fix for CLOUDSTACK-444

Signed-off-by: Radhika PC <radhika.puthiyetath@citrix.com>
Signed-off-by: Joe Brockmeier <jzb@zonker.net>
This commit is contained in:
Radhika PC 2012-11-05 19:18:12 +05:30 committed by Joe Brockmeier
parent 6e23cad126
commit cb3d8872c6
27 changed files with 1322 additions and 0 deletions

View File

@ -54,6 +54,7 @@
<xi:include href="hypervisor-installation.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="choosing-a-deployment-architecture.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="aws-interface-compatibility.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="network-setup.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="networks.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="Revision_History_Install_Guide.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
</book>

View File

@ -0,0 +1,25 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="adv-zone-topology-req">
<title>Advanced Zone Topology Requirements</title>
<para>With Advanced Networking, separate subnets must be used for private and public
networks.</para>
</section>

View File

@ -0,0 +1,113 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="basic-adv-networking">
<title>Basic and Advanced Networking</title>
<para>&PRODUCT; provides two styles of networking:.</para>
<formalpara>
<title>Basic</title>
<para>For AWS-style networking. Provides a single network where guest isolation can be provided
through layer-3 means such as security groups (IP address source filtering). </para>
</formalpara>
<formalpara>
<title>Advanced</title>
<para>For more sophisticated network topologies. This network model provides the most
flexibility in defining guest networks, but requires more configuration steps than basic
networking.</para>
</formalpara>
<para>Each zone has either basic or advanced networking. Once the choice of networking model for a
zone has been made and configured in &PRODUCT;, it can not be changed. A zone is either
basic or advanced for its entire lifetime.</para>
<para>The following table compares the networking features in the two networking models.</para>
<informaltable>
<tgroup cols="3" align="left" colsep="1" rowsep="1">
<thead>
<row>
<entry><para>Networking Feature</para></entry>
<entry><para>Basic Network</para></entry>
<entry><para>Advanced Network</para></entry>
</row>
</thead>
<tbody>
<row>
<entry><para>Number of networks</para></entry>
<entry><para>Single network</para></entry>
<entry><para>Multiple networks</para></entry>
</row>
<row>
<entry><para>Firewall type</para></entry>
<entry><para>Physical</para></entry>
<entry><para>Physical and Virtual</para></entry>
</row>
<row>
<entry><para>Load balancer</para></entry>
<entry><para>Physical</para></entry>
<entry><para>Physical and Virtual</para></entry>
</row>
<row>
<entry><para>Isolation type</para></entry>
<entry><para>Layer 3</para></entry>
<entry><para>Layer 2 and Layer 3</para></entry>
</row>
<row>
<entry><para>VPN support</para></entry>
<entry><para>No</para></entry>
<entry><para>Yes</para></entry>
</row>
<row>
<entry><para>Port forwarding</para></entry>
<entry><para>Physical</para></entry>
<entry><para>Physical and Virtual</para></entry>
</row>
<row>
<entry><para>1:1 NAT</para></entry>
<entry><para>Physical</para></entry>
<entry><para>Physical and Virtual</para></entry>
</row>
<row>
<entry><para>Source NAT</para></entry>
<entry><para>No</para></entry>
<entry><para>Physical and Virtual</para></entry>
</row>
<row>
<entry><para>Userdata</para></entry>
<entry><para>Yes</para></entry>
<entry><para>Yes</para></entry>
</row>
<row>
<entry><para>Network usage monitoring</para></entry>
<entry><para>sFlow / netFlow at physical router</para></entry>
<entry><para>Hypervisor and Virtual Router</para></entry>
</row>
<row>
<entry><para>DNS and DHCP</para></entry>
<entry><para>Yes</para></entry>
<entry><para>Yes</para></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>The two types of networking may be in use in the same cloud. However, a given zone must use
either Basic Networking or Advanced Networking.</para>
<para>Different types of network traffic can be segmented on the same physical network. Guest
traffic can also be segmented by account. To isolate traffic, you can use separate VLANs. If you
are using separate VLANs on a single physical network, make sure the VLAN tags are in separate
numerical ranges.</para>
</section>
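Review bot: the intro sentence `<para>&PRODUCT; provides two styles of networking:.</para>` has a stray period after the colon; drop it. The closing paragraph ("The two types of networking may be in use in the same cloud. However, a given zone must use either Basic Networking or Advanced Networking.") restates what the paragraph after the two formalparas already says ("A zone is either basic or advanced for its entire lifetime"); merge them so the point that the choice is per zone and irreversible is made once. Minor: the Basic formalpara has a trailing space before `</para>` ("(IP address source filtering). </para>").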

View File

@ -0,0 +1,52 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="cisco3750-hardware">
<title>Cisco 3750</title>
<para>The following steps show how a Cisco 3750 is configured for zone-level layer-3 switching.
These steps assume VLAN 201 is used to route untagged private IPs for pod 1, and pod 1s layer-2
switch is connected to GigabitEthernet1/0/1.</para>
<orderedlist>
<listitem>
<para>Setting VTP mode to transparent allows us to utilize VLAN IDs above 1000. Since we only
use VLANs up to 999, vtp transparent mode is not strictly required.</para>
<programlisting>vtp mode transparent
vlan 200-999
exit</programlisting>
</listitem>
<listitem>
<para>Configure GigabitEthernet1/0/1.</para>
<programlisting>interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 201
exit</programlisting>
</listitem>
</orderedlist>
<para>The statements configure GigabitEthernet1/0/1 as follows:</para>
<itemizedlist>
<listitem>
<para>VLAN 201 is the native untagged VLAN for port GigabitEthernet1/0/1.</para>
</listitem>
<listitem>
<para>Cisco passes all VLANs by default. As a result, all VLANs (300-999) are passed to all the pod-level layer-2 switches.</para>
</listitem>
</itemizedlist>
</section>
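Review bot: the VLAN range in step 1 (`vlan 200-999`) does not match the closing bullet, which says "all VLANs (300-999) are passed to all the pod-level layer-2 switches"; either the bullet should say 200-999 or the text should explain what 200-299 are reserved for. Since the bullet itself notes that "Cisco passes all VLANs by default", the section should also say whether the trunk is meant to be pruned to the VLANs the pod actually needs (Cisco IOS has `switchport trunk allowed vlan` for that), so guest VLANs belonging to other pods are not carried onto every pod switch. Typo: "pod 1s layer-2 switch" should read "pod 1's layer-2 switch".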

View File

@ -0,0 +1,45 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="cisco3750-layer2">
<title>Cisco 3750</title>
<para>The following steps show how a Cisco 3750 is configured for pod-level layer-2
switching.</para>
<orderedlist>
<listitem>
<para>Setting VTP mode to transparent allows us to utilize VLAN IDs above 1000. Since we only
use VLANs up to 999, vtp transparent mode is not strictly required.</para>
<programlisting>vtp mode transparent
vlan 300-999
exit</programlisting>
</listitem>
<listitem>
<para>Configure all ports to dot1q and set 201 as the native VLAN.</para>
<programlisting>interface range GigabitEthernet 1/0/1-24
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 201
exit</programlisting>
</listitem>
</orderedlist>
<para>By default, Cisco passes all VLANs. Cisco switches complain of the native VLAN IDs are
different when 2 ports are connected together. Thats why you must specify VLAN 201 as the
native VLAN on the layer-2 switch.</para>
</section>
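Review bot: step 1 only creates `vlan 300-999`, yet step 2 sets `switchport trunk native vlan 201`; VLAN 201 is never created on this switch (the zone-level Cisco section covers it with `vlan 200-999`), so untagged pod traffic on these trunks would map to a VLAN that is absent from the VLAN database. Add it (for example `vlan 201,300-999`) or state that it must already exist. In the closing paragraph, "Cisco switches complain of the native VLAN IDs are different" should read "complain if the native VLAN IDs are different", and "Thats" should be "That's".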

View File

@ -0,0 +1,53 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="dell62xx-hardware">
<title>Dell 62xx</title>
<para>The following steps show how a Dell 62xx is configured for zone-level layer-3 switching.
These steps assume VLAN 201 is used to route untagged private IPs for pod 1, and pod 1s layer-2
switch is connected to Ethernet port 1/g1.</para>
<para>The Dell 62xx Series switch supports up to 1024 VLANs.</para>
<orderedlist>
<listitem>
<para>Configure all the VLANs in the database.</para>
<programlisting>vlan database
vlan 200-999
exit</programlisting>
</listitem>
<listitem>
<para>Configure Ethernet port 1/g1.</para>
<programlisting>interface ethernet 1/g1
switchport mode general
switchport general pvid 201
switchport general allowed vlan add 201 untagged
switchport general allowed vlan add 300-999 tagged
exit</programlisting>
</listitem>
</orderedlist>
<para>The statements configure Ethernet port 1/g1 as follows:</para>
<itemizedlist>
<listitem>
<para>VLAN 201 is the native untagged VLAN for port 1/g1.</para>
</listitem>
<listitem>
<para>All VLANs (300-999) are passed to all the pod-level layer-2 switches.</para>
</listitem>
</itemizedlist>
</section>
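Review bot: step 1 creates `vlan 200-999` while port 1/g1 only admits 201 untagged and 300-999 tagged; a sentence saying why 200-999 is defined (or narrowing it to what the port uses) would keep this section consistent with its own bullets. Typo: "pod 1s layer-2 switch" should read "pod 1's layer-2 switch".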

View File

@ -0,0 +1,49 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="dell62xx-layer2">
<title>Dell 62xx</title>
<para>The following steps show how a Dell 62xx is configured for pod-level layer-2
switching.</para>
<orderedlist>
<listitem>
<para>Configure all the VLANs in the database.</para>
<programlisting>vlan database
vlan 300-999
exit</programlisting>
</listitem>
<listitem>
<para>VLAN 201 is used to route untagged private IP addresses for pod 1, and pod 1 is connected to this layer-2 switch.</para>
<programlisting>interface range ethernet all
switchport mode general
switchport general allowed vlan add 300-999 tagged
exit</programlisting>
</listitem>
</orderedlist>
<para>The statements configure all Ethernet ports to function as follows:</para>
<itemizedlist>
<listitem>
<para>All ports are configured the same way.</para>
</listitem>
<listitem>
<para>All VLANs (300-999) are passed through all the ports of the layer-2 switch.</para>
</listitem>
</itemizedlist>
</section>
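Review bot: step 2 says "VLAN 201 is used to route untagged private IP addresses for pod 1", but the configuration never makes 201 the untagged VLAN on the ports; it only adds `switchport general allowed vlan add 300-999 tagged`. The zone-level Dell section does this with `switchport general pvid 201` and `switchport general allowed vlan add 201 untagged`, and the Cisco layer-2 section sets native VLAN 201 for the same reason. Without those two lines untagged frames fall into the switch's default PVID rather than VLAN 201, so the listing and the prose disagree. Also, the first closing bullet ("All ports are configured the same way") only restates `interface range ethernet all`; it can be dropped.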

View File

@ -0,0 +1,25 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="external-fw-topology-req">
<title>External Firewall Topology Requirements</title>
<para>When external firewall integration is in place, the public IP VLAN must still be trunked to
the Hosts. This is required to support the Secondary Storage VM and Console Proxy VM.</para>
</section>
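Review bot: "external firewall integration" is not defined here; a cross-reference to the SRX section (`<xref linkend="external-guest-firewall-integration"/>`, which this commit adds) would tell the reader which integration is meant. Minor: "the Hosts" should be lowercase "the hosts".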

View File

@ -0,0 +1,201 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="external-guest-firewall-integration">
<title>External Guest Firewall Integration for Juniper SRX (Optional)</title>
<note>
<para>Available only for guests using advanced networking.</para>
</note>
<para>&PRODUCT; provides for direct management of the Juniper SRX series of firewalls. This
enables &PRODUCT; to establish static NAT mappings from public IPs to guest VMs, and to use
the Juniper device in place of the virtual router for firewall services. You can have one or
more Juniper SRX per zone. This feature is optional. If Juniper integration is not provisioned,
&PRODUCT; will use the virtual router for these services.</para>
<para>The Juniper SRX can optionally be used in conjunction with an external load balancer.
External Network elements can be deployed in a side-by-side or inline configuration.</para>
<mediaobject>
<imageobject>
<imagedata fileref="./images/parallel-mode.png"/>
</imageobject>
<textobject>
<phrase>parallel-mode.png: adding a firewall and load balancer in parallel mode.</phrase>
</textobject>
</mediaobject>
<para>&PRODUCT; requires the Juniper to be configured as follows:</para>
<note>
<para>Supported SRX software version is 10.3 or higher.</para>
</note>
<orderedlist>
<listitem>
<para>Install your SRX appliance according to the vendor's instructions.</para>
</listitem>
<listitem>
<para>Connect one interface to the management network and one interface to the public network.
Alternatively, you can connect the same interface to both networks and a use a VLAN for the
public network.</para>
</listitem>
<listitem>
<para>Make sure "vlan-tagging" is enabled on the private interface.</para>
</listitem>
<listitem>
<para>Record the public and private interface names. If you used a VLAN for the public
interface, add a ".[VLAN TAG]" after the interface name. For example, if you are using
ge-0/0/3 for your public interface and VLAN tag 301, your public interface name would be
"ge-0/0/3.301". Your private interface name should always be untagged because the
&PRODUCT; software automatically creates tagged logical interfaces.</para>
</listitem>
<listitem>
<para>Create a public security zone and a private security zone. By default, these will
already exist and will be called "untrust" and "trust". Add the public interface to the
public zone and the private interface to the private zone. Note down the security zone
names.</para>
</listitem>
<listitem>
<para>Make sure there is a security policy from the private zone to the public zone that
allows all traffic.</para>
</listitem>
<listitem>
<para>Note the username and password of the account you want the &PRODUCT; software to log
in to when it is programming rules.</para>
</listitem>
<listitem>
<para>Make sure the "ssh" and "xnm-clear-text" system services are enabled.</para>
</listitem>
<listitem>
<para>If traffic metering is desired:</para>
<orderedlist>
<listitem>
<para>a. Create an incoming firewall filter and an outgoing firewall filter. These filters
should be the same names as your public security zone name and private security zone
name respectively. The filters should be set to be "interface-specific". For example,
here is the configuration where the public zone is "untrust" and the private zone is
"trust":</para>
<programlisting>root@cloud-srx# show firewall
filter trust {
interface-specific;
}
filter untrust {
interface-specific;
}</programlisting>
</listitem>
<listitem>
<para>Add the firewall filters to your public interface. For example, a sample
configuration output (for public interface ge-0/0/3.0, public security zone untrust, and
private security zone trust) is:</para>
<programlisting>ge-0/0/3 {
unit 0 {
family inet {
filter {
input untrust;
output trust;
}
address 172.25.0.252/16;
}
}
}</programlisting>
</listitem>
</orderedlist>
</listitem>
<listitem>
<para>Make sure all VLANs are brought to the private interface of the SRX.</para>
</listitem>
<listitem>
<para>After the &PRODUCT; Management Server is installed, log in to the &PRODUCT; UI as
administrator.</para>
</listitem>
<listitem>
<para>In the left navigation bar, click Infrastructure.</para>
</listitem>
<listitem>
<para>In Zones, click View More.</para>
</listitem>
<listitem>
<para>Choose the zone you want to work with.</para>
</listitem>
<listitem>
<para>Click the Network tab.</para>
</listitem>
<listitem>
<para>In the Network Service Providers node of the diagram, click Configure. (You might have
to scroll down to see this.)</para>
</listitem>
<listitem>
<para>Click SRX.</para>
</listitem>
<listitem>
<para>Click the Add New SRX button (+) and provide the following:</para>
<itemizedlist>
<listitem>
<para>IP Address: The IP address of the SRX.</para>
</listitem>
<listitem>
<para>Username: The user name of the account on the SRX that &PRODUCT; should use.</para>
</listitem>
<listitem>
<para>Password: The password of the account.</para>
</listitem>
<listitem>
<para>Public Interface. The name of the public interface on the SRX. For example,
ge-0/0/2. A ".x" at the end of the interface indicates the VLAN that is in use.</para>
</listitem>
<listitem>
<para>Private Interface: The name of the private interface on the SRX. For example,
ge-0/0/1. </para>
</listitem>
<listitem>
<para>Usage Interface: (Optional) Typically, the public interface is used to meter
traffic. If you want to use a different interface, specify its name here</para>
</listitem>
<listitem>
<para>Number of Retries: The number of times to attempt a command on the SRX before
failing. The default value is 2.</para>
</listitem>
<listitem>
<para>Timeout (seconds): The time to wait for a command on the SRX before considering it
failed. Default is 300 seconds.</para>
</listitem>
<listitem>
<para>Public Network: The name of the public network on the SRX. For example,
trust.</para>
</listitem>
<listitem>
<para>Private Network: The name of the private network on the SRX. For example,
untrust.</para>
</listitem>
<listitem>
<para>Capacity: The number of networks the device can handle</para>
</listitem>
<listitem>
<para>Dedicated: When marked as dedicated, this device will be dedicated to a single
account. When Dedicated is checked, the value in the Capacity field has no significance
implicitly, its value is 1</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>Click OK.</para>
</listitem>
<listitem>
<para>Click Global Settings. Set the parameter external.network.stats.interval to indicate how
often you want &PRODUCT; to fetch network usage statistics from the Juniper SRX. If you
are not using the SRX to gather network usage statistics, set to 0.</para>
</listitem>
</orderedlist>
</section>
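Review bot: the examples for the Public Network and Private Network fields are swapped relative to the earlier step, which defines the public security zone as "untrust" and the private zone as "trust" (and uses `input untrust; output trust;` in the filter listing); the Public Network example should be "untrust" and the Private Network example "trust", and both fields should say they take the security zone names recorded in that step. The "Make sure the "ssh" and "xnm-clear-text" system services are enabled" step deserves a sentence on what it implies: xnm-clear-text is the unencrypted JUNOScript transport, so the credentials noted in the previous step travel in the clear on the management network, which therefore has to be an isolated, trusted segment. The account whose username and password are recorded should also be a dedicated one with only the rights needed to program rules. Smaller fixes in the same hunk: the nested item starting "a. Create an incoming firewall filter" carries a manual "a." inside an `<orderedlist>`, which will double-number; "and a use a VLAN" should read "and use a VLAN"; "Public Interface." should use a colon like the other fields; the "Usage Interface" and "Capacity" entries lack a final period; and "the value in the Capacity field has no significance implicitly, its value is 1" should read "the Capacity field is ignored and is implicitly 1".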

View File

@ -0,0 +1,109 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="external-guest-lb-integration">
<title>External Guest Load Balancer Integration (Optional)</title>
<para>&PRODUCT; can optionally use a Citrix NetScaler or BigIP F5 load balancer to provide load
balancing services to guests. If this is not enabled, &PRODUCT; will use the software load
balancer in the virtual router.</para>
<para>To install and enable an external load balancer for &PRODUCT; management:</para>
<orderedlist>
<listitem>
<para>Set up the appliance according to the vendor's directions.</para>
</listitem>
<listitem>
<para>Connect it to the networks carrying public traffic and management traffic (these could
be the same network).</para>
</listitem>
<listitem>
<para>Record the IP address, username, password, public interface name, and private interface
name. The interface names will be something like "1.1" or "1.2".</para>
</listitem>
<listitem>
<para>Make sure that the VLANs are trunked to the management network interface.</para>
</listitem>
<listitem>
<para>After the &PRODUCT; Management Server is installed, log in as administrator to the
&PRODUCT; UI.</para>
</listitem>
<listitem>
<para>In the left navigation bar, click Infrastructure.</para>
</listitem>
<listitem>
<para>In Zones, click View More.</para>
</listitem>
<listitem>
<para>Choose the zone you want to work with.</para>
</listitem>
<listitem>
<para>Click the Network tab.</para>
</listitem>
<listitem>
<para>In the Network Service Providers node of the diagram, click Configure. (You might have
to scroll down to see this.)</para>
</listitem>
<listitem>
<para>Click NetScaler or F5.</para>
</listitem>
<listitem>
<para>Click the Add button (+) and provide the following:</para>
<para>For NetScaler:</para>
<itemizedlist>
<listitem>
<para>IP Address: The IP address of the SRX.</para>
</listitem>
<listitem>
<para>Username/Password: The authentication credentials to access the device. &PRODUCT;
uses these credentials to access the device.</para>
</listitem>
<listitem>
<para>Type: The type of device that is being added. It could be F5 Big Ip Load Balancer,
NetScaler VPX, NetScaler MPX, or NetScaler SDX. For a comparison of the NetScaler types,
see the &PRODUCT; Administration Guide.</para>
</listitem>
<listitem>
<para>Public interface: Interface of device that is configured to be part of the public
network.</para>
</listitem>
<listitem>
<para>Private interface: Interface of device that is configured to be part of the private
network.</para>
</listitem>
<listitem>
<para>Number of retries. Number of times to attempt a command on the device before
considering the operation failed. Default is 2.</para>
</listitem>
<listitem>
<para>Capacity: The number of networks the device can handle.</para>
</listitem>
<listitem>
<para>Dedicated: When marked as dedicated, this device will be dedicated to a single
account. When Dedicated is checked, the value in the Capacity field has no significance
implicitly, its value is 1.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>Click OK.</para>
</listitem>
</orderedlist>
<para>The installation and provisioning of the external load balancer is finished. You can proceed
to add VMs and NAT or load balancing rules.</para>
</section>
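Review bot: the first field is a copy-and-paste from the SRX section: "IP Address: The IP address of the SRX." should be the IP address of the load balancer. The list is introduced with "For NetScaler:" but its Type field enumerates "F5 Big Ip Load Balancer, NetScaler VPX, NetScaler MPX, or NetScaler SDX", so either drop the "For NetScaler:" line or split the list per device. Minor: "Number of retries." should use a colon, and "the value in the Capacity field has no significance implicitly, its value is 1" should read "the Capacity field is ignored and is implicitly 1", as in the SRX section.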

View File

@ -0,0 +1,37 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="generic-firewall-provisions">
<title>Generic Firewall Provisions</title>
<para>The hardware firewall is required to serve two purposes:</para>
<itemizedlist>
<listitem>
<para>Protect the Management Servers. NAT and port forwarding should be configured to direct
traffic from the public Internet to the Management Servers.</para>
</listitem>
<listitem>
<para>Route management network traffic between multiple zones. Site-to-site VPN should be
configured between multiple zones.</para>
</listitem>
</itemizedlist>
<para>To achieve the above purposes you must set up fixed configurations for the firewall.
Firewall rules and policies need not change as users are provisioned into the cloud. Any brand
of hardware firewall that supports NAT and site-to-site VPN can be used.</para>
</section>
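Review bot: the first purpose reads as contradictory: "Protect the Management Servers" is followed by "NAT and port forwarding should be configured to direct traffic from the public Internet to the Management Servers" with no indication that only the specific ports the Management Server must expose are meant. Say which services are to be forwarded and that everything else is to be denied, otherwise the sentence can be read as exposing the management hosts wholesale. The same applies to "Site-to-site VPN should be configured between multiple zones": it should say this is how management traffic between zones is carried, rather than over the public Internet.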

View File

@ -0,0 +1,73 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="guest-nw-usage-with-traffic-sentinel">
<title>Guest Network Usage Integration for Traffic Sentinel</title>
<para>To collect usage data for a guest network, &PRODUCT; needs to pull the data from an external
network statistics collector installed on the network. Metering statistics for guest networks
are available through &PRODUCT;s integration with inMon Traffic Sentinel.</para>
<para>Traffic Sentinel is a network traffic usage data collection package. &PRODUCT; can feed
statistics from Traffic Sentinel into its own usage records, providing a basis for billing users
of cloud infrastructure. Traffic Sentinel uses the traffic monitoring protocol sFlow. Routers
and switches generate sFlow records and provide them for collection by Traffic Sentinel, then
&PRODUCT; queries the Traffic Sentinel database to obtain this information</para>
<para>To construct the query, &PRODUCT; determines what guest IPs were in use during the current
query interval. This includes both newly assigned IPs and IPs that were assigned in a previous
time period and continued to be in use. &PRODUCT; queries Traffic Sentinel for network
statistics that apply to these IPs during the time period they remained allocated in &PRODUCT;.
The returned data is correlated with the customer account that owned each IP and the timestamps
when IPs were assigned and released in order to create billable metering records in &PRODUCT;.
When the Usage Server runs, it collects this data.</para>
<para>To set up the integration between &PRODUCT; and Traffic Sentinel:</para>
<orderedlist>
<listitem>
<para>On your network infrastructure, install Traffic Sentinel and configure it to gather
traffic data. For installation and configuration steps, see inMon documentation at <ulink
url="http://inmon.com.">Traffic Sentinel Documentation</ulink>.</para>
</listitem>
<listitem>
<para>In the Traffic Sentinel UI, configure Traffic Sentinel to accept script querying from
guest users. &PRODUCT; will be the guest user performing the remote queries to gather
network usage for one or more IP addresses.</para>
<para>Click File > Users > Access Control > Reports Query, then select Guest from the
drop-down list.</para>
</listitem>
<listitem>
<para>On &PRODUCT;, add the Traffic Sentinel host by calling the &PRODUCT; API command
addTrafficMonitor. Pass in the URL of the Traffic Sentinel as protocol + host + port
(optional); for example, http://10.147.28.100:8080. For the addTrafficMonitor command
syntax, see the API Reference at <ulink
url="http://incubator.apache.org/cloudstack/docs/api/index.html">API
Documentation</ulink>.</para>
<para>For information about how to call the &PRODUCT; API, see the Developers Guide at
<ulink
url="http://incubator.apache.org/cloudstack/docs/en-US/Apache_CloudStack/4.0.0-incubating/html/API_Developers_Guide/index.html"
>CloudStack API Developer's Guide</ulink>.</para>
</listitem>
<listitem>
<para>Log in to the &PRODUCT; UI as administrator.</para>
</listitem>
<listitem>
<para>Select Configuration from the Global Settings page, and set the following:</para>
<para>direct.network.stats.interval: How often you want &PRODUCT; to query Traffic
Sentinel.</para>
</listitem>
</orderedlist>
</section>
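Review bot: the `<ulink>` in the first list item has a trailing period inside the url attribute (`url="http://inmon.com."`), which produces a dead link; drop the period so it reads `http://inmon.com`. Two smaller fixes in the same file: the second paragraph ends without a full stop (`to obtain this information</para>`), and `&PRODUCT;s integration` needs an apostrophe (`&PRODUCT;'s`). Since step 2 opens Traffic Sentinel's Reports Query to the Guest role for remote script queries and step 3 passes a plain `http://` URL for the monitor host, a sentence stating that the Traffic Sentinel host should be reachable only from the management network, not from guest or public networks, would help readers deploy it safely.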

View File

@ -0,0 +1,29 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="hardware-config-eg">
<title>Example Hardware Configuration</title>
<para>This section contains an example configuration of specific switch models for zone-level
layer-3 switching. It assumes VLAN management protocols, such as VTP or GVRP, have been
disabled. The example scripts must be changed appropriately if you choose to use VTP or
GVRP.</para>
<xi:include href="dell62xx-hardware.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="cisco3750-hardware.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
</section>

View File

@ -0,0 +1,29 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="hardware-firewall">
<title>Hardware Firewall</title>
<para>All deployments should have a firewall protecting the management server; see Generic
Firewall Provisions. Optionally, some deployments may also have a Juniper SRX firewall that will
be the default gateway for the guest networks; see <xref linkend="external-guest-firewall-integration"/>.</para>
<xi:include href="generic-firewall-provisions.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="external-guest-firewall-integration.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="external-guest-lb-integration.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
</section>
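Review bot: `see Generic Firewall Provisions` in the first paragraph is a plain-text cross-reference, while the Juniper SRX reference in the same sentence uses `<xref linkend="external-guest-firewall-integration"/>`; make the first one an `<xref>` as well (presumably `<xref linkend="generic-firewall-provisions"/>`, matching the included file name) so it resolves and renders consistently.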

Binary file not shown.


View File

@ -0,0 +1,24 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="kvm-topology-req">
<title>KVM Topology Requirements</title>
<para>The Management Servers communicate with KVM hosts on port 22 (ssh).</para>
</section>

View File

@ -0,0 +1,41 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="layer2-switch">
<title>Layer-2 Switch</title>
<para>The layer-2 switch is the access switching layer inside the pod.</para>
<itemizedlist>
<listitem>
<para>It should trunk all VLANs into every computing host.</para>
</listitem>
<listitem>
<para>It should switch traffic for the management network containing computing and storage
hosts. The layer-3 switch will serve as the gateway for the management network.</para>
</listitem>
</itemizedlist>
<formalpara>
<title>Example Configurations</title>
<para>This section contains example configurations for specific switch models for pod-level
layer-2 switching. It assumes VLAN management protocols such as VTP or GVRP have been
disabled. The scripts must be changed appropriately if you choose to use VTP or GVRP.</para>
</formalpara>
<xi:include href="dell62xx-layer2.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="cisco3750-layer2.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
</section>

View File

@ -0,0 +1,61 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="management-server-lb">
<title>Setting Zone VLAN and Running VM Maximums</title>
<para>CloudPlatform can use a load balancer to provide a virtual IP for multiple Management
Servers. The administrator is responsible for creating the load balancer rules for the
Management Servers. The application requires persistence or stickiness across multiple sessions.
The following chart lists the ports that should be load balanced and whether or not persistence
is required.</para>
<para>Even if persistence is not required, enabling it is permitted.</para>
<informaltable>
<tgroup cols="4" align="left" colsep="1" rowsep="1">
<thead>
<row>
<entry><para>Source Port</para></entry>
<entry><para>Destination Port</para></entry>
<entry><para>Protocol</para></entry>
<entry><para>Persistence Required?</para></entry>
</row>
</thead>
<tbody>
<row>
<entry><para>80 or 443</para></entry>
<entry><para>8080 (or 20400 with AJP)</para></entry>
<entry><para>HTTP (or AJP)</para></entry>
<entry><para>Yes</para></entry>
</row>
<row>
<entry><para>8250</para></entry>
<entry><para>8250</para></entry>
<entry><para>TCP</para></entry>
<entry><para>Yes</para></entry>
</row>
<row>
<entry><para>8096</para></entry>
<entry><para>8096</para></entry>
<entry><para>HTTP</para></entry>
<entry><para>No</para></entry>
</row>
</tbody>
</tgroup>
</informaltable>
</section>
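Review bot: the `<title>` of this section reads `Setting Zone VLAN and Running VM Maximums`, which is the title of set-zone-vlan-run-vm-max.xml in this same commit, not a description of this content; it should be something like `Management Server Load Balancing` to match `id="management-server-lb"`. The first paragraph also says `CloudPlatform` where every other file in this commit uses the `&PRODUCT;` entity. One sentence worth adding: port 8096 and 8250 appear in the table, and security-req.xml in the same commit says those ports must not be reachable from the public Internet, so the text should make clear that the load-balanced VIP for those rows is internal-only and that only the `80 or 443` row is a public-facing rule.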

View File

@ -0,0 +1,35 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<chapter id="network-setup">
<title>Network Setup</title>
<para>Achieving the correct networking setup is crucial to a successful &PRODUCT;
installation. This section contains information to help you make decisions and follow the right
procedures to get your network set up correctly.</para>
<xi:include href="basic-adv-networking.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="vlan-allocation-eg.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="hardware-config-eg.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="layer2-switch.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="hardware-firewall.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="management-server-lb.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="topology-req.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="guest-network-usage-integration.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="set-zone-vlan-run-vm-max.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
</chapter>

View File

@ -0,0 +1,39 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="runtime-internal-comm-req">
<title>Runtime Internal Communications Requirements</title>
<itemizedlist>
<listitem>
<para>The Management Servers communicate with each other to coordinate tasks. This
communication uses TCP on ports 8250 and 9090.</para>
</listitem>
<listitem>
<para>The console proxy VMs connect to all hosts in the zone over the management traffic
network. Therefore the management traffic network of any given pod in the zone must have
connectivity to the management traffic network of all other pods in the zone.</para>
</listitem>
<listitem>
<para>The secondary storage VMs and console proxy VMs connect to the Management Server on
port 8250. If you are using multiple Management Servers, the load balanced IP address of the
Management Servers on port 8250 must be reachable.</para>
</listitem>
</itemizedlist>
</section>

View File

@ -0,0 +1,24 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="security-req">
<title>Security Requirements</title>
<para>The public Internet must not be able to access port 8096 or port 8250 on the Management Server.</para>
</section>
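Review bot: this single sentence lists ports 8096 and 8250, but runtime-internal-comm-req.xml in the same commit says the Management Servers also communicate with each other on TCP 9090; state whether 9090 is likewise to be blocked from the public Internet, or cross-reference the generic firewall provisions, so the reader is not left guessing. An `<xref linkend="management-server-lb"/>` would also help, since the load balancer table covers the same ports.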

View File

@ -0,0 +1,65 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="set-zone-vlan-run-vm-max">
<title>Setting Zone VLAN and Running VM Maximums</title>
<para>In the external networking case, every VM in a zone must have a unique guest IP address.
There are two variables that you need to consider in determining how to configure &PRODUCT;
to support this: how many Zone VLANs do you expect to have and how many VMs do you expect to
have running in the Zone at any one time.</para>
<para>Use the following table to determine how to configure &PRODUCT; for your
deployment.</para>
<informaltable>
<tgroup cols="3" align="left" colsep="1" rowsep="1">
<thead>
<row>
<entry><para>guest.vlan.bits</para></entry>
<entry><para>Maximum Running VMs per Zone</para></entry>
<entry><para>Maximum Zone VLANs</para></entry>
</row>
</thead>
<tbody>
<row>
<entry><para>12</para></entry>
<entry><para>4096</para></entry>
<entry><para>4094</para></entry>
</row>
<row>
<entry><para>11</para></entry>
<entry><para>8192</para></entry>
<entry><para>2048</para></entry>
</row>
<row>
<entry><para>10</para></entry>
<entry><para>16384</para></entry>
<entry><para>1024</para></entry>
</row>
<row>
<entry><para>10</para></entry>
<entry><para>32768</para></entry>
<entry><para>512</para></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>Based on your deployment's needs, choose the appropriate value of guest.vlan.bits. Set it as
described in Edit the Global Configuration Settings (Optional) section and restart the
Management Server.</para>
</section>
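Review bot: the fourth table row repeats `guest.vlan.bits` = 10 (rows three and four both read 10) while the VM and VLAN columns halve and double exactly as they do between the other rows; the fourth row should read 9 (32768 running VMs, 512 zone VLANs). The closing paragraph's `Edit the Global Configuration Settings (Optional) section` is a plain-text reference where an `<xref>` would resolve, and the first paragraph's `There are two variables that you need to consider in determining how to configure` could be tightened to `Two variables determine how to configure`.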

View File

@ -0,0 +1,28 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="storage-nw-topology-req">
<title>Storage Network Topology Requirements</title>
<para>The secondary storage NFS export is mounted by the secondary storage VM. Secondary storage
traffic goes over the management traffic network, even if there is a separate storage network.
Primary storage traffic goes over the storage network, if available. If you choose to place
secondary storage NFS servers on the storage network, you must make sure there is a route from
the management traffic network to the storage network.</para>
</section>

View File

@ -0,0 +1,31 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="topology-req">
<title>Topology Requirements</title>
<xi:include href="security-req.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="runtime-internal-comm-req.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="storage-nw-topology-req.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="external-fw-topology-req.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="adv-zone-topology-req.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="xenserver-topology-req.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="vmware-topology-req.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="kvm-topology-req.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
</section>

View File

@ -0,0 +1,71 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="vlan-allocation-eg">
<title>VLAN Allocation Example</title>
<para>VLANs are required for public and guest traffic. The following is an example of a VLAN
allocation scheme:</para>
<informaltable>
<tgroup cols="3" align="left" colsep="1" rowsep="1">
<thead>
<row>
<entry><para>VLAN IDs</para></entry>
<entry><para>Traffic type</para></entry>
<entry><para>Scope</para></entry>
</row>
</thead>
<tbody>
<row>
<entry><para>less than 500</para></entry>
<entry><para>Management traffic. Reserved for administrative purposes.</para></entry>
<entry><para>&PRODUCT; software can access this, hypervisors, system VMs.</para></entry>
</row>
<row>
<entry><para>500-599</para></entry>
<entry><para>VLAN carrying public traffic.</para></entry>
<entry><para>&PRODUCT; accounts.</para></entry>
</row>
<row>
<entry><para>600-799</para></entry>
<entry><para>VLANs carrying guest traffic.</para></entry>
<entry><para>&PRODUCT; accounts. Account-specific VLAN is chosen from this
pool.</para></entry>
</row>
<row>
<entry><para>800-899</para></entry>
<entry><para>VLANs carrying guest traffic.</para></entry>
<entry><para>&PRODUCT; accounts. Account-specific VLAN chosen by &PRODUCT; admin to assign
to that account.</para></entry>
</row>
<row>
<entry><para>900-999</para></entry>
<entry><para>VLAN carrying guest traffic</para></entry>
<entry><para>&PRODUCT; accounts. Can be scoped by project, domain, or all
accounts.</para></entry>
</row>
<row>
<entry><para>greater than 1000</para></entry>
<entry><para>Reserved for future use</para></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
</section>
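Review bot: the ranges in the VLAN IDs column leave VLAN 1000 unassigned: the last guest pool is `900-999` and the reserved row starts at `greater than 1000`; change the last row to `1000 and above`. The Scope cell for management traffic, `&PRODUCT; software can access this, hypervisors, system VMs.`, is a sentence fragment; something like `&PRODUCT; Management Server, hypervisors, and system VMs.` reads better. The Traffic type column also mixes `VLAN carrying guest traffic` with and without a terminating period.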

View File

@ -0,0 +1,38 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="vmware-topology-req">
<title>VMware Topology Requirements</title>
<itemizedlist>
<listitem>
<para>The Management Server and secondary storage VMs must be able to access vCenter and all
ESXi hosts in the zone. To allow the necessary access through the firewall, keep port 443
open.</para>
</listitem>
<listitem>
<para>The Management Servers communicate with VMware vCenter servers on port 443
(HTTPs).</para>
</listitem>
<listitem>
<para>The Management Servers communicate with the System VMs on port 3922 (ssh) on the
management traffic network.</para>
</listitem>
</itemizedlist>
</section>
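Review bot: `(HTTPs)` in the second list item should be `(HTTPS)`, and the same spelling appears in xenserver-topology-req.xml below. The first two items also overlap: the first already says the Management Server must reach vCenter and all ESXi hosts on port 443, so the second either adds nothing or should say what it adds (vCenter only, or the Management Server as distinct from the secondary storage VMs).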

View File

@ -0,0 +1,24 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="xenserver-topology-req">
<title>XenServer Topology Requirements</title>
<para>The Management Servers communicate with XenServer hosts on ports 22 (ssh), 80 (HTTP), and 443 (HTTPs).</para>
</section>