diff --git a/doc/admin-guide-cloud/section_networking_adv_features.xml b/doc/admin-guide-cloud/section_networking_adv_features.xml index 0d1f759f92..d9fca91fcc 100644 --- a/doc/admin-guide-cloud/section_networking_adv_features.xml +++ b/doc/admin-guide-cloud/section_networking_adv_features.xml @@ -1705,5 +1705,112 @@ + +
+ Big Switch Plugin Extensions + The following section explains the Big Switch Neutron plugin-specific extension. +
+ Big Switch Router Rules + Big Switch allows router rules to be added to each + tenant router. These rules can be used to enforce routing + policies such as denying traffic between subnets or traffic + to external networks. By enforcing these at the router + level, network segmentation policies can be enforced across + many VMs that have differing security groups. +
+ Router Rule Attributes + Each tenant router has a set of router rules + associated with it. Each router rule has the attributes + in the following table. Router rules and their + attributes can be set using the + neutron router-update command, + via the Horizon interface, or through the Neutron API. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Big Switch Router Rule Attributes
Attribute nameRequiredInput TypeDescription
sourceYesA valid CIDR or one of the keywords + 'any' or 'external'The network that a packet's source IP must + match for the rule to be applied
destinationYesA valid CIDR or one of the keywords + 'any' or 'external'The network that a packet's destination IP + must match for the rule to be applied
actionYes'permit' or 'deny'Determines whether or not the matched + packets will allowed to cross the router
nexthopNoA plus-separated (+) list of next-hop IP + addresses (e.g. '1.1.1.1+1.1.1.2')Overrides the default virtual router used to + handle traffic for packets that match the + rule
+
+
+ Order of Rule Processing + The order of router rules has no effect. Overlapping + rules are evaluated using longest prefix matching on + the source and destination fields. The source field + is matched first so it always takes higher precedence + over the destination field. In other words, longest + prefix matching is used on the destination field only + if there are multiple matching rules with the same + source. +
+
+ Big Switch Router Rules Operations + Router rules are configured with a router update + operation in Neutron. The update overrides any previous + rules so all of the rules must be provided at the same + time. + Update a router with rules to permit traffic by + default but block traffic from external networks to the + 10.10.10.0/24 subnet: + $ neutron router-update Router-UUID --router_rules type=dict list=true\ +source=any,destination=any,action=permit \ +source=external,destination=10.10.10.0/24,action=deny + Specify alternate next-hop addresses for a specific + subnet: + $ neutron router-update Router-UUID --router_rules type=dict list=true\ +source=any,destination=any,action=permit \ +source=10.10.10.0/24,destination=any,action=permit,nexthops=10.10.10.254+10.10.10.253 + Block traffic between two subnets while + allowing everything else: + $ neutron router-update Router-UUID --router_rules type=dict list=true\ +source=any,destination=any,action=permit \ +source=10.10.10.0/24,destination=10.20.20.20/24,action=deny +
+
+
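Review bot: the attribute name in the table and the name used in the CLI examples disagree: the table row lists the attribute as `nexthop`, while the second `router-update` example passes `nexthops=10.10.10.254+10.10.10.253`; one of the two should be corrected so readers do not copy a parameter the plugin will reject. In the third example, `destination=10.20.20.20/24` has host bits set although the surrounding text says the rule blocks traffic "between two subnets"; `10.20.20.0/24` looks like the intended value. In the `action` row, "will allowed to cross the router" is missing "be". Finally, the "Operations" paragraph says an update replaces all previous rules and every example therefore restates `source=any,destination=any,action=permit`, but the section never states what happens to traffic that matches no rule; a sentence giving the default action (and noting that the catch-all permit must be re-sent with each update or the router's behaviour changes) would save operators from accidentally dropping or admitting traffic when they update the rule list.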