Explore Cisco
How to Buy

Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Cisco Cloud Network Automation Provisioner for the Microsoft Cloud Platform-Administrator Portal Guide, Release 1.1

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco Cloud Network Automation Provisioner for the Microsoft Cloud Platform-Administrator Portal Guide, Release 1.1

Chapter Title

Managing Container Plans

Results

Updated:
March 31, 2016

Chapter: Managing Container Plans

Managing Container Plans

The Service Provider administrator can use the Cisco CNAP Admin Portal to:

  • Display summary information about a container
  • Delete a container
  • Display and modify gateway information about a container:

Look at information about a gateway.

Add a gateway (you cannot configure a WAN Gateway until a tenant has created a container and the container is active).

Modify a gateway.

Delete a gateway.

  • Display and modify firewall information about a container:

View summary information about a firewall.

View the hierarchy of information on the Firewall tab.

Set up a tenant perimeter firewall.

Change the policy map for a service policy.

Add a new class map.

Change a class map.

Create a new network Access Control List (ACL).

Change an Access List.

Create a new object group.

Change an object group.

  • Display load balancer information about a container:

Confirm the licensing of a Citrix NetScaler VPX.

Look at load balancer information about a container.

Note Since Cisco CNAP is also pushing configurations for the automation of work flows on devices, certain precautions need to be followed when manually configuring devices to avoid disrupting Cisco CNAP-based automation. Changing configurations pushed from Cisco CNAP will cause the automated provisioning system to malfunction, which in some cases could cause all automated provisioning to stop until the error conditions are manually remediated. In general on the data center provider edge, all configurations under the tenant VRFs pushed by Cisco CNAP should not be edited or changed, including sub-interfaces and routing. Similarly on the Cisco APIC, the Cisco APIC tenants configured by Cisco CNAP should only be changed by Cisco CNAP. Any configurations pushed by Cisco CNAP should not be manually edited. For more information, see Installing Cisco Cloud Network Automation Provisioner for the Microsoft Cloud Platform, Release 1.1.

Viewing Summary Information about Containers Managed by Cisco CNAP

The Tenants tab displays a list of all the tenant containers currently managed by Cisco CNAP, as shown on the Tenants Tab screen.

Figure 5-1 Tenants Tab Screen

 

Each container row visible on the Tenants tab shows the following information:

  • Cont ID—The ID of the container.
  • Cloud—Name of the Cloud Service in SCVMM to which the container is associated.
  • Container Name—Descriptive name of the container.
  • Container State—The current state of the container:

Active

Creating

Inactive

  • Firewall—The status of all Firewall Services associated with a particular container.
  • Network—Total number of networks in the container.
  • SLB—The status of all Load Balancer Services associated with a particular container.
  • Type—The type of container, which in the current release is only Zinc.
  • WAN—The status of each of the WAN Gateway Services (MPLS VPN, Site-to-Site and Remote Access VPN, or Internet Access) associated with a particular container.
  • Tiers—The number of tiers currently configured in the container.
  • Created On:—Displays the date and time when the container was created.
  • Modified On:—Displays the date and time when the container was last modified.

Viewing Summary Information about a Container

Step 1 To display summary information about a specific container, on the Tenants tab click on the row with the container you want to view, as shown in the following screen.

Figure 5-2 Tenants Tab—Container Selected

 

You see the Tenants Summary screen.

Figure 5-3 Tenants Summary Screen

 

The Tenants Summary screen displays a list of the WAN Gateway services configured in the container (only MPLS VPN in current release) and a list of all the perimeter network services configured in the container (firewall, tiers, DMZ, etc.).

Specific information above the WAN Gateway and Perimeter tables includes:

  • Container Name:—Displays the container name.
  • Container Type:—Displays the container type name.
  • Hosting Cloud:—Displays the Hosting Cloud name.
  • Status:—Displays the container status. The icons indicate (icons are only meaningful on initial configuration as status is not routinely monitored):

Green—Container is Active.

