Hi,

Security groups can be iptables or ebtables respectively, but you can also basically open everything in and out. The thing is, as soon as you use security groups, the guest network becomes the public network, which makes things much easier for an internal deployment, and I would not worry about the iptables (you will see if you have a setup).

Regarding the separation of production and non-production machines, you can use "Affinity Groups" to avoid having machines on the same hypervisor. Alternatively, how about putting 2 Clusters in one Pod?

We do not use tags at all.

I would strongly suggest that you do a test setup (prepare them in a way where you can wipe and start over); once you have seen and tested the frontend it gets a bit clearer.

Also, your setup really sounds as if you would want to use "Advanced Networking" with security groups, since you avoid the extra "Public" network, but you should put some work into preparing and planning of the network; a clean network setup really helps.

We have
- one completely separate management network (vlan) with redundant management servers
- one network (vlan) for the pod
- one network (vlan) for storage
- several networks (vlan) for guests

The hypervisor hosts have
- 8 bonded (802.3ad) 1Gbit interfaces in the storage network with a bridge on top of the bond (untagged) - the bridge has an IP
- 2 bonded (802.3ad) interfaces with a bridge on top in the POD network (untagged) - the bridge has an IP
- 4 bonded (802.3ad) interfaces with a bridge (actually there will be several bridges) on top for the guest network, but create one bridge (e.g. guestbr0) without IP before you configure cloudstack on top of the bond and use it during the configuration to assign to the "Guest"
- The guest networks' gateway is a high performance firewall to guarantee sufficient throughput
- the other networks have their gateways on a separate firewall
- the secondary storage is inside the storage network

Hope that helps

Regards
Soeren

-----Original Message-----
From: Yiping Zhang [mailto:[email protected]]
Sent: Friday, 1 August 2014 21:59
To: [email protected]
Subject: Re: questions on configuring advanced networking

Hi, Soeren:

Thanks for the quick reply. I have not tried any setup of advanced networking yet in my lab, due to lack of available vlan setup in this environment. So I have lots of questions on the actual steps and choices to be made during various steps.

First, using "security group" implies using iptables to manage access to VM's, correct? I was trying to make things simpler by not using "security groups" and avoiding dealing with iptables rules, because this is an internal deployment.

Also, I plan to dedicate zones to production and non-production domains, so that hypervisors for production zones will only host VM's for production and hypervisors for non-production zones will only host non-production VM's. Is this a reasonable approach?

Coming back to your answer, using advanced networking with security group. In this setup, I only need one zone to support all guest vlans. Then how do I best make sure that certain hypervisors dedicated for production will only host VM's for production, and vice versa for non-production hypervisors? I assumed that one can use tags on various components for this purpose? Again, without actual hands-on experience with tags, I find the concept and use of "tags" in CS very confusing and poorly documented. I sort of understand that there are tags for host, network, and storage, but they are all simply referred to as tags in documents, and which type of tags are consumed where is not very clear at all by simply reading the docs.

Thanks again,
Yiping

On 8/1/14, 12:21 PM, "Soeren Malchow" <[email protected]> wrote:

>Dear Yiping,
>
>If you choose "Advanced" with security groups, then you have only the "guestnetwork". We do this guest network on a bond and then on a bridge, and the uplinks to the bond are tagged (do not forget to assign a vlan tag during setup); then you are able to create more tagged networks.
>This guest network can use a CloudStack-external Router or Firewall as gateway and the network can be any IP range.
>During setup you only create one guest vlan, but you can create additional vlans later on.
>
>I hope that answers your question
>
>Cheers
>soeren
>
>-----Original Message-----
>From: Yiping Zhang [mailto:[email protected]]
>Sent: Friday, 1 August 2014 21:16
>To: [email protected]
>Subject: questions on configuring advanced networking
>
>Hi, all:
>
>I am doing planning of a CloudStack deployment using advanced networking. I have a few questions about configurations:
>
> 1. Since this is an internal deployment, most of the zones won't really need public IP, so how can I tell CS that I don't need a VLAN for public traffic? Do I still need to give it something, say 192.168.1.0/24, without actually configuring such a network?
> 2. I have multiple guest vlans to support. I assume I have to create one zone for each of the supported guest vlans, IOW, I assumed that there can be only one guest CIDR for each zone. I have not found a definitive answer to this question in the docs; is this assumption correct?
> 3. I also assumed that different zones can use the same management and storage VLANs, just reserving different IP ranges for systemVM's on different zones. Is this correct?
>
>Appreciate all help.
>
>Best regards,
>
>Yiping
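The host-side layout Soeren describes (three 802.3ad bonds, a bridge with an IP for storage and for the pod network, and an address-less guestbr0 that CloudStack is pointed at for "Guest" traffic), written out as an added example that is not from the thread. It assumes a Debian/Ubuntu KVM host using ifupdown with ifenslave and bridge-utils; the interface names and addresses are constructed placeholders.

```text
# Added example (not from the thread): /etc/network/interfaces on a KVM host.
# Assumes Debian/Ubuntu ifupdown + ifenslave + bridge-utils; names/IPs are placeholders.
# Storage network: 8 x 1GbE in an 802.3ad bond, bridge on top WITH an IP (untagged).
auto bond0
iface bond0 inet manual
    bond-slaves eth0 eth1 eth2 eth3 eth4 eth5 eth6 eth7
    bond-mode 802.3ad
    bond-miimon 100

auto storbr0
iface storbr0 inet static
    address 10.10.30.21
    netmask 255.255.255.0
    bridge_ports bond0
    bridge_stp off
    bridge_fd 0

# Pod (management) network: 2-port bond, bridge WITH an IP (untagged).
auto bond1
iface bond1 inet manual
    bond-slaves eth8 eth9
    bond-mode 802.3ad
    bond-miimon 100

auto podbr0
iface podbr0 inet static
    address 10.10.20.21
    netmask 255.255.255.0
    gateway 10.10.20.1
    bridge_ports bond1
    bridge_stp off
    bridge_fd 0

# Guest network: 4-port bond, bridge WITHOUT an IP. The uplinks are VLAN
# trunks; the tagged guest VLANs are created on top of the bond later, as
# Soeren describes. No address here means the hypervisor itself is not
# reachable from the tenant VLANs, keeping guest and pod traffic apart.
auto bond2
iface bond2 inet manual
    bond-slaves eth10 eth11 eth12 eth13
    bond-mode 802.3ad
    bond-miimon 100

auto guestbr0
iface guestbr0 inet manual
    bridge_ports bond2
    bridge_stp off
    bridge_fd 0
```

During zone creation, guestbr0 is the label given to the Guest traffic type and podbr0 to Management/Storage as appropriate; the switch ports behind bond2 must be configured as trunks carrying the guest VLAN ids.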
