openstack-manuals/doc/admin-guide-cloud/section_networking_adv_features.xml
Andreas Jaeger dfc02eb284 Fix typo in Admin Guide
Change-Id: Idae4aa007148d3f5c0fcad7da8555e7a23802a9d
Closes-Bug: #1245265
2013-10-27 21:33:07 +01:00

1830 lines
91 KiB
XML
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="section_networking-adv-features">
<title>Advanced features through API extensions</title>
<para>Several plug-ins implement API extensions that provide
capabilities similar to what was available in nova-network:
These plug-ins are likely to be of interest to the OpenStack
community.</para>
<section xml:id="section_provider_networks">
<title>Provider networks</title>
<para>Provider networks enable cloud administrators to create
Networking networks that map directly to the physical
networks in the data center. This is commonly used to give
tenants direct access to a public network that can be used
to reach the Internet. It might also be used to integrate
with VLANs in the network that already have a defined
meaning (for example, allow a VM from the "marketing"
department to be placed on the same VLAN as bare-metal
marketing hosts in the same data center).</para>
<para>The provider extension allows administrators to
explicitly manage the relationship between Networking
virtual networks and underlying physical mechanisms such
as VLANs and tunnels. When this extension is supported,
Networking client users with administrative privileges see
additional provider attributes on all virtual networks,
and are able to specify these attributes in order to
create provider networks.</para>
<para>The provider extension is supported by the Open vSwitch
and Linux Bridge plug-ins. Configuration of these plug-ins
requires familiarity with this extension.</para>
<section xml:id="provider_terminology">
<title>Terminology</title>
<para>A number of terms are used in the provider extension
and in the configuration of plug-ins supporting the
provider extension:</para>
<para>
<table rules="all">
<caption>Provider extension terminology</caption>
<col width="20%"/>
<col width="80%"/>
<thead>
<tr>
<th>Term</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><emphasis role="bold">virtual network</emphasis></td>
<td>An Networking L2
network (identified by a UUID and optional
name) whose ports can be attached as vNICs to
Compute instances and to various Networking
agents. The Open vSwitch and Linux Bridge
plug-ins each support several different
mechanisms to realize virtual networks.</td>
</tr>
<tr>
<td><emphasis role="bold">physical network</emphasis></td>
<td>A network connecting
virtualization hosts (such as, Compute nodes)
with each other and with other network
resources. Each physical network might support
multiple virtual networks. The provider
extension and the plug-in configurations
identify physical networks using simple string
names.</td>
</tr>
<tr>
<td><emphasis role="bold">tenant network</emphasis></td>
<td>A virtual network that
a tenant or an administrator creates. The
physical details of the network are not
exposed to the tenant.</td>
</tr>
<tr>
<td><emphasis role="bold">provider network</emphasis></td>
<td>A virtual network
administratively created to map to a specific
network in the data center, typically to
enable direct access to non-OpenStack
resources on that network. Tenants can be
given access to provider networks.</td>
</tr>
<tr>
<td><emphasis role="bold">VLAN network</emphasis></td>
<td>A virtual network
implemented as packets on a specific physical
network containing IEEE 802.1Q headers with a
specific VID field value. VLAN networks
sharing the same physical network are isolated
from each other at L2, and can even have
overlapping IP address spaces. Each distinct
physical network supporting VLAN networks is
treated as a separate VLAN trunk, with a
distinct space of VID values. Valid VID values
are 1 through 4094.</td>
</tr>
<tr>
<td><emphasis role="bold">flat network</emphasis></td>
<td>A virtual network
implemented as packets on a specific physical
network containing no IEEE 802.1Q header. Each
physical network can realize at most one flat
network.</td>
</tr>
<tr>
<td><emphasis role="bold">local network</emphasis></td>
<td>A virtual network that
allows communication within each host, but not
across a network. Local networks are intended
mainly for single-node test scenarios, but can
have other uses.</td>
</tr>
<tr>
<td><emphasis role="bold">GRE network</emphasis></td>
<td>A virtual network
implemented as network packets encapsulated
using GRE. GRE networks are also referred to
as <emphasis role="italic">tunnels</emphasis>.
GRE tunnel packets are routed by the IP
routing table for the host, so GRE networks
are not associated by Networking with specific
physical networks.</td>
</tr>
<tr>
<td><emphasis role="bold">Virtual Extensible LAN (VXLAN) network</emphasis></td>
<td>VXLAN is a proposed
encapsulation protocol for running an overlay
network on existing Layer 3 infrastructure. An
overlay network is a virtual network that is
built on top of existing network Layer 2 and
Layer 3 technologies to support elastic compute
architectures.</td>
</tr>
</tbody>
</table>
</para>
<para>The ML2, Open vSwitch and Linux Bridge plug-ins support
VLAN networks, flat networks, and local networks. Only
the ML2 and Open vSwitch plug-ins currently support GRE
and VXLAN networks, provided that the required features
exist in the hosts Linux kernel, Open vSwitch and iproute2
packages.</para>
</section>
<section xml:id="provider_attributes">
<title>Provider attributes</title>
<para>The provider extension extends the Networking
network resource with the following attributes:</para>
<table rules="all">
<caption>Provider Network Attributes</caption>
<col width="25%"/>
<col width="10%"/>
<col width="25%"/>
<col width="40%"/>
<thead>
<tr>
<th>Attribute name</th>
<th>Type</th>
<th>Default Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>provider:network_type</td>
