My thinking is that most users would want the following:

1. Either use VR for both FW and LB or use External Devices for both FW and LB
2. Lower priority would be to use VR for one and External Device for another
3. Between in-line and side-by-side, I think we should give higher priority to in-line than side-by-side

So, I think it would be good if we can support LB functionality through external device in 4.2.

Regards,
Manan Shah

On 3/21/13 5:49 AM, "Koushik Das" <koushik....@citrix.com> wrote:

>It's already mentioned in FS that LB functionality is beyond 4.2.
>I haven't yet thought about these scenarios. Can you let me know what all
>configurations (in-line, side-by-side) needs to be supported? I am not
>sure about the use for side-by-side.
>
>> -----Original Message-----
>> From: Manan Shah [mailto:manan.s...@citrix.com]
>> Sent: Thursday, March 21, 2013 12:20 AM
>> To: cloudstack-...@incubator.apache.org
>> Cc: Manan Shah
>> Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
>>
>> Hi Koushik,
>>
>> Can you please confirm if the LB functionality (via VR or VPX) would be
>> supported in 4.2 or not?
>>
>> Regards,
>> Manan Shah
>>
>>
>>
>>
>> On 3/19/13 5:00 AM, "Koushik Das" <koushik....@citrix.com> wrote:
>>
>> >Inline
>> >
>> >>
>> >> On 18/03/13 7:37 PM, "Sailaja Mada" <sailaja.m...@citrix.com> wrote:
>> >>
>> >> >+
>> >> >
>> >> >7) During Guest Network shutdown, Do we release the ASA association
>> >> >with Guest Network and Even change guest_port_profile configuration
>> >> >as Cloudstack releases VLAN and Network will go to allocated state?
>> >> >
>> >
>> >Yes. Necessary stuff should get cleaned up
>> >
>> >> >8) When the Guest Network is updated from ASA firewall offering to
>> >> >VR Offering , Please share the sequence of configuration steps
>> >> >called out @ ASA/VNMC?
>> >> >
>> >
>> >Not sure I understand the scenario completely. Can you elaborate on the
>> >use case that this is going to provide?
>> >
>> >> >Thanks,
>> >> >Sailaja.M
>> >> >
>> >> >-----Original Message-----
>> >> >From: Sailaja Mada [mailto:sailaja.m...@citrix.com]
>> >> >Sent: Monday, March 18, 2013 5:32 PM
>> >> >To: cloudstack-...@incubator.apache.org; Koushik Das
>> >> >Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
>> >> >
>> >> >Hi,
>> >> >
>> >> >1) Section: CiscoVNMCElement::implement() :
>> >> >
>> >> >1A) vservice_node is configured with fail-mode close . This is to
>> >> >drop the packets if there is no connectivity to VEM , It means ESXi
>> >> >host is not reachable. I see that we are going to configure with
>> >> >fail mode as close
>> >> >
>> >> >Is there any use case where packets will get forwarded with
>> >> >fail-mode open ?
>> >> >
>> >
>> >If required this can be moved to a configuration later on. For now
>> >'close' should be good.
>> >
>> >> >1B) vservice_node configuration has ip address 10.1.1.1 . Can you
>> >> >please share from where this IP address is picked up when the
>> >> >configuration is done thru cloudstack?
>> >> >
>> >
>> >ASA acts as the default gateway and this is the gateway IP.
>> >
>> >> >2) When the guest network is deleted/Account is deleted, Will you be
>> >> >deleting the vethernet asa in_port_profile defined @ VSM while
>> >> >releasing the VLAN .
>> >> >
>> >
>> >Yes
>> >
>> >> >3) Can you please update FS with Edge security profile details that
>> >> >will get configured @ ASA when firewall rules are configured from Cloudstack.
>> >> >
>> >
>> >ESP is configured in VNMC. There will be rules created under NAT,
>> >Egress/Ingress ACLs
>> >
>> >> >4) When Guest Network is restarted what are the sequence of
>> >> >operations will happen when it has ASA firewall ?
>> >> >
>> >
>> >ASA firewall will get implemented as a network element that
>> >participates in the orchestration. Let me know what specific sequence
>> >are you referring to?
>> >
