port\n'". If you see this error,
+                make sure <command>modinfo openvswitch</command> shows
+                the right version. Also check the output from
+                  <command>dmesg</command> for the version of the OVS
+                module being loaded.</para>
+            </note>
+          </step>
+          <step>
+            <para>Start Open vSwitch:</para>
+            <screen os="debian;rhel;fedora;centos"><prompt>#</prompt> <userinput>service openvswitch start</userinput></screen>
+            <screen os="opensuse;sles"><prompt>#</prompt> <userinput>service openvswitch-switch start</userinput></screen>
+            <screen os="ubuntu"><prompt>#</prompt> <userinput>service openvswitch-switch restart</userinput></screen>
+            <para os="rhel;fedora;centos;opensuse;sles">And configure
+              it to start when the system boots:</para>
+            <screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>chkconfig openvswitch on</userinput></screen>
+            <screen os="opensuse;sles"><prompt>#</prompt> <userinput>chkconfig openvswitch-switch on</userinput></screen>
+          </step>
+          <step>
+            <para>No matter which networking technology you use, you
+              must add the <literal>br-int</literal> integration
+              bridge, which connects to the VMs, and the
+                <literal>br-ex</literal> external bridge, which
+              connects to the outside world.</para>
+            <screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-int</userinput>
+<prompt>#</prompt> <userinput>ovs-vsctl add-br br-ex</userinput></screen>
+          </step>
+          <step>
+            <para>Add a <glossterm>port</glossterm> (connection) from
+              the <replaceable>EXTERNAL_INTERFACE</replaceable>
+              interface to <literal>br-ex</literal> interface:</para>
+            <screen><prompt>#</prompt> <userinput>ovs-vsctl add-port br-ex <replaceable>EXTERNAL_INTERFACE</replaceable></userinput></screen>
+                    <warning>
+                    <para>The host must have an IP address associated
+                      with an interface other than <replaceable>EXTERNAL_INTERFACE</replaceable>,
+                      and your remote terminal session must be associated with this other
+                      IP address.</para>
+                      <para>If you associate an IP address with <replaceable>EXTERNAL_INTERFACE</replaceable>,
+                    that IP address stops working after you issue the <command>ovs-vsctl add-port br-ex <replaceable>EXTERNAL_INTERFACE</replaceable></command> command.
+                    If you associate a remote terminal session with that
+                    IP address, you lose connectivity with the host.</para>
+                    <para>For more details about this behavior, see the
+                      <emphasis>Configuration Problems</emphasis> section of the
+                      <link xlink:href="http://git.openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=blob_plain;f=FAQ;hb=HEAD">Open vSwitch FAQ</link>.
+                    </para>
+                    </warning>
+          </step>
+          <step>
+            <para>Configure the
+                <replaceable>EXTERNAL_INTERFACE</replaceable> without
+              an IP address and in promiscuous mode. Additionally, you
+              must set the newly created <literal>br-ex</literal>
+              interface to have the IP address that formerly belonged
+              to <replaceable>EXTERNAL_INTERFACE</replaceable>.</para>
+            <warning os="ubuntu">
+              <para>Generic Receive Offload (GRO) should not be
+                enabled on this interface as it can cause severe
+                performance problems. It can be disabled with the
+                ethtool utility.</para>
+            </warning>
+            <para os="rhel;fedora;centos">Edit the
+                <filename>/etc/sysconfig/network-scripts/ifcfg-EXTERNAL_INTERFACE</filename>
+              file:</para>
+            <programlisting language="ini" os="rhel;fedora;centos">DEVICE_INFO_HERE
+ONBOOT=yes
+BOOTPROTO=none
+PROMISC=yes</programlisting>
+          </step>
+          <step os="rhel;fedora;centos">
+            <para>Create and edit the
+                <filename>/etc/sysconfig/network-scripts/ifcfg-br-ex</filename>
+              file:</para>
+            <programlisting language="ini">DEVICE=br-ex
+TYPE=Bridge
+ONBOOT=no
+BOOTPROTO=none
+IPADDR=EXTERNAL_INTERFACE_IP
+NETMASK=EXTERNAL_INTERFACE_NETMASK
+GATEWAY=EXTERNAL_INTERFACE_GATEWAY</programlisting>
+          </step>
+          <!-- TODO(sross): support other distros -->
+          <step>
+            <para>You must set some common configuration options no
+              matter which networking technology you choose to use
+              with Open vSwitch. Configure the L3 and DHCP agents to
+              use <acronym>OVS</acronym> and namespaces. Edit the