<td>String</td>
<td>N/A</td>
<td>The physical mechanism by which the
virtual network is implemented. Possible
values are <literal>flat</literal>,
<literal>vlan</literal>,
<literal>local</literal>, and
<literal>gre</literal>, corresponding
to flat networks, VLAN networks, local
networks, and GRE networks as defined
above. All types of provider networks can
be created by administrators, while tenant
networks can be implemented as
<literal>vlan</literal>,
<literal>gre</literal>, or
<literal>local</literal> network types
depending on plug-in configuration.</td>
</tr>
<tr>
<td>provider:physical_network</td>
<td>String</td>
<td>If a physical network named "default" has
been configured, and if
provider:network_type is
<literal>flat</literal> or
<literal>vlan</literal>, then
"default" is used.</td>
<td>The name of the physical network over
which the virtual network is implemented
for flat and VLAN networks. Not applicable
to the <literal>local</literal> or
<literal>gre</literal> network
types.</td>
</tr>
<tr>
<td>provider:segmentation_id</td>
<td>Integer</td>
<td>N/A</td>
<td>For VLAN networks, the VLAN VID on the
physical network that realizes the virtual
network. Valid VLAN VIDs are 1 through
4094. For GRE networks, the tunnel ID.
Valid tunnel IDs are any 32 bit unsigned
integer. Not applicable to the
<literal>flat</literal> or
<literal>local</literal> network
types.</td>
</tr>
</tbody>
</table>
<para>To view or set provider extended attributes, a
client must be authorized for the
<code>extension:provider_network:view</code> and
<code>extension:provider_network:set</code>
actions in the Networking policy configuration. The
default Networking configuration authorizes both
actions for users with the admin role. An authorized
client or an administrative user can view and set the
provider extended attributes through Networking API
calls. See <xref linkend="section_auth"/> for details
on policy configuration.</para>
</section>
<section xml:id="provider_api_workflow">
<title>Provider Extension API operations</title>
<para>To use the provider extension with the default
policy settings, you must have the administrative
role.</para>
<para>The following table shows example neutron commands
that enable you to complete basic provider extension
API operations:</para>
<table rules="all">
<caption>Basic provider extension API
operations</caption>
<col width="40%"/>
<col width="60%"/>
<thead>
<tr>
<th>Operation</th>
<th>Command</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<para>Shows all attributes of a network,
including provider
attributes.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron net-show &lt;name or net-id&gt;</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Creates a local provider
network.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron net-create &lt;name&gt; --tenant_id &lt;tenant-id&gt; --provider:network_type local</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Creates a flat provider network.
When you create flat networks,
&lt;phys-net-name&gt; must be known to
the plug-in. See the <citetitle
xmlns:svg="http://www.w3.org/2000/svg"
xmlns:html="http://www.w3.org/1999/xhtml"
>OpenStack Configuration
Reference</citetitle> for
details.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron net-create &lt;name&gt; --tenant_id &lt;tenant-id&gt; --provider:network_type flat --provider:physical_network &lt;phys-net-name&gt;</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Creates a VLAN provider network.
When you create VLAN networks,
&lt;phys-net-name&gt; must be known to
the plug-in. See the <citetitle
xmlns:svg="http://www.w3.org/2000/svg"
xmlns:html="http://www.w3.org/1999/xhtml"
>OpenStack Configuration
Reference</citetitle> for details
on configuring network_vlan_ranges to
identify all physical networks. When
you create VLAN networks, &lt;VID&gt;
can fall either within or outside any
configured ranges of VLAN IDs from
which tenant networks are
allocated.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron net-create &lt;name&gt; --tenant_id &lt;tenant-id&gt; --provider:network_type vlan --provider:physical_network &lt;phys-net-name&gt; --provider:segmentation_id &lt;VID&gt;</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Creates a GRE provider network. When
you create GRE networks,
&lt;tunnel-id&gt; can be either inside
or outside any tunnel ID ranges from
which tenant networks are
allocated.</para>
<para>After you create provider networks,
you can allocate subnets, which you
can use in the same way as other
virtual networks, subject to
authorization policy based on the
specified
&lt;tenant_id&gt;.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron net-create &lt;name&gt; --tenant_id &lt;tenant-id&gt; --provider:network_type gre --provider:segmentation_id &lt;tunnel-id&gt;</userinput></screen>
</td>
</tr>
</tbody>
</table>
</section>
</section>
<section xml:id="section_l3_router_and_nat">
<title>L3 Routing and NAT</title>
<para>The Networking API provides abstract L2 network segments
that are decoupled from the technology used to implement
the L2 network. Networking includes an API extension that
provides abstract L3 routers that API users can
dynamically provision and configure. These Networking
routers can connect multiple L2 Networking networks, and
can also provide a gateway that connects one or more
private L2 networks to a shared external network. For
example, a public network for access to the Internet. See
the <citetitle xmlns:svg="http://www.w3.org/2000/svg"
xmlns:html="http://www.w3.org/1999/xhtml">OpenStack
Configuration Reference</citetitle> for details on
common models of deploying Networking L3 routers.</para>
<para>The L3 router provides basic NAT capabilities on gateway
ports that uplink the router to external networks. This
router SNATs all traffic by default, and supports floating
IPs, which creates a static one-to-one mapping from a
public IP on the external network to a private IP on one
of the other subnets attached to the router. This allows a
tenant to selectively expose VMs on private networks to
other hosts on the external network (and often to all
hosts on the Internet). You can allocate and map floating
IPs from one port to another, as needed.</para>
<?hard-pagebreak?>
<section xml:id="l3_api_abstractions">
<title>L3 API abstractions</title>
<table rules="all">
<caption>Router</caption>
<col width="20%"/>
<col width="20%"/>
<col width="20%"/>
<col width="40%"/>
<thead>
<tr>
<th>Attribute name</th>
<th>Type</th>
<th>Default Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>id</td>
<td>uuid-str</td>
<td>generated</td>
<td>UUID for the router.</td>
</tr>
<tr>
<td>name</td>
<td>String</td>
<td>None</td>
<td>Human-readable name for the router. Might
not be unique.</td>
</tr>
<tr>
<td>admin_state_up</td>
<td>Bool</td>
<td>True</td>
<td>The administrative state of router. If
false (down), the router does not forward
packets.</td>
</tr>
<tr>
<td>status</td>
<td>String</td>
<td>N/A</td>
<td><para>Indicates whether router is
currently operational.</para></td>
</tr>
<tr>
<td>tenant_id</td>
<td>uuid-str</td>
<td>N/A</td>
<td>Owner of the router. Only admin users can
specify a tenant_id other than its
own.</td>
</tr>
<tr>
<td>external_gateway_info</td>
<td>dict contain 'network_id' key-value
pair</td>
<td>Null</td>
<td>External network that this router connects
to for gateway services (for example,
NAT)</td>
</tr>
</tbody>
</table>
<table rules="all">
<caption>Floating IP</caption>
<col width="20%"/>
<col width="20%"/>
<col width="20%"/>
<col width="40%"/>
<thead>
<tr>
<th>Attribute name</th>
<th>Type</th>
<th>Default Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>id</td>
<td>uuid-str</td>
<td>generated</td>
<td>UUID for the floating IP.</td>
</tr>
<tr>
