Hi, Soeren:

Thanks a lot for the detailed explanations, really appreciated.

I now have enough initial info to ask for extra VLANs from our networking group. Hopefully I'll have a setup to get my hands on for some real tests.

Have a good weekend.

Yiping

On 8/1/14, 4:14 PM, "Soeren Malchow" <[email protected]> wrote:

> Hi
>
> Security groups can be iptables or ebtables respectively, but you can also basically open everything in and out. The thing is, as soon as you use security groups, the guest network becomes the public network, which makes things much easier for an internal deployment, and I would not worry about the iptables (you will see if you have a setup).
>
> Regarding the separation of production and non-production machines, you can use "Affinity Groups" to avoid having machines on the same hypervisor. Alternatively, how about putting 2 Clusters in one Pod?
>
> We do not use tags at all.
>
> I would strongly suggest that you do a test setup (prepare them in a way where you can wipe and start over); once you have seen and tested the frontend it gets a bit clearer.
>
> Also, your setup really sounds as if you would want to use "Advanced Networking" with security groups, since you avoid the extra "Public" network, but you should put some work into preparing and planning the network; a clean network setup really helps.
>
> We have
> - one completely separate management network (VLAN) with redundant management servers
> - one network (VLAN) for the pod
> - one network (VLAN) for storage
> - several networks (VLANs) for guests
>
> The hypervisor hosts have
> - 8 bonded (802.3ad) 1Gbit interfaces in the storage network with a bridge on top of the bond (untagged) - the bridge has an IP
> - 2 bonded (802.3ad) interfaces with a bridge on top in the POD network (untagged) - the bridge has an IP
> - 4 bonded (802.3ad) interfaces with a bridge (actually there will be several bridges) on top for the guest network, but create one bridge (e.g. guestbr0) without IP before you configure CloudStack on top of the bond and use it during the configuration to assign to the "Guest"
>
> - The guest networks' gateway is a high performance firewall to guarantee sufficient throughput
> - the other networks have their gateways on a separate firewall
> - the secondary storage is inside the storage network
>
> Hope that helps
>
>
> Regards
> Soeren
>
>
> -----Original Message-----
> From: Yiping Zhang [mailto:[email protected]]
> Sent: Friday, 1 August 2014 21:59
> To: [email protected]
> Subject: Re: questions on configuring advanced networking
>
> Hi, Soeren:
>
> Thanks for the quick reply.
>
> I have not tried any setup of advanced networking yet in my lab, due to lack of an available VLAN setup in this environment. So I have lots of questions on the actual steps and choices to be made during various steps.
>
> First, using "security group" implies using iptables to manage access to VMs, correct? I was trying to make things simpler by not using "security groups" and avoiding dealing with iptables rules, because this is an internal deployment. Also, I plan to dedicate zones to production and non-production domains, so that hypervisors for production zones will only host VMs for production and hypervisors for non-production zones will only host non-production VMs. Is this a reasonable approach?
>
> Coming back to your answer, using advanced networking with security groups. In this setup, I only need one zone to support all guest VLANs. Then how do I best make sure that certain hypervisors dedicated for production will only host VMs for production, and vice versa for non-production hypervisors? I assumed that one can use tags on various components for this purpose? Again, without actual hands-on experience with tags, I find the concept and use of "tags" in CS very confusing and poorly documented. I sort of understand that there are tags for host, network, and storage, but they are all simply referred to as tags in the documents, and which type of tag is consumed where is not very clear at all just from reading the docs.
>
> Thanks again,
>
> Yiping
>
> On 8/1/14, 12:21 PM, "Soeren Malchow" <[email protected]> wrote:
>
>> Dear Yiping,
>>
>> If you choose "Advanced" with security groups, then you have only the "guest network"; we do this guest network on a bond and then on a bridge, and the uplinks to the bond are tagged (do not forget to assign a VLAN tag during setup), then you are able to create more tagged networks. This guest network can use a CloudStack-external router or firewall as gateway, and the network can be any IP range. During setup you only create one guest VLAN, but you can create additional VLANs later on.
>>
>> I hope that answers your question
>>
>> Cheers
>> soeren
>>
>> -----Original Message-----
>> From: Yiping Zhang [mailto:[email protected]]
>> Sent: Friday, 1 August 2014 21:16
>> To: [email protected]
>> Subject: questions on configuring advanced networking
>>
>> Hi, all:
>>
>> I am doing planning of a CloudStack deployment using advanced networking. I have a few questions about configurations:
>>
>> 1. Since this is an internal deployment, most of the zones won't really need public IPs, so how can I tell CS that I don't need a VLAN for public traffic? Do I still need to give it something, say 192.168.1.0/24, without actually configuring such a network?
>> 2. I have multiple guest VLANs to support. I assume I have to create one zone for each of the supported guest VLANs, IOW, I assumed that there can be only one guest CIDR for each zone. I have not found a definitive answer to this question from the docs; is this assumption correct?
>> 3. I also assumed that different zones can use the same management and storage VLANs, just reserving different IP ranges for system VMs on different zones. Is this correct?
>>
>> Appreciate all the help.
>>
>> Best regards,
>>
>> Yiping
