Revert "<message>" This reverts commit 5dd14f322c7332ebb5b9aee22f84209763e891e8.
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/bb59c1e3 Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/bb59c1e3 Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/bb59c1e3 Branch: refs/heads/api_limit Commit: bb59c1e38529ac704eedc0b9ebd759313e60532d Parents: 5dd14f3 Author: Pranav Saxena <[email protected]> Authored: Fri Jan 11 15:51:28 2013 +0530 Committer: Pranav Saxena <[email protected]> Committed: Fri Jan 11 15:51:28 2013 +0530 ---------------------------------------------------------------------- docs/en-US/external-guest-firewall-integration.xml | 53 +++-- docs/en-US/external-guest-lb-integration.xml | 4 +- docs/en-US/hardware-firewall.xml | 9 +- docs/en-US/images/add-netscaler.png | Bin 22777 -> 0 bytes docs/en-US/images/parallel-inline-mode.png | Bin 145392 -> 0 bytes docs/en-US/inline-config-lb-fw.xml | 173 --------------- docs/en-US/lb-services.xml | 25 -- docs/en-US/management-server-lb.xml | 12 +- docs/en-US/network-setup.xml | 12 +- 9 files changed, 48 insertions(+), 240 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/bb59c1e3/docs/en-US/external-guest-firewall-integration.xml ---------------------------------------------------------------------- diff --git a/docs/en-US/external-guest-firewall-integration.xml b/docs/en-US/external-guest-firewall-integration.xml index bd9ac60..0b34dca 100644 --- a/docs/en-US/external-guest-firewall-integration.xml +++ b/docs/en-US/external-guest-firewall-integration.xml 
@@ -21,16 +21,23 @@ <section id="external-guest-firewall-integration"> <title>External Guest Firewall Integration for Juniper SRX (Optional)</title> <note> - <para>Available only for guests using advanced networking, both shared and isolated.</para> + <para>Available only for guests using advanced networking.</para> </note> <para>&PRODUCT; provides for direct management of the Juniper SRX series of firewalls. This - enables &PRODUCT; to establish staticNAT mappings from public IPs to guest VMs, and to use the - Juniper device in place of the virtual router for firewall services. You can have only one - Juniper SRX device per zone. This feature is optional. If Juniper integration is not - provisioned, &PRODUCT; will use the virtual router for these services.</para> + enables &PRODUCT; to establish static NAT mappings from public IPs to guest VMs, and to use + the Juniper device in place of the virtual router for firewall services. You can have one or + more Juniper SRX per zone. This feature is optional. If Juniper integration is not provisioned, + &PRODUCT; will use the virtual router for these services.</para> <para>The Juniper SRX can optionally be used in conjunction with an external load balancer. - External Network elements can be deployed in a side-by-side or inline configuration. For more - information, see <xref linkend="inline-config-lb-fw"/>.</para> + External Network elements can be deployed in a side-by-side or inline configuration.</para> + <mediaobject> + <imageobject> + <imagedata fileref="./images/parallel-mode.png"/> + </imageobject> + <textobject> + <phrase>parallel-mode.png: adding a firewall and load balancer in parallel mode.</phrase> + </textobject> + </mediaobject> <para>&PRODUCT; requires the Juniper to be configured as follows:</para> <note> <para>Supported SRX software version is 10.3 or higher.</para> 
@@ -51,22 +58,22 @@ <para>Record the public and private interface names. If you used a VLAN for the public interface, add a ".[VLAN TAG]" after the interface name. For example, if you are using ge-0/0/3 for your public interface and VLAN tag 301, your public interface name would be - "ge-0/0/3.301". Your private interface name should always be untagged because the &PRODUCT; - software automatically creates tagged logical interfaces.</para> + "ge-0/0/3.301". Your private interface name should always be untagged because the + &PRODUCT; software automatically creates tagged logical interfaces.</para> </listitem> <listitem> - <para>Create a public security zone and a private security zone. By default, these already - exist and are called "untrust" and "trust" zones. Add the public interface to the public - zone. &PRODUCT;automatically adds the private interface to private zone (trusted zone). Note - down the security zone names.</para> + <para>Create a public security zone and a private security zone. By default, these will + already exist and will be called "untrust" and "trust". Add the public interface to the + public zone and the private interface to the private zone. Note down the security zone + names.</para> </listitem> <listitem> <para>Make sure there is a security policy from the private zone to the public zone that allows all traffic.</para> </listitem> <listitem> - <para>Note the username and password of the account you want the &PRODUCT; software to log in - to when it is programming rules.</para> + <para>Note the username and password of the account you want the &PRODUCT; software to log + in to when it is programming rules.</para> </listitem> <listitem> <para>Make sure the "ssh" and "xnm-clear-text" system services are enabled.</para> 
@@ -117,13 +124,13 @@ filter untrust { <para>In the left navigation bar, click Infrastructure.</para> </listitem> <listitem> - <para>In Zones, click View All.</para> + <para>In Zones, click View More.</para> </listitem> <listitem> <para>Choose the zone you want to work with.</para> </listitem> <listitem> - <para>Click the Physical Network tab.</para> + <para>Click the Network tab.</para> </listitem> <listitem> <para>In the Network Service Providers node of the diagram, click Configure. (You might have @@ -153,6 +160,10 @@ filter untrust { ge-0/0/1. </para> </listitem> <listitem> + <para>Usage Interface: (Optional) Typically, the public interface is used to meter + traffic. If you want to use a different interface, specify its name here</para> + </listitem> + <listitem> <para>Number of Retries: The number of times to attempt a command on the SRX before failing. The default value is 2.</para> </listitem> @@ -169,12 +180,12 @@ filter untrust { untrust.</para> </listitem> <listitem> - <para>Capacity: The number of networks the device can handle.</para> + <para>Capacity: The number of networks the device can handle</para> </listitem> <listitem> <para>Dedicated: When marked as dedicated, this device will be dedicated to a single account. When Dedicated is checked, the value in the Capacity field has no significance - implicitly, its value is 1.</para> + implicitly, its value is 1</para> </listitem> </itemizedlist> </listitem> 
@@ -183,8 +194,8 @@ filter untrust { </listitem> <listitem> <para>Click Global Settings. Set the parameter external.network.stats.interval to indicate how - often you want &PRODUCT; to fetch network usage statistics from the Juniper SRX. If you are - not using the SRX to gather network usage statistics, set to 0.</para> + often you want &PRODUCT; to fetch network usage statistics from the Juniper SRX. If you + are not using the SRX to gather network usage statistics, set to 0.</para> </listitem> </orderedlist> </section> http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/bb59c1e3/docs/en-US/external-guest-lb-integration.xml ---------------------------------------------------------------------- diff --git a/docs/en-US/external-guest-lb-integration.xml b/docs/en-US/external-guest-lb-integration.xml index acbb514..5760f95 100644 --- a/docs/en-US/external-guest-lb-integration.xml +++ b/docs/en-US/external-guest-lb-integration.xml @@ -20,12 +20,10 @@ --> <section id="external-guest-lb-integration"> <title>External Guest Load Balancer Integration (Optional)</title> - <note> - <para>External load balancer devices are not supported in shared networks.</para> - </note> <para>&PRODUCT; can optionally use a Citrix NetScaler or BigIP F5 load balancer to provide load balancing services to guests. If this is not enabled, &PRODUCT; will use the software load balancer in the virtual router.</para> + <para>To install and enable an external load balancer for &PRODUCT; management:</para> <orderedlist> <listitem> <para>Set up the appliance according to the vendor's directions.</para> http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/bb59c1e3/docs/en-US/hardware-firewall.xml ---------------------------------------------------------------------- diff --git a/docs/en-US/hardware-firewall.xml b/docs/en-US/hardware-firewall.xml index 28269cc..df0568a 100644 --- a/docs/en-US/hardware-firewall.xml +++ b/docs/en-US/hardware-firewall.xml 
@@ -22,11 +22,8 @@ <title>Hardware Firewall</title> <para>All deployments should have a firewall protecting the management server; see Generic Firewall Provisions. Optionally, some deployments may also have a Juniper SRX firewall that will - be the default gateway for the guest networks; see <xref - linkend="external-guest-firewall-integration"/>.</para> + be the default gateway for the guest networks; see <xref linkend="external-guest-firewall-integration"/>.</para> <xi:include href="generic-firewall-provisions.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> - <xi:include href="external-guest-firewall-integration.xml" - xmlns:xi="http://www.w3.org/2001/XInclude"/> - <xi:include href="lb-services.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> - <xi:include href="inline-config-lb-fw.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> + <xi:include href="external-guest-firewall-integration.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> + <xi:include href="external-guest-lb-integration.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> </section> http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/bb59c1e3/docs/en-US/images/add-netscaler.png ---------------------------------------------------------------------- diff --git a/docs/en-US/images/add-netscaler.png b/docs/en-US/images/add-netscaler.png deleted file mode 100644 index 53c1344..0000000 Binary files a/docs/en-US/images/add-netscaler.png and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/bb59c1e3/docs/en-US/images/parallel-inline-mode.png ---------------------------------------------------------------------- 
diff --git a/docs/en-US/images/parallel-inline-mode.png b/docs/en-US/images/parallel-inline-mode.png deleted file mode 100644 index c0c1555..0000000 Binary files a/docs/en-US/images/parallel-inline-mode.png and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/bb59c1e3/docs/en-US/inline-config-lb-fw.xml ---------------------------------------------------------------------- diff --git a/docs/en-US/inline-config-lb-fw.xml b/docs/en-US/inline-config-lb-fw.xml deleted file mode 100644 index dada3ff..0000000 --- a/docs/en-US/inline-config-lb-fw.xml +++ /dev/null 
@@ -1,173 +0,0 @@ -<?xml version='1.0' encoding='utf-8' ?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ -<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent"> -%BOOK_ENTITIES; -]> -<!-- Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 - Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. ---> -<section id="inline-config-lb-fw"> - <title>Configuring Network Devices in Inline and Side by Side Modes</title> - <para>The external network elements, such as load balancer and firewall devices, supported in - &PRODUCT; can be deployed in either of the following modes: Side by Side and Inline. Inline mode - was originally supported in &PRODUCT; 2.2.x versions, and is now added back in the 3.0.6 - release.</para> - <para>In Inline mode, one firewall device is placed in front of a load balancing device. The - firewall acts as the gateway for all incoming traffic, then redirect the load balancing traffic - to the load balancer behind it. The load balancer in this case will not have the direct access - to the public network. 
Deploying network devices in Inline mode ensures that the resources are - protected.</para> - <mediaobject> - <imageobject> - <imagedata fileref="./images/parallel-inline-mode.png"/> - </imageobject> - <textobject> - <phrase>parallel-inline-mode.png: external networks in different deployment modes</phrase> - </textobject> - </mediaobject> - <para>In Side by Side mode, a firewall device is deployed in parallel with the load balancer - device. So the traffic to the load balancer public IP is not routed through the firewall, and - therefore, is exposed to the public network. </para> - <mediaobject> - <imageobject> - <imagedata fileref="./images/parallel-mode.png"/> - </imageobject> - <textobject> - <phrase>parallel-mode.png: adding a firewall and load balancer in side by side mode</phrase> - </textobject> - </mediaobject> - <para>The following table gives you an overview of the supported services and devices for inline - and side by side mode.</para> - <informaltable> - <tgroup cols="4" align="left" colsep="1" rowsep="1"> - <colspec colwidth="1.08*" colname="c1" colnum="1"/> - <colspec colwidth="1.2*" colname="c2" colnum="2"/> - <colspec colnum="3" colname="c3" colwidth="1.0*"/> - <colspec colnum="4" colname="c4" colwidth="5.15*"/> - <thead> - <row> - <entry><para>Mode</para></entry> - <entry><para>Firewall</para></entry> - <entry><para>Load Balancer</para></entry> - <entry><para>Supported</para></entry> - </row> - </thead> - <tbody> - <row> - <entry><para>Side by Side</para></entry> - <entry><para>Virtual Router</para></entry> - <entry><para>F5</para></entry> - <entry><para>Yes</para></entry> - </row> - <row> - <entry><para>Side by Side</para></entry> - <entry><para>Virtual Router</para></entry> - <entry><para>Virtual Router</para></entry> - <entry><para>Yes</para></entry> - </row> - <row> - <entry><para>Side by Side</para></entry> - <entry><para>Virtual Router</para></entry> - <entry><para>NetScaler</para></entry> - <entry><para>Yes</para></entry> - </row> - <row> - 
<entry><para>Side by Side</para></entry> - <entry><para>Juniper SRX</para></entry> - <entry><para>F5</para></entry> - <entry><para>Yes</para></entry> - </row> - <row> - <entry><para>Side by Side</para></entry> - <entry><para>Juniper SRX</para></entry> - <entry><para>NetScaler</para></entry> - <entry><para>Yes</para></entry> - </row> - <row> - <entry><para>Inline</para></entry> - <entry><para>Virtual Router</para></entry> - <entry><para>F5</para></entry> - <entry><para>No</para></entry> - </row> - <row> - <entry><para>Inline</para></entry> - <entry><para>Virtual Router</para></entry> - <entry><para>NetScaler</para></entry> - <entry><para>No</para></entry> - </row> - <row> - <entry><para>Inline</para></entry> - <entry><para>Juniper SRX</para></entry> - <entry><para>F5</para></entry> - <entry><para>Yes</para></entry> - </row> - <row> - <entry><para>Inline</para></entry> - <entry><para>Juniper SRX</para></entry> - <entry><para>NetScaler</para></entry> - <entry><para>No</para></entry> - </row> - <row> - <entry><para>Inline</para></entry> - <entry><para>Juniper SRX</para></entry> - <entry><para>Virtual Router</para></entry> - <entry><para>No</para></entry> - </row> - </tbody> - </tgroup> - </informaltable> - <para>To configure SRX and F5 in Inline mode:</para> - <orderedlist> - <listitem> - <para>Configure F5 Big IP and Juniper SRX.</para> - <para>See the respective product documentation for more information.</para> - </listitem> - <listitem> - <para>Add SRX and F5 to the same zone in &PRODUCT;.</para> - <note> - <para>Ensure that you select per zone sourceNAT when creating the network offering. When - adding F5 BigIP, do not make it a dedicated device.</para> - </note> - </listitem> - <listitem> - <para>Enable both the devices.</para> - </listitem> - <listitem> - <para>Create a network offering:</para> - <para>Use SRX as provider for Firewall, Port Forwarding, SourceNAT, and StaticNat. Select F5 - BigIP as the service provider for Load Balancing. 
Use Virtual Router as the service provider - for DNS, DHCP, user data.</para> - </listitem> - <listitem> - <para>Select Inline mode.</para> - <para>For more information, see <phrase condition="admin"><xref - linkend="creating-network-offerings"/>.</phrase> - <phrase condition="install">Creating Network Offerings in the Administration Guide.</phrase> - </para> - </listitem> - <listitem> - <para>Start a new VM with this new network offering.</para> - </listitem> - <listitem> - <para>Add firewall and load balancing rules. For more information, see <phrase - condition="admin"><xref linkend="add-load-balancer-rule"/></phrase> - <phrase condition="install">Adding a Load Balancer Rule</phrase> and <phrase - condition="admin"><xref linkend="firewall-rules"/>.</phrase> - <phrase condition="install">IP Forwarding and Firewalling in the Administration - Guide.</phrase> - </para> - </listitem> - </orderedlist> -</section> http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/bb59c1e3/docs/en-US/lb-services.xml ---------------------------------------------------------------------- diff --git a/docs/en-US/lb-services.xml b/docs/en-US/lb-services.xml deleted file mode 100644 index 3bb79db..0000000 --- a/docs/en-US/lb-services.xml +++ /dev/null 
@@ -1,25 +0,0 @@ -<?xml version='1.0' encoding='utf-8' ?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ -<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent"> -%BOOK_ENTITIES; -]> -<!-- Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 - Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. ---> -<section id="lb-services"> - <title>Load Balancing Services</title> - <xi:include href="external-guest-lb-integration.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> - <xi:include href="management-server-lb.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> -</section> http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/bb59c1e3/docs/en-US/management-server-lb.xml ---------------------------------------------------------------------- diff --git a/docs/en-US/management-server-lb.xml b/docs/en-US/management-server-lb.xml index f427578..85a8622 100644 --- a/docs/en-US/management-server-lb.xml +++ b/docs/en-US/management-server-lb.xml 
@@ -19,12 +19,12 @@ under the License. --> <section id="management-server-lb"> - <title>Management Server Load Balancing</title> - <para>&PRODUCT; can use a load balancer to provide a virtual IP for multiple Management Servers. - The administrator is responsible for creating the load balancer rules for the Management - Servers. The application requires persistence or stickiness across multiple sessions. The - following chart lists the ports that should be load balanced and whether or not persistence is - required.</para> + <title>Setting Zone VLAN and Running VM Maximums</title> + <para>&PRODUCT; can use a load balancer to provide a virtual IP for multiple Management + Servers. The administrator is responsible for creating the load balancer rules for the + Management Servers. The application requires persistence or stickiness across multiple sessions. + The following chart lists the ports that should be load balanced and whether or not persistence + is required.</para> <para>Even if persistence is not required, enabling it is permitted.</para> <informaltable> <tgroup cols="4" align="left" colsep="1" rowsep="1"> http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/bb59c1e3/docs/en-US/network-setup.xml ---------------------------------------------------------------------- diff --git a/docs/en-US/network-setup.xml b/docs/en-US/network-setup.xml index 192c8e2..ceee190 100644 --- a/docs/en-US/network-setup.xml +++ b/docs/en-US/network-setup.xml 
@@ -20,16 +20,16 @@ --> <chapter id="network-setup"> <title>Network Setup</title> - <para>Achieving the correct networking setup is crucial to a successful &PRODUCT; installation. - This section contains information to help you make decisions and follow the right procedures to - get your network set up correctly.</para> + <para>Achieving the correct networking setup is crucial to a successful &PRODUCT; + installation. This section contains information to help you make decisions and follow the right + procedures to get your network set up correctly.</para> <xi:include href="basic-adv-networking.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> <xi:include href="vlan-allocation-eg.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> <xi:include href="hardware-config-eg.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> <xi:include href="layer2-switch.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> <xi:include href="hardware-firewall.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> + <xi:include href="management-server-lb.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> <xi:include href="topology-req.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> - <xi:include href="guest-nw-usage-with-traffic-sentinel.xml" - xmlns:xi="http://www.w3.org/2001/XInclude"/> + <xi:include href="guest-nw-usage-with-traffic-sentinel.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> <xi:include href="set-zone-vlan-run-vm-max.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> -</chapter> + </chapter>
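Review bot: In docs/en-US/external-guest-firewall-integration.xml, first hunk (-21,16), the restored paragraph still says external network elements "can be deployed in a side-by-side or inline configuration", but the xref to inline-config-lb-fw is dropped and that file is deleted later in this same commit. Inline mode is then mentioned with nothing left to explain it, and the only figure is parallel-mode.png. Either remove the word "inline" here or keep a short description of both modes. The hunk also changes "only one Juniper SRX device per zone" to "one or more Juniper SRX per zone" and drops "both shared and isolated" from the note; the commit message should say whether those statements are meant to be reverted as well.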
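Review bot: In the -51,22 hunk of external-guest-firewall-integration.xml, the security-zone step now contradicts the text it replaces: the reverted wording tells the administrator to add "the private interface to the private zone" by hand, while the removed wording said &PRODUCT; adds it automatically. Only one of these can match the behaviour on this branch, so please confirm which and keep that one. The remaining changes in the hunk are re-wrapping only and hide this one substantive edit; consider leaving the line breaks alone. While this list is being touched, the steps that record the login account and enable "xnm-clear-text" would benefit from a sentence saying the SRX management interface should be reachable only from the Management Server, since that service is not encrypted.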
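Review bot: In the -169,12 hunk of external-guest-firewall-integration.xml, the revert removes the terminal periods from the Capacity and Dedicated items ("The number of networks the device can handle" and "implicitly, its value is 1"), while the neighbouring list items end with one. Keep the periods, and while there, separate "has no significance" from "implicitly, its value is 1" with punctuation, because as written it reads as a single run-on clause.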
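Review bot: In docs/en-US/external-guest-lb-integration.xml, the note "External load balancer devices are not supported in shared networks." is removed with no replacement. If the restriction still applies on this branch, this was the only place the section stated it, and an operator could plan a shared network around a device that will not work there. Keep the note, or explain in the commit message why it no longer holds.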
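Review bot: Deleting docs/en-US/inline-config-lb-fw.xml removes the only statement of the exposure difference between the two modes: that in Side by Side mode "the traffic to the load balancer public IP is not routed through the firewall, and therefore, is exposed to the public network", and that in Inline mode the load balancer has no direct access to the public network. external-guest-firewall-integration.xml still names both modes after this commit, so a reader choosing between them no longer sees that trade-off, nor the support table for firewall and load balancer combinations. If the revert is intentional, carry at least the side-by-side exposure caveat over into the firewall integration section.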
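Review bot: In docs/en-US/management-server-lb.xml the title becomes "Setting Zone VLAN and Running VM Maximums", which matches neither the section id "management-server-lb" nor the body, which is about load balancing multiple Management Servers and port persistence. This looks like a copy error carried back by the revert. network-setup.xml also includes set-zone-vlan-run-vm-max.xml, whose file name suggests it already owns that title, so the chapter could end up with two sections under the same heading. Keep "Management Server Load Balancing".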
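Review bot: In docs/en-US/network-setup.xml the closing tag changes from "</chapter>" at column 0 to an indented " </chapter>", which no longer lines up with the opening chapter tag. Apart from the added management-server-lb.xml include, the rest of the hunk only re-wraps the paragraph and joins the traffic-sentinel include onto one line; dropping those whitespace edits would leave the one functional line easy to see.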
