cloudstack-dev mailing list archives

From Koushik Das <koushik....@citrix.com>
Subject RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
Date Tue, 19 Mar 2013 12:00:20 GMT

> 
> On 18/03/13 7:37 PM, "Sailaja Mada" <sailaja.mada@citrix.com> wrote:
> 
> >+
> >
> >7) During Guest Network shutdown, Do we release the ASA association
> >with Guest Network and Even change guest_port_profile configuration as
> >Cloudstack releases VLAN and Network will go to allocated state?
> >

Yes. Necessary stuff should get cleaned up

> >8) When the Guest Network is updated from ASA firewall  offering to VR
> >Offering ,  Please share the sequence of configuration steps called out
> >@ ASA/VNMC?
> >

Not sure I understand the scenario completely. Can you elaborate on the use case that this
is going to provide?

> >Thanks,
> >Sailaja.M
> >
> >-----Original Message-----
> >From: Sailaja Mada [mailto:sailaja.mada@citrix.com]
> >Sent: Monday, March 18, 2013 5:32 PM
> >To: cloudstack-dev@incubator.apache.org; Koushik Das
> >Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >
> >Hi,
> >
> >1) Section: CiscoVNMCElement::implement() :
> >
> >1A) vservice_node  is configured with fail-mode close .  This is to
> >drop the packets if there is no connectivity to VEM , It means ESXi
> >host is not reachable. I see that we are going to configure with fail
> >mode as close
> >
> >Is there any use case where packets will get forwarded with fail-mode
> >open ?
> >

If required this can be moved to a configuration later on. For now 'close' should be good.

> >1B) vservice_node   configuration has ip address 10.1.1.1 .  Can you
> >please share from where this IP address is picked up when the
> >configuration is done thru cloudstack?
> >

ASA acts as the default gateway and this is the gateway IP.

> >2) When the guest network is deleted/Account is deleted, Will you be
> >deleting the vethernet asa in_port_profile defined @ VSM while
> >releasing the VLAN .
> >

Yes

> >3) Can you please update  FS with Edge security profile details that
> >will get configured @ ASA when firewall rules are configured from
> >Cloudstack.
> >

ESP is configured in VNMC. There will be rules created under NAT, Egress/Ingress ACLs

> >4) When Guest Network is restarted what are the sequence of operations
> >will happen when it  has ASA firewall ?
> >

ASA firewall will get implemented as a network element that participates in the orchestration.
Let me know what specific sequence are you referring to?

> >5) Is there  any change with API's that are used to configure Firewall
> >rules?
> >

No

> >6) Use Cases / Flow  -  I see that LB as Netscaler with isolated
> >Network is not available.  Are we supporting only VR?
> >

Not in 4.2. It's mentioned in FS.

