Posted to commits@cloudstack.apache.org by ra...@apache.org on 2013/07/30 08:03:14 UTC

git commit: updated refs/heads/4.2 to 4380dee

Updated Branches:
  refs/heads/4.2 3d4d350db -> 4380dee86


CLOUDSTACK-3580


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/4380dee8
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/4380dee8
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/4380dee8

Branch: refs/heads/4.2
Commit: 4380dee8671c124b9645525252260f61eebbee6a
Parents: 3d4d350
Author: Radhika PC <ra...@citrix.com>
Authored: Tue Jul 30 11:32:07 2013 +0530
Committer: Radhika PC <ra...@citrix.com>
Committed: Tue Jul 30 11:32:07 2013 +0530

----------------------------------------------------------------------
 docs/en-US/hardware-firewall.xml |   8 ++-
 docs/en-US/vnmc-cisco.xml        | 125 ++++++++++++++++++----------------
 2 files changed, 72 insertions(+), 61 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4380dee8/docs/en-US/hardware-firewall.xml
----------------------------------------------------------------------
diff --git a/docs/en-US/hardware-firewall.xml b/docs/en-US/hardware-firewall.xml
index db48032..efab3c7 100644
--- a/docs/en-US/hardware-firewall.xml
+++ b/docs/en-US/hardware-firewall.xml
@@ -22,9 +22,11 @@
   <title>Hardware Firewall</title>
   <para>All deployments should have a firewall protecting the management server; see Generic
     Firewall Provisions. Optionally, some deployments may also have a Juniper SRX firewall that will
-    be the default gateway for the guest networks; see <xref linkend="external-guest-firewall-integration"/>.</para>
+    be the default gateway for the guest networks; see <xref
+      linkend="external-guest-firewall-integration"/>.</para>
   <xi:include href="generic-firewall-provisions.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
-  <xi:include href="external-guest-firewall-integration.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
-<!--  <xi:include href="cisco-vnmc.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> -->
+  <xi:include href="external-guest-firewall-integration.xml"
+    xmlns:xi="http://www.w3.org/2001/XInclude"/>
+  <xi:include href="vnmc-cisco.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
   <xi:include href="external-guest-lb-integration.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
 </section>
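
Review bot: The introductory paragraph still names only the Juniper SRX as the optional guest-network firewall, while the new xi:include of vnmc-cisco.xml brings the Cisco VNMC section into this chapter. Add a sentence to that paragraph pointing to it, for example an xref with linkend="vnmc-cisco", so readers learn about the second option before they reach it. The removed comment referred to cisco-vnmc.xml and the new include uses vnmc-cisco.xml, so also confirm that no other file still references the old name.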

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4380dee8/docs/en-US/vnmc-cisco.xml
----------------------------------------------------------------------
diff --git a/docs/en-US/vnmc-cisco.xml b/docs/en-US/vnmc-cisco.xml
index 6181348..809c151 100644
--- a/docs/en-US/vnmc-cisco.xml
+++ b/docs/en-US/vnmc-cisco.xml
@@ -20,16 +20,16 @@
 -->
 <section id="vnmc-cisco">
   <title>External Guest Firewall Integration for Cisco VNMC (Optional)</title>
-  <para>Cisco Virtual Network Management Center (VNMC) provides centralized multi-device and
-    policy management for Cisco Network Virtual Services. When Cisco VNMC is integrated with
-    ASA 1000v Cloud Firewall and Cisco Nexus 1000v dvSwitch in &PRODUCT; you will be able to: </para>
+  <para>Cisco Virtual Network Management Center (VNMC) provides centralized multi-device and policy
+    management for Cisco Network Virtual Services. When Cisco VNMC is integrated with ASA 1000v
+    Cloud Firewall and Cisco Nexus 1000v dvSwitch in &PRODUCT; you will be able to: </para>
   <itemizedlist>
     <listitem>
       <para>Configure Cisco ASA 1000v Firewalls</para>
     </listitem>
     <listitem>
-      <para>Create and apply security profiles that contain ACL policy sets for both ingress
-        and egress traffic, connection timeout, NAT policy sets, and TCP intercept</para>
+      <para>Create and apply security profiles that contain ACL policy sets for both ingress and
+        egress traffic, connection timeout, NAT policy sets, and TCP intercept</para>
     </listitem>
   </itemizedlist>
   <para>&PRODUCT; supports Cisco VNMC on Cisco Nexus 1000v dvSwich-enabled VMware
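
Review bot: The trailing context line reads "dvSwich-enabled", a typo for "dvSwitch-enabled", and it sits right below paragraphs this hunk re-wraps. Since the section is being touched anyway, fix the spelling in the same change. The two edited paragraphs differ from the originals only in line wrapping, so nothing else here needs attention.
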
@@ -46,22 +46,21 @@
           addCiscoAsa1000vResource. You can configure one per guest network.</para>
       </listitem>
       <listitem>
-        <para>A Cloud administrator creates an Isolated guest network offering by using ASA
-          1000v as the service provider for Firewall, Source NAT, Port Forwarding, and Static
-          NAT. </para>
+        <para>A Cloud administrator creates an Isolated guest network offering by using ASA 1000v as
+          the service provider for Firewall, Source NAT, Port Forwarding, and Static NAT. </para>
       </listitem>
     </itemizedlist>
   </section>
   <section id="deploy-vnmc">
-    <title>Cisco ASA 1000v Firewall, Cisco Nexus 1000v dvSwitch, and Cisco VNMC
+    <title>Using Cisco ASA 1000v Firewall, Cisco Nexus 1000v dvSwitch, and Cisco VNMC in a
       Deployment</title>
     <section id="prereq-asa">
       <title>Prerequisites</title>
       <itemizedlist>
         <listitem>
-          <para>Ensure that Cisco ASA 1000v appliance is set up externally and then registered
-            with &PRODUCT; by using the admin API. Typically, you can create a pool of ASA
-            1000v appliances and register them with &PRODUCT;.</para>
+          <para>Ensure that Cisco ASA 1000v appliance is set up externally and then registered with
+            &PRODUCT; by using the admin API. Typically, you can create a pool of ASA 1000v
+            appliances and register them with &PRODUCT;.</para>
           <para>Specify the following to set up a Cisco ASA 1000v instance:</para>
           <itemizedlist>
             <listitem>
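
Review bot: The prerequisite "registered with &PRODUCT; by using the admin API" does not say which API call is meant, although the list item just above this hunk's first change names addCiscoAsa1000vResource. Name the call here as well so the prerequisite can be followed without searching. The title change on deploy-vnmc is the only content change in this hunk, and the rest is re-wrapping. Keeping whitespace reflow in a separate commit would make changes like the title easier to spot.
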
@@ -71,17 +70,17 @@
               <para>Standalone or HA mode</para>
             </listitem>
             <listitem>
-              <para>Port profiles for the Management and HA network interfaces. This need to
-                be pre-created on Nexus dvSwitch switch.</para>
+              <para>Port profiles for the Management and HA network interfaces. This need to be
+                pre-created on Nexus dvSwitch switch.</para>
             </listitem>
             <listitem>
-              <para>Port profiles for both internal and external network interfaces. This need
-                to be pre-created on Nexus dvSwitch switch, and to be updated appropriately
-                while implementing guest networks.</para>
+              <para>Port profiles for both internal and external network interfaces. This need to be
+                pre-created on Nexus dvSwitch switch, and to be updated appropriately while
+                implementing guest networks.</para>
             </listitem>
             <listitem>
-              <para>The Management IP for Cisco ASA 1000v appliance. Specify the gateway such
-                that the VNMC IP is reachable.</para>
+              <para>The Management IP for Cisco ASA 1000v appliance. Specify the gateway such that
+                the VNMC IP is reachable.</para>
             </listitem>
             <listitem>
               <para>Administrator credentials</para>
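
Review bot: Both port-profile items keep the wording "This need to be pre-created on Nexus dvSwitch switch" after re-wrapping. The subject is plural and "dvSwitch switch" is redundant. Suggest "These need to be pre-created on the Nexus dvSwitch" in both items. In the second item, "to be updated appropriately while implementing guest networks" does not say who performs the update or what changes, so a short clarification would help.
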
@@ -99,11 +98,21 @@
             appliances.</para>
         </listitem>
         <listitem>
-          <para>Ensure that Cisco Nexus 1000v appliance is set up and configured in &PRODUCT;
-            when adding VMware cluster.</para>
+          <para>Ensure that Cisco Nexus 1000v appliance is set up and configured in &PRODUCT; when
+            adding VMware cluster.</para>
         </listitem>
       </itemizedlist>
     </section>
+    <section id="notes-vnmc">
+      <title>Guidelines</title>
+      <para>When a guest network is created with Cisco VNMC firewall provider, an additional public
+        IP is by default acquired along with the Source NAT IP. The Source NAT IP is used for the
+        ASA outside interface, whereas the addition IP is used to workaround an ASA limitation.
+        Ensure that this additional public IP is not released. You can identify this IP as soon as
+        the network is in implemented state and before acquiring any further public IPs. The
+        additional IP is the one that is not marked as Source NAT. You can find the IP used for the
+        ASA outside interface by looking at the Cisco VNMC used in your guest network.</para>
+    </section>
     <section id="how-to-asa">
       <title>Using Cisco ASA 1000v Services</title>
       <orderedlist>
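
Review bot: The new Guidelines paragraph tells the operator to "Ensure that this additional public IP is not released" but never states what the ASA limitation is or what breaks if the IP is released, so the instruction is easy to overlook. State the consequence and consider wrapping that sentence in a warning or important element rather than plain para text. Wording fixes in the same paragraph: "the addition IP" should be "the additional IP", and "to workaround" should be "to work around". The last sentence, "by looking at the Cisco VNMC used in your guest network", does not say where in VNMC to look. The section id notes-vnmc also does not match the title "Guidelines".
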
@@ -120,11 +129,13 @@
           <para>See <xref linkend="add-asa"/>.</para>
         </listitem>
         <listitem>
-          <para>Create a Network Offering and use Cisco VNMC as the service provider for desired services.</para>
+          <para>Create a Network Offering and use Cisco VNMC as the service provider for desired
+            services.</para>
           <para>See <xref linkend="asa-offering"/>.</para>
         </listitem>
         <listitem>
-          <para>Create an Isolated Guest Network by using the network offering you just created.</para>
+          <para>Create an Isolated Guest Network by using the network offering you just
+            created.</para>
         </listitem>
       </orderedlist>
     </section>
@@ -164,8 +175,8 @@
             <para>Host: The IP address of the VNMC instance.</para>
           </listitem>
           <listitem>
-            <para>Username: The user name of the account on the VNMC instance that &PRODUCT;
-              should use.</para>
+            <para>Username: The user name of the account on the VNMC instance that &PRODUCT; should
+              use.</para>
           </listitem>
           <listitem>
             <para>Password: The password of the account.</para>
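
Review bot: The Username and Password items describe "the account on the VNMC instance that &PRODUCT; should use" without saying what role or privileges that account needs. Document the required privilege level so operators can provision a dedicated account for the integration instead of reusing a general administrator login. The edit itself is only a re-wrap.
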
@@ -209,16 +220,15 @@
         <para>Click the Add CiscoASA1000v Resource and provide the following:</para>
         <itemizedlist>
           <listitem>
-            <para>Host: The management IP address of the ASA 1000v instance. The IP address is
-              used to connect to ASA 1000V.</para>
+            <para>Host: The management IP address of the ASA 1000v instance. The IP address is used
+              to connect to ASA 1000V.</para>
           </listitem>
           <listitem>
-            <para>Inside Port Profile: The Inside Port Profile configuration on Cisco
-              Nexus1000v dvSwitch.</para>
+            <para>Inside Port Profile: The Inside Port Profile configuration on Cisco Nexus1000v
+              dvSwitch.</para>
           </listitem>
           <listitem>
-            <para>Cluster: The VMware cluster to which you are adding the ASA 1000v
-              instance.</para>
+            <para>Cluster: The VMware cluster to which you are adding the ASA 1000v instance.</para>
             <para>Ensure that the cluster is Cisco Nexus 1000v dvSwitch enabled.</para>
           </listitem>
         </itemizedlist>
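
Review bot: Product names are spelled inconsistently in the lines this hunk rewrites: the Host item uses both "ASA 1000v" and "ASA 1000V", and the Inside Port Profile item has "Nexus1000v" without the space used elsewhere in the file ("Nexus 1000v"). Normalize them while the lines are being re-wrapped.
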
@@ -230,8 +240,7 @@
   </section>
   <section id="asa-offering">
     <title>Creating a Network Offering Using Cisco ASA 1000v</title>
-    <para>To have Cisco ASA 1000v support for a guest network, create a network offering as
-      follows: </para>
+    <para>To have Cisco ASA 1000v support for a guest network, create a network offering as follows: </para>
     <orderedlist>
       <listitem>
         <para>Log in to the &PRODUCT; UI as a user or admin.</para>
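
Review bot: The first step says "Log in to the &PRODUCT; UI as a user or admin", while the overview earlier in this file states that a Cloud administrator creates the network offering. Make the two agree, and if creating an offering requires administrator rights, say so in this step. The re-joined para line also leaves a trailing space in "follows: </para>" and is now longer than the wrap width used in the rest of the file.
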
@@ -250,51 +259,50 @@
               offering.</para>
           </listitem>
           <listitem>
-            <para><emphasis role="bold">Description</emphasis>: A short description of the
-              offering that can be displayed to users.</para>
+            <para><emphasis role="bold">Description</emphasis>: A short description of the offering
+              that can be displayed to users.</para>
           </listitem>
           <listitem>
-            <para><emphasis role="bold">Network Rate</emphasis>: Allowed data transfer rate in
-              MB per second.</para>
+            <para><emphasis role="bold">Network Rate</emphasis>: Allowed data transfer rate in MB
+              per second.</para>
           </listitem>
           <listitem>
-            <para><emphasis role="bold">Traffic Type</emphasis>: The type of network traffic
-              that will be carried on the network.</para>
+            <para><emphasis role="bold">Traffic Type</emphasis>: The type of network traffic that
+              will be carried on the network.</para>
           </listitem>
           <listitem>
-            <para><emphasis role="bold">Guest Type</emphasis>: Choose whether the guest
-              network is isolated or shared.</para>
+            <para><emphasis role="bold">Guest Type</emphasis>: Choose whether the guest network is
+              isolated or shared.</para>
           </listitem>
           <listitem>
-            <para><emphasis role="bold">Persistent</emphasis>: Indicate whether the guest
-              network is persistent or not. The network that you can provision without having
-              to deploy a VM on it is termed persistent network. </para>
+            <para><emphasis role="bold">Persistent</emphasis>: Indicate whether the guest network is
+              persistent or not. The network that you can provision without having to deploy a VM on
+              it is termed persistent network. </para>
           </listitem>
           <listitem>
             <para><emphasis role="bold">VPC</emphasis>: This option indicate whether the guest
-              network is Virtual Private Cloud-enabled. A Virtual Private Cloud (VPC) is a
-              private, isolated part of &PRODUCT;. A VPC can have its own virtual network
-              topology that resembles a traditional physical network. For more information on
-              VPCs, see <xref linkend="vpc"/>.</para>
+              network is Virtual Private Cloud-enabled. A Virtual Private Cloud (VPC) is a private,
+              isolated part of &PRODUCT;. A VPC can have its own virtual network topology that
+              resembles a traditional physical network. For more information on VPCs, see <xref
+                linkend="vpc"/>.</para>
           </listitem>
           <listitem>
-            <para><emphasis role="bold">Specify VLAN</emphasis>: (Isolated guest networks
-              only) Indicate whether a VLAN should be specified when this offering is
-              used.</para>
+            <para><emphasis role="bold">Specify VLAN</emphasis>: (Isolated guest networks only)
+              Indicate whether a VLAN should be specified when this offering is used.</para>
           </listitem>
           <listitem>
-            <para><emphasis role="bold">Supported Services</emphasis>: Use Cisco VNMC as the
-              service provider for Firewall, Source NAT, Port Forwarding, and Static NAT to
-              create an Isolated guest network offering.</para>
+            <para><emphasis role="bold">Supported Services</emphasis>: Use Cisco VNMC as the service
+              provider for Firewall, Source NAT, Port Forwarding, and Static NAT to create an
+              Isolated guest network offering.</para>
           </listitem>
           <listitem>
             <para><emphasis role="bold">System Offering</emphasis>: Choose the system service
               offering that you want virtual routers to use in this network.</para>
           </listitem>
           <listitem>
-            <para><emphasis role="bold">Conserve mode</emphasis>: Indicate whether to use
-              conserve mode. In this mode, network resources are allocated only when the first
-              virtual machine starts in the network.</para>
+            <para><emphasis role="bold">Conserve mode</emphasis>: Indicate whether to use conserve
+              mode. In this mode, network resources are allocated only when the first virtual
+              machine starts in the network.</para>
           </listitem>
         </itemizedlist>
       </listitem>
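
Review bot: The Guest Type item says "Choose whether the guest network is isolated or shared", but the Supported Services item in this same list and the overview both describe an Isolated guest network offering for Cisco VNMC. If shared networks are not supported with this provider, tell the reader to select Isolated here. Two further points on lines in this hunk: "MB per second" under Network Rate is ambiguous between megabytes and megabits and should be spelled out, and the VPC item's context line reads "This option indicate", which should be "indicates".
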
@@ -303,4 +311,5 @@
         <para>The network offering is created.</para>
       </listitem>
     </orderedlist>
-  </section></section>
\ No newline at end of file
+  </section>
+</section>