[
https://issues.apache.org/jira/browse/CLOUDSTACK-906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13744829#comment-13744829
]
Radhika Nair commented on CLOUDSTACK-906:
-----------------------------------------
Comments from Review (Koushik/Sailaja)
_______________________________
Work only on isolated.
Remove: connection timeout, TCP intercept:
Use case: they are not use cases. What is listed is how to, not use cases.
Check FS
Add that VNMC would work only on Nexus-enabled cluster.
Prerequisites: First configure Nexus in a vCenter environment (direct to the
link)
2nd – Deploy and configure VNMC
3rd – Register Nexus with VNMC
4th – Create inside and outside port profiles in Nexus. Direct to the CloudStack
Nexus doc
5th – Deploy and configure ASA
6th – Register ASA with VNMC
Ensure that all devices are time-synced
VNMC is the service provider for Firewall, through which CloudStack can
leverage firewall and Source NAT services - update
When Cisco VNMC is integrated with ASA 1000v Cloud Firewall and Cisco Nexus
1000v dvSwitch, you will be able to: (think about it..
Port profiles for both inside and outside network interfaces. These need to be
pre-created on the Nexus dvSwitch. Note down the inside port profile and provide
that while adding the ASA appliance to CloudStack.
Not required: ESX host IP and Standalone or HA mode
Add: VNMC Host IP (Add ASA in VNMC mode)
Ensure that the Cisco VNMC appliance is set up externally and then registered
with CloudStack by using the admin API (UI also). A single VNMC instance manages
multiple ASA 1000v appliances.
One VNMC per Zone
One ASA per guest network. VLAN id is treated as a Tenant. Each guest network
will have one VLAN ID, so one ASA per guest network
When a guest network is created with Cisco VNMC firewall provider, an
additional public IP is acquired
along with the Source NAT IP. The Source NAT IP is used for the rules, whereas
the additional IP is used for the ASA outside interface.
Ensure that this additional public IP is not released. You can identify this IP
as soon as the network is in implemented state and before acquiring
any further public IPs. The additional IP is the one that is not marked as
Source NAT. You can find the
IP used for the ASA outside interface by looking at the Cisco VNMC used in your
guest network.
Click the Physical Network tab.
Inside Port Profile: The Inside Port Profile configured on Cisco Nexus1000v
dvSwitch.
Sailaja/ Koushik : Nexus limitation – add, need Bug number
> [DOC] Document the firewall functionality of Cisco ASA 1000v within CloudStack
> ------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-906
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-906
> Project: CloudStack
> Issue Type: Sub-task
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Doc
> Reporter: David Nalley
> Assignee: Sailaja Mada
> Fix For: 4.2.0
>
> Attachments: Apache_CloudStack-4.2.0-Installation_Guide-en-US.pdf
>
>
> Document the firewall functionality of Cisco ASA 1000v within CloudStack
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
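The notes above make two operational points that are easy to get wrong: the VNMC appliance is registered through the CloudStack admin API, and a VNMC-backed guest network carries an extra public IP, the one not marked Source NAT, that serves as the ASA outside interface and must be identified before any further IPs are acquired. The following is an added example, not code from the CloudStack project or from the comment, showing both: CloudStack's documented request-signing scheme and a check that isolates the non-Source-NAT address (and refuses to guess once more IPs have been acquired). The API keys, network ids, addresses and `listPublicIpAddresses` records are constructed for the example; the management-server URL and the `listall` parameter are the usual ones but are assumptions here.

```python
"""Added example; not code from the CloudStack project or from the JIRA
comment above.

It turns two points of the review notes into something runnable:
  1. the request signing that the "admin API" registration of a VNMC
     appliance goes through (CloudStack's documented scheme: sort params by
     name, lowercase the whole k=v&k=v string, HMAC-SHA1 with the secret key,
     base64 the digest), and
  2. picking out, from a guest network's public IPs, the extra address that
     is allocated but NOT marked Source NAT: the one the notes say is used
     for the ASA 1000v outside interface and must not be released.

API keys, network ids, addresses and the listPublicIpAddresses records below
are constructed for this example.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote


def canonical_string(params: dict) -> str:
    """Sorted, URL-encoded, lowercased k=v&k=v string that CloudStack signs.

    Keys are lowercased first so sorting matches the server's view of them
    (CloudStack parameter names are case-insensitive). Spaces become %20,
    not '+', which is why quote() rather than quote_plus() is used.
    """
    encoded = sorted((k.lower(), quote(str(v), safe="")) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in encoded).lower()


def sign_request(params: dict, api_key: str, secret_key: str) -> str:
    """Return the full query string for an API call, including `signature`."""
    p = {k.lower(): v for k, v in params.items()}
    p["apikey"] = api_key
    p.setdefault("response", "json")
    digest = hmac.new(secret_key.encode(), canonical_string(p).encode(), hashlib.sha1).digest()
    signature = base64.b64encode(digest).decode()
    query = "&".join(f"{k}={quote(str(v), safe='')}" for k, v in p.items())
    return f"{query}&signature={quote(signature, safe='')}"


def non_sourcenat_ips(public_ips: list, network_id: str) -> list:
    """Allocated public IPs of one guest network that are not its Source NAT IP."""
    return [
        ip["ipaddress"]
        for ip in public_ips
        if ip.get("associatednetworkid") == network_id
        and ip.get("state") == "Allocated"
        and not ip.get("issourcenat", False)
    ]


def asa_outside_ip(public_ips: list, network_id: str) -> str:
    """The ASA outside-interface IP of a VNMC-backed guest network.

    Right after the network reaches the Implemented state there is exactly
    one non-Source-NAT address; once further public IPs have been acquired
    the choice is ambiguous, so this refuses rather than guessing.
    """
    candidates = non_sourcenat_ips(public_ips, network_id)
    if len(candidates) != 1:
        raise ValueError(
            f"expected exactly one non-Source-NAT public IP on {network_id}, found {candidates}"
        )
    return candidates[0]


# Constructed listPublicIpAddresses records for a freshly implemented guest
# network: the Source NAT IP plus the extra IP the VNMC provider acquired.
FRESH_NETWORK_IPS = [
    {"ipaddress": "203.0.113.10", "associatednetworkid": "net-1",
     "issourcenat": True, "state": "Allocated"},
    {"ipaddress": "203.0.113.11", "associatednetworkid": "net-1",
     "issourcenat": False, "state": "Allocated"},
    {"ipaddress": "203.0.113.20", "associatednetworkid": "net-2",
     "issourcenat": False, "state": "Allocated"},
]

# Same network after an operator acquired one more public IP for rules.
AFTER_EXTRA_ACQUIRE = FRESH_NETWORK_IPS + [
    {"ipaddress": "203.0.113.12", "associatednetworkid": "net-1",
     "issourcenat": False, "state": "Allocated"},
]

if __name__ == "__main__":
    # Constructed keys; a real call would GET http://<mgmt>:8080/client/api?<query>
    # (management-server address and port are assumptions).
    query = sign_request(
        {"command": "listPublicIpAddresses", "associatednetworkid": "net-1", "listall": "true"},
        api_key="EXAMPLE-API-KEY", secret_key="EXAMPLE-SECRET-KEY")
    print("GET /client/api?" + query)
    print("ASA outside IP:", asa_outside_ip(FRESH_NETWORK_IPS, "net-1"))
    print("after extra acquire:", non_sourcenat_ips(AFTER_EXTRA_ACQUIRE, "net-1"))
```

Run the check once the network shows state Implemented and before anyone acquires another public IP for the network; after that `asa_outside_ip` raises because two non-Source-NAT addresses exist and the ASA one can no longer be told apart from the API response alone.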