Red—Container is Inactive.

Yellow—Container state is Creating.

  • Created On:—Displays the date and time when the container was created.
  • Modified On:—Displays the date and time when the container was last modified.
  • WAN Gateways—Displays the total count of WAN gateways. For example, if MPLS VPN and Site-to-Site were part of the container, the displayed text would be WAN Gateways (2). The icon indicates the status of the WAN Gateway(s): Green, Red, and Gray (icons are only meaningful on initial configuration as status is not routinely monitored).
  • Firewalls—Displays the total count of firewalls. For example, if one firewall was part of the container, the displayed text would be Firewalls (1). The icon indicates the status of the firewall(s): Green, Red, and Gray (icons are only meaningful on initial configuration as status is not routinely monitored).
  • Load Balancers—Displays the total count of Load Balancers. For example, if two tiers have an SLB, the displayed text would be Load Balancers (2). The Citrix NetScaler VPX resides in tier1 by design, but it can load balance any server in tier1, tier2, and tier3. The icon indicates the status of the load balancer(s): Green, Red, and Gray (icons are only meaningful on initial configuration as status is not routinely monitored).
  • Active Networks—Displays the total count of active networks configured on the container. For example, if there were five total networks, the displayed text would be Active Networks (5).

You can collapse and expand the table information using the triangles, as shown in the following sample screens for the MPLS VPN WAN Gateway, Perimeter Firewall, and Perimeter Tier 1.

Figure 5-4 Summary Tab—WAN Gateway MPLS VPN Details

 

Using MPLS VPN as an example, the information in the WAN Gateway table includes:

  • MPLSVPN and name—Gateway type, name of the gateway, and an icon to indicate the status of the VPN (icons are only meaningful on initial configuration as status is not routinely monitored).
  • Import RT—Displays the RT based on your network design.
  • Export RT—Displays the RT based on your network design.
  • Route Descriptor—Displays the descriptor based on your network design.
  • VRF—Generated by Cisco CNAP based on the abbreviation of the container ID.
  • Primary IP—External PE IP Address in dotted format.
  • Secondary IP—External PE IP Address in dotted format.
  • Mask—External PE Mask in dotted format
  • Created On:—Displays the date and time when the WAN Gateway was created.
  • Modified On:—Displays the date and time when the WAN Gateway was last modified.

Information in the Perimeter table is based on the currently selected Cloud Service and includes information about firewalls and tiers (in the current release, public for backups and recovery for DMZ are not used).

Figure 5-5 Summary Tab—Perimeter Firewall Details

 

Using Zone Based Firewall as an example, the information in the Perimeter table includes:

  • Zone Based Firewall and name—Firewall type, name of the firewall, and an icon to indicate the status of the firewall (icons are only meaningful on initial configuration as status is not routinely monitored).
  • Primary IP—External PE IP Address
  • Primary Mask—External PE Mask
  • Secondary IP—External PE IP Address
  • Secondary Mask—External PE Mask
  • Created On:—Displays the date and time when the firewall was created in the form.
  • Modified On:—Displays the date and time when the firewall was last modified.

Figure 5-6 Summary Tab—Perimeter Tier Details

 

Information in the Perimeter table for each Tier includes:

  • Seg 1—IP Address of the tier segment.
  • Created On:—Displays the date and time when the Tier 1 was created in the form mm-dd-yyyy hh:mm:ss.
  • Modified On:—Displays the date and time when the tier was last modified in the form mm-dd-yyyy hh:mm:ss.

Deleting a Container

Note When you delete a container, all information about the container is deleted from the Cisco CNAP database and none of the deleted information can be recovered.

Step 1 To delete a container, on the Tenants tab click on the row with the container you want to delete, as shown in the following screen.

Figure 5-7 Tenants Tab—Container Selected

 

You see the Tenants Summary screen.

Figure 5-8 Tenants Summary Screen

 

Step 2 You can use the Containers: pull-down menu to select a different container to delete. To delete the selected container, at the bottom of the screen click Remove.