<td>floating_ip_address</td>
<td>string (IP address)</td>
<td>allocated by Networking</td>
<td>The external network IP address available
to be mapped to an internal IP
address.</td>
</tr>
<tr>
<td>floating_network_id</td>
<td>uuid-str</td>
<td>N/A</td>
<td><para>The network indicating the set of
subnets from which the floating IP
should be allocated</para></td>
</tr>
<tr>
<td>router_id</td>
<td>uuid-str</td>
<td>N/A</td>
<td>Read-only value indicating the router that
connects the external network to the
associated internal port, if a port is
associated.</td>
</tr>
<tr>
<td>port_id</td>
<td>uuid-str</td>
<td>Null</td>
<td>Indicates the internal Networking port
associated with the external floating
IP.</td>
</tr>
<tr>
<td>fixed_ip_address</td>
<td>string (IP address)</td>
<td>Null</td>
<td>Indicates the IP address on the internal
port that is mapped to by the floating IP
(since an Networking port might have more
than one IP address).</td>
</tr>
<tr>
<td>tenant_id</td>
<td>uuid-str</td>
<td>N/A</td>
<td>Owner of the Floating IP. Only admin users
can specify a tenant_id other than its
own.</td>
</tr>
</tbody>
</table>
</section>
<?hard-pagebreak?>
<section xml:id="l3_workflow">
<title>Basic L3 operations</title>
<para>External networks are visible to all users. However,
the default policy settings enable only administrative
users to create, update, and delete external
networks.</para>
<para>The following table shows example neutron commands
that enable you to complete basic L3
operations:</para>
<table rules="all">
<caption>Basic L3 operations</caption>
<col width="40%"/>
<col width="60%"/>
<thead>
<tr>
<th>Operation</th>
<th>Command</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<para>Creates external
networks.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron net-create public --router:external=True</userinput>
<prompt>$</prompt> <userinput>neutron subnet-create public 172.16.1.0/24</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Lists external networks.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron net-list -- --router:external=True</userinput></screen>
</td>
</tr>
<tr>
<td><para>Creates an internal-only router that
connects to multiple L2 networks
privately.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron net-create net1</userinput>
<prompt>$</prompt> <userinput>neutron subnet-create net1 10.0.0.0/24</userinput>
<prompt>$</prompt> <userinput>neutron net-create net2</userinput>
<prompt>$</prompt> <userinput>neutron subnet-create net2 10.0.1.0/24</userinput>
<prompt>$</prompt> <userinput>neutron router-create router1</userinput>
<prompt>$</prompt> <userinput>neutron router-interface-add router1 &lt;subnet1-uuid&gt;</userinput>
<prompt>$</prompt> <userinput>neutron router-interface-add router1 &lt;subnet2-uuid&gt;</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Connects a router to an external
network, which enables that router to
act as a NAT gateway for external
connectivity.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron router-gateway-set router1 &lt;ext-net-id&gt;</userinput></screen>
<para>The router obtains an interface with
the gateway_ip address of the subnet,
and this interface is attached to a
port on the L2 Networking network
associated with the subnet. The router
also gets a gateway interface to the
specified external network. This
provides SNAT connectivity to the
external network as well as support
for floating IPs allocated on that
external networks. Commonly an
external network maps to a network in
the provider</para>
</td>
</tr>
<tr>
<td>
<para>Lists routers.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron router-list</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Shows information for a specified
router.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron router-show &lt;router_id&gt;</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Shows all internal interfaces for a
router.</para>
</td>
</tr>
<tr>
<td>
<para>Identifies the
<literal>port-id</literal> that
represents the VM NIC to which the
floating IP should map.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron port-list -c id -c fixed_ips -- --device_id=&lt;instance_id&gt;</userinput></screen>
<para>This port must be on an Networking
subnet that is attached to a router
uplinked to the external network used
to create the floating IP. 
Conceptually, this is because the
router must be able to perform the
Destination NAT (DNAT) rewriting of
packets from the Floating IP address
(chosen from a subnet on the external
network) to the internal Fixed IP
(chosen from a private subnet that is
behind the router).</para>
</td>
</tr>
<tr>
<td>
<para>Creates a floating IP address and
associates it with a port.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron floatingip-create &lt;ext-net-id&gt;</userinput>
<prompt>$</prompt> <userinput>neutron floatingip-associate &lt;floatingip-id&gt; &lt;internal VM port-id&gt;</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Creates a floating IP address and
associates it with a port, in a single
step.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron floatingip-create --port_id &lt;internal VM port-id&gt; &lt;ext-net-id&gt;</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Lists floating IPs.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron floatingip-list</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Finds floating IP for a specified VM
port.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron floatingip-list -- --port_id=ZZZ</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Disassociates a floating IP
address.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron floatingip-disassociate &lt;floatingip-id&gt;</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Deletes the floating IP
address.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron floatingip-delete &lt;floatingip-id&gt;</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Clears the gateway.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron router-gateway-clear router1</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Removes the interfaces from the
router.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron router-interface-delete router1 &lt;subnet-id&gt;</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Deletes the router.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron router-delete router1</userinput></screen>
</td>
</tr>
</tbody>
</table>
</section>
</section>
<?hard-pagebreak?>
<section xml:id="section_securitygroups">
<title>Security groups</title>
<para>Security groups and security group rules allows
administrators and tenants the ability to specify the type
of traffic and direction (ingress/egress) that is allowed
to pass through a port. A security group is a container
for security group rules.</para>
<para>When a port is created in Networking it is associated
with a security group. If a security group is not
specified the port is associated with a 'default' security
group. By default, this group drops all ingress traffic
and allows all egress. Rules can be added to this group in
order to change the behaviour.</para>
<para>To use the Compute security group APIs or use Compute to
orchestrate the creation of ports for instances on
specific security groups, you must complete additional
configuration. You must configure the
<filename>/etc/nova/nova.conf</filename> file and set
the <code>security_group_api=neutron</code> option on
every node that runs <systemitem class="service"
>nova-compute</systemitem> and <systemitem
class="service">nova-api</systemitem>. After you make
this change, restart <systemitem class="service"
>nova-api</systemitem> and <systemitem class="service"
>nova-compute</systemitem> to pick up this change.
