Posted to users@cloudstack.apache.org by Radhika Puthiyetath <ra...@citrix.com> on 2013/08/20 12:16:30 UTC

[Doc] Cisco VNMC Doc Is Ready for Review

Hi all

The doc is attached at https://issues.apache.org/jira/browse/CLOUDSTACK-906

Thanks in advance
-Radhika

RE: [Doc] Cisco VNMC Doc Is Ready for Review

Posted by Radhika Puthiyetath <ra...@citrix.com>.
Thanks Sailaja and Koushik.

I have fixed the following defects:
https://issues.apache.org/jira/browse/CLOUDSTACK-3115
https://issues.apache.org/jira/browse/CLOUDSTACK-4416
https://issues.apache.org/jira/browse/CLOUDSTACK-906

From: Sailaja Mada
Sent: Tuesday, August 20, 2013 4:23 PM
To: Radhika Puthiyetath; dev@cloudstack.apache.org; users@cloudstack.apache.org; Koushik Das
Subject: RE: [Doc] Cisco VNMC Doc Is Ready for Review

Hi Radhika,

As discussed with you, please find the minutes below (review comments provided by Koushik & myself)

==============================================================

Introduction:

Works only on isolated.

Remove: connection timeout, TCP intercept:

Use case: they are not use cases. What is listed is how to, not use cases. Check FS

Add that VNMC would work only on Nexus-enabled cluster.

Prerequisites: First configure Nexus in a vCenter environment (direct to the link)
2nd - Deploy and configure VNMC
3rd - Register Nexus with VNMC
4th - Create inside and outside port profiles in Nexus. Direct to CloudStack Nexus doc
5th - Deploy and configure ASA
6th - Register ASA with VNMC
          Ensure that all devices are time-synced

VNMC is the service provider for Firewall, through which CloudStack can leverage firewall and sourceNAT services - update

Port profiles for both inside and outside network interfaces. These need to be pre-created on Nexus dvSwitch switch. Note down the inside port profile and provide that while adding the ASA appliance to CloudStack.

Not required: ESX host IP and Standalone or HA mode

Add: VNMC Host IP (Add ASA in VNMC mode)

Ensure that Cisco VNMC appliance is set up externally and then registered with CloudStack by using the admin API (UI also). A single VNMC instance manages multiple ASA1000v appliances.

One VNMC per Zone
One ASA per guest network. VLAN ID is treated as a Tenant. Each guest network will have one VLAN ID, so one ASA per guest network

When a guest network is created with Cisco VNMC firewall provider, an additional public IP is acquired along with the Source NAT IP. The Source NAT IP is used for the rules, whereas the additional IP is used for the ASA outside interface.
Ensure that this additional public IP is not released. You can identify this IP as soon as the network is in implemented state and before acquiring any further public IPs. The additional IP is the one that is not marked as Source NAT. You can find the IP used for the ASA outside interface by looking at the Cisco VNMC used in your guest network.

Click the Physical Network tab.
Inside Port Profile: The Inside Port Profile configured on Cisco Nexus1000v dvSwitch.


Thanks,
Sailaja.M

From: Radhika Puthiyetath
Sent: Tuesday, August 20, 2013 3:47 PM
To: dev@cloudstack.apache.org; users@cloudstack.apache.org; Koushik Das; Sailaja Mada
Subject: [Doc] Cisco VNMC Doc Is Ready for Review

Hi all

The doc is attached at https://issues.apache.org/jira/browse/CLOUDSTACK-906

Thanks in advance
-Radhika

RE: [Doc] Cisco VNMC Doc Is Ready for Review

Posted by Sailaja Mada <sa...@citrix.com>.
Hi Radhika,

As discussed with you, please find the minutes below (review comments provided by Koushik & myself)

==============================================================

Introduction:

Works only on isolated.

Remove: connection timeout, TCP intercept:

Use case: they are not use cases. What is listed is how to, not use cases. Check FS

Add that VNMC would work only on Nexus-enabled cluster.

Prerequisites: First configure Nexus in a vCenter environment (direct to the link)
2nd - Deploy and configure VNMC
3rd - Register Nexus with VNMC
4th - Create inside and outside port profiles in Nexus. Direct to CloudStack Nexus doc
5th - Deploy and configure ASA
6th - Register ASA with VNMC
          Ensure that all devices are time-synced

VNMC is the service provider for Firewall, through which CloudStack can leverage firewall and sourceNAT services - update

Port profiles for both inside and outside network interfaces. These need to be pre-created on Nexus dvSwitch switch. Note down the inside port profile and provide that while adding the ASA appliance to CloudStack.

Not required: ESX host IP and Standalone or HA mode

Add: VNMC Host IP (Add ASA in VNMC mode)

Ensure that Cisco VNMC appliance is set up externally and then registered with CloudStack by using the admin API (UI also). A single VNMC instance manages multiple ASA1000v appliances.

One VNMC per Zone
One ASA per guest network. VLAN ID is treated as a Tenant. Each guest network will have one VLAN ID, so one ASA per guest network

When a guest network is created with Cisco VNMC firewall provider, an additional public IP is acquired along with the Source NAT IP. The Source NAT IP is used for the rules, whereas the additional IP is used for the ASA outside interface.
Ensure that this additional public IP is not released. You can identify this IP as soon as the network is in implemented state and before acquiring any further public IPs. The additional IP is the one that is not marked as Source NAT. You can find the IP used for the ASA outside interface by looking at the Cisco VNMC used in your guest network.

Click the Physical Network tab.
Inside Port Profile: The Inside Port Profile configured on Cisco Nexus1000v dvSwitch.


Thanks,
Sailaja.M

From: Radhika Puthiyetath
Sent: Tuesday, August 20, 2013 3:47 PM
To: dev@cloudstack.apache.org; users@cloudstack.apache.org; Koushik Das; Sailaja Mada
Subject: [Doc] Cisco VNMC Doc Is Ready for Review

Hi all

The doc is attached at https://issues.apache.org/jira/browse/CLOUDSTACK-906

Thanks in advance
-Radhika
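
The check described in the minutes above (the additional IP is the one not marked Source NAT, and it must not be released), as an added Python example that is not part of the original thread. It assumes a JSON response shaped like CloudStack's listPublicIpAddresses output; the sample data, the network ID and both helper names are constructed for illustration.

```python
import json

# Constructed sample shaped like a listPublicIpAddresses JSON response for
# one guest network (documentation-range addresses, made-up network ID).
SAMPLE_RESPONSE = json.loads("""
{"listpublicipaddressesresponse": {"count": 2, "publicipaddress": [
  {"ipaddress": "203.0.113.10", "issourcenat": true,
   "associatednetworkid": "net-1", "state": "Allocated"},
  {"ipaddress": "203.0.113.11", "issourcenat": false,
   "associatednetworkid": "net-1", "state": "Allocated"}
]}}
""")


def find_asa_outside_ip(response, network_id):
    """Return the single non-Source-NAT IP of the network, or None.

    None means the result cannot be trusted: the extra IP is missing, or
    further public IPs were already acquired and the candidate is ambiguous.
    (Hypothetical helper, not a CloudStack function.)
    """
    body = response.get("listpublicipaddressesresponse", {})
    on_network = [ip for ip in body.get("publicipaddress", [])
                  if ip.get("associatednetworkid") == network_id]
    source_nat = [ip for ip in on_network if ip.get("issourcenat")]
    others = [ip for ip in on_network if not ip.get("issourcenat")]
    if len(source_nat) != 1 or len(others) != 1:
        return None
    return others[0]["ipaddress"]


def release_allowed(ip_address, protected_ips):
    """Guard to run before releasing an IP: refuse protected addresses."""
    return ip_address not in protected_ips


if __name__ == "__main__":
    asa_ip = find_asa_outside_ip(SAMPLE_RESPONSE, "net-1")
    print("ASA outside interface IP:", asa_ip)
    print("may release it:", release_allowed(asa_ip, {asa_ip}))
```

Running the lookup right after the network reaches the implemented state matters: once a second non-Source-NAT IP exists, the function returns None instead of guessing.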