> >Please clarify.
> >
> >Thanks,
> >Sailaja.M
> >
> >-----Original Message-----
> >From: Koushik Das [mailto:koushik.das@citrix.com]
> >Sent: Monday, March 11, 2013 6:41 PM
> >To: Koushik Das; cloudstack-dev@incubator.apache.org
> >Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >
> >Updated the FS with following changes:
> >
> >- Use case section updated, classified use cases that will be supported
> >for 4.2 and beyond. Also removed items like VSG and VXLAN support to
> >"Open items" section as not planning to do them as part of "ASA
> >integration".
> >- Updated the deployment model section and added HV limitation (Vmware
> >only feature)
> >- Also updated the API section with parameter details.
> >
> >Comments/feedback?
> >
> >Thanks,
> >Koushik
> >
> >> -----Original Message-----
> >> From: Koushik Das [mailto:koushik.das@citrix.com]
> >> Sent: Monday, February 11, 2013 7:08 PM
> >> To: cloudstack-dev@incubator.apache.org
> >> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >>
> >> Updated the FS with API, Db changes and current deployment limitations.
> >> Also updated the UI section as to what all needs to be added.
> >>
> >> Chiradeep,
> >> I looked at the option of spinning up templates from ovf template but
> >>didn't find a way (was looking for some samples) to pass custom
> >>parameters like vnmc  ip, password etc. while creating VM instance. So
> >>for now the ASA instance creation is a manual step similar to VNMC
> >>appliance. In case there is a way out, the auto-creation can be done
> >>as a future enhancement.
> >>
> >> Thanks,
> >> Koushik
> >>
> >> > -----Original Message-----
> >> > From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> >> > Sent: Friday, January 25, 2013 1:39 AM
> >> > To: CloudStack DeveloperList
> >> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >> >
> >> > Thanks for the FS updates.
> >> > Good progress.
> >> > I had forgotten about registering the ASA 1000v with VNMC - that
> >> > makes it harder to spin these appliances up/down. However we can
> >> > plan to login via the CLI just for this step.
> >> >
> >> > I believe it is better to use a pre-setup pool of ASA appliances.
> >> > Let's say we start with N appliances (created via an admin API call to
> >> > CloudStack).
> >> > createASA1000vPool(ovf template id, zone, vnmc ip, N, increment, threshold)
> >> > Then as the capacity reaches threshold%, the pool capacity is
> >> > incremented by increment% asynchronously.
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > On 1/21/13 12:46 AM, "Koushik Das" <koushik.das@citrix.com> wrote:
> >> >
> >> > >Thanks Chiradeep for explaining the vnmc/asa integration stuff
> >> > >that you are working on and listing down all the use cases.
> >> > >
> >> > >Manan,
> >> > >CLOUDSTACK-742 is covered as part of Chiradeep's work (refer use
> >> > >cases #1 and #2 from the doc).
> >> > >
> >> > >-Koushik
> >> > >
> >> > >-----Original Message-----
> >> > >From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> >> > >Sent: Saturday, January 19, 2013 1:30 AM
> >> > >To: CloudStack DeveloperList
> >> > >Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >> > >
> >> > >Take a look here:
> >> > >https://cwiki.apache.org/confluence/display/CLOUDSTACK/Cisco+VNMC+integration
> >> > >
> >> > >
> >> > >This is something I had been prototyping without any real enthusiasm.
> >> > >
> >> > >There's 3 ways to control the ASA1000v:
> >> > >1. By logging in via the CLI. Strongly against this.
> >> > >2. By using VNMC
> >> > >3. Via Cisco's Network Services Manager (NSM)[1]
> >> > >
> >> > >The NSM is comprehensive, covers a large range of physical and
> >> > >virtual devices and has an easy northbound API. This would be my
> >> > >preferred solution.
> >> > >
> >> > >However as of now (NSM v5.0.2), the ASA1000v  is not supported.
> >> > >It may also be the case that using VNMC may be a cheaper (albeit
> >> > >less supported) option
> >> > >
> >> > >[1] http://www.cisco.com/en/US/products/ps11636/index.html
> >> > >
> >> > >On 1/17/13 9:26 PM, "Koushik Das" <koushik.das@citrix.com> wrote:
> >> > >
> >> > >>Manan,
> >> > >>Can you answer the questions that Chiradeep has raised?
> >> > >>
> >> > >>Chiradeep,
> >> > >>I saw that you have started working on asa/vnmc here
> >> > >>(https://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo?p=incubator-cloudstack.git;a=shortlog;h=refs/heads/cisco-vnmc-api-integration).
> >> > >>I would like to understand the functionalities that you are
> >> > >>planning to cover and what is the overlap between your work and
> >> > >>the feature that Manan has proposed (supporting asa1000v as an
> >> > >>external firewall).
> >> > >>
> >> > >>Thanks,
> >> > >>Koushik
> >> > >>
> >> > >>> -----Original Message-----
> >> > >>> From: Alex Huang [mailto:Alex.Huang@citrix.com]
> >> > >>> Sent: Sunday, January 06, 2013 2:18 AM
> >> > >>> To: cloudstack-dev@incubator.apache.org
> >> > >>> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into
> >> > >>> CloudStack
> >> > >>>
> >> > >>> Manan,
> >> > >>>
> >> > >>> Can you address the issues that Chiradeep has brought up? I
> >> > >>>think for a requirements discussion it is just as important to
> >> > >>>indicate what we will not do or what is considered a feature of
> >> > >>>a later release.
> >> > >>>
> >> > >>> --Alex
> >> > >>>
> >> > >>> > -----Original Message-----
> >> > >>> > From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> >> > >>> > Sent: Thursday, January 03, 2013 6:16 PM
> >> > >>> > To: CloudStack DeveloperList
> >> > >>> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into
> >> > >>> > CloudStack
> >> > >>> >
> >> > >>> > There cannot be feature parity since the ASA1000v is only
> >> > >>> > supported on VMWare.
> >> > >>> >
> >> > >>> > Should the ASA1000v be created on demand, or do we expect the
> >> > >>> > admin to provision a pool of virtual ASAs?
> >> > >>> >
> >> > >>> > Should we support VXLAN as the isolation technology or VLANs?
> >> > >>> >
> >> > >>> >
> >> > >>> > On 1/3/13 5:08 PM, "Manan Shah" <manan.shah@citrix.com> wrote:
> >> > >>> >
> >> > >>> > >Hi,
> >> > >>> > >
> >> > >>> > >I would like to propose a new feature for integrating Cisco
> >> > >>> > >ASA 1000v in CS 4.1. I have created a JIRA ticket and
> >> > >>> > >provided the requirements at the following location. Please
> >> > >>> > >provide feedback on the requirements.
> >> > >>> > >
> >> > >>> > >JIRA Ticket:
> >> > >>> > >https://issues.apache.org/jira/browse/CLOUDSTACK-742
> >> > >>> > >Requirements:
> >> > >>> > >https://cwiki.apache.org/confluence/display/CLOUDSTACK/Integrate+Cisco+ASA+1000v+as+a+FW+for+CloudStack
> >> > >>> > >
> >> > >>> > >Additional details would be provided in the FS.
> >> > >>> > >
> >> > >>> > >Regards,
> >> > >>> > >Manan Shah
> >> > >>> > >
> >> > >>
> >> > >
> >

