apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-11-04 00:02:37 +01:00
Code Issues Packages Projects Releases Wiki Activity

<message>

Browse Source
This commit is contained in:
Author Name 2013-01-11 15:45:18 +05:30 committed by Pranav Saxena
parent b2ca9fe7b0
commit 5dd14f322c
9 changed files with 240 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
docs/en-US/external-guest-firewall-integration.xml
View File

@ -21,23 +21,16 @@
<section id="external-guest-firewall-integration">
<title>External Guest Firewall Integration for Juniper SRX (Optional)</title>
<note>
<para>Available only for guests using advanced networking.</para>
<para>Available only for guests using advanced networking, both shared and isolated.</para>
</note>
<para>&PRODUCT; provides for direct management of the Juniper SRX series of firewalls. This
enables &PRODUCT; to establish static NAT mappings from public IPs to guest VMs, and to use
the Juniper device in place of the virtual router for firewall services. You can have one or
more Juniper SRX per zone. This feature is optional. If Juniper integration is not provisioned,
&PRODUCT; will use the virtual router for these services.</para>
enables &PRODUCT; to establish staticNAT mappings from public IPs to guest VMs, and to use the
Juniper device in place of the virtual router for firewall services. You can have only one
Juniper SRX device per zone. This feature is optional. If Juniper integration is not
provisioned, &PRODUCT; will use the virtual router for these services.</para>
<para>The Juniper SRX can optionally be used in conjunction with an external load balancer.
External Network elements can be deployed in a side-by-side or inline configuration.</para>
<mediaobject>
<imageobject>
<imagedata fileref="./images/parallel-mode.png"/>
</imageobject>
<textobject>
<phrase>parallel-mode.png: adding a firewall and load balancer in parallel mode.</phrase>
</textobject>
</mediaobject>
External Network elements can be deployed in a side-by-side or inline configuration. For more
information, see <xref linkend="inline-config-lb-fw"/>.</para>
<para>&PRODUCT; requires the Juniper to be configured as follows:</para>
<note>
<para>Supported SRX software version is 10.3 or higher.</para>
@ -58,22 +51,22 @@
<para>Record the public and private interface names. If you used a VLAN for the public
interface, add a ".[VLAN TAG]" after the interface name. For example, if you are using
ge-0/0/3 for your public interface and VLAN tag 301, your public interface name would be
"ge-0/0/3.301". Your private interface name should always be untagged because the
&PRODUCT; software automatically creates tagged logical interfaces.</para>
"ge-0/0/3.301". Your private interface name should always be untagged because the &PRODUCT;
software automatically creates tagged logical interfaces.</para>
</listitem>
<listitem>
<para>Create a public security zone and a private security zone. By default, these will
already exist and will be called "untrust" and "trust". Add the public interface to the
public zone and the private interface to the private zone. Note down the security zone
names.</para>
<para>Create a public security zone and a private security zone. By default, these already
exist and are called "untrust" and "trust" zones. Add the public interface to the public
zone. &PRODUCT;automatically adds the private interface to private zone (trusted zone). Note
down the security zone names.</para>
</listitem>
<listitem>
<para>Make sure there is a security policy from the private zone to the public zone that
allows all traffic.</para>
</listitem>
<listitem>
<para>Note the username and password of the account you want the &PRODUCT; software to log
in to when it is programming rules.</para>
<para>Note the username and password of the account you want the &PRODUCT; software to log in
to when it is programming rules.</para>
</listitem>
<listitem>
<para>Make sure the "ssh" and "xnm-clear-text" system services are enabled.</para>
@ -124,13 +117,13 @@ filter untrust {
<para>In the left navigation bar, click Infrastructure.</para>
</listitem>
<listitem>
<para>In Zones, click View More.</para>
<para>In Zones, click View All.</para>
</listitem>
<listitem>
<para>Choose the zone you want to work with.</para>
</listitem>
<listitem>
<para>Click the Network tab.</para>
<para>Click the Physical Network tab.</para>
</listitem>
<listitem>
<para>In the Network Service Providers node of the diagram, click Configure. (You might have
@ -159,10 +152,6 @@ filter untrust {
<para>Private Interface: The name of the private interface on the SRX. For example,
ge-0/0/1. </para>
</listitem>
<listitem>
<para>Usage Interface: (Optional) Typically, the public interface is used to meter
traffic. If you want to use a different interface, specify its name here</para>
</listitem>
<listitem>
<para>Number of Retries: The number of times to attempt a command on the SRX before
failing. The default value is 2.</para>
@ -180,12 +169,12 @@ filter untrust {
untrust.</para>
</listitem>
<listitem>
<para>Capacity: The number of networks the device can handle</para>
<para>Capacity: The number of networks the device can handle.</para>
</listitem>
<listitem>
<para>Dedicated: When marked as dedicated, this device will be dedicated to a single
account. When Dedicated is checked, the value in the Capacity field has no significance
implicitly, its value is 1</para>
implicitly, its value is 1.</para>
</listitem>
</itemizedlist>
</listitem>
@ -194,8 +183,8 @@ filter untrust {
</listitem>
<listitem>
<para>Click Global Settings. Set the parameter external.network.stats.interval to indicate how
often you want &PRODUCT; to fetch network usage statistics from the Juniper SRX. If you
are not using the SRX to gather network usage statistics, set to 0.</para>
often you want &PRODUCT; to fetch network usage statistics from the Juniper SRX. If you are
not using the SRX to gather network usage statistics, set to 0.</para>
</listitem>
</orderedlist>
</section>

