Posted to users@cloudstack.apache.org by clement mutz <c....@servitics.fr> on 2014/08/07 09:56:36 UTC

question about security group

Hi community!

I'll try to create a zone with a public network. I can't ping my VMs (instances, system VMs).

How can I configure the different access?

I appreciate any help.

Best regards,

CloudStack 4.3 on CentOS.

Re: question about security group

Posted by clement mutz <c....@servitics.fr>.
Hi Skrev,


> Get the verbose iptables output.

> iptables -nvL


root@v-2-VM:/var/www# iptables -vnL
Chain INPUT (policy DROP 77 packets, 25256 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  988 75720 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 4242  411K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  327 25304 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 13
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
   10   600 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3922
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8001
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8001
    0     0 ACCEPT     tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 5334 packets, 603K bytes)
 pkts bytes target     prot opt in     out     source               destination         



Get the verbose iptables output.

iptables -nvL
On 15 Aug 2014 18:24, "clement mutz" <c....@servitics.fr> wrote:

>
> Hi,
>
>
> > What's wrong with my configuration? Did I forget something?
>
> >> Start by running tcpdump along the network path and try to isolate
> >> the faulty network configuration.
>
> OK, I am running tcpdump on the console proxy and I can see packets.
>
>
> With the following command on console proxy : tcpdump -vv -i eth1
>
> Quote
> 16:05:14.378905 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
> 16:05:15.377608 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
> 16:05:16.377600 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
> 16:05:17.395947 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
> 16:05:18.393719 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
> 16:05:18.828127 IP (tos 0x0, ttl 64, id 30676, offset 0, flags [DF], proto TCP (6), length 56)
>     10.254.50.201.58036 > 10.254.50.45.8250: Flags [P.], cksum 0x7b1c (incorrect -> 0xdd06), seq 3973496:3973500, ack 1507845368, win 2641, options [nop,nop,TS val 826858 ecr 954898], length 4
>  seq 3973496:3973500, ack 1507845368, win
> eq 1:5, ack 217, win 331, options [nop,nop,TS val 956151 ecr 826868], length 4
> 16:05:18.883024 IP (tos 0x0, ttl 64, id 30678, offset 0, flags [DF], proto TCP (6), length 52)
>
>
> I see packets coming in on my console proxy
>
> I didn't touch iptables rules
>
>
> iptables -L on console proxy :
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> DROP       icmp --  anywhere             anywhere             icmp timestamp-request
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:3922
> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:8001
> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:8001
> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
>
> Thanks for your reply.
>
> Clément
>
> -------------------------------------------
>
>
>
> Hi,
>
> I'll give you my different tests. The first problem is that I can't ping the
> system VM (internal NIC and external NIC) from the same network (from the
> computing node, for example).
>
> I can ping a host from the internal NIC (10.254.50.0/24) from the system VM.
>
> IP address of computing node 10.254.50.45.
> IP address of console proxy vm 10.254.50.209
>
>
> On console proxy VM :
>
> root@v-2-VM:~# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 0.0.0.0         37.122.XXX.XX   0.0.0.0         UG    0      0        0 eth2
> 8.8.8.8         10.254.50.254   255.255.255.255 UGH   0      0        0 eth1
> 10.254.50.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 37.122.XXX.XXX  0.0.0.0         255.255.255.XXX U     0      0        0 eth2
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
>
> I can ping www.google.fr, my two gateways and a test host:
>
> root@v-2-VM:~# ping -c2 www.google.fr
> PING www.google.fr (173.194.66.94): 48 data bytes
> 56 bytes from 173.194.66.94: icmp_seq=0 ttl=48 time=5.989 ms
> 56 bytes from 173.194.66.94: icmp_seq=1 ttl=48 time=5.959 ms
> --- www.google.fr ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 5.959/5.974/5.989/0.000 ms
>
> root@v-2-VM:~# ping -c2 10.254.50.254
> PING 10.254.50.254 (10.254.50.254): 48 data bytes
> 56 bytes from 10.254.50.254: icmp_seq=0 ttl=64 time=0.250 ms
> 56 bytes from 10.254.50.254: icmp_seq=1 ttl=64 time=0.251 ms
> --- 10.254.50.254 ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.250/0.251/0.251/0.000 ms
>
> root@v-2-VM:~# ping -c2 37.122.XXX.XXX
> PING 37.122.XXX.XXX (37.122.XXX.XXX): 48 data bytes
> 56 bytes from 37.122.XXX.XXX: icmp_seq=0 ttl=64 time=0.284 ms
> 56 bytes from 37.122.XXX.XXX: icmp_seq=1 ttl=64 time=0.173 ms
> --- 37.122.XXX.XXX ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.173/0.228/0.284/0.056 ms
>
> root@v-2-VM:~# ping -c2 10.254.50.123
> PING 10.254.50.123 (10.254.50.123): 48 data bytes
> 56 bytes from 10.254.50.123: icmp_seq=0 ttl=128 time=1.468 ms
> 56 bytes from 10.254.50.123: icmp_seq=1 ttl=128 time=0.345 ms
> --- 10.254.50.123 ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.345/0.906/1.468/0.562 ms
>
> From my computing node I can ping the gateway but not the system VM:
>
> root@ubuntu:/# ping -c2 10.254.50.254
> PING 10.254.50.254 (10.254.50.254) 56(84) bytes of data.
> 64 bytes from 10.254.50.254: icmp_req=1 ttl=64 time=1.14 ms
> 64 bytes from 10.254.50.254: icmp_req=2 ttl=64 time=0.238 ms
>
> --- 10.254.50.254 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1001ms
> rtt min/avg/max/mdev = 0.238/0.691/1.145/0.454 ms
>
> root@ubuntu:/# ping -c2 10.254.50.209
> PING 10.254.50.209 (10.254.50.209) 56(84) bytes of data.
>
> --- 10.254.50.209 ping statistics ---
> 2 packets transmitted, 0 received, 100% packet loss, time 1000ms
>
>
> Is there a hidden firewall?
>
>
>
>
>
>
> Hi Tejas,
>
> > Thank you for your reply. I already tried to configure the firewall rules (ex: http://i.imgur.com/oiGMMle.png).
> > No access to my instances.
>
> >> From the VM instance, are you able to ICMP ping the virtual router? If you can't,
> >> then please check your network VLAN assignments and traffic label configurations
>
> Yes, very good point! I can't ping the virtual router from the VM instance.
> So to validate my network I duplicated the network configuration created
> by CloudStack on another XenServer (same environment, same switch ...) ;).
> So on another XenServer I created two VMs (with XenCenter) and ping worked.
> Picture of the network configuration created by CloudStack (see vl41):
> http://i.imgur.com/K8Bo3kK.png
> Picture of the network configuration created by me on another Xen pool:
> http://i.imgur.com/ieYD5Oy.png
>
> On CloudStack, my traffic label: http://i.imgur.com/P7ZRbf7.png
>
>
> > I don't have access to the system VMs (console, secondary storage).
>
> >> If you are not able to access the system VMs, then I would first
> >> make sure my Zone network configuration and the hypervisor
> >> network traffic types are configured correctly.
>
> ---------------------------------------------------------------
> interfaces      | with isolation mode   | without isolation mode
> administration  | Vl50                  | Vl50
> public          | NONE                  | Vl60
> guest           | Vl60                  | Vl50
> Storage         | Vl20                  | Vl20
> ---------------------------------------------------------------
>
> As you can see, this is the traffic label configuration. With isolation mode
> CloudStack works without problems.
> With isolation mode I declared my guest network (label Vl60) as the public
> network (testing). And I can ping my system VMs (console and storage) and my
> instances via the public NIC.
> I can ping the administration network too (not possible without isolation
> mode).
>
> I am sure of my zone network configuration (at 99%) because I created an
> advanced zone with isolation mode and that worked (access) ;)
>
>
>
> > My network is OK because when I configure my zone with security groups I have access
> > to the system VMs and to my instances.
>
> >> Basic network and Advanced Networks work very differently. Advanced network uses VLANs
> >> which if configured incorrectly can lead to issues like the one you are facing.
>
> Thank you, but when I say "configure my zone with security groups", I am
> talking about an advanced network and I check "Isolation mode" :).
>
>
>
>
>
> Hi Clement,
>
> Comments inline.
>
> On 08-Aug-2014, at 12:18 am, clement mutz <c....@servitics.fr> wrote:
>
> > Thank you for your reply. I already tried to configure the firewall rules (ex: http://i.imgur.com/oiGMMle.png).
> > No access to my instances.
>
> From the VM instance, are you able to ICMP ping the virtual router? If you
> can't, then please check your network VLAN assignments and traffic label
> configurations
>
>
> > I don't have access to the system VMs (console, secondary storage).
>
> If you are not able to access the system VMs, then I would first
> make sure my Zone network configuration and the hypervisor
> network traffic types are configured correctly.
>
>
> > My network is OK because when I configure my zone with security groups I have access
> > to the system VMs and to my instances.
>
> Basic network and Advanced Networks work very differently. Advanced
> network uses VLANs which if configured incorrectly can lead to issues
> like the one you are facing.
>
> > What's wrong with my configuration? Did I forget something?
>
> Start by running tcpdump along the network path and try to isolate
> the faulty network configuration.
>
>
> > Sorry for my bad English. I'm learning ;)
> >
> > Thank you very much.
> >
>
> No problems.
>
>
>
>
> > Clément
> >
> >
> >
> >
> > Comments inline.
> >
> > On 07-Aug-2014, at 6:24 pm, clement mutz <c....@servitics.fr> wrote:
> >
> >> Hi Shanker,
> >>
> >>> Look under Network -> Select View -> Security Groups.
> >>
> >> Thank you, but the problem appears when I choose an advanced zone without security groups. So I can't see Security Groups (http://i.imgur.com/WR18PPl.png) ;)
> >>
> >
> > In advanced zones you don't have security groups by default, only EGRESS and INGRESS rules.
> >
> >> How can I configure the different access without security groups?
> >
> > Looking at your screenshot, go to Network -> Isolated Network (vl400) -> Egress Rules and
> > Network -> Isolated Network (vl400) -> Source NAT -> Configuration -> Firewall Rules.
> >
> >>
> >>> The ML strips out attachments. You can use http://imgur.com to share images.
> >>
> >> Thanks for the information :)
> >>
> >> I can't choose Security group when I created a zone with a public network (I mean with a public NIC) (http://i.imgur.com/52bjasU.png and http://i.imgur.com/UN9RXR2.png)...
> >> I don't understand why.
> >> When I created a zone with security groups, no problem: I can use ACC Ingress and Egress rules, but I don't have a public interface (http://i.imgur.com/EhBAbvC.png and http://i.imgur.com/GjhFOZD.png).
> >>
> >>
> >>
> >>
> >>
> >> ----- Original Message -----
> >> From: "Shanker Balan" <sh...@shapeblue.com>
> >> To: "CloudStack-Users" <us...@cloudstack.apache.org>
> >> Sent: Thursday 7 August 2014 13:49:40
> >> Subject: Re: question about security group
> >>
> >> Comments inline.
> >>
> >> On 07-Aug-2014, at 3:44 pm, clement mutz <c....@servitics.fr> wrote:
> >>
> >>> Hi Tejas,
> >>>
> >>> I cannot see the security group in the network tab.
> >>
> >> Look under Network -> Select View -> Security Groups.
> >>
> >>>
> >>> I can't choose Security group when I created a zone with a public network (I mean with a public NIC) (picture 1 and 2)... I don't understand why.
> >>> When I created a zone with security groups, no problem: I can use ACC Ingress and Egress rules, but I don't have a public interface (picture 3 and 4).
> >>>
> >>
> >> The ML strips out attachments. You can use http://imgur.com to share images.
> >>
> >> --
> >> @shankerbalan
> >>
> >> M: +91 98860 60539 | O: +91 (80) 67935867
> >> shanker.balan@shapeblue.com | www.shapeblue.com | Twitter:@shapeblue
> >> ShapeBlue Services India LLP, 22nd floor, Unit 2201A, World Trade
> Centre, Bangalore - 560 055
> >>
> >> Find out more about ShapeBlue and our range of CloudStack related
> services
> >>
> >> IaaS Cloud Design & Build<
> http://shapeblue.com/iaas-cloud-design-and-build//>
> >> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/
> >
> >> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> >> CloudStack Infrastructure Support<
> http://shapeblue.com/cloudstack-infrastructure-support/>
> >> CloudStack Bootcamp Training Courses<
> http://shapeblue.com/cloudstack-training/>
> >>
> >> This email and any attachments to it may be confidential and are
> intended solely for the use of the individual to whom it is addressed. Any
> views or opinions expressed are solely those of the author and do not
> necessarily represent those of Shape Blue Ltd or related companies. If you
> are not the intended recipient of this email, you must neither take any
> action based upon its contents, nor copy or show it to anyone. Please
> contact the sender if you believe you have received this email in error.
> Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
> Services India LLP is a company incorporated in India and is operated under
> license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a
> company incorporated in Brasil and is operated under license from Shape
> Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of
> South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is
> a registered trademark.
>
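Added example (not part of any message in this thread, and not CloudStack code): a first-match evaluator over the INPUT chain of the `iptables -vnL` listing posted above, used to check which rule a ping from the computing node (10.254.50.45, arriving on eth1) would hit and what that rule's counter shows. It handles only the match types present in that listing; the function names and sample packets are assumptions made for the example.

```python
import ipaddress
import re

# INPUT chain as posted in this thread (iptables -vnL on v-2-VM).
LISTING = """\
Chain INPUT (policy DROP 77 packets, 25256 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  988 75720 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 4242  411K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  327 25304 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 13
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   10   600 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3922
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8001
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8001
    0     0 ACCEPT     tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
"""

UNITS = {"K": 10**3, "M": 10**6, "G": 10**9}  # iptables abbreviates large counters


def parse_count(text):
    """Convert a counter such as '411K' to an approximate integer."""
    return int(text[:-1]) * UNITS[text[-1]] if text[-1] in UNITS else int(text)


def parse_chain(listing):
    """Parse one built-in chain of `iptables -vnL` output into policy and rules."""
    lines = listing.strip().splitlines()
    head = re.match(r"Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)", lines[0])
    if not head:
        raise ValueError("not a built-in chain header: " + lines[0])
    rules = []
    for line in lines[1:]:
        f = line.split()
        if not f or f[0] == "pkts":           # blank line or column header
            continue
        rules.append({"pkts": parse_count(f[0]), "bytes": parse_count(f[1]),
                      "target": f[2], "prot": f[3], "in": f[5], "out": f[6],
                      "src": f[7], "dst": f[8], "extra": f[9:]})
    return {"name": head.group(1), "policy": head.group(2),
            "policy_pkts": parse_count(head.group(3)), "rules": rules}


def extras_match(extra, pkt):
    """Evaluate the match extensions printed after the destination column."""
    i = 0
    while i < len(extra):
        tok = extra[i]
        if tok == "state":                    # state NEW / RELATED,ESTABLISHED
            if pkt["state"] not in extra[i + 1].split(","):
                return False
            i += 2
        elif tok == "icmptype":               # icmptype 13 = timestamp request
            if pkt.get("icmp_type") != int(extra[i + 1]):
                return False
            i += 2
        elif tok in ("tcp", "udp"):           # protocol label printed before dpt:
            i += 1
        elif tok.startswith("dpt:"):
            if pkt.get("dport") != int(tok[4:]):
                return False
            i += 1
        else:                                 # refuse to guess at other matches
            raise ValueError("unsupported match: " + tok)
    return True


def rule_matches(rule, pkt):
    if rule["prot"] not in ("all", pkt["proto"]) or rule["in"] not in ("*", pkt["in"]):
        return False
    for field in ("src", "dst"):
        net = ipaddress.ip_network(rule[field], strict=False)
        if ipaddress.ip_address(pkt[field]) not in net:
            return False
    return extras_match(rule["extra"], pkt)


def first_match(chain, pkt):
    """Return (verdict, rule number or None for the policy, packet counter)."""
    for number, rule in enumerate(chain["rules"], start=1):
        if rule_matches(rule, pkt):
            if rule["target"] not in ("ACCEPT", "DROP", "REJECT"):
                raise ValueError("non-terminating target: " + rule["target"])
            return rule["target"], number, rule["pkts"]
    return chain["policy"], None, chain["policy_pkts"]


# Constructed sample packets; the addresses are the ones given in the thread.
PING = {"proto": "icmp", "icmp_type": 8, "state": "NEW", "in": "eth1",
        "src": "10.254.50.45", "dst": "10.254.50.209"}
TCP_22 = dict(PING, proto="tcp", dport=22)

if __name__ == "__main__":
    chain = parse_chain(LISTING)
    for label, pkt in (("ping", PING), ("tcp/22", TCP_22)):
        verdict, number, pkts = first_match(chain, pkt)
        print(label, verdict, f"rule {number}" if number else "chain policy", pkts)
```

For the ping it returns rule 6 (`ACCEPT icmp`) with a counter of 0, and since every ICMP type other than 13 is accepted before the policy applies, the 77 packets counted against the DROP policy cannot be echo requests.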

Re: question about security group

Posted by Erik Weber <te...@gmail.com>.
Get the verbose iptables output.

iptables -nvL
15. aug. 2014 18:24 skrev "clement mutz" <c....@servitics.fr> følgende:

>
> Hi,
>
>
> > What's wrong with my configuration ? I forgot something ?
>
> >> Start by running tcpdump along the network path and try to isolate
> >> the faulty network configuration.
>
> Ok i running tcpdump on console proxy and i can see packets.
>
>
> With the following command on console proxy : tcpdump -vv -i eth1
>
> Quote
> 16:05:14.378905 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has
> 10.254.50.209 tell 10.254.50.45, length 46
> 16:05:15.377608 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has
> 10.254.50.209 tell 10.254.50.45, length 46
> 16:05:16.377600 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has
> 10.254.50.209 tell 10.254.50.45, length 46
> 16:05:17.395947 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has
> 10.254.50.209 tell 10.254.50.45, length 46
> 16:05:18.393719 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has
> 10.254.50.209 tell 10.254.50.45, length 46
> 16:05:18.828127 IP (tos 0x0, ttl 64, id 30676, offset 0, flags [DF], proto
> TCP (6), length 56)
>     10.254.50.201.58036 > 10.254.50.45.8250: Flags [P.], cksum 0x7b1c
> (incorrect -> 0xdd06), seq 3973496:3973500, ack 1507845368, win 2641,
> options [nop,nop,TS val 826858 ecr 954898], length 4
>  seq 3973496:3973500, ack 1507845368, win
> eq 1:5, ack 217, win 331, options [nop,nop,TS val 956151 ecr 826868],
> length 4
> 16:05:18.883024 IP (tos 0x0, ttl 64, id 30678, offset 0, flags [DF], proto
> TCP (6), length 52)
>
>
> I see paquets come on my console proxy
>
> I didn't touch iptables rules
>
>
> iptables -L on console proxy :
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             state
> RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere             state
> RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere             state
> RELATED,ESTABLISHED
> DROP       icmp --  anywhere             anywhere             icmp
> timestamp-request
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:3922
> ACCEPT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:8001
> ACCEPT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:8001
> ACCEPT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:https
> ACCEPT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:http
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
>
> Thanks for your reply.
>
> Clément
>
> -------------------------------------------
>
>
>
> Hi,
>
> I give you my different tests, the first problem I can't ping system vm
> (internal nic and external nic) since same network (since computing node
> for exemple).
>
> I can ping a host from internal nic (10.254.50.0/24) since system vm.
>
> IP address of computing node 10.254.50.45.
> IP address of console proxy vm 10.254.50.209
>
>
> On console proxy VM :
>
> root@v-2-VM:~# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use
> Iface
> 0.0.0.0         37.122.XXX.XX   0.0.0.0         UG    0      0        0
> eth2
> 8.8.8.8         10.254.50.254   255.255.255.255 UGH   0      0        0
> eth1
> 10.254.50.0     0.0.0.0         255.255.255.0   U     0      0        0
> eth1
> 37.122.XXX.XXX  0.0.0.0         255.255.255.XXX U     0      0        0
> eth2
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0
> eth0
>
> I can ping www.google.fr, my two gateway and host for test:
>
> root@v-2-VM:~# ping -c2 www.google.fr
> PING www.google.fr (173.194.66.94): 48 data bytes
> 56 bytes from 173.194.66.94: icmp_seq=0 ttl=48 time=5.989 ms
> 56 bytes from 173.194.66.94: icmp_seq=1 ttl=48 time=5.959 ms
> --- www.google.fr ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 5.959/5.974/5.989/0.000 ms
>
> root@v-2-VM:~# ping -c2 10.254.50.254
> PING 10.254.50.254 (10.254.50.254): 48 data bytes
> 56 bytes from 10.254.50.254: icmp_seq=0 ttl=64 time=0.250 ms
> 56 bytes from 10.254.50.254: icmp_seq=1 ttl=64 time=0.251 ms
> --- 10.254.50.254 ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.250/0.251/0.251/0.000 ms
>
> root@v-2-VM:~# ping -c2 37.122.XXX.XXX
> PING 37.122.XXX.XXX (37.122.XXX.XXX): 48 data bytes
> 56 bytes from 37.122.XXX.XXX: icmp_seq=0 ttl=64 time=0.284 ms
> 56 bytes from 37.122.XXX.XXX: icmp_seq=1 ttl=64 time=0.173 ms
> --- 37.122.XXX.XXX ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.173/0.228/0.284/0.056 ms
>
> root@v-2-VM:~# ping -c2 10.254.50.123
> PING 10.254.50.123 (10.254.50.123): 48 data bytes
> 56 bytes from 10.254.50.123: icmp_seq=0 ttl=128 time=1.468 ms
> 56 bytes from 10.254.50.123: icmp_seq=1 ttl=128 time=0.345 ms
> --- 10.254.50.123 ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.345/0.906/1.468/0.562 ms
>
> From my computing node I can ping gateway but not system vm :
>
> root@ubuntu:/# ping -c2 10.254.50.254
> PING 10.254.50.254 (10.254.50.254) 56(84) bytes of data.
> 64 bytes from 10.254.50.254: icmp_req=1 ttl=64 time=1.14 ms
> 64 bytes from 10.254.50.254: icmp_req=2 ttl=64 time=0.238 ms
>
> --- 10.254.50.254 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1001ms
> rtt min/avg/max/mdev = 0.238/0.691/1.145/0.454 ms
>
> root@ubuntu:/# ping -c2 10.254.50.209
> PING 10.254.50.209 (10.254.50.209) 56(84) bytes of data.
>
> --- 10.254.50.209 ping statistics ---
> 2 packets transmitted, 0 received, 100% packet loss, time 1000ms
>
>
> There is a firewall hidden ?
>
>
>
>
>
>
> Hi Tejas,
>
> > Thanks you for your reply. I already trying to configure the firewall
> Rules (ex : http://i.imgur.com/oiGMMle.png).
> > not access at my instances.
>
> >> From the VM instance, are you able to ICMP ping the virtual router? If
> you cant,
> >> then please check your network VLAN assignments and traffic label
> configurations
>
> Yes very good point ! I can't ping the virtual router from the VM instance.
> So for validate my network I duplicate the network configuration creating
> by cloudstack on another xenserver (same environment, same switch ...) ;) .
> So on another xenserver I created two VM (with xencenter) and PING worked.
> Picture with network configuration creating by cloudstack (see vl41)
> http://i.imgur.com/K8Bo3kK.png  .
> Picture with network configuration creating by me on another xen pool
> http://i.imgur.com/ieYD5Oy.png
>
> On Cloudstack my traffic label http://i.imgur.com/P7ZRbf7.png
>
>
> > I haven't access system vm (console, secondary storage).
>
> >> If you are not able to access the system VMs, then I would first
> >> make sure my Zone network configuration and the hypervisor
> >> network traffic types are configured correctly.
>
> ---------------------------------------------------------------
> interfaces      | with isolation mode   | without isolation mode
> administration  | Vl50                  | Vl50
> public          | NONE                  | Vl60
> guest           | Vl60                  | Vl50
> Storage         | Vl20                  | Vl20
> ---------------------------------------------------------------
>
> Like you see It's traffic label configuration. With isolation mode
> cloudstack work without problem.
> With isolation mode I declared My guest network (labbel Vl60) like public
> network (testing). And I can ping my Vms system console and storage and my
> instances by Public NIC.
> I can ping the administration network too (not possible without isolation
> mode)
>
> I make sure my zone network configuration (at 99%) because I created a
> advanced zone with isolation mode and that worked (access) ;)
>
>
>
> > My network is ok because when I configure my zone with security groups I
> have access
> > system vm and at my instances.
>
> >> Basic network and Advanced Networks work very differently. Advanced
> network uses VLANs
> >> which if configured incorrectly can lead to issues like the one you are
> facing.
>
> Thank you but when I mean "configuration my zone with security group", I
> talk about advanced network and I check "Isolation mode" :) .
>
>
>
>
>
> Hi Clement,
>
> Comments inline.
>
> On 08-Aug-2014, at 12:18 am, clement mutz <c....@servitics.fr> wrote:
>
> > Thanks you for your reply. I already trying to configure the firewall
> Rules (ex : http://i.imgur.com/oiGMMle.png).
> > not access at my instances.
>
> From the VM instance, are you able to ICMP ping the virtual router? If you
> cant,
> then please check your network VLAN assignments and traffic label
> configurations
>
>
> > I haven't access system vm (console, secondary storage).
>
> If you are not able to access the system VMs, then I would first
> make sure my Zone network configuration and the hypervisor
> network traffic types are configured correctly.
>
>
> > My network is ok because when I configure my zone with security groups I
> have access
> > system vm and at my instances.
>
> Basic network and Advanced Networks work very differently. Advanced
> network uses VLANs
> which if configured incorrectly can lead to issues like the one you are
> facing.
>
> > What's wrong with my configuration ? I forgot something ?
>
> Start by running tcpdump along the network path and try to isolate
> the faulty network configuration.
>
>
> > Sorry my bad english. I learning ;)
> >
> > Thanks you very much.
> >
>
> No problems.
>
>
>
>
> > Clément
> >
> >
> >
> >
> > Comments inline.
> >
> > On 07-Aug-2014, at 6:24 pm, clement mutz <c....@servitics.fr> wrote:
> >
> >> Hi Shanker,
> >>
> >>> Look under Network -> Select View -> Security Groups.
> >>
> >> Thanks you, but the problem appear when I choose a advanced zone
> without security group. So I can't see  Security Groups(
> http://i.imgur.com/WR18PPl.png) ;)
> >>
> >
> > Advanced zones you dont have security groups by default. Only EGRESS and
> INGRESS rules.
> >
> >> How I can to configure the different access without security group ?
> >
> > Looking at your screenshot, go to Network -> Isolated Network (vl400) ->
> Egress Rules and
> > Network -> Isolated Network (vl400) -> Source NAT -> Configuration ->
> Firewall Rules.
> >
> >>
> >>> The ML strips out attachment. You can use http://imgur.com to share
> images.
> >>
> >> Thanks for your information :)
> >>
> >> I can't choose Security group, when I created a zone with public
> network (I mean with nic public)  (http://i.imgur.com/52bjasU.png and
> http://i.imgur.com/UN9RXR2.png)...
> >> I don't understand why.
> >> When I created a zone with security group no problem, I can use ACC
> Ingress and Egress rules but I haven't public interface (
> http://i.imgur.com/EhBAbvC.png and http://i.imgur.com/GjhFOZD.png).
> >>
> >>
> >>
> >>
> >>
> >> ----- Mail original -----
> >> De: "Shanker Balan" <sh...@shapeblue.com>
> >> À: "CloudStack-Users" <us...@cloudstack.apache.org>
> >> Envoyé: Jeudi 7 Août 2014 13:49:40
> >> Objet: Re: question about security group
> >>
> >> Comments inline.
> >>
> >> On 07-Aug-2014, at 3:44 pm, clement mutz <c....@servitics.fr> wrote:
> >>
> >>> Hi Tejas,
> >>>
> >>> I cannot see the security group in network tab.
> >>
> >> Look under Network -> Select View -> Security Groups.
> >>
> >>>
> >>> I can't choose Security group, when I created a zone with public
> network (I mean with nic public)  (picture 1 and 2)... I don't understand
> why.
> >>> When I created a zone with security group no problem, I can use ACC
> Ingress and Egress rules but I haven't public interface (picture 3 and 4).
> >>>
> >>
> >> The ML strips out attachment. You can use http://imgur.com to share
> images.
> >>

Re: question about security group

Posted by clement mutz <c....@servitics.fr>.
Hi,


> What's wrong with my configuration ? I forgot something ?

>> Start by running tcpdump along the network path and try to isolate
>> the faulty network configuration.

OK, I am running tcpdump on the console proxy and I can see packets.


With the following command on console proxy : tcpdump -vv -i eth1

Quote
16:05:14.378905 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
16:05:15.377608 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
16:05:16.377600 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
16:05:17.395947 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
16:05:18.393719 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
16:05:18.828127 IP (tos 0x0, ttl 64, id 30676, offset 0, flags [DF], proto TCP (6), length 56)
    10.254.50.201.58036 > 10.254.50.45.8250: Flags [P.], cksum 0x7b1c (incorrect -> 0xdd06), seq 3973496:3973500, ack 1507845368, win 2641, options [nop,nop,TS val 826858 ecr 954898], length 4
 seq 3973496:3973500, ack 1507845368, win 
eq 1:5, ack 217, win 331, options [nop,nop,TS val 956151 ecr 826868], length 4
16:05:18.883024 IP (tos 0x0, ttl 64, id 30678, offset 0, flags [DF], proto TCP (6), length 52)


I see packets arriving on my console proxy.

I didn't touch iptables rules


iptables -L on console proxy : 

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       icmp --  anywhere             anywhere             icmp timestamp-request
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:3922
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:8001
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:8001
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  


Thanks for your reply.

Clément
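
Added example (not part of the original post): a small Python parser for tcpdump text output like the capture quoted above, which counts ARP who-has requests that are never followed by a Reply. The five request lines and the IP header line are copied from the post; the last two ARP lines and their MAC address are constructed to show an answered request, and the function names are this example's own.

```python
import re

# ARP lines as printed by `tcpdump -vv`. The optional "(mac)" after the target
# appears when a request is sent to a known hardware address.
ARP_REQUEST = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) ARP, .*?Request who-has (\d+(?:\.\d+){3})"
    r"(?: \([0-9A-Fa-f:]+\))? tell (\d+(?:\.\d+){3})")
ARP_REPLY = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) ARP, .*?Reply (\d+(?:\.\d+){3}) is-at ([0-9A-Fa-f:]{17})")

# First six lines: from the capture in the post. Last two lines: constructed.
CAPTURE = """\
16:05:14.378905 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
16:05:15.377608 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
16:05:16.377600 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
16:05:17.395947 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
16:05:18.393719 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
16:05:18.828127 IP (tos 0x0, ttl 64, id 30676, offset 0, flags [DF], proto TCP (6), length 56)
16:05:20.100000 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.254 tell 10.254.50.209, length 28
16:05:20.100200 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.254.50.254 is-at 02:00:00:00:00:01, length 46
"""


def _seconds(hours, minutes, seconds):
    """Convert tcpdump's HH:MM:SS.ffffff fields to seconds since midnight."""
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds)


def arp_summary(capture, timeout=1.0):
    """Return {(asker, target): {"requests": n, "unanswered": m}}.

    A request counts as answered when a Reply for the same target IP is seen
    within `timeout` seconds after it. Captures crossing midnight are not handled.
    """
    requests, replies = [], []
    for line in capture.splitlines():
        match = ARP_REQUEST.match(line)
        if match:
            requests.append((_seconds(*match.group(1, 2, 3)),
                             match.group(4), match.group(5)))
            continue
        match = ARP_REPLY.match(line)
        if match:
            replies.append((_seconds(*match.group(1, 2, 3)), match.group(4)))

    summary = {}
    for sent, target, asker in requests:
        entry = summary.setdefault((asker, target), {"requests": 0, "unanswered": 0})
        entry["requests"] += 1
        answered = any(ip == target and sent <= seen <= sent + timeout
                       for seen, ip in replies)
        if not answered:
            entry["unanswered"] += 1
    return summary


def unanswered_pairs(capture, min_requests=3, timeout=1.0):
    """(asker, target) pairs whose requests were repeated and never answered."""
    return sorted(pair for pair, entry in arp_summary(capture, timeout).items()
                  if entry["requests"] >= min_requests
                  and entry["unanswered"] == entry["requests"])


if __name__ == "__main__":
    for asker, target in unanswered_pairs(CAPTURE):
        print(f"{asker} keeps asking for {target} and no ARP reply was captured")
```

The iptables INPUT rules listed in this message act on IP packets, not on ARP, so a pair reported here is worth checking at layer 2 (VLAN, bridge and traffic-label wiring) before looking for another firewall.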


Re: question about security group

Posted by clement mutz <c....@servitics.fr>.
Hi,

Here are my different tests. The first problem: I can't ping the system VM (internal NIC and external NIC) from the same network (from the computing node, for example).

From the system VM I can ping a host on the internal NIC network (10.254.50.0/24).

IP address of computing node 10.254.50.45.
IP address of console proxy vm 10.254.50.209


On console proxy VM : 

root@v-2-VM:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         37.122.XXX.XX   0.0.0.0         UG    0      0        0 eth2
8.8.8.8         10.254.50.254   255.255.255.255 UGH   0      0        0 eth1
10.254.50.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
37.122.XXX.XXX  0.0.0.0         255.255.255.XXX U     0      0        0 eth2
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0

I can ping www.google.fr, my two gateways and a test host:

root@v-2-VM:~# ping -c2 www.google.fr
PING www.google.fr (173.194.66.94): 48 data bytes
56 bytes from 173.194.66.94: icmp_seq=0 ttl=48 time=5.989 ms
56 bytes from 173.194.66.94: icmp_seq=1 ttl=48 time=5.959 ms
--- www.google.fr ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 5.959/5.974/5.989/0.000 ms

root@v-2-VM:~# ping -c2 10.254.50.254
PING 10.254.50.254 (10.254.50.254): 48 data bytes
56 bytes from 10.254.50.254: icmp_seq=0 ttl=64 time=0.250 ms
56 bytes from 10.254.50.254: icmp_seq=1 ttl=64 time=0.251 ms
--- 10.254.50.254 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.250/0.251/0.251/0.000 ms

root@v-2-VM:~# ping -c2 37.122.XXX.XXX
PING 37.122.XXX.XXX (37.122.XXX.XXX): 48 data bytes
56 bytes from 37.122.XXX.XXX: icmp_seq=0 ttl=64 time=0.284 ms
56 bytes from 37.122.XXX.XXX: icmp_seq=1 ttl=64 time=0.173 ms
--- 37.122.XXX.XXX ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.173/0.228/0.284/0.056 ms

root@v-2-VM:~# ping -c2 10.254.50.123
PING 10.254.50.123 (10.254.50.123): 48 data bytes
56 bytes from 10.254.50.123: icmp_seq=0 ttl=128 time=1.468 ms
56 bytes from 10.254.50.123: icmp_seq=1 ttl=128 time=0.345 ms
--- 10.254.50.123 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.345/0.906/1.468/0.562 ms

From my computing node I can ping the gateway but not the system VM:

root@ubuntu:/# ping -c2 10.254.50.254
PING 10.254.50.254 (10.254.50.254) 56(84) bytes of data.
64 bytes from 10.254.50.254: icmp_req=1 ttl=64 time=1.14 ms
64 bytes from 10.254.50.254: icmp_req=2 ttl=64 time=0.238 ms

--- 10.254.50.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.238/0.691/1.145/0.454 ms

root@ubuntu:/# ping -c2 10.254.50.209
PING 10.254.50.209 (10.254.50.209) 56(84) bytes of data.

--- 10.254.50.209 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms


Is there a hidden firewall?






Hi Tejas,

> Thanks you for your reply. I already trying to configure the firewall Rules (ex : http://i.imgur.com/oiGMMle.png).
> not access at my instances.

>> From the VM instance, are you able to ICMP ping the virtual router? If you cant,
>> then please check your network VLAN assignments and traffic label configurations

Yes, very good point! I can't ping the virtual router from the VM instance.
So to validate my network I duplicated the network configuration created by CloudStack on another XenServer (same environment, same switch ...) ;) .
On that other XenServer I created two VMs (with XenCenter) and ping worked.
Picture of the network configuration created by CloudStack (see vl41): http://i.imgur.com/K8Bo3kK.png
Picture of the network configuration created by me on another Xen pool: http://i.imgur.com/ieYD5Oy.png

My traffic label in CloudStack: http://i.imgur.com/P7ZRbf7.png


> I haven't access system vm (console, secondary storage).

>> If you are not able to access the system VMs, then I would first
>> make sure my Zone network configuration and the hypervisor
>> network traffic types are configured correctly.

---------------------------------------------------------------
interfaces     | with isolation mode | without isolation mode
administration | Vl50                | Vl50
public         | NONE                | Vl60
guest          | Vl60                | Vl50
Storage        | Vl20                | Vl20
---------------------------------------------------------------

As you can see, this is the traffic label configuration. With isolation mode CloudStack works without problem.
With isolation mode I declared my guest network (label Vl60) as the public network (testing), and I can ping my system VMs (console and storage) and my instances via the public NIC.
I can ping the administration network too (not possible without isolation mode).

I am sure of my zone network configuration (at 99%) because I created an advanced zone with isolation mode and that worked (access) ;)



> My network is ok because when I configure my zone with security groups I have access
> system vm and at my instances.

>> Basic network and Advanced Networks work very differently. Advanced network uses VLANs
>> which if configured incorrectly can lead to issues like the one you are facing.

Thank you, but when I say "configuration my zone with security group", I am talking about an advanced network and I checked "Isolation mode" :) .





Hi Clement,

Comments inline.

On 08-Aug-2014, at 12:18 am, clement mutz <c....@servitics.fr> wrote:

> Thanks you for your reply. I already trying to configure the firewall Rules (ex : http://i.imgur.com/oiGMMle.png).
> not access at my instances.

From the VM instance, are you able to ICMP ping the virtual router? If you can't,
then please check your network VLAN assignments and traffic label configurations


> I haven't access system vm (console, secondary storage).

If you are not able to access the system VMs, then I would first
make sure my Zone network configuration and the hypervisor
network traffic types are configured correctly.


> My network is ok because when I configure my zone with security groups I have access
> system vm and at my instances.

Basic network and Advanced Networks work very differently. Advanced network uses VLANs
which if configured incorrectly can lead to issues like the one you are facing.

> What's wrong with my configuration ? I forgot something ?

Start by running tcpdump along the network path and try to isolate
the faulty network configuration.


> Sorry my bad english. I learning ;)
>
> Thanks you very much.
>

No problems.




> Clément
>
>
>
>
> Comments inline.
>
> On 07-Aug-2014, at 6:24 pm, clement mutz <c....@servitics.fr> wrote:
>
>> Hi Shanker,
>>
>>> Look under Network -> Select View -> Security Groups.
>>
>> Thanks you, but the problem appear when I choose a advanced zone without security group. So I can't see  Security Groups(http://i.imgur.com/WR18PPl.png) ;)
>>
>
> Advanced zones you dont have security groups by default. Only EGRESS and INGRESS rules.
>
>> How I can to configure the different access without security group ?
>
> Looking at your screenshot, go to Network -> Isolated Network (vl400) -> Egress Rules and
> Network -> Isolated Network (vl400) -> Source NAT -> Configuration -> Firewall Rules.
>
>>
>>> The ML strips out attachment. You can use http://imgur.com to share images.
>>
>> Thanks for your information :)
>>
>> I can't choose Security group, when I created a zone with public network (I mean with nic public)  (http://i.imgur.com/52bjasU.png and http://i.imgur.com/UN9RXR2.png)...
>> I don't understand why.
>> When I created a zone with security group no problem, I can use ACC Ingress and Egress rules but I haven't public interface (http://i.imgur.com/EhBAbvC.png and http://i.imgur.com/GjhFOZD.png).
>>
>>
>>
>>
>>
>> ----- Original Message -----
>> From: "Shanker Balan" <sh...@shapeblue.com>
>> To: "CloudStack-Users" <us...@cloudstack.apache.org>
>> Sent: Thursday 7 August 2014 13:49:40
>> Subject: Re: question about security group
>>
>> Comments inline.
>>
>> On 07-Aug-2014, at 3:44 pm, clement mutz <c....@servitics.fr> wrote:
>>
>>> Hi Tejas,
>>>
>>> I cannot see the security group in network tab.
>>
>> Look under Network -> Select View -> Security Groups.
>>
>>>
>>> I can't choose Security group, when I created a zone with public network (I mean with nic public)  (picture 1 and 2)... I don't understand why.
>>> When I created a zone with security group no problem, I can use ACC Ingress and Egress rules but I haven't public interface (picture 3 and 4).
>>>
>>
>> The ML strips out attachment. You can use http://imgur.com to share images.
>>

--
@shankerbalan

M: +91 98860 60539 | O: +91 (80) 67935867
shanker.balan@shapeblue.com | www.shapeblue.com | Twitter:@shapeblue
ShapeBlue Services India LLP, 22nd floor, Unit 2201A, World Trade Centre, Bangalore - 560 055

Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Re: question about security group

Posted by clement mutz <c....@servitics.fr>.
Hi Tejas,

> Thanks you for your reply. I already trying to configure the firewall Rules (ex : http://i.imgur.com/oiGMMle.png).
> not access at my instances.

>> From the VM instance, are you able to ICMP ping the virtual router? If you cant,
>> then please check your network VLAN assignments and traffic label configurations

Yes, very good point! I can't ping the virtual router from the VM instance.
So to validate my network I duplicated the network configuration created by CloudStack on another XenServer (same environment, same switch ...) ;) .
So on another XenServer I created two VMs (with XenCenter) and ping worked.
Picture with the network configuration created by CloudStack (see vl41): http://i.imgur.com/K8Bo3kK.png
Picture with the network configuration created by me on another Xen pool: http://i.imgur.com/ieYD5Oy.png

My traffic label on CloudStack: http://i.imgur.com/P7ZRbf7.png


> I haven't access system vm (console, secondary storage).

>> If you are not able to access the system VMs, then I would first
>> make sure my Zone network configuration and the hypervisor
>> network traffic types are configured correctly.

---------------------------------------------------------------
interfaces     | with isolation mode | without isolation mode
administration | Vl50                | Vl50
public         | NONE                | Vl60
guest          | Vl60                | Vl50
Storage        | Vl20                | Vl20
---------------------------------------------------------------

As you can see, this is the traffic label configuration. With isolation mode CloudStack works without problems.
With isolation mode I declared my guest network (label Vl60) as the public network (testing), and I can ping my system VMs (console and storage) and my instances via the public NIC.
I can ping the administration network too (not possible without isolation mode).

I made sure of my zone network configuration (at 99%) because I created an advanced zone with isolation mode and that worked (access) ;)



> My network is ok because when I configure my zone with security groups I have access
> system vm and at my instances.

>> Basic network and Advanced Networks work very differently. Advanced network uses VLANs
>> which if configured incorrectly can lead to issues like the one you are facing.

Thank you, but when I say "configuration of my zone with security group", I am talking about an advanced network and I check "Isolation mode" :) .





Hi Clement,

Comments inline.

On 08-Aug-2014, at 12:18 am, clement mutz <c....@servitics.fr> wrote:

> Thanks you for your reply. I already trying to configure the firewall Rules (ex : http://i.imgur.com/oiGMMle.png).
> not access at my instances.

From the VM instance, are you able to ICMP ping the virtual router? If you can't,
then please check your network VLAN assignments and traffic label configurations.


> I haven't access system vm (console, secondary storage).

If you are not able to access the system VMs, then I would first
make sure my Zone network configuration and the hypervisor
network traffic types are configured correctly.


> My network is ok because when I configure my zone with security groups I have access
> system vm and at my instances.

Basic network and Advanced Networks work very differently. Advanced network uses VLANs
which if configured incorrectly can lead to issues like the one you are facing.

> What's wrong with my configuration ? I forgot something ?

Start by running tcpdump along the network path and try to isolate
the faulty network configuration.


> Sorry my bad english. I learning ;)
>
> Thanks you very much.
>

No problems.




> Clément
>
>
>
>
> Comments inline.
>
> On 07-Aug-2014, at 6:24 pm, clement mutz <c....@servitics.fr> wrote:
>
>> Hi Shanker,
>>
>>> Look under Network -> Select View -> Security Groups.
>>
>> Thanks you, but the problem appear when I choose a advanced zone without security group. So I can't see  Security Groups(http://i.imgur.com/WR18PPl.png) ;)
>>
>
> Advanced zones you dont have security groups by default. Only EGRESS and INGRESS rules.
>
>> How I can to configure the different access without security group ?
>
> Looking at your screenshot, go to Network -> Isolated Network (vl400) -> Egress Rules and
> Network -> Isolated Network (vl400) -> Source NAT -> Configuration -> Firewall Rules.
>
>>
>>> The ML strips out attachment. You can use http://imgur.com to share images.
>>
>> Thanks for your information :)
>>
>> I can't choose Security group, when I created a zone with public network (I mean with nic public)  (http://i.imgur.com/52bjasU.png and http://i.imgur.com/UN9RXR2.png)...
>> I don't understand why.
>> When I created a zone with security group no problem, I can use ACC Ingress and Egress rules but I haven't public interface (http://i.imgur.com/EhBAbvC.png and http://i.imgur.com/GjhFOZD.png).
>>
>>
>>
>>
>>
>> ----- Original Message -----
>> From: "Shanker Balan" <sh...@shapeblue.com>
>> To: "CloudStack-Users" <us...@cloudstack.apache.org>
>> Sent: Thursday 7 August 2014 13:49:40
>> Subject: Re: question about security group
>>
>> Comments inline.
>>
>> On 07-Aug-2014, at 3:44 pm, clement mutz <c....@servitics.fr> wrote:
>>
>>> Hi Tejas,
>>>
>>> I cannot see the security group in network tab.
>>
>> Look under Network -> Select View -> Security Groups.
>>
>>>
>>> I can't choose Security group, when I created a zone with public network (I mean with nic public)  (picture 1 and 2)... I don't understand why.
>>> When I created a zone with security group no problem, I can use ACC Ingress and Egress rules but I haven't public interface (picture 3 and 4).
>>>
>>
>> The ML strips out attachment. You can use http://imgur.com to share images.

Re: question about security group

Posted by Shanker Balan <sh...@shapeblue.com>.
Hi Clement,

Comments inline.

On 08-Aug-2014, at 12:18 am, clement mutz <c....@servitics.fr> wrote:

> Thanks you for your reply. I already trying to configure the firewall Rules (ex : http://i.imgur.com/oiGMMle.png).
> not access at my instances.

From the VM instance, are you able to ICMP ping the virtual router? If you can't,
then please check your network VLAN assignments and traffic label configurations.


> I haven't access system vm (console, secondary storage).

If you are not able to access the system VMs, then I would first
make sure my Zone network configuration and the hypervisor
network traffic types are configured correctly.


> My network is ok because when I configure my zone with security groups I have access
> system vm and at my instances.

Basic network and Advanced Networks work very differently. Advanced network uses VLANs
which if configured incorrectly can lead to issues like the one you are facing.

> What's wrong with my configuration ? I forgot something ?

Start by running tcpdump along the network path and try to isolate
the faulty network configuration.


> Sorry my bad english. I learning ;)
>
> Thanks you very much.
>

No problems.




> Clément
>
>
>
>
> Comments inline.
>
> On 07-Aug-2014, at 6:24 pm, clement mutz <c....@servitics.fr> wrote:
>
>> Hi Shanker,
>>
>>> Look under Network -> Select View -> Security Groups.
>>
>> Thanks you, but the problem appear when I choose a advanced zone without security group. So I can't see  Security Groups(http://i.imgur.com/WR18PPl.png) ;)
>>
>
> Advanced zones you dont have security groups by default. Only EGRESS and INGRESS rules.
>
>> How I can to configure the different access without security group ?
>
> Looking at your screenshot, go to Network -> Isolated Network (vl400) -> Egress Rules and
> Network -> Isolated Network (vl400) -> Source NAT -> Configuration -> Firewall Rules.
>
>>
>>> The ML strips out attachment. You can use http://imgur.com to share images.
>>
>> Thanks for your information :)
>>
>> I can't choose Security group, when I created a zone with public network (I mean with nic public)  (http://i.imgur.com/52bjasU.png and http://i.imgur.com/UN9RXR2.png)...
>> I don't understand why.
>> When I created a zone with security group no problem, I can use ACC Ingress and Egress rules but I haven't public interface (http://i.imgur.com/EhBAbvC.png and http://i.imgur.com/GjhFOZD.png).
>>
>>
>>
>>
>>
>> ----- Original Message -----
>> From: "Shanker Balan" <sh...@shapeblue.com>
>> To: "CloudStack-Users" <us...@cloudstack.apache.org>
>> Sent: Thursday 7 August 2014 13:49:40
>> Subject: Re: question about security group
>>
>> Comments inline.
>>
>> On 07-Aug-2014, at 3:44 pm, clement mutz <c....@servitics.fr> wrote:
>>
>>> Hi Tejas,
>>>
>>> I cannot see the security group in network tab.
>>
>> Look under Network -> Select View -> Security Groups.
>>
>>>
>>> I can't choose Security group, when I created a zone with public network (I mean with nic public)  (picture 1 and 2)... I don't understand why.
>>> When I created a zone with security group no problem, I can use ACC Ingress and Egress rules but I haven't public interface (picture 3 and 4).
>>>
>>
>> The ML strips out attachment. You can use http://imgur.com to share images.
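
One way to act on the "run tcpdump along the network path" advice in the message above, as an added example that is not part of the original thread: the script reads `tcpdump -e -n` text output saved at successive capture points and names the first point where the ICMP echo is missing or carries the wrong 802.1Q tag. The capture point names, IP and MAC addresses and VLAN IDs are constructed assumptions, not values from the poster's environment.

```python
import re
from collections import namedtuple

# One ICMP echo packet parsed from `tcpdump -e -n` text output.
Packet = namedtuple("Packet", "vlan src dst kind seq")

# `-e` prints the link-level header, so tagged frames show "vlan <id>, p <prio>".
VLAN_RE = re.compile(r"\bvlan (\d+), p \d+")
ICMP_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id \d+, seq (?P<seq>\d+)"
)

# Constructed sample (hypothetical addresses, hop names and VLAN IDs).
# Each entry: (capture point, VLAN tag expected there or None, tcpdump text),
# ordered from the guest VM towards the virtual router.
VM_IP, ROUTER_IP = "10.1.1.10", "10.1.1.1"
CAPTURES = [
    ("vm-vif", None,
     "09:41:07.120001 06:aa:bb:00:00:10 > 06:aa:bb:00:00:01, ethertype IPv4 (0x0800), "
     "length 98: 10.1.1.10 > 10.1.1.1: ICMP echo request, id 3301, seq 1, length 64\n"
     "09:41:08.121004 06:aa:bb:00:00:10 > 06:aa:bb:00:00:01, ethertype IPv4 (0x0800), "
     "length 98: 10.1.1.10 > 10.1.1.1: ICMP echo request, id 3301, seq 2, length 64\n"),
    ("hostA-pif", 60,
     "09:41:07.120050 06:aa:bb:00:00:10 > 06:aa:bb:00:00:01, ethertype 802.1Q (0x8100), "
     "length 102: vlan 50, p 0, ethertype IPv4, 10.1.1.10 > 10.1.1.1: "
     "ICMP echo request, id 3301, seq 1, length 64\n"
     "09:41:08.121060 06:aa:bb:00:00:10 > 06:aa:bb:00:00:01, ethertype 802.1Q (0x8100), "
     "length 102: vlan 50, p 0, ethertype IPv4, 10.1.1.10 > 10.1.1.1: "
     "ICMP echo request, id 3301, seq 2, length 64\n"),
    ("router-vif", None,
     "09:41:07.500000 06:aa:bb:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
     "length 42: Request who-has 10.1.1.254 tell 10.1.1.1, length 28\n"),
]


def parse_capture(text):
    """Return the ICMP echo packets found in one capture, with their VLAN tag."""
    packets = []
    for line in text.splitlines():
        icmp = ICMP_RE.search(line)
        if not icmp:
            continue  # ARP, other protocols, tcpdump banner lines
        tag = VLAN_RE.search(line)
        packets.append(Packet(
            vlan=int(tag.group(1)) if tag else None,
            src=icmp.group("src"), dst=icmp.group("dst"),
            kind=icmp.group("kind"), seq=int(icmp.group("seq")),
        ))
    return packets


def _tag(vlan):
    return "untagged" if vlan is None else f"vlan {vlan}"


def _check(packets, kind, src, dst, expected_vlan):
    """Return a problem description for this hop, or None if it looks right."""
    seen = [p for p in packets if (p.kind, p.src, p.dst) == (kind, src, dst)]
    if not seen:
        return f"echo {kind} not seen"
    tags = {p.vlan for p in seen}
    if tags != {expected_vlan}:
        found = ", ".join(sorted(_tag(v) for v in tags))
        return f"echo {kind} seen as {found}, expected {_tag(expected_vlan)}"
    return None


def first_faulty_hop(captures, vm_ip, router_ip):
    """Walk requests outward, then replies back; return (hop, problem) or None."""
    parsed = [(name, vlan, parse_capture(text)) for name, vlan, text in captures]
    for name, vlan, packets in parsed:            # VM -> router
        problem = _check(packets, "request", vm_ip, router_ip, vlan)
        if problem:
            return name, problem
    for name, vlan, packets in reversed(parsed):  # router -> VM
        problem = _check(packets, "reply", router_ip, vm_ip, vlan)
        if problem:
            return name, problem
    return None


if __name__ == "__main__":
    print(first_faulty_hop(CAPTURES, VM_IP, ROUTER_IP))
```

A hop reported with the wrong tag points at the traffic label or VLAN assignment on that host; a hop where the request is simply not seen points at the segment just before it, for example a switch trunk that does not carry the VLAN.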

Re: question about security group

Posted by clement mutz <c....@servitics.fr>.
Thank you for your reply. I have already tried to configure the firewall rules (ex: http://i.imgur.com/oiGMMle.png), but I have no access to my instances.
I have no access to the system VMs (console, secondary storage).

My network is OK because when I configure my zone with security groups I have access to the system VMs and to my instances.

What's wrong with my configuration? Did I forget something?

Sorry for my bad English. I am learning ;)

Thank you very much.

Clément




Comments inline.

On 07-Aug-2014, at 6:24 pm, clement mutz <c....@servitics.fr> wrote:

> Hi Shanker,
>
>> Look under Network -> Select View -> Security Groups.
>
> Thanks you, but the problem appear when I choose a advanced zone without security group. So I can't see  Security Groups(http://i.imgur.com/WR18PPl.png) ;)
>

In advanced zones you don't have security groups by default. Only EGRESS and INGRESS rules.

> How I can to configure the different access without security group ?

Looking at your screenshot, go to Network -> Isolated Network (vl400) -> Egress Rules and
Network -> Isolated Network (vl400) -> Source NAT -> Configuration -> Firewall Rules.

>
>> The ML strips out attachment. You can use http://imgur.com to share images.
>
> Thanks for your information :)
>
> I can't choose Security group, when I created a zone with public network (I mean with nic public)  (http://i.imgur.com/52bjasU.png and http://i.imgur.com/UN9RXR2.png)...
> I don't understand why.
> When I created a zone with security group no problem, I can use ACC Ingress and Egress rules but I haven't public interface (http://i.imgur.com/EhBAbvC.png and http://i.imgur.com/GjhFOZD.png).
>
>
>
>
>
> ----- Original Message -----
> From: "Shanker Balan" <sh...@shapeblue.com>
> To: "CloudStack-Users" <us...@cloudstack.apache.org>
> Sent: Thursday 7 August 2014 13:49:40
> Subject: Re: question about security group
>
> Comments inline.
>
> On 07-Aug-2014, at 3:44 pm, clement mutz <c....@servitics.fr> wrote:
>
>> Hi Tejas,
>>
>> I cannot see the security group in network tab.
>
> Look under Network -> Select View -> Security Groups.
>
>>
>> I can't choose Security group, when I created a zone with public network (I mean with nic public)  (picture 1 and 2)... I don't understand why.
>> When I created a zone with security group no problem, I can use ACC Ingress and Egress rules but I haven't public interface (picture 3 and 4).
>>
>
> The ML strips out attachment. You can use http://imgur.com to share images.

Re: question about security group

Posted by Shanker Balan <sh...@shapeblue.com>.
Comments inline.

On 07-Aug-2014, at 6:24 pm, clement mutz <c....@servitics.fr> wrote:

> Hi Shanker,
>
>> Look under Network -> Select View -> Security Groups.
>
> Thanks you, but the problem appear when I choose a advanced zone without security group. So I can't see  Security Groups(http://i.imgur.com/WR18PPl.png) ;)
>

In advanced zones you don't have security groups by default. Only EGRESS and INGRESS rules.

> How I can to configure the different access without security group ?

Looking at your screenshot, go to Network -> Isolated Network (vl400) -> Egress Rules and
Network -> Isolated Network (vl400) -> Source NAT -> Configuration -> Firewall Rules.

>
>> The ML strips out attachment. You can use http://imgur.com to share images.
>
> Thanks for your information :)
>
> I can't choose Security group, when I created a zone with public network (I mean with nic public)  (http://i.imgur.com/52bjasU.png and http://i.imgur.com/UN9RXR2.png)...
> I don't understand why.
> When I created a zone with security group no problem, I can use ACC Ingress and Egress rules but I haven't public interface (http://i.imgur.com/EhBAbvC.png and http://i.imgur.com/GjhFOZD.png).
>
>
>
>
>
> ----- Original Message -----
> From: "Shanker Balan" <sh...@shapeblue.com>
> To: "CloudStack-Users" <us...@cloudstack.apache.org>
> Sent: Thursday 7 August 2014 13:49:40
> Subject: Re: question about security group
>
> Comments inline.
>
> On 07-Aug-2014, at 3:44 pm, clement mutz <c....@servitics.fr> wrote:
>
>> Hi Tejas,
>>
>> I cannot see the security group in network tab.
>
> Look under Network -> Select View -> Security Groups.
>
>>
>> I can't choose Security group, when I created a zone with public network (I mean with nic public)  (picture 1 and 2)... I don't understand why.
>> When I created a zone with security group no problem, I can use ACC Ingress and Egress rules but I haven't public interface (picture 3 and 4).
>>
>
> The ML strips out attachment. You can use http://imgur.com to share images.

Re: question about security group

Posted by clement mutz <c....@servitics.fr>.
Hi Shanker,

> Look under Network -> Select View -> Security Groups.

Thank you, but the problem appears when I choose an advanced zone without security groups. So I can't see Security Groups (http://i.imgur.com/WR18PPl.png) ;)

How can I configure the different access without security groups?

> The ML strips out attachments. You can use http://imgur.com to share images.

Thanks for your information :)

I can't choose a security group when I create a zone with a public network (I mean with a public NIC) (http://i.imgur.com/52bjasU.png and http://i.imgur.com/UN9RXR2.png)...
I don't understand why.
When I create a zone with security groups there is no problem: I can use ACC Ingress and Egress rules, but I don't have a public interface (http://i.imgur.com/EhBAbvC.png and http://i.imgur.com/GjhFOZD.png).





----- Original message -----
From: "Shanker Balan" <sh...@shapeblue.com>
To: "CloudStack-Users" <us...@cloudstack.apache.org>
Sent: Thursday 7 August 2014 13:49:40
Subject: Re: question about security group

Comments inline.

On 07-Aug-2014, at 3:44 pm, clement mutz <c....@servitics.fr> wrote:

> Hi Tejas,
>
> I cannot see the security group in the Network tab.

Look under Network -> Select View -> Security Groups.

>
> I can't choose a security group when I create a zone with a public network (I mean with a public NIC) (pictures 1 and 2)... I don't understand why.
> When I create a zone with security groups there is no problem: I can use ACC Ingress and Egress rules, but I don't have a public interface (pictures 3 and 4).
>

The ML strips out attachments. You can use http://imgur.com to share images.

--
@shankerbalan


Re: question about security group

Posted by Shanker Balan <sh...@shapeblue.com>.
Comments inline.

On 07-Aug-2014, at 3:44 pm, clement mutz <c....@servitics.fr> wrote:

> Hi Tejas,
>
> I cannot see the security group in the Network tab.

Look under Network -> Select View -> Security Groups.

>
> I can't choose a security group when I create a zone with a public network (I mean with a public NIC) (pictures 1 and 2)... I don't understand why.
> When I create a zone with security groups there is no problem: I can use ACC Ingress and Egress rules, but I don't have a public interface (pictures 3 and 4).
>

The ML strips out attachments. You can use http://imgur.com to share images.

--
@shankerbalan


Re: question about security group

Posted by clement mutz <c....@servitics.fr>.
Hi Tejas,

I cannot see the security group in the Network tab.

I can't choose a security group when I create a zone with a public network (I mean with a public NIC) (pictures 1 and 2)... I don't understand why.
When I create a zone with security groups there is no problem: I can use ACC Ingress and Egress rules, but I don't have a public interface (pictures 3 and 4).


Thanks for your reply.

Clément.


----- Original message -----
From: "tejas sheth" <te...@frontier.in>
To: users@cloudstack.apache.org
Sent: Thursday 7 August 2014 11:32:37
Subject: Re: question about security group

Did you add ACL Ingress and Egress rules?

-Tejas



From:   clement mutz <c....@servitics.fr>
To:     users@cloudstack.apache.org
Date:   08/07/2014 01:16 PM
Subject:        question about security group



Hi community !

I'll try to create a zone with a public network. I can't ping my VMs
(instances, system VMs).

How can I configure the different access?

Appreciate all help.

Best regards,

CloudStack 4.3 on CentOS.


Re: question about security group

Posted by te...@frontier.in.
Did you add ACL Ingress and Egress rules?

-Tejas



From:   clement mutz <c....@servitics.fr>
To:     users@cloudstack.apache.org
Date:   08/07/2014 01:16 PM
Subject:        question about security group



Hi community !

I'll try to create a zone with a public network. I can't ping my VMs
(instances, system VMs).

How can I configure the different access?

Appreciate all help.

Best regards,

CloudStack 4.3 on CentOS.