Then, you can use both the Compute and OpenStack Network
security group APIs at the same time.</para>
<note>
<itemizedlist>
<listitem>
<para>To use the Compute security group API with Networking, the Networking
plug-in must implement the security group API. The following plug-ins
currently implement this: ML2, Nicira NVP, Open vSwitch, Linux Bridge, NEC,
and Ryu.</para>
</listitem>
<listitem>
<para>You must configure the correct firewall
driver in the <literal>securitygroup</literal>
section of the plug-in/agent configuration
file. Some plug-ins and agents, such as Linux
Bridge Agent and Open vSwitch Agent, use the
no-operation driver as the default, which
results in non-working security groups.</para>
</listitem>
<listitem>
<para>When using the security group API through
Compute, security groups are applied to all
ports on an instance. The reason for this is
that Compute security group APIs are instances
based and not port based as Networking.</para>
</listitem>
</itemizedlist>
</note>
<section xml:id="securitygroup_api_abstractions">
<title>Security Group API Abstractions</title>
<table rules="all">
<caption>Security Group Attributes</caption>
<col width="20%"/>
<col width="20%"/>
<col width="20%"/>
<col width="40%"/>
<thead>
<tr>
<th>Attribute name</th>
<th>Type</th>
<th>Default Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>id</td>
<td>uuid-str</td>
<td>generated</td>
<td>UUID for the security group.</td>
</tr>
<tr>
<td>name</td>
<td>String</td>
<td>None</td>
<td>Human-readable name for the security
group. Might not be unique. Cannot be
named default as that is automatically
created for a tenant.</td>
</tr>
<tr>
<td>description</td>
<td>String</td>
<td>None</td>
<td>Human-readable description of a security
group.</td>
</tr>
<tr>
<td>tenant_id</td>
<td>uuid-str</td>
<td>N/A</td>
<td>Owner of the security group. Only admin
users can specify a tenant_id other than
their own.</td>
</tr>
</tbody>
</table>
<table rules="all">
<caption>Security Group Rules</caption>
<col width="20%"/>
<col width="20%"/>
<col width="20%"/>
<col width="40%"/>
<thead>
<tr>
<th>Attribute name</th>
<th>Type</th>
<th>Default Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>id</td>
<td>uuid-str</td>
<td>generated</td>
<td>UUID for the security group rule.</td>
</tr>
<tr>
<td>security_group_id</td>
<td>uuid-str or Integer</td>
<td>allocated by Networking</td>
<td>The security group to associate rule
with.</td>
</tr>
<tr>
<td>direction</td>
<td>String</td>
<td>N/A</td>
<td>The direction the traffic is allow
(ingress/egress) from a VM.</td>
</tr>
<tr>
<td>protocol</td>
<td>String</td>
<td>None</td>
<td>IP Protocol (icmp, tcp, udp, and so
on).</td>
</tr>
<tr>
<td>port_range_min</td>
<td>Integer</td>
<td>None</td>
<td>Port at start of range</td>
</tr>
<tr>
<td>port_range_max</td>
<td>Integer</td>
<td>None</td>
<td>Port at end of range</td>
</tr>
<tr>
<td>ethertype</td>
<td>String</td>
<td>None</td>
<td>ethertype in L2 packet (IPv4, IPv6, and so
on)</td>
</tr>
<tr>
<td>remote_ip_prefix</td>
<td>string (IP cidr)</td>
<td>None</td>
<td>CIDR for address range</td>
</tr>
<tr>
<td>remote_group_id</td>
<td>uuid-str or Integer</td>
<td>allocated by Networking or Compute</td>
<td>Source security group to apply to
rule.</td>
</tr>
<tr>
<td>tenant_id</td>
<td>uuid-str</td>
<td>N/A</td>
<td>Owner of the security group rule. Only
admin users can specify a tenant_id other
than its own.</td>
</tr>
</tbody>
</table>
</section>
<section xml:id="securitygroup_workflow">
<title>Basic security group operations</title>
<para>The following table shows example neutron commands
that enable you to complete basic security group
operations:</para>
<table rules="all">
<caption>Basic security group operations</caption>
<col width="40%"/>
<col width="60%"/>
<thead>
<tr>
<th>Operation</th>
<th>Command</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<para>Creates a security group for our web
servers.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron security-group-create webservers --description "security group for webservers"</userinput></screen></td>
</tr>
<tr>
<td><para>Lists security groups.</para></td>
<td><screen><prompt>$</prompt> <userinput>neutron security-group-list</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Creates a security group rule to
allow port 80 ingress.</para></td>
<td><screen><prompt>$</prompt> <userinput>neutron security-group-rule-create --direction ingress --protocol tcp --port_range_min 80 --port_range_max 80 &lt;security_group_uuid&gt;</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Lists security group
rules.</para></td>
<td><screen><prompt>$</prompt> <userinput>neutron security-group-rule-list</userinput></screen>
</td>
</tr>
<tr>
<td><para>Deletes a security group
rule.</para></td>
<td><screen><prompt>$</prompt> <userinput>neutron security-group-rule-delete &lt;security_group_rule_uuid&gt;</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Deletes a security
group.</para></td>
<td><screen><prompt>$</prompt> <userinput>neutron security-group-delete &lt;security_group_uuid&gt;</userinput></screen>
</td>
</tr>
<tr>
<td><para>Creates a port and associates two
security groups.</para></td>
<td><screen><prompt>$</prompt> <userinput>neutron port-create --security-group &lt;security_group_id1&gt; --security-group &lt;security_group_id2&gt; &lt;network_id&gt;</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Removes security groups from a
port.</para></td>
<td><screen><prompt>$</prompt> <userinput>neutron port-update --no-security-groups &lt;port_id&gt;</userinput></screen>
</td>
</tr>
</tbody>
</table>
</section>
</section>
<?hard-pagebreak?>
<section xml:id="lbaas_workflow">
<title>Basic Load-Balancer-as-a-Service operations</title>
<note>
<para>The Load-Balancer-as-a-Service (LBaaS) API
provisions and configures load balancers. The Havana
release offers a reference implementation that is
