<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="vnmc-cisco">
<title>External Guest Firewall Integration for Cisco VNMC (Optional)</title>
<para>Cisco Virtual Network Management Center (VNMC) provides centralized multi-device and policy
management for Cisco Network Virtual Services. You can integrate Cisco VNMC with &PRODUCT; to
leverage the firewall and NAT service offered by ASA 1000v Cloud Firewall. Use it in a Cisco
Nexus 1000v dvSwitch-enabled cluster in &PRODUCT;. In such a deployment, you will be able to: </para>
<itemizedlist>
<listitem>
<para>Configure Cisco ASA 1000v firewalls. You can configure one per guest network.</para>
</listitem>
<listitem>
<para>Use Cisco ASA 1000v firewalls to create and apply security profiles that contain ACL
policy sets for both ingress and egress traffic.</para>
</listitem>
<listitem>
<para>Use Cisco ASA 1000v firewalls to create and apply Source NAT, Port Forwarding, and
Static NAT policy sets.</para>
</listitem>
</itemizedlist>
<para>&PRODUCT; supports Cisco VNMC on Cisco Nexus 1000v dvSwitch-enabled VMware
hypervisors.</para>
<section id="deploy-vnmc">
<title>Using Cisco ASA 1000v Firewall, Cisco Nexus 1000v dvSwitch, and Cisco VNMC in a
Deployment</title>
<section id="notes-vnmc">
<title>Guidelines</title>
<itemizedlist>
<listitem>
<para>Cisco ASA 1000v firewall is supported only in Isolated Guest Networks.</para>
</listitem>
<listitem>
<para>Cisco ASA 1000v firewall is not supported on VPC.</para>
</listitem>
<listitem>
<para>Cisco ASA 1000v firewall is not supported for load balancing.</para>
</listitem>
<listitem>
<para>When a guest network is created with Cisco VNMC firewall provider, an additional
public IP is acquired along with the Source NAT IP. The Source NAT IP is used for the
rules, whereas the additional IP is used for the ASA outside interface. Ensure that
this additional public IP is not released. You can identify this IP as soon as the
network is in implemented state and before acquiring any further public IPs. The
additional IP is the one that is not marked as Source NAT. You can find the IP used for
the ASA outside interface by looking at the Cisco VNMC used in your guest
network.</para>
</listitem>
<listitem>
<para>Use the public IP address range from a single subnet. You cannot add IP addresses
from different subnets.</para>
</listitem>
<listitem>
<para>Only one ASA instance per VLAN is allowed because multiple VLANS cannot be trunked
to ASA ports. Therefore, you can use only one ASA instance in a guest network.</para>
</listitem>
<listitem>
<para>Only one Cisco VNMC per zone is allowed.</para>
</listitem>
<listitem>
<para>Supported only in Inline mode deployment with load balancer.</para>
</listitem>
<listitem>
<para>The ASA firewall rule is applicable to all the public IPs in the guest network.
Unlike the firewall rules created on virtual router, a rule created on the ASA device is
not tied to a specific public IP.</para>
</listitem>
<listitem>
<para>Use a version of Cisco Nexus 1000v dvSwitch that supports the vservice command. For
example: nexus-1000v.4.2.1.SV1.5.2b.bin</para>
<para>Cisco VNMC requires the vservice command to be available on the Nexus switch to
create a guest network in &PRODUCT;. </para>
</listitem>
</itemizedlist>
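<para>The identification check described in the guideline on the additional public IP, as an added example that is not CloudStack project code: given public IP records shaped like the listPublicIpAddresses API response (the field names ipaddress, issourcenat and associatednetworkid are assumed, and the sample records are constructed), it picks out the ASA outside-interface IP while the network is freshly implemented and refuses to treat it, or the Source NAT IP, as releasable.</para>

```python
"""Find and protect the extra public IP that a VNMC-backed guest network acquires
for the ASA 1000v outside interface (added example, not CloudStack project code).

Assumes records shaped like the listPublicIpAddresses response; field names
``ipaddress``, ``issourcenat`` and ``associatednetworkid`` are assumptions.
"""

# Constructed sample: a freshly implemented network shows one Source NAT IP
# plus one extra IP, which is the one the ASA outside interface uses.
SAMPLE_IPS = [
    {"ipaddress": "203.0.113.10", "issourcenat": True, "associatednetworkid": "net-1"},
    {"ipaddress": "203.0.113.11", "issourcenat": False, "associatednetworkid": "net-1"},
]


def find_asa_outside_ip(ips, network_id, network_state):
    """Return the ASA outside-interface IP, or None if it cannot be identified.

    The method is only reliable while the network is in Implemented state and
    no further public IPs have been acquired: then exactly one non-Source-NAT
    IP belongs to the network. Once more IPs exist, the extra IP cannot be told
    apart from user-acquired ones this way, so None is returned, not a guess.
    Record the IP the first time this returns a value.
    """
    if network_state != "Implemented":
        return None
    candidates = [
        rec["ipaddress"] for rec in ips
        if rec.get("associatednetworkid") == network_id and not rec.get("issourcenat")
    ]
    return candidates[0] if len(candidates) == 1 else None


def is_safe_to_release(ip_to_release, ips, network_id, network_state):
    """Conservative pre-release check for a public IP of a VNMC-backed network.

    Refuses the Source NAT IP and the ASA outside-interface IP. When the ASA IP
    cannot be identified, every non-Source-NAT IP is refused as well, because
    any of them might be the one the ASA depends on.
    """
    in_network = [rec for rec in ips if rec.get("associatednetworkid") == network_id]
    record = next((rec for rec in in_network if rec["ipaddress"] == ip_to_release), None)
    if record is None or record.get("issourcenat"):
        return False
    asa_ip = find_asa_outside_ip(ips, network_id, network_state)
    if asa_ip is None:
        return False
    return ip_to_release != asa_ip
```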
</section>
<section id="prereq-asa">
<title>Prerequisites</title>
<orderedlist>
<listitem>
<para>Configure Cisco Nexus 1000v dvSwitch in a vCenter environment.</para>
<para>Create Port profiles for both internal and external network interfaces on Cisco
Nexus 1000v dvSwitch. Note down the inside port profile, which needs to be provided
while adding the ASA appliance to &PRODUCT;.</para>
<para>For information on configuration, see <xref
linkend="vmware-vsphere-cluster-config-nexus-vswitch"/>.</para>
</listitem>
<listitem>
<para>Deploy and configure Cisco VNMC.</para>
<para>For more information, see <ulink
url="http://www.cisco.com/en/US/docs/switches/datacenter/vsg/sw/4_2_1_VSG_2_1_1/install_upgrade/guide/b_Cisco_VSG_for_VMware_vSphere_Rel_4_2_1_VSG_2_1_1_and_Cisco_VNMC_Rel_2_1_Installation_and_Upgrade_Guide_chapter_011.html"
>Installing Cisco Virtual Network Management Center</ulink> and <ulink
url="http://www.cisco.com/en/US/docs/unified_computing/vnmc/sw/1.2/VNMC_GUI_Configuration/b_VNMC_GUI_Configuration_Guide_1_2_chapter_010.html"
>Configuring Cisco Virtual Network Management Center</ulink>.</para>
</listitem>
<listitem>
<para>Register Cisco Nexus 1000v dvSwitch with Cisco VNMC.</para>
<para>For more information, see <ulink
url="http://www.cisco.com/en/US/docs/switches/datacenter/vsg/sw/4_2_1_VSG_1_2/vnmc_and_vsg_qi/guide/vnmc_vsg_install_5register.html#wp1064301"
>Registering a Cisco Nexus 1000V with Cisco VNMC</ulink>.</para>
</listitem>
<listitem>
<para>Create Inside and Outside port profiles in Cisco Nexus 1000v dvSwitch.</para>
<para>For more information, see <xref
linkend="vmware-vsphere-cluster-config-nexus-vswitch"/>.</para>
</listitem>
<listitem>
<para>Deploy a Cisco ASA 1000v appliance.</para>
<para>For more information, see <ulink
url="http://www.cisco.com/en/US/docs/security/asa/quick_start/asa1000V/setup_vnmc.html"
>Setting Up the ASA 1000V Using VNMC</ulink>.</para>
<para>Typically, you create a pool of ASA 1000v appliances and register them with
&PRODUCT;.</para>
<para>Specify the following while setting up a Cisco ASA 1000v instance:</para>
<itemizedlist>
<listitem>
<para>VNMC host IP. </para>
</listitem>
<listitem>
<para>Ensure that you add ASA appliance in VNMC mode.</para>
</listitem>
<listitem>
<para>Port profiles for the Management and HA network interfaces. These need to be
pre-created on Cisco Nexus 1000v dvSwitch.</para>
</listitem>
<listitem>
<para>Internal and external port profiles.</para>
</listitem>
<listitem>
<para>The Management IP for Cisco ASA 1000v appliance. Specify the gateway such that
the VNMC IP is reachable.</para>
</listitem>
<listitem>
<para>Administrator credentials</para>
</listitem>
<listitem>
<para>VNMC credentials</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>Register Cisco ASA 1000v with VNMC.</para>
<para>After Cisco ASA 1000v instance is powered on, register VNMC from the ASA
console.</para>
</listitem>
</orderedlist>
</section>
<section id="how-to-asa">
<title>Using Cisco ASA 1000v Services</title>
<orderedlist>
<listitem>
<para>Ensure that all the prerequisites are met.</para>
<para>See <xref linkend="prereq-asa"/>.</para>
</listitem>
<listitem>
<para>Add a VNMC instance.</para>
<para>See <xref linkend="add-vnmc"/>.</para>
</listitem>
<listitem>
<para>Add an ASA 1000v instance.</para>
<para>See <xref linkend="add-asa"/>.</para>
</listitem>
<listitem>
<para>Create a Network Offering and use Cisco VNMC as the service provider for desired
services.</para>
<para>See <xref linkend="asa-offering"/>.</para>
</listitem>
<listitem>
<para>Create an Isolated Guest Network by using the network offering you just
created.</para>
</listitem>
</orderedlist>
</section>
</section>
<section id="add-vnmc">
<title>Adding a VNMC Instance</title>
<orderedlist>
<listitem>
<para>Log in to the &PRODUCT; UI as administrator.</para>
</listitem>
<listitem>
<para>In the left navigation bar, click Infrastructure.</para>
</listitem>
<listitem>
<para>In Zones, click View More.</para>
</listitem>
<listitem>
<para>Choose the zone you want to work with.</para>
</listitem>
<listitem>
<para>Click the Physical Network tab.</para>
</listitem>
<listitem>
<para>In the Network Service Providers node of the diagram, click Configure. </para>
<para>You might have to scroll down to see this.</para>
</listitem>
<listitem>
<para>Click Cisco VNMC.</para>
</listitem>
<listitem>
<para>Click View VNMC Devices.</para>
</listitem>
<listitem>
<para>Click the Add VNMC Device and provide the following:</para>
<itemizedlist>
<listitem>
<para>Host: The IP address of the VNMC instance.</para>
</listitem>
<listitem>
<para>Username: The user name of the account on the VNMC instance that &PRODUCT; should
use.</para>
</listitem>
<listitem>
<para>Password: The password of the account.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>Click OK.</para>
</listitem>
</orderedlist>
</section>
<section id="add-asa">
<title>Adding an ASA 1000v Instance</title>
<orderedlist>
<listitem>
<para>Log in to the &PRODUCT; UI as administrator.</para>
</listitem>
<listitem>
<para>In the left navigation bar, click Infrastructure.</para>
</listitem>
<listitem>
<para>In Zones, click View More.</para>
</listitem>
<listitem>
<para>Choose the zone you want to work with.</para>
</listitem>
<listitem>
<para>Click the Physical Network tab.</para>
</listitem>
<listitem>
<para>In the Network Service Providers node of the diagram, click Configure. </para>
<para>You might have to scroll down to see this.</para>
</listitem>
<listitem>
<para>Click Cisco VNMC.</para>
</listitem>
<listitem>
<para>Click View ASA 1000v.</para>
</listitem>
<listitem>
<para>Click the Add CiscoASA1000v Resource and provide the following:</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">Host</emphasis>: The management IP address of the ASA 1000v
instance. The IP address is used to connect to ASA 1000V.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Inside Port Profile</emphasis>: The Inside Port Profile
configured on Cisco Nexus1000v dvSwitch.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Cluster</emphasis>: The VMware cluster to which you are
adding the ASA 1000v instance.</para>
<para>Ensure that the cluster is Cisco Nexus 1000v dvSwitch enabled.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>Click OK.</para>
</listitem>
</orderedlist>
</section>
<section id="asa-offering">
<title>Creating a Network Offering Using Cisco ASA 1000v</title>
<para>To have Cisco ASA 1000v support for a guest network, create a network offering as follows: </para>
<orderedlist>
<listitem>
<para>Log in to the &PRODUCT; UI as a user or admin.</para>
</listitem>
<listitem>
<para>From the Select Offering drop-down, choose Network Offering.</para>
</listitem>
<listitem>
<para>Click Add Network Offering.</para>
</listitem>
<listitem>
<para>In the dialog, make the following choices:</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">Name</emphasis>: Any desired name for the network
offering.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Description</emphasis>: A short description of the offering
that can be displayed to users.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Network Rate</emphasis>: Allowed data transfer rate in MB
per second.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Traffic Type</emphasis>: The type of network traffic that
will be carried on the network.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Guest Type</emphasis>: Choose whether the guest network is
isolated or shared.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Persistent</emphasis>: Indicate whether the guest network is
persistent or not. The network that you can provision without having to deploy a VM on
it is termed persistent network. </para>
</listitem>
<listitem>
<para><emphasis role="bold">VPC</emphasis>: This option indicates whether the guest
network is Virtual Private Cloud-enabled. A Virtual Private Cloud (VPC) is a private,
isolated part of &PRODUCT;. A VPC can have its own virtual network topology that
resembles a traditional physical network. For more information on VPCs, see <xref
linkend="vpc"/>.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Specify VLAN</emphasis>: (Isolated guest networks only)
Indicate whether a VLAN should be specified when this offering is used.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Supported Services</emphasis>: Use Cisco VNMC as the service
provider for Firewall, Source NAT, Port Forwarding, and Static NAT to create an
Isolated guest network offering.</para>
</listitem>
<listitem>
<para><emphasis role="bold">System Offering</emphasis>: Choose the system service
offering that you want virtual routers to use in this network.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Conserve mode</emphasis>: Indicate whether to use conserve
mode. In this mode, network resources are allocated only when the first virtual
machine starts in the network.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>Click OK.</para>
<para>The network offering is created.</para>
</listitem>
</orderedlist>
</section>
<section id="reuse-asa">
<title>Reusing ASA 1000v Appliance in new Guest Networks</title>
<para>You can reuse an ASA 1000v appliance in a new guest network after the necessary cleanup.
Typically, ASA 1000v is cleaned up when the logical edge firewall is cleaned up in VNMC. If
this cleanup does not happen, you need to reset the appliance to its factory settings for use
in new guest networks. As part of this, enable SSH on the appliance and store the SSH
credentials by registering on VNMC.</para>
<orderedlist>
<listitem>
<para>Open a command line on the ASA appliance:</para>
<orderedlist>
<listitem>
<para>Run the following:</para>
<programlisting>ASA1000V(config)# reload</programlisting>
<para>You are prompted with the following message:</para>
<programlisting>System config has been modified. Save? [Y]es/[N]o:</programlisting>
</listitem>
<listitem>
<para>Enter N.</para>
<para>You will get the following confirmation message:</para>
<programlisting>Proceed with reload? [confirm]</programlisting>
</listitem>
<listitem>
<para>Restart the appliance.</para>
</listitem>
</orderedlist>
</listitem>
<listitem>
<para>Register the ASA 1000v appliance with the VNMC:</para>
<programlisting>ASA1000V(config)# vnmc policy-agent
ASA1000V(config-vnmc-policy-agent)# registration host vnmc_ip_address
ASA1000V(config-vnmc-policy-agent)# shared-secret key</programlisting>
<para>Here, vnmc_ip_address is the IP address of the Cisco VNMC, and key is the shared secret
for authentication of the ASA 1000V connection to the Cisco VNMC.</para>
</listitem>
</orderedlist>
</section>
</section>