vmware-nsx/doc/source/devstack.rst
Adit Sarfaty 754e0e7561 NSX|V3: FWaaS-v1 support
Adding FW rules to protect the traffic north-south behind a T1 router.
This will be done only if a firewall was attached to the router.
This includes:
- FWaaS rules
- Drop all default rule

When the firewall is deleted or the router removed from it,
a default allow all rule will be set.

For the rotuer firewall to work, the rotuer NAT rules should set
nat-bypass=False.

Change-Id: Iba03db8ca67ee10d1c54b96fb41a888cb549684d
2017-06-17 05:18:15 +00:00

191 lines
5.0 KiB
ReStructuredText

NSX DevStack Configurations
===========================
Below are the options for configuring the NSX plugin with DevStack. Prior
to doing this DevStack needs to be downloaded. After updating the relevant
configuration file(s) run ./stack.sh
NSXv
----
LBaaS v2 Driver
~~~~~~~~~~~~~~~
Add lbaas repo as an external repository and configure following flags in ``local.conf``::
[[local]|[localrc]]
enable_plugin neutron-lbaas https://git.openstack.org/openstack/neutron-lbaas
enable_service q-lbaasv2
Configure the service provider::
[[post-config|$NEUTRON_LBAAS_CONF]]
[service_providers]
service_provider = LOADBALANCERV2:VMWareEdge:neutron_lbaas.drivers.vmware.edge_driver_v2.EdgeLoadBalancerDriverV2:default
QoS Driver
~~~~~~~~~~
Enable the qos in ``local.conf``::
[[local|localrc]]
ENABLED_SERVICES=q-qos
For NSXv set the service plugin in ``local.conf``, and enable the dvs features::
[[post-config|$NEUTRON_CONF]]
[DEFAULT]
service_plugins = vmware_nsxv_qos
[[local|localrc]]
NSXV_USE_DVS_FEATURES = True
Optional: Update the nsx qos_peak_bw_multiplier in nsx.ini (default value is 2.0)::
[NSX]
qos_peak_bw_multiplier = <i.e 10.0>
L2GW Driver
~~~~~~~~~~~
Add networking-l2gw repo as an external repository and configure following flags in ``local.conf``::
[[local|localrc]]
enable_plugin networking-l2gw https://github.com/openstack/networking-l2gw
ENABLED_SERVICES+=l2gw-plugin
NETWORKING_L2GW_SERVICE_DRIVER=L2GW:vmware-nsx-l2gw:vmware_nsx.services.l2gateway.nsx_v.driver.NsxvL2GatewayDriver:default
IPAM Driver
~~~~~~~~~~~
Update the ``local.conf`` file::
[[post-config|$NEUTRON_CONF]]
[DEFAULT]
ipam_driver = vmware_nsxv_ipam
Flow Classifier
~~~~~~~~~~~~~~~
Update the ``local.conf`` file::
[[local|localrc]]
enable_plugin networking-sfc https://git.openstack.org/openstack/networking-sfc master
[[post-config|$NEUTRON_CONF]]
[DEFAULT]
service_plugins = networking_sfc.services.flowclassifier.plugin.FlowClassifierPlugin
[flowclassifier]
drivers = vmware-nsxv-sfc
[nsxv]
service_insertion_profile_id = <service profile id. i.e. serviceprofile-1>
In order to prevent tenants from changing the flow classifier, please add the following
lines to the policy.json file::
"create_flow_classifier": "rule:admin_only",
"update_flow_classifier": "rule:admin_only",
"delete_flow_classifier": "rule:admin_only",
"get_flow_classifier": "rule:admin_only"
FWAAS (V1) Driver
~~~~~~~~~~~~~~~~~
Add neutron-fwaas repo as an external repository and configure following flags in ``local.conf``::
[[local|localrc]]
enable_plugin neutron-fwaas https://git.openstack.org/openstack/neutron-fwaas
ENABLED_SERVICES+=,q-fwaas
[[post-config|$NEUTRON_CONF]]
[DEFAULT]
service_plugins = neutron_fwaas.services.firewall.fwaas_plugin.FirewallPlugin
[fwaas]
enabled = True
driver = vmware_nsxv_edge
Neutron dynamic routing plugin (bgp)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Add neutron-dynamic-routing repo as an external repository and configure following flags in ``local.conf``::
[[local|localrc]]
enable_plugin neutron-dynamic-routing https://git.openstack.org/openstack/neutron-dynamic-routing
DR_MODE=dr_plugin
BGP_PLUGIN=vmware_nsx.services.dynamic_routing.bgp_plugin.NSXvBgpPlugin
[[post-config|$NEUTRON_CONF]]
[DEFAULT]
api_extensions_path = $DEST/neutron-dynamic-routing/neutron_dynamic_routing/extensions
NSXv3
-----
QoS Driver
~~~~~~~~~~
Enable the qos in ``local.conf``::
[[local|localrc]]
ENABLED_SERVICES=q-qos
[[post-config|$NEUTRON_CONF]]
[DEFAULT]
service_plugins = neutron.services.qos.qos_plugin.QoSPlugin
Optional: Update the nsx qos_peak_bw_multiplier in nsx.ini (default value is 2.0)::
[NSX]
qos_peak_bw_multiplier = <i.e 10.0>
L2GW Driver
~~~~~~~~~~~
Add networking-l2gw repo as an external repository and configure following flags in ``local.conf``::
[[local|localrc]]
enable_plugin networking-l2gw https://github.com/openstack/networking-l2gw
ENABLED_SERVICES+=l2gw-plugin
NETWORKING_L2GW_SERVICE_DRIVER=L2GW:vmware-nsx-l2gw:vmware_nsx.services.l2gateway.nsx_v3.driver.NsxV3Driver:default
DEFAULT_BRIDGE_CLUSTER_UUID=
IPAM Driver
~~~~~~~~~~~
Update the ``local.conf`` file::
[[post-config|$NEUTRON_CONF]]
[DEFAULT]
ipam_driver = vmware_nsxv3_ipam
Trunk Driver
~~~~~~~~~~~~
Enable trunk service and configure following flags in ``local.conf``::
[[local]|[localrc]]
# Trunk plugin NSXv3 driver config
ENABLED_SERVICES+=,q-trunk
Q_SERVICE_PLUGIN_CLASSES=trunk
FWAAS (V1) Driver:
~~~~~~~~~~~~~
Add neutron-fwaas repo as an external repository and configure following flags in ``local.conf``::
[[local|localrc]]
enable_plugin neutron-fwaas https://git.openstack.org/openstack/neutron-fwaas
ENABLED_SERVICES+=,q-fwaas
[[post-config|$NEUTRON_CONF]]
[DEFAULT]
service_plugins = neutron_fwaas.services.firewall.fwaas_plugin.FirewallPlugin
[fwaas]
enabled = True
driver = vmware_nsxv3_edge