Single-core and multicore CPUs

2 GB and above

5 GB and above

OpenStack deployed by using Kolla-Ansible

·     OpenStack Ocata

·     OpenStack Pike

·     OpenStack Rocky

Item

Configuration directory

Fabrics

Provision > Network Design > Fabrics

VDS

Tenants > Common Network Settings > Virtual Distributed Switches

IP address pool

Provision > Inventory > IP Address Pools

Add access devices and border devices to a fabric

Provision > Network Design > Fabrics

L4-L7 device, physical resource pool, and template

Provision > Inventory > Devices > L4-L7 Device

Provision > Inventory > Devices > L4-L7 Physical Resource Pools

Border gateway

Tenants > Common Network Settings > Gateway

core_plugin

ml2

Used for loading the core plug-in ml2 to OpenStack.

service_plugins

h3c_vcfplugin.l3_router.h3c_l3_router_plugin.H3CL3RouterPlugin,firewall,lbaas,vpnaas

Used for loading the extension plug-ins to OpenStack.

For the Kilo, Mitaka, Pike, and Queens plug-ins, if deployment of firewall policies and rules takes a long time, you can change firewall in the value to fwaas_h3c.

service_provider

·     FIREWALL:H3C:h3c_vcfplugin.fw.h3c_fwplugin_driver.H3CFwaasDriver:default

·     LOADBALANCER:H3C:h3c_vcfplugin.lb.h3c_lbplugin_driver.H3CLbaasPluginDriver:default

·     VPN:H3C:h3c_vcfplugin.vpn.h3c_vpnplugin_driver.H3CVpnPluginDriver:default

Directory where the extension plug-ins are saved.

notification_drivers

message_queue,qos_h3c

Name of the QoS notification driver.

admin_user

N/A

Admin username for Keystone authentication in OpenStack, for example, neutron.

admin_password

N/A

Admin password for Keystone authentication in OpenStack, for example, 123456.

type_drivers

vxlan,vlan

Driver type.

vxlan must be specified as the first driver type.

tenant_network_types

vxlan,vlan

Type of the networks to which the tenants belong.

·     In the host overlay scenario and network overlay with hierarchical port binding scenario, vxlan must be specified as the first network type.

·     In the network overlay without hierarchical port binding scenario, vlan must be specified as the first network type.

For intranet, only vxlan is available.

For extranet, only vlan is available.

mechanism_drivers

ml2_h3c

Name of the ml2 driver.

To create SR-IOV instances for VLAN networks, set this parameter to sriovnicswitch, ml2_h3c.

To create hierarchy-supported instances, set this parameter to ml2_h3c,openvswitch.

extension_drivers

ml2_extension_h3c,qos

Names of the ml2 extension drivers. Available names include ml2_extension_h3c, qos, and port_security. If the QoS feature is not enabled on OpenStack, you do not need to specify the value qos for this parameter. To not enable port security on OpenStack, you do not need to specify the port_security value for this parameter (The Ocata 2017.1 plug-ins do not support the port_security value.)

Kilo 2015.1 plug-ins do not support the QoS driver.

network_vlan_ranges

N/A

Value range for the VLAN ID of the extranet, for example, physicnet1:1000:2999.

vni_ranges

N/A

Value range for the VXLAN ID of the intranet, for example, 1:500.

enable_lb

Whether to enable or disable the LB configuration page.

·     True—Enable.

·     False—Disable.

enable_firewall

Whether to enable or disable the FW configuration page.

·     True—Enable.

·     False—Disable.

enable_vpn

Whether to enable or disable the VPN configuration page.

·     True—Enable.

·     False—Disable.

url

URL address for logging in to SNA Center, for example, http://127.0.0.1:10080.

username

Username for logging in to SNA Center, for example, admin. You do not need to configure a username when the use_neutron_credential parameter is set to True.

password

Password for logging in to SNA Center, for example, admin@123. You do not need to configure a password when the use_neutron_credential parameter is set to True. To use character "$" in the password, enter a backslash (\) before the character.

domain

Name of the domain where the controller resides, for example, sdn.

timeout

The amount of time that the Neutron server waits for a response from the controller in seconds, for example, 1800 seconds.

As a best practice, set the waiting time greater than or equal to 1800 seconds.

retry

Maximum times for sending connection requests from the Neutron server to the controller, for example, 10.

vif_type

Default vNIC type:

·     ovs

·     vhostuser (applied to the OVS DPDK solution)

You can set the vhostuser_mode parameter when the value of this parameter is vhostuser.

