From cb3d8872c65fa091fc67ade8c85f94292846e524 Mon Sep 17 00:00:00 2001 From: Radhika PC Date: Mon, 5 Nov 2012 19:18:12 +0530 Subject: [PATCH] fix for CLOUDSTACK-444 Signed-off-by: Radhika PC 
Signed-off-by: Joe Brockmeier --- docs/en-US/Installation_Guide.xml | 1 + docs/en-US/adv-zone-topology-req.xml | 25 +++ docs/en-US/basic-adv-networking.xml | 113 ++++++++++ docs/en-US/cisco3750-hardware.xml | 52 +++++ docs/en-US/cisco3750-layer2.xml | 45 ++++ docs/en-US/dell62xx-hardware.xml | 53 +++++ docs/en-US/dell62xx-layer2.xml | 49 +++++ docs/en-US/external-fw-topology-req.xml | 25 +++ .../external-guest-firewall-integration.xml | 201 ++++++++++++++++++ docs/en-US/external-guest-lb-integration.xml | 109 ++++++++++ docs/en-US/generic-firewall-provisions.xml | 37 ++++ .../guest-nw-usage-with-traffic-sentinel.xml | 73 +++++++ docs/en-US/hardware-config-eg.xml | 29 +++ docs/en-US/hardware-firewall.xml | 29 +++ docs/en-US/images/parallel-mode.png | Bin 0 -> 11520 bytes docs/en-US/kvm-topology-req.xml | 24 +++ docs/en-US/layer2-switch.xml | 41 ++++ docs/en-US/management-server-lb.xml | 61 ++++++ docs/en-US/network-setup.xml | 35 +++ docs/en-US/runtime-internal-comm-req.xml | 39 ++++ docs/en-US/security-req.xml | 24 +++ docs/en-US/set-zone-vlan-run-vm-max.xml | 65 ++++++ docs/en-US/storage-nw-topology-req.xml | 28 +++ docs/en-US/topology-req.xml | 31 +++ docs/en-US/vlan-allocation-eg.xml | 71 +++++++ docs/en-US/vmware-topology-req.xml | 38 ++++ docs/en-US/xenserver-topology-req.xml | 24 +++ 27 files changed, 1322 insertions(+) create mode 100644 docs/en-US/adv-zone-topology-req.xml create mode 100644 docs/en-US/basic-adv-networking.xml create mode 100644 docs/en-US/cisco3750-hardware.xml create mode 100644 docs/en-US/cisco3750-layer2.xml create mode 100644 docs/en-US/dell62xx-hardware.xml create mode 100644 docs/en-US/dell62xx-layer2.xml create mode 100644 docs/en-US/external-fw-topology-req.xml create mode 100644 docs/en-US/external-guest-firewall-integration.xml create mode 100644 docs/en-US/external-guest-lb-integration.xml create mode 100644 docs/en-US/generic-firewall-provisions.xml create mode 100644 docs/en-US/guest-nw-usage-with-traffic-sentinel.xml create 
mode 100644 docs/en-US/hardware-config-eg.xml create mode 100644 docs/en-US/hardware-firewall.xml create mode 100644 docs/en-US/images/parallel-mode.png create mode 100644 docs/en-US/kvm-topology-req.xml create mode 100644 docs/en-US/layer2-switch.xml create mode 100644 docs/en-US/management-server-lb.xml create mode 100644 docs/en-US/network-setup.xml create mode 100644 docs/en-US/runtime-internal-comm-req.xml create mode 100644 docs/en-US/security-req.xml create mode 100644 docs/en-US/set-zone-vlan-run-vm-max.xml create mode 100644 docs/en-US/storage-nw-topology-req.xml create mode 100644 docs/en-US/topology-req.xml create mode 100644 docs/en-US/vlan-allocation-eg.xml create mode 100644 docs/en-US/vmware-topology-req.xml create mode 100644 docs/en-US/xenserver-topology-req.xml diff --git a/docs/en-US/Installation_Guide.xml b/docs/en-US/Installation_Guide.xml index a40ceed0856..90f8748046d 100644 --- a/docs/en-US/Installation_Guide.xml +++ b/docs/en-US/Installation_Guide.xml @@ -54,6 +54,7 @@ + diff --git a/docs/en-US/adv-zone-topology-req.xml b/docs/en-US/adv-zone-topology-req.xml new file mode 100644 index 00000000000..3764e926ebe --- /dev/null +++ b/docs/en-US/adv-zone-topology-req.xml @@ -0,0 +1,25 @@ + + +%BOOK_ENTITIES; +]> + +
+ Advanced Zone Topology Requirements + With Advanced Networking, separate subnets must be used for private and public + networks. +
diff --git a/docs/en-US/basic-adv-networking.xml b/docs/en-US/basic-adv-networking.xml new file mode 100644 index 00000000000..46f0650e69f --- /dev/null +++ b/docs/en-US/basic-adv-networking.xml @@ -0,0 +1,113 @@ + + +%BOOK_ENTITIES; +]> + +
+ Basic and Advanced Networking + &PRODUCT; provides two styles of networking:. + + Basic + For AWS-style networking. Provides a single network where guest isolation can be provided + through layer-3 means such as security groups (IP address source filtering). + + + Advanced + For more sophisticated network topologies. This network model provides the most + flexibility in defining guest networks, but requires more configuration steps than basic + networking. + + Each zone has either basic or advanced networking. Once the choice of networking model for a + zone has been made and configured in &PRODUCT;, it can not be changed. A zone is either + basic or advanced for its entire lifetime. + The following table compares the networking features in the two networking models. + + + + + Networking Feature + Basic Network + Advanced Network + + + + + Number of networks + Single network + Multiple networks + + + Firewall type + Physical + Physical and Virtual + + + Load balancer + Physical + Physical and Virtual + + + Isolation type + Layer 3 + Layer 2 and Layer 3 + + + VPN support + No + Yes + + + Port forwarding + Physical + Physical and Virtual + + + 1:1 NAT + Physical + Physical and Virtual + + + Source NAT + No + Physical and Virtual + + + Userdata + Yes + Yes + + + Network usage monitoring + sFlow / netFlow at physical router + Hypervisor and Virtual Router + + + DNS and DHCP + Yes + Yes + + + + + The two types of networking may be in use in the same cloud. However, a given zone must use + either Basic Networking or Advanced Networking. + Different types of network traffic can be segmented on the same physical network. Guest + traffic can also be segmented by account. To isolate traffic, you can use separate VLANs. If you + are using separate VLANs on a single physical network, make sure the VLAN tags are in separate + numerical ranges. +
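Review bot: the feature table's "Isolation type" row gives Basic as "Layer 3" while the Basic description two paragraphs up says isolation comes from security groups (IP address source filtering); say "Layer 3 (security groups)" in the table so the two agree, and the "Source NAT" row ("No" for Basic) would be clearer if it said that Basic guests use their directly assigned addresses. Minor wording: "provides two styles of networking:." has a stray period after the colon, and "it can not be changed" should be "cannot". The closing advice that VLAN tags "are in separate numerical ranges" would be easier to apply if it pointed at the concrete ranges the switch examples in this patch use (201 for untagged management traffic, 300-999 for guest VLANs).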
diff --git a/docs/en-US/cisco3750-hardware.xml b/docs/en-US/cisco3750-hardware.xml new file mode 100644 index 00000000000..b5266105074 --- /dev/null +++ b/docs/en-US/cisco3750-hardware.xml @@ -0,0 +1,52 @@ + + +%BOOK_ENTITIES; +]> + +
+ Cisco 3750 + The following steps show how a Cisco 3750 is configured for zone-level layer-3 switching. + These steps assume VLAN 201 is used to route untagged private IPs for pod 1, and pod 1’s layer-2 + switch is connected to GigabitEthernet1/0/1. + + + Setting VTP mode to transparent allows us to utilize VLAN IDs above 1000. Since we only + use VLANs up to 999, vtp transparent mode is not strictly required. + vtp mode transparent +vlan 200-999 +exit + + + Configure GigabitEthernet1/0/1. + interface GigabitEthernet1/0/1 +switchport trunk encapsulation dot1q +switchport mode trunk +switchport trunk native vlan 201 +exit + + + The statements configure GigabitEthernet1/0/1 as follows: + + + VLAN 201 is the native untagged VLAN for port GigabitEthernet1/0/1. + + + Cisco passes all VLANs by default. As a result, all VLANs (300-999) are passed to all the pod-level layer-2 switches. + + +
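Review bot: the trunk on GigabitEthernet1/0/1 carries every VLAN, which contradicts the explanatory bullet and widens exposure more than needed. Step 1 creates "vlan 200-999" and step 2 relies on "Cisco passes all VLANs by default", so VLAN 1 and 200-299 reach the pod switch as well, not only "all VLANs (300-999)" as the bullet claims. Either prune the trunk explicitly, e.g. "switchport trunk allowed vlan 201,300-999", which also keeps the pod switch from seeing VLANs reserved for other purposes, or correct the bullet to match what the commands do. The guest range is also inconsistent with cisco3750-layer2.xml, which only creates "vlan 300-999"; pick one range and use it in both files.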
diff --git a/docs/en-US/cisco3750-layer2.xml b/docs/en-US/cisco3750-layer2.xml new file mode 100644 index 00000000000..e4fe1422056 --- /dev/null +++ b/docs/en-US/cisco3750-layer2.xml @@ -0,0 +1,45 @@ + + +%BOOK_ENTITIES; +]> + +
+ Cisco 3750 + The following steps show how a Cisco 3750 is configured for pod-level layer-2 + switching. + + + Setting VTP mode to transparent allows us to utilize VLAN IDs above 1000. Since we only + use VLANs up to 999, vtp transparent mode is not strictly required. + vtp mode transparent +vlan 300-999 +exit + + + Configure all ports to dot1q and set 201 as the native VLAN. + interface range GigabitEthernet 1/0/1-24 +switchport trunk encapsulation dot1q +switchport mode trunk +switchport trunk native vlan 201 +exit + + + By default, Cisco passes all VLANs. Cisco switches complain of the native VLAN IDs are + different when 2 ports are connected together. That’s why you must specify VLAN 201 as the + native VLAN on the layer-2 switch. +
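Review bot: VLAN 201 is made the native VLAN on every port ("switchport trunk native vlan 201") but is never created on this switch; step 1 only runs "vlan 300-999". With VTP in transparent mode the VLAN database is local, and a trunk only forwards VLANs that exist locally, so untagged management frames would be mapped to a VLAN the switch does not have. Change step 1 to "vlan 201,300-999" (or "vlan 200-999" to match cisco3750-hardware.xml). Wording: "Cisco switches complain of the native VLAN IDs are different" should read "complain if the native VLAN IDs are different", and the closing paragraph should say this is the CDP native-VLAN-mismatch warning so the reader knows what to look for.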
diff --git a/docs/en-US/dell62xx-hardware.xml b/docs/en-US/dell62xx-hardware.xml new file mode 100644 index 00000000000..8bc7770ce86 --- /dev/null +++ b/docs/en-US/dell62xx-hardware.xml @@ -0,0 +1,53 @@ + + +%BOOK_ENTITIES; +]> + +
+ Dell 62xx + The following steps show how a Dell 62xx is configured for zone-level layer-3 switching. + These steps assume VLAN 201 is used to route untagged private IPs for pod 1, and pod 1’s layer-2 + switch is connected to Ethernet port 1/g1. + The Dell 62xx Series switch supports up to 1024 VLANs. + + + Configure all the VLANs in the database. + vlan database +vlan 200-999 +exit + + + Configure Ethernet port 1/g1. + interface ethernet 1/g1 +switchport mode general +switchport general pvid 201 +switchport general allowed vlan add 201 untagged +switchport general allowed vlan add 300-999 tagged +exit + + + The statements configure Ethernet port 1/g1 as follows: + + + VLAN 201 is the native untagged VLAN for port 1/g1. + + + All VLANs (300-999) are passed to all the pod-level layer-2 switches. + + +
diff --git a/docs/en-US/dell62xx-layer2.xml b/docs/en-US/dell62xx-layer2.xml new file mode 100644 index 00000000000..1c0eea07203 --- /dev/null +++ b/docs/en-US/dell62xx-layer2.xml @@ -0,0 +1,49 @@ + + +%BOOK_ENTITIES; +]> + +
+ Dell 62xx + The following steps show how a Dell 62xx is configured for pod-level layer-2 + switching. + + + Configure all the VLANs in the database. + vlan database +vlan 300-999 +exit + + + VLAN 201 is used to route untagged private IP addresses for pod 1, and pod 1 is connected to this layer-2 switch. + interface range ethernet all +switchport mode general +switchport general allowed vlan add 300-999 tagged +exit + + + The statements configure all Ethernet ports to function as follows: + + + All ports are configured the same way. + + + All VLANs (300-999) are passed through all the ports of the layer-2 switch. + + +
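Review bot: step 2's text says "VLAN 201 is used to route untagged private IP addresses for pod 1", but the commands never mention 201: the ports get only "switchport mode general" and "switchport general allowed vlan add 300-999 tagged", and step 1 creates only "vlan 300-999". In general mode untagged frames are assigned to the port PVID, which is left at its default here, so untagged management traffic on this pod switch is not on VLAN 201. Either add "switchport general pvid 201" and "switchport general allowed vlan add 201 untagged" (and create 201 in step 1), as dell62xx-hardware.xml does for the uplink port, or rewrite the text to say untagged traffic stays on the default VLAN inside the pod and is only placed in 201 at the layer-3 switch.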
diff --git a/docs/en-US/external-fw-topology-req.xml b/docs/en-US/external-fw-topology-req.xml new file mode 100644 index 00000000000..ab81496a30a --- /dev/null +++ b/docs/en-US/external-fw-topology-req.xml @@ -0,0 +1,25 @@ + + +%BOOK_ENTITIES; +]> + +
+ External Firewall Topology Requirements + When external firewall integration is in place, the public IP VLAN must still be trunked to + the Hosts. This is required to support the Secondary Storage VM and Console Proxy VM. +
diff --git a/docs/en-US/external-guest-firewall-integration.xml b/docs/en-US/external-guest-firewall-integration.xml new file mode 100644 index 00000000000..0b34dca1065 --- /dev/null +++ b/docs/en-US/external-guest-firewall-integration.xml @@ -0,0 +1,201 @@ + + +%BOOK_ENTITIES; +]> + +
+ External Guest Firewall Integration for Juniper SRX (Optional) + + Available only for guests using advanced networking. + + &PRODUCT; provides for direct management of the Juniper SRX series of firewalls. This + enables &PRODUCT; to establish static NAT mappings from public IPs to guest VMs, and to use + the Juniper device in place of the virtual router for firewall services. You can have one or + more Juniper SRX per zone. This feature is optional. If Juniper integration is not provisioned, + &PRODUCT; will use the virtual router for these services. + The Juniper SRX can optionally be used in conjunction with an external load balancer. + External Network elements can be deployed in a side-by-side or inline configuration. + + + + + + parallel-mode.png: adding a firewall and load balancer in parallel mode. + + + &PRODUCT; requires the Juniper to be configured as follows: + + Supported SRX software version is 10.3 or higher. + + + + Install your SRX appliance according to the vendor's instructions. + + + Connect one interface to the management network and one interface to the public network. + Alternatively, you can connect the same interface to both networks and a use a VLAN for the + public network. + + + Make sure "vlan-tagging" is enabled on the private interface. + + + Record the public and private interface names. If you used a VLAN for the public + interface, add a ".[VLAN TAG]" after the interface name. For example, if you are using + ge-0/0/3 for your public interface and VLAN tag 301, your public interface name would be + "ge-0/0/3.301". Your private interface name should always be untagged because the + &PRODUCT; software automatically creates tagged logical interfaces. + + + Create a public security zone and a private security zone. By default, these will + already exist and will be called "untrust" and "trust". Add the public interface to the + public zone and the private interface to the private zone. Note down the security zone + names. 
+ + + Make sure there is a security policy from the private zone to the public zone that + allows all traffic. + + + Note the username and password of the account you want the &PRODUCT; software to log + in to when it is programming rules. + + + Make sure the "ssh" and "xnm-clear-text" system services are enabled. + + + If traffic metering is desired: + + + a. Create an incoming firewall filter and an outgoing firewall filter. These filters + should be the same names as your public security zone name and private security zone + name respectively. The filters should be set to be "interface-specific". For example, + here is the configuration where the public zone is "untrust" and the private zone is + "trust": + root@cloud-srx# show firewall +filter trust { + interface-specific; +} +filter untrust { + interface-specific; +} + + + Add the firewall filters to your public interface. For example, a sample + configuration output (for public interface ge-0/0/3.0, public security zone untrust, and + private security zone trust) is: + ge-0/0/3 { + unit 0 { + family inet { + filter { + input untrust; + output trust; + } + address 172.25.0.252/16; + } + } +} + + + + + Make sure all VLANs are brought to the private interface of the SRX. + + + After the &PRODUCT; Management Server is installed, log in to the &PRODUCT; UI as + administrator. + + + In the left navigation bar, click Infrastructure. + + + In Zones, click View More. + + + Choose the zone you want to work with. + + + Click the Network tab. + + + In the Network Service Providers node of the diagram, click Configure. (You might have + to scroll down to see this.) + + + Click SRX. + + + Click the Add New SRX button (+) and provide the following: + + + IP Address: The IP address of the SRX. + + + Username: The user name of the account on the SRX that &PRODUCT; should use. + + + Password: The password of the account. + + + Public Interface. The name of the public interface on the SRX. For example, + ge-0/0/2. 
A ".x" at the end of the interface indicates the VLAN that is in use. + + + Private Interface: The name of the private interface on the SRX. For example, + ge-0/0/1. + + + Usage Interface: (Optional) Typically, the public interface is used to meter + traffic. If you want to use a different interface, specify its name here + + + Number of Retries: The number of times to attempt a command on the SRX before + failing. The default value is 2. + + + Timeout (seconds): The time to wait for a command on the SRX before considering it + failed. Default is 300 seconds. + + + Public Network: The name of the public network on the SRX. For example, + trust. + + + Private Network: The name of the private network on the SRX. For example, + untrust. + + + Capacity: The number of networks the device can handle + + + Dedicated: When marked as dedicated, this device will be dedicated to a single + account. When Dedicated is checked, the value in the Capacity field has no significance + implicitly, its value is 1 + + + + + Click OK. + + + Click Global Settings. Set the parameter external.network.stats.interval to indicate how + often you want &PRODUCT; to fetch network usage statistics from the Juniper SRX. If you + are not using the SRX to gather network usage statistics, set to 0. + + +
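Review bot: the prerequisite "Make sure the "ssh" and "xnm-clear-text" system services are enabled" tells the operator to expose Junos XML management over clear-text TCP, so the account credentials recorded in the next step and every NAT and firewall rule the Management Server pushes cross the network unencrypted. At minimum the step should say the SRX management interface must be reachable only from the Management Server network, and name the encrypted alternative (xnm-ssl) if the integration supports it. Separately, the UI field examples are reversed against the earlier setup: the steps say the public zone is "untrust" and the private zone is "trust" (and the filter sample puts "input untrust" on the public interface), yet the field list gives "Public Network ... For example, trust" and "Private Network ... For example, untrust"; swap those examples. Minor wording: "and a use a VLAN" has a stray "a", and "has no significance implicitly, its value is 1" needs a full stop or semicolon before "implicitly".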
diff --git a/docs/en-US/external-guest-lb-integration.xml b/docs/en-US/external-guest-lb-integration.xml new file mode 100644 index 00000000000..5760f9559e6 --- /dev/null +++ b/docs/en-US/external-guest-lb-integration.xml @@ -0,0 +1,109 @@ + + +%BOOK_ENTITIES; +]> + +
+ External Guest Load Balancer Integration (Optional) + &PRODUCT; can optionally use a Citrix NetScaler or BigIP F5 load balancer to provide load + balancing services to guests. If this is not enabled, &PRODUCT; will use the software load + balancer in the virtual router. + To install and enable an external load balancer for &PRODUCT; management: + + + Set up the appliance according to the vendor's directions. + + + Connect it to the networks carrying public traffic and management traffic (these could + be the same network). + + + Record the IP address, username, password, public interface name, and private interface + name. The interface names will be something like "1.1" or "1.2". + + + Make sure that the VLANs are trunked to the management network interface. + + + After the &PRODUCT; Management Server is installed, log in as administrator to the + &PRODUCT; UI. + + + In the left navigation bar, click Infrastructure. + + + In Zones, click View More. + + + Choose the zone you want to work with. + + + Click the Network tab. + + + In the Network Service Providers node of the diagram, click Configure. (You might have + to scroll down to see this.) + + + Click NetScaler or F5. + + + Click the Add button (+) and provide the following: + For NetScaler: + + + IP Address: The IP address of the SRX. + + + Username/Password: The authentication credentials to access the device. &PRODUCT; + uses these credentials to access the device. + + + Type: The type of device that is being added. It could be F5 Big Ip Load Balancer, + NetScaler VPX, NetScaler MPX, or NetScaler SDX. For a comparison of the NetScaler types, + see the &PRODUCT; Administration Guide. + + + Public interface: Interface of device that is configured to be part of the public + network. + + + Private interface: Interface of device that is configured to be part of the private + network. + + + Number of retries. Number of times to attempt a command on the device before + considering the operation failed. 
Default is 2. + + + Capacity: The number of networks the device can handle. + + + Dedicated: When marked as dedicated, this device will be dedicated to a single + account. When Dedicated is checked, the value in the Capacity field has no significance + implicitly, its value is 1. + + + + + Click OK. + + + The installation and provisioning of the external load balancer is finished. You can proceed + to add VMs and NAT or load balancing rules. +
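Review bot: the first field in the Add dialog reads "IP Address: The IP address of the SRX.", a copy-paste from the SRX section; this is the NetScaler or F5 address. The lead-in "To install and enable an external load balancer for &PRODUCT; management:" is also misleading, since the section and its title are about guest load balancing, not the Management Server load balancer described in management-server-lb.xml. Also "Make sure that the VLANs are trunked to the management network interface" should say which VLANs (the guest VLANs) and which device interface (the private interface recorded in step 3), since the device has both a public and a private interface.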
diff --git a/docs/en-US/generic-firewall-provisions.xml b/docs/en-US/generic-firewall-provisions.xml new file mode 100644 index 00000000000..53ae45a09e0 --- /dev/null +++ b/docs/en-US/generic-firewall-provisions.xml @@ -0,0 +1,37 @@ + + +%BOOK_ENTITIES; +]> + +
+ Generic Firewall Provisions + The hardware firewall is required to serve two purposes: + + + Protect the Management Servers. NAT and port forwarding should be configured to direct + traffic from the public Internet to the Management Servers. + + + Route management network traffic between multiple zones. Site-to-site VPN should be + configured between multiple zones. + + + To achieve the above purposes you must set up fixed configurations for the firewall. + Firewall rules and policies need not change as users are provisioned into the cloud. Any brand + of hardware firewall that supports NAT and site-to-site VPN can be used. +
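Review bot: "NAT and port forwarding should be configured to direct traffic from the public Internet to the Management Servers" is stated without any port restriction, while security-req.xml in this same patch forbids Internet access to ports 8096 and 8250. Reconcile the two here: forward only the UI/API ports (80 or 443 per the table in management-server-lb.xml) and state that 8096, 8250 and the inter-server port 9090 from runtime-internal-comm-req.xml must not be forwarded. The sentence "Firewall rules and policies need not change as users are provisioned into the cloud" holds only for this management-protection role; the guest-facing rules on an external SRX are changed per account, so scope the sentence to the hardware firewall in front of the Management Servers.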
diff --git a/docs/en-US/guest-nw-usage-with-traffic-sentinel.xml b/docs/en-US/guest-nw-usage-with-traffic-sentinel.xml new file mode 100644 index 00000000000..eb42d641c4b --- /dev/null +++ b/docs/en-US/guest-nw-usage-with-traffic-sentinel.xml @@ -0,0 +1,73 @@ + + +%BOOK_ENTITIES; +]> + +
+ Guest Network Usage Integration for Traffic Sentinel + To collect usage data for a guest network, &PRODUCT; needs to pull the data from an external + network statistics collector installed on the network. Metering statistics for guest networks + are available through &PRODUCT;’s integration with inMon Traffic Sentinel. + Traffic Sentinel is a network traffic usage data collection package. &PRODUCT; can feed + statistics from Traffic Sentinel into its own usage records, providing a basis for billing users + of cloud infrastructure. Traffic Sentinel uses the traffic monitoring protocol sFlow. Routers + and switches generate sFlow records and provide them for collection by Traffic Sentinel, then + &PRODUCT; queries the Traffic Sentinel database to obtain this information + To construct the query, &PRODUCT; determines what guest IPs were in use during the current + query interval. This includes both newly assigned IPs and IPs that were assigned in a previous + time period and continued to be in use. &PRODUCT; queries Traffic Sentinel for network + statistics that apply to these IPs during the time period they remained allocated in &PRODUCT;. + The returned data is correlated with the customer account that owned each IP and the timestamps + when IPs were assigned and released in order to create billable metering records in &PRODUCT;. + When the Usage Server runs, it collects this data. + To set up the integration between &PRODUCT; and Traffic Sentinel: + + + On your network infrastructure, install Traffic Sentinel and configure it to gather + traffic data. For installation and configuration steps, see inMon documentation at Traffic Sentinel Documentation. + + + In the Traffic Sentinel UI, configure Traffic Sentinel to accept script querying from + guest users. &PRODUCT; will be the guest user performing the remote queries to gather + network usage for one or more IP addresses. 
+ Click File > Users > Access Control > Reports Query, then select Guest from the + drop-down list. + + + On &PRODUCT;, add the Traffic Sentinel host by calling the &PRODUCT; API command + addTrafficMonitor. Pass in the URL of the Traffic Sentinel as protocol + host + port + (optional); for example, http://10.147.28.100:8080. For the addTrafficMonitor command + syntax, see the API Reference at API + Documentation. + For information about how to call the &PRODUCT; API, see the Developer’s Guide at + CloudStack API Developer's Guide. + + + Log in to the &PRODUCT; UI as administrator. + + + Select Configuration from the Global Settings page, and set the following: + direct.network.stats.interval: How often you want &PRODUCT; to query Traffic + Sentinel. + + +
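Review bot: step 2 tells the reader to enable "Reports Query" for the "Guest" user in Traffic Sentinel, which opens per-IP usage data to any unauthenticated client that can reach the collector, not only the Management Server; the text should say the collector must be reachable only from the management network, or use an authenticated account if addTrafficMonitor supports credentials. The addTrafficMonitor example "http://10.147.28.100:8080" is plain HTTP, so the billing data also crosses the network in clear text; worth stating. Wording: the sentence ending "queries the Traffic Sentinel database to obtain this information" lacks a full stop, and "Select Configuration from the Global Settings page" reverses the UI path used elsewhere in this patch ("Click Global Settings").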
diff --git a/docs/en-US/hardware-config-eg.xml b/docs/en-US/hardware-config-eg.xml new file mode 100644 index 00000000000..3174bfa8576 --- /dev/null +++ b/docs/en-US/hardware-config-eg.xml @@ -0,0 +1,29 @@ + + +%BOOK_ENTITIES; +]> + +
+ Example Hardware Configuration + This section contains an example configuration of specific switch models for zone-level + layer-3 switching. It assumes VLAN management protocols, such as VTP or GVRP, have been + disabled. The example scripts must be changed appropriately if you choose to use VTP or + GVRP. + + +
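Review bot: this section says the examples assume VTP or GVRP "have been disabled", but the Cisco scripts it introduces (cisco3750-hardware.xml and cisco3750-layer2.xml) run "vtp mode transparent", which leaves VTP running in transparent mode rather than off. Either say "set to transparent or disabled" here or change the scripts, so the stated assumption and the commands agree.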
diff --git a/docs/en-US/hardware-firewall.xml b/docs/en-US/hardware-firewall.xml new file mode 100644 index 00000000000..df0568aa2c2 --- /dev/null +++ b/docs/en-US/hardware-firewall.xml @@ -0,0 +1,29 @@ + + +%BOOK_ENTITIES; +]> + +
+ Hardware Firewall + All deployments should have a firewall protecting the management server; see Generic + Firewall Provisions. Optionally, some deployments may also have a Juniper SRX firewall that will + be the default gateway for the guest networks; see . + + + +
diff --git a/docs/en-US/images/parallel-mode.png b/docs/en-US/images/parallel-mode.png new file mode 100644 index 0000000000000000000000000000000000000000..3b67a17af9df64068506d825b919e6874e1fd01d GIT binary patch literal 11520 zcmeHtc{J4R|Myr5AyEj~qGIeMB1XzC%QU5kscdB}L<}R9WXn3FES0g0Z7d;KCS}Q3 zrpP*$$k_K~EHlIJWA5j6Kj%5mInVc>=bYy`zxxjd*LA($uj_hW@BMRyTbLPe9uhnR z0)aS<3@<}LAjT6Q5W{;`MqngMY+D%k#o!G!&;=EBoR|jwVRpWFRX3ty)5J(nfbonCevE6)HaIWyQ{|HxueAbJTrkrNRv(GD-`DY&Q z4qmn>s}GgW<&fjR#^Dm|sR~&GNPPb&n7os?-ym3SanCUmVIJeto3o z3s%ieBB{&R^cUUAdPHikK#)A#8e3&39zWYqyN9(nRb1p1y$48*{y^G=P?FiR~_^6B0p z2DC00eO||tIo8-y%7__Q0b(=^75R(DFsm49*dm@4-~eKdJ*2hA0K{0!tpl!oFUh^f zfK`k)U=IMq93b%o7I4YvBppx(yhi8Gx~31pti6c8OyATK*c6??k*R19bei*2IDJPT z%nv5|^ba8hbf=Ip&qX>z=zEs`7d9M%;eOrjROvC4M*wSiZ?8?e_7+`nuV`aoOaa7@ z!ux#mquA~E;*6tb%nA}4ETK0O9-nVGXSd}L`BT{AgY(o!&2ukw4g=CXeC;;J5G(rG zdPm1A|16Ddq6#@M;PLX99%TcMl9Bct7~Z)ee!q-#RRDo>b#2|L^_hmQTpw6ziWcI# z=67R2IV(?>?_9p~)H$t+7dkBf$CmC$4YEGwwHcW7D=YqaNmQYSuqFjFo+zK$|47B; z9)XyKhfWkG_WLI4UiYYYATICH_}Wj5(eRW-$r+VyA0CS|4arl#2(TG0est-I6x_)1 zy!j!x`n(}gAyu-l-%WWug_T*5O$?=f*)3K$WahP9np$7g(==0<^YLlZEacs|#IDEL zrDD9*A5a}IS>g(*^Z=${P}cD`3*$pTb=1q#J52e}@pgc398}l20__Qt+`I-6pA*at>j!s98KLtSr zo+?wmCxD z5D92$q@=&t7m@;?so@q1?Ysvx=W84e|iH<;iO}9t1EIEpp(z z0>V6(4_<1KK>go@Hk4`ACynOYgFVz$Ko<)+;Q15GUup+bt zr(YEvo8D4*(lMF^lXwl=kx2sm6u7ww3OF6eZU~Bvc&@N}`|y#iUa3m%PL--_=z?W2 zROw8&|Hl(z8WQZHI)vw*3~YPCCyBN(oZJ;8ozo3CT^W(6DuRYyuhoc2V!G_?Fv>KQ zvLq+QpabTqqdq&YGY-!j)HfuIUymzodIrPiSxx@*dNLIy8wk=mT6aJa^w;iKUQ%5X ziLBEpgJ5XS<5=UH>oXUu4H5@=_ye8Zc6E`lAq^H=Yk*YVNk(|(f9 zHp0jQLZ2LMg}i3EyrYVDf4*kw!7J^0!7!^JV18(*zlt)}F-#rdpR8oz;z}$<2dR(r<(pLfQt{qcVJX8}sKU>ng zs7;v@aR!I_7~sBL2Gdrek~lHrcFSAmBhrHBGA{jEL|=_2P3Ak#2%T{AUv&z|8vot+ zI@2y)DY<5s8y$~u{uIpxSPy61ae!=MtDYutX0kFNN940TSCbQyU!*ghT8Cb8VPMe45F! 
zT{Je!i@FOHh&xy<5(l_MZe+f#Cv^e4MZ&ggpKf7aF9aw2)W?wr{C1`ngT2>?*pUFu zw9E(D@s{2k+Q-n!>MO4_Yl0}`g&o3IVZ`h7`(+m?a&qE}J2N*vEUWFd?3QXGwoyMl zoyteEyk>jk5S+PJIo%MEGsnI*&9nK)=u>Lk`uRhm6@ulElA!=uzT_5300xGv_`NE% zf6Gtj+7wq?#06%~9P zuy~cCTUB0T4dGiBqEvM5whH;}c7ikt^Ih4-%^2~giL=@hLU!Qwu*n{$${y7LSNS#G zgZeKt_V@GaY52T7s ztElUJf6B@T{e?1VGuW?1AqMU-uz^^gWIPvbYWYtyzka6_>YN0;s@>~nm#VzxRIiY% zd&SC1vetc}oP_YuTuBtl{CfXPa6JrB&=IytaSC#b!#AZtEPgjF?gUK9ENcdB^fnU~ zgd7u8P@(HdBH6CTrUi8$3Dg%kp&=V?{y8Q`$dz{n)M@B5amH`8y%X_aNNQHHU0%#6 zairE$qo0-LLiem11lQX1By(u4~^k zYExdUB$~1{}TTAoX17Q`*D+gyU%~h6jPH3Eu#c#bG`i>@9 z<1At?#L2^DZ|NJp?ZSZR{z=z4!9R12rcb~?UC6i{)DR)kEId!s{sf;v$4;35G;xt*o>v_-P4aDuUO$t@!W89U4-{ zQ9+??Y(5G2(0rMkXE0@Ksd~);%xkdqPM=lnP_-Y{>lN>gO-{2n z)GPRN_AB6MAIq^6#IeNpQX*#gWJ)YM4(A2gRSuWvjUB30 zOuTU~%nic1=UO$$(x_F;YBw^M&e zdNoIT9Yb~*Rpk}*3IQ_B+Ednb7M@+70%*Tgq)d`=MWULN0(Zq^e0_Iuc}C_q5XrJ{ zoPa~1TkMP2Nv)kxT>mw>nrx``pHETzm`}Iom8PG$yhipkT$V{>rVTIof?3^ zt2D}FY^N)NR#`euAai<hN(_L z5gUsm8EFG9AK9TT1qw|9hoJ&t2uiJdjfJN(IJ%_V^;U08TJY3t#r38hyV?<)Y*UJ{ z#8}(8DO+%h=p=G+y|I;4Zl1Lnv>xQ-BVe{yJ_=z+EA0~Tn6feh^9~Ws^N2NxRU);6 zdPh~U>??xcChSqXd(wD&p1O5zCXRo{e6cC?fd<3u{7lAtxrGqkuy22PQ068E1JlJ+&1iz|N(xDUtS^ zd2cbT8kbiV3#{%pSzgrIy)|zdx)*IX%>D@JgIi82j08$VyKlKh&0;Y=f)F8dpipS3 zeIu6z#TAu9!B=+u93Z=^_6ujvXw->k#qY3VQ3?ZA&=e`B?CuB<^nU35hG=WMoxEW5 zLsFP1usQC?soL3eU?rlX9NU78i`Z~z$v6*~rhf=oBj`$`?H}v&84}v7eY?BV*P89& zuM|WvrpFY!W^_OppC_vL>@>7;a&r$U^r3v6{o^4k)0Lz#%ZSuov#xMsJNvt5Nk`s2 z^1^l>OvX9cu$qtsVt(nD86xI}=f`ZTsnj`-%KBLD{-J%0ShlJd-#p6=z(8@>eXn zYSqOK{suUHP41>iQxHa-DgAK(T6vjKMT^x3$c8`j*i$qZfC1!hkkT@vrfE$2!zY4L zr=Tg1OU~<<)_ghKmFfJK&`#UA9X@hYq4?X{l)ztS3+I2!)X=~_r>GUs#NhHS(a>?M zapJ!Rn=Xc@qJRJumqY8<27${~`{*yZ5Fm92!3rdd%>#0eju~eC!Yg^Cfeg&k#0A8P z0bTyV^AM<9Kb1RAcrXJgw>6KmISAtbKY8#55T~Ga?Z+R&fg%Sk*}@b8*wK4|F&-W8 zLsvrE5S_ndM>=4Kb(cAcF943D=8e)=9dOrmhVd+nw{||Th!uyy?lH2inLSZK4adb7 z9|sn_hARE=0v36>G#XM)17+}OV{O(sao#s#|7rbh0mSpOmu>+O#A80C3g|M8y+~@f z#JyQUsMSK;@l3EO#UCtzP_VnB=2}V=p&UW`k@dw5db8o8NW)?cS 
zNqV~h@!3NDiKBhzolc47SHcL#4NYRO&zg~`EqG-0aNJxK_QJ=^LaW6T zOQ$oC5ZLA7=gC0JBJrAnKEm+#Gh7*-&pgPNys)Tx^TIB5wPLz;H)r0lWPZ}F@A!hy z$S`7ud`WX#CSw>uFyDy>Y6&+})E8agx^&t3gZf5rS2bS}yL0@47n`-oCCPRHm<|$& zK=oKHmsR<3W*3pqeh*iLpl&WBHWspMWh2qXcPl6=kYxwuL(uSH%<@DGY^=LxNdU4n zvOsj@?dGNq;63<<`;{%nOR1Z8?0Lw|sU_3;4cJo$WnZIf_Y zn!W-;D|5%&(Qh%_%6iB;EtA@a)6iUw8F1V3?j0^LvrxYpPRuTGeg(VRi_7ibolAZ@ zqCwr9Bx{qm_?$%m5g}N5kIo}`(3Fiu$d2D`{oEq$tEKN&$}Y9s5vX#Yut=po5kOf) z#NzLQ7|nNo(){W^_3&jpUe2u~%e(x>5YjdMJj#@C>peEj+JRpEGR}2tWaCURRJ;1o zYk)#QJ?0ss1CihDwz%~uo1+^v5?A1FCTz`0#ORHUg;DEGvNH}{jG*ic=hXS;s$Ctz z1XCI_qm)0u=Hwm#ZNizeT}9$K<{5Rq^8=REQ*R2pEc(@L0M#RQDi$*_iqf#t8 z@;TmDepG4A?&5?O8kzlY%50&B90US+Tf5vObPb6JN0P3oQoc}QXsv_-CHz5X)#K&6 z+tjGX7Qjs3TQZf+&cX>)AwUN=-xKl5gqVRsWFF~;`M>yFzkgjw&uzOq)n>( z+g_rxc@Vh}fgro=Zb#2wxd);C@+?#XSYl3pDld23fCtkaX^Iy!eFVy^d4XzATxqa^ z?PnjLg3??g5>^DBxfhp}l`Ywr#IL+XCEL#m7E>lrA4}$YVa|TC?`eI)#PYO**H+3j z$>?Zte<{8GG)Y6^jRL{Z1Ay5b;FTG)utFYa&G$REVca@v@7`dq@4v!@Bi>5{GSW5` zf@J9HgL8F5B}_h0-O^Cu`h@#)KRkhY4`v(xYLgvT4)a?WG>X6Rs?enITy8a(RC%WB zcKlK&`C6j;)eVE7)X@O7rRQeWp-XGUg5-lISfzoGC0*juCAtdP!4DfiG8PNB4<)Tbw{|kNx;c#< z!zez5(zL#e-Rbwj&0TMMW>{P)?w>`;>RiC9+%gf2h^gWPlc1a zT*0TG&8VVgZo3<-t`TRLvj*&y@hhHJ%vzwWC66%Z)ODHLyciW@pI>ZSfZR;n7oSr84=-dx2g)#oXmV*Lo@7}h#>6YANH$)UJt zW2?`Y?8A|UCz`VbA6Z{rJjY*gh3Vci1(c#GP=RjwI zSw(Z&@ZDuhYSmikt1<^~R#Tv-l5*SfjAB+PdZhywjAU#}VPp;f8ax5@hVkia$0SjH zw1xyN^K_phQYnCts{*=&5z^3lsjm5pP8H$|=u&a@ueaEaiKE)GVYog8w#CGe* zJ15}th$XPRmOJ?ie(_FJNg(I4aoK9=wst>`>yg#+JOHkTx{ zKp{J953)NUSCx}=f%pjpH>$G(ZR0~=zDx6fJf{Vurp0cLAeot2p94A5*QE4t3Sgl~ zx0Y1Ry$Un*I6MT1+#!1Q-?e~otq@60=EH1ayr2K$KKcJP&iA~3! 
zvY{Yna271$A>U;X<^rt1CvlVo_`0Mc#CSk>mPH5*y(x~WpDN3=W99Jv`g7vQw{t&P z*E+u(HF*k)HC~p}ih@NnH!yFXz8&4`hnF5_Is}!ji-|K{J|zou*&Q8+Vu1ngi@o~M zun2`aDS$`~v#Pw$Ur<%Sd$Q*x!LR5>v0}tf6Z(@&zuKg5a=F$>RW_xQ=%=tZLTTTw zs$^0t-nndbOE$a&7~S{qIc(k@wL*NFN3u#dBB8s-?B{<^W{Kh`9L-x(Vz_hkegi|| zCq9D)l&_XYx3O%0V$+4YlxRdjarorT=D8isQEnT_Fx$!gQ?mvrrb_N+i@Pn^XD7H# zAlpT&1rkt!)rNaj(yMbk=+cQLOZwc;m^q2VVg!woyyy?U6E7pdVYd03FMCbEb?et!4YlK?=-JzvjFpdtAZmZOm`wvLlc8jk99i;zU6Nss69|RP6X3{p74l*b- zY`;H|w1IEAfTOdTm><=+u#ZtC|CXBY*U?ABkrKcD=9Dz@M*3tKoq+qw*jdAUg7b2( zp`Ceq2#K9%ME=kTP9_x(YhNiL* z)h+@1$OllPSe*CbJRxv;R)*;4m>ft79xRcfp!`^3elpEyhuta7b~yKhlt&}%(%NBD z3d4b2kDk*H%XF-AcJ%9M2ZJb-d;j7+RY2(6S$A2)G=JR4q&DTiDHB787d<=Wlx%_O z-DbZ9`Bco@4$gBoj1bI;Inn)$R+K<;3#a1a`>+SqeFB`xYGOc=YiR`uR?-qiL!Mhn0~MZDn&82{35Nyg3)e_3J|4 zR)p;z223O`67_W51zU5p`pLH*`q+1Th^(hWNblhr$KG;xizL0~T z7<&o2%#GzfUfNSNZ?bPvRfQiznltxIO7THe*+80phm0UbjJLe9)Y|DAmwux`jsES; zh{-a8eYGZ)HR%h4@9Fy&DLsNij^KIhJ-|o*8pb<>M5}V}iY^O=l+2`mL+&XZ-O^Ft zW&|H{&<`S!gj}wbYqfM^iy8(=9M;+2uY`Qw z3Ex7x3%JA;rFw9GThZkol>4!CGd%6Ch*$i_1>n8#&N+1SEuXJT68qBXS#p)m*Pl1K~I?vJb*p6`?$sOb2-(r_>kw4@e&m-rIl<;_ut2nAy31 z62;jw#9F$aaUdRN;xPROL^eIu?>!yF+w*bEmHmlfnKP?YI;)h*u-T=34AN(}74srG zL2%e+w8cIF(lz^K8=XM!YW}xw!`U;}9?-R_lVTu%+gH%U zYf2$E=;Lf3e>7eF@%NT`noRBrhR^}JrarVgz27&2_MUGJAL!b4y30_=^zyzugk)bx zhtluJ6qEe9LvMe=*6M3Rh1H(fyuP9N=*_Era1FU<)9wX(ccEDO$^{~^zuR&+Q^FvW zZZ`2(y1k(L*5OhG%Kn@}Hyaowuf1mfTD!9;XKJG96VGk(AG-WQ;YPdf`Hqe;zhDi~ z+{e(f>ptg4Kl%6hoc+^%&lkkx4oNf{ct8ZwO&Iq~vMHh_FD_z0%PVl4oG@A?31nP) z?gjrY{8v2xD#gF1@UN%%PyFN4IrNyaNxUxoA*UG7ixzv`&$jo(^EgnhM`@^->^-@B z1~dSl-F7;&_mc81@VC-To2)qSK9fTigyDFalD7BE^W{b0ky)-v*>m7+rXnlQI$?G4 zWdvSiiX8-=EoFAJ@$9`6{TJZ>cM<*GWxDgZJGgemQWbc$3^LL)yIiDu`{{oHtu5-E literal 0 HcmV?d00001 diff --git a/docs/en-US/kvm-topology-req.xml b/docs/en-US/kvm-topology-req.xml new file mode 100644 index 00000000000..0dff491b364 --- /dev/null +++ b/docs/en-US/kvm-topology-req.xml @@ -0,0 +1,24 @@ + + +%BOOK_ENTITIES; +]> + +
+ KVM Topology Requirements + The Management Servers communicate with KVM hosts on port 22 (ssh). +
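Review bot: only the Management Server to host direction ("port 22 (ssh)") is listed. Does the KVM host also need a path back to the Management Server, as the secondary storage and console proxy VMs do on port 8250 in runtime-internal-comm-req.xml? If so, state it here, since firewall rules derived from this section would otherwise block it; if not, say explicitly that connections are initiated only from the Management Server side.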
diff --git a/docs/en-US/layer2-switch.xml b/docs/en-US/layer2-switch.xml new file mode 100644 index 00000000000..acef5a7c207 --- /dev/null +++ b/docs/en-US/layer2-switch.xml @@ -0,0 +1,41 @@ + + +%BOOK_ENTITIES; +]> + +
+ Layer-2 Switch + The layer-2 switch is the access switching layer inside the pod. + + + It should trunk all VLANs into every computing host. + + + It should switch traffic for the management network containing computing and storage + hosts. The layer-3 switch will serve as the gateway for the management network. + + + + Example Configurations + This section contains example configurations for specific switch models for pod-level + layer-2 switching. It assumes VLAN management protocols such as VTP or GVRP have been + disabled. The scripts must be changed appropriately if you choose to use VTP or GVRP. + + + +
diff --git a/docs/en-US/management-server-lb.xml b/docs/en-US/management-server-lb.xml new file mode 100644 index 00000000000..c62e1efc0a0 --- /dev/null +++ b/docs/en-US/management-server-lb.xml @@ -0,0 +1,61 @@ + + +%BOOK_ENTITIES; +]> + +
+ Setting Zone VLAN and Running VM Maximums + CloudPlatform can use a load balancer to provide a virtual IP for multiple Management + Servers. The administrator is responsible for creating the load balancer rules for the + Management Servers. The application requires persistence or stickiness across multiple sessions. + The following chart lists the ports that should be load balanced and whether or not persistence + is required. + Even if persistence is not required, enabling it is permitted. + + + + + Source Port + Destination Port + Protocol + Persistence Required? + + + + + 80 or 443 + 8080 (or 20400 with AJP) + HTTP (or AJP) + Yes + + + 8250 + 8250 + TCP + Yes + + + 8096 + 8096 + HTTP + No + + + + +
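Review bot: the section title "Setting Zone VLAN and Running VM Maximums" belongs to set-zone-vlan-run-vm-max.xml, not to this file, which describes load balancing the Management Servers; and the body says "CloudPlatform can use a load balancer" instead of the &PRODUCT; entity used everywhere else in this patch. In the port table, the 8096 row should carry a warning that this virtual IP must be reachable only from trusted networks, because security-req.xml says port 8096 must not be Internet-accessible and a load balancer makes it easy to expose by accident. The "80 or 443" to "8080 (or 20400 with AJP)" row should also say that TLS is terminated on the load balancer and the hop to the Management Server is plain HTTP or AJP, so that segment has to be on a trusted network.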
diff --git a/docs/en-US/network-setup.xml b/docs/en-US/network-setup.xml new file mode 100644 index 00000000000..153227df83f --- /dev/null +++ b/docs/en-US/network-setup.xml @@ -0,0 +1,35 @@ + + +%BOOK_ENTITIES; +]> + + + Network Setup + Achieving the correct networking setup is crucial to a successful &PRODUCT; + installation. This section contains information to help you make decisions and follow the right + procedures to get your network set up correctly. + + + + + + + + + + diff --git a/docs/en-US/runtime-internal-comm-req.xml b/docs/en-US/runtime-internal-comm-req.xml new file mode 100644 index 00000000000..f4539dd0307 --- /dev/null +++ b/docs/en-US/runtime-internal-comm-req.xml @@ -0,0 +1,39 @@ + + +%BOOK_ENTITIES; +]> + +
+ Runtime Internal Communications Requirements + + + The Management Servers communicate with each other to coordinate tasks. This + communication uses TCP on ports 8250 and 9090. + + + The console proxy VMs connect to all hosts in the zone over the management traffic + network. Therefore the management traffic network of any given pod in the zone must have + connectivity to the management traffic network of all other pods in the zone. + + + The secondary storage VMs and console proxy VMs connect to the Management Server on + port 8250. If you are using multiple Management Servers, the load balanced IP address of the + Management Servers on port 8250 must be reachable. + + +
diff --git a/docs/en-US/security-req.xml b/docs/en-US/security-req.xml new file mode 100644 index 00000000000..a4869b43a70 --- /dev/null +++ b/docs/en-US/security-req.xml @@ -0,0 +1,24 @@ + + +%BOOK_ENTITIES; +]> + +
+ Security Requirements + The public Internet must not be able to access port 8096 or port 8250 on the Management Server. +
diff --git a/docs/en-US/set-zone-vlan-run-vm-max.xml b/docs/en-US/set-zone-vlan-run-vm-max.xml new file mode 100644 index 00000000000..2159b753ce7 --- /dev/null +++ b/docs/en-US/set-zone-vlan-run-vm-max.xml @@ -0,0 +1,65 @@ + + +%BOOK_ENTITIES; +]> + +
+ Setting Zone VLAN and Running VM Maximums + In the external networking case, every VM in a zone must have a unique guest IP address. + There are two variables that you need to consider in determining how to configure &PRODUCT; + to support this: how many Zone VLANs do you expect to have and how many VMs do you expect to + have running in the Zone at any one time. + Use the following table to determine how to configure &PRODUCT; for your + deployment. + + + + + guest.vlan.bits + Maximum Running VMs per Zone + Maximum Zone VLANs + + + + + 12 + 4096 + 4094 + + + 11 + 8192 + 2048 + + + 10 + 16384 + 1024 + + + 10 + 32768 + 512 + + + + + Based on your deployment's needs, choose the appropriate value of guest.vlan.bits. Set it as + described in Edit the Global Configuration Settings (Optional) section and restart the + Management Server. +
diff --git a/docs/en-US/storage-nw-topology-req.xml b/docs/en-US/storage-nw-topology-req.xml new file mode 100644 index 00000000000..a594babea37 --- /dev/null +++ b/docs/en-US/storage-nw-topology-req.xml @@ -0,0 +1,28 @@ + + +%BOOK_ENTITIES; +]> + +
+ Storage Network Topology Requirements + The secondary storage NFS export is mounted by the secondary storage VM. Secondary storage + traffic goes over the management traffic network, even if there is a separate storage network. + Primary storage traffic goes over the storage network, if available. If you choose to place + secondary storage NFS servers on the storage network, you must make sure there is a route from + the management traffic network to the storage network. +
diff --git a/docs/en-US/topology-req.xml b/docs/en-US/topology-req.xml new file mode 100644 index 00000000000..65c9c2ea5c6 --- /dev/null +++ b/docs/en-US/topology-req.xml @@ -0,0 +1,31 @@ + + +%BOOK_ENTITIES; +]> + +
+ Topology Requirements + + + + + + + + +
diff --git a/docs/en-US/vlan-allocation-eg.xml b/docs/en-US/vlan-allocation-eg.xml new file mode 100644 index 00000000000..3ffd1666730 --- /dev/null +++ b/docs/en-US/vlan-allocation-eg.xml @@ -0,0 +1,71 @@ + + +%BOOK_ENTITIES; +]> + +
+ VLAN Allocation Example + VLANs are required for public and guest traffic. The following is an example of a VLAN + allocation scheme: + + + + + VLAN IDs + Traffic type + Scope + + + + + less than 500 + Management traffic. Reserved for administrative purposes. + &PRODUCT; software can access this, hypervisors, system VMs. + + + 500-599 + VLAN carrying public traffic. + &PRODUCT; accounts. + + + 600-799 + VLANs carrying guest traffic. + &PRODUCT; accounts. Account-specific VLAN is chosen from this + pool. + + + 800-899 + VLANs carrying guest traffic. + &PRODUCT; accounts. Account-specific VLAN chosen by &PRODUCT; admin to assign + to that account. + + + 900-999 + VLAN carrying guest traffic + &PRODUCT; accounts. Can be scoped by project, domain, or all + accounts. + + + greater than 1000 + Reserved for future use + + + + + +
diff --git a/docs/en-US/vmware-topology-req.xml b/docs/en-US/vmware-topology-req.xml new file mode 100644 index 00000000000..cf6ae4d455e --- /dev/null +++ b/docs/en-US/vmware-topology-req.xml @@ -0,0 +1,38 @@ + + +%BOOK_ENTITIES; +]> + +
+ VMware Topology Requirements + + + The Management Server and secondary storage VMs must be able to access vCenter and all + ESXi hosts in the zone. To allow the necessary access through the firewall, keep port 443 + open. + + + The Management Servers communicate with VMware vCenter servers on port 443 + (HTTPs). + + + The Management Servers communicate with the System VMs on port 3922 (ssh) on the + management traffic network. + + +
diff --git a/docs/en-US/xenserver-topology-req.xml b/docs/en-US/xenserver-topology-req.xml new file mode 100644 index 00000000000..12b9b077fe7 --- /dev/null +++ b/docs/en-US/xenserver-topology-req.xml @@ -0,0 +1,24 @@ + + +%BOOK_ENTITIES; +]> + +
+ XenServer Topology Requirements + The Management Servers communicate with XenServer hosts on ports 22 (ssh), 80 (HTTP), and 443 (HTTPs). +
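Review bot: the KVM requirement in docs/en-US/kvm-topology-req.xml names port 22 (ssh) but, unlike the VMware section added in the same patch, does not say which network carries the connection or which side opens it; suggest "The Management Servers connect to KVM hosts on port 22 (ssh) over the management traffic network" so the reader knows which firewall rule to write.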
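Review bot: in docs/en-US/layer2-switch.xml the first bullet, "It should trunk all VLANs into every computing host", reads as literally every VLAN; since the rest of this patch allocates separate management, public and guest VLAN ranges, state which ranges are trunked to the hosts. The closing sentence, "The scripts must be changed appropriately if you choose to use VTP or GVRP", should say what has to change or point to the vendor documentation; "changed appropriately" is not actionable.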
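Review bot: the section title in docs/en-US/management-server-lb.xml, "Setting Zone VLAN and Running VM Maximums", was copied from set-zone-vlan-run-vm-max.xml and should describe load balancing of the Management Servers. Two more points in the same hunk: the text uses the literal name "CloudPlatform" where every other new file uses the &PRODUCT; entity, and because the table load balances 8096 and 8250, which security-req.xml says must not be reachable from the public Internet, the paragraph should state that those two rules belong on an internal virtual IP rather than the one serving 80/443, or readers will expose them on the public VIP.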
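Review bot: docs/en-US/runtime-internal-comm-req.xml says the Management Servers coordinate over TCP 8250 and 9090, but 9090 appears nowhere else in the patch: it is not in the load-balancer table and not in the security requirements. Clarify whether 9090 is server-to-server only (so it needs no load balancing but must still be blocked from the public Internet) and update security-req.xml to match.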
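Review bot: the one sentence in docs/en-US/security-req.xml says ports 8096 and 8250 must not be reachable "on the Management Server", but management-server-lb.xml in this same patch places both ports behind a load balancer, so the requirement must also cover the load balancer's virtual IP. Say so explicitly, and give the reader a verification step, such as confirming from an external address that TCP connections to 8096 and 8250 on every public-facing address are refused.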
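Review bot: the last table row in docs/en-US/set-zone-vlan-run-vm-max.xml repeats guest.vlan.bits = 10 against 32768 VMs and 512 VLANs; the other rows follow 2^bits zone VLANs and 2^(24-bits) running VMs (12/4096/4094, 11/8192/2048, 10/16384/1024), so that row should read 9. Also, "Edit the Global Configuration Settings (Optional) section" is a plain-text reference; make it an xref so it does not go stale when the section is renamed.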
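Review bot: the table in docs/en-US/vlan-allocation-eg.xml leaves VLAN 1000 unassigned (ranges jump from 900-999 to "greater than 1000"; write "1000 and above" or an explicit upper bound) and the last row has an empty Scope cell. The management row's Scope text, "&PRODUCT; software can access this, hypervisors, system VMs.", is not a sentence; suggest "Accessible to the &PRODUCT; software, hypervisors and system VMs." The 600-799, 800-899 and 900-999 rows all say "VLAN(s) carrying guest traffic" and differ only in Scope, so make the Traffic type cells identical and keep the distinguishing text (chosen from pool, assigned by admin, project or domain scoped) in Scope only.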
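Review bot: docs/en-US/vmware-topology-req.xml writes "HTTPs"; the protocol name is HTTPS. The first bullet's "keep port 443 open" is too broad to turn into a firewall rule; say port 443 on vCenter and the ESXi hosts, reachable from the Management Server and secondary storage VM addresses, so the reader does not open it from everywhere.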
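Review bot: in docs/en-US/xenserver-topology-req.xml "HTTPs" should be "HTTPS", and, as with the KVM section, the sentence should name the network that carries these connections (the VMware section specifies the management traffic network) so the three hypervisor topology sections are parallel.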