diff --git a/docs/en-US/Installation_Guide.xml b/docs/en-US/Installation_Guide.xml
index a40ceed0856..90f8748046d 100644
--- a/docs/en-US/Installation_Guide.xml
+++ b/docs/en-US/Installation_Guide.xml
@@ -54,6 +54,7 @@
+
diff --git a/docs/en-US/adv-zone-topology-req.xml b/docs/en-US/adv-zone-topology-req.xml
new file mode 100644
index 00000000000..3764e926ebe
--- /dev/null
+++ b/docs/en-US/adv-zone-topology-req.xml
@@ -0,0 +1,25 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ Advanced Zone Topology Requirements
+ With Advanced Networking, separate subnets must be used for private and public
+ networks.
+
diff --git a/docs/en-US/basic-adv-networking.xml b/docs/en-US/basic-adv-networking.xml
new file mode 100644
index 00000000000..46f0650e69f
--- /dev/null
+++ b/docs/en-US/basic-adv-networking.xml
@@ -0,0 +1,113 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ Basic and Advanced Networking
+ &PRODUCT; provides two styles of networking:.
+
+ Basic
+ For AWS-style networking. Provides a single network where guest isolation can be provided
+ through layer-3 means such as security groups (IP address source filtering).
+
+
+ Advanced
+ For more sophisticated network topologies. This network model provides the most
+ flexibility in defining guest networks, but requires more configuration steps than basic
+ networking.
+
+ Each zone has either basic or advanced networking. Once the choice of networking model for a
+ zone has been made and configured in &PRODUCT;, it can not be changed. A zone is either
+ basic or advanced for its entire lifetime.
+ The following table compares the networking features in the two networking models.
+
+
+
+
+ Networking Feature
+ Basic Network
+ Advanced Network
+
+
+
+
+ Number of networks
+ Single network
+ Multiple networks
+
+
+ Firewall type
+ Physical
+ Physical and Virtual
+
+
+ Load balancer
+ Physical
+ Physical and Virtual
+
+
+ Isolation type
+ Layer 3
+ Layer 2 and Layer 3
+
+
+ VPN support
+ No
+ Yes
+
+
+ Port forwarding
+ Physical
+ Physical and Virtual
+
+
+ 1:1 NAT
+ Physical
+ Physical and Virtual
+
+
+ Source NAT
+ No
+ Physical and Virtual
+
+
+ Userdata
+ Yes
+ Yes
+
+
+ Network usage monitoring
+ sFlow / netFlow at physical router
+ Hypervisor and Virtual Router
+
+
+ DNS and DHCP
+ Yes
+ Yes
+
+
+
+
+ The two types of networking may be in use in the same cloud. However, a given zone must use
+ either Basic Networking or Advanced Networking.
+ Different types of network traffic can be segmented on the same physical network. Guest
+ traffic can also be segmented by account. To isolate traffic, you can use separate VLANs. If you
+ are using separate VLANs on a single physical network, make sure the VLAN tags are in separate
+ numerical ranges.
+
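Review bot: the intro line "&PRODUCT; provides two styles of networking:." has a stray full stop after the colon, and "it can not be changed" should read "it cannot be changed". The closing paragraph ("The two types of networking may be in use in the same cloud. However, a given zone must use either Basic Networking or Advanced Networking.") repeats the statement made just before the table ("Each zone has either basic or advanced networking ... A zone is either basic or advanced for its entire lifetime"); one of the two could be dropped.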
diff --git a/docs/en-US/cisco3750-hardware.xml b/docs/en-US/cisco3750-hardware.xml
new file mode 100644
index 00000000000..b5266105074
--- /dev/null
+++ b/docs/en-US/cisco3750-hardware.xml
@@ -0,0 +1,52 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ Cisco 3750
+ The following steps show how a Cisco 3750 is configured for zone-level layer-3 switching.
+ These steps assume VLAN 201 is used to route untagged private IPs for pod 1, and pod 1’s layer-2
+ switch is connected to GigabitEthernet1/0/1.
+
+
+ Setting VTP mode to transparent allows us to utilize VLAN IDs above 1000. Since we only
+ use VLANs up to 999, vtp transparent mode is not strictly required.
+ vtp mode transparent
+vlan 200-999
+exit
+
+
+ Configure GigabitEthernet1/0/1.
+ interface GigabitEthernet1/0/1
+switchport trunk encapsulation dot1q
+switchport mode trunk
+switchport trunk native vlan 201
+exit
+
+
+ The statements configure GigabitEthernet1/0/1 as follows:
+
+
+ VLAN 201 is the native untagged VLAN for port GigabitEthernet1/0/1.
+
+
+ Cisco passes all VLANs by default. As a result, all VLANs (300-999) are passed to all the pod-level layer-2 switches.
+
+
+
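Review bot: the VLAN ranges in this section do not line up: the VTP note talks about "VLAN IDs above 1000", the command creates `vlan 200-999`, and the closing bullet says "all VLANs (300-999) are passed", so VLANs 200-299 other than 201 are created but never explained. Either narrow the `vlan` statement to the ranges actually used (201 and 300-999) or say what 200-299 is reserved for. Since the text itself points out that "Cisco passes all VLANs by default", it would also be worth noting that the trunk can be restricted to the VLANs in use (for example with a `switchport trunk allowed vlan` list) so that pod switches do not see VLANs that do not belong to them.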
diff --git a/docs/en-US/cisco3750-layer2.xml b/docs/en-US/cisco3750-layer2.xml
new file mode 100644
index 00000000000..e4fe1422056
--- /dev/null
+++ b/docs/en-US/cisco3750-layer2.xml
@@ -0,0 +1,45 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ Cisco 3750
+ The following steps show how a Cisco 3750 is configured for pod-level layer-2
+ switching.
+
+
+ Setting VTP mode to transparent allows us to utilize VLAN IDs above 1000. Since we only
+ use VLANs up to 999, vtp transparent mode is not strictly required.
+ vtp mode transparent
+vlan 300-999
+exit
+
+
+ Configure all ports to dot1q and set 201 as the native VLAN.
+ interface range GigabitEthernet 1/0/1-24
+switchport trunk encapsulation dot1q
+switchport mode trunk
+switchport trunk native vlan 201
+exit
+
+
+ By default, Cisco passes all VLANs. Cisco switches complain of the native VLAN IDs are
+ different when 2 ports are connected together. That’s why you must specify VLAN 201 as the
+ native VLAN on the layer-2 switch.
+
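Review bot: "Cisco switches complain of the native VLAN IDs are different when 2 ports are connected together" should read "complain if the native VLAN IDs are different when two ports are connected together". As in the layer-3 example, the VTP note mentions "VLAN IDs above 1000" while the configuration only creates `vlan 300-999`; the sentence already concedes transparent mode is "not strictly required", so the first sentence could be dropped or reworded to avoid the contradiction.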
diff --git a/docs/en-US/dell62xx-hardware.xml b/docs/en-US/dell62xx-hardware.xml
new file mode 100644
index 00000000000..8bc7770ce86
--- /dev/null
+++ b/docs/en-US/dell62xx-hardware.xml
@@ -0,0 +1,53 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ Dell 62xx
+ The following steps show how a Dell 62xx is configured for zone-level layer-3 switching.
+ These steps assume VLAN 201 is used to route untagged private IPs for pod 1, and pod 1’s layer-2
+ switch is connected to Ethernet port 1/g1.
+ The Dell 62xx Series switch supports up to 1024 VLANs.
+
+
+ Configure all the VLANs in the database.
+ vlan database
+vlan 200-999
+exit
+
+
+ Configure Ethernet port 1/g1.
+ interface ethernet 1/g1
+switchport mode general
+switchport general pvid 201
+switchport general allowed vlan add 201 untagged
+switchport general allowed vlan add 300-999 tagged
+exit
+
+
+ The statements configure Ethernet port 1/g1 as follows:
+
+
+ VLAN 201 is the native untagged VLAN for port 1/g1.
+
+
+ All VLANs (300-999) are passed to all the pod-level layer-2 switches.
+
+
+
diff --git a/docs/en-US/dell62xx-layer2.xml b/docs/en-US/dell62xx-layer2.xml
new file mode 100644
index 00000000000..1c0eea07203
--- /dev/null
+++ b/docs/en-US/dell62xx-layer2.xml
@@ -0,0 +1,49 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ Dell 62xx
+ The following steps show how a Dell 62xx is configured for pod-level layer-2
+ switching.
+
+
+ Configure all the VLANs in the database.
+ vlan database
+vlan 300-999
+exit
+
+
+ VLAN 201 is used to route untagged private IP addresses for pod 1, and pod 1 is connected to this layer-2 switch.
+ interface range ethernet all
+switchport mode general
+switchport general allowed vlan add 300-999 tagged
+exit
+
+
+ The statements configure all Ethernet ports to function as follows:
+
+
+ All ports are configured the same way.
+
+
+ All VLANs (300-999) are passed through all the ports of the layer-2 switch.
+
+
+
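Review bot: the step text says "VLAN 201 is used to route untagged private IP addresses for pod 1", but the commands that follow never put VLAN 201 on the ports. The Cisco layer-2 counterpart sets `switchport trunk native vlan 201`, and the Dell layer-3 example uses `switchport general pvid 201` and `switchport general allowed vlan add 201 untagged`; either add the equivalent lines to the `interface range ethernet all` block or reword the step so it does not promise that 201 is handled. The bullet "All ports are configured the same way." also restates the lead-in sentence and adds nothing.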
diff --git a/docs/en-US/external-fw-topology-req.xml b/docs/en-US/external-fw-topology-req.xml
new file mode 100644
index 00000000000..ab81496a30a
--- /dev/null
+++ b/docs/en-US/external-fw-topology-req.xml
@@ -0,0 +1,25 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ External Firewall Topology Requirements
+ When external firewall integration is in place, the public IP VLAN must still be trunked to
+ the Hosts. This is required to support the Secondary Storage VM and Console Proxy VM.
+
diff --git a/docs/en-US/external-guest-firewall-integration.xml b/docs/en-US/external-guest-firewall-integration.xml
new file mode 100644
index 00000000000..0b34dca1065
--- /dev/null
+++ b/docs/en-US/external-guest-firewall-integration.xml
@@ -0,0 +1,201 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ External Guest Firewall Integration for Juniper SRX (Optional)
+
+ Available only for guests using advanced networking.
+
+ &PRODUCT; provides for direct management of the Juniper SRX series of firewalls. This
+ enables &PRODUCT; to establish static NAT mappings from public IPs to guest VMs, and to use
+ the Juniper device in place of the virtual router for firewall services. You can have one or
+ more Juniper SRX per zone. This feature is optional. If Juniper integration is not provisioned,
+ &PRODUCT; will use the virtual router for these services.
+ The Juniper SRX can optionally be used in conjunction with an external load balancer.
+ External Network elements can be deployed in a side-by-side or inline configuration.
+
+
+
+
+
+ parallel-mode.png: adding a firewall and load balancer in parallel mode.
+
+
+ &PRODUCT; requires the Juniper to be configured as follows:
+
+ Supported SRX software version is 10.3 or higher.
+
+
+
+ Install your SRX appliance according to the vendor's instructions.
+
+
+ Connect one interface to the management network and one interface to the public network.
+ Alternatively, you can connect the same interface to both networks and a use a VLAN for the
+ public network.
+
+
+ Make sure "vlan-tagging" is enabled on the private interface.
+
+
+ Record the public and private interface names. If you used a VLAN for the public
+ interface, add a ".[VLAN TAG]" after the interface name. For example, if you are using
+ ge-0/0/3 for your public interface and VLAN tag 301, your public interface name would be
+ "ge-0/0/3.301". Your private interface name should always be untagged because the
+ &PRODUCT; software automatically creates tagged logical interfaces.
+
+
+ Create a public security zone and a private security zone. By default, these will
+ already exist and will be called "untrust" and "trust". Add the public interface to the
+ public zone and the private interface to the private zone. Note down the security zone
+ names.
+
+
+ Make sure there is a security policy from the private zone to the public zone that
+ allows all traffic.
+
+
+ Note the username and password of the account you want the &PRODUCT; software to log
+ in to when it is programming rules.
+
+
+ Make sure the "ssh" and "xnm-clear-text" system services are enabled.
+
+
+ If traffic metering is desired:
+
+
+ a. Create an incoming firewall filter and an outgoing firewall filter. These filters
+ should be the same names as your public security zone name and private security zone
+ name respectively. The filters should be set to be "interface-specific". For example,
+ here is the configuration where the public zone is "untrust" and the private zone is
+ "trust":
+ root@cloud-srx# show firewall
+filter trust {
+ interface-specific;
+}
+filter untrust {
+ interface-specific;
+}
+
+
+ Add the firewall filters to your public interface. For example, a sample
+ configuration output (for public interface ge-0/0/3.0, public security zone untrust, and
+ private security zone trust) is:
+ ge-0/0/3 {
+ unit 0 {
+ family inet {
+ filter {
+ input untrust;
+ output trust;
+ }
+ address 172.25.0.252/16;
+ }
+ }
+}
+
+
+
+
+ Make sure all VLANs are brought to the private interface of the SRX.
+
+
+ After the &PRODUCT; Management Server is installed, log in to the &PRODUCT; UI as
+ administrator.
+
+
+ In the left navigation bar, click Infrastructure.
+
+
+ In Zones, click View More.
+
+
+ Choose the zone you want to work with.
+
+
+ Click the Network tab.
+
+
+ In the Network Service Providers node of the diagram, click Configure. (You might have
+ to scroll down to see this.)
+
+
+ Click SRX.
+
+
+ Click the Add New SRX button (+) and provide the following:
+
+
+ IP Address: The IP address of the SRX.
+
+
+ Username: The user name of the account on the SRX that &PRODUCT; should use.
+
+
+ Password: The password of the account.
+
+
+ Public Interface. The name of the public interface on the SRX. For example,
+ ge-0/0/2. A ".x" at the end of the interface indicates the VLAN that is in use.
+
+
+ Private Interface: The name of the private interface on the SRX. For example,
+ ge-0/0/1.
+
+
+ Usage Interface: (Optional) Typically, the public interface is used to meter
+ traffic. If you want to use a different interface, specify its name here
+
+
+ Number of Retries: The number of times to attempt a command on the SRX before
+ failing. The default value is 2.
+
+
+ Timeout (seconds): The time to wait for a command on the SRX before considering it
+ failed. Default is 300 seconds.
+
+
+ Public Network: The name of the public network on the SRX. For example,
+ trust.
+
+
+ Private Network: The name of the private network on the SRX. For example,
+ untrust.
+
+
+ Capacity: The number of networks the device can handle
+
+
+ Dedicated: When marked as dedicated, this device will be dedicated to a single
+ account. When Dedicated is checked, the value in the Capacity field has no significance
+ implicitly, its value is 1
+
+
+
+
+ Click OK.
+
+
+ Click Global Settings. Set the parameter external.network.stats.interval to indicate how
+ often you want &PRODUCT; to fetch network usage statistics from the Juniper SRX. If you
+ are not using the SRX to gather network usage statistics, set to 0.
+
+
+
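Review bot: the examples for the Public Network and Private Network fields in the Add New SRX list are swapped. The setup step earlier in the section says the public zone is "untrust" and the private zone is "trust", and the sample filter configuration (`input untrust;` / `output trust;`) follows that, yet the field list says "Public Network ... For example, trust." and "Private Network ... For example, untrust."; exchange the two examples. Smaller points: the first traffic-metering sub-step carries a hard-coded "a." while the second has no "b."; the Usage Interface, Capacity and Dedicated items lack terminal punctuation, and "has no significance implicitly, its value is 1" needs a semicolon or full stop after "significance". Finally, since the procedure requires the "xnm-clear-text" system service, the section should state that the SRX credentials recorded earlier and the rule-programming traffic cross the management network unencrypted, so that network has to be kept separate from guest and public traffic (the "Make sure all VLANs are brought to the private interface of the SRX" step is a natural place for that note).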
diff --git a/docs/en-US/external-guest-lb-integration.xml b/docs/en-US/external-guest-lb-integration.xml
new file mode 100644
index 00000000000..5760f9559e6
--- /dev/null
+++ b/docs/en-US/external-guest-lb-integration.xml
@@ -0,0 +1,109 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ External Guest Load Balancer Integration (Optional)
+ &PRODUCT; can optionally use a Citrix NetScaler or BigIP F5 load balancer to provide load
+ balancing services to guests. If this is not enabled, &PRODUCT; will use the software load
+ balancer in the virtual router.
+ To install and enable an external load balancer for &PRODUCT; management:
+
+
+ Set up the appliance according to the vendor's directions.
+
+
+ Connect it to the networks carrying public traffic and management traffic (these could
+ be the same network).
+
+
+ Record the IP address, username, password, public interface name, and private interface
+ name. The interface names will be something like "1.1" or "1.2".
+
+
+ Make sure that the VLANs are trunked to the management network interface.
+
+
+ After the &PRODUCT; Management Server is installed, log in as administrator to the
+ &PRODUCT; UI.
+
+
+ In the left navigation bar, click Infrastructure.
+
+
+ In Zones, click View More.
+
+
+ Choose the zone you want to work with.
+
+
+ Click the Network tab.
+
+
+ In the Network Service Providers node of the diagram, click Configure. (You might have
+ to scroll down to see this.)
+
+
+ Click NetScaler or F5.
+
+
+ Click the Add button (+) and provide the following:
+ For NetScaler:
+
+
+ IP Address: The IP address of the SRX.
+
+
+ Username/Password: The authentication credentials to access the device. &PRODUCT;
+ uses these credentials to access the device.
+
+
+ Type: The type of device that is being added. It could be F5 Big Ip Load Balancer,
+ NetScaler VPX, NetScaler MPX, or NetScaler SDX. For a comparison of the NetScaler types,
+ see the &PRODUCT; Administration Guide.
+
+
+ Public interface: Interface of device that is configured to be part of the public
+ network.
+
+
+ Private interface: Interface of device that is configured to be part of the private
+ network.
+
+
+ Number of retries. Number of times to attempt a command on the device before
+ considering the operation failed. Default is 2.
+
+
+ Capacity: The number of networks the device can handle.
+
+
+ Dedicated: When marked as dedicated, this device will be dedicated to a single
+ account. When Dedicated is checked, the value in the Capacity field has no significance
+ implicitly, its value is 1.
+
+
+
+
+ Click OK.
+
+
+ The installation and provisioning of the external load balancer is finished. You can proceed
+ to add VMs and NAT or load balancing rules.
+
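Review bot: "IP Address: The IP address of the SRX." is a copy-paste from the SRX section; this field list is for the load balancer and should say the address of the NetScaler or F5. The sub-heading "For NetScaler:" is also misleading, since the preceding step says "Click NetScaler or F5" and the Type field itself lists "F5 Big Ip Load Balancer" alongside the NetScaler models; either drop the sub-heading or add the F5-specific list it implies. "Number of retries." should end with a colon like the other field names.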
diff --git a/docs/en-US/generic-firewall-provisions.xml b/docs/en-US/generic-firewall-provisions.xml
new file mode 100644
index 00000000000..53ae45a09e0
--- /dev/null
+++ b/docs/en-US/generic-firewall-provisions.xml
@@ -0,0 +1,37 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ Generic Firewall Provisions
+ The hardware firewall is required to serve two purposes:
+
+
+ Protect the Management Servers. NAT and port forwarding should be configured to direct
+ traffic from the public Internet to the Management Servers.
+
+
+ Route management network traffic between multiple zones. Site-to-site VPN should be
+ configured between multiple zones.
+
+
+ To achieve the above purposes you must set up fixed configurations for the firewall.
+ Firewall rules and policies need not change as users are provisioned into the cloud. Any brand
+ of hardware firewall that supports NAT and site-to-site VPN can be used.
+
diff --git a/docs/en-US/guest-nw-usage-with-traffic-sentinel.xml b/docs/en-US/guest-nw-usage-with-traffic-sentinel.xml
new file mode 100644
index 00000000000..eb42d641c4b
--- /dev/null
+++ b/docs/en-US/guest-nw-usage-with-traffic-sentinel.xml
@@ -0,0 +1,73 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ Guest Network Usage Integration for Traffic Sentinel
+ To collect usage data for a guest network, &PRODUCT; needs to pull the data from an external
+ network statistics collector installed on the network. Metering statistics for guest networks
+ are available through &PRODUCT;’s integration with inMon Traffic Sentinel.
+ Traffic Sentinel is a network traffic usage data collection package. &PRODUCT; can feed
+ statistics from Traffic Sentinel into its own usage records, providing a basis for billing users
+ of cloud infrastructure. Traffic Sentinel uses the traffic monitoring protocol sFlow. Routers
+ and switches generate sFlow records and provide them for collection by Traffic Sentinel, then
+ &PRODUCT; queries the Traffic Sentinel database to obtain this information
+ To construct the query, &PRODUCT; determines what guest IPs were in use during the current
+ query interval. This includes both newly assigned IPs and IPs that were assigned in a previous
+ time period and continued to be in use. &PRODUCT; queries Traffic Sentinel for network
+ statistics that apply to these IPs during the time period they remained allocated in &PRODUCT;.
+ The returned data is correlated with the customer account that owned each IP and the timestamps
+ when IPs were assigned and released in order to create billable metering records in &PRODUCT;.
+ When the Usage Server runs, it collects this data.
+ To set up the integration between &PRODUCT; and Traffic Sentinel:
+
+
+ On your network infrastructure, install Traffic Sentinel and configure it to gather
+ traffic data. For installation and configuration steps, see inMon documentation at Traffic Sentinel Documentation.
+
+
+ In the Traffic Sentinel UI, configure Traffic Sentinel to accept script querying from
+ guest users. &PRODUCT; will be the guest user performing the remote queries to gather
+ network usage for one or more IP addresses.
+ Click File > Users > Access Control > Reports Query, then select Guest from the
+ drop-down list.
+
+
+ On &PRODUCT;, add the Traffic Sentinel host by calling the &PRODUCT; API command
+ addTrafficMonitor. Pass in the URL of the Traffic Sentinel as protocol + host + port
+ (optional); for example, http://10.147.28.100:8080. For the addTrafficMonitor command
+ syntax, see the API Reference at API
+ Documentation.
+ For information about how to call the &PRODUCT; API, see the Developer’s Guide at
+ CloudStack API Developer's Guide.
+
+
+ Log in to the &PRODUCT; UI as administrator.
+
+
+ Select Configuration from the Global Settings page, and set the following:
+ direct.network.stats.interval: How often you want &PRODUCT; to query Traffic
+ Sentinel.
+
+
+
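Review bot: the sentence ending "&PRODUCT; queries the Traffic Sentinel database to obtain this information" is missing its full stop. The example URL "http://10.147.28.100:8080" illustrates the "protocol + host + port" format, but the text does not say whether https is accepted by addTrafficMonitor; a one-line statement either way would help, since the query traffic leaves the Management Server.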
diff --git a/docs/en-US/hardware-config-eg.xml b/docs/en-US/hardware-config-eg.xml
new file mode 100644
index 00000000000..3174bfa8576
--- /dev/null
+++ b/docs/en-US/hardware-config-eg.xml
@@ -0,0 +1,29 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ Example Hardware Configuration
+ This section contains an example configuration of specific switch models for zone-level
+ layer-3 switching. It assumes VLAN management protocols, such as VTP or GVRP, have been
+ disabled. The example scripts must be changed appropriately if you choose to use VTP or
+ GVRP.
+
+
+
diff --git a/docs/en-US/hardware-firewall.xml b/docs/en-US/hardware-firewall.xml
new file mode 100644
index 00000000000..df0568aa2c2
--- /dev/null
+++ b/docs/en-US/hardware-firewall.xml
@@ -0,0 +1,29 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ Hardware Firewall
+ All deployments should have a firewall protecting the management server; see Generic
+ Firewall Provisions. Optionally, some deployments may also have a Juniper SRX firewall that will
+ be the default gateway for the guest networks; see .
+
+
+
+
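Review bot: the second cross-reference renders as "be the default gateway for the guest networks; see ." with no target, while the first one is written out as "see Generic Firewall Provisions". Point the second reference at the SRX integration section (External Guest Firewall Integration for Juniper SRX) and use the same form for both.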
diff --git a/docs/en-US/images/parallel-mode.png b/docs/en-US/images/parallel-mode.png
new file mode 100644
index 00000000000..3b67a17af9d
Binary files /dev/null and b/docs/en-US/images/parallel-mode.png differ
diff --git a/docs/en-US/kvm-topology-req.xml b/docs/en-US/kvm-topology-req.xml
new file mode 100644
index 00000000000..0dff491b364
--- /dev/null
+++ b/docs/en-US/kvm-topology-req.xml
@@ -0,0 +1,24 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ KVM Topology Requirements
+ The Management Servers communicate with KVM hosts on port 22 (ssh).
+
diff --git a/docs/en-US/layer2-switch.xml b/docs/en-US/layer2-switch.xml
new file mode 100644
index 00000000000..acef5a7c207
--- /dev/null
+++ b/docs/en-US/layer2-switch.xml
@@ -0,0 +1,41 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ Layer-2 Switch
+ The layer-2 switch is the access switching layer inside the pod.
+
+
+ It should trunk all VLANs into every computing host.
+
+
+ It should switch traffic for the management network containing computing and storage
+ hosts. The layer-3 switch will serve as the gateway for the management network.
+
+
+
+ Example Configurations
+ This section contains example configurations for specific switch models for pod-level
+ layer-2 switching. It assumes VLAN management protocols such as VTP or GVRP have been
+ disabled. The scripts must be changed appropriately if you choose to use VTP or GVRP.
+
+
+
+
diff --git a/docs/en-US/management-server-lb.xml b/docs/en-US/management-server-lb.xml
new file mode 100644
index 00000000000..c62e1efc0a0
--- /dev/null
+++ b/docs/en-US/management-server-lb.xml
@@ -0,0 +1,61 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ Setting Zone VLAN and Running VM Maximums
+ CloudPlatform can use a load balancer to provide a virtual IP for multiple Management
+ Servers. The administrator is responsible for creating the load balancer rules for the
+ Management Servers. The application requires persistence or stickiness across multiple sessions.
+ The following chart lists the ports that should be load balanced and whether or not persistence
+ is required.
+ Even if persistence is not required, enabling it is permitted.
+
+
+
+
+ Source Port
+ Destination Port
+ Protocol
+ Persistence Required?
+
+
+
+
+ 80 or 443
+ 8080 (or 20400 with AJP)
+ HTTP (or AJP)
+ Yes
+
+
+ 8250
+ 8250
+ TCP
+ Yes
+
+
+ 8096
+ 8096
+ HTTP
+ No
+
+
+
+
+
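Review bot: the section title for management-server-lb.xml reads "Setting Zone VLAN and Running VM Maximums", which is the title of set-zone-vlan-run-vm-max.xml; it should describe the Management Server load balancer. The first sentence also uses the literal "CloudPlatform" where every other file in this patch uses the &PRODUCT; entity. Because the table lists 8250 and 8096 as load-balanced ports, it should cross-reference Security Requirements ("The public Internet must not be able to access port 8096 or port 8250 on the Management Server") so that the virtual IP for those two rows is only published on the management side, not on the same public-facing VIP as 80/443.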
diff --git a/docs/en-US/network-setup.xml b/docs/en-US/network-setup.xml
new file mode 100644
index 00000000000..153227df83f
--- /dev/null
+++ b/docs/en-US/network-setup.xml
@@ -0,0 +1,35 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ Network Setup
+ Achieving the correct networking setup is crucial to a successful &PRODUCT;
+ installation. This section contains information to help you make decisions and follow the right
+ procedures to get your network set up correctly.
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/en-US/runtime-internal-comm-req.xml b/docs/en-US/runtime-internal-comm-req.xml
new file mode 100644
index 00000000000..f4539dd0307
--- /dev/null
+++ b/docs/en-US/runtime-internal-comm-req.xml
@@ -0,0 +1,39 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ Runtime Internal Communications Requirements
+
+
+ The Management Servers communicate with each other to coordinate tasks. This
+ communication uses TCP on ports 8250 and 9090.
+
+
+ The console proxy VMs connect to all hosts in the zone over the management traffic
+ network. Therefore the management traffic network of any given pod in the zone must have
+ connectivity to the management traffic network of all other pods in the zone.
+
+
+ The secondary storage VMs and console proxy VMs connect to the Management Server on
+ port 8250. If you are using multiple Management Servers, the load balanced IP address of the
+ Management Servers on port 8250 must be reachable.
+
+
+
diff --git a/docs/en-US/security-req.xml b/docs/en-US/security-req.xml
new file mode 100644
index 00000000000..a4869b43a70
--- /dev/null
+++ b/docs/en-US/security-req.xml
@@ -0,0 +1,24 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ Security Requirements
+ The public Internet must not be able to access port 8096 or port 8250 on the Management Server.
+
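Review bot: this requirement lists only ports 8096 and 8250, but Runtime Internal Communications Requirements states that the Management Servers also talk to each other on TCP 9090; either add 9090 here or say why it is out of scope, so the two sections agree on which Management Server ports must stay off the public Internet.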
diff --git a/docs/en-US/set-zone-vlan-run-vm-max.xml b/docs/en-US/set-zone-vlan-run-vm-max.xml
new file mode 100644
index 00000000000..2159b753ce7
--- /dev/null
+++ b/docs/en-US/set-zone-vlan-run-vm-max.xml
@@ -0,0 +1,65 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ Setting Zone VLAN and Running VM Maximums
+ In the external networking case, every VM in a zone must have a unique guest IP address.
+ There are two variables that you need to consider in determining how to configure &PRODUCT;
+ to support this: how many Zone VLANs do you expect to have and how many VMs do you expect to
+ have running in the Zone at any one time.
+ Use the following table to determine how to configure &PRODUCT; for your
+ deployment.
+
+
+
+
+ guest.vlan.bits
+ Maximum Running VMs per Zone
+ Maximum Zone VLANs
+
+
+
+
+ 12
+ 4096
+ 4094
+
+
+ 11
+ 8192
+ 2048
+
+
+ 10
+ 16384
+ 1024
+
+
+ 10
+ 32768
+ 512
+
+
+
+
+ Based on your deployment's needs, choose the appropriate value of guest.vlan.bits. Set it as
+ described in Edit the Global Configuration Settings (Optional) section and restart the
+ Management Server.
+
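Review bot: the last table row repeats guest.vlan.bits = 10 ("10 / 32768 / 512"). The rows follow a fixed pattern (one bit fewer halves the VLAN count and doubles the VM count: 12/4096/4094, 11/8192/2048, 10/16384/1024), so the 32768 / 512 row should read 9. The sentence "Set it as described in Edit the Global Configuration Settings (Optional) section" also needs "the" before "Edit".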
diff --git a/docs/en-US/storage-nw-topology-req.xml b/docs/en-US/storage-nw-topology-req.xml
new file mode 100644
index 00000000000..a594babea37
--- /dev/null
+++ b/docs/en-US/storage-nw-topology-req.xml
@@ -0,0 +1,28 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ Storage Network Topology Requirements
+ The secondary storage NFS export is mounted by the secondary storage VM. Secondary storage
+ traffic goes over the management traffic network, even if there is a separate storage network.
+ Primary storage traffic goes over the storage network, if available. If you choose to place
+ secondary storage NFS servers on the storage network, you must make sure there is a route from
+ the management traffic network to the storage network.
+
diff --git a/docs/en-US/topology-req.xml b/docs/en-US/topology-req.xml
new file mode 100644
index 00000000000..65c9c2ea5c6
--- /dev/null
+++ b/docs/en-US/topology-req.xml
@@ -0,0 +1,31 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ Topology Requirements
+
+
+
+
+
+
+
+
+
diff --git a/docs/en-US/vlan-allocation-eg.xml b/docs/en-US/vlan-allocation-eg.xml
new file mode 100644
index 00000000000..3ffd1666730
--- /dev/null
+++ b/docs/en-US/vlan-allocation-eg.xml
@@ -0,0 +1,71 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ VLAN Allocation Example
+ VLANs are required for public and guest traffic. The following is an example of a VLAN
+ allocation scheme:
+
+
+
+
+ VLAN IDs
+ Traffic type
+ Scope
+
+
+
+
+ less than 500
+ Management traffic. Reserved for administrative purposes.
+ &PRODUCT; software can access this, hypervisors, system VMs.
+
+
+ 500-599
+ VLAN carrying public traffic.
+ &PRODUCT; accounts.
+
+
+ 600-799
+ VLANs carrying guest traffic.
+ &PRODUCT; accounts. Account-specific VLAN is chosen from this
+ pool.
+
+
+ 800-899
+ VLANs carrying guest traffic.
+ &PRODUCT; accounts. Account-specific VLAN chosen by &PRODUCT; admin to assign
+ to that account.
+
+
+ 900-999
+ VLAN carrying guest traffic
+ &PRODUCT; accounts. Can be scoped by project, domain, or all
+ accounts.
+
+
+ greater than 1000
+ Reserved for future use
+
+
+
+
+
+
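Review bot: the VLAN ID ranges leave 1000 itself unassigned: the rows run "less than 500", "500-599", ..., "900-999" and then "greater than 1000"; the last row should read "1000 and above" (or the previous row end at 1000). The Scope cell for management traffic, "&PRODUCT; software can access this, hypervisors, system VMs.", is a fragment; something like "Accessible only to the &PRODUCT; software, hypervisors and system VMs." reads better. The "Reserved for future use" row has no Scope cell at all, which will leave an empty column in the rendered table.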
diff --git a/docs/en-US/vmware-topology-req.xml b/docs/en-US/vmware-topology-req.xml
new file mode 100644
index 00000000000..cf6ae4d455e
--- /dev/null
+++ b/docs/en-US/vmware-topology-req.xml
@@ -0,0 +1,38 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ VMware Topology Requirements
+
+
+ The Management Server and secondary storage VMs must be able to access vCenter and all
+ ESXi hosts in the zone. To allow the necessary access through the firewall, keep port 443
+ open.
+
+
+ The Management Servers communicate with VMware vCenter servers on port 443
+ (HTTPs).
+
+
+ The Management Servers communicate with the System VMs on port 3922 (ssh) on the
+ management traffic network.
+
+
+
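Review bot: the first two list items both cover port 443 to vCenter, once as "keep port 443 open" and once as "communicate with VMware vCenter servers on port 443"; merge them into one item. "HTTPs" should be written "HTTPS", consistent with "HTTP" elsewhere in the patch.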
diff --git a/docs/en-US/xenserver-topology-req.xml b/docs/en-US/xenserver-topology-req.xml
new file mode 100644
index 00000000000..12b9b077fe7
--- /dev/null
+++ b/docs/en-US/xenserver-topology-req.xml
@@ -0,0 +1,24 @@
+
+
+%BOOK_ENTITIES;
+]>
+
+
+ XenServer Topology Requirements
+ The Management Servers communicate with XenServer hosts on ports 22 (ssh), 80 (HTTP), and 443 (HTTPs).
+
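Review bot: "HTTPs" should be written "HTTPS", matching the capitalisation used for "HTTP" in the same sentence.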