mirror of
https://github.com/apache/cloudstack.git
synced 2025-11-03 04:12:31 +01:00
306 lines
12 KiB
XML
306 lines
12 KiB
XML
<?xml version='1.0' encoding='utf-8' ?>
|
|
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
|
|
%BOOK_ENTITIES;
|
|
]>
|
|
<!-- Licensed to the Apache Software Foundation (ASF) under one
|
|
or more contributor license agreements. See the NOTICE file
|
|
distributed with this work for additional information
|
|
regarding copyright ownership. The ASF licenses this file
|
|
to you under the Apache License, Version 2.0 (the
|
|
"License"); you may not use this file except in compliance
|
|
with the License. You may obtain a copy of the License at
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
Unless required by applicable law or agreed to in writing,
|
|
software distributed under the License is distributed on an
|
|
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
KIND, either express or implied. See the License for the
|
|
specific language governing permissions and limitations
|
|
under the License.
|
|
-->
|
|
<section id="vnmc-cisco">
|
|
<title>External Guest Firewall Integration for Cisco VNMC (Optional)</title>
|
|
<para>Cisco Virtual Network Management Center (VNMC) provides centralized multi-device and
|
|
policy management for Cisco Network Virtual Services. When Cisco VNMC is integrated with
|
|
ASA 1000v Cloud Firewall and Cisco Nexus 1000v dvSwitch in &PRODUCT; you will be able to: </para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Configure Cisco ASA 1000v Firewalls</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Create and apply security profiles that contain ACL policy sets for both ingress
|
|
and egress traffic, connection timeout, NAT policy sets, and TCP intercept</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<para>&PRODUCT; supports Cisco VNMC on Cisco Nexus 1000v dvSwich-enabled VMware
|
|
hypervisors.</para>
|
|
<section id="usecase-vnmc">
|
|
<title>Use Cases</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>A Cloud administrator adds VNMC as a network element by using the admin API
|
|
addCiscoVnmcResource after specifying the credentials</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>A Cloud administrator adds ASA 1000v appliances by using the admin API
|
|
addCiscoAsa1000vResource. You can configure one per guest network.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>A Cloud administrator creates an Isolated guest network offering by using ASA
|
|
1000v as the service provider for Firewall, Source NAT, Port Forwarding, and Static
|
|
NAT. </para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
<section id="deploy-vnmc">
|
|
<title>Cisco ASA 1000v Firewall, Cisco Nexus 1000v dvSwitch, and Cisco VNMC
|
|
Deployment</title>
|
|
<section id="prereq-asa">
|
|
<title>Prerequisites</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Ensure that Cisco ASA 1000v appliance is set up externally and then registered
|
|
with &PRODUCT; by using the admin API. Typically, you can create a pool of ASA
|
|
1000v appliances and register them with &PRODUCT;.</para>
|
|
<para>Specify the following to set up a Cisco ASA 1000v instance:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>ESX host IP</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Standalone or HA mode</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Port profiles for the Management and HA network interfaces. This need to
|
|
be pre-created on Nexus dvSwitch switch.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Port profiles for both internal and external network interfaces. This need
|
|
to be pre-created on Nexus dvSwitch switch, and to be updated appropriately
|
|
while implementing guest networks.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>The Management IP for Cisco ASA 1000v appliance. Specify the gateway such
|
|
that the VNMC IP is reachable.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Administrator credentials</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>VNMC credentials</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<para>After Cisco ASA 1000v instance is powered on, register VNMC from the ASA
|
|
console.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Ensure that Cisco VNMC appliance is set up externally and then registered with
|
|
&PRODUCT; by using the admin API. A single VNMC instance manages multiple ASA1000v
|
|
appliances.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Ensure that Cisco Nexus 1000v appliance is set up and configured in &PRODUCT;
|
|
when adding VMware cluster.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
<section id="how-to-asa">
|
|
<title>Using Cisco ASA 1000v Services</title>
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Ensure that all the prerequisites are met.</para>
|
|
<para>See <xref linkend="prereq-asa"/>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Add a VNMC instance.</para>
|
|
<para>See <xref linkend="add-vnmc"/>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Add a ASA 1000v instance.</para>
|
|
<para>See <xref linkend="add-asa"/>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Create a Network Offering and use Cisco VNMC as the service provider for desired services.</para>
|
|
<para>See <xref linkend="asa-offering"/>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Create an Isolated Guest Network by using the network offering you just created.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
</section>
|
|
<section id="add-vnmc">
|
|
<title>Adding a VNMC Instance</title>