>> >> >5) Is there any change with API's that are used to configure
>> >> >Firewall rules?
>> >> >
>> >
>> >No
>> >
>> >> >6) Use Cases / Flow - I see that LB as Netscaler with isolated
>> >> >Network is not available. Are we supporting only VR?
>> >> >
>> >
>> >Not in 4.2. It's mentioned in FS.
>> >
>> >> >Please clarify.
>> >> >
>> >> >Thanks,
>> >> >Sailaja.M
>> >> >
>> >> >-----Original Message-----
>> >> >From: Koushik Das [mailto:koushik....@citrix.com]
>> >> >Sent: Monday, March 11, 2013 6:41 PM
>> >> >To: Koushik Das; cloudstack-...@incubator.apache.org
>> >> >Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
>> >> >
>> >> >Updated the FS with following changes:
>> >> >
>> >> >- Use case section updated, classified use cases that will be
>> >> >supported for 4.2 and beyond. Also removed items like VSG and VXLAN
>> >> >support to "Open items" section as not planning to do them as part
>> >> >of "ASA integration".
>> >> >- Updated the deployment model section and added HV limitation
>> >> >(Vmware only feature)
>> >> >- Also updated the API section with parameter details.
>> >> >
>> >> >Comments/feedback?
>> >> >
>> >> >Thanks,
>> >> >Koushik
>> >> >
>> >> >> -----Original Message-----
>> >> >> From: Koushik Das [mailto:koushik....@citrix.com]
>> >> >> Sent: Monday, February 11, 2013 7:08 PM
>> >> >> To: cloudstack-...@incubator.apache.org
>> >> >> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
>> >> >>
>> >> >> Updated the FS with API, Db changes and current deployment limitations.
>> >> >> Also updated the UI section as to what all needs to be added.
>> >> >>
>> >> >> Chiradeep,
>> >> >> I looked at the option of spinning up templates from ovf template
>> >> >>but didn't find a way (was looking for some samples) to pass custom
>> >> >>parameters like vnmc ip, password etc. while creating VM instance.
>> >> >>So for now the ASA instance creation is a manual step similar to
>> >> >>VNMC appliance. In case there is a way out, the auto-creation can
>> >> >>be done as a future enhancement.
>> >> >>
>> >> >> Thanks,
>> >> >> Koushik
>> >> >>
>> >> >> > -----Original Message-----
>> >> >> > From: Chiradeep Vittal [mailto:chiradeep.vit...@citrix.com]
>> >> >> > Sent: Friday, January 25, 2013 1:39 AM
>> >> >> > To: CloudStack DeveloperList
>> >> >> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
>> >> >> >
>> >> >> > Thanks for the FS updates.
>> >> >> > Good progress.
>> >> >> > I had forgotten about registering the ASA 1000v with VNMC < that
>> >> >> > makes it harder to spin these appliances up/down. However we can
>> >> >> > plan to login via the CLI just for this step.
>> >> >> >
>> >> >> > I believe it is better to use a pre-setup pool of ASA appliances.
>> >> >> > Let's say we start with N appliances (created via an admin API
>> >> >> > call to CloudStack).
>> >> >> > createASA1000vPool(ovf template id, zone, vnmc ip, N, increment,
>> >> >> > threshold) Then as the capacity reaches threshold%, the pool
>> >> >> > capacity is incremented by increment% asynchronously.
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > On 1/21/13 12:46 AM, "Koushik Das" <koushik....@citrix.com> wrote:
>> >> >> >
>> >> >> > >Thanks Chiradeep for explaining the vnmc/asa integration stuff
>> >> >> > >that you are working on and listing down all the use cases.
>> >> >> > >
>> >> >> > >Manan,
>> >> >> > >CLOUDSTACK-742 is covered as part of Chiradeep's work (refer
>> >> >> > >use cases
>> >> >> > >#1 and #2 from the doc).
>> >> >> > >
>> >> >> > >-Koushik
>> >> >> > >
>> >> >> > >-----Original Message-----
>> >> >> > >From: Chiradeep Vittal [mailto:chiradeep.vit...@citrix.com]
>> >> >> > >Sent: Saturday, January 19, 2013 1:30 AM
>> >> >> > >To: CloudStack DeveloperList
>> >> >> > >Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
>> >> >> > >
>> >> >> > >Take a look here:
>> >> >> > >https://cwiki.apache.org/confluence/display/CLOUDSTACK/Cisco+VNMC+integration
