I am trying to understand the deployment model with ASA1000v for the VPC use case mentioned in FS - Cloud operator creates VPC network offering with source nat using ASA1000v as the service provider for firewall, source nat, port forwarding, ACL and routing. CloudStack system vm is used for DHCP, userdata and metadata, password server.

I looked at the Inter-VLAN routing FS (https://cwiki.apache.org/confluence/display/CLOUDSTACK/Inter-VLAN+Routing). For each network in VPC, a nic is created in the VPC VR. ACL rules are configured in VPC VR to allow traffic between these networks. Based on the VPC VR model I am trying to create the deployment model when ASA is used. ASA has 2 interfaces 'inside' and 'outside'. For isolated guest network scenario, inside is connected to the private network and outside connected to public network. I am trying to think how to map it for VPC case where there can be N private nics and 1 public nic.

Chiradeep, can you share your thoughts on this?

Thanks,
Koushik

> -----Original Message-----
> From: Chiradeep Vittal
> Sent: Tuesday, March 12, 2013 5:56 AM
> To: cloudstack-dev@incubator.apache.org; Koushik Das
> Cc: Manan Shah
> Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
>
> - It might be better to support VPC instead of "isolated". Even if it means that some features are not supported initially. I feel that "isolated" is a special case of "VPC", except for the firewall function.
> - What about support for systemvm / NS as an LB appliance?
> - Although the ASA DHCP server cannot be programmed, it might be desirable in enterprise use cases (where they may not care about userdata/metadata) to support the ASA DHCP server as a DHCP provider. In this case we have to figure out how to update the NIC information in CloudStack DB after the VM has acquired its IP.
>
>
> On 3/11/13 6:11 AM, "Koushik Das" <koushik....@citrix.com> wrote:
>
> >Updated the FS with following changes:
> >
> >- Use case section updated, classified use cases that will be supported for 4.2 and beyond. Also removed items like VSG and VXLAN support to "Open items" section as not planning to do them as part of "ASA integration".
> >- Updated the deployment model section and added HV limitation (Vmware only feature)
> >- Also updated the API section with parameter details.
> >
> >Comments/feedback?
> >
> >Thanks,
> >Koushik
> >
> >> -----Original Message-----
> >> From: Koushik Das [mailto:koushik....@citrix.com]
> >> Sent: Monday, February 11, 2013 7:08 PM
> >> To: cloudstack-dev@incubator.apache.org
> >> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >>
> >> Updated the FS with API, Db changes and current deployment limitations. Also updated the UI section as to what all needs to be added.
> >>
> >> Chiradeep,
> >> I looked at the option of spinning up templates from ovf template but didn't find a way (was looking for some samples) to pass custom parameters like vnmc ip, password etc. while creating VM instance. So for now the ASA instance creation is a manual step similar to VNMC appliance. In case there is a way out, the auto-creation can be done as a future enhancement.
> >>
> >> Thanks,
> >> Koushik
> >>
> >> > -----Original Message-----
> >> > From: Chiradeep Vittal [mailto:chiradeep.vit...@citrix.com]
> >> > Sent: Friday, January 25, 2013 1:39 AM
> >> > To: CloudStack DeveloperList
> >> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >> >
> >> > Thanks for the FS updates.
> >> > Good progress.
> >> > I had forgotten about registering the ASA 1000v with VNMC - that makes it harder to spin these appliances up/down. However we can plan to login via the CLI just for this step.
> >> >
> >> > I believe it is better to use a pre-setup pool of ASA appliances. Let's say we start with N appliances (created via an admin API call to CloudStack).
> >> > createASA1000vPool(ovf template id, zone, vnmc ip, N, increment, threshold)
> >> > Then as the capacity reaches threshold%, the pool capacity is incremented by increment% asynchronously.