based on the HAProxy software load balancer.</para>
</note>
<para>The following table shows example neutron commands that
enable you to complete basic LBaaS operations:</para>
<table rules="all">
<caption>Basic LBaaS operations</caption>
<col width="40%"/>
<col width="60%"/>
<thead>
<tr>
<th>Operation</th>
<th>Command</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<para>Creates a load balancer pool by using
specific provider.</para>
<para><parameter>--provider</parameter> is an
optional argument. If not used, the pool
is created with default provider for LBaaS
service. You should configure the default
provider in the
<literal>[service_providers]</literal>
section of
<filename>neutron.conf</filename>
file. If no default provider is specified
for LBaaS, the
<parameter>--provider</parameter>
option is required for pool
creation.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron lb-pool-create --lb-method ROUND_ROBIN --name mypool --protocol HTTP --subnet-id &lt;subnet-uuid&gt; <parameter>--provider &lt;provider_name&gt;</parameter></userinput></screen></td>
</tr>
<tr>
<td>
<para>Associates two web servers with
pool.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron lb-member-create --address &lt;webserver one IP&gt; --protocol-port 80 mypool</userinput>
<prompt>$</prompt> <userinput>neutron lb-member-create --address &lt;webserver two IP&gt; --protocol-port 80 mypool</userinput></screen></td>
</tr>
<tr>
<td>
<para>Creates a health monitor which checks to
make sure our instances are still running
on the specified
protocol-port.</para></td>
<td><screen><prompt>$</prompt> <userinput>neutron lb-healthmonitor-create --delay 3 --type HTTP --max-retries 3 --timeout 3</userinput></screen>
</td>
</tr>
<tr>
<td><para>Associates a health monitor with
pool.</para></td>
<td><screen><prompt>$</prompt> <userinput>neutron lb-healthmonitor-associate &lt;healthmonitor-uuid&gt; mypool</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Creates a virtual IP (VIP) address that,
when accessed through the load balancer,
directs the requests to one of the pool
members.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron lb-vip-create --name myvip --protocol-port 80 --protocol HTTP --subnet-id &lt;subnet-uuid&gt; mypool</userinput></screen>
</td>
</tr>
</tbody>
</table>
</section>
<?hard-pagebreak?>
<section xml:id="fwaas">
<title>Firewall-as-a-Service</title>
<para>The Firewall-as-a-Service (FWaaS) API is an experimental
API that enables early adopters and vendors to test their
networking implementations.</para>
<para>The FWaaS is backed by a <emphasis role="bold">reference
implementation</emphasis> that works with the
Networking OVS plug-in and provides perimeter firewall
functionality. It leverages the footprint of the
Networking OVS L3 agent and an IPTables driver to apply
the firewall rules contained in a particular firewall
policy. This reference implementation supports one
firewall policy and consequently one logical firewall
instance for each tenant. This is not a constraint of the
resource model, but of the current reference
implementation. The firewall is present on a Networking
virtual router. If a tenant has multiple routers, the
firewall is present on all the routers. If a tenant does
not have any router, the firewall is in
<code>PENDING_CREATE</code> state until a router is
created and the first interface is added to the router. At
that point the firewall policy is immediately applied to
the router and the firewall changes to <code>ACTIVE</code>
state.</para>
<note>
<para>Because this is the first iteration of this
implementation, it should probably not be run in
production environments without adequate
testing.</para>
</note>
<section xml:id="fwaas_api_abstractions">
<title>Firewall-as-a-Service API abstractions</title>
<table rules="all">
<caption>Firewall rules</caption>
<col width="20%"/>
<col width="20%"/>
<col width="20%"/>
<col width="40%"/>
<thead>
<tr>
<th>Attribute name</th>
<th>Type</th>
<th>Default Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>id</td>
<td>uuid-str</td>
<td>generated</td>
<td>UUID for the firewall rule.</td>
</tr>
<tr>
<td>tenant_id</td>
<td>uuid-str</td>
<td>N/A</td>
<td>Owner of the firewall rule. Only admin
users can specify a tenant_id other than
its own.</td>
</tr>
<tr>
<td>name</td>
<td>String</td>
<td>None</td>
<td>Human readable name for the firewall rule
(255 characters limit).</td>
</tr>
<tr>
<td>description</td>
<td>String</td>
<td>None</td>
<td>Human readable description for the
firewall rule (1024 characters
limit).</td>
</tr>
<tr>
<td>firewall_policy_id</td>
<td>uuid-str or None</td>
<td>allocated by Networking</td>
<td>This is a read-only attribute that gets
populated with the uuid of the firewall
policy when this firewall rule is
associated with a firewall policy. A
firewall rule can be associated with only
one firewall policy at a time. However,
the association can be changed to a
different firewall policy.</td>
</tr>
<tr>
<td>shared</td>
<td>Boolean</td>
<td>False</td>
<td>When set to True makes this firewall rule
visible to tenants other than its owner,
and it can be used in firewall policies
not owned by its tenant.</td>
</tr>
<tr>
<td>protocol</td>
<td>String</td>
<td>None</td>
<td>IP Protocol (icmp, tcp, udp, None).</td>
</tr>
<tr>
<td>ip_version</td>
<td>Integer or String</td>
<td>4</td>
<td>IP Version (4, 6).</td>
</tr>
<tr>
<td>source_ip_address</td>
<td>String (IP address or CIDR)</td>
<td>None</td>
<td>Source IP address or CIDR.</td>
</tr>
<tr>
<td>destination_ip_address</td>
<td>String (IP address or CIDR)</td>
<td>None</td>
<td>Destination IP address or CIDR.</td>
</tr>
<tr>
<td>source_port</td>
<td>Integer or String (either as a single port
number or in the format of a ':' separated
range)</td>
<td>None</td>
<td>Source port number or a range.</td>
</tr>
<tr>
<td>destination_port</td>
