One request: Some answers seem guarded: "seems", "maybe", "probably". Of course we may not have all answers, but how do we track these uncertainties as they get resolved?
On 10/12/12 10:56 AM, "Sheng Yang" <sh...@yasker.org> wrote:

> Hi Sanjeev,
>
> On Fri, Oct 12, 2012 at 4:52 AM, Sanjeev Neelarapu <sanjeev.neelar...@citrix.com> wrote:
>> Sheng,
>>
>> Following are the review comments on network-inline mode functional spec:
>> 1. Feature Specifications:
>> Only support "per zone" (shared) Source NAT for SRX: Does this mean traffic initiated from all the accounts guest vms will use only one ip as source IP?
>
> Yes.
>
>> 2. Is it supported in upgraded environment?
>
> No.
>
>> 3. After upgrade from 2.2.x to 3.0.x can we change parallel mode deployment to inline mode (since we don't support upgrade from 2.2.x inline mode)?
>
> No. Since the information is binding with F5 not the network offering, we cannot do that without adding a new F5 device.
>
> We can improve the feature later in future release to make it an option for network offering, thus we can change it for network.
>
>> 4. Can we create Static NAT and Load Balancing rule on the same public IP (since conserve mode is on)?
>
> No. We cannot support conserve mode. It's due to static nat rule created on SRX prevent other rule to be applied on the same ip.
>
>> 5. Is it supported in VPC (Instead of vpcVR can we use SRX for all the services in VPC Offering)?
>
> No.
>
>> 6. Are there any DB schema changes related to this feature?
>
> No.
>>
>> Following are review comments for "Remote access vpn on SRX":
>>
>> 1. Is it supported on Source NAT IP?
>
> We may have one change here - we may possibly only support source NAT ip (in fact the external public ip of SRX), because seems SRX didn't support using other IP to communicate with VPN gateway. I am still working on this to try to find a solution.
>>
>> 2. Is enabling Remote access vpn on SRX and adding VPN user supported only by Admin?
>
> Well, we have good reason to do so, since VPN is kind of precious resource on SRX (which user need to pay), but since network owned by the account, seems we still need to let user have the permission to do that.
>>
>> 3. Any manual configuration is required on SRX to enable this functionality?
>
> There are probably some manual configuration needed, e.g. set default policy for ike and ipsec. I am trying to keep it at minimal level.
>
> --Sheng
>>
>> Thanks,
>> Sanjeev
>>
>> From: Sheng Yang
>> Sent: Thursday, October 11, 2012 11:14 PM
>> To: Sanjeev Neelarapu
>> Cc: Haroon Abdelrahman; Sudha Ponnaganti; Srinivas Vejalla
>> Subject: RE: F5 SRX in inline mode and Remote access vpn on SRX
>>
>> They are already on cwiki.
>>
>> https://cwiki.apache.org/CLOUDSTACK/network-inline-mode-functional-spec.html
>>
>> https://cwiki.apache.org/CLOUDSTACK/remote-access-vpn-support-on-srx.html
>>
>> --Sheng
>>
>>
>> From: Sanjeev Neelarapu
>> Sent: Thursday, October 11, 2012 12:14 AM
>> To: Sheng Yang
>> Cc: Haroon Abdelrahman; Sudha Ponnaganti; Srinivas Vejalla
>> Subject: F5 SRX in inline mode and Remote access vpn on SRX
>>
>> Sheng,
>>
>> Can you place "F5 SRX in inline mode" and "Remote access vpn on SRX" FSs on cwiki, so that I can use them to share my review comments on ML.
>> At present "Remote access vpn on SRX" FS is missing from cloud stack wiki as well.
>>
>> Thanks,
>> Sanjeev