Hi Soeren,

If we want to create an advanced zone with security groups we must choose the zone type as Advanced and the isolation type as Security Groups in the zone creation wizard (which is the first page in the UI once we click on the Add Zone tab). In an advanced zone with security groups all the guest traffic is assumed to be public traffic, so there would not be a public traffic type in the physical network creation. The system VMs' public NICs get their IP addresses from the guest traffic range, so you may have to change the NAT settings on the firewall accordingly.
Thanks,
Sanjeev

-----Original Message-----
From: Soeren Malchow [mailto:soeren.malc...@mcon.net]
Sent: Monday, July 28, 2014 5:47 AM
To: users@cloudstack.apache.org
Subject: Stuck with Advanced Networking

Dear all,

I have a problem with advanced networking. I seem not to be able to wrap my brain around this; I think I am missing something specific, and I am not sure if the setup is as intended.

I have the following setup:

1 x Server with Cloudstack Management installed, IP: 192.168.10.11, Gateway 192.168.10.1, Netmask: /23
1 x Storage Server with 2 NFS Exports for Primary and Secondary Storage, IP: 192.168.10.21
1 x KVM Server with an IP in the Management Network, 192.168.10.101

- The management server runs fine (the network interface is bonded (802.3ad) to two stacked switches)
- The storage runs fine and can be mounted on the KVM and on the management server
- The template is downloaded and in the secondary storage
- The KVM server is configured as follows
  o 1 x bond (802.3ad) with 4 physical links for the management network (192.168.10.0/23); the IP address 192.168.10.101 is actually on a bridge that is on top of the bond

<-- snip -->
auto bond0
iface bond0 inet manual
    bond-mode 4
    bond-miimon 100
    bond-lacp-rate 1
    bond-slaves em1 em2 em3 em4

auto mgmtbr0
iface mgmtbr0 inet static
    address 192.168.10.101
    netmask 255.255.254.0
    network 192.168.10.0
    broadcast 192.168.11.255
    gateway 192.168.10.1
    dns-nameservers 192.168.10.1
    bridge_ports bond0
    bridge_fd 5
    bridge_stp off
    bridge_maxwait 1

iface mgmtbr0 inet6 static
    address XXXX:XXXX:XXXX:17:0:5:0:101
    netmask 96
    gateway XXXX:XXXX:XXXX:17:0:5:0:1
    dns-nameservers XXXX:XXXX:XXXX:17:0:5:0:1
<-- snip -->

For the public and guest networks I prepared similar bonds: bond1 has only the "public VLAN" tagged on the switch side, bond2 has ~50 VLANs tagged on the switch side. In both cases it is correctly tagged on the Link Aggregation Interface; we tested it manually and it works fine.

<-- snip -->
# Public network
auto bond1
iface bond1 inet manual
    bond-mode 4
    bond-miimon 100
    bond-lacp-rate 1
    bond-slaves p3p1 p3p2

auto publicbr0
iface publicbr0 inet manual
    bridge_ports bond1
    bridge_fd 5
    bridge_stp off
    bridge_maxwait 1

# Guest network
auto bond2
iface bond2 inet manual
    bond-mode 4
    bond-miimon 100
    bond-lacp-rate 1
    bond-slaves p3p3 p3p4

auto guestbr0
iface guestbr0 inet manual
    bridge_ports bond2
    bridge_fd 5
    bridge_stp off
    bridge_maxwait 1
<-- snip -->

The target is to have advanced networking with security groups. The public IPs should be in 192.168.14.0/23. The Guest IPs, for the start, should be in 192.168.16.0/24.

During setup I enter the following:

Step 2 - Setup Zone
- DNS: 192.168.14.1
- Internal DNS: 192.168.10.1
- Hypervisor: KVM
- DefaultSharedNetworkOfferingWithSGService selected
- The rest stays empty

Step 3 - Physical Network
- Here I already do not understand why there is no "public network"
- I change "Physical Network 1" to Network01
- Isolation: VLAN
- "Management" and "Storage" go here, both with "mgmtbr0" as traffic label
- Next Network is "Network02"
- One of the "Guests" goes here and the label is "guestbr0"

Step 3 - POD
- Pod Name: Pod01
- Reserved System Gateway: 192.168.10.1 (it is in the management network)
- Netmask: 255.255.254.0
- Start reserved IP: 192.168.10.150
- End reserved IP: 192.168.10.199

Step 3 - Guest traffic
- Gateway: 192.168.16.1
- Netmask: 255.255.255.0
- Guest Start IP: 192.168.16.10
- Guest End IP: 192.168.16.150
- VLAN ID: 1016

Step 3 - Storage traffic
- Gateway: 192.168.10.1
- Netmask: 255.255.254.0
- VLAN ID: empty (traffic is not tagged, see bond0 setup)
- Start IP: 192.168.10.200 (directly after the POD IPs)
- End IP: 192.168.10.249

Step 4 - Cluster
- Give it a name

Step 5 - Host
- Hostname: 192.168.10.101 (KVM Server IP)
- Username and password: root / the_password

Step 5 - Storage
- Primary and secondary storage from 192.168.10.21 (different exports)

After this the setup finishes successfully.

And now I am stuck:
- Am I supposed to use the 192.168.16.0/24 network basically as a public network and NAT to these IPs on our firewall?
- Also, if I try to check the console of the secondary storage VM, which is running, I get a connection reset (to reach this I created the 192.168.16.1 on the layer 3 switch as a gateway; before I did that I got a timeout)
- If I try to download an ISO file to install something new, I cannot download at all

Any advice where to go from here? And sorry for this exhausting email, but I thought it might be better to be very specific.

Thanks in advance
Soeren
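The address plan entered in the wizard above, checked programmatically for the mistakes that commonly break a zone like this (ranges outside their subnet, overlapping pod and storage ranges, a host or gateway address landing inside a reserved range). This is an added example, not code from either mail or from CloudStack; the IP values are transcribed from Soeren's message, and the assumption that two system VMs (SSVM and console proxy) take their public NIC addresses from the guest range follows Sanjeev's reply.

```python
import ipaddress

# Values transcribed from Soeren's mail (constructed input for this example).
MGMT_NET = ipaddress.ip_network("192.168.10.0/23")
GUEST_NET = ipaddress.ip_network("192.168.16.0/24")
RANGES = {  # name: (first IP, last IP, subnet it must live in)
    "pod reserved": ("192.168.10.150", "192.168.10.199", MGMT_NET),
    "storage": ("192.168.10.200", "192.168.10.249", MGMT_NET),
    "guest": ("192.168.16.10", "192.168.16.150", GUEST_NET),
}
HOSTS = {"management": "192.168.10.11", "nfs": "192.168.10.21",
         "kvm": "192.168.10.101", "mgmt gateway": "192.168.10.1",
         "guest gateway": "192.168.16.1"}

def _span(start, end):
    a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if a > b:
        raise ValueError(f"range start {a} is after end {b}")
    return a, b

def check_ranges(ranges, hosts):
    """Return the list of problems found; an empty list means the plan is consistent."""
    problems, spans = [], {}
    for name, (start, end, net) in ranges.items():
        a, b = _span(start, end)
        if a not in net or b not in net:
            problems.append(f"{name} range {a}-{b} is not inside {net}")
        spans[name] = (a, b, net)
    names = list(spans)  # ranges on the same subnet must not overlap each other
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            a1, b1, n1 = spans[x]
            a2, b2, n2 = spans[y]
            if n1 == n2 and a1 <= b2 and a2 <= b1:
                problems.append(f"{x} and {y} ranges overlap")
    for label, ip in hosts.items():  # static hosts and gateways stay out of every range
        addr = ipaddress.ip_address(ip)
        for name, (a, b, _) in spans.items():
            if a <= addr <= b:
                problems.append(f"{label} {addr} lies inside the {name} range")
    return problems

def guest_ips_available(ranges, system_vms=2):
    """Guest IPs left for user VMs once the system VMs' public NICs (assumed: SSVM and
    console proxy) have taken theirs from the guest range, as in a security-group zone."""
    start, end, _ = ranges["guest"]
    a, b = _span(start, end)
    return int(b) - int(a) + 1 - system_vms
```

Run `check_ranges(RANGES, HOSTS)` before clicking through the wizard; an empty list means the ranges fit, and `guest_ips_available(RANGES)` shows how much of the guest range is actually left for user VMs.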