Neutron Extensions
Networking-SFC
Preparation and deployment
Modify the /etc/kolla/globals.yml file as the following example shows:
enable_neutron_sfc: "yes"
Verification
For setting up a testbed environment and creating a port chain, please refer to the networking-sfc documentation.
Neutron FWaaS (Firewall-as-a-Service)
Preparation and deployment
Warning
FWaaS currently has no support for OVN.
Modify the /etc/kolla/globals.yml file as the following example shows:
enable_neutron_fwaas: "yes"
For more information on FWaaS in Neutron, refer to the Neutron FWaaS docs.
Neutron VPNaaS (VPN-as-a-Service)
Preparation and deployment
Modify the /etc/kolla/globals.yml file as the following example shows:
enable_neutron_vpnaas: "yes"
Verification
VPNaaS is a complex subject, hence this document provides directions for a simple smoke test to verify the service is up and running.
On the network node(s), the neutron_vpnaas_agent should be up (image naming and versioning may differ depending on deploy configuration):
# docker ps --filter name=neutron_vpnaas_agent
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
97d25657d55e operator:5000/kolla/centos-source-neutron-vpnaas-agent:4.0.0 "kolla_start" 44 minutes ago Up 44 minutes neutron_vpnaas_agent
Warning
You are free to use the following init-runonce script for demo purposes but note it does not have to be run in order to use your cloud. Depending on your customisations, it may not work, or it may conflict with the resources you want to create. You have been warned.
Similarly, the init-vpn script does not have to be run unless you want to follow this particular demo.
Kolla Ansible includes a small script that can be used in tandem with tools/init-runonce to verify the VPN using two routers and two Nova VMs:
tools/init-runonce
tools/init-vpn
Verify both VPN services are active:
# neutron vpn-service-list
+--------------------------------------+----------+--------------------------------------+--------+
| id | name | router_id | status |
+--------------------------------------+----------+--------------------------------------+--------+
| ad941ec4-5f3d-4a30-aae2-1ab3f4347eb1 | vpn_west | 051f7ce3-4301-43cc-bfbd-7ffd59af539e | ACTIVE |
| edce15db-696f-46d8-9bad-03d087f1f682 | vpn_east | 058842e0-1d01-4230-af8d-0ba6d0da8b1f | ACTIVE |
+--------------------------------------+----------+--------------------------------------+--------+
Two VMs can now be booted, one on vpn_east, the other on vpn_west, and encrypted ping packets observed being sent from one to the other.
For more information on this and VPNaaS in Neutron, refer to the Neutron VPNaaS Testing and the OpenStack wiki.
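The "Verify both VPN services are active" step above can be scripted so that a deployment check fails loudly instead of relying on someone reading the table. The shell function below is an added example, not part of Kolla Ansible or of the original page; the name check_vpn_services, its exit codes and the sample table with vpn_east changed to DOWN are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of Kolla Ansible. Reads the table printed by
# `neutron vpn-service-list` on stdin and exits 0 only if at least
# EXPECTED services are listed and every one of them is ACTIVE.
check_vpn_services() {
    awk -F'|' -v expected="${1:-2}" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        !/^\|/ { next }                      # skip +----+ borders and noise
        !header_seen {                       # first row: find columns by name
            for (i = 2; i < NF; i++) {
                if (trim($i) == "name")   name_col = i
                if (trim($i) == "status") status_col = i
            }
            header_seen = 1
            next
        }
        {
            total++
            if (status_col && trim($status_col) != "ACTIVE") {
                printf "NOT ACTIVE: %s (%s)\n", trim($name_col), trim($status_col)
                bad++
            }
        }
        END {
            if (!status_col) { print "no status column in input"; exit 2 }
            if (total < expected) {
                printf "only %d of %d expected services listed\n", total, expected
                exit 1
            }
            exit (bad > 0)
        }'
}

# Constructed sample input: the table from this page, with vpn_east changed
# to DOWN to show the failure path.
sample_down() {
    cat <<'EOF'
+--------------------------------------+----------+--------------------------------------+--------+
| id                                   | name     | router_id                            | status |
+--------------------------------------+----------+--------------------------------------+--------+
| ad941ec4-5f3d-4a30-aae2-1ab3f4347eb1 | vpn_west | 051f7ce3-4301-43cc-bfbd-7ffd59af539e | ACTIVE |
| edce15db-696f-46d8-9bad-03d087f1f682 | vpn_east | 058842e0-1d01-4230-af8d-0ba6d0da8b1f | DOWN   |
+--------------------------------------+----------+--------------------------------------+--------+
EOF
}

# On a deployed cloud: neutron vpn-service-list | check_vpn_services 2
sample_down | check_vpn_services 2 || echo "VPN smoke test failed (exit $?)"
```

Empty input (for example when the CLI call itself fails) is reported as exit code 2, so a missing table is not mistaken for a healthy one.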
Trunking
The network trunk service allows multiple networks to be connected to an instance using a single virtual NIC (vNIC). Multiple networks can be presented to an instance by connecting it to a single port.
Modify the /etc/kolla/globals.yml file as the following example shows:
enable_neutron_trunk: "yes"
Neutron Logging Framework
Preparation and deployment
Modify the /etc/kolla/globals.yml file as the following example shows:
enable_neutron_packet_logging: "yes"
For OVS deployment, you need to override the firewall driver in openvswitch_agent.ini to:
[security_group]
firewall_driver = openvswitch
Verification
Verify that loggable resources are properly registered:
# openstack network loggable resources list
+-----------------+
| Supported types |
+-----------------+
| security_group |
+-----------------+
The output shows that security group logging is now enabled.
You may now create a network logging rule to log all events based on a security group object:
# openstack network log create --resource-type security_group \
--description "Collecting all security events" \
--event ALL Log_Created
More examples and information can be found at: https://docs.openstack.org/neutron/latest/admin/config-logging.html