Before we begin, please do read the following links for a basic understanding of CloudStack’s networking concepts.
- CloudStack Manual About Physical Networks Section
- CloudStack Advanced Network Tutorial Step by Step
- Understanding CloudStack’s Physical Networking Architecture
- Chapter 15. Managing Networks and Traffic
Confused yet? 🙂
Here is one more article on creating an Advanced Zone in CloudStack, but one that follows a keep-it-simple principle. The assumptions below are the bare minimum requirements for an Advanced Zone.
- One CloudStack Management Server fully installed (csman1)
- One or more KVM hypervisors with a single physical network interface (NIC)
- One RFC1918 private /24 subnet (192.168.44.0/24) to be used for “management” traffic with Internet access
- One /24 subnet (192.168.65.0/24, tagged as VLAN 65) to be used for “public” traffic with Internet access. In this walkthrough an RFC1918 range stands in for a real public subnet; the range 192.168.65.10 – 192.168.65.199 is reserved for CloudStack use
- One RFC1918 /24 subnet (10.1.1.0/24) to be used for “guest” traffic
- A storage device (NAS) whose interface is also on the management network (192.168.44.0/24) and is reachable directly from the management server and the KVM hypervisors. Restrict its exports to those hosts; nothing on the guest or public networks should ever have a path to it
- An L3-capable switch whose hypervisor-facing ports are configured to carry tagged VLAN traffic for VLANs 100-109 (guest traffic) and VLAN 65 (public traffic), with the management subnet as the untagged (native) VLAN on those ports
Now, let's begin with the IP assignments. Refer to the Network Interfaces configuration section of the RHEL manual if required.
- CloudStack management server (csman1) running on CentOS 6.5: 192.168.44.1
- The storage server (nas1): 192.168.44.2
- The CentOS 6.5 KVM hypervisor (kvm1): 192.168.44.3
- The default gateway for the management network: 192.168.44.254
- The default gateway for the public network: 192.168.65.254
- Management IP range dedicated to System VM communication: 192.168.44.20 to 192.168.44.30
- Public IP range dedicated to CloudStack use: 192.168.65.10 to 192.168.65.199
Next, let's configure bridged networking on the KVM host(s):
- Update /etc/sysconfig/network-scripts/ifcfg-eth0 so that eth0 carries no IP address of its own and is enslaved to the bridge (BRIDGE=cloudbr0)
- Create /etc/sysconfig/network-scripts/ifcfg-cloudbr0 as a bridge interface (TYPE=Bridge) that carries the host's management address (192.168.44.3, netmask 255.255.255.0, gateway 192.168.44.254)
Once you restart the network service, the bridge is created as below, with cloudbr0 mapped to eth0:
[root@kvm1 ~]# brctl show
bridge name bridge id STP enabled interfaces
cloudbr0 8000.000c293bb945 no eth0
Once the KVM host is reconfigured, verify connectivity (via ICMP ping):
- Between the management server and the hypervisors
- To the storage device/NAS
- To the default gateway
- To a well-known public address such as Google's DNS resolver 8.8.8.8, to confirm Internet routing
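To make the KVM host steps repeatable, here is an added example in bash (not code from the original post): it writes the two ifcfg files for the single-NIC bridge, checks the output of brctl show for the eth0-to-cloudbr0 mapping, and runs the ping checklist. The addresses come from the post; the ifcfg keys are the standard CentOS 6 bridge layout and are an assumption about what the post's files contained, as is the choice of 8.8.8.8 as the routing probe. The script name bridge-check.sh is hypothetical. Run it as ./bridge-check.sh write, restart the network service, then ./bridge-check.sh check.

```bash
#!/bin/bash
# Added example, not from the original post: generate the two ifcfg files for
# the single-NIC bridged layout, confirm the bridge enslaved the NIC, and run
# the ping checklist. Addresses come from the post (kvm1 = 192.168.44.3,
# gateway 192.168.44.254, csman1 = .1, nas1 = .2); the ifcfg keys below are
# the standard CentOS 6 bridge layout and are an assumption, not the post's files.
set -u

NIC=${NIC:-eth0}
BRIDGE=${BRIDGE:-cloudbr0}
HOST_IP=${HOST_IP:-192.168.44.3}
NETMASK=${NETMASK:-255.255.255.0}
GATEWAY=${GATEWAY:-192.168.44.254}
# Point this at a scratch directory to preview the files without touching /etc.
SCRIPTS_DIR=${SCRIPTS_DIR:-/etc/sysconfig/network-scripts}

# ifcfg-eth0: no address of its own, just a port of the bridge.
# ifcfg-cloudbr0: carries the hypervisor's management address.
write_bridge_configs() {
    mkdir -p "$SCRIPTS_DIR"
    cat > "$SCRIPTS_DIR/ifcfg-$NIC" <<EOF
DEVICE=$NIC
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
BRIDGE=$BRIDGE
EOF
    cat > "$SCRIPTS_DIR/ifcfg-$BRIDGE" <<EOF
DEVICE=$BRIDGE
TYPE=Bridge
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
IPADDR=$HOST_IP
NETMASK=$NETMASK
GATEWAY=$GATEWAY
DELAY=0
STP=no
EOF
}

# Read `brctl show` output on stdin and succeed only if bridge $1 has port $2.
# Extra ports of the same bridge are listed one per continuation line.
bridge_has_port() {
    awk -v b="$1" -v n="$2" '
        NR == 1 { next }                                  # column header
        NF >= 3 { cur = $1; port = (NF >= 4) ? $4 : "" }  # first line of a bridge
        NF == 1 { port = $1 }                             # additional port of that bridge
        cur == b && port == n { found = 1 }
        END { exit !found }'
}

# The post-reconfiguration checklist: peers on the management network,
# the default gateway, and one well-known Internet address for routing.
ping_checklist() {
    rc=0
    for target in 192.168.44.1 192.168.44.2 "$GATEWAY" 8.8.8.8; do
        if ping -c 2 -W 2 "$target" >/dev/null 2>&1; then
            echo "ok   $target"
        else
            echo "FAIL $target"
            rc=1
        fi
    done
    return $rc
}

case "${1:-}" in
    write) write_bridge_configs && echo "wrote ifcfg-$NIC and ifcfg-$BRIDGE to $SCRIPTS_DIR" ;;
    check) brctl show | bridge_has_port "$BRIDGE" "$NIC" || { echo "$NIC is not a port of $BRIDGE" >&2; exit 1; }
           ping_checklist ;;
    *)     echo "usage: $0 write|check   (run 'service network restart' between the two)" ;;
esac
```

Set SCRIPTS_DIR to a scratch directory first to review the generated files before writing them under /etc; the check step fails fast if eth0 never joined the bridge, which is the usual cause of a host that answers on the console but not on the network.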
Please ensure that your L3 switch is configured to pass tagged VLAN 65 and VLANs 100 to 109 on the hypervisor-facing ports, with the management subnet untagged, and that it passes no other VLAN on those ports: a trunk carrying more than CloudStack needs gives a compromised hypervisor a path into networks it has no business reaching. There are plenty of guides on the Internet that can help you configure VLANs on your network device.
Now, finally to the CloudStack Add Zone configuration wizard:
- Select Advanced Zone
- Set the Guest CIDR to “10.1.1.0/24”
- The default traffic types “Management”, “Guest” and “Public” are assigned to “Physical Network 1”. Keep it that way.
- This step is where all the magic happens: set the traffic labels by clicking the edit button on the “Management”, “Guest” and “Public” traffic icons. With a single NIC, the KVM traffic label for all three is cloudbr0
- Add the public traffic range 192.168.65.10 – 192.168.65.199 on VLAN 65, with gateway 192.168.65.254 and netmask 255.255.255.0
- Add the first Pod with the small reserved IP range (192.168.44.20 – 192.168.44.30) from the management subnet 192.168.44.0/24, gateway 192.168.44.254; this is the range the system VMs will use on the management network
- Assign the VLAN range (100-109) for guest traffic use
- Complete the steps for adding a Cluster, Host, primary storage and secondary storage and create the zone.
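Before clicking through the wizard it is worth checking that the plan is self-consistent: the pod range and the public range must lie inside their subnets and must not swallow the gateway or an existing host, the guest CIDR must not overlap either subnet, and the public VLAN must sit outside the guest VLAN range. Otherwise a system VM or a tenant VM ends up holding an address that belongs to something real. The following pre-flight check is an added example, not part of the original post; it is POSIX shell and defaults to the values used above. The list of fixed hosts (csman1, nas1, kvm1, the gateway) that must stay outside the pod range is this example's own assumption.

```bash
#!/bin/sh
# Added pre-flight check, not from the original post: validate the addressing
# plan before walking through the Add Zone wizard. Values default to the ones
# used in the post; the list of fixed hosts (csman1, nas1, kvm1, gateway)
# that must stay out of the pod range is this example's own assumption.

ip2int() {                      # dotted quad -> integer, POSIX arithmetic only
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {                     # $1 = address, $2 = network/prefix
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

in_range() {                    # $1 = address, $2 = first, $3 = last (inclusive)
    ip=$(ip2int "$1"); lo=$(ip2int "$2"); hi=$(ip2int "$3")
    [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

range_in_cidr() {               # $1 = first, $2 = last, $3 = network/prefix
    in_cidr "$1" "$3" && in_cidr "$2" "$3"
}

cidrs_overlap() {               # true if the two networks share any address
    if [ "${1#*/}" -le "${2#*/}" ]; then in_cidr "${2%/*}" "$1"; else in_cidr "${1%/*}" "$2"; fi
}

vlan_in_range() {               # $1 = VLAN id, $2 = "lo-hi"
    [ "$1" -ge "${2%-*}" ] && [ "$1" -le "${2#*-}" ]
}

not() { if "$@"; then return 1; else return 0; fi; }

check() {                       # $1 = description, $2.. = command that must succeed
    desc=$1; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
}

# Runs every check, prints one line per check, returns the number of failures.
check_plan() {
    mgmt_cidr=${MGMT_CIDR:-192.168.44.0/24}   mgmt_gw=${MGMT_GW:-192.168.44.254}
    pub_cidr=${PUB_CIDR:-192.168.65.0/24}     pub_gw=${PUB_GW:-192.168.65.254}
    guest_cidr=${GUEST_CIDR:-10.1.1.0/24}
    pod_lo=${POD_LO:-192.168.44.20}           pod_hi=${POD_HI:-192.168.44.30}
    pub_lo=${PUB_LO:-192.168.65.10}           pub_hi=${PUB_HI:-192.168.65.199}
    guest_vlans=${GUEST_VLANS:-100-109}       pub_vlan=${PUB_VLAN:-65}
    fixed_hosts="192.168.44.1 192.168.44.2 192.168.44.3 $mgmt_gw"   # csman1 nas1 kvm1 gateway
    fails=0

    check "pod range inside $mgmt_cidr"                range_in_cidr "$pod_lo" "$pod_hi" "$mgmt_cidr"
    for h in $fixed_hosts; do
        check "$h stays outside the pod range"         not in_range "$h" "$pod_lo" "$pod_hi"
    done
    check "public range inside $pub_cidr"              range_in_cidr "$pub_lo" "$pub_hi" "$pub_cidr"
    check "public gateway $pub_gw outside the range"   not in_range "$pub_gw" "$pub_lo" "$pub_hi"
    check "guest CIDR does not overlap management"     not cidrs_overlap "$guest_cidr" "$mgmt_cidr"
    check "guest CIDR does not overlap public"         not cidrs_overlap "$guest_cidr" "$pub_cidr"
    check "management and public do not overlap"       not cidrs_overlap "$mgmt_cidr" "$pub_cidr"
    check "public VLAN $pub_vlan outside $guest_vlans" not vlan_in_range "$pub_vlan" "$guest_vlans"
    return $fails
}

check_plan
```

Every value can be overridden through the environment (for example POD_HI=192.168.44.40 ./plan-check.sh, with the script name being hypothetical), so the same check can be re-run when the pod range is widened or a second public range is added later.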
That's about it.
Where to go from here…
- Add more hypervisor types like XenServer and VMware ESXi
- Add additional physical network interfaces
- Add dedicated NIC for storage traffic
- Add dedicated NIC for public traffic
- Add dedicated NIC for guest traffic
- Use bonded interfaces (LACP/LAGG) for fault tolerance and higher throughput
- Use tagged VLAN for management traffic on KVM hypervisor
- Use SDN technologies such as GRE tunnels instead of VLAN isolation
- Enable security groups in an advanced network