incubator-cloudstack-dev mailing list archives

From Sheng Yang <sh...@yasker.org>
Subject Re: FW: F5 SRX in inline mode and Remote access vpn on SRX
Date Fri, 12 Oct 2012 17:56:04 GMT
Hi Sanjeev,

On Fri, Oct 12, 2012 at 4:52 AM, Sanjeev Neelarapu
<sanjeev.neelarapu@citrix.com> wrote:
> Sheng,
>
> Following are the review comments on network-inline mode functional spec:
> 1.Feature Specifications:
> Only support "per zone" (shared) Source NAT for SRX: Does this mean traffic initiated from all the accounts' guest VMs will use only one IP as source IP?

Yes.

> 2.Is it supported in upgraded environment?

No.

> 3. After upgrade from 2.2.x to 3.0.x can we change parallel mode deployment to inline mode (since we don't support upgrade from 2.2.x inline mode)?

No. Since the information is bound to F5, not the network offering,
we cannot do that without adding a new F5 device.

We can improve the feature later in a future release to make it an
option for the network offering, so that we can change it for a network.

> 4. Can we create Static NAT and Load Balancing rule on the same public IP (since conserve mode is on)?

No. We cannot support conserve mode. It's because a static NAT rule
created on SRX prevents other rules from being applied on the same IP.

> 5. Is it supported in VPC (instead of vpcVR can we use SRX for all the services in VPC Offering)?

No.

> 6.Are there any DB schema changes related to this feature?

No.
>
> Following are review comments for "Remote access vpn on SRX":
>
> 1.      Is it supported on Source NAT IP?

We may have one change here - we may possibly only support the source NAT
IP (in fact the external public IP of SRX), because it seems SRX didn't
support using other IPs to communicate with the VPN gateway. I am still
working on this to try to find a solution.
>
> 2.      Is enabling Remote access vpn on SRX and adding VPN user supported only by Admin?

Well, we have good reason to do so, since VPN is kind of a precious
resource on SRX (which users need to pay for), but since the network is
owned by the account, it seems we still need to let users have the
permission to do that.
>
> 3.      Any manual configuration is required on SRX to enable this functionality?

There is probably some manual configuration needed, e.g. set default
policy for IKE and IPsec. I am trying to keep it at a minimal level.

--Sheng
>
> Thanks,
> Sanjeev
>
> From: Sheng Yang
> Sent: Thursday, October 11, 2012 11:14 PM
> To: Sanjeev Neelarapu
> Cc: Haroon Abdelrahman; Sudha Ponnaganti; Srinivas Vejalla
> Subject: RE: F5 SRX in inline mode and Remote access vpn on SRX
>
> They are already on cwiki.
>
> https://cwiki.apache.org/CLOUDSTACK/network-inline-mode-functional-spec.html
> https://cwiki.apache.org/CLOUDSTACK/remote-access-vpn-support-on-srx.html
>
> --Sheng
>
>
> From: Sanjeev Neelarapu
> Sent: Thursday, October 11, 2012 12:14 AM
> To: Sheng Yang
> Cc: Haroon Abdelrahman; Sudha Ponnaganti; Srinivas Vejalla
> Subject: F5 SRX in inline mode and Remote access vpn on SRX
>
> Sheng,
>
> Can you place "F5 SRX in inline mode" and "Remote access vpn on SRX" FSs on cwiki, so that I can use them to share my review comments on ML.
> At present "Remote access vpn on SRX" FS is missing from cloud stack wiki as well.
>
> Thanks,
> Sanjeev