+                <filename>/etc/neutron/l3_agent.ini</filename> and
+                <filename>/etc/neutron/dhcp_agent.ini</filename>
+              files, respectively:</para>
+            <programlisting language="ini">interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
+use_namespaces = True</programlisting>
+            <para os="rhel;centos">You must enable veth support if you
+              use certain kernels. Some kernels, such as recent
+              versions of RHEL (not RHOS) and CentOS, only partially
+              support namespaces. Edit the previous files, as
+              follows:</para>
+            <programlisting language="ini" os="rhel;centos">ovs_use_veth = True</programlisting>
+          </step>
+          <step os="rhel;centos;fedora;opensuse;sles;ubuntu">
+            <para>Similarly, you must also tell Neutron core to use
+                <acronym>OVS</acronym>. Edit the
+                <filename>/etc/neutron/neutron.conf</filename>
+              file:</para>
+            <programlisting language="ini">core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2</programlisting>
+          </step>
+          <step>
+            <para>Choose a networking technology to create the virtual
+              networks. Neutron supports GRE tunneling, VLANs, and
+              VXLANs. This guide shows how to configure GRE tunneling
+              and VLANs.</para>
+            <para>
+              <link linkend="install-neutron.install-plug-in.ovs.gre"
+                >GRE tunneling</link> is simpler to set up because it
+              does not require any special configuration from any
+              physical network hardware. However, its protocol makes
+              it difficult to filter traffic on the physical network.
+              Additionally, this configuration does not use
+              namespaces. You can have only one router for each
+              network node. However, you can enable namespacing, and
+              potentially veth, as described in the section detailing
+              how to use VLANs with <acronym>OVS</acronym>).</para>
+            <para>On the other hand, <link
+                linkend="install-neutron.install-plug-in.ovs.vlan"
+                >VLAN tagging</link> modifies the ethernet header of
+              packets. You can filter packets on the physical network
+              through normal methods. However, not all NICs handle the
+              increased packet size of VLAN-tagged packets well, and
+              you might need to complete additional configuration on
+              physical network hardware to ensure that your Neutron
+              VLANs do not interfere with any other VLANs on your
+              network and that any physical network hardware between
+              nodes does not strip VLAN tags.</para>
+            <note>
+              <para>While the examples in this guide enable network
+                namespaces by default, you can disable them if issues
+                occur or your kernel does not support them. Edit the
+                  <filename>/etc/neutron/l3_agent.ini</filename> and
+                  <filename>/etc/neutron/dhcp_agent.ini</filename>
+                files, respectively:</para>
+              <programlisting language="ini">use_namespaces = False</programlisting>
+              <para>Edit the
+                  <filename>/etc/neutron/neutron.conf</filename> file
+                to disable overlapping IP addresses:</para>
+              <programlisting language="ini">allow_overlapping_ips = False</programlisting>
+              <para>Note that when network namespaces are disabled,
+                you can have only one router for each network node and
+                overlapping IP addresses are not supported.</para>
+              <para>You must complete additional steps after you
+                create the initial Neutron virtual networks and
+                router.</para>
+            </note>
+          </step>
+          <!-- TODO(sross): support provider networks?  you need to modify things above for this to work -->
+          <step>
+            <para>Configure a firewall plug-in. If you do not wish to
+              enforce firewall rules, called <glossterm
+              baseform="security group">security groups</glossterm>
+              by OpenStack, you can use
+                <literal>neutron.agent.firewall.NoopFirewall</literal>.
+              Otherwise, you can choose one of the Networking firewall
+              plug-ins. The most common choice is the Hybrid
+              OVS-IPTables driver, but you can also use the
+              Firewall-as-a-Service driver. Edit the
+                <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
+              file:</para>
+            <programlisting language="ini">[securitygroup]
+# Firewall driver for realizing neutron security group function.
+firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
+            <warning>
+              <para>You must use at least the No-Op firewall.