<td>Integer or String (either as a single port
number or in the format of a ':' separated
range)</td>
<td>None</td>
<td>Destination port number or a range.</td>
</tr>
<tr>
<td>position</td>
<td>Integer</td>
<td>None</td>
<td>This is a read-only attribute that gets
assigned to this rule when the rule is
associated with a firewall policy. It
indicates the position of this rule in
that firewall policy.</td>
</tr>
<tr>
<td>action</td>
<td>String</td>
<td>deny</td>
<td>Action to be performed on the traffic
matching the rule (allow, deny).</td>
</tr>
<tr>
<td>enabled</td>
<td>Boolean</td>
<td>True</td>
<td>When set to False, disables this rule in
the firewall policy. Facilitates
selectively turning off rules without
having to disassociate the rule from the
firewall policy.</td>
</tr>
</tbody>
</table>
<table rules="all">
<caption>Firewall policies</caption>
<col width="20%"/>
<col width="20%"/>
<col width="20%"/>
<col width="40%"/>
<thead>
<tr>
<th>Attribute name</th>
<th>Type</th>
<th>Default Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>id</td>
<td>uuid-str</td>
<td>generated</td>
<td>UUID for the firewall policy.</td>
</tr>
<tr>
<td>tenant_id</td>
<td>uuid-str</td>
<td>N/A</td>
<td>Owner of the firewall policy. Only admin
users can specify a tenant_id other their
own.</td>
</tr>
<tr>
<td>name</td>
<td>String</td>
<td>None</td>
<td>Human readable name for the firewall
policy (255 characters limit).</td>
</tr>
<tr>
<td>description</td>
<td>String</td>
<td>None</td>
<td>Human readable description for the
firewall policy (1024 characters
limit).</td>
</tr>
<tr>
<td>shared</td>
<td>Boolean</td>
<td>False</td>
<td>When set to True makes this firewall
policy visible to tenants other than its
owner, and can be used to associate with
firewalls not owned by its tenant.</td>
</tr>
<tr>
<td>firewall_rules</td>
<td>List of uuid-str or None</td>
<td>None</td>
<td>This is an ordered list of firewall rule
uuids. The firewall applies the rules in
the order in which they appear in this
list.</td>
</tr>
<tr>
<td>audited</td>
<td>Boolean</td>
<td>False</td>
<td>When set to True by the policy owner
indicates that the firewall policy has
been audited. This attribute is meant to
aid in the firewall policy audit
workflows. Each time the firewall policy
or the associated firewall rules are
changed, this attribute is set to False
and must be explicitly set to True through
an update operation.</td>
</tr>
</tbody>
</table>
<table rules="all">
<caption>Firewalls</caption>
<col width="20%"/>
<col width="20%"/>
<col width="20%"/>
<col width="40%"/>
<thead>
<tr>
<th>Attribute name</th>
<th>Type</th>
<th>Default Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>id</td>
<td>uuid-str</td>
<td>generated</td>
<td>UUID for the firewall.</td>
</tr>
<tr>
<td>tenant_id</td>
<td>uuid-str</td>
<td>N/A</td>
<td>Owner of the firewall. Only admin users
can specify a tenant_id other than its
own.</td>
</tr>
<tr>
<td>name</td>
<td>String</td>
<td>None</td>
<td>Human readable name for the firewall (255
characters limit).</td>
</tr>
<tr>
<td>description</td>
<td>String</td>
<td>None</td>
<td>Human readable description for the
firewall (1024 characters limit).</td>
</tr>
<tr>
<td>admin_state_up</td>
<td>Boolean</td>
<td>True</td>
<td>The administrative state of the firewall.
If False (down), the firewall does not
forward any packets.</td>
</tr>
<tr>
<td>status</td>
<td>String</td>
<td>N/A</td>
<td><para>Indicates whether the firewall is
currently operational. Possible values
include:</para>
<itemizedlist>
<listitem>
<para>ACTIVE</para>
</listitem>
<listitem>
<para>DOWN</para>
</listitem>
<listitem>
<para>PENDING_CREATE</para>
</listitem>
<listitem>
<para>PENDING_UPDATE</para>
</listitem>
<listitem>
<para>PENDING_DELETE</para>
</listitem>
<listitem>
<para>ERROR</para>
</listitem>
</itemizedlist>
</td>
</tr>
<tr>
<td>firewall_policy_id</td>
<td>uuid-str or None</td>
<td>None</td>
<td>The firewall policy uuid that this
firewall is associated with. This firewall
implements the rules contained in the
firewall policy represented by this uuid.
</td>
</tr>
</tbody>
</table>
</section>
<section xml:id="fwaas_workflow">
<title>Basic Firewall-as-a-Service operations</title>
<itemizedlist>
<listitem>
<para>Create a firewall rule:</para>
<screen><prompt>$</prompt> <userinput>neutron firewall-rule-create --protocol &lt;tcp|udp|icmp|any&gt; --destination-port &lt;port-range&gt; --action &lt;allow|deny&gt;</userinput></screen>
<para>The CLI requires that a protocol value be
provided. If the rule is protocol agnostic,
the 'any' value can be used.</para>
<para>In addition to the protocol attribute, other
attributes can be specified in the firewall
rule. See the previous section for the
supported attributes.</para>
</listitem>
<listitem>
<para>Create a firewall policy:</para>
<screen><prompt>$</prompt> <userinput>neutron firewall-policy-create --firewall-rules "&lt;firewall-rule ids or names separated by space&gt;" myfirewallpolicy</userinput></screen>
<para>The order of the rules specified above is
important. A firewall policy can be created
without any rules and rules can be added later
either via the update operation (if adding
multiple rules) or via the insert-rule
operation (if adding a single rule). Please
check the CLI help for more details on these
operations.</para>
<note>
<para>The reference implementation always adds
a default deny all rule at the end of each
policy. This implies that if a firewall
policy is created without any rules and is
associated with a firewall, that firewall
blocks all traffic.</para>
</note>
</listitem>
<listitem>
<para>Create a firewall:</para>
<screen><prompt>$</prompt> <userinput>neutron firewall-create &lt;firewall-policy-uuid&gt;</userinput></screen>
</listitem>
</itemizedlist>
<note>
<para>The FWaaS features and the above workflow can
also be accessed from the Horizon user interface.