Only the Pike plug-ins support this parameter.

vnic_type

Default vNIC type:

·     ovs

·     vhostuser

Only the plug-ins earlier than Ocata support this parameter.

vhostuser_mode

Default DPDK vHost-user mode:

·     server

·     client

The default value is server.

This setting takes effect only when the value of the vif_type parameter is vhostuser.

hybrid_vnic

Whether to enable or disable the feature of mapping OpenStack VLAN to SeerEngine-DC VXLAN.

·     True—Enable.

·     False—Disable.

ip_mac_binding

Whether to enable or disable IP-MAC binding.

·     True—Enable.

·     False—Disable.

denyflow_age

Anti-spoofing flow table aging time for the virtual distributed switch (VDS), an integer in the range of 1 to 3600 seconds, for example, 300 seconds.

white_list

Whether to enable or disable the authentication-free user feature on OpenStack.

·     True—Enable.

·     False—Disable.

auto_create_tenant_to_vcfc

Whether to enable or disable the feature of automatically creating tenants on the controller.

·     True—Enable.

·     False—Disable.

router_binding_public_vrf

Whether to use the public network VRF for creating a vRouter.

·     True—Use.

·     False—Do not use.

Do not set the value to True for a weak control network.

enable_subnet_dhcp

Whether to enable or disable DHCP for creating a vSubnet.

·     True—Enable.

·     False—Disable.

dhcp_lease_time

Valid time for vSubnet IP addresses obtained from the DHCP address pool in days, for example, 365 days.

firewall_type

Type of the firewalls created on the controller:

·     CGSR—Context-based gateway service type firewall, each using an independent context. This firewall type is available only when the value of the resource_mode parameter is CORE_GATEWAY.

·     CGSR_SHARE—Context-based gateway service type firewall, all using the same context even if they belong to different tenants. This firewall type is available only when the value of the resource_mode parameter is CORE_GATEWAY.

·     CGSR_SHARE_BY_COUNT—Context-based gateway service type firewall, all using the same context when the number of contexts reaches the threshold set by the cgsr_fw_context_limit parameter. This firewall type is available only when the value of the resource_mode parameter is CORE_GATEWAY. Only the Pike plug-ins support this firewall type.

·     NFV_CGSR—VNF-based gateway service type firewall, each using an independent VNF. This firewall type is available only when the value of the resource_mode parameter is CORE_GATEWAY.

fw_share_by_tenant

Whether to enable exclusive use of a gateway service type firewall context by a single tenant and allow the context to be shared by service resources of the tenant when the firewall type is CGSR_SHARE.

lb_type

Type of the load balancers created on the controller.

·     CGSR—Gateway service type load balancer on a context. This type of load balancers are available only when the value of the resource_mode parameter is set to CORE_GATEWAY. When the value of the lb_resource_mode parameter is SP, CGSR type load balancers that belong to one tenant use the same context. CGSR type load balancers that belong to different tenants use different contexts. When the value of the lb_resource_mode parameter is MP, CGSR type load balancers that belong to one tenant and are bound to the same gateway use the same context. CGSR type load balancers that belong to different tenants use different contexts.

·     CGSR_SHARE—Gateway service type load balancer on a context. This type of load balancers are available only when the value of the resource_mode parameter is set to CORE_GATEWAY. When the value of the lb_resource_mode parameter is SP, all CGSR_SHARE type load balancers use the same context even if they belong to different tenants. When the value of the lb_resource_mode parameter is MP, CGSR_SHARE type load balancers that belong to different tenants and are bound to the same gateway use the same context.

·     NFV_CGSR—Gateway service type load balancer on a VNF. This type of load balancers are available only when the value of the resource_mode parameter is set to CORE_GATEWAY. When the value of the lb_resource_mode parameter is SP, NFV_CGSR type load balancers that belong to one tenant use the same VNF. NFV_CGSR type load balancers that belong to different tenants use different VNFs. When the value of the lb_resource_mode parameter is MP, NFV_CGSR type load balancers that belong to one tenant and are bound to the same gateway use the same VNF. NFV_CGSR type load balancers that belong to different tenants use different VNFs.

resource_mode

Type of the resources created on the controller.

·     CORE_GATEWAY—Gateway resources.

·     NFV—VNF resources. This value is obsoleted.

resource_share_count

Number of resources that can share a resource node. The value is in the range of 1 to 65535. The default value is 1, indicating that no resources can share a resource node.

auto_delete_tenant_to_vcfc

Whether to enable or disable the feature of automatically removing tenants from the controller.

