RE: IPv6 Issue in Cloudstack
Hi Hean,

What type of network and hypervisor are you using? Also, which version of ACS?

Regards,
Alex

-----Original Message-----
From: Hean Seng
Sent: 30 April 2021 08:34
To: users@cloudstack.apache.org
Subject: IPv6 Issue in Cloudstack

Hi

I set up IPv6 in the VM. Outbound from the VM is no issue, I can ping all the IPv6 IPs outside. But inbound, the IPv6 IP in the VM seems not accessible at all.

And it seems there is no Security Group to manage the IPv6 rules. The SG is only for IPv4.

And I saw ipv6tables -L, there are a lot of rules there. Not sure if they are preconfigured by Cloudstack or default Linux. And I guess that is blocking access.

Does anybody have experience with enabling IPv6 in a Cloudstack VM and the Ipv6table rules there?

--
Regards,
Hean Seng
RE: VMware vSS, vDS recommended setups
Hi Matt,

Adding from a more practical experience side of things (I've implemented a rather large ACS deployed across 17 datacenters around the world, so had quite a bit of experience with that).

Assuming it's VMWare I'd echo what Rohit said and say that you really should go with dVS. I'd say that as a minimum you need 4x10Gb NICS (ideally 25Gb nowadays, but that depends a lot on the kind of traffic you expect to have). I'd segregate those in at least two dVSs, one for storage and one for everything else. If you have more NICs then you could go for 3 dVSs using the 3rd to segregate customer traffic from management.

I'd recommend keeping it a simple L2 topology and let ESX load-balance the uplinks (the default policy works pretty well), you can then decide if you want to use active/backup or active/active per portgroup.

You'll need to choose VLANs for Storage and for Management and let ACS know those when creating your Zone, all other VLANs come from your public IP ranges and the VLAN range you select for customers, those will automatically be created by ACS.

In your Storage dVS you'll end up with just a couple port groups and in the other you'll have a mgmt. portgroup (where your mgmt. VMKernel interface reside) plus one for each public IP range you add to ACS plus one per customer network.

One thing to take in consideration is how many virtual ports your switch can handle (depends highly on make/model), if you setup 4k VLANs on all ports in a 48port switch you can easily overload it, so testing the limits of your switch is rather important.

Hope this answers your question, if you have any more questions I'll be happy to help, I have some diagrams I can share, just need to find them.

Cheers,
Alex

-----Original Message-----
From: Rohit Yadav
Sent: 27 April 2021 12:25
To: users@cloudstack.apache.org
Subject: Re: VMware vSS, vDS recommended setups

Hi Matt,

Our best practices, networking and use of VMware are documented here:

http://docs.cloudstack.apache.org/en/latest/conceptsandterminology/choosing_deployment_architecture.html#best-practices
http://docs.cloudstack.apache.org/en/latest/conceptsandterminology/network_setup.html
http://docs.cloudstack.apache.org/en/latest/installguide/hypervisor/vsphere.html

In newer environments, I would suggest considering distributed vswitches. All other best practices of vSphere/vCenter should in general be followed, as CloudStack VMware plugin orchestrates most of things via vCenter (vim apis).

If you're just starting out exploring CloudStack and haven't fixed on storage and hypervisor, you may want to consider your requirements and CloudStack support:

http://docs.cloudstack.apache.org/en/latest/conceptsandterminology/choosing_deployment_architecture.html#choosing-a-hypervisor

Regards.

From: Matthew Ritchie
Sent: Tuesday, April 27, 2021 15:38
To: users@cloudstack.apache.org
Subject: VMware vSS, vDS recommended setups

Hi all,

Is there a best practices guide regarding the VMware vSS and vDS setup for Cloudstack? Maybe some recommendations based on your experience for the number of physical NICs on hosts, VLAN ID settings for the port groups, number of port groups etc.?

I understand that this is a generic question and the answer depends on one's plan, but I am thinking that there may exist a minimal recommended setup as a baseline.

best,
Matt

PS Maybe it is a good idea to gather some baseline network setups for the supported hosts...

rohit.ya...@shapeblue.com
www.shapeblue.com
3 London Bridge Street, 3rd floor, News Building, London SE1 9SG UK
@shapeblue
RE: VMware VDS Updates on 4.15?
Hi Mike,

That doc is really out of date, dVS is supported for all network types now, I had it setup for mgmt, storage, public, etc… in my previous job (large ISP) and we even migrated from SVS to dVS without any downtime (ACS 4.11). And our lab at ShapeBlue (4.15) also uses dVS, no issues there.

If you run into any issues just let me know and I'd be glad to help.

Cheers,
Alex

From: Andrija Panic
Sent: 26 April 2021 22:55
To: users; Alex Mattioli
Subject: Re: VMware VDS Updates on 4.15?

Hi Mike,

I'll ask my colleague @Alex Mattioli to comment - I believe both are achievable with some effort.

Best,

On Mon, 26 Apr 2021 at 22:31, Corey, Mike <mike.co...@sap.com> wrote:

No - I don't believe anyone responded back with my inquiry. As I stated in my email the latest on a VMware VDS is from version 4.11 and was wondering if compatibility/supportability has changed over the recent versions of either Apache CloudStack and/or VMware.

Thanks!
Mike

-----Original Message-----
From: Andrija Panic <andrija.pa...@gmail.com>
Sent: Monday, April 26, 2021 4:10 PM
To: users <users@cloudstack.apache.org>
Subject: Re: VMware VDS Updates on 4.15?

Hi Mike,

I believe you got the answers elsewhere, am I right?

Best,

On Wed, 21 Apr 2021 at 21:19, Corey, Mike <mike.co...@sap.com> wrote:

> Hi,
>
> I'm looking into using VMware Virtual Distributed Switches with my next lab build. Has there been any new developments on using the VDS with CloudStack? The latest info seems to be in the 4.11 notes, snippet below. If I'm looking at this correctly, I cannot have my NFS Storage network on the VDS…is that still the case with 4.15?
>
> Prerequisites and Guidelines
>
> - VMware VDS is supported only on Public and Guest traffic in CloudStack.
> - VMware VDS does not support multiple VDS per traffic type. If a user has many VDS switches, only one can be used for Guest traffic and another one for Public traffic.
> - Additional switches of any type can be added for each cluster in the same zone. While adding the clusters with different switch type, traffic labels is overridden at the cluster level.
> - Management and Storage network does not support VDS. Therefore, use Standard Switch for these networks.
> - When you remove a guest network, the corresponding dvportgroup will not be removed on the vCenter. You must manually delete them on the vCenter.
>
> Many thanks!
>
> Mike
>
> *Mike Corey*
> Technology Senior Consultant, IT CS CTW Operation & Virtualization Service US
> *SAP AMERICA, INC.* 3999 West Chester Pike, Newtown Square, 19073 United States
> T +1 610 661 0905, M +1 484 274 2658, E mike.co...@sap.com

--
Andrija Panić

--
Andrija Panić
RE: Creating Default Firewall Rules
As far as I know not, but sounds like a very interesting future feature to me.

Alex

alex.matti...@shapeblue.com
www.shapeblue.com
3 London Bridge Street, 3rd floor, News Building, London SE1 9SG UK
@shapeblue

-----Original Message-----
From: anonymousjones666
Sent: 15 April 2021 17:09
To: users@cloudstack.apache.org
Subject: Creating Default Firewall Rules

Is it possible to create a default firewall rule in all created CS firewalls.

Example: If we wanted to block port 25 for all customers by default then allow/remove the rule for each customer when we permit ?

Sent with [ProtonMail](https://protonmail.com) Secure Email.
RE: Multiple Guest Subnets Default Network
Hi,

Unfortunately I can't see the attachments. Would be good if you could upload it somewhere and send the link :)

Cheers,
Alex

-----Original Message-----
From: anonymousjones666
Sent: 15 April 2021 12:59
To: users@cloudstack.apache.org
Subject: RE: Multiple Guest Subnets Default Network

Yes you are right. We are using the legacy interface to add but when trying to use the subnet we can only use the subnet that was added during the network setup. See screenshot.

‐‐‐ Original Message ‐‐‐
On Thursday, April 15, 2021 11:58 AM, anonymousjones666 wrote:

> Hi Alex.
>
> To clarify:-
>
> Right now we have a single /28 assigned to the DefaultGuestNetwork which we can assign to instances.
>
> What we want is to add another public subnet ( different to our initial /28 ) and also use this subnet in the DefaultGuestNetwork so we have multiple IP subnets to assign to any instance deployed using this network.
>
> To answer your question - we don't want to assign 2 IPs to instances rather assign a single IP to any instance from multiple public subnets. From what I see now we can only use the subnet ( /28 ) that was initially added when setting up the guestnetwork.
>
> I have attached a screenshot of what we did but the second IP range cannot be used when deploying an instance
>
> ‐‐‐ Original Message ‐‐‐
> On Thursday, April 15, 2021 11:58 AM, anonymousjones666 anonymousjones...@protonmail.com wrote:
>
> > Hi Alex.
> > To clarify:-
> > Right now we have a single /28 assigned to the DefaultGuestNetwork which we can assign to instances.
> > What we want is to add another public subnet ( different to our initial /28 ) and also use this subnet in the DefaultGuestNetwork so we have multiple IP subnets to assign to any instance deployed using this network.
> > To answer your question - we don't want to assign 2 IPs to instances rather assign a single IP to any instance from multiple public subnets. From what I see now we can only use the subnet ( /28 ) that was initially added when setting up the guestnetwork.
> > I have attached a screenshot of what we did but the second IP range cannot be used when deploying an instance
> >
> > ‐‐‐ Original Message ‐‐‐
> > On Thursday, April 15, 2021 11:09 AM, Alex Mattioli alex.matti...@shapeblue.com wrote:
> >
> > > Hi Mr 666.
> > > Let me see if I got it right. You have two /28s with Public IPs and want your VM to have one IP from each?
> > > Cheers
> > > Alex
> > >
> > > -----Original Message-----
> > > From: anonymousjones666 anonymousjones...@protonmail.com.INVALID
> > > Sent: 15 April 2021 12:00
> > > To: users@cloudstack.apache.org
> > > Subject: Multiple Guest Subnets Default Network
> > >
> > > Hello
> > > Is it possible to add multiple guest subnets to one guest network with CS 4.15 ?
> > > As an example we have a /28 subnet ( public ) and can deploy instances from this however, we can add another subnet to the defaultGuestNetwork ( using the legacy dashboard ) but when deploying an instance we can only add an IP address from the initial /28 subnet and not the other we added.
> > > Are there any options to add multiple public subnets to one single guest network ?
> > > Thank You
RE: Multiple Guest Subnets Default Network
Hi Mr 666.

Let me see if I got it right. You have two /28s with Public IPs and want your VM to have one IP from each?

Cheers
Alex

-----Original Message-----
From: anonymousjones666
Sent: 15 April 2021 12:00
To: users@cloudstack.apache.org
Subject: Multiple Guest Subnets Default Network

Hello

Is it possible to add multiple guest subnets to one guest network with CS 4.15 ?

As an example we have a /28 subnet ( public ) and can deploy instances from this however, we can add another subnet to the defaultGuestNetwork ( using the legacy dashboard ) but when deploying an instance we can only add an IP address from the initial /28 subnet and not the other we added.

Are there any options to add multiple public subnets to one single guest network ?

Thank You
RE: RE: RE: Virutal Router MTU
Hi Rafael,

I've had very similar issues in the past, with SSL and TLS so playing well with fragmentation. It is the same use case indeed, in that case I needed jumbo frames for a certain network.

I believe this should be implemented per-network, as a setting applied when the network is created (but editable and applied when the network is restarted with clean-up).

I'll consult with my colleagues what's the best way forward and get back to you.

Cheers,
Alex

From: Rafael del Valle
Sent: 25 March 2021 09:06
To: Alex Mattioli
Cc: d...@cloudstack.apache.org
Subject: Re: RE: RE: Virutal Router MTU

Hi Alex,

I have now found all the detail of the 1400 MTU past incident that led us to patch OpenNebula VRs.

The problem was detected because startTLS sessions failed in our email, persistently and to peers such as hotmail:

2019-01-26 14:58:06 + 02 9a1d30b6d6d1 SMTP-OUT:0001: SSL error remote 104.47.13.33:25, SSL_connect:failed in SSLv2/v3 read server hello A

We investigated the issue together with the email platform vendor, and the problem persisted until we patched the MTU1400 issue.

So this is a must implement for us. A workaround exists: patch VRs and use cloud-init to customize NICs in VMs.

I am very happy to accept your collaboration offer :)

Where should this patch be implemented? It is actually a requirement of this VLAN (vlanIpRange) and propagates to Virtual Routers and NICs of the involved VMs.

Is it the same in your use-case of Jumbo frames for storage oriented networks? Perhaps we should treat this setting just like a netmask or gateway setting.

Shall we open an issue?

Rafael

On Wed, 2021-03-24 11:08 AM, Alex Mattioli <alex.matti...@shapeblue.com> wrote:

Hi Raf,

Can you share with us which SDWAN vendor it is? I've tried 4 different ones with ACS and they all worked fine, in all cases what I did was to set the MTU in the SDWAN appliance to be a bit lower than 1500 (in between 1422 and 1460, depending on SDWAN solution).

In most networks you'll end up with most of your traffic with an MTU of around 500-600 anyway, so larger MTU doesn't help that much, I'd highly recommend you run some traffic analysis to try to figure out what's the MTU distribution for your network traffic.

With that said, I also had to change the MTU in VRs for a proof of concept on iSCSI between datacenters, in that situation I just wrote a script that would log in to each VR and change the MTU of the public and private interfaces, it worked OK. I would strongly advise you not to change the MTU of the management interface, when I did (by mistake) the VRs lost communication with the management server.

If you want to contribute by expanding cloudstack code to add a setting for VR MTU I'd be more than happy to collaborate with you on that.

Hope this helps.

Cheers,
Alex

-----Original Message-----
From: Rafael del Valle <rva...@privaz.io.INVALID>
Sent: 24 March 2021 10:33
To: users@cloudstack.apache.org
Cc: users@cloudstack.apache.org; d...@cloudstack.apache.org
Subject: Re: RE: Virutal Router MTU

Hi Alex,

In our particular use case the Public Network is an SD WAN and we have a requirement of slightly smaller MTU than the standard 1500.

I have assumed that our traffic will be encapsulated into something else before delivery, I guess that is the reason for the requirement.

What would be the easier way to add support for MTU tuning on VRs?

I would be to contribute and implement it.

Regards,

On Wed, 2021-03-24 09:39 AM, Alex Mattioli <alex.matti...@shapeblue.com> wrote:

> Hi R,
>
> There's no ACS setting for the VR's MTU size.
> Unless you are running storage traffic in that network then jumbo frames aren't of much use. I've run some tests at the request of some customers in my previous job, and with some very busy VRs and the performance gains for an MTU of 9000 were statistically insignificant.
> If your VRs are saturated your best option is to increase the resources for its offering (if you need guidance with that, am happy to provide it)
>
> Anyway, what's your use case for jumbo frames?
>
> Regards,
> Alex
>
> -----Original Message-----
> From: rva...@privaz.io.INVALID
RE: RE: Virutal Router MTU
Hi Raf,

Can you share with us which SDWAN vendor it is? I've tried 4 different ones with ACS and they all worked fine, in all cases what I did was to set the MTU in the SDWAN appliance to be a bit lower than 1500 (in between 1422 and 1460, depending on SDWAN solution).

In most networks you'll end up with most of your traffic with an MTU of around 500-600 anyway, so larger MTU doesn't help that much, I'd highly recommend you run some traffic analysis to try to figure out what's the MTU distribution for your network traffic.

With that said, I also had to change the MTU in VRs for a proof of concept on iSCSI between datacenters, in that situation I just wrote a script that would log in to each VR and change the MTU of the public and private interfaces, it worked OK. I would strongly advise you not to change the MTU of the management interface, when I did (by mistake) the VRs lost communication with the management server.

If you want to contribute by expanding cloudstack code to add a setting for VR MTU I'd be more than happy to collaborate with you on that.

Hope this helps.

Cheers,
Alex

-----Original Message-----
From: Rafael del Valle
Sent: 24 March 2021 10:33
To: users@cloudstack.apache.org
Cc: users@cloudstack.apache.org; d...@cloudstack.apache.org
Subject: Re: RE: Virutal Router MTU

Hi Alex,

In our particular use case the Public Network is an SD WAN and we have a requirement of slightly smaller MTU than the standard 1500.

I have assumed that our traffic will be encapsulated into something else before delivery, I guess that is the reason for the requirement.

What would be the easier way to add support for MTU tuning on VRs?

I would be to contribute and implement it.

Regards,

On Wed, 2021-03-24 09:39 AM, Alex Mattioli wrote:

> Hi R,
>
> There's no ACS setting for the VR's MTU size.
> Unless you are running storage traffic in that network then jumbo frames aren't of much use. I've run some tests at the request of some customers in my previous job, and with some very busy VRs and the performance gains for an MTU of 9000 were statistically insignificant.
> If your VRs are saturated your best option is to increase the resources for its offering (if you need guidance with that, am happy to provide it)
>
> Anyway, what's your use case for jumbo frames?
>
> Regards,
> Alex
>
> -----Original Message-----
> From: rva...@privaz.io.INVALID
> Sent: 24 March 2021 09:23
> To: users@cloudstack.apache.org
> Subject: Virutal Router MTU
>
> Hi!
>
> I can see in the Global Parameters that it is possible to specify the MTU for secondary storage VM.
>
> Is it possible to configure the MTU for a virtual router? how?
>
> Regards,
> R.
RE: Virutal Router MTU
Hi R,

There's no ACS setting for the VR's MTU size.

Unless you are running storage traffic in that network then jumbo frames aren't of much use. I've run some tests at the request of some customers in my previous job, and with some very busy VRs and the performance gains for an MTU of 9000 were statistically insignificant.

If your VRs are saturated your best option is to increase the resources for its offering (if you need guidance with that, am happy to provide it)

Anyway, what's your use case for jumbo frames?

Regards,
Alex

-----Original Message-----
From: rva...@privaz.io.INVALID
Sent: 24 March 2021 09:23
To: users@cloudstack.apache.org
Subject: Virutal Router MTU

Hi!

I can see in the Global Parameters that it is possible to specify the MTU for secondary storage VM.

Is it possible to configure the MTU for a virtual router? how?

Regards,
R.
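
A check that fits the MTU discussion in the thread above, added here as an example and not part of any message in the archive: before lowering the MTU on VR or VM NICs, measure the largest IPv4 packet that actually crosses the path to a peer unfragmented. It assumes Linux iputils `ping`; the function names and the default 576 to 1500 search range are illustrative choices.

```bash
#!/usr/bin/env bash
# Added example (not from the mailing-list thread): find the path MTU to a
# peer by sending ICMP echoes with the Don't Fragment bit set and
# binary-searching the largest size that still gets a reply.

IP_ICMP_OVERHEAD=28   # 20-byte IPv4 header + 8-byte ICMP echo header

# probe HOST PAYLOAD_BYTES
# Succeeds if one DF-flagged echo of that payload size is answered.
# Assumes Linux iputils ping: -M do forbids fragmentation, -s sets payload.
probe() {
    ping -c 1 -W 1 -M do -s "$2" "$1" >/dev/null 2>&1
}

# path_mtu HOST [MIN_MTU] [MAX_MTU]
# Prints the largest MTU in [MIN_MTU, MAX_MTU] that reaches HOST unfragmented.
# Returns 1 if even the minimum size gets no reply.
path_mtu() {
    pm_host=$1
    pm_lo=$(( ${2:-576} - IP_ICMP_OVERHEAD ))
    pm_hi=$(( ${3:-1500} - IP_ICMP_OVERHEAD ))
    if ! probe "$pm_host" "$pm_lo"; then
        echo "no reply from $pm_host even at the minimum size" >&2
        return 1
    fi
    # Invariant: pm_lo always passes; sizes above pm_hi are known to fail
    # or lie outside the search range.
    while [ "$pm_lo" -lt "$pm_hi" ]; do
        pm_mid=$(( (pm_lo + pm_hi + 1) / 2 ))
        if probe "$pm_host" "$pm_mid"; then
            pm_lo=$pm_mid
        else
            pm_hi=$(( pm_mid - 1 ))
        fi
    done
    echo $(( pm_lo + IP_ICMP_OVERHEAD ))
}

# mtu_fits HOST NIC_MTU
# Returns 0 if a NIC configured with NIC_MTU fits the measured path,
# 1 if it is too large, 2 if the path could not be measured.
mtu_fits() {
    mf_path=$(path_mtu "$1") || return 2
    [ "$2" -le "$mf_path" ]
}

# Command-line use: ./path_mtu.sh HOST NIC_MTU
if [ "$#" -ge 2 ]; then
    if mtu_fits "$1" "$2"; then
        echo "MTU $2 fits the path to $1"
    else
        echo "MTU $2 does not fit the path to $1 (or $1 did not answer)"
    fi
fi
```

If ICMP echo is filtered on the path, every probe fails and `path_mtu` reports the peer as unreachable rather than returning a size.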
RE: Use Case Bare Metal CloudStack
Hi Felipe,

As far as I know baremetal in ACS hasn't been used much, the code should still be functional but without much new.

If you can share your use case then we might be able to assist further.

Cheers,
Alexandre Mattioli

-----Original Message-----
From: Felipe Rossi
Sent: 16 March 2021 15:21
To: users@cloudstack.apache.org
Subject: Use Case Bare Metal CloudStack

Hello All,

We are studying about using Bare Metal on Cloud, but documentation is not good and can't help us.

We would like to know if someone on community has a use case or can share knowledge about this feature on Cloud Stack.

Att / Regards
Felipe Rossi | BRASCLOUD
*CEO* *Cloud Architect*
fel...@brascloud.com.br | www.brascloud.com.br
Contact + 55 45 99116-0094 / +55 45 3326-4568
RE: Cloudstack lab
Hi Craig,

Building on what Rohit and others explained, it depends a lot on your goal as well.

If you want to develop software for ACS, then the simulator is probably the way to go.

If you want to dig into the physical infrastructure with multiple hypervisor types, etc..etc.. then your best bet is most likely to be one "large" hypervisor (8 cores, 32GB RAM), with that you can run a pretty realistic nested environment with NFS servers, multiple zones, etc

If the goal is to actually simulate a physical infra, then a bunch of PIs is a good option.

So, before building an actual lab I'd recommend you come up with some goals for your lab setup.

Hope this helps,

Cheers,
Alex

-----Original Message-----
From: Rohit Yadav
Sent: 07 March 2021 15:41
To: users@cloudstack.apache.org
Subject: Re: Cloudstack lab

Hi Craig,

The simulator is a dummy hypervisor that essentially uses the database (MySQL) to simulate resources (such as hosts, VMs, disks etc) while using the same orchestration/business logic as would any hypervisor. The CloudStack kernel/plugin based orchestration architecture allows developers to build features that are agnostic of hypervisors/storage to be developed using the Simulator.

For my blog, you can attempt all-in-a-single RaspberryPi4 as long as you've got the 8GB model, with the 4GB model it's possible but such a setup will eat all the available memory pretty soon (running CloudStack mgmt server, agent, mysql and nfs all). The toy setup I've got at home has one 4GB-ram rpi4 for mgmt server and two 8GB-ram rpi4s for KVM hosts, I run Ceph on all three of them, and on the mgmt server I run NFS server and Ceph dashboard.

Regards.

From: Craig Dunn
Sent: Saturday, March 6, 2021 21:50
To: users@cloudstack.apache.org
Subject: Re: Cloudstack lab

Hi

Thanks for the info Rohit, I actually found your blog when googling just didn't recognize your name on here.

What's the difference between the simulator and a full install? Also on your blog is everything installed on one pi? I assume it is but wanted to check.

Thanks

On Sat, 6 Mar 2021, 13:02 Rohit Yadav, wrote:

> For basic app development, go for simulator based development:
>
> https://github.com/shapeblue/hackerbook/blob/master/2-dev.md#simulator-based-development
>
> If you've KVM or VMware workstation/fusion, you can try an appliance based development as well. For KVM you can see:
> https://github.com/shapeblue/hackerbook/blob/master/2-dev.md#mbx-based-development (though I need to update that section on using the new mbx)
>
> RaspberryPi4 based toy development/testing setup is also possible but iteration on it may be slow (for users https://rohityadav.cloud/blog/cloudstack-rpi4-kvm/).
>
> Regards.
>
> From: Craig Dunn
> Sent: Friday, March 5, 2021 20:25
> To: users@cloudstack.apache.org
> Subject: Re: Cloudstack lab
>
> sorry I just thought as it was a simulator deployments wouldnt work
>
> On Fri, 5 Mar 2021 at 14:48, Rakesh v <www.rakeshv@gmail.com> wrote:
>
> > I'm not sure what you mean by deployment won't work. You can deploy VM very well and you can hack into DB as well
> >
> > Sent from my iPhone
> >
> > > On Mar 5, 2021, at 3:13 PM, Craig Dunn wrote:
> > >
> > > thanks thats looks interesting, I know its a simulation so deployments probably dont work but is there a DB and stuff you can play with?
> > >
> > >> On Fri, 5 Mar 2021 at 13:40, Rakesh v <www.rakeshv@gmail.com> wrote:
> > >>
> > >> You can probably try running the docker simulator
> > >>
> > >> Sent from my iPhone
> > >>
> > >>> On Mar 5, 2021, at 2:39 PM, Craig Dunn wrote:
> > >>>
> > >>> Hey all,
> > >>>
> > >>> I have been reading the cloudstack hackers book which was shared last week, which is really interesting. My employer uses cloudstack as their main platform. so I have some Cloudstack experience.
> > >>>
> > >>> However I would like to know more and I think the only way is to get a lab going so I can break/fix it. As I live in a tiny flat I dont have the room for a rack or full of servers, so I was thinking if I could do it with raspberry pi's, I would need a few 1 for the management server, another for the database, another to run VMWare. I dont expect to run anything of any substance but as a testing environment and as a learning tool would this be possible?
> > >>>
RE: Storage and storage network setups
Hi Vash,

Your understanding is correct indeed and your approach sounds solid, but I'd recommend (if possible at all for you) to already start with a separate storage network, although possible, is quite a bit of work to add a separate storage network later on (and you'd need deep knowledge of ACS to be able to carry that out).

Primary storage traffic will depend more on the type of workload you run on your VMs than on the actual number of VMs. I've had ACS zones with 20VMs saturate 20Gbps and other zones with thousands of VMs use at the most 3Gbps. I'd recommend to try and analyse what kind of traffic you are likely to have, the number of hosts and try to figure out what you need. With that said, nowadays the safe bet would be to go with 4 x 25Gbps per host, or at least 4 x 10 (again, depending on how large your hosts are).

Hope that helps.

Cheers,
Alex

-----Original Message-----
From: vas...@gmx.de
Sent: 03 March 2021 21:55
To: users@cloudstack.apache.org
Subject: Storage and storage network setups

Hi,

as I am taking a closer look into cloudstack, I wanted to ask some questions regarding storage and storage networks.

First my understanding of different setups - please correct me if my understanding was wrong.

As far as I understand (until now ;-) ) there are several ways of providing dedicated storage networks for the use of primary and secondary storage.

In the "basic" setup, storage traffic and management traffic would be transferred via the same interface (in the docs named "cloudbr0").

The next way of configuring storage / a storage network would be to give the secondary storage its own physical network - usually named storage network in the docs - which can be configured during a zone-setup and using an own Tag. Still management traffic and primary storage traffic would share the same interface.

The third possible setup regarding storage / storage network would be to provide the hosts a dedicated nic for primary storage. This physical network won't need a dedicated traffic label as the hypervisor on the hosts would be able to connect to the storage-targets /-shares directly via the dedicated interface and IP-Address. This way only on the management labeled physical network only management would be transferred. The traffic for primary / secondary storage would be separated (combining storage-labeled physical network and direct attached storage network for the hosts).

Another point I would need some information are in regards of changing the above mentioned setups. So that in a small-scale setup I would start with the "minimal" approach using one interface for management and primary- / secondary storage and when needed e.g. separate the primary storage from management traffic?

Last but not least can anybody suggest a suitable bandwidth for a primary storage network or can provide real-life experience for example how 50 vms are running while using a 10Gb/s network for primary storage? (I know there are several other factors beside the actual network bandwidth. This is just to get an impression about the performance of the system).

Thanks in advance!

Chris
RE: Pfsense like external firewall with CloudStack
Hi Vivek,

You mean that you want the virtual appliance to be in a network in one of the VPC tiers? If so, am not sure how that would work, maybe StaticNAT works, but your routing will be quite messy.

I always placed the FW virtual appliance in a Guest Network by itself and set that to be on the same VLAN of the Private Gateway.

Cheers,
Alex

-----Original Message-----
From: Vivek Kumar
Sent: 30 April 2020 10:54
To: users@cloudstack.apache.org
Subject: Re: Pfsense like external firewall with CloudStack

Hello Alex,

Thanks for the response. I have implemented second case multiple times when I create s2s between my firewall and end customer's device, and then extend the connectivity from firewall to VR via Private Gateway and that works pretty perfect.

But in this particular case we can't use firewall so that's why I wanted to use any virtual appliance under a VPC which can give me any alternative, So how do we achieve the connectivity of Virtual appliance since Tier will use the private subnet so if I use the Static NAT with PFsense will it work ? Because in pfsense it will always identified as a private IP.

Vivek Kumar

> On 30-Apr-2020, at 2:11 PM, Alex Mattioli wrote:
>
> Hi Vivek,
> I've actually done exactly that with both PaloAlto and Checkpoint firewalls.
> In one case created the VPC with a "public" IP in the same network as the FW's Inside interface, which is a bit too much work to be honest (and can get messy).
> In another case in a POC I just used the VPC's Private Gateway function to connect it to the FW, which could then be either physical or virtual.
>
> Cheers,
> Alex Mattioli
>
> -----Original Message-----
> From: Vivek Kumar
> Sent: 29 April 2020 21:39
> To: users@cloudstack.apache.org
> Subject: Pfsense like external firewall with CloudStack
>
> Hello Folks,
>
> Have someone ever tried to deploy a pfsense or any other virtual firewall appliance under a VPC to extend the security feature. Let's say if I want to use site-to-site between my tiers and remote destination and I don't want to use VR for site-to-site. Has someone tried that scenario ?
>
> Let me give an use case, I have a VPC with multiple Tier and VMs running, I am using a old version of CloudStack 4.7.1 with XenServer 7.0 in this we don't have options to choose options like IKE Hash SHA256,384,512 and same for ESP Hash , IKE DH group 14,15,16 ( which is pretty much available in 4.13 ). So I want to establish a site-2-site using these security parameters which doesn't exist in my version of CloudStack. Is there any way to achieve it for my older version ? So I wanted to check if someone has worked on this scenario and use any third party firewall appliance.
>
> Vivek Kumar
RE: Pfsense like external firewall with CloudStack
Hi Vivek,

I've actually done exactly that with both PaloAlto and Checkpoint firewalls.

In one case created the VPC with a "public" IP in the same network as the FW's Inside interface, which is a bit too much work to be honest (and can get messy).

In another case in a POC I just used the VPC's Private Gateway function to connect it to the FW, which could then be either physical or virtual.

Cheers,
Alex Mattioli

-----Original Message-----
From: Vivek Kumar
Sent: 29 April 2020 21:39
To: users@cloudstack.apache.org
Subject: Pfsense like external firewall with CloudStack

Hello Folks,

Have someone ever tried to deploy a pfsense or any other virtual firewall appliance under a VPC to extend the security feature. Let's say if I want to use site-to-site between my tiers and remote destination and I don't want to use VR for site-to-site. Has someone tried that scenario ?

Let me give an use case, I have a VPC with multiple Tier and VMs running, I am using a old version of CloudStack 4.7.1 with XenServer 7.0 in this we don't have options to choose options like IKE Hash SHA256,384,512 and same for ESP Hash , IKE DH group 14,15,16 ( which is pretty much available in 4.13 ). So I want to establish a site-2-site using these security parameters which doesn't exist in my version of CloudStack. Is there any way to achieve it for my older version ? So I wanted to check if someone has worked on this scenario and use any third party firewall appliance.

Vivek Kumar