>> >> >> > >
>> >> >> > >
>> >> >> > >This is something I had been prototyping without any real enthusiasm.
>> >> >> > >
>> >> >> > >There's 3 ways to control the ASA1000v:
>> >> >> > >1. By logging in via the CLI. Strongly against this.
>> >> >> > >2. By using VNMC
>> >> >> > >3. Via Cisco's Network Services Manager (NSM)[1]
>> >> >> > >
>> >> >> > >The NSM is comprehensive, covers a large range of physical and
>> >> >> > >virtual devices and has an easy northbound API. This would be
>> >> >> > >my preferred solution.
>> >> >> > >
>> >> >> > >However as of now (NSM v5.0.2), the ASA1000v is not supported.
>> >> >> > >It may also be the case that using VNMC may be a cheaper
>> >> >> > >(albeit less
>> >> >> > >supported) option
>> >> >> > >
>> >> >> > >[1] http://www.cisco.com/en/US/products/ps11636/index.html
>> >> >> > >
>> >> >> > >On 1/17/13 9:26 PM, "Koushik Das" <koushik....@citrix.com> wrote:
>> >> >> > >
>> >> >> > >>Manan,
>> >> >> > >>Can you answer the questions that Chiradeep has raised?
>> >> >> > >>
>> >> >> > >>Chiradeep,
>> >> >> > >>I saw that you have started working on asa/vnmc here
>> >> >> > >>(https://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo?p=incubator-cloudstack.git;a=shortlog;h=refs/heads/cisco-vnmc-api-integration).
>> >> >> > >>I would like to understand the functionalities that you are
>> >> >> > >>planning to cover and what is the overlap between your work
>> >> >> > >>and the feature that Manan has proposed (supporting asa1000v
>> >> >> > >>as an external firewall).
>> >> >> > >>
>> >> >> > >>Thanks,
>> >> >> > >>Koushik
>> >> >> > >>
>> >> >> > >>> -----Original Message-----
>> >> >> > >>> From: Alex Huang [mailto:alex.hu...@citrix.com]
>> >> >> > >>> Sent: Sunday, January 06, 2013 2:18 AM
>> >> >> > >>> To: cloudstack-...@incubator.apache.org
>> >> >> > >>> Subject: RE: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
>> >> >> > >>>
>> >> >> > >>> Manan,
>> >> >> > >>>
>> >> >> > >>> Can you address the issues that Chiradeep has brought up? I
>> >> >> > >>>think for a requirements discussion it is just as important
>> >> >> > >>>to indicate what we will not do or what is considered a
>> >> >> > >>>feature of a later release.
>> >> >> > >>>
>> >> >> > >>> --Alex
>> >> >> > >>>
>> >> >> > >>> > -----Original Message-----
>> >> >> > >>> > From: Chiradeep Vittal [mailto:chiradeep.vit...@citrix.com]
>> >> >> > >>> > Sent: Thursday, January 03, 2013 6:16 PM
>> >> >> > >>> > To: CloudStack DeveloperList
>> >> >> > >>> > Subject: Re: [DISCUSS] Integrate Cisco ASA 1000v into CloudStack
>> >> >> > >>> >
>> >> >> > >>> > There cannot be feature parity since the ASA1000v is only
>> >> >> > >>> > supported on VMWare.
>> >> >> > >>> >
>> >> >> > >>> > Should the ASA1000v be created on demand, or do we expect
>> >> >> > >>> > the admin to provision a pool of virtual ASAs?
>> >> >> > >>> >
>> >> >> > >>> > Should we support VXLAN as the isolation technology or VLANs?
>> >> >> > >>> >
>> >> >> > >>> >
>> >> >> > >>> > On 1/3/13 5:08 PM, "Manan Shah" <manan.s...@citrix.com> wrote:
>> >> >> > >>> >
>> >> >> > >>> > >Hi,
>> >> >> > >>> > >
>> >> >> > >>> > >I would like to propose a new feature for integrating
>> >> >> > >>> > >Cisco ASA 1000v in CS 4.1. I have created a JIRA ticket
>> >> >> > >>> > >and provided the requirements at the following location.
>> >> >> > >>> > >Please provide feedback on the requirements.
>> >> >> > >>> > >
>> >> >> > >>> > >JIRA Ticket:
>> >> >> > >>> > >https://issues.apache.org/jira/browse/CLOUDSTACK-742
>> >> >> > >>> > >Requirements:
>> >> >> > >>> > >https://cwiki.apache.org/confluence/display/CLOUDSTACK/Integrate+Cisco+ASA+1000v+as+a+FW+for+CloudStack
>> >> >> > >>> > >
>> >> >> > >>> > >Additional details would be provided in the FS.
>> >> >> > >>> > >
>> >> >> > >>> > >Regards,
>> >> >> > >>> > >Manan Shah