mirror of
https://github.com/apache/cloudstack.git
synced 2025-10-26 08:42:29 +01:00
401 lines
18 KiB
XML
401 lines
18 KiB
XML
<?xml version='1.0' encoding='utf-8' ?>
|
|
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
|
|
%BOOK_ENTITIES;
|
|
]>
|
|
<!-- Licensed to the Apache Software Foundation (ASF) under one
|
|
or more contributor license agreements. See the NOTICE file
|
|
distributed with this work for additional information
|
|
regarding copyright ownership. The ASF licenses this file
|
|
to you under the Apache License, Version 2.0 (the
|
|
"License"); you may not use this file except in compliance
|
|
with the License. You may obtain a copy of the License at
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
Unless required by applicable law or agreed to in writing,
|
|
software distributed under the License is distributed on an
|
|
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
KIND, either express or implied. See the License for the
|
|
specific language governing permissions and limitations
|
|
under the License.
|
|
-->
|
|
<section id="vnmc-cisco">
|
|
<title>External Guest Firewall Integration for Cisco VNMC (Optional)</title>
|
|
<para>Cisco Virtual Network Management Center (VNMC) provides centralized multi-device and policy
|
|
management for Cisco Network Virtual Services. You can integrate Cisco VNMC with &PRODUCT; to
|
|
leverage the firewall and NAT service offered by ASA 1000v Cloud Firewall. Use it in a Cisco
|
|
Nexus 1000v dvSwitch-enabled cluster in &PRODUCT;. In such a deployment, you will be able to: </para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Configure Cisco ASA 1000v firewalls. You can configure one per guest network.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Use Cisco ASA 1000v firewalls to create and apply security profiles that contain ACL
|
|
policy sets for both ingress and egress traffic.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Use Cisco ASA 1000v firewalls to create and apply Source NAT, Port Forwarding, and
|
|
Static NAT policy sets.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<para>&PRODUCT; supports Cisco VNMC on Cisco Nexus 1000v dvSwich-enabled VMware
|
|
hypervisors.</para>
|
|
<section id="deploy-vnmc">
|
|
<title>Using Cisco ASA 1000v Firewall, Cisco Nexus 1000v dvSwitch, and Cisco VNMC in a
|
|
Deployment</title>
|
|
<section id="notes-vnmc">
|
|
<title>Guidelines</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Cisco ASA 1000v firewall is supported only in Isolated Guest Networks.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Cisco ASA 1000v firewall is not supported on VPC.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Cisco ASA 1000v firewall is not supported for load balancing.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>When a guest network is created with Cisco VNMC firewall provider, an additional
|
|
public IP is acquired along with the Source NAT IP. The Source NAT IP is used for the
|
|
rules, whereas the additional IP is used to for the ASA outside interface. Ensure that
|
|
this additional public IP is not released. You can identify this IP as soon as the
|
|
network is in implemented state and before acquiring any further public IPs. The
|
|
additional IP is the one that is not marked as Source NAT. You can find the IP used for
|
|
the ASA outside interface by looking at the Cisco VNMC used in your guest
|
|
network.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Use the public IP address range from a single subnet. You cannot add IP addresses
|
|
from different subnets.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Only one ASA instance per VLAN is allowed because multiple VLANS cannot be trunked
|
|
to ASA ports. Therefore, you can use only one ASA instance in a guest network.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Only one Cisco VNMC per zone is allowed.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Supported only in Inline mode deployment with load balancer.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>The ASA firewall rule is applicable to all the public IPs in the guest network.
