Adit Sarfaty ce9003f498 NSX-V Service insertion support
The service insertion feature allows us to redirect some of the NSX traffic to an external
security vendor like Palo-Alto or checkpoint for advanced inspection.

The implementation contains:
Enable the flow classifier plugin, and use it to create redirect rules on NSX
When the flow classifier plugin is initialized a new security group is created
and added to the configured service profile

When a VM port with port security is created/updated, it is added to this security group.
When the admin user creates a flow classifier entry, a backend redirect rule will be created.

DocImpact: new NSXV Configuration parameters:
service_insertion_profile_id = <service profile id, i.e. serviceprofile-1>

DocImpact: The flow classifier methods should be added to the policy.json as admin only

Change-Id: I67a132d4b35764c6940516a8365a2749d574aad2
2016-07-13 11:29:05 +03:00


Enabling NSX Flow Classifier for service insertion in DevStack

  1. Download DevStack

  2. Update the local.conf file:

    [[local|localrc]]
    enable_plugin networking-sfc https://git.openstack.org/openstack/networking-sfc master
    
    [[post-config|$NEUTRON_CONF]]
    [DEFAULT]
    service_plugins = networking_sfc.services.flowclassifier.plugin.FlowClassifierPlugin
    
    [flowclassifier]
    drivers = vmware-nsxv-sfc
    
    [nsxv]
    service_insertion_profile_id = <service profile id, i.e. serviceprofile-1>

  3. To prevent tenants from changing the flow classifier, add the following lines to the policy.json file:

    "create_flow_classifier": "rule:admin_only",
    "update_flow_classifier": "rule:admin_only",
    "delete_flow_classifier": "rule:admin_only",
    "get_flow_classifier": "rule:admin_only"

  4. Run stack.sh
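Step 3 is the security-relevant one: a missing or weakened entry lets a non-admin tenant create redirect rules in NSX. The following is an added example, not part of this repository, that reads a policy.json and reports whether each flow classifier action is restricted exactly to `rule:admin_only`; the two sample policies are constructed inline.

```python
import json

# Flow classifier API actions that step 3 requires to be admin-only.
FLOW_CLASSIFIER_ACTIONS = (
    "create_flow_classifier",
    "update_flow_classifier",
    "delete_flow_classifier",
    "get_flow_classifier",
)
REQUIRED_RULE = "rule:admin_only"


def check_flow_classifier_policy(policy_text):
    """Return {action: finding} for every flow classifier action.

    finding is "ok" when the action maps to rule:admin_only, "missing" when
    policy.json has no entry for it (Neutron's generic "default" rule then
    applies, which in the stock policy.json is not admin-only), or
    "weak:<rule>" when some other rule is configured.
    """
    policy = json.loads(policy_text)
    findings = {}
    for action in FLOW_CLASSIFIER_ACTIONS:
        rule = policy.get(action)
        if rule is None:
            findings[action] = "missing"
        elif rule == REQUIRED_RULE:
            findings[action] = "ok"
        else:
            findings[action] = "weak:%s" % rule
    return findings


def policy_is_locked_down(policy_text):
    """True only when all four actions are restricted to admin."""
    return all(v == "ok" for v in check_flow_classifier_policy(policy_text).values())


# Constructed sample: the policy.json fragment exactly as step 3 prescribes.
GOOD_POLICY = json.dumps({
    "create_flow_classifier": "rule:admin_only",
    "update_flow_classifier": "rule:admin_only",
    "delete_flow_classifier": "rule:admin_only",
    "get_flow_classifier": "rule:admin_only",
})

# Constructed sample: get_ left out and delete_ opened to resource owners.
BAD_POLICY = json.dumps({
    "create_flow_classifier": "rule:admin_only",
    "update_flow_classifier": "rule:admin_only",
    "delete_flow_classifier": "rule:admin_or_owner",
})
```

Run `check_flow_classifier_policy(open("/etc/neutron/policy.json").read())` after stack.sh to confirm the entries landed in the merged file.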