4
docs/en-US/external-guest-lb-integration.xml
View File

@ -20,10 +20,12 @@
-->
<section id="external-guest-lb-integration">
<title>External Guest Load Balancer Integration (Optional)</title>
<note>
<para>External load balancer devices are not supported in shared networks.</para>
</note>
<para>&PRODUCT; can optionally use a Citrix NetScaler or BigIP F5 load balancer to provide load
balancing services to guests. If this is not enabled, &PRODUCT; will use the software load
balancer in the virtual router.</para>
<para>To install and enable an external load balancer for &PRODUCT; management:</para>
<orderedlist>
<listitem>
<para>Set up the appliance according to the vendor's directions.</para>

9
docs/en-US/hardware-firewall.xml
View File

@ -22,8 +22,11 @@
<title>Hardware Firewall</title>
<para>All deployments should have a firewall protecting the management server; see Generic
Firewall Provisions. Optionally, some deployments may also have a Juniper SRX firewall that will
be the default gateway for the guest networks; see <xref linkend="external-guest-firewall-integration"/>.</para>
be the default gateway for the guest networks; see <xref
linkend="external-guest-firewall-integration"/>.</para>
<xi:include href="generic-firewall-provisions.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="external-guest-firewall-integration.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="external-guest-lb-integration.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="external-guest-firewall-integration.xml"
xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="lb-services.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="inline-config-lb-fw.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
</section>

BIN
docs/en-US/images/add-netscaler.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

BIN
docs/en-US/images/parallel-inline-mode.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 142 KiB