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Log in to the &PRODUCT; UI as administrator.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>In the left navigation bar, click Infrastructure.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>In Zones, click View More.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Choose the zone you want to work with.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click the Network tab.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>In the Network Service Providers node of the diagram, click Configure. </para>
|
|
<para>You might have to scroll down to see this.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click Cisco VNMC.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click View VNMC Devices</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click the Add VNMC Device and provide the following:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Host: The IP address of the VNMC instance.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Username: The user name of the account on the VNMC instance that &PRODUCT;
|
|
should use.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Password: The password of the account.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click OK.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
<section id="add-asa">
|
|
<title>Adding an ASA 1000v Instance</title>
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Log in to the &PRODUCT; UI as administrator.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>In the left navigation bar, click Infrastructure.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>In Zones, click View More.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Choose the zone you want to work with.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click the Network tab.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>In the Network Service Providers node of the diagram, click Configure. </para>
|
|
<para>You might have to scroll down to see this.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click Cisco VNMC.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click View ASA 1000v.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click the Add CiscoASA1000v Resource and provide the following:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Host: The management IP address of the ASA 1000v instance. The IP address is
|
|
used to connect to ASA 1000V.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Inside Port Profile: The Inside Port Profile configuration on Cisco
|
|
Nexus1000v dvSwitch.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Cluster: The VMware cluster to which you are adding the ASA 1000v
|
|
instance.</para>
|
|
<para>Ensure that the cluster is Cisco Nexus 1000v dvSwitch enabled.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click OK.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
<section id="asa-offering">
|
|
<title>Creating a Network Offering Using Cisco ASA 1000v</title>
|
|
<para>To have Cisco ASA 1000v support for a guest network, create a network offering as
|
|
follows: </para>
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Log in to the &PRODUCT; UI as a user or admin.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>From the Select Offering drop-down, choose Network Offering.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click Add Network Offering.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>In the dialog, make the following choices:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">Name</emphasis>: Any desired name for the network
|
|
offering.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Description</emphasis>: A short description of the
|
|
offering that can be displayed to users.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Network Rate</emphasis>: Allowed data transfer rate in
|
|
MB per second.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Traffic Type</emphasis>: The type of network traffic
|
|
that will be carried on the network.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Guest Type</emphasis>: Choose whether the guest
|
|
network is isolated or shared.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Persistent</emphasis>: Indicate whether the guest
|
|
network is persistent or not. The network that you can provision without having
|
|
to deploy a VM on it is termed persistent network. </para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">VPC</emphasis>: This option indicate whether the guest
|
|
network is Virtual Private Cloud-enabled. A Virtual Private Cloud (VPC) is a
|
|
private, isolated part of &PRODUCT;. A VPC can have its own virtual network
|
|
topology that resembles a traditional physical network. For more information on
|
|
VPCs, see <xref linkend="vpc"/>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Specify VLAN</emphasis>: (Isolated guest networks
|
|
only) Indicate whether a VLAN should be specified when this offering is
|
|
used.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Supported Services</emphasis>: Use Cisco VNMC as the
|
|
service provider for Firewall, Source NAT, Port Forwarding, and Static NAT to
|
|
create an Isolated guest network offering.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">System Offering</emphasis>: Choose the system service
|
|
offering that you want virtual routers to use in this network.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Conserve mode</emphasis>: Indicate whether to use
|
|
conserve mode. In this mode, network resources are allocated only when the first
|
|
virtual machine starts in the network.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click OK </para>
|
|
<para>The network offering is created.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section></section> |