·     True—Enable.

·     False—Disable.

auto_create_resource

Whether to enable or disable the feature of automatically creating resources.

·     True—Enable.

·     False—Disable.

nfv_ha

Whether configure the NFV and NFV_SHARE resources to support stack.

·     True—Support.

·     False—Do not support.

vds_name

Name of the VDS, for example, VDS1.

After deleting a VDS and recreating a VDS with the same name, you must perform the following tasks on the controller node for the new VDS to take effect:

·     Reboot the neutron-server service.

·     Reboot the h3c-agent service.

enable_metadata

Whether to enable or disable metadata for OpenStack.

·     True—Enable.

·     False—Disable.

If you enable this feature, you must set the enable_l3_router_rpc_notify parameter to True.

use_neutron_credential

Whether to use the OpenStack Neutron username and password to communicate with the controller.

·     True—Use.

·     False—Do not use.

enable_security_group

Whether to enable or disable the feature of deploying security group rules to the controller.

·     True—Enable.

·     False—Disable.

disable_internal_l3flow_offload

Whether to enable or disable intra-network traffic routing through the gateway.

·     True—Disable.

·     False—Enable.

firewall_force_audit

Whether to audit firewall policies synchronized to the controller by OpenStack. The default value is False for the Kilo 2015.1 plug-ins and True for plug-ins of other versions.

·     True—Audits firewall policies synchronized to the controller by OpenStack. The auditing state of the synchronized policies on the controller is True (audited).

·     False—Does not audit firewall policies synchronized to the controller by OpenStack. The synchronized policies on the controller retain their previous auditing state.

enable_l3_router_rpc_notify

Whether to enable or disable the feature of sending Layer 3 routing events through RPC.

·     True—Enable.

·     False—Disable.

output_json_log

Whether to output REST API messages to the OpenStack operating logs in JSON format for communication between the SeerEngine-DC Neutron plug-ins and the controller.

·     True—Enable.

·     False—Disable.

lb_enable_snat

Whether to enable or disable Source Network Address Translation (SNAT) for load balancers on the controller.

·     True—Enable.

·     False—Disable.

empty_rule_action

Set the action for security policies that do not contain any ACL rules on the controller.

·     permit

·     deny

enable_l3_vxlan

Whether to enable or disable the feature of using Layer 3 VXLAN IDs (L3VNIs) to mark Layer 3 flows between vRouters on the controller.

·     True—Enable.

·     False—Disable.

By default, this feature is disabled.

l3_vni_ranges

Set the value range for the L3VNI, for example, 10000:10100. If the controller interoperates with multiple OpenStack platforms, make sure the L3VNI value range for each OpenStack platform is unique.

vendor_rpc_topic

RPC topic of the vendor. This parameter is required when the vendor needs to obtain Neutron data from the SeerEngine-DC Neutron plug-ins. The available values are as follows:

·     VENDOR_PLUGIN—Default value, which means that the parameter does not take effect.

·     DP_PLUGIN—RPC topic of DPtech.

The value of this parameter must be negotiated by the vendor and H3C.

vsr_descriptor_name

VNF descriptor name of the VNF virtual gateway resource created on VNF manager 3.0. This parameter is available only when the value of the resource_mode parameter is set to NFV. When you configure this parameter, make sure its value is the same as the VNF descriptor name specified on the VNF manager of the controller.

vlb_descriptor_name

VNF descriptor name of the virtual load balancing resource created on VNF manager 3.0. This parameter is available only when the value of the resource_mode parameter is set to NFV or the value of the lb_type parameter is set to NFV_CGSR. When you configure this parameter, make sure its value is the same as the VNF descriptor name specified on the VNF manager of the controller.

vfw_descriptor_name

VNF descriptor name of the virtual firewall resource created on VNF manager 3.0. This parameter is available only when the value of the resource_mode parameter is set to NFV or the value of the firewall_type parameter is set to NFV_CGSR. When you configure this parameter, make sure its value is the same as the VNF descriptor name specified on the VNF manager of the controller.

hierarchical_port_binding_physicnets

Policy for OpenStack to select a physical VLAN when performing hierarchical port binding. The default value is ANY.

·     ANY—A VLAN is selected from all physical VLANs for VLAN ID assignment.

·     PREFIX—A VLAN is selected from all physical VLANs matching the specified prefix for VLAN ID assignment.

hierarchical_port_binding_physicnets_prefix

Prefix for matching physical VLANs. The default value is physicnet. This parameter is available only when you set the value of the hierarchical_port_binding_physicnets parameter to PREFIX.