You see a screen asking you to confirm the deletion, as shown in the following screen.

Figure 5-9 Confirm Container Deletion

 

Step 3 Click Yes to delete the container or No to cancel the deletion.

 

Setting Up and Managing WAN Gateways

Tenants can access their cloud networks via a WAN. This section describes the provisioning of WAN Gateways for tenant containers, which in this release includes two options:

  • Automated provisioning of MPLS L3VPN-based access for the tenant, including provisioning of the Data Center WAN Edge/PE.
  • No automated provisioning of the Data Center PE. A VLAN-based hand-off from the Data Center PE to the Data Center Fabric/network is provisioned for each tenant.

On the gateway tab screen, you can:

  • Look at information about a gateway.
  • Add a gateway.

You should not configure a WAN Gateway until a tenant has created a container and the container is active. Check that the container is created and shown as active before provisioning the WAN Gateway.

  • Modify a gateway.
  • Remove a gateway.

Step 1 To display gateway information about a specific container, on the Tenants tab click on the row with the container you want to view, as shown in the following screen.

Figure 5-10 Tenants Tab—Container Selected Screen

 

You see the Tenants Summary screen.

Figure 5-11 Tenants Summary Screen

 

Step 2 Click the Gateway tab.

You see the Tenant Gateway screen. The screen below shows an example for MPLS.

Figure 5-12 Tenant Gateway Screen—MPLS

 

The screen displays the following information:

  • Container Name:—Displays the container name.
  • Container Type:—Displays the container type name, which in the current release is limited to Zinc.
  • Hosting Cloud:—Displays the Hosting Cloud name.
  • Status:—Displays the WAN Gateway status. The icons indicate (icons are only meaningful on initial configuration as status is not routinely monitored):

Green—WAN Gateway is Active.

Red—WAN Gateway is Inactive.

Yellow—WAN Gateway state is Creating.

  • Name:—Displays the name in the form <abbreviation>-mpls-vpn.
  • Gateway Type:—MPLS VPN
  • Description:—Descriptive name.

The MPLS VPN Backbone and PE fields are described in the next section on Setting Up a WAN Gateway.

 

Understanding the Difference Between Auto-provisioning and Manually Provisioning WAN Gateways

During container creation, you can specify whether you want to auto-provision WAN Edge/PE. If you select Autoprovision WAN Edge/PE, then during WAN setup you enter MPLS VPN information, such as route targets and route descriptor, and Cisco CNAP automatically selects a VLAN from the infrastructure pool and uses cloud settings that you defined for the Cisco APIC vPC information to set up the WAN Gateways in the plan.

If your network does not include PE equipment (e.g., Cisco ASRs), you can manually provision the WAN gateways in a plan. During container creation, do not select Autoprovision WAN Edge/PE. Then during set up of WAN Gateways, you can specify the VLAN that will be used on the vPC to connect to private network service, as well as the external PE A and PE B IP addresses.

Caution You can manually provision WAN gateways even if your network includes PE equipment. You can also use both auto-provisioning and manual provisioning, however you must be extremely careful not to introduce potential configuration conflicts.

All gateways set up in the plan will be provisioned in the same way, either automatically or manually.

Note If you are manually provisioning WAN Edge/PE for Shared Services, you must add a SharedService firewall subnet. For more information, see Configuring Network Pools in Chapter3, “Building the Pool of Available Cloud Resources”

Setting Up a WAN Gateway

Note You cannot configure a WAN Gateway until a tenant has created a container and the container is active.

To set up a WAN Gateway, you specify WAN Gateway settings as appropriate for the VPN access methods you select:

  • MPLS VPN
  • Site-to-Site VPN—Not available in the current release.
  • Remote Access VPN—Not available in the current release.

The information you enter is different depending on whether during container creation you specified you wanted Cisco CNAP to Autoprovision WAN Edge/PE.

