Contents
1 Introduction
2 CEE Based on Extreme Switch
2.1 Prerequisites
2.1.1 Required Hardware and Software
2.1.2 Documents
2.1.3 Conditions
2.2 L2 Connection to BGW
2.3 L3 Connection to BGW Using Neutron Router

1 Introduction
This document describes how to configure external tenant Border Gateway (BGW) and Firewall (FW) connections to the Cloud Execution Environment (CEE) region. Because the BGW or FW is not part of the CEE region, the actual BGW present at a given deployment is not known, so this guideline provides a high-level overview.
Note: For more information about the CEE region configuration, refer to the Configuration File Guide.
2 CEE Based on Extreme Switch
This section provides Layer 2 (L2) and Layer 3 (L3) guidelines for the case where Neutron is configured to use an ML2 mechanism driver and an L3 service plug-in for Extreme switches.
2.1 Prerequisites
This section describes the prerequisites that must be fulfilled before external connectivity can be achieved.
2.1.1 Required Hardware and Software
The following hardware and software is required for the BGW:
- Appropriate number of optical 10 GE or 40 GE interfaces, IEEE 802.3
- Support for Virtual Routers (VRs)
- Support for VLAN tagging
- Support for VRRP v3, IETF RFC 5798
- Support for link aggregation, IEEE 802.1AX-2008. Minimum members of links, Active/passive LACP
2.1.2 Documents
Before starting the configuration procedure, ensure that the following information and documents are available:
- Information about product name, software version, platform, operating system, and hardware.
- Information about how to collect data and log files. For more information, refer to data collection guidelines for the BGW.
- Information about how to carry out backup and restore procedures. For more information, refer to backup and restore guidelines for the BGW.
- Some of the recovery steps require physical access to the products for pressing buttons, replacing hardware, and so on. For more information about physical access and handling, refer to Personal Health and Safety Information and System Safety Information.
- Some of the recovery steps require instructions. For a detailed description, refer to the applicable documentation of the BGW.
2.1.3 Conditions
The following conditions must apply before the configuration is performed:
- Configuration input data for the applicable BGW is available. Refer to the applicable documentation of the BGW regarding configuration.
  Note: Consider the time for producing the applicable configuration data.
- The proper BGW software package is installed.
- Connectivity between CEE and BGW is in place.
- Connectivity between BGW and FW is in place.
- The VLAN ranges for external connection must be aligned. The VLAN ID range for CEE external tenant connectivity must be reserved before the CEE installation. For information about ranges, refer to the section "Networking API v2.0 extensions" in the OpenStack API Complete Reference.
2.2 L2 Connection to BGW
This section describes how to connect CEE to the BGW using an L2 network. For more information on Neutron, refer to the sections "Networking API v2.0" and "Networking API v2.0 extensions" in the OpenStack API Complete Reference.
Figure 1 L2 Connection to BGW
Do the following:
- Configure the BGW to be able to handle incoming and outgoing traffic. For more information, refer to the DC Firewall Hardening Guide.
- Create VRs in the BGWs as shown in Figure 1.
  Note: There can be one or several VLANs connected to the VR, and one or several VRs can be connected to the applicable port towards CEE. There can also be one or several VLANs connected to the FW.
- Configure the VR with its applicable parameters. Both IPv4 and IPv6 can be used.
- After a VR is created, create applicable VLANs. It is recommended to choose VLAN names that reflect what they are used for. VLAN ports connected to CEE must be in the reserved range, specified in Section 2.1.3.
- To achieve redundancy on the VRs, configure VRRP v3 on the VLANs interfacing CEE.
  Note: Use the same VLAN ID in BGW-1 and BGW-2.
- Add VLANs to applicable ports connected to CEE.
- Add VLANs on the ports connected to the FWs and VRs.
2.3 L3 Connection to BGW Using Neutron Router
This section describes how to connect VMs via Neutron router to BGW on L3. For more information on Neutron, refer to the sections "Networking API v2.0" and "Networking API v2.0 extensions" in the OpenStack API Complete Reference. Figure 2 shows the connection, without showing the VMs.
Figure 2 L3 Connection to BGW Using Neutron Router
Do the following:
- Create VRs in the BGWs as shown in Figure 2.
- Configure the VR with its applicable parameters. Only IPv4 is applicable.
- After a VR is created, create applicable VLANs in the VR.
- Create two VLANs to achieve redundancy, one for BGW-1 and one for BGW-2. The connections to the BGWs must be Layer 3 point-to-point links, that is, a /30 subnet. It is recommended to choose VLAN names that reflect what they are used for. The VLAN IDs used for the connectivity to CEE must be in the reserved range, specified in Section 2.1.3.
- Add the applicable ports to the VR.
- Add VLANs to applicable ports connected to CEE.
- Add VLANs on the ports connected to FWs and VRs.
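The VLAN and addressing rules in Sections 2.1.3, 2.2 and 2.3 can be checked against a planned BGW configuration before it is applied. The following is an added example, not part of the original guide or any BGW product. The plan format, the function name `validate_plan`, the reserved range and all IDs and addresses are constructed assumptions, and only CEE-facing VLANs are modelled.

```python
import ipaddress

RESERVED = (2000, 2099)  # constructed range; use the one reserved at CEE installation

def validate_plan(plan, reserved=RESERVED):
    """Return violations of the Section 2.1.3, 2.2 and 2.3 rules in a BGW VLAN plan."""
    lo, hi = reserved
    errors = []
    # Section 2.1.3: every VLAN facing CEE must sit in the reserved range.
    for mode in ("l2", "l3"):
        for bgw, vlans in plan.get(mode, {}).items():
            for v in vlans:
                if not lo <= v["id"] <= hi:
                    errors.append(f"{mode} {bgw}: VLAN {v['id']} outside reserved range")
    # Section 2.2: the VRRP v3 pair uses the same VLAN ID in BGW-1 and BGW-2.
    l2_ids = {frozenset(v["id"] for v in vlans) for vlans in plan.get("l2", {}).values()}
    if len(l2_ids) > 1:
        errors.append("l2: VLAN IDs differ between BGWs")
    # Section 2.3: one VLAN per BGW, each an IPv4 /30 point-to-point link.
    owner = {}
    for bgw, vlans in plan.get("l3", {}).items():
        for v in vlans:
            try:
                net = ipaddress.ip_network(v["subnet"])  # strict: rejects host bits
            except ValueError:
                errors.append(f"l3 {bgw}: VLAN {v['id']} has invalid subnet {v['subnet']}")
                continue
            if net.version != 4 or net.prefixlen != 30:
                errors.append(f"l3 {bgw}: VLAN {v['id']} subnet {net} is not an IPv4 /30")
            if owner.setdefault(v["id"], bgw) != bgw:
                errors.append(f"l3: VLAN {v['id']} used on both {owner[v['id']]} and {bgw}")
    return errors

# Constructed sample plans (names, IDs and addresses are illustrative only).
GOOD = {
    "l2": {"BGW-1": [{"id": 2001}], "BGW-2": [{"id": 2001}]},
    "l3": {"BGW-1": [{"id": 2010, "subnet": "192.0.2.0/30"}],
           "BGW-2": [{"id": 2011, "subnet": "192.0.2.4/30"}]},
}
BAD = {
    "l2": {"BGW-1": [{"id": 2001}], "BGW-2": [{"id": 2002}]},
    "l3": {"BGW-1": [{"id": 2010, "subnet": "192.0.2.0/29"}],
           "BGW-2": [{"id": 2010, "subnet": "2001:db8::/126"},
                     {"id": 300, "subnet": "192.0.2.8/30"}]},
}

if __name__ == "__main__":
    for name, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_plan(plan) or "ok")
```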
