cloudstack-users mailing list archives

From clement mutz <c.m...@servitics.fr>
Subject Re: question about security group
Date Wed, 13 Aug 2014 14:44:06 GMT
Hi Tejas,

> Thank you for your reply. I already tried to configure the firewall rules (ex: http://i.imgur.com/oiGMMle.png).
> No access to my instances.

>> From the VM instance, are you able to ICMP ping the virtual router? If you can't,
>> then please check your network VLAN assignments and traffic label configurations

Yes, very good point! I can't ping the virtual router from the VM instance.
So to validate my network I duplicated the network configuration created by CloudStack on
another XenServer (same environment, same switch ...) ;).
So on another XenServer I created two VMs (with XenCenter) and ping worked.
Picture of the network configuration created by CloudStack (see vl41): http://i.imgur.com/K8Bo3kK.png
Picture of the network configuration created by me on another Xen pool: http://i.imgur.com/ieYD5Oy.png

On CloudStack, my traffic label: http://i.imgur.com/P7ZRbf7.png


> I don't have access to the system VMs (console, secondary storage).

>> If you are not able to access the system VMs, then I would first
>> make sure my Zone network configuration and the hypervisor
>> network traffic types are configured correctly.

---------------------------------------------------------------
interfaces     | with isolation mode | without isolation mode
administration | Vl50                | Vl50
public         | NONE                | Vl60
guest          | Vl60                | Vl50
Storage        | Vl20                | Vl20
---------------------------------------------------------------

As you can see, this is the traffic label configuration. With isolation mode CloudStack works
without problem.
With isolation mode I declared my guest network (label Vl60) as a public network (testing).
And I can ping my system VMs (console and storage) and my instances via the public NIC.
I can ping the administration network too (not possible without isolation mode).

I am sure of my zone network configuration (at 99%) because I created an advanced zone with
isolation mode and that worked (access) ;)



> My network is OK because when I configure my zone with security groups I have access
> to the system VMs and to my instances.

>> Basic network and Advanced Networks work very differently. Advanced network uses VLANs
>> which if configured incorrectly can lead to issues like the one you are facing.

Thank you, but when I say "configure my zone with security group", I am talking about an advanced
network and I check "Isolation mode" :).





Hi Clement,

Comments inline.

On 08-Aug-2014, at 12:18 am, clement mutz <c.mutz@servitics.fr> wrote:

> Thank you for your reply. I already tried to configure the firewall rules (ex: http://i.imgur.com/oiGMMle.png).
> No access to my instances.

From the VM instance, are you able to ICMP ping the virtual router? If you can't,
then please check your network VLAN assignments and traffic label configurations


> I don't have access to the system VMs (console, secondary storage).

If you are not able to access the system VMs, then I would first
make sure my Zone network configuration and the hypervisor
network traffic types are configured correctly.


> My network is OK because when I configure my zone with security groups I have access
> to the system VMs and to my instances.

Basic network and Advanced Networks work very differently. Advanced network uses VLANs
which if configured incorrectly can lead to issues like the one you are facing.

> What's wrong with my configuration? Did I forget something?

Start by running tcpdump along the network path and try to isolate
the faulty network configuration.


> Sorry for my bad English. I am learning ;)
>
> Thank you very much.
>

No problems.




> Clément
>
>
>
>
> Comments inline.
>
> On 07-Aug-2014, at 6:24 pm, clement mutz <c.mutz@servitics.fr> wrote:
>
>> Hi Shanker,
>>
>>> Look under Network -> Select View -> Security Groups.
>>
>> Thank you, but the problem appears when I choose an advanced zone without security
>> groups. So I can't see Security Groups (http://i.imgur.com/WR18PPl.png) ;)
>>
>
> In advanced zones you don't have security groups by default. Only EGRESS and INGRESS rules.
>
>> How can I configure the different access without security groups?
>
> Looking at your screenshot, go to Network -> Isolated Network (vl400) -> Egress Rules and
> Network -> Isolated Network (vl400) -> Source NAT -> Configuration -> Firewall Rules.
>
>>
>>> The ML strips out attachment. You can use http://imgur.com to share images.
>>
>> Thanks for your information :)
>>
>> I can't choose a security group when I created a zone with a public network (I mean
>> with a public NIC) (http://i.imgur.com/52bjasU.png and http://i.imgur.com/UN9RXR2.png)...
>> I don't understand why.
>> When I created a zone with security groups, no problem, I can use ACC Ingress and Egress
>> rules but I don't have a public interface (http://i.imgur.com/EhBAbvC.png and http://i.imgur.com/GjhFOZD.png).
>>
>>
>>
>>
>>
>> ----- Original message -----
>> From: "Shanker Balan" <shanker.balan@shapeblue.com>
>> To: "CloudStack-Users" <users@cloudstack.apache.org>
>> Sent: Thursday, 7 August 2014 13:49:40
>> Subject: Re: question about security group
>>
>> Comments inline.
>>
>> On 07-Aug-2014, at 3:44 pm, clement mutz <c.mutz@servitics.fr> wrote:
>>
>>> Hi Tejas,
>>>
>>> I cannot see the security group in network tab.
>>
>> Look under Network -> Select View -> Security Groups.
>>
>>>
>>> I can't choose a security group when I created a zone with a public network (I mean
>>> with a public NIC) (picture 1 and 2)... I don't understand why.
>>> When I created a zone with security groups, no problem, I can use ACC Ingress and
>>> Egress rules but I don't have a public interface (picture 3 and 4).
>>>
>>
>> The ML strips out attachment. You can use http://imgur.com to share images.
>>
>> --
>> @shankerbalan
>>
>> M: +91 98860 60539 | O: +91 (80) 67935867
>> shanker.balan@shapeblue.com | www.shapeblue.com | Twitter:@shapeblue
>> ShapeBlue Services India LLP, 22nd floor, Unit 2201A, World Trade Centre, Bangalore - 560 055
>>
>> Find out more about ShapeBlue and our range of CloudStack related services
>>
>> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
>>
>> This email and any attachments to it may be confidential and are intended solely
>> for the use of the individual to whom it is addressed. Any views or opinions expressed are
>> solely those of the author and do not necessarily represent those of Shape Blue Ltd or related
>> companies. If you are not the intended recipient of this email, you must neither take any
>> action based upon its contents, nor copy or show it to anyone. Please contact the sender if
>> you believe you have received this email in error. Shape Blue Ltd is a company incorporated
>> in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and
>> is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company
>> incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty
>> Ltd is a company registered by The Republic of South Africa and is traded under license from
>> Shape Blue Ltd. ShapeBlue is a registered trademark.
>
> --
> @shankerbalan
>

--
@shankerbalan