|
|
Unlike the firewall rules created on virtual router, a rule created on the ASA device is
|
|
not tied to a specific public IP.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Use a version of Cisco Nexus 1000v dvSwitch that support the vservice command. For
|
|
example: nexus-1000v.4.2.1.SV1.5.2b.bin</para>
|
|
<para>Cisco VNMC requires the vservice command to be available on the Nexus switch to
|
|
create a guest network in &PRODUCT;. </para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
<section id="prereq-asa">
|
|
<title>Prerequisites</title>
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Configure Cisco Nexus 1000v dvSwitch in a vCenter environment.</para>
|
|
<para>Create Port profiles for both internal and external network interfaces on Cisco
|
|
Nexus 1000v dvSwitch. Note down the inside port profile, which needs to be provided
|
|
while adding the ASA appliance to &PRODUCT;.</para>
|
|
<para>For information on configuration, see <xref
|
|
linkend="vmware-vsphere-cluster-config-nexus-vswitch"/>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Deploy and configure Cisco VNMC.</para>
|
|
<para>For more information, see <ulink
|
|
url="http://www.cisco.com/en/US/docs/switches/datacenter/vsg/sw/4_2_1_VSG_2_1_1/install_upgrade/guide/b_Cisco_VSG_for_VMware_vSphere_Rel_4_2_1_VSG_2_1_1_and_Cisco_VNMC_Rel_2_1_Installation_and_Upgrade_Guide_chapter_011.html"
|
|
>Installing Cisco Virtual Network Management Center</ulink> and <ulink
|
|
url="http://www.cisco.com/en/US/docs/unified_computing/vnmc/sw/1.2/VNMC_GUI_Configuration/b_VNMC_GUI_Configuration_Guide_1_2_chapter_010.html"
|
|
>Configuring Cisco Virtual Network Management Center</ulink>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Register Cisco Nexus 1000v dvSwitch with Cisco VNMC.</para>
|
|
<para>For more information, see <ulink
|
|
url="http://www.cisco.com/en/US/docs/switches/datacenter/vsg/sw/4_2_1_VSG_1_2/vnmc_and_vsg_qi/guide/vnmc_vsg_install_5register.html#wp1064301"
|
|
>Registering a Cisco Nexus 1000V with Cisco VNMC</ulink>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Create Inside and Outside port profiles in Cisco Nexus 1000v dvSwitch.</para>
|
|
<para>For more information, see <xref
|
|
linkend="vmware-vsphere-cluster-config-nexus-vswitch"/>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Deploy and Cisco ASA 1000v appliance.</para>
|
|
<para>For more information, see <ulink
|
|
url="http://www.cisco.com/en/US/docs/security/asa/quick_start/asa1000V/setup_vnmc.html"
|
|
>Setting Up the ASA 1000V Using VNMC</ulink>.</para>
|
|
<para>Typically, you create a pool of ASA 1000v appliances and register them with
|
|
&PRODUCT;.</para>
|
|
<para>Specify the following while setting up a Cisco ASA 1000v instance:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>VNMC host IP. </para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Ensure that you add ASA appliance in VNMC mode.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Port profiles for the Management and HA network interfaces. This need to be
|
|
pre-created on Cisco Nexus 1000v dvSwitch.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Internal and external port profiles.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>The Management IP for Cisco ASA 1000v appliance. Specify the gateway such that
|
|
the VNMC IP is reachable.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Administrator credentials</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>VNMC credentials</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Register Cisco ASA 1000v with VNMC.</para>
|
|
<para>After Cisco ASA 1000v instance is powered on, register VNMC from the ASA
|
|
console.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
<section id="how-to-asa">
|
|
<title>Using Cisco ASA 1000v Services</title>
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Ensure that all the prerequisites are met.</para>
|
|
<para>See <xref linkend="prereq-asa"/>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Add a VNMC instance.</para>
|
|
<para>See <xref linkend="add-vnmc"/>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Add a ASA 1000v instance.</para>
|
|
<para>See <xref linkend="add-asa"/>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Create a Network Offering and use Cisco VNMC as the service provider for desired
|
|
services.</para>
|
|
<para>See <xref linkend="asa-offering"/>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Create an Isolated Guest Network by using the network offering you just
|
|
created.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
</section>
|
|
<section id="add-vnmc">
|
|
<title>Adding a VNMC Instance</title>
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Log in to the &PRODUCT; UI as administrator.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>In the left navigation bar, click Infrastructure.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>In Zones, click View More.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Choose the zone you want to work with.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click the Physical Network tab.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>In the Network Service Providers node of the diagram, click Configure. </para>
|
|
<para>You might have to scroll down to see this.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click Cisco VNMC.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click View VNMC Devices.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click the Add VNMC Device and provide the following:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Host: The IP address of the VNMC instance.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Username: The user name of the account on the VNMC instance that &PRODUCT; should
|
|
use.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Password: The password of the account.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click OK.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
<section id="add-asa">
|
|
<title>Adding an ASA 1000v Instance</title>