Only the Ocata and Pike plug-ins support this parameter.

network_force_flat

Whether to enable forcible conversion of an external network to a flat network. The value can only be set to True if the external network is a VXLAN.

directly_external

Whether traffic to the external network is directly forwarded by the gateway. The available values are as follows:

·     ANY—Traffic to the external network is directly forwarded by the gateway to the external network.

·     OFF—Traffic to the external network is forwarded by the gateway to the firewall and then to the external network.

·     SUFFIX—Determine the forwarding method for the traffic to the external network by matching the traffic against the vRouter name suffix (set by the directly_external_suffix parameter).

¡     If the traffic matches the suffix, the traffic is directly forwarded by the gateway to the external network.

¡     If the traffic does not match the suffix, the traffic is forwarded by the gateway to the firewall and then to the external network.

The default value is OFF. You can set the value to ANY only when the external network is a VXLAN and the value of network_force_flat is False.

directly_external_suffix

vRouter name suffix (DMZ for example). This parameter is available only when you set the value of the directly_external parameter to SUFFIX.

generate_vrf_based_on_router_name

Whether to use the vRouter names configured on OpenStack as the VRF names on the controller.

·     True—Use the names. Make sure each vRouter name configured on OpenStack is a case-sensitive string of 1 to 31 characters that contain only letters and digits.

·     False—Not to use the names.

By default, the vRouter names configured on OpenStack are not used as the VRF names on the controller.

enable_dhcp_hierarchical_port_binding

Whether to enable DHCP hierarchical port binding. The default value is False.

·     True—Enable.

·     False—Disable.

Only the Pike, Mitaka, Newton, and Rocky plug-ins support this parameter.

enable_multi_segments

Whether to enable multiple outbound interfaces, allowing the vRouter to access the external network from multiple outbound interfaces. The default value is False.

To enable multiple outbound interfaces, configure the following settings:

·     Set the value of this parameter to True.

·     Set the value of the network_force_flat parameter to False.

·     Access the /etc/neutron/plugins/ml2/ml2_conf.ini file on the control node and specify the controller's gateway name for the network_vlan_ranges parameter.

Only the Pike plug-ins support this parameter.

enable_https

Whether to enable HTTPS bidirectional authentication. The default value is False.

·     True—Enable.

·     False—Disable.

Only the Pike plug-ins support this parameter.

neutron_plugin_ca_file

Save location for the CA certificate of the controller. As a best practice, save the CA certificate in the /usr/share/neutron directory.

Only the Pike plug-ins support this parameter.

neutron_plugin_cert_file

Save location for the Cert certificate of the controller. As a best practice, save the Cert certificate in the /usr/share/neutron directory.

Only the Pike plug-ins support this parameter.

neutron_plugin_key_file

Save location for the Key certificate of the controller. As a best practice, save the Cert certificate in the /usr/share/neutron directory.

Only the Pike plug-ins support this parameter.

router_route_type

Route entry type:

·     None—Standard route.

·     401—Extended route with the IP address of an online vPort as the next hop.

·     402—Extended route with the IP address of an offline vPort as the next hop.

The default value is None.

Only the Pike plug-ins support this parameter.

enable_router_nat_without_firewall

Whether to enable NAT when no firewall is configured for the tenant.

·     True—Enable NAT when no firewall is configured. This setting automatically creates default firewall resources to implement NAT if the vRouter has been bound to an external network.

·     False—Not enable NAT when no firewall is configured.

The default value is False.

Only the Pike plug-ins support this parameter.

cgsr_fw_context_limit

Context threshold for context-based gateway service type firewalls. The value is an integer. When the threshold is reached, all the context-based gateway service type firewalls use the same context.

This parameter takes effect only when the value of the firewall_type parameter is CGSR_SHARE_BY_COUNT.

Only the Pike plug-ins support this parameter.

force_vip_port_device_owner_none

Whether to support the LB vport device_owner field.

·     False—Support the LB vport device_owner field. This setting is applicable to an LB tight coupling solution.

·     True—Do not support the LB vport device_owner field. This setting is applicable to an LB loose coupling solution.

The default value is False.

enable_multi_gateways

Whether to enable the multi-gateway mode for the tenant.

·     True—Enable the multi-gateway mode for the tenant. In an OpenStack environment without the Segments configuration, this setting enables different vRouters to access the external network over different gateways.

·     False—Not enable the multi-gateway mode for the tenant.

The default value is False.