> >> >
> >> >
> >> > On 1/21/13 12:46 AM, "Koushik Das" <koushik....@citrix.com> wrote:
> >> >
> >> > >Thanks Chiradeep for explaining the vnmc/asa integration stuff that you are working on and listing down all the use cases.
> >> > >
> >> > >Manan,
> >> > >CLOUDSTACK-742 is covered as part of Chiradeep's work (refer use cases #1 and #2 from the doc).
> >> > >
> >> > >-Koushik
> >> > >
> >> > >-----Original Message-----
> >> > >From: Chiradeep Vittal [mailto:chiradeep.vit...@citrix.com]
> >> > >Sent: Saturday, January 19, 2013 1:30 AM
> >> > >To: CloudStack DeveloperList
> >> > >Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >> > >
> >> > >Take a look here:
> >> > >https://cwiki.apache.org/confluence/display/CLOUDSTACK/Cisco+VNMC+integration
> >> > >
> >> > >This is something I had been prototyping without any real enthusiasm.
> >> > >
> >> > >There's 3 ways to control the ASA1000v:
> >> > >1. By logging in via the CLI. Strongly against this.
> >> > >2. By using VNMC
> >> > >3. Via Cisco's Network Services Manager (NSM)[1]
> >> > >
> >> > >The NSM is comprehensive, covers a large range of physical and virtual devices and has an easy northbound API. This would be my preferred solution.
> >> > >
> >> > >However as of now (NSM v5.0.2), the ASA1000v is not supported.
> >> > >It may also be the case that using VNMC may be a cheaper (albeit less supported) option
> >> > >
> >> > >[1] http://www.cisco.com/en/US/products/ps11636/index.html
> >> > >
> >> > >On 1/17/13 9:26 PM, "Koushik Das" <koushik....@citrix.com> wrote:
> >> > >
> >> > >>Manan,
> >> > >>Can you answer the questions that Chiradeep has raised?
> >> > >>
> >> > >>Chiradeep,
> >> > >>I saw that you have started working on asa/vnmc here (https://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo?p=incubator-cloudstack.git;a=shortlog;h=refs/heads/cisco-vnmc-api-integration). I would like to understand the functionalities that you are planning to cover and what is the overlap between your work and the feature that Manan has proposed (supporting asa1000v as an external firewall).
> >> > >>
> >> > >>Thanks,
> >> > >>Koushik
> >> > >>
> >> > >>> -----Original Message-----
> >> > >>> From: Alex Huang [mailto:alex.hu...@citrix.com]
> >> > >>> Sent: Sunday, January 06, 2013 2:18 AM
> >> > >>> To: cloudstack-dev@incubator.apache.org
> >> > >>> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >> > >>>
> >> > >>> Manan,
> >> > >>>
> >> > >>> Can you address the issues that Chiradeep has brought up? I think for a requirements discussion it is just as important to indicate what we will not do or what is considered a feature of a later release.
> >> > >>>
> >> > >>> --Alex
> >> > >>>
> >> > >>> > -----Original Message-----
> >> > >>> > From: Chiradeep Vittal [mailto:chiradeep.vit...@citrix.com]
> >> > >>> > Sent: Thursday, January 03, 2013 6:16 PM
> >> > >>> > To: CloudStack DeveloperList
> >> > >>> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
> >> > >>> >
> >> > >>> > There cannot be feature parity since the ASA1000v is only supported on VMWare.
> >> > >>> >
> >> > >>> > Should the ASA1000v be created on demand, or do we expect the admin to provision a pool of virtual ASAs?
> >> > >>> >
> >> > >>> > Should we support VXLAN as the isolation technology or VLANs?
> >> > >>> >
> >> > >>> >
> >> > >>> > On 1/3/13 5:08 PM, "Manan Shah" <manan.s...@citrix.com> wrote:
> >> > >>> >
> >> > >>> > >Hi,
> >> > >>> > >
> >> > >>> > >I would like to propose a new feature for integrating Cisco ASA 1000v in CS 4.1. I have created a JIRA ticket and provided the requirements at the following location. Please provide feedback on the requirements.
> >> > >>> > >
> >> > >>> > >JIRA Ticket: https://issues.apache.org/jira/browse/CLOUDSTACK-742
> >> > >>> > >Requirements: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Integrate+Cisco+ASA+1000v+as+a+FW+for+CloudStack
> >> > >>> > >
> >> > >>> > >Additional details would be provided in the FS.
> >> > >>> > >
> >> > >>> > >Regards,
> >> > >>> > >Manan Shah