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Log in to the &PRODUCT; UI as administrator.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>In the left navigation bar, click Infrastructure.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>In Zones, click View More.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Choose the zone you want to work with.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click the Physical Network tab.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>In the Network Service Providers node of the diagram, click Configure. </para>
|
|
<para>You might have to scroll down to see this.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click Cisco VNMC.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click View ASA 1000v.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click the Add CiscoASA1000v Resource and provide the following:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">Host</emphasis>: The management IP address of the ASA 1000v
|
|
instance. The IP address is used to connect to ASA 1000V.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Inside Port Profile</emphasis>: The Inside Port Profile
|
|
configured on Cisco Nexus1000v dvSwitch.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Cluster</emphasis>: The VMware cluster to which you are
|
|
adding the ASA 1000v instance.</para>
|
|
<para>Ensure that the cluster is Cisco Nexus 1000v dvSwitch enabled.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click OK.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
<section id="asa-offering">
|
|
<title>Creating a Network Offering Using Cisco ASA 1000v</title>
|
|
<para>To have Cisco ASA 1000v support for a guest network, create a network offering as follows: </para>
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Log in to the &PRODUCT; UI as a user or admin.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>From the Select Offering drop-down, choose Network Offering.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click Add Network Offering.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>In the dialog, make the following choices:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">Name</emphasis>: Any desired name for the network
|
|
offering.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Description</emphasis>: A short description of the offering
|
|
that can be displayed to users.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Network Rate</emphasis>: Allowed data transfer rate in MB
|
|
per second.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Traffic Type</emphasis>: The type of network traffic that
|
|
will be carried on the network.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Guest Type</emphasis>: Choose whether the guest network is
|
|
isolated or shared.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Persistent</emphasis>: Indicate whether the guest network is
|
|
persistent or not. The network that you can provision without having to deploy a VM on
|
|
it is termed persistent network. </para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">VPC</emphasis>: This option indicate whether the guest
|
|
network is Virtual Private Cloud-enabled. A Virtual Private Cloud (VPC) is a private,
|
|
isolated part of &PRODUCT;. A VPC can have its own virtual network topology that
|
|
resembles a traditional physical network. For more information on VPCs, see <xref
|
|
linkend="vpc"/>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Specify VLAN</emphasis>: (Isolated guest networks only)
|
|
Indicate whether a VLAN should be specified when this offering is used.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Supported Services</emphasis>: Use Cisco VNMC as the service
|
|
provider for Firewall, Source NAT, Port Forwarding, and Static NAT to create an
|
|
Isolated guest network offering.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">System Offering</emphasis>: Choose the system service
|
|
offering that you want virtual routers to use in this network.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Conserve mode</emphasis>: Indicate whether to use conserve
|
|
mode. In this mode, network resources are allocated only when the first virtual
|
|
machine starts in the network.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click OK </para>
|
|
<para>The network offering is created.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
<section id="reuse-asa">
|
|
<title>Reusing ASA 1000v Appliance in new Guest Networks</title>
|
|
<para>You can reuse an ASA 1000v appliance in a new guest network after the necessary cleanup.
|
|
Typically, ASA 1000v is cleaned up when the logical edge firewall is cleaned up in VNMC. If
|
|
this cleanup does not happen, you need to reset the appliance to its factory settings for use
|
|
in new guest networks. As part of this, enable SSH on the appliance and store the SSH
|
|
credentials by registering on VNMC.</para>
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Open a command line on the ASA appliance:</para>
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Run the following:</para>
|
|
<programlisting>ASA1000V(config)# reload</programlisting>
|
|
<para>You are prompted with the following message:</para>
|
|
<programlisting>System config has been modified. Save? [Y]es/[N]o:"</programlisting>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Enter N.</para>
|
|
<para>You will get the following confirmation message:</para>
|
|
<programlisting>"Proceed with reload? [confirm]"</programlisting>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Restart the appliance.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Register the ASA 1000v appliance with the VNMC:</para>
|
|
<programlisting>ASA1000V(config)# vnmc policy-agent
|
|
ASA1000V(config-vnmc-policy-agent)# registration host vnmc_ip_address
|
|
ASA1000V(config-vnmc-policy-agent)# shared-secret key where key is the shared secret for authentication of the ASA 1000V connection to the Cisco VNMC</programlisting>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
</section>
|