173
docs/en-US/inline-config-lb-fw.xml Normal file
View File

@ -0,0 +1,173 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="inline-config-lb-fw">
<title>Configuring Network Devices in Inline and Side by Side Modes</title>
<para>The external network elements, such as load balancer and firewall devices, supported in
&PRODUCT; can be deployed in either of the following modes: Side by Side and Inline. Inline mode
was originally supported in &PRODUCT; 2.2.x versions, and is now added back in the 3.0.6
release.</para>
<para>In Inline mode, one firewall device is placed in front of a load balancing device. The
firewall acts as the gateway for all incoming traffic, then redirect the load balancing traffic
to the load balancer behind it. The load balancer in this case will not have the direct access
to the public network. Deploying network devices in Inline mode ensures that the resources are
protected.</para>
<mediaobject>
<imageobject>
<imagedata fileref="./images/parallel-inline-mode.png"/>
</imageobject>
<textobject>
<phrase>parallel-inline-mode.png: external networks in different deployment modes</phrase>
</textobject>
</mediaobject>
<para>In Side by Side mode, a firewall device is deployed in parallel with the load balancer
device. So the traffic to the load balancer public IP is not routed through the firewall, and
therefore, is exposed to the public network. </para>
<mediaobject>
<imageobject>
<imagedata fileref="./images/parallel-mode.png"/>
</imageobject>
<textobject>
<phrase>parallel-mode.png: adding a firewall and load balancer in side by side mode</phrase>
</textobject>
</mediaobject>
<para>The following table gives you an overview of the supported services and devices for inline
and side by side mode.</para>
<informaltable>
<tgroup cols="4" align="left" colsep="1" rowsep="1">
<colspec colwidth="1.08*" colname="c1" colnum="1"/>
<colspec colwidth="1.2*" colname="c2" colnum="2"/>
<colspec colnum="3" colname="c3" colwidth="1.0*"/>
<colspec colnum="4" colname="c4" colwidth="5.15*"/>
<thead>
<row>
<entry><para>Mode</para></entry>
<entry><para>Firewall</para></entry>
<entry><para>Load Balancer</para></entry>
<entry><para>Supported</para></entry>
</row>
</thead>
<tbody>
<row>
<entry><para>Side by Side</para></entry>
<entry><para>Virtual Router</para></entry>
<entry><para>F5</para></entry>
<entry><para>Yes</para></entry>
</row>
<row>
<entry><para>Side by Side</para></entry>
<entry><para>Virtual Router</para></entry>
<entry><para>Virtual Router</para></entry>
<entry><para>Yes</para></entry>
</row>
<row>
<entry><para>Side by Side</para></entry>
<entry><para>Virtual Router</para></entry>
<entry><para>NetScaler</para></entry>
<entry><para>Yes</para></entry>
</row>
<row>
<entry><para>Side by Side</para></entry>
<entry><para>Juniper SRX</para></entry>
<entry><para>F5</para></entry>
<entry><para>Yes</para></entry>
</row>
<row>
<entry><para>Side by Side</para></entry>
<entry><para>Juniper SRX</para></entry>
<entry><para>NetScaler</para></entry>
<entry><para>Yes</para></entry>
</row>
<row>
<entry><para>Inline</para></entry>
<entry><para>Virtual Router</para></entry>
<entry><para>F5</para></entry>
<entry><para>No</para></entry>
</row>
<row>
<entry><para>Inline</para></entry>
<entry><para>Virtual Router</para></entry>
<entry><para>NetScaler</para></entry>
<entry><para>No</para></entry>
</row>
<row>
<entry><para>Inline</para></entry>
<entry><para>Juniper SRX</para></entry>
<entry><para>F5</para></entry>
<entry><para>Yes</para></entry>
</row>
<row>
<entry><para>Inline</para></entry>
<entry><para>Juniper SRX</para></entry>
<entry><para>NetScaler</para></entry>
<entry><para>No</para></entry>
</row>
<row>
<entry><para>Inline</para></entry>
<entry><para>Juniper SRX</para></entry>
<entry><para>Virtual Router</para></entry>
<entry><para>No</para></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>To configure SRX and F5 in Inline mode:</para>
<orderedlist>
<listitem>
<para>Configure F5 Big IP and Juniper SRX.</para>
<para>See the respective product documentation for more information.</para>
</listitem>
<listitem>
<para>Add SRX and F5 to the same zone in &PRODUCT;.</para>
<note>
<para>Ensure that you select per zone sourceNAT when creating the network offering. When
adding F5 BigIP, do not make it a dedicated device.</para>
</note>
</listitem>
<listitem>
<para>Enable both the devices.</para>
</listitem>
<listitem>
<para>Create a network offering:</para>
<para>Use SRX as provider for Firewall, Port Forwarding, SourceNAT, and StaticNat. Select F5
BigIP as the service provider for Load Balancing. Use Virtual Router as the service provider
for DNS, DHCP, user data.</para>
</listitem>
<listitem>
<para>Select Inline mode.</para>
<para>For more information, see <phrase condition="admin"><xref
linkend="creating-network-offerings"/>.</phrase>
<phrase condition="install">Creating Network Offerings in the Administration Guide.</phrase>
</para>
</listitem>
<listitem>
<para>Start a new VM with this new network offering.</para>
</listitem>
<listitem>
<para>Add firewall and load balancing rules. For more information, see <phrase
condition="admin"><xref linkend="add-load-balancer-rule"/></phrase>
<phrase condition="install">Adding a Load Balancer Rule</phrase> and <phrase
condition="admin"><xref linkend="firewall-rules"/>.</phrase>
<phrase condition="install">IP Forwarding and Firewalling in the Administration
Guide.</phrase>
</para>
</listitem>
</orderedlist>
</section>

25
docs/en-US/lb-services.xml Normal file
View File

@ -0,0 +1,25 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="lb-services">
<title>Load Balancing Services</title>
<xi:include href="external-guest-lb-integration.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="management-server-lb.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
</section>

12
docs/en-US/management-server-lb.xml
View File

@ -19,12 +19,12 @@
under the License.
-->
<section id="management-server-lb">
<title>Setting Zone VLAN and Running VM Maximums</title>
<para>&PRODUCT; can use a load balancer to provide a virtual IP for multiple Management
Servers. The administrator is responsible for creating the load balancer rules for the
Management Servers. The application requires persistence or stickiness across multiple sessions.
The following chart lists the ports that should be load balanced and whether or not persistence
is required.</para>
<title>Management Server Load Balancing</title>
<para>&PRODUCT; can use a load balancer to provide a virtual IP for multiple Management Servers.
The administrator is responsible for creating the load balancer rules for the Management
Servers. The application requires persistence or stickiness across multiple sessions. The
following chart lists the ports that should be load balanced and whether or not persistence is
required.</para>
<para>Even if persistence is not required, enabling it is permitted.</para>
<informaltable>
<tgroup cols="4" align="left" colsep="1" rowsep="1">

12
docs/en-US/network-setup.xml
View File

@ -20,16 +20,16 @@
-->
<chapter id="network-setup">
<title>Network Setup</title>
<para>Achieving the correct networking setup is crucial to a successful &PRODUCT;
installation. This section contains information to help you make decisions and follow the right
procedures to get your network set up correctly.</para>
<para>Achieving the correct networking setup is crucial to a successful &PRODUCT; installation.
This section contains information to help you make decisions and follow the right procedures to
get your network set up correctly.</para>
<xi:include href="basic-adv-networking.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="vlan-allocation-eg.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="hardware-config-eg.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="layer2-switch.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="hardware-firewall.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="management-server-lb.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="topology-req.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="guest-nw-usage-with-traffic-sentinel.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="guest-nw-usage-with-traffic-sentinel.xml"
xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="set-zone-vlan-run-vm-max.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
</chapter>
</chapter>