ce9003f498
The service insertion feature allows us to redirect some of the NSX traffic to an external security vendor like Palo-Alto or checkpoint for advanced inspection. The implementation contains: Enable the flow classifier plugin, and use it to create redirect rules on NSX When the flow classifier plugin is initialized a new security group is created and added to the configured service profile When a vm port with port security is created/updated, it is added to this security group When the admin user create a flow classifier entry, a backed redirect rule will be created. DocImpact: new NSXV Configuration parameters: service_insertion_profile_id = <service profile id, i.e. serviceprofile-1> DocImpact: The flow classifier methods should be added to the policy.json as admin only Change-Id: I67a132d4b35764c6940516a8365a2749d574aad2
31 lines
986 B
ReStructuredText
31 lines
986 B
ReStructuredText
===============================================================
|
|
Enabling NSX Flow Classifier for service insertion in DevStack
|
|
===============================================================
|
|
|
|
1. Download DevStack
|
|
|
|
2. Update the ``local.conf`` file::
|
|
|
|
[[local|localrc]]
|
|
enable_plugin networking-sfc https://git.openstack.org/openstack/networking-sfc master
|
|
|
|
[[post-config|$NEUTRON_CONF]]
|
|
[DEFAULT]
|
|
service_plugins = networking_sfc.services.flowclassifier.plugin.FlowClassifierPlugin
|
|
|
|
[flowclassifier]
|
|
drivers = vmware-nsxv-sfc
|
|
|
|
[nsxv]
|
|
service_insertion_profile_id = <service profile id. i.e. serviceprofile-1>
|
|
|
|
3. In order to prevent tenants from changing the flow classifier, please add the following
|
|
lines to the policy.json file:
|
|
|
|
"create_flow_classifier": "rule:admin_only",
|
|
"update_flow_classifier": "rule:admin_only",
|
|
"delete_flow_classifier": "rule:admin_only",
|
|
"get_flow_classifier": "rule:admin_only"
|
|
|
|
4. run ``stack.sh``
|