Only the Pike, Queens, and Rocky plug-ins support this parameter.

tenant_gateway_name

Name of the gateway to which the tenant is bound. The default value is None.

When the value of the tenant_gw_selection_strategy parameter is match_gateway_name. You must specify the name of an existing gateway on the controller side.

Only the Pike and Rocky plug-ins support this parameter.

tenant_gw_selection_strategy

Gateway selection strategy for the tenant.

·     match_first—Select the first gateway.

·     match_gateway_name—Take effect together with the tenant_gateway_name parameter.

Only the Pike and Rocky plug-ins support this parameter.

enable_iam_auth

Whether to enable IAM interface authentication.

·     True—Enable.

·     False—Disable.

When connecting to SNA Center, you can set the value to True to use the IAM interface for authentication.

The default value is False.

Only the Mitaka and Newton plug-ins support this parameter.

enable_vcfc_rpc

Whether to enable RPC connection between the plug-ins and the controller in the DHCP fail-safe scenario.

The default value is False.

Only the Pike plug-ins support this parameter.

vcfc_rpc_url

RPC interface URL of the controller. Only a WebSocket type interface is supported.

The default value is ws://127.0.0.1:1080.

vcfc_rpc_ping_interval

Interval at which an RPC ICMP echo request message is sent to the controller, in seconds.

The default value is 60 seconds.

websocket_fragment_size

Size of a WebSocket fragment sent from the plug-in to the controller in the DHCP fail-safe scenario, in bytes.

The value is an integer equal to or larger than 1024. The default value is 1024. If the value is 1024, the message is not fragmented.

lb_member_slow_shutdown

Whether to enable slow shutdown when creating an LB pool.

The default value is False.

enable_network_l3vni

Whether to issue the L3VNIs when creating an external network. This parameter is valid only when the value of the enable_l3_vxlan parameter is True.

The default value is False.

lb_resource_mode

Resource pool mode of LB service resources. When the value is SP, all gateways share one LB resource pool. When the value is MP, the system creates an LB resource pool for each gateway.

The default value is SP.

neutron_black_list

Neutron denylist. Only value flat is supported. No default value exists.

When the value is flat, the SDN ML2 plug-in will not issue flat-type internal network resources to the controller, and you are not allowed to bind or unbind router interfaces from flat-type internal subnets.

Only the Pike plug-ins support this parameter.

enable_lb_xff

Whether to enable XFF transparent transmission for LB listeners.

·     True—Enable.

·     False—Disable.

The default value is False.

When the value is True and the listener protocol is HTTP or TERMINATED_HTTPS, a newly created listener is enabled with XFF transparent transmission by default, and the client's IP address is transparently transmitted to the server encapsulated in the X-Forward-For field of the HTTP header.

Only the Pike plug-ins support this parameter.

cloud_identity_mode

Whether to enable the multicloud function.

·     disable—Not carry the cloud_region_name field when sending a request to the controller.

·     region—Carry the cloud_region_name field when sending a request to the controller.

If multiple cloud platforms are connected to the controller, configure a different region name for each cloud platform.

·     custom—Carry the cloud_region_name field when sending a request to the controller. The value of the cloud_region_name field is that of the custom_cloud_name parameter.

The default value is disable.

Only the Newton, Queens, and Rocky plug-ins support this parameter.

custom_cloud_name

Cloud platform name. The default value is openstack-1. If multiple cloud platforms are connected to the controller, configure a different name for each cloud platform.

This parameter takes effect only when the value of the cloud_identity_mode parameter is custom.

Only the Newton, Queens, and Rocky plug-ins support this parameter.

deploy_network_resource_gateway

Whether to carry the gateway_list field for the external network sources.

The default value is False.

When the value of this field is True, you must set the value of the network_force_flat field to False.

force_vlan_port_details_qvo

Whether to forcibly create a qvo-type vPort on the OVS bridge after a VM in a VLAN network comes online. If the value is True, the system forcibly creates a qvo-type vPort. If the value is False, the system automatically creates a tap-type or qvo-type vPort as configured. As a best practice, set the value to False for interoperability with the cloud platform for the first time.

Only the Mitaka, Newton, Pike, Queens, and Rocky plug-ins support this parameter.

enable_firewall_object_group

Whether to enable firewall object groups for the plug-ins.

The default value is False. If the value is True, the OpenStack platform can create firewall object groups through the plug-ins.

Only the Rocky plug-ins support this parameter.

For this feature to take effect, you must ensure its compatibility with the OpenStack Platform. For the compatibility configuration, contact the technical support.