To set up a WAN Gateway for a container:

Step 1 On the Tenants tab click on the row with the container for which you want to set up a WAN Gateway, as shown in the following screen.

Figure 5-13 Tenants Tab—Container Selected Screen

 

You see the Tenants Summary screen.

Figure 5-14 Tenants Summary Screen

 

Step 2 Click the Gateway tab.

The specific Tenant Gateway screen you see and the fields you complete depend on whether or not during container creation you specified Autoprovision WAN Edge/PE.

The screens below show examples for MPLS.

Setting up an Auto-provisioned WAN Edge/PE

Figure 5-15 Tenant Gateway Screen—Auto-provision Provider Edge

 

a. Complete the modifiable fields to set up the gateway.

Note Modifiable fields when auto-provisioning WAN Edge/PE are Import Route Target, Export Route Target, and Route Descriptor, which are noted in bold below.

  • VPN:

Provider Edge Bundle—The bundled interface on the ASR, the same as in the Global settings for clouds, MPLS Network, Primary PE ACI L2 Attachment.

VLAN ID—The VLAN ID that Cisco CNAP allocates.

Note The values for Route Targets and Route Descriptor must be verified and accurately entered to prevent any security violation of a tenant network. You must ensure that tenant cloud networks (containers) are only mapped to their specific VPN by using the correct values for the Route Targets and Route Descriptor of that specific tenant L3VPN.

Import Route Target —Enter the proper RT based on the network design.

Export Route Target —Enter the proper RT based on the network design.

Route Descriptor —Enter the proper descriptor based on the network design.

  • PE:

VRF—Generated by Cisco CNAP based on the abbreviation of the container ID.

Primary IP—External PE IP Address in dotted format.

Secondary IP—External PE IP Address in dotted format.

Mask—External PE Mask in dotted format

b. When you are finished, click the Add button.

Setting up a Manually Provisioned WAN Edge/PE

Figure 5-16 Tenant Gateway Screen—Manual Provision Provider Edge

 

a. Complete the modifiable fields to add the gateway:

Note Modifiable fields when manually-provisioning WAN Edge/PE are VLAN ID, Primary IP, Secondary IP, and Mask, which are noted in bold below.

  • VPN:

Provider Edge Bundle—The bundled interface on the ASR, the same as in the Global settings for clouds, MPLS Network, Primary PE ACI L2 Attachment.

VLAN ID —Enter the VLAN ID.

Note The following fields are not displayed when manually provisioning WAN Edge/PE. The SP administrator should consult with the Microsoft WAP PE administrator to provision the tenant network into the correct L3VPN or other private network for the tenant and agree on the VLAN used for the hand-off of tenant traffic to the cloud data center.

Import Route Target—RT based on the network design.

Export Route Target—RT based on the network design.

Route Descriptor—Descriptor based on the network design.

  • PE:

VRF—Generated by Cisco CNAP based on the abbreviation of the container ID.

Primary IP —Enter the external PE IP Address in dotted format.

Secondary IP —Enter the external PE IP Address in dotted format.

Mask —Enter the external PE Mask in dotted format.

Note Based on the PE IP address and subnet mask you specify, Cisco CNAP automatically provisions the Cisco CSR 1000V interface IP and HSRP address.

b. When you are finished, click the Add button.

 

Changing a WAN Gateway

Step 1 On the Tenants tab, click on the row with the container whose WAN Gateway you want to change, then on the Gateway tab, click Change.

Once a container is created, the only WAN Gateway fields you can change are the Import Route Target and Export Route Target, as shown in the following screen.

Note If you manually provisioned the WAN gateways, you cannot change any of the fields.

Figure 5-17 Tenant Gateway Screen—Change WAN Gateway Settings

 

Step 2 When you are finished, click Change.

 

Removing a Gateway

On the Tenants tab, click on the row with the container whose WAN Gateway you want to remove, then on the Gateway tab, click Remove.

