From 04db0e0dc91c70f48318880535d39ba826fcb864 Mon Sep 17 00:00:00 2001
From: radhikap
Date: Wed, 21 Aug 2013 17:36:42 +0530
Subject: [PATCH] CLOUDSTACK-4416 and CLOUDSTACK-906 cisco vnmc doc reviews

---
docs/en-US/vnmc-cisco.xml | 174 ++++++++++++++++++++++++--------------
1 file changed, 112 insertions(+), 62 deletions(-)

diff --git a/docs/en-US/vnmc-cisco.xml b/docs/en-US/vnmc-cisco.xml
index 7c721785c7e..b0785fc953f 100644
--- a/docs/en-US/vnmc-cisco.xml
+++ b/docs/en-US/vnmc-cisco.xml
@@ -21,62 +21,127 @@
External Guest Firewall Integration for Cisco VNMC (Optional) Cisco Virtual Network Management Center (VNMC) provides centralized multi-device and policy - management for Cisco Network Virtual Services. When Cisco VNMC is integrated with ASA 1000v - Cloud Firewall and Cisco Nexus 1000v dvSwitch in &PRODUCT; you will be able to: + management for Cisco Network Virtual Services. You can integrate Cisco VNMC with &PRODUCT; to + leverage the firewall and NAT service offered by ASA 1000v Cloud Firewall. Use it in a Cisco + Nexus 1000v dvSwitch-enabled cluster in &PRODUCT;. In such a deployment, you will be able to: - Configure Cisco ASA 1000v Firewalls + Configure Cisco ASA 1000v firewalls. You can configure one per guest network. - Create and apply security profiles that contain ACL policy sets for both ingress and - egress traffic, connection timeout, NAT policy sets, and TCP intercept + Use Cisco ASA 1000v firewalls to create and apply security profiles that contain ACL + policy sets for both ingress and egress traffic. + + + Use Cisco ASA 1000v firewalls to create and apply Source NAT, Port Forwarding, and + Static NAT policy sets. &PRODUCT; supports Cisco VNMC on Cisco Nexus 1000v dvSwich-enabled VMware hypervisors. -
- Use Cases - - - A Cloud administrator adds VNMC as a network element by using the admin API - addCiscoVnmcResource after specifying the credentials - - - A Cloud administrator adds ASA 1000v appliances by using the admin API - addCiscoAsa1000vResource. You can configure one per guest network. - - - A Cloud administrator creates an Isolated guest network offering by using ASA 1000v as - the service provider for Firewall, Source NAT, Port Forwarding, and Static NAT. - - -
Using Cisco ASA 1000v Firewall, Cisco Nexus 1000v dvSwitch, and Cisco VNMC in a Deployment -
- Prerequisites +
+ Guidelines - Ensure that Cisco ASA 1000v appliance is set up externally and then registered with - &PRODUCT; by using the admin API. Typically, you can create a pool of ASA 1000v - appliances and register them with &PRODUCT;. - Specify the following to set up a Cisco ASA 1000v instance: + Cisco ASA 1000v firewall is supported only in Isolated Guest Networks. + + + Cisco ASA 1000v firewall is not supported on VPC. + + + Cisco ASA 1000v firewall is not supported for load balancing. + + + When a guest network is created with Cisco VNMC firewall provider, an additional + public IP is acquired along with the Source NAT IP. The Source NAT IP is used for the + rules, whereas the additional IP is used to for the ASA outside interface. Ensure that + this additional public IP is not released. You can identify this IP as soon as the + network is in implemented state and before acquiring any further public IPs. The + additional IP is the one that is not marked as Source NAT. You can find the IP used for + the ASA outside interface by looking at the Cisco VNMC used in your guest + network. + + + Use the public IP address range from a single subnet. You cannot add IP addresses + from different subnets. + + + Only one ASA instance per VLAN is allowed because multiple VLANS cannot be trunked + to ASA ports. Therefore, you can use only one ASA instance in a guest network. + + + Only one Cisco VNMC per zone is allowed. + + + Supported only in Inline mode deployment with load balancer. + + + The ASA firewall rule is applicable to all the public IPs in the guest network. + Unlike the firewall rules created on virtual router, a rule created on the ASA device is + not tied to a specific public IP. + + + Use a version of Cisco Nexus 1000v dvSwitch that support the vservice command. For + example: nexus-1000v.4.2.1.SV1.5.2b.bin + Cisco VNMC requires the vservice command to be available on the Nexus switch to + create a guest network in &PRODUCT;. + + +
+
+ Prerequisites + + + Configure Cisco Nexus 1000v dvSwitch in a vCenter environment. + Create Port profiles for both internal and external network interfaces on Cisco + Nexus 1000v dvSwitch. Note down the inside port profile, which needs to be provided + while adding the ASA appliance to &PRODUCT;. + For information on configuration, see . + + + Deploy and configure Cisco VNMC. + For more information, see Installing Cisco Virtual Network Management Center and Configuring Cisco Virtual Network Management Center. + + + Register Cisco Nexus 1000v dvSwitch with Cisco VNMC. + For more information, see Registering a Cisco Nexus 1000V with Cisco VNMC. + + + Create Inside and Outside port profiles in Cisco Nexus 1000v dvSwitch. + For more information, see . + + + Deploy and Cisco ASA 1000v appliance. + For more information, see Setting Up the ASA 1000V Using VNMC. + Typically, you create a pool of ASA 1000v appliances and register them with + &PRODUCT;. + Specify the following while setting up a Cisco ASA 1000v instance: - ESX host IP + VNMC host IP. - Standalone or HA mode + Ensure that you add ASA appliance in VNMC mode. Port profiles for the Management and HA network interfaces. This need to be - pre-created on Nexus dvSwitch switch. + pre-created on Cisco Nexus 1000v dvSwitch. - Port profiles for both internal and external network interfaces. This need to be - pre-created on Nexus dvSwitch switch, and to be updated appropriately while - implementing guest networks. + Internal and external port profiles. The Management IP for Cisco ASA 1000v appliance. Specify the gateway such that 
@@ -89,29 +154,13 @@ VNMC credentials + + + Register Cisco ASA 1000v with VNMC. After Cisco ASA 1000v instance is powered on, register VNMC from the ASA console. - - Ensure that Cisco VNMC appliance is set up externally and then registered with - &PRODUCT; by using the admin API. A single VNMC instance manages multiple ASA1000v - appliances. - - - Ensure that Cisco Nexus 1000v appliance is set up and configured in &PRODUCT; when - adding VMware cluster. - - -
-
- Guidelines - When a guest network is created with Cisco VNMC firewall provider, an additional public - IP is acquired along with the Source NAT IP. The Source NAT IP is used for the ASA outside - interface, whereas the additional IP is used to workaround an ASA limitation. Ensure that - this additional public IP is not released. You can identify this IP as soon as the network - is in implemented state and before acquiring any further public IPs. The additional IP is - the one that is not marked as Source NAT. You can find the IP used for the ASA outside - interface by looking at the Cisco VNMC used in your guest network. +
Using Cisco ASA 1000v Services @@ -156,7 +205,7 @@ Choose the zone you want to work with. - Click the Network tab. + Click the Physical Network tab. In the Network Service Providers node of the diagram, click Configure. @@ -166,7 +215,7 @@ Click Cisco VNMC. - Click View VNMC Devices + Click View VNMC Devices. Click the Add VNMC Device and provide the following: @@ -204,7 +253,7 @@ Choose the zone you want to work with. - Click the Network tab. + Click the Physical Network tab. In the Network Service Providers node of the diagram, click Configure. @@ -220,15 +269,16 @@ Click the Add CiscoASA1000v Resource and provide the following: - Host: The management IP address of the ASA 1000v instance. The IP address is used - to connect to ASA 1000V. + Host: The management IP address of the ASA 1000v + instance. The IP address is used to connect to ASA 1000V. - Inside Port Profile: The Inside Port Profile configuration on Cisco Nexus1000v - dvSwitch. + Inside Port Profile: The Inside Port Profile + configured on Cisco Nexus1000v dvSwitch. - Cluster: The VMware cluster to which you are adding the ASA 1000v instance. + Cluster: The VMware cluster to which you are + adding the ASA 1000v instance. Ensure that the cluster is Cisco Nexus 1000v dvSwitch enabled.
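Review bot: The rename "Click the Network tab." to "Click the Physical Network tab." is applied at two places in this file (the hunks at -156 and -204); since both are the same UI path for the VNMC and ASA 1000v device pages, it is worth a search of the rest of vnmc-cisco.xml for any remaining "Click the Network tab" so the procedures stay consistent.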
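Review bot: In the reflowed Add CiscoASA1000v Resource fields, the product names are spelled inconsistently with the rest of the document: "Inside Port Profile configured on Cisco Nexus1000v dvSwitch." drops the space used everywhere else ("Cisco Nexus 1000v dvSwitch"), and "The IP address is used to connect to ASA 1000V." uses an uppercase V where the document otherwise writes "ASA 1000v". Since these lines are already being rewritten, normalize them to "Nexus 1000v" and "ASA 1000v".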