+                Otherwise, Horizon and other OpenStack services cannot
+                get and set required VM boot options.</para>
+            </warning>
+          </step>
+          <!-- TODO(sross): document other firewall options -->
+          <step os="rhel;centos;fedora;sles;opensuse">
+            <para>Configure the <acronym>OVS</acronym> plug-in to start
+              on boot.</para>
+            <screen os="fedora;centos;rhel"><prompt>#</prompt> <userinput>chkconfig neutron-openvswitch-agent on</userinput></screen>
+            <screen os="sles;opensuse"><prompt>#</prompt> <userinput>chkconfig openstack-neutron-openvswitch-agent on</userinput></screen>
+          </step>
+          <step>
+            <para>Now, return to the general <acronym>OVS</acronym>
+              instructions.</para>
+          </step>
+        </procedure>
+        <section xml:id="install-neutron.install-plug-in.ovs.gre">
+          <title>Configure the Neutron <acronym>OVS</acronym> plug-in
+            for GRE tunneling</title>
+          <procedure>
+            <step>
+              <para>Configure the <acronym>OVS</acronym> plug-in to
+                use GRE tunneling, the <literal>br-int</literal>
+                integration bridge, the <literal>br-tun</literal>
+                tunneling bridge, and a local IP for the
+                  <replaceable>DATA_INTERFACE</replaceable> tunnel IP.
+                Edit the
+                  <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
+                file:</para>
+              <programlisting language="ini">[ovs]
+tenant_network_type = gre
+tunnel_id_ranges = 1:1000
+enable_tunneling = True
+integration_bridge = br-int
+tunnel_bridge = br-tun
+local_ip = DATA_INTERFACE_IP</programlisting>
+            </step>
+            <step>
+              <para>Return to the general <acronym>OVS</acronym>
+                instructions.</para>
+            </step>
+          </procedure>
+        </section>
+        <section xml:id="install-neutron.install-plug-in.ovs.vlan">
+          <title>Configure the Neutron <acronym>OVS</acronym> plug-in
+            for VLANs</title>
+          <procedure>
+            <step>
+              <para>Configure <acronym>OVS</acronym> to use VLANS.
+                Edit the
+                  <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
+                file:</para>
+              <programlisting language="ini">[ovs]
+tenant_network_type = vlan
+network_vlan_ranges = physnet1:1:4094
+bridge_mappings = physnet1:br-DATA_INTERFACE</programlisting>
+            </step>
+            <step>
+              <para>Create the bridge for
+                  <replaceable>DATA_INTERFACE</replaceable> and add
+                  <replaceable>DATA_INTERFACE</replaceable> to
+                it:</para>
+              <screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-DATA_INTERFACE</userinput>
+<prompt>#</prompt> <userinput>ovs-vsctl add-port br-DATA_INTERFACE DATA_INTERFACE</userinput></screen>
+            </step>
+            <step>
+              <para>Transfer the IP address for
+                  <replaceable>DATA_INTERFACE</replaceable> to the
+                bridge in the same way that you transferred the
+                  <replaceable>EXTERNAL_INTERFACE</replaceable> IP
+                address to <literal>br-ex</literal>. However, do not
+                turn on promiscuous mode.</para>
+            </step>
+            <step>
+              <para>Return to the <acronym>OVS</acronym> general
+                instruction.</para>
+            </step>
+          </procedure>
+        </section>
+      </section>
+    </section>
+  </section>
diff --git a/doc/install-guide/section_neutron-single-flat.xml b/doc/install-guide/section_neutron-single-flat.xml
index c55278b84a..54bb28adda 100644
--- a/doc/install-guide/section_neutron-single-flat.xml
+++ b/doc/install-guide/section_neutron-single-flat.xml
@@ -160,7 +160,7 @@
                                    <code>keystone_authtoken</code>,
                                 and the RabbitMQ credentials.</para>
                             <para>
-                                See <xref linkend="install-neutron.dedicated-controller-node"/>
+                                See <xref linkend="neutron-controller-node"/>
                                 for installation instructions.</para>
                         </listitem>
                         <listitem
@@ -169,7 +169,7 @@
                                    role="bold"
                                 >ovs_neutron</emphasis>.</para>
                             <para>
-                                See <xref linkend="neutron-install-network-node"/>
+                                See <xref linkend="neutron-network-node"/>
                                 for database creation details.
                             </para>
                         </listitem>
@@ -411,7 +411,7 @@ bridge_mappings = physnet1:br-eth0</programlisting>
                         <listitem>
                             <para>Install the DHCP agent.</para>
                             <para>
-                                See <xref linkend="neutron-install.dedicated-network-node"/>
+                                See <xref linkend="neutron-network-node"/>
                                 for <emphasis role="bold">generic</emphasis> installation instructions.</para>
                         </listitem>
                         <listitem os="ubuntu;debian">