Posted to dev@cloudstack.apache.org by Koushik Das <ko...@citrix.com> on 2013/02/11 14:38:01 UTC

RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack

Updated the FS with API, Db changes and current deployment limitations. Also updated the UI section as to what all needs to be added.

Chiradeep,
I looked at the option of spinning up templates from ovf template but didn't find a way (was looking for some samples) to pass custom parameters like vnmc ip, password etc. while creating VM instance. So for now the ASA instance creation is a manual step similar to VNMC appliance. In case there is a way out, the auto-creation can be done as a future enhancement.

Thanks,
Koushik

> -----Original Message-----
> From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> Sent: Friday, January 25, 2013 1:39 AM
> To: CloudStack DeveloperList
> Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> 
> Thanks for the FS updates.
> Good progress.
> I had forgotten about registering the ASA 1000v with VNMC - that makes it
> harder to spin these appliances up/down. However we can plan to login via
> the CLI just for this step.
> 
> I believe it is better to use a pre-setup pool of ASA appliances. Let's say we
> start with N appliances (created via an admin API call to CloudStack).
> 
>     createASA1000vPool(ovf template id, zone, vnmc ip, N, increment, threshold)
> 
> Then as the capacity reaches threshold%, the pool capacity is
> incremented by increment% asynchronously.
> 
> 
> 
> 
> 
> On 1/21/13 12:46 AM, "Koushik Das" <ko...@citrix.com> wrote:
> 
> >Thanks Chiradeep for explaining the vnmc/asa integration stuff that you
> >are working on and listing down all the use cases.
> >
> >Manan,
> >CLOUDSTACK-742 is covered as part of Chiradeep's work (refer use cases
> >#1 and #2 from the doc).
> >
> >-Koushik
> >
> >-----Original Message-----
> >From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> >Sent: Saturday, January 19, 2013 1:30 AM
> >To: CloudStack DeveloperList
> >Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >
> >Take a look here:
> >https://cwiki.apache.org/confluence/display/CLOUDSTACK/Cisco+VNMC+integration
> >
> >
> >This is something I had been prototyping without any real enthusiasm.
> >
> >There's 3 ways to control the ASA1000v:
> >1. By logging in via the CLI. Strongly against this.
> >2. By using VNMC
> >3. Via Cisco's Network Services Manager (NSM)[1]
> >
> >The NSM is comprehensive, covers a large range of physical and virtual
> >devices and has an easy northbound API. This would be my preferred
> >solution.
> >
> >However as of now (NSM v5.0.2), the ASA1000v  is not supported.
> >It may also be the case that using VNMC may be a cheaper (albeit less
> >supported) option
> >
> >[1] http://www.cisco.com/en/US/products/ps11636/index.html
> >
> >On 1/17/13 9:26 PM, "Koushik Das" <ko...@citrix.com> wrote:
> >
> >>Manan,
> >>Can you answer the questions that Chiradeep has raised?
> >>
> >>Chiradeep,
> >>I saw that you have started working on asa/vnmc here
> >>(https://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo?p=incubator-cloudstack.git;a=shortlog;h=refs/heads/cisco-vnmc-api-integration).
> >>I would like to understand the functionalities that you are planning
> >>to cover and what is the overlap between your work and the feature
> >>that Manan has proposed (supporting asa1000v as an external firewall).
> >>
> >>Thanks,
> >>Koushik
> >>
> >>> -----Original Message-----
> >>> From: Alex Huang [mailto:Alex.Huang@citrix.com]
> >>> Sent: Sunday, January 06, 2013 2:18 AM
> >>> To: cloudstack-dev@incubator.apache.org
> >>> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >>>
> >>> Manan,
> >>>
> >>> Can you address the issues that Chiradeep has brought up?  I think
> >>> for a requirements discussion it is just as important to indicate
> >>> what we will not do or what is considered a feature of a later
> >>> release.
> >>>
> >>> --Alex
> >>>
> >>> > -----Original Message-----
> >>> > From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> >>> > Sent: Thursday, January 03, 2013 6:16 PM
> >>> > To: CloudStack DeveloperList
> >>> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >>> >
> >>> > There cannot be feature parity since the ASA1000v is only
> >>> > supported on VMWare.
> >>> >
> >>> > Should the ASA1000v be created on demand, or do we expect the
> >>> > admin to provision a pool of virtual ASAs?
> >>> >
> >>> > Should we support VXLAN as the isolation technology or VLANs?
> >>> >
> >>> >
> >>> > On 1/3/13 5:08 PM, "Manan Shah" <ma...@citrix.com> wrote:
> >>> >
> >>> > >Hi,
> >>> > >
> >>> > >I would like to propose a new feature for integrating Cisco ASA
> >>> > >1000v in CS 4.1. I have created a JIRA ticket and provided the
> >>> > >requirements at the following location.  Please provide feedback
> >>> > >on the requirements.
> >>> > >
> >>> > >JIRA Ticket: https://issues.apache.org/jira/browse/CLOUDSTACK-742
> >>> > >Requirements: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Integrate+Cisco+ASA+1000v+as+a+FW+for+CloudStack
> >>> > >
> >>> > >Additional details would be provided in the FS.
> >>> > >
> >>> > >Regards,
> >>> > >Manan Shah
> >>> > >
> >>
> >


RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack

Posted by Alex Huang <Al...@citrix.com>.
Yup. I don't believe there's one way to auto-scale VPXes. It's very difficult to get it right for one code to auto-scale everything. OTOH, you can actually expose APIs for admins to spin up what they need, including assigning IP addresses in the management network etc., but the APIs should not be a CloudStack generic API. The plugin provider should just provide their own.

Pre-create is a good interim solution. The one problem with it is we have to get back our old code that leaves VMs outside of CloudStack's naming nomenclature alone. We used to do that precisely to share the resource pool with other VMs but we've lost that sometime in the 2.2 time frame. We need to bring that back. Without it, it means they have to have their own physical servers outside of CloudStack's management to spin up and down VPXes.

--Alex

> -----Original Message-----
> From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> Sent: Monday, February 11, 2013 9:57 AM
> To: Koushik Das; cloudstack-dev@incubator.apache.org
> Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> 
> Yeah, the spinning up of virtual appliances on demand is a problem across
> almost all vendors:
> 1. The management ip of the virtual appliance needs to be programmed
> 2. There could be license management issues, or the VA needs to be
> registered with some kind of controller
> 3. The appliance may need to be configured with a new password
> 
> I see this as a problem with say Vyatta, Netscaler VPX, etc.
> 
> For these appliances we can assume that the admin has pre-created enough
> appliances and configured them appropriately. We can also assume a 1-1
> mapping between VPC and appliance.
> 
> >
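
The pre-created pool proposed in this thread (start with N appliances, grow by increment% once usage reaches threshold%, one appliance per VPC), as an added sketch that is not part of any message and not CloudStack code. The class, method and appliance names are hypothetical, and provisioning is modelled as a separate complete_growth() step standing in for the asynchronous creation and VNMC registration.

```python
# Added illustration (not CloudStack code): a pre-created appliance pool that
# requests more capacity once usage reaches a threshold. All names here are
# hypothetical; appliance names such as "asa-1" are constructed sample values.


class PoolExhausted(Exception):
    """No free appliance is available right now."""


class AppliancePool:
    def __init__(self, initial_size, threshold_pct, increment_pct):
        if initial_size < 1:
            raise ValueError("initial_size (N) must be at least 1")
        if not 0 < threshold_pct <= 100:
            raise ValueError("threshold_pct must be in (0, 100]")
        if increment_pct <= 0:
            raise ValueError("increment_pct must be positive")
        self.threshold_pct = threshold_pct
        self.increment_pct = increment_pct
        self.capacity = initial_size
        self.free = [f"asa-{i}" for i in range(1, initial_size + 1)]
        self.assigned = {}        # vpc_id -> appliance (the 1-1 mapping)
        self.pending_growth = 0   # appliances requested but not yet usable
        self._next_index = initial_size + 1

    def acquire(self, vpc_id):
        """Return the appliance for this VPC, assigning a free one if needed."""
        if vpc_id in self.assigned:
            # 1-1 mapping: asking twice for the same VPC never consumes capacity.
            return self.assigned[vpc_id]
        if not self.free:
            # Growth is asynchronous, so a burst can outrun it. Fail closed
            # rather than hand out an appliance that is not registered yet.
            raise PoolExhausted(f"no free appliance for {vpc_id}")
        appliance = self.free.pop(0)
        self.assigned[vpc_id] = appliance
        self._maybe_request_growth()
        return appliance

    def release(self, vpc_id):
        """Return a VPC's appliance to the free list."""
        appliance = self.assigned.pop(vpc_id)
        self.free.append(appliance)
        return appliance

    def _maybe_request_growth(self):
        # Only one growth request is outstanding at a time.
        if self.pending_growth:
            return
        # Integer form of: in_use / capacity >= threshold_pct / 100
        if len(self.assigned) * 100 >= self.threshold_pct * self.capacity:
            # increment% of current capacity, rounded up, at least one appliance.
            self.pending_growth = max(
                1, (self.capacity * self.increment_pct + 99) // 100
            )

    def complete_growth(self):
        """Called when the requested appliances are provisioned and usable."""
        start = self._next_index
        new = [f"asa-{i}" for i in range(start, start + self.pending_growth)]
        self._next_index += len(new)
        self.capacity += len(new)
        self.free.extend(new)
        self.pending_growth = 0
        return new


if __name__ == "__main__":
    pool = AppliancePool(initial_size=4, threshold_pct=75, increment_pct=50)
    for vpc in ("vpc-1", "vpc-2", "vpc-3", "vpc-4"):
        print(vpc, "->", pool.acquire(vpc), "pending growth:", pool.pending_growth)
    try:
        pool.acquire("vpc-5")
    except PoolExhausted as exc:
        print("before growth completes:", exc)
    print("provisioned:", pool.complete_growth())
    print("vpc-5 ->", pool.acquire("vpc-5"), "capacity:", pool.capacity)
```

With N=4, threshold=75 and increment=50, the third assignment triggers a request for two more appliances, and a fifth VPC is refused until that request completes.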


RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack

Posted by Koushik Das <ko...@citrix.com>.

> -----Original Message-----
> From: Chiradeep Vittal
> Sent: Tuesday, March 12, 2013 5:56 AM
> To: cloudstack-dev@incubator.apache.org; Koushik Das
> Cc: Manan Shah
> Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> 
>  - It might be better to support VPC instead of "isolated". Even if it means
> that some features are not supported initially. I feel that "isolated" is a special
> case of "VPC", except for the firewall function.

I feel both can exist and once VPC stuff is completed then it can be documented appropriately.

>  - What about support for systemvm / NS as an LB appliance?

I am trying to think what would side-by-side mean in this case. For inline mode support is anything available in the CS framework?

>  - Although the ASA DHCP server cannot be programmed, it might be
> desirable in enterprise use cases (where they may not care about
> userdata/metadata) to support the ASA DHCP server as a DHCP provider. In
> this case we have to figure out how to update the NIC information in
> CloudStack DB after the VM has acquired its IP.

This is a good to have use case. Will revisit after isolated and VPC scenarios are done.

> 
> 
> On 3/11/13 6:11 AM, "Koushik Das" <ko...@citrix.com> wrote:
> 
> >Updated the FS with following changes:
> >
> >- Use case section updated, classified use cases that will be supported
> >for 4.2 and beyond. Also removed items like VSG and VXLAN support to
> >"Open items" section as not planning to do them as part of "ASA
> >integration".
> >- Updated the deployment model section and added HV limitation (Vmware
> >only feature)
> >- Also updated the API section with parameter details.
> >
> >Comments/feedback?
> >
> >Thanks,
> >Koushik


RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack

Posted by Koushik Das <ko...@citrix.com>.
Resending as I didn't see the mail on dev list.

> -----Original Message-----
> From: Koushik Das
> Sent: Tuesday, March 12, 2013 6:37 PM
> To: Chiradeep Vittal; cloudstack-dev@incubator.apache.org
> Cc: Manan Shah
> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> 
> 
> 
> > -----Original Message-----
> > From: Chiradeep Vittal
> > Sent: Tuesday, March 12, 2013 5:56 AM
> > To: cloudstack-dev@incubator.apache.org; Koushik Das
> > Cc: Manan Shah
> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >
> >  - It might be better to support VPC instead of "isolated". Even if it
> > means that some features are not supported initially. I feel that
> > "isolated" is a special case of "VPC", except for the firewall function.

I feel both can exist and once VPC stuff is completed then it can be documented appropriately.

> >  - What about support for systemvm / NS as an LB appliance?

I am trying to think what would side-by-side mean in this case. For inline mode support is anything available in the CS framework?

> >  - Although the ASA DHCP server cannot be programmed, it might be
> > desirable in enterprise use cases (where they may not care about
> > userdata/metadata) to support the ASA DHCP server as a DHCP provider.
> > In this case we have to figure out how to update the NIC information
> > in CloudStack DB after the VM has acquired its IP.

This is a good to have use case. Will revisit after isolated and VPC scenarios are done.

> >
> >
> > On 3/11/13 6:11 AM, "Koushik Das" <ko...@citrix.com> wrote:
> >
> > >Updated the FS with following changes:
> > >
> > >- Use case section updated, classified use cases that will be
> > >supported for 4.2 and beyond. Also removed items like VSG and VXLAN
> > >support to "Open items" section as not planning to do them as part of
> > >"ASA integration".
> > >- Updated the deployment model section and added HV limitation
> > >(Vmware only feature)
> > >- Also updated the API section with parameter details.
> > >
> > >Comments/feedback?
> > >
> > >Thanks,
> > >Koushik


Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack

Posted by Chiradeep Vittal <Ch...@citrix.com>.

On 3/13/13 9:40 AM, "Koushik Das" <ko...@citrix.com> wrote:

>I am trying to understand the deployment model with Asa1000v for the VPC
>use case mentioned in FS
>- Cloud operator creates VPC network offering with source nat using
>ASA1000v as the service provider for firewall, source nat, port
>forwarding, ACL and routing. CloudStack system vm is used for DHCP,
>userdata and metadata, password server.
>
>I looked at the Inter-VLAN routing FS
>(https://cwiki.apache.org/confluence/display/CLOUDSTACK/Inter-VLAN+Routing
>). For each network in VPC, a nic is created in the VPC VR. ACL rules are
>configured in VPC VR to allow traffic between these networks.
>Based on the VPC VR model I am trying to create the deployment model when
>Asa is used. Asa has 2 interfaces 'inside' and 'outside'. For isolated
>guest network scenario, inside is connected to the private network and
>outside connected to public network. I am trying to think how to map it
>for VPC case where there can be N private nics and 1 public nic.
>
>Chiradeep, can you share your thoughts on this?
>
>Thanks,
>Koushik

That surprises me, but it looks like it is true:
http://s.apache.org/Hc2


It appears that the assumption is that one VLAN = 1 tenant. Within the
VLAN you can create multiple tiers (web, app, db) and isolate them using
the VSG. This would be akin to using security groups within one tier to
provide isolation.

Note that all tiers would belong to the same subnet. 


RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack

Posted by Koushik Das <ko...@citrix.com>.
I am trying to understand the deployment model with Asa1000v for the VPC use case mentioned in FS
- Cloud operator creates VPC network offering with source nat using ASA1000v as the service provider for firewall, source nat, port forwarding, ACL and routing. CloudStack system vm is used for DHCP, userdata and metadata, password server.

I looked at the Inter-VLAN routing FS (https://cwiki.apache.org/confluence/display/CLOUDSTACK/Inter-VLAN+Routing). For each network in VPC, a nic is created in the VPC VR. ACL rules are configured in VPC VR to allow traffic between these networks.
Based on the VPC VR model I am trying to create the deployment model when Asa is used. Asa has 2 interfaces 'inside' and 'outside'. For isolated guest network scenario, inside is connected to the private network and outside connected to public network. I am trying to think how to map it for VPC case where there can be N private nics and 1 public nic.

Chiradeep, can you share your thoughts on this?

Thanks,
Koushik

> -----Original Message-----
> From: Chiradeep Vittal
> Sent: Tuesday, March 12, 2013 5:56 AM
> To: cloudstack-dev@incubator.apache.org; Koushik Das
> Cc: Manan Shah
> Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> 
>  - It might be better to support VPC instead of "isolated". Even if it means
> that some features are not supported initially. I feel that "isolated is a special
> case of "VPC", except for the firewall function.
>  - What about support for systemvm / NS as an LB appliance?
>  - Although the ASA DHCP server cannot be programmed, it might be
> desirable in enterprise use cases (where they may not care about
> userdata/metadata) to support the ASA DHCP server as a DHCP provider. In
> this case we have to figure out how to update the NIC information in
> CloudStack DB after the VM has acquired its IP.
> 
> 
> On 3/11/13 6:11 AM, "Koushik Das" <ko...@citrix.com> wrote:
> 
> >Updated the FS with following changes:
> >
> >- Use case section updated, classified use cases that will be supported
> >for 4.2 and beyond. Also removed items like VSG and VXLAN support to
> >"Open items" section as not planning to do them as part of "ASA
> >integration".
> >- Updated the deployment model section and added HV limitation (Vmware
> >only feature)
> >- Also updated the API section with parameter details.
> >
> >Comments/feedback?
> >
> >Thanks,
> >Koushik
> >
> >> -----Original Message-----
> >> From: Koushik Das [mailto:koushik.das@citrix.com]
> >> Sent: Monday, February 11, 2013 7:08 PM
> >> To: cloudstack-dev@incubator.apache.org
> >> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >>
> >> Updated the FS with API, Db changes and current deployment limitations.
> >> Also updated the UI section as to what all needs to be added.
> >>
> >> Chiradeep,
> >> I looked at the option of spinning up templates from ovf template but
> >>didn't  find a way (was looking for some samples) to pass custom
> >>parameters like  vnmc  ip, password etc. while creating VM instance.
> >>So for now the ASA  instance creation is a manual step similar to VNMC
> >>appliance. In case there is  a way out, the auto-creation can be done
> >>as a future enhancement.
> >>
> >> Thanks,
> >> Koushik
> >>
> >> > -----Original Message-----
> >> > From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> >> > Sent: Friday, January 25, 2013 1:39 AM
> >> > To: CloudStack DeveloperList
> >> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >> >
> >> > Thanks for the FS updates.
> >> > Good progress.
> >> > I had forgotten about registering the ASA 1000v with VNMC - that
> >> > makes it harder to spin these appliances up/down. However we can
> >> > plan to login via the CLI just for this step.
> >> >
> >> > I believe it is better to use a pre-setup pool of ASA appliances.
> >> > Let's say we start with N appliances (created via an admin API call
> >> > to
> >> CloudStack).
> >> > createASA1000vPool(ovf template id, zone, vnmc ip, N, increment,
> >> > threshold) Then as the capacity reaches threshold%, the pool
> >> > capacity is incremented by increment% asynchronously.
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > On 1/21/13 12:46 AM, "Koushik Das" <ko...@citrix.com> wrote:
> >> >
> >> > >Thanks Chiradeep for explaining the vnmc/asa integration stuff
> >> > >that you are working on and listing down all the use cases.
> >> > >
> >> > >Manan,
> >> > >CLOUDSTACK-742 is covered as part of Chiradeep's work (refer use
> >> > >cases
> >> > >#1 and #2 from the doc).
> >> > >
> >> > >-Koushik
> >> > >
> >> > >-----Original Message-----
> >> > >From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> >> > >Sent: Saturday, January 19, 2013 1:30 AM
> >> > >To: CloudStack DeveloperList
> >> > >Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >> > >
> >> > >Take a look here:
> >> > >https://cwiki.apache.org/confluence/display/CLOUDSTACK/Cisco+VNMC+integration
> >> > >
> >> > >
> >> > >This is something I had been prototyping without any real enthusiasm.
> >> > >
> >> > >There's 3 ways to control the ASA1000v:
> >> > >1. By logging in via the CLI. Strongly against this.
> >> > >2. By using VNMC
> >> > >3. Via Cisco's Network Services Manager (NSM)[1]
> >> > >
> >> > >The NSM is comprehensive, covers a large range of physical and
> >> > >virtual devices and has an easy northbound API. This would be my
> >> > >preferred solution.
> >> > >
> >> > >However as of now (NSM v5.0.2), the ASA1000v  is not supported.
> >> > >It may also be the case that using VNMC may be a cheaper (albeit
> >> > >less
> >> > >supported) option
> >> > >
> >> > >[1] http://www.cisco.com/en/US/products/ps11636/index.html
> >> > >
> >> > >On 1/17/13 9:26 PM, "Koushik Das" <ko...@citrix.com> wrote:
> >> > >
> >> > >>Manan,
> >> > >>Can you answer the questions that Chiradeep has raised?
> >> > >>
> >> > >>Chiradeep,
> >> > >>I saw that you have started working on asa/vnmc here
> >> > >>(https://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo?p=incubator-cloudstack.git;a=shortlog;h=refs/heads/cisco-vnmc-api-integration).
> >> > >>I would like to understand the functionalities that you are
> >> > >>planning to cover and what is the overlap between your work and
> >> > >>the feature that Manan has proposed (supporting asa1000v as an
> >> > >>external
> >>firewall).
> >> > >>
> >> > >>Thanks,
> >> > >>Koushik
> >> > >>
> >> > >>> -----Original Message-----
> >> > >>> From: Alex Huang [mailto:Alex.Huang@citrix.com]
> >> > >>> Sent: Sunday, January 06, 2013 2:18 AM
> >> > >>> To: cloudstack-dev@incubator.apache.org
> >> > >>> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into
> >> > >>> CloudStack
> >> > >>>
> >> > >>> Manan,
> >> > >>>
> >> > >>> Can you address the issues that Chiradeep has brought up?  I
> >> > >>>think for a  requirements discussion it is just as important to
> >> > >>>indicate what we will not do  or what is considered a feature of
> >> > >>>a later release.
> >> > >>>
> >> > >>> --Alex
> >> > >>>
> >> > >>> > -----Original Message-----
> >> > >>> > From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> >> > >>> > Sent: Thursday, January 03, 2013 6:16 PM
> >> > >>> > To: CloudStack DeveloperList
> >> > >>> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into
> >> > >>> > CloudStack
> >> > >>> >
> >> > >>> > There cannot be feature parity since the ASA1000v is only
> >> > >>> > supported on VMWare.
> >> > >>> >
> >> > >>> > Should the ASA1000v be created on demand, or do we expect the
> >> > >>> > admin to provision a pool of virtual ASAs?
> >> > >>> >
> >> > >>> > Should we support VXLAN as the isolation technology or VLANs?
> >> > >>> >
> >> > >>> >
> >> > >>> > On 1/3/13 5:08 PM, "Manan Shah" <ma...@citrix.com>
> wrote:
> >> > >>> >
> >> > >>> > >Hi,
> >> > >>> > >
> >> > >>> > >I would like to propose a new feature for integrating Cisco
> >> > >>> > >ASA 1000v in CS 4.1. I have created a JIRA ticket and
> >> > >>> > >provided the requirements at the following location.  Please
> >> > >>> > >provide feedback on the
> >> > >>>requirements.
> >> > >>> > >
> >> > >>> > >JIRA Ticket:
> >> > >>> > >https://issues.apache.org/jira/browse/CLOUDSTACK-742
> >> > >>> > >Requirements:
> >> > >>> > >https://cwiki.apache.org/confluence/display/CLOUDSTACK/Integrate+Cisco+ASA+1000v+as+a+FW+for+CloudStack
> >> > >>> > >
> >> > >>> > >Additional details would be provided in the FS.
> >> > >>> > >
> >> > >>> > >Regards,
> >> > >>> > >Manan Shah
> >> > >>> > >
> >> > >>
> >> > >
> >


Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack

Posted by Manan Shah <ma...@citrix.com>.
My thinking is that most users would want the following:

1. Either use VR for both FW and LB or use External Devices for both FW
and LB
2. Lower priority would be to use VR for one and External Device for
another
3. Between in-line and side-by-side, I think we should give higher
priority to in-line than side-by-side

So, I think it would be good if we can support LB functionality through
external device in 4.2.

Regards,
Manan Shah




On 3/21/13 5:49 AM, "Koushik Das" <ko...@citrix.com> wrote:

>It's already mentioned in FS that LB functionality is beyond 4.2.
>I haven't yet thought about these scenarios. Can you let me know what all
>configurations (in-line, side-by-side) need to be supported? I am not
>sure about the use for side-by-side.
>
>> -----Original Message-----
>> From: Manan Shah [mailto:manan.shah@citrix.com]
>> Sent: Thursday, March 21, 2013 12:20 AM
>> To: cloudstack-dev@incubator.apache.org
>> Cc: Manan Shah
>> Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
>> 
>> Hi Koushik,
>> 
>> Can you please confirm if the LB functionality (via VR or VPX) would be
>> supported in 4.2 or not?
>> 
>> Regards,
>> Manan Shah
>> 
>> 
>> 
>> 
>> On 3/19/13 5:00 AM, "Koushik Das" <ko...@citrix.com> wrote:
>> 
>> >Inline
>> >
>> >>
>> >> On 18/03/13 7:37 PM, "Sailaja Mada" <sa...@citrix.com> wrote:
>> >>
>> >> >+
>> >> >
>> >> >7) During Guest Network shutdown, Do we release the ASA association
>> >> >with Guest Network and Even change guest_port_profile configuration
>> >> >as Cloudstack releases VLAN and Network will go to allocated state?
>> >> >
>> >
>> >Yes. Necessary stuff should get cleaned up
>> >
>> >> >8) When the Guest Network is updated from ASA firewall  offering to
>> >> >VR Offering ,  Please share the sequence of configuration steps
>> >> >called out @ ASA/VNMC?
>> >> >
>> >
>> >Not sure I understand the scenario completely. Can you elaborate on the
>> >use case that this is going to provide?
>> >
>> >> >Thanks,
>> >> >Sailaja.M
>> >> >
>> >> >-----Original Message-----
>> >> >From: Sailaja Mada [mailto:sailaja.mada@citrix.com]
>> >> >Sent: Monday, March 18, 2013 5:32 PM
>> >> >To: cloudstack-dev@incubator.apache.org; Koushik Das
>> >> >Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
>> >> >
>> >> >Hi,
>> >> >
>> >> >1) Section: CiscoVNMCElement::implement() :
>> >> >
>> >> >1A) vservice_node  is configured with fail-mode close .  This is to
>> >> >drop the packets if there is no connectivity to VEM , It means ESXi
>> >> >host is not reachable. I see that we are going to configure with
>> >> >fail mode as close
>> >> >
>> >> >Is there any use case where packets will get forwarded with
>> >> >fail-mode open ?
>> >> >
>> >
>> >If required this can be moved to a configuration later on. For now
>> >'close' should be good.
>> >
>> >> >1B) vservice_node   configuration has ip address 10.1.1.1 .  Can you
>> >> >please share from where this IP address is picked up when the
>> >> >configuration is done thru cloudstack?
>> >> >
>> >
>> >ASA acts as the default gateway and this is the gateway IP.
>> >
>> >> >2) When the guest network is deleted/Account it deleted, Will you be
>> >> >deleting the vethernet asa in_port_profile defined @ VSM while
>> >> >releasing the VLAN .
>> >> >
>> >
>> >Yes
>> >
>> >> >3) Can you please update  FS with Edge security profile details that
>> >> >will get configured @ ASA when firewall rules are configured from
>> >> Cloudstack.
>> >> >
>> >
>> >ESP is configured in VNMC. There will be rules created under NAT,
>> >Egress/Ingress ACLs
>> >
>> >> >4) When Guest Network is restarted what are the sequence of
>> >> >operations will happen when it  has ASA firewall ?
>> >> >
>> >
>> >ASA firewall will get implemented as a network element that
>> >participates in the orchestration. Let me know what specific sequence
>> >are you referring to?
>> >
>> >> >5) Is there  any change with API's that are used to configure
>> >> >Firewall rules?
>> >> >
>> >
>> >No
>> >
>> >> >6) Use Cases / Flow  -  I see that LB as Netscaler with isolated
>> >> >Network is not available.  Are we supporting only VR?
>> >> >
>> >
>> >Not in 4.2. It's mentioned in FS.
>> >
>> >> >Please clarify.
>> >> >
>> >> >Thanks,
>> >> >Sailaja.M
>> >> >
>> >> >-----Original Message-----
>> >> >From: Koushik Das [mailto:koushik.das@citrix.com]
>> >> >Sent: Monday, March 11, 2013 6:41 PM
>> >> >To: Koushik Das; cloudstack-dev@incubator.apache.org
>> >> >Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
>> >> >
>> >> >Updated the FS with following changes:
>> >> >
>> >> >- Use case section updated, classified use cases that will be
>> >> >supported for 4.2 and beyond. Also removed items like VSG and VXLAN
>> >> >support to "Open items" section as not planning to do them as part
>> >> >of "ASA integration".
>> >> >- Updated the deployment model section and added HV limitation
>> >> >(Vmware only feature)
>> >> >- Also updated the API section with parameter details.
>> >> >
>> >> >Comments/feedback?
>> >> >
>> >> >Thanks,
>> >> >Koushik
>> >> >
>> >> >> -----Original Message-----
>> >> >> From: Koushik Das [mailto:koushik.das@citrix.com]
>> >> >> Sent: Monday, February 11, 2013 7:08 PM
>> >> >> To: cloudstack-dev@incubator.apache.org
>> >> >> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
>> >> >>
>> >> >> Updated the FS with API, Db changes and current deployment
>> >>limitations.
>> >> >> Also updated the UI section as to what all needs to be added.
>> >> >>
>> >> >> Chiradeep,
>> >> >> I looked at the option of spinning up templates from ovf template
>> >> >>but didn't find a way (was looking for some samples) to pass custom
>> >> >>parameters like vnmc  ip, password etc. while creating VM instance.
>> >> >>So for now the ASA instance creation is a manual step similar to
>> >> >>VNMC appliance. In case there is a way out, the auto-creation can
>> >> >>be done as a future enhancement.
>> >> >>
>> >> >> Thanks,
>> >> >> Koushik
>> >> >>
>> >> >> > -----Original Message-----
>> >> >> > From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
>> >> >> > Sent: Friday, January 25, 2013 1:39 AM
>> >> >> > To: CloudStack DeveloperList
>> >> >> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
>> >> >> >
>> >> >> > Thanks for the FS updates.
>> >> >> > Good progress.
>> >> >> > I had forgotten about registering the ASA 1000v with VNMC - that
>> >> >> > makes it harder to spin these appliances up/down. However we can
>> >> >> > plan to login via the CLI just for this step.
>> >> >> >
>> >> >> > I believe it is better to use a pre-setup pool of ASA
>>appliances.
>> >> >> > Let's say we start with N appliances (created via an admin API
>> >> >> > call to
>> >> >> CloudStack).
>> >> >> > createASA1000vPool(ovf template id, zone, vnmc ip, N, increment,
>> >> >> > threshold) Then as the capacity reaches threshold%, the pool
>> >> >> > capacity is incremented by increment% asynchronously.
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > On 1/21/13 12:46 AM, "Koushik Das" <ko...@citrix.com>
>> wrote:
>> >> >> >
>> >> >> > >Thanks Chiradeep for explaining the vnmc/asa integration stuff
>> >> >> > >that you are working on and listing down all the use cases.
>> >> >> > >
>> >> >> > >Manan,
>> >> >> > >CLOUDSTACK-742 is covered as part of Chiradeep's work (refer
>> >> >> > >use cases
>> >> >> > >#1 and #2 from the doc).
>> >> >> > >
>> >> >> > >-Koushik
>> >> >> > >
>> >> >> > >-----Original Message-----
>> >> >> > >From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
>> >> >> > >Sent: Saturday, January 19, 2013 1:30 AM
>> >> >> > >To: CloudStack DeveloperList
>> >> >> > >Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into
>> >> >> > >CloudStack
>> >> >> > >
>> >> >> > >Take a look here:
>> >> >> > >https://cwiki.apache.org/confluence/display/CLOUDSTACK/Cisco+VNMC+integration
>> >> >> > >
>> >> >> > >
>> >> >> > >This is something I had been prototyping without any real
>> >>enthusiasm.
>> >> >> > >
>> >> >> > >There's 3 ways to control the ASA1000v:
>> >> >> > >1. By logging in via the CLI. Strongly against this.
>> >> >> > >2. By using VNMC
>> >> >> > >3. Via Cisco's Network Services Manager (NSM)[1]
>> >> >> > >
>> >> >> > >The NSM is comprehensive, covers a large range of physical and
>> >> >> > >virtual devices and has an easy northbound API. This would be
>> >> >> > >my preferred solution.
>> >> >> > >
>> >> >> > >However as of now (NSM v5.0.2), the ASA1000v  is not supported.
>> >> >> > >It may also be the case that using VNMC may be a cheaper
>> >> >> > >(albeit less
>> >> >> > >supported) option
>> >> >> > >
>> >> >> > >[1] http://www.cisco.com/en/US/products/ps11636/index.html
>> >> >> > >
>> >> >> > >On 1/17/13 9:26 PM, "Koushik Das" <ko...@citrix.com>
>> wrote:
>> >> >> > >
>> >> >> > >>Manan,
>> >> >> > >>Can you answer the questions that Chiradeep has raised?
>> >> >> > >>
>> >> >> > >>Chiradeep,
>> >> >> > >>I saw that you have started working on asa/vnmc here
>> >> >> > >>(https://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo?p=incubator-cloudstack.git;a=shortlog;h=refs/heads/cisco-vnmc-api-integration).
>> >> >> > >>I would like to understand the functionalities that you are
>> >> >> > >>planning to cover and what is the overlap between your work
>> >> >> > >>and the feature that Manan has proposed (supporting asa1000v
>> >> >> > >>as an
>> >> >>external firewall).
>> >> >> > >>
>> >> >> > >>Thanks,
>> >> >> > >>Koushik
>> >> >> > >>
>> >> >> > >>> -----Original Message-----
>> >> >> > >>> From: Alex Huang [mailto:Alex.Huang@citrix.com]
>> >> >> > >>> Sent: Sunday, January 06, 2013 2:18 AM
>> >> >> > >>> To: cloudstack-dev@incubator.apache.org
>> >> >> > >>> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into
>> >> >> > >>> CloudStack
>> >> >> > >>>
>> >> >> > >>> Manan,
>> >> >> > >>>
>> >> >> > >>> Can you address the issues that Chiradeep has brought up?  I
>> >> >> > >>>think for a  requirements discussion it is just as important
>> >> >> > >>>to indicate what we will not do  or what is considered a
>> >> >> > >>>feature of a later release.
>> >> >> > >>>
>> >> >> > >>> --Alex
>> >> >> > >>>
>> >> >> > >>> > -----Original Message-----
>> >> >> > >>> > From: Chiradeep Vittal
>> >> >> > >>> > [mailto:Chiradeep.Vittal@citrix.com]
>> >> >> > >>> > Sent: Thursday, January 03, 2013 6:16 PM
>> >> >> > >>> > To: CloudStack DeveloperList
>> >> >> > >>> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into
>> >> >> > >>> > CloudStack
>> >> >> > >>> >
>> >> >> > >>> > There cannot be feature parity since the ASA1000v is only
>> >> >> > >>> > supported on VMWare.
>> >> >> > >>> >
>> >> >> > >>> > Should the ASA1000v be created on demand, or do we expect
>> >> >> > >>> > the admin to provision a pool of virtual ASAs?
>> >> >> > >>> >
>> >> >> > >>> > Should we support VXLAN as the isolation technology or
>> VLANs?
>> >> >> > >>> >
>> >> >> > >>> >
>> >> >> > >>> > On 1/3/13 5:08 PM, "Manan Shah" <ma...@citrix.com>
>> >> wrote:
>> >> >> > >>> >
>> >> >> > >>> > >Hi,
>> >> >> > >>> > >
>> >> >> > >>> > >I would like to propose a new feature for integrating
>> >> >> > >>> > >Cisco ASA 1000v in CS 4.1. I have created a JIRA ticket
>> >> >> > >>> > >and provided the requirements at the following location.
>> >> >> > >>> > >Please provide feedback on the
>> >> >> > >>>requirements.
>> >> >> > >>> > >
>> >> >> > >>> > >JIRA Ticket:
>> >> >> > >>> > >https://issues.apache.org/jira/browse/CLOUDSTACK-742
>> >> >> > >>> > >Requirements:
>> >> >> > >>> > >https://cwiki.apache.org/confluence/display/CLOUDSTACK/Integrate+Cisco+ASA+1000v+as+a+FW+for+CloudStack
>> >> >> > >>> > >
>> >> >> > >>> > >Additional details would be provided in the FS.
>> >> >> > >>> > >
>> >> >> > >>> > >Regards,
>> >> >> > >>> > >Manan Shah
>> >> >> > >>> > >
>> >> >> > >>
>> >> >> > >
>> >> >
>> >
>


RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack

Posted by Koushik Das <ko...@citrix.com>.
It's already mentioned in FS that LB functionality is beyond 4.2.
I haven't yet thought about these scenarios. Can you let me know what all configurations (in-line, side-by-side) need to be supported? I am not sure about the use for side-by-side.

> -----Original Message-----
> From: Manan Shah [mailto:manan.shah@citrix.com]
> Sent: Thursday, March 21, 2013 12:20 AM
> To: cloudstack-dev@incubator.apache.org
> Cc: Manan Shah
> Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> 
> Hi Koushik,
> 
> Can you please confirm if the LB functionality (via VR or VPX) would be
> supported in 4.2 or not?
> 
> Regards,
> Manan Shah
> 
> 
> 
> 
> On 3/19/13 5:00 AM, "Koushik Das" <ko...@citrix.com> wrote:
> 
> >Inline
> >
> >>
> >> On 18/03/13 7:37 PM, "Sailaja Mada" <sa...@citrix.com> wrote:
> >>
> >> >+
> >> >
> >> >7) During Guest Network shutdown, Do we release the ASA association
> >> >with Guest Network and Even change guest_port_profile configuration
> >> >as Cloudstack releases VLAN and Network will go to allocated state?
> >> >
> >
> >Yes. Necessary stuff should get cleaned up
> >
> >> >8) When the Guest Network is updated from ASA firewall  offering to
> >> >VR Offering ,  Please share the sequence of configuration steps
> >> >called out @ ASA/VNMC?
> >> >
> >
> >Not sure I understand the scenario completely. Can you elaborate on the
> >use case that this is going to provide?
> >
> >> >Thanks,
> >> >Sailaja.M
> >> >
> >> >-----Original Message-----
> >> >From: Sailaja Mada [mailto:sailaja.mada@citrix.com]
> >> >Sent: Monday, March 18, 2013 5:32 PM
> >> >To: cloudstack-dev@incubator.apache.org; Koushik Das
> >> >Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >> >
> >> >Hi,
> >> >
> >> >1) Section: CiscoVNMCElement::implement() :
> >> >
> >> >1A) vservice_node  is configured with fail-mode close .  This is to
> >> >drop the packets if there is no connectivity to VEM , It means ESXi
> >> >host is not reachable. I see that we are going to configure with
> >> >fail mode as close
> >> >
> >> >Is there any use case where packets will get forwarded with
> >> >fail-mode open ?
> >> >
> >
> >If required this can be moved to a configuration later on. For now
> >'close' should be good.
> >
> >> >1B) vservice_node   configuration has ip address 10.1.1.1 .  Can you
> >> >please share from where this IP address is picked up when the
> >> >configuration is done thru cloudstack?
> >> >
> >
> >ASA acts as the default gateway and this is the gateway IP.
> >
> >> >2) When the guest network is deleted/Account it deleted, Will you be
> >> >deleting the vethernet asa in_port_profile defined @ VSM while
> >> >releasing the VLAN .
> >> >
> >
> >Yes
> >
> >> >3) Can you please update  FS with Edge security profile details that
> >> >will get configured @ ASA when firewall rules are configured from
> >> Cloudstack.
> >> >
> >
> >ESP is configured in VNMC. There will be rules created under NAT,
> >Egress/Ingress ACLs
> >
> >> >4) When Guest Network is restarted what are the sequence of
> >> >operations will happen when it  has ASA firewall ?
> >> >
> >
> >ASA firewall will get implemented as a network element that
> >participates in the orchestration. Let me know what specific sequence
> >are you referring to?
> >
> >> >5) Is there  any change with API's that are used to configure
> >> >Firewall rules?
> >> >
> >
> >No
> >
> >> >6) Use Cases / Flow  -  I see that LB as Netscaler with isolated
> >> >Network is not available.  Are we supporting only VR?
> >> >
> >
> >Not in 4.2. It's mentioned in FS.
> >
> >> >Please clarify.
> >> >
> >> >Thanks,
> >> >Sailaja.M
> >> >
> >> >-----Original Message-----
> >> >From: Koushik Das [mailto:koushik.das@citrix.com]
> >> >Sent: Monday, March 11, 2013 6:41 PM
> >> >To: Koushik Das; cloudstack-dev@incubator.apache.org
> >> >Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >> >
> >> >Updated the FS with following changes:
> >> >
> >> >- Use case section updated, classified use cases that will be
> >> >supported for 4.2 and beyond. Also removed items like VSG and VXLAN
> >> >support to "Open items" section as not planning to do them as part
> >> >of "ASA integration".
> >> >- Updated the deployment model section and added HV limitation
> >> >(Vmware only feature)
> >> >- Also updated the API section with parameter details.
> >> >
> >> >Comments/feedback?
> >> >
> >> >Thanks,
> >> >Koushik
> >> >
> >> >> -----Original Message-----
> >> >> From: Koushik Das [mailto:koushik.das@citrix.com]
> >> >> Sent: Monday, February 11, 2013 7:08 PM
> >> >> To: cloudstack-dev@incubator.apache.org
> >> >> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >> >>
> >> >> Updated the FS with API, Db changes and current deployment
> >>limitations.
> >> >> Also updated the UI section as to what all needs to be added.
> >> >>
> >> >> Chiradeep,
> >> >> I looked at the option of spinning up templates from ovf template
> >> >>but didn't find a way (was looking for some samples) to pass custom
> >> >>parameters like vnmc  ip, password etc. while creating VM instance.
> >> >>So for now the ASA instance creation is a manual step similar to
> >> >>VNMC appliance. In case there is a way out, the auto-creation can
> >> >>be done as a future enhancement.
> >> >>
> >> >> Thanks,
> >> >> Koushik
> >> >>
> >> >> > -----Original Message-----
> >> >> > From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> >> >> > Sent: Friday, January 25, 2013 1:39 AM
> >> >> > To: CloudStack DeveloperList
> >> >> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >> >> >
> >> >> > Thanks for the FS updates.
> >> >> > Good progress.
> >> >> > I had forgotten about registering the ASA 1000v with VNMC - that
> >> >> > makes it harder to spin these appliances up/down. However we can
> >> >> > plan to login via the CLI just for this step.
> >> >> >
> >> >> > I believe it is better to use a pre-setup pool of ASA appliances.
> >> >> > Let's say we start with N appliances (created via an admin API
> >> >> > call to
> >> >> CloudStack).
> >> >> > createASA1000vPool(ovf template id, zone, vnmc ip, N, increment,
> >> >> > threshold) Then as the capacity reaches threshold%, the pool
> >> >> > capacity is incremented by increment% asynchronously.
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> >> >> > On 1/21/13 12:46 AM, "Koushik Das" <ko...@citrix.com>
> wrote:
> >> >> >
> >> >> > >Thanks Chiradeep for explaining the vnmc/asa integration stuff
> >> >> > >that you are working on and listing down all the use cases.
> >> >> > >
> >> >> > >Manan,
> >> >> > >CLOUDSTACK-742 is covered as part of Chiradeep's work (refer
> >> >> > >use cases
> >> >> > >#1 and #2 from the doc).
> >> >> > >
> >> >> > >-Koushik
> >> >> > >
> >> >> > >-----Original Message-----
> >> >> > >From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> >> >> > >Sent: Saturday, January 19, 2013 1:30 AM
> >> >> > >To: CloudStack DeveloperList
> >> >> > >Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into
> >> >> > >CloudStack
> >> >> > >
> >> >> > >Take a look here:
> >> >> > >https://cwiki.apache.org/confluence/display/CLOUDSTACK/Cisco+VNMC+integration
> >> >> > >
> >> >> > >
> >> >> > >This is something I had been prototyping without any real
> >>enthusiasm.
> >> >> > >
> >> >> > >There's 3 ways to control the ASA1000v:
> >> >> > >1. By logging in via the CLI. Strongly against this.
> >> >> > >2. By using VNMC
> >> >> > >3. Via Cisco's Network Services Manager (NSM)[1]
> >> >> > >
> >> >> > >The NSM is comprehensive, covers a large range of physical and
> >> >> > >virtual devices and has an easy northbound API. This would be
> >> >> > >my preferred solution.
> >> >> > >
> >> >> > >However as of now (NSM v5.0.2), the ASA1000v  is not supported.
> >> >> > >It may also be the case that using VNMC may be a cheaper
> >> >> > >(albeit less
> >> >> > >supported) option
> >> >> > >
> >> >> > >[1] http://www.cisco.com/en/US/products/ps11636/index.html
> >> >> > >
> >> >> > >On 1/17/13 9:26 PM, "Koushik Das" <ko...@citrix.com>
> wrote:
> >> >> > >
> >> >> > >>Manan,
> >> >> > >>Can you answer the questions that Chiradeep has raised?
> >> >> > >>
> >> >> > >>Chiradeep,
> >> >> > >>I saw that you have started working on asa/vnmc here
> >> >> > >>(https://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo?p=incubator-cloudstack.git;a=shortlog;h=refs/heads/cisco-vnmc-api-integration).
> >> >> > >>I would like to understand the functionalities that you are
> >> >> > >>planning to cover and what is the overlap between your work
> >> >> > >>and the feature that Manan has proposed (supporting asa1000v
> >> >> > >>as an
> >> >>external firewall).
> >> >> > >>
> >> >> > >>Thanks,
> >> >> > >>Koushik
> >> >> > >>
> >> >> > >>> -----Original Message-----
> >> >> > >>> From: Alex Huang [mailto:Alex.Huang@citrix.com]
> >> >> > >>> Sent: Sunday, January 06, 2013 2:18 AM
> >> >> > >>> To: cloudstack-dev@incubator.apache.org
> >> >> > >>> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into
> >> >> > >>> CloudStack
> >> >> > >>>
> >> >> > >>> Manan,
> >> >> > >>>
> >> >> > >>> Can you address the issues that Chiradeep has brought up?  I
> >> >> > >>>think for a  requirements discussion it is just as important
> >> >> > >>>to indicate what we will not do  or what is considered a
> >> >> > >>>feature of a later release.
> >> >> > >>>
> >> >> > >>> --Alex
> >> >> > >>>
> >> >> > >>> > -----Original Message-----
> >> >> > >>> > From: Chiradeep Vittal
> >> >> > >>> > [mailto:Chiradeep.Vittal@citrix.com]
> >> >> > >>> > Sent: Thursday, January 03, 2013 6:16 PM
> >> >> > >>> > To: CloudStack DeveloperList
> >> >> > >>> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into
> >> >> > >>> > CloudStack
> >> >> > >>> >
> >> >> > >>> > There cannot be feature parity since the ASA1000v is only
> >> >> > >>> > supported on VMWare.
> >> >> > >>> >
> >> >> > >>> > Should the ASA1000v be created on demand, or do we expect
> >> >> > >>> > the admin to provision a pool of virtual ASAs?
> >> >> > >>> >
> >> >> > >>> > Should we support VXLAN as the isolation technology or
> VLANs?
> >> >> > >>> >
> >> >> > >>> >
> >> >> > >>> > On 1/3/13 5:08 PM, "Manan Shah" <ma...@citrix.com>
> >> wrote:
> >> >> > >>> >
> >> >> > >>> > >Hi,
> >> >> > >>> > >
> >> >> > >>> > >I would like to propose a new feature for integrating
> >> >> > >>> > >Cisco ASA 1000v in CS 4.1. I have created a JIRA ticket
> >> >> > >>> > >and provided the requirements at the following location.
> >> >> > >>> > >Please provide feedback on the
> >> >> > >>>requirements.
> >> >> > >>> > >
> >> >> > >>> > >JIRA Ticket:
> >> >> > >>> > >https://issues.apache.org/jira/browse/CLOUDSTACK-742
> >> >> > >>> > >Requirements:
> >> >> > >>> > >https://cwiki.apache.org/confluence/display/CLOUDSTACK/Integrate+Cisco+ASA+1000v+as+a+FW+for+CloudStack
> >> >> > >>> > >
> >> >> > >>> > >Additional details would be provided in the FS.
> >> >> > >>> > >
> >> >> > >>> > >Regards,
> >> >> > >>> > >Manan Shah
> >> >> > >>> > >
> >> >> > >>
> >> >> > >
> >> >
> >


Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack

Posted by Manan Shah <ma...@citrix.com>.
Hi Koushik,

Can you please confirm if the LB functionality (via VR or VPX) would be
supported in 4.2 or not?

Regards,
Manan Shah




On 3/19/13 5:00 AM, "Koushik Das" <ko...@citrix.com> wrote:

>Inline
>
>> 
>> On 18/03/13 7:37 PM, "Sailaja Mada" <sa...@citrix.com> wrote:
>> 
>> >+
>> >
>> >7) During Guest Network shutdown, Do we release the ASA association
>> >with Guest Network and Even change guest_port_profile configuration as
>> >Cloudstack releases VLAN and Network will go to allocated state?
>> >
>
>Yes. Necessary stuff should get cleaned up
>
>> >8) When the Guest Network is updated from ASA firewall  offering to VR
>> >Offering ,  Please share the sequence of configuration steps called out
>> >@ ASA/VNMC?
>> >
>
>Not sure I understand the scenario completely. Can you elaborate on the
>use case that this is going to provide?
>
>> >Thanks,
>> >Sailaja.M
>> >
>> >-----Original Message-----
>> >From: Sailaja Mada [mailto:sailaja.mada@citrix.com]
>> >Sent: Monday, March 18, 2013 5:32 PM
>> >To: cloudstack-dev@incubator.apache.org; Koushik Das
>> >Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
>> >
>> >Hi,
>> >
>> >1) Section: CiscoVNMCElement::implement() :
>> >
>> >1A) vservice_node  is configured with fail-mode close .  This is to
>> >drop the packets if there is no connectivity to VEM , It means ESXi
>> >host is not reachable. I see that we are going to configure with fail
>> >mode as close
>> >
>> >Is there any use case where packets will get forwarded with fail-mode
>> >open ?
>> >
>
>If required this can be moved to a configuration later on. For now
>'close' should be good.
>
>> >1B) vservice_node   configuration has ip address 10.1.1.1 .  Can you
>> >please share from where this IP address is picked up when the
>> >configuration is done thru cloudstack?
>> >
>
>ASA acts as the default gateway and this is the gateway IP.
>
>> >2) When the guest network is deleted/Account it deleted, Will you be
>> >deleting the vethernet asa in_port_profile defined @ VSM while
>> >releasing the VLAN .
>> >
>
>Yes
>
>> >3) Can you please update  FS with Edge security profile details that
>> >will get configured @ ASA when firewall rules are configured from Cloudstack.
>> >
>
>ESP is configured in VNMC. There will be rules created under NAT,
>Egress/Ingress ACLs
>
>> >4) When Guest Network is restarted what are the sequence of operations
>> >will happen when it  has ASA firewall ?
>> >
>
>ASA firewall will get implemented as a network element that participates
>in the orchestration. Let me know what specific sequence are you
>referring to?
>
>> >5) Is there  any change with API's that are used to configure Firewall
>> >rules?
>> >
>
>No
>
>> >6) Use Cases / Flow  -  I see that LB as Netscaler with isolated
>> >Network is not available.  Are we supporting only VR?
>> >
>
>Not in 4.2. It's mentioned in FS.
>
>> >Please clarify.
>> >
>> >Thanks,
>> >Sailaja.M
>> >
>> >-----Original Message-----
>> >From: Koushik Das [mailto:koushik.das@citrix.com]
>> >Sent: Monday, March 11, 2013 6:41 PM
>> >To: Koushik Das; cloudstack-dev@incubator.apache.org
>> >Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
>> >
>> >Updated the FS with following changes:
>> >
>> >- Use case section updated, classified use cases that will be supported
>> >for 4.2 and beyond. Also removed items like VSG and VXLAN support to
>> >"Open items" section as not planning to do them as part of "ASA
>> >integration".
>> >- Updated the deployment model section and added HV limitation (Vmware
>> >only feature)
>> >- Also updated the API section with parameter details.
>> >
>> >Comments/feedback?
>> >
>> >Thanks,
>> >Koushik
>> >
>> >> -----Original Message-----
>> >> From: Koushik Das [mailto:koushik.das@citrix.com]
>> >> Sent: Monday, February 11, 2013 7:08 PM
>> >> To: cloudstack-dev@incubator.apache.org
>> >> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
>> >>
>> >> Updated the FS with API, Db changes and current deployment limitations.
>> >> Also updated the UI section as to what all needs to be added.
>> >>
>> >> Chiradeep,
>> >> I looked at the option of spinning up templates from ovf template but
>> >>didn't find a way (was looking for some samples) to pass custom
>> >>parameters like vnmc  ip, password etc. while creating VM instance. So
>> >>for now the ASA instance creation is a manual step similar to VNMC
>> >>appliance. In case there is a way out, the auto-creation can be done
>> >>as a future enhancement.
>> >>
>> >> Thanks,
>> >> Koushik
>> >>
>> >> > -----Original Message-----
>> >> > From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
>> >> > Sent: Friday, January 25, 2013 1:39 AM
>> >> > To: CloudStack DeveloperList
>> >> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
>> >> >
>> >> > Thanks for the FS updates.
>> >> > Good progress.
>> >> > I had forgotten about registering the ASA 1000v with VNMC < that
>> >> > makes it harder to spin these appliances up/down. However we can
>> >> > plan to login via the CLI just for this step.
>> >> >
>> >> > I believe it is better to use a pre-setup pool of ASA appliances.
>> >> > Let's say we start with N appliances (created via an admin API call
>> >> > to CloudStack).
>> >> > createASA1000vPool(ovf template id, zone, vnmc ip, N, increment,
>> >> > threshold) Then as the capacity reaches threshold%, the pool
>> >> > capacity is incremented by increment% asynchronously.
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > On 1/21/13 12:46 AM, "Koushik Das" <ko...@citrix.com> wrote:
>> >> >
>> >> > >Thanks Chiradeep for explaining the vnmc/asa integration stuff
>> >> > >that you are working on and listing down all the use cases.
>> >> > >
>> >> > >Manan,
>> >> > >CLOUDSTACK-742 is covered as part of Chiradeep's work (refer use
>> >> > >cases
>> >> > >#1 and #2 from the doc).
>> >> > >
>> >> > >-Koushik
>> >> > >
>> >> > >-----Original Message-----
>> >> > >From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
>> >> > >Sent: Saturday, January 19, 2013 1:30 AM
>> >> > >To: CloudStack DeveloperList
>> >> > >Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
>> >> > >
>> >> > >Take a look here:
>> >> > >https://cwiki.apache.org/confluence/display/CLOUDSTACK/Cisco+VNMC+integration
>> >> > >
>> >> > >
>> >> > >This is something I had been prototyping without any real enthusiasm.
>> >> > >
>> >> > >There's 3 ways to control the ASA1000v:
>> >> > >1. By logging in via the CLI. Strongly against this.
>> >> > >2. By using VNMC
>> >> > >3. Via Cisco's Network Services Manager (NSM)[1]
>> >> > >
>> >> > >The NSM is comprehensive, covers a large range of physical and
>> >> > >virtual devices and has an easy northbound API. This would be my
>> >> > >preferred solution.
>> >> > >
>> >> > >However as of now (NSM v5.0.2), the ASA1000v  is not supported.
>> >> > >It may also be the case that using VNMC may be a cheaper (albeit
>> >> > >less
>> >> > >supported) option
>> >> > >
>> >> > >[1] http://www.cisco.com/en/US/products/ps11636/index.html
>> >> > >
>> >> > >On 1/17/13 9:26 PM, "Koushik Das" <ko...@citrix.com> wrote:
>> >> > >
>> >> > >>Manan,
>> >> > >>Can you answer the questions that Chiradeep has raised?
>> >> > >>
>> >> > >>Chiradeep,
>> >> > >>I saw that you have started working on asa/vnmc here
>> >> > >>(https://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo?p=incubator-cloudstack.git;a=shortlog;h=refs/heads/cisco-vnmc-api-integration).
>> >> > >>I would like to understand the functionalities that you are
>> >> > >>planning to cover and what is the overlap between your work and
>> >> > >>the feature that Manan has proposed (supporting asa1000v as an external firewall).
>> >> > >>
>> >> > >>Thanks,
>> >> > >>Koushik
>> >> > >>
>> >> > >>> -----Original Message-----
>> >> > >>> From: Alex Huang [mailto:Alex.Huang@citrix.com]
>> >> > >>> Sent: Sunday, January 06, 2013 2:18 AM
>> >> > >>> To: cloudstack-dev@incubator.apache.org
>> >> > >>> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into
>> >> > >>> CloudStack
>> >> > >>>
>> >> > >>> Manan,
>> >> > >>>
>> >> > >>> Can you address the issues that Chiradeep has brought up?  I
>> >> > >>>think for a  requirements discussion it is just as important to
>> >> > >>>indicate what we will not do  or what is considered a feature of
>> >> > >>>a later release.
>> >> > >>>
>> >> > >>> --Alex
>> >> > >>>
>> >> > >>> > -----Original Message-----
>> >> > >>> > From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
>> >> > >>> > Sent: Thursday, January 03, 2013 6:16 PM
>> >> > >>> > To: CloudStack DeveloperList
>> >> > >>> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into
>> >> > >>> > CloudStack
>> >> > >>> >
>> >> > >>> > There cannot be feature parity since the ASA1000v is only
>> >> > >>> > supported on VMWare.
>> >> > >>> >
>> >> > >>> > Should the ASA1000v be created on demand, or do we expect the
>> >> > >>> > admin to provision a pool of virtual ASAs?
>> >> > >>> >
>> >> > >>> > Should we support VXLAN as the isolation technology or VLANs?
>> >> > >>> >
>> >> > >>> >
>> >> > >>> > On 1/3/13 5:08 PM, "Manan Shah" <ma...@citrix.com> wrote:
>> >> > >>> >
>> >> > >>> > >Hi,
>> >> > >>> > >
>> >> > >>> > >I would like to propose a new feature for integrating Cisco
>> >> > >>> > >ASA 1000v in CS 4.1. I have created a JIRA ticket and
>> >> > >>> > >provided the requirements at the following location.  Please
>> >> > >>> > >provide feedback on the requirements.
>> >> > >>> > >
>> >> > >>> > >JIRA Ticket:
>> >> > >>> > >https://issues.apache.org/jira/browse/CLOUDSTACK-742
>> >> > >>> > >Requirements:
>> >> > >>> > >https://cwiki.apache.org/confluence/display/CLOUDSTACK/Integrate+Cisco+ASA+1000v+as+a+FW+for+CloudStack
>> >> > >>> > >
>> >> > >>> > >Additional details would be provided in the FS.
>> >> > >>> > >
>> >> > >>> > >Regards,
>> >> > >>> > >Manan Shah
>> >> > >>> > >
>> >> > >>
>> >> > >
>> >
>


RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack

Posted by Koushik Das <ko...@citrix.com>.
Inline

> 
> On 18/03/13 7:37 PM, "Sailaja Mada" <sa...@citrix.com> wrote:
> 
> >+
> >
> >7) During Guest Network shutdown, Do we release the ASA association
> >with Guest Network and Even change guest_port_profile configuration as
> >Cloudstack releases VLAN and Network will go to allocated state?
> >

Yes. Necessary stuff should get cleaned up.

> >8) When the Guest Network is updated from ASA firewall  offering to VR
> >Offering ,  Please share the sequence of configuration steps called out
> >@ ASA/VNMC?
> >

Not sure I understand the scenario completely. Can you elaborate on the use case that this is going to provide?

> >Thanks,
> >Sailaja.M
> >
> >-----Original Message-----
> >From: Sailaja Mada [mailto:sailaja.mada@citrix.com]
> >Sent: Monday, March 18, 2013 5:32 PM
> >To: cloudstack-dev@incubator.apache.org; Koushik Das
> >Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >
> >Hi,
> >
> >1) Section: CiscoVNMCElement::implement() :
> >
> >1A) vservice_node  is configured with fail-mode close .  This is to
> >drop the packets if there is no connectivity to VEM , It means ESXi
> >host is not reachable. I see that we are going to configure with fail
> >mode as close
> >
> >Is there any use case where packets will get forwarded with fail-mode
> >open ?
> >

If required this can be moved to a configuration later on. For now 'close' should be good.

> >1B) vservice_node   configuration has ip address 10.1.1.1 .  Can you
> >please share from where this IP address is picked up when the
> >configuration is done thru cloudstack?
> >

ASA acts as the default gateway and this is the gateway IP.

> >2) When the guest network is deleted/Account it deleted, Will you be
> >deleting the vethernet asa in_port_profile defined @ VSM while
> >releasing the VLAN .
> >

Yes

> >3) Can you please update  FS with Edge security profile details that
> >will get configured @ ASA when firewall rules are configured from Cloudstack.
> >

ESP is configured in VNMC. There will be rules created under NAT, Egress/Ingress ACLs.

> >4) When Guest Network is restarted what are the sequence of operations
> >will happen when it  has ASA firewall ?
> >

ASA firewall will get implemented as a network element that participates in the orchestration. Let me know what specific sequence you are referring to.

> >5) Is there  any change with API's that are used to configure Firewall
> >rules?
> >

No

> >6) Use Cases / Flow  -  I see that LB as Netscaler with isolated
> >Network is not available.  Are we supporting only VR?
> >

Not in 4.2. It's mentioned in FS.

> >Please clarify.
> >
> >Thanks,
> >Sailaja.M
> >
> >-----Original Message-----
> >From: Koushik Das [mailto:koushik.das@citrix.com]
> >Sent: Monday, March 11, 2013 6:41 PM
> >To: Koushik Das; cloudstack-dev@incubator.apache.org
> >Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >
> >Updated the FS with following changes:
> >
> >- Use case section updated, classified use cases that will be supported
> >for 4.2 and beyond. Also removed items like VSG and VXLAN support to
> >"Open items" section as not planning to do them as part of "ASA
> >integration".
> >- Updated the deployment model section and added HV limitation (Vmware
> >only feature)
> >- Also updated the API section with parameter details.
> >
> >Comments/feedback?
> >
> >Thanks,
> >Koushik
> >
> >> -----Original Message-----
> >> From: Koushik Das [mailto:koushik.das@citrix.com]
> >> Sent: Monday, February 11, 2013 7:08 PM
> >> To: cloudstack-dev@incubator.apache.org
> >> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >>
> >> Updated the FS with API, Db changes and current deployment limitations.
> >> Also updated the UI section as to what all needs to be added.
> >>
> >> Chiradeep,
> >> I looked at the option of spinning up templates from ovf template but
> >>didn't find a way (was looking for some samples) to pass custom
> >>parameters like vnmc  ip, password etc. while creating VM instance. So
> >>for now the ASA instance creation is a manual step similar to VNMC
> >>appliance. In case there is a way out, the auto-creation can be done
> >>as a future enhancement.
> >>
> >> Thanks,
> >> Koushik
> >>
> >> > -----Original Message-----
> >> > From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> >> > Sent: Friday, January 25, 2013 1:39 AM
> >> > To: CloudStack DeveloperList
> >> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >> >
> >> > Thanks for the FS updates.
> >> > Good progress.
> >> > I had forgotten about registering the ASA 1000v with VNMC < that
> >> > makes it harder to spin these appliances up/down. However we can
> >> > plan to login via the CLI just for this step.
> >> >
> >> > I believe it is better to use a pre-setup pool of ASA appliances.
> >> > Let's say we start with N appliances (created via an admin API call
> >> > to CloudStack).
> >> > createASA1000vPool(ovf template id, zone, vnmc ip, N, increment,
> >> > threshold) Then as the capacity reaches threshold%, the pool
> >> > capacity is incremented by increment% asynchronously.
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > On 1/21/13 12:46 AM, "Koushik Das" <ko...@citrix.com> wrote:
> >> >
> >> > >Thanks Chiradeep for explaining the vnmc/asa integration stuff
> >> > >that you are working on and listing down all the use cases.
> >> > >
> >> > >Manan,
> >> > >CLOUDSTACK-742 is covered as part of Chiradeep's work (refer use
> >> > >cases
> >> > >#1 and #2 from the doc).
> >> > >
> >> > >-Koushik
> >> > >
> >> > >-----Original Message-----
> >> > >From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> >> > >Sent: Saturday, January 19, 2013 1:30 AM
> >> > >To: CloudStack DeveloperList
> >> > >Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >> > >
> >> > >Take a look here:
> >> > >https://cwiki.apache.org/confluence/display/CLOUDSTACK/Cisco+VNMC+integration
> >> > >
> >> > >
> >> > >This is something I had been prototyping without any real enthusiasm.
> >> > >
> >> > >There's 3 ways to control the ASA1000v:
> >> > >1. By logging in via the CLI. Strongly against this.
> >> > >2. By using VNMC
> >> > >3. Via Cisco's Network Services Manager (NSM)[1]
> >> > >
> >> > >The NSM is comprehensive, covers a large range of physical and
> >> > >virtual devices and has an easy northbound API. This would be my
> >> > >preferred solution.
> >> > >
> >> > >However as of now (NSM v5.0.2), the ASA1000v  is not supported.
> >> > >It may also be the case that using VNMC may be a cheaper (albeit
> >> > >less
> >> > >supported) option
> >> > >
> >> > >[1] http://www.cisco.com/en/US/products/ps11636/index.html
> >> > >
> >> > >On 1/17/13 9:26 PM, "Koushik Das" <ko...@citrix.com> wrote:
> >> > >
> >> > >>Manan,
> >> > >>Can you answer the questions that Chiradeep has raised?
> >> > >>
> >> > >>Chiradeep,
> >> > >>I saw that you have started working on asa/vnmc here
> >> > >>(https://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo?p=incubator-cloudstack.git;a=shortlog;h=refs/heads/cisco-vnmc-api-integration).
> >> > >>I would like to understand the functionalities that you are
> >> > >>planning to cover and what is the overlap between your work and
> >> > >>the feature that Manan has proposed (supporting asa1000v as an external firewall).
> >> > >>
> >> > >>Thanks,
> >> > >>Koushik
> >> > >>
> >> > >>> -----Original Message-----
> >> > >>> From: Alex Huang [mailto:Alex.Huang@citrix.com]
> >> > >>> Sent: Sunday, January 06, 2013 2:18 AM
> >> > >>> To: cloudstack-dev@incubator.apache.org
> >> > >>> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into
> >> > >>> CloudStack
> >> > >>>
> >> > >>> Manan,
> >> > >>>
> >> > >>> Can you address the issues that Chiradeep has brought up?  I
> >> > >>>think for a  requirements discussion it is just as important to
> >> > >>>indicate what we will not do  or what is considered a feature of
> >> > >>>a later release.
> >> > >>>
> >> > >>> --Alex
> >> > >>>
> >> > >>> > -----Original Message-----
> >> > >>> > From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> >> > >>> > Sent: Thursday, January 03, 2013 6:16 PM
> >> > >>> > To: CloudStack DeveloperList
> >> > >>> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into
> >> > >>> > CloudStack
> >> > >>> >
> >> > >>> > There cannot be feature parity since the ASA1000v is only
> >> > >>> > supported on VMWare.
> >> > >>> >
> >> > >>> > Should the ASA1000v be created on demand, or do we expect the
> >> > >>> > admin to provision a pool of virtual ASAs?
> >> > >>> >
> >> > >>> > Should we support VXLAN as the isolation technology or VLANs?
> >> > >>> >
> >> > >>> >
> >> > >>> > On 1/3/13 5:08 PM, "Manan Shah" <ma...@citrix.com> wrote:
> >> > >>> >
> >> > >>> > >Hi,
> >> > >>> > >
> >> > >>> > >I would like to propose a new feature for integrating Cisco
> >> > >>> > >ASA 1000v in CS 4.1. I have created a JIRA ticket and
> >> > >>> > >provided the requirements at the following location.  Please
> >> > >>> > >provide feedback on the requirements.
> >> > >>> > >
> >> > >>> > >JIRA Ticket:
> >> > >>> > >https://issues.apache.org/jira/browse/CLOUDSTACK-742
> >> > >>> > >Requirements:
> >> > >>> > >https://cwiki.apache.org/confluence/display/CLOUDSTACK/Integrate+Cisco+ASA+1000v+as+a+FW+for+CloudStack
> >> > >>> > >
> >> > >>> > >Additional details would be provided in the FS.
> >> > >>> > >
> >> > >>> > >Regards,
> >> > >>> > >Manan Shah
> >> > >>> > >
> >> > >>
> >> > >
> >


RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack

Posted by Sailaja Mada <sa...@citrix.com>.
+

7) During Guest Network shutdown, do we release the ASA association with Guest Network and even change guest_port_profile configuration as CloudStack releases VLAN and Network will go to allocated state?

8) When the Guest Network is updated from ASA firewall offering to VR offering, please share the sequence of configuration steps called out @ ASA/VNMC?

Thanks,
Sailaja.M

-----Original Message-----
From: Sailaja Mada [mailto:sailaja.mada@citrix.com] 
Sent: Monday, March 18, 2013 5:32 PM
To: cloudstack-dev@incubator.apache.org; Koushik Das
Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack

Hi,

1) Section: CiscoVNMCElement::implement() :

1A) vservice_node is configured with fail-mode close. This is to drop the packets if there is no connectivity to VEM; it means ESXi host is not reachable. I see that we are going to configure with fail mode as close.

Is there any use case where packets will get forwarded with fail-mode open?

1B) vservice_node configuration has IP address 10.1.1.1. Can you please share from where this IP address is picked up when the configuration is done through CloudStack?

2) When the guest network is deleted/Account is deleted, will you be deleting the vethernet asa in_port_profile defined @ VSM while releasing the VLAN?

3) Can you please update FS with Edge security profile details that will get configured @ ASA when firewall rules are configured from CloudStack?

4) When Guest Network is restarted, what sequence of operations will happen when it has ASA firewall?

5) Is there any change with APIs that are used to configure Firewall rules?

6) Use Cases / Flow - I see that LB as Netscaler with isolated Network is not available. Are we supporting only VR?

Please clarify.

Thanks,
Sailaja.M

-----Original Message-----
From: Koushik Das [mailto:koushik.das@citrix.com]
Sent: Monday, March 11, 2013 6:41 PM
To: Koushik Das; cloudstack-dev@incubator.apache.org
Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack

Updated the FS with following changes:

- Use case section updated, classified use cases that will be supported for 4.2 and beyond. Also removed items like VSG and VXLAN support to "Open items" section as not planning to do them as part of "ASA integration".
- Updated the deployment model section and added HV limitation (Vmware only feature)
- Also updated the API section with parameter details.

Comments/feedback?

Thanks,
Koushik

> -----Original Message-----
> From: Koushik Das [mailto:koushik.das@citrix.com]
> Sent: Monday, February 11, 2013 7:08 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> 
> Updated the FS with API, Db changes and current deployment limitations.
> Also updated the UI section as to what all needs to be added.
> 
> Chiradeep,
> I looked at the option of spinning up templates from ovf template but 
> didn't find a way (was looking for some samples) to pass custom 
> parameters like vnmc  ip, password etc. while creating VM instance. So 
> for now the ASA instance creation is a manual step similar to VNMC 
> appliance. In case there is a way out, the auto-creation can be done as a future enhancement.
> 
> Thanks,
> Koushik
> 
> > -----Original Message-----
> > From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> > Sent: Friday, January 25, 2013 1:39 AM
> > To: CloudStack DeveloperList
> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >
> > Thanks for the FS updates.
> > Good progress.
> > I had forgotten about registering the ASA 1000v with VNMC < that 
> > makes it harder to spin these appliances up/down. However we can 
> > plan to login via the CLI just for this step.
> >
> > I believe it is better to use a pre-setup pool of ASA appliances.
> > Let's say we start with N appliances (created via an admin API call 
> > to CloudStack).
> > createASA1000vPool(ovf template id, zone, vnmc ip, N, increment,
> > threshold) Then as the capacity reaches threshold%, the pool 
> > capacity is incremented by increment% asynchronously.
> >
> >
> >
> >
> >
> > On 1/21/13 12:46 AM, "Koushik Das" <ko...@citrix.com> wrote:
> >
> > >Thanks Chiradeep for explaining the vnmc/asa integration stuff that 
> > >you are working on and listing down all the use cases.
> > >
> > >Manan,
> > >CLOUDSTACK-742 is covered as part of Chiradeep's work (refer use 
> > >cases
> > >#1 and #2 from the doc).
> > >
> > >-Koushik
> > >
> > >-----Original Message-----
> > >From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> > >Sent: Saturday, January 19, 2013 1:30 AM
> > >To: CloudStack DeveloperList
> > >Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> > >
> > >Take a look here:
> > >https://cwiki.apache.org/confluence/display/CLOUDSTACK/Cisco+VNMC+integration
> > >
> > >
> > >This is something I had been prototyping without any real enthusiasm.
> > >
> > >There's 3 ways to control the ASA1000v:
> > >1. By logging in via the CLI. Strongly against this.
> > >2. By using VNMC
> > >3. Via Cisco's Network Services Manager (NSM)[1]
> > >
> > >The NSM is comprehensive, covers a large range of physical and 
> > >virtual devices and has an easy northbound API. This would be my 
> > >preferred solution.
> > >
> > >However as of now (NSM v5.0.2), the ASA1000v  is not supported.
> > >It may also be the case that using VNMC may be a cheaper (albeit 
> > >less
> > >supported) option
> > >
> > >[1] http://www.cisco.com/en/US/products/ps11636/index.html
> > >
> > >On 1/17/13 9:26 PM, "Koushik Das" <ko...@citrix.com> wrote:
> > >
> > >>Manan,
> > >>Can you answer the questions that Chiradeep has raised?
> > >>
> > >>Chiradeep,
> > >>I saw that you have started working on asa/vnmc here 
> > >>(https://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo?p=incubator-cloudstack.git;a=shortlog;h=refs/heads/cisco-vnmc-api-integration).
> > >>I would like to understand the functionalities that you are 
> > >>planning to cover and what is the overlap between your work and 
> > >>the feature that Manan has proposed (supporting asa1000v as an external firewall).
> > >>
> > >>Thanks,
> > >>Koushik
> > >>
> > >>> -----Original Message-----
> > >>> From: Alex Huang [mailto:Alex.Huang@citrix.com]
> > >>> Sent: Sunday, January 06, 2013 2:18 AM
> > >>> To: cloudstack-dev@incubator.apache.org
> > >>> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> > >>>
> > >>> Manan,
> > >>>
> > >>> Can you address the issues that Chiradeep has brought up?  I 
> > >>>think for a  requirements discussion it is just as important to 
> > >>>indicate what we will not do  or what is considered a feature of 
> > >>>a later release.
> > >>>
> > >>> --Alex
> > >>>
> > >>> > -----Original Message-----
> > >>> > From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> > >>> > Sent: Thursday, January 03, 2013 6:16 PM
> > >>> > To: CloudStack DeveloperList
> > >>> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into 
> > >>> > CloudStack
> > >>> >
> > >>> > There cannot be feature parity since the ASA1000v is only 
> > >>> > supported on VMWare.
> > >>> >
> > >>> > Should the ASA1000v be created on demand, or do we expect the 
> > >>> > admin to provision a pool of virtual ASAs?
> > >>> >
> > >>> > Should we support VXLAN as the isolation technology or VLANs?
> > >>> >
> > >>> >
> > >>> > On 1/3/13 5:08 PM, "Manan Shah" <ma...@citrix.com> wrote:
> > >>> >
> > >>> > >Hi,
> > >>> > >
> > >>> > >I would like to propose a new feature for integrating Cisco 
> > >>> > >ASA 1000v in CS 4.1. I have created a JIRA ticket and 
> > >>> > >provided the requirements at the following location.  Please 
> > >>> > >provide feedback on the requirements.
> > >>> > >
> > >>> > >JIRA Ticket:
> > >>> > >https://issues.apache.org/jira/browse/CLOUDSTACK-742
> > >>> > >Requirements:
> > >>> > >https://cwiki.apache.org/confluence/display/CLOUDSTACK/Integrate+Cisco+ASA+1000v+as+a+FW+for+CloudStack
> > >>> > >
> > >>> > >Additional details would be provided in the FS.
> > >>> > >
> > >>> > >Regards,
> > >>> > >Manan Shah
> > >>> > >
> > >>
> > >


RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack

Posted by Sailaja Mada <sa...@citrix.com>.
Hi,

1) Section: CiscoVNMCElement::implement() :

1A) vservice_node is configured with fail-mode close. This is to drop the packets if there is no connectivity to VEM; it means ESXi host is not reachable. I see that we are going to configure with fail mode as close.

Is there any use case where packets will get forwarded with fail-mode open?

1B) vservice_node configuration has IP address 10.1.1.1. Can you please share from where this IP address is picked up when the configuration is done through CloudStack?

2) When the guest network is deleted/Account is deleted, will you be deleting the vethernet asa in_port_profile defined @ VSM while releasing the VLAN?

3) Can you please update FS with Edge security profile details that will get configured @ ASA when firewall rules are configured from CloudStack?

4) When Guest Network is restarted, what sequence of operations will happen when it has ASA firewall?

5) Is there any change with APIs that are used to configure Firewall rules?

6) Use Cases / Flow - I see that LB as Netscaler with isolated Network is not available. Are we supporting only VR?

Please clarify.

Thanks,
Sailaja.M

-----Original Message-----
From: Koushik Das [mailto:koushik.das@citrix.com] 
Sent: Monday, March 11, 2013 6:41 PM
To: Koushik Das; cloudstack-dev@incubator.apache.org
Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack

Updated the FS with following changes:

- Use case section updated, classified use cases that will be supported for 4.2 and beyond. Also removed items like VSG and VXLAN support to "Open items" section as not planning to do them as part of "ASA integration".
- Updated the deployment model section and added HV limitation (Vmware only feature)
- Also updated the API section with parameter details.

Comments/feedback?

Thanks,
Koushik

> -----Original Message-----
> From: Koushik Das [mailto:koushik.das@citrix.com]
> Sent: Monday, February 11, 2013 7:08 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> 
> Updated the FS with API, Db changes and current deployment limitations.
> Also updated the UI section as to what all needs to be added.
> 
> Chiradeep,
> I looked at the option of spinning up templates from ovf template but 
> didn't find a way (was looking for some samples) to pass custom 
> parameters like vnmc  ip, password etc. while creating VM instance. So 
> for now the ASA instance creation is a manual step similar to VNMC 
> appliance. In case there is a way out, the auto-creation can be done as a future enhancement.
> 
> Thanks,
> Koushik
> 
> > -----Original Message-----
> > From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> > Sent: Friday, January 25, 2013 1:39 AM
> > To: CloudStack DeveloperList
> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >
> > Thanks for the FS updates.
> > Good progress.
> > I had forgotten about registering the ASA 1000v with VNMC - that
> > makes it harder to spin these appliances up/down. However we can
> > plan to login via the CLI just for this step.
> >
> > I believe it is better to use a pre-setup pool of ASA appliances.
> > Let's say we start with N appliances (created via an admin API call
> > to CloudStack).
> > createASA1000vPool(ovf template id, zone, vnmc ip, N, increment, threshold)
> > Then as the capacity reaches threshold%, the pool capacity is
> > incremented by increment% asynchronously.
> >
> >
> >
> >
> >
> > On 1/21/13 12:46 AM, "Koushik Das" <ko...@citrix.com> wrote:
> >
> > >Thanks Chiradeep for explaining the vnmc/asa integration stuff that 
> > >you are working on and listing down all the use cases.
> > >
> > >Manan,
> > >CLOUDSTACK-742 is covered as part of Chiradeep's work (refer use cases
> > >#1 and #2 from the doc).
> > >
> > >-Koushik
> > >
> > >-----Original Message-----
> > >From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> > >Sent: Saturday, January 19, 2013 1:30 AM
> > >To: CloudStack DeveloperList
> > >Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> > >
> > >Take a look here:
> > >https://cwiki.apache.org/confluence/display/CLOUDSTACK/Cisco+VNMC+integration
> > >
> > >
> > >This is something I had been prototyping without any real enthusiasm.
> > >
> > >There's 3 ways to control the ASA1000v:
> > >1. By logging in via the CLI. Strongly against this.
> > >2. By using VNMC
> > >3. Via Cisco's Network Services Manager (NSM)[1]
> > >
> > >The NSM is comprehensive, covers a large range of physical and 
> > >virtual devices and has an easy northbound API. This would be my 
> > >preferred solution.
> > >
> > >However as of now (NSM v5.0.2), the ASA1000v is not supported.
> > >It may also be the case that using VNMC may be a cheaper (albeit
> > >less supported) option
> > >
> > >[1] http://www.cisco.com/en/US/products/ps11636/index.html
> > >
> > >On 1/17/13 9:26 PM, "Koushik Das" <ko...@citrix.com> wrote:
> > >
> > >>Manan,
> > >>Can you answer the questions that Chiradeep has raised?
> > >>
> > >>Chiradeep,
> > >>I saw that you have started working on asa/vnmc here
> > >>(https://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo?p=incubator-cloudstack.git;a=shortlog;h=refs/heads/cisco-vnmc-api-integration).
> > >>I would like to understand the functionalities that you are 
> > >>planning to cover and what is the overlap between your work and 
> > >>the feature that Manan has proposed (supporting asa1000v as an external firewall).
> > >>
> > >>Thanks,
> > >>Koushik
> > >>
> > >>> -----Original Message-----
> > >>> From: Alex Huang [mailto:Alex.Huang@citrix.com]
> > >>> Sent: Sunday, January 06, 2013 2:18 AM
> > >>> To: cloudstack-dev@incubator.apache.org
> > >>> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> > >>>
> > >>> Manan,
> > >>>
> > >>> Can you address the issues that Chiradeep has brought up?  I
> > >>> think for a requirements discussion it is just as important to
> > >>> indicate what we will not do or what is considered a feature of
> > >>> a later release.
> > >>>
> > >>> --Alex
> > >>>
> > >>> > -----Original Message-----
> > >>> > From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> > >>> > Sent: Thursday, January 03, 2013 6:16 PM
> > >>> > To: CloudStack DeveloperList
> > >>> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> > >>> >
> > >>> > There cannot be feature parity since the ASA1000v is only
> > >>> > supported on VMware.
> > >>> >
> > >>> > Should the ASA1000v be created on demand, or do we expect the 
> > >>> > admin to provision a pool of virtual ASAs?
> > >>> >
> > >>> > Should we support VXLAN as the isolation technology or VLANs?
> > >>> >
> > >>> >
> > >>> > On 1/3/13 5:08 PM, "Manan Shah" <ma...@citrix.com> wrote:
> > >>> >
> > >>> > >Hi,
> > >>> > >
> > >>> > >I would like to propose a new feature for integrating Cisco 
> > >>> > >ASA 1000v in CS 4.1. I have created a JIRA ticket and 
> > >>> > >provided the requirements at the following location.  Please 
> > >>> > >provide feedback on the requirements.
> > >>> > >
> > >>> > >JIRA Ticket:
> > >>> > >https://issues.apache.org/jira/browse/CLOUDSTACK-742
> > >>> > >Requirements:
> > >>> > >https://cwiki.apache.org/confluence/display/CLOUDSTACK/Integrate+Cisco+ASA+1000v+as+a+FW+for+CloudStack
> > >>> > >
> > >>> > >Additional details would be provided in the FS.
> > >>> > >
> > >>> > >Regards,
> > >>> > >Manan Shah
> > >>> > >
> > >>
> > >


Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack

Posted by Chiradeep Vittal <Ch...@citrix.com>.
 - It might be better to support VPC instead of "isolated". Even if it
means that some features are not supported initially. I feel that
"isolated" is a special case of "VPC", except for the firewall function.
 - What about support for systemvm / NS as an LB appliance?
 - Although the ASA DHCP server cannot be programmed, it might be
desirable in enterprise use cases (where they may not care about
userdata/metadata) to support the ASA DHCP server as a DHCP provider. In
this case we have to figure out how to update the NIC information in
CloudStack DB after the VM has acquired its IP.


On 3/11/13 6:11 AM, "Koushik Das" <ko...@citrix.com> wrote:

>Updated the FS with following changes:
>
>- Use case section updated, classified use cases that will be supported
>for 4.2 and beyond. Also removed items like VSG and VXLAN support to
>"Open items" section as not planning to do them as part of "ASA
>integration".
>- Updated the deployment model section and added HV limitation (VMware
>only feature)
>- Also updated the API section with parameter details.
>
>Comments/feedback?
>
>Thanks,
>Koushik


RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack

Posted by Koushik Das <ko...@citrix.com>.
Updated the FS with following changes:

- Use case section updated, classified use cases that will be supported for 4.2 and beyond. Also removed items like VSG and VXLAN support to "Open items" section as not planning to do them as part of "ASA integration".
- Updated the deployment model section and added HV limitation (VMware only feature)
- Also updated the API section with parameter details.

Comments/feedback?

Thanks,
Koushik

> -----Original Message-----
> From: Koushik Das [mailto:koushik.das@citrix.com]
> Sent: Monday, February 11, 2013 7:08 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> 
> Updated the FS with API, Db changes and current deployment limitations.
> Also updated the UI section as to what all needs to be added.
> 
> Chiradeep,
> I looked at the option of spinning up templates from ovf template but didn't
> find a way (was looking for some samples) to pass custom parameters like
> vnmc  ip, password etc. while creating VM instance. So for now the ASA
> instance creation is a manual step similar to VNMC appliance. In case there is
> a way out, the auto-creation can be done as a future enhancement.
> 
> Thanks,
> Koushik


Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack

Posted by Chiradeep Vittal <Ch...@citrix.com>.
Yeah, the spinning up of virtual appliances on demand is a problem across
almost all vendors:
1. The management ip of the virtual appliance needs to be programmed
2. There could be license management issues, or the VA needs to be
registered with some kind of controller
3. The appliance may need to be configured with a new password

I see this as a problem with say Vyatta, Netscaler VPX, etc.

For these appliances we can assume that the admin has pre-created enough
appliances and configured them appropriately. We can also assume a 1-1
mapping between VPC and appliance.

On 2/11/13 5:38 AM, "Koushik Das" <ko...@citrix.com> wrote:

>Updated the FS with API, Db changes and current deployment limitations.
>Also updated the UI section as to what all needs to be added.
>
>Chiradeep,
>I looked at the option of spinning up templates from ovf template but
>didn't find a way (was looking for some samples) to pass custom
>parameters like vnmc  ip, password etc. while creating VM instance. So
>for now the ASA instance creation is a manual step similar to VNMC
>appliance. In case there is a way out, the auto-creation can be done as a
>future enhancement.
>
>Thanks,
>Koushik