This support is disabled by default, but can be
enabled by configuring
<filename>$HORIZON_DIR/openstack_dashboard/local/local_settings.py
</filename> and setting
<programlisting language="ini">
'enable_firewall' = True
</programlisting>
</para>
</note>
</section>
</section>
<?hard-pagebreak?>
<section xml:id="section_allowed_address_pairs">
<title>Allowed-address-pairs</title>
<para>Allowed-address-pairs is an API extension that extends
the port attribute. This extension allows one to specify
arbitrary mac_address/ip_address(cidr) pairs that are
allowed to pass through a port regardless of subnet. The
main use case for this is to enable the ability to use
protocols such as VRRP which floats an ip address between
two instances to enable fast data plane failover.</para>
<note>
<para>The allowed-address-pairs extension is currently
only supported by the following plug-ins: ML2, Nicira
NVP, and Open vSwitch.</para>
</note>
<section xml:id="section_allowed_address_pairs_workflow">
<title>Basic allowed address pairs operations</title>
<itemizedlist>
<listitem>
<para>Create a port with a specific
allowed-address-pairs:</para>
<screen><prompt>$</prompt> <userinput>neutron port-create net1 --allowed-address-pairs type=dict list=true mac_address=&lt;mac_address&gt;,ip_address=&lt;ip_cidr&gt;</userinput></screen>
</listitem>
<listitem>
<para>Update a port adding
allowed-address-pairs:</para>
<screen><prompt>$</prompt> <userinput>neutron port-update &lt;subnet-uuid&gt; --allowed-address-pairs type=dict list=true mac_address=&lt;mac_address&gt;,ip_address=&lt;ip_cidr&gt;</userinput></screen>
</listitem>
</itemizedlist>
<note>
<para>Setting an allowed-address-pair that matches the
mac_address and ip_address of a port is prevented.
This is because that would have no effect since
traffic matching the mac_address and ip_address is
already allowed to pass through the port.</para>
</note>
<note>
<para>If your plug-in implements the port-security
extension port-security-enabled must be set to
True on the port in order to have
allowed-address-pairs on a port. The reason for
this is because if port-security-enabled is set to
False this allows all traffic to be passed through
the port thus having allowed-address-pairs would
have no effect.</para>
</note>
</section>
</section>
<?hard-pagebreak?>
<section xml:id="section_plugin_specific_extensions">
<title>Plug-in specific extensions</title>
<?dbhtml stop-chunking?>
<para>Each vendor can choose to implement additional API
extensions to the core API. This section describes the
extensions for each plug-in.</para>
<section xml:id="section_nicira_extensions">
<title>Nicira NVP extensions</title>
<para>The following sections explain Nicira NVP plug-in
extensions.</para>
<section xml:id="section_nicira_nvp_plugin_qos_extension">
<title>Nicira NVP QoS extension</title>
<para>The Nicira NVP QoS extension rate-limits network
ports to guarantee a specific amount of bandwidth
for each port. This extension, by default, is only
accessible by a tenant with an admin role but is
configurable through the
<filename>policy.json</filename> file. To use
this extension, create a queue and specify the
min/max bandwidth rates (kbps) and optionally set
the QoS Marking and DSCP value (if your network
fabric uses these values to make forwarding
decisions). Once created, you can associate a
queue with a network. Then, when ports are created
on that network they are automatically created and
associated with the specific queue size that was
associated with the network. Because one size
queue for a every port on a network might not be
optimal, a scaling factor from the Nova flavor
'rxtx_factor' is passed in from Compute when
creating the port to scale the queue.</para>
<para>Lastly, if you want to set a specific baseline
QoS policy for the amount of bandwidth a single
port can use (unless a network queue is specified
with the network a port is created on) a default
queue can be created in Networking which then
causes ports created to be associated with a queue
of that size times the rxtx scaling factor. Note
that after a network or default queue is
specified, queues are added to ports that are
subsequently created but are not added to existing
ports.</para>
<section
xml:id="section_nicira_nvp_qos_api_abstractions">
<title>Nicira NVP QoS API abstractions</title>
<table rules="all">
<caption>Nicira NVP QoS Attributes</caption>
<col width="20%"/>
<col width="20%"/>
<col width="20%"/>
<col width="40%"/>
<thead>
<tr>
<th>Attribute name</th>
<th>Type</th>
<th>Default Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>id</td>
<td>uuid-str</td>
<td>generated</td>
<td>UUID for the QoS queue.</td>
</tr>
<tr>
<td>default</td>
<td>Boolean</td>
<td>False by default</td>
<td>If True, ports are created with
this queue size unless the network
port is created or associated with
a queue at port creation time.</td>
</tr>
<tr>
<td>name</td>
<td>String</td>
<td>None</td>
<td>Name for QoS queue.</td>
</tr>
<tr>
<td>min</td>
<td>Integer</td>
<td>0</td>
<td>Minimum Bandwidth Rate (kbps).
</td>
</tr>
<tr>
<td>max</td>
<td>Integer</td>
<td>N/A</td>
<td>Maximum Bandwidth Rate (kbps).
</td>
</tr>
<tr>
<td>qos_marking</td>
<td>String</td>
<td>untrusted by default</td>
<td>Whether QoS marking should be
trusted or untrusted.</td>
</tr>
<tr>
<td>dscp</td>
<td>Integer</td>
<td>0</td>
<td>DSCP Marking value.</td>
</tr>
<tr>
<td>tenant_id</td>
<td>uuid-str</td>
<td>N/A</td>
<td>The owner of the QoS queue.</td>
</tr>
</tbody>
</table>
</section>
<section xml:id="nicira_nvp_qos_walk_through">
<title>Basic Nicira NVP QoS operations</title>
<para>The following table shows example neutron
commands that enable you to complete basic
queue operations:</para>
<table rules="all">
<caption>Basic Nicira NVP QoS
operations</caption>
<col width="40%"/>
<col width="60%"/>
<thead>
<tr>
<th>Operation</th>
<th>Command</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<para>Creates QoS Queue
(admin-only).</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron queue-create--min 10 --max 1000 myqueue</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Associates a queue with a
network.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron net-create network --queue_id=&lt;queue_id&gt;</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Creates a default system
queue.</para></td>
<td><screen><prompt>$</prompt> <userinput>neutron queue-create --default True --min 10 --max 2000 default</userinput></screen>
</td>
</tr>
<tr>
<td><para>Lists QoS
queues.</para></td>
<td><screen><prompt>$</prompt> <userinput>neutron queue-list</userinput></screen>
</td>
</tr>
<tr>
<td>
<para>Deletes a QoS
queue.</para></td>
<td>
<screen><prompt>$</prompt> <userinput>neutron queue-delete &lt;queue_id or name&gt;'</userinput></screen>
</td>
</tr>
</tbody>
</table>
</section>
</section>
<section xml:id="section_nicira_nvp_provider_extension">
<title>Nicira NVP provider networks extension</title>
<para>Provider networks can be implemented in
different ways by the underlying NVP
platform.</para>
<para>The <emphasis>FLAT</emphasis> and
<emphasis>VLAN</emphasis> network types use
bridged transport connectors. These network types
enable the attachment of large number of ports. To
handle the increased scale, the NVP plug-in can
back a single Openstack Network with a chain of
NVP logical switches. You can specify the maximum
number of ports on each logical switch in this
chain on the
<literal>max_lp_per_bridged_ls</literal>
parameter, which has a default value of
5,000.</para>
<para>The recommended value for this parameter varies
with the NVP version running in the back end, as
shown in the following table.</para>
<para>
<table rules="all">
<caption>Recommended values for
max_lp_per_bridged_ls</caption>
<col width="50%"/>
<col width="50%"/>
<thead>
<tr>
<td>NVP version</td>
<td>Recommended Value</td>
</tr>
</thead>
<tbody>
<tr>
<td>2.x</td>
<td>64</td>
</tr>
<tr>
<td>3.0.x</td>
<td>5,000</td>
</tr>
<tr>
<td>3.1.x</td>
<td>5,000</td>
</tr>
<tr>
<td>3.2.x</td>
<td>10,000</td>
</tr>
</tbody>
</table>
</para>
<para>In addition to the above network types, the NVP
plug-in also supports a special
<emphasis>l3_ext</emphasis> network type,
which maps external networks to specific NVP
gateway services as discussed in the following
section.</para>
</section>
<section xml:id="section_nicira_nvp_plugin_l3_extension">
<title>Nicira NVP L3 extension</title>
<para>NVP exposes its L3 capabilities through gateway
services which are usually configured out of band
from OpenStack. To use NVP with L3 capabilities,
first create a L3 gateway service in the NVP
Manager. Next, in <filename>
/etc/neutron/plugins/nicira/nvp.ini</filename>
set <literal>default_l3_gw_service_uuid</literal>
to this value. By default, routers are mapped to
this gateway service.</para>
<section xml:id="section_nicira_l3_walk_through">
<title>Nicira NVP L3 extension operations</title>
<para>Create external network and map it to a
specific NVP gateway service:</para>
<screen><prompt>$</prompt> <userinput>neutron net-create public --router:external=True --provider:network_type l3_ext \
--provider:physical_network &lt;L3-Gateway-Service-UUID&gt;</userinput></screen>
<para>Terminate traffic on a specific VLAN from a
NVP gateway service:</para>
<screen><prompt>$</prompt> <userinput>neutron net-create public --router:external=True --provider:network_type l3_ext \
--provider:physical_network &lt;L3-Gateway-Service-UUID&gt; -provider:segmentation_id &lt;VLAN_ID&gt;</userinput></screen>
</section>
</section>
</section>
<section xml:id="section_bigswitch_extensions">
<title>Big Switch Plugin Extensions</title>
<para>The following section explains the Big Switch Neutron plugin-specific extension.</para>
<section xml:id="section_bigswitch_extension_routerrules">
<title>Big Switch Router Rules</title>
<para>Big Switch allows router rules to be added to each
tenant router. These rules can be used to enforce routing
policies such as denying traffic between subnets or traffic
to external networks. By enforcing these at the router
level, network segmentation policies can be enforced across
many VMs that have differing security groups.</para>
<section xml:id="section_bigswitch_routerrule_fields">
<title>Router Rule Attributes</title>
<para>Each tenant router has a set of router rules
associated with it. Each router rule has the attributes
in the following table. Router rules and their
attributes can be set using the
<command>neutron router-update</command> command,
via the Horizon interface, or through the Neutron API.
</para>
<table rules="all">
<caption>Big Switch Router Rule Attributes</caption>
<col width="20%"/>
<col width="15%"/>
<col width="25%"/>
<col width="40%"/>
<thead>
<tr>
<th>Attribute name</th>
<th>Required</th>
<th>Input Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>source</td>
<td>Yes</td>
<td>A valid CIDR or one of the keywords
'any' or 'external'</td>
<td>The network that a packet's source IP must
match for the rule to be applied</td>
</tr>
<tr>
<td>destination</td>
<td>Yes</td>
<td>A valid CIDR or one of the keywords
'any' or 'external'</td>
<td>The network that a packet's destination IP
must match for the rule to be applied</td>
</tr>
<tr>
<td>action</td>
<td>Yes</td>
<td>'permit' or 'deny'</td>
<td>Determines whether or not the matched
packets will allowed to cross the router</td>
</tr>
<tr>
<td>nexthop</td>
<td>No</td>
<td>A plus-separated (+) list of next-hop IP
addresses (e.g. '1.1.1.1+1.1.1.2')</td>
<td>Overrides the default virtual router used to
handle traffic for packets that match the
rule</td>
</tr>
</tbody>
</table>
</section>
<section xml:id="section_bigswitch_routerrule_processorder">
<title>Order of Rule Processing</title>
<para>The order of router rules has no effect. Overlapping
rules are evaluated using longest prefix matching on
the source and destination fields. The source field
is matched first so it always takes higher precedence
over the destination field. In other words, longest
prefix matching is used on the destination field only
if there are multiple matching rules with the same
source.</para>
</section>
<section xml:id="section_bigswitch_routerrule_walkthrough">
<title>Big Switch Router Rules Operations</title>
<para>Router rules are configured with a router update
operation in Neutron. The update overrides any previous
rules so all of the rules must be provided at the same
time.</para>
<para>Update a router with rules to permit traffic by
default but block traffic from external networks to the
10.10.10.0/24 subnet:</para>
<screen><prompt>$</prompt> <userinput>neutron router-update <replaceable>Router-UUID</replaceable> --router_rules type=dict list=true\
source=any,destination=any,action=permit \
source=external,destination=10.10.10.0/24,action=deny</userinput></screen>
<para>Specify alternate next-hop addresses for a specific
subnet:</para>
<screen><prompt>$</prompt> <userinput>neutron router-update <replaceable>Router-UUID</replaceable> --router_rules type=dict list=true\
source=any,destination=any,action=permit \
source=10.10.10.0/24,destination=any,action=permit,nexthops=10.10.10.254+10.10.10.253</userinput></screen>
<para>Block traffic between two subnets while
allowing everything else:</para>
<screen><prompt>$</prompt> <userinput>neutron router-update <replaceable>Router-UUID</replaceable> --router_rules type=dict list=true\
source=any,destination=any,action=permit \
source=10.10.10.0/24,destination=10.20.20.20/24,action=deny</userinput></screen>
</section>
</section>
</section>
</section>
</section>