Configuring and Managing Firewalls

On the Firewall tab, you can:

  • View summary information about a firewall
  • View the hierarchy of information on the Firewall tab
  • Configure a firewall
  • Change the policy map for a service policy
  • Add a new class map
  • Change a class map
  • Create a new network Access Control List (ACL)
  • Change an Access List
  • Create a new object group
  • Change an object group

Understanding Firewall Creation

A firewall is created by default the moment you create a WAN Gateway in the Zinc container and a default policy is applied that allows inside to outside traffic, but restricts outside to inside traffic. The SP administrator can view and manage tenant firewalls, depending on the agreement with the tenant (e.g., you might do it as a managed service or while troubleshooting a customer reported problem). Each Tier is considered a zone, as is the Layer 3 VPN as well as any other external access such as Site-to-Site VPN, Internet access, etc. The Firewall tab will not display any information until the WAN Gateway has been provisioned, since there is no point in showing how traffic is going to be regulated if the tenant cannot access the container from the “outside”.

For detailed information on the base firewall configuration, see: Cisco Cloud Architecture for the Microsoft Cloud Platform: Zinc Container Configuration Guide, Release 1.0
 http://www.cisco.com/c/en/us/td/docs/solutions/Service_Provider/CCAMCP/1-0/IaaS_Zinc_Config/CCAMCP1_IaaS_Zinc_Config.html

Viewing Summary Information about a Firewall

Step 1 To display firewall information about a specific container, on the Tenants tab click on the row with the container you want to view, as shown in the following screen.

Figure 5-18 Tenants Tab Screen—Container Selected

 

You see the Tenants Summary screen.

Figure 5-19 Tenants Summary Screen

 

Step 2 Click the Firewall tab.

You see the Tenant Firewall screen.

Figure 5-20 Tenant Firewall Screen

 

The screen displays the following information:

  • Tenant:—Displays the tenant name.
  • Container Type:—Displays the container type instance name.
  • Hosting Cloud:—Displays the Hosting Cloud name.
  • Modified:—Displays the date and time when the firewall was last modified in the form mm-dd-yyyy hh:mm:ss.
  • Status:—Displays the firewall status. The icons indicate (icons are only meaningful on initial configuration as status is not routinely monitored):

Green—Firewall is Active.

Red— Firewall is Inactive.

Yellow—Firewall state is Creating.

  • Name:—Displays the name in the form < abbreviation >-fw.
  • Created:—Displays the date and time when the firewall was created in the form mm-dd-yyyy hh:mm:ss.
  • Zone Pair—Source Zone and Destination Zone are the zones between which the firewall is configured.

Note In rare instances, the retrieval of Zone Pairs may take longer than approximately 20 seconds, in which case you will see an error message. Dismiss the error message and refresh the screen.

 

Viewing the Hierarchy of Information on the Firewall Tab

You use the Firewall Tab to view the various layers of information about firewalls, including:

  • Service Policy with its associated Policy Map for a particular Source Zone and Destination Zone

Note To change the Policy Map associated with a Source and Destination Zone pair, you have to define a new Policy Map, which replaces the existing one.

  • Class Maps in a Policy Map
  • Access Lists within a Class Map
  • Rules in an Access List
  • Object Groups of a Rule

Note You can view the list of all Object Groups, but you cannot view or edit the details of any specific Object Group.

To display the various layers of information about a firewall:

Step 1 On the Firewall tab screen, use the Source Zone: and Destination Zone: pull-down menus to select the relevant zones, as shown in the following screens.

Figure 5-21 Firewall Source Zone Pull-down Menu Screen

 

Figure 5-22 Firewall Destination Zone Pull-down Menu Screen

 

After you select the Source and Destination Zones, the screen populates with a variety of information, as shown in the following screen.

Figure 5-23 Firewall Zones Selected Screen—Detailed Firewall Information Displayed

 

The various operations you can perform on this screen are described in the following section, Configuring a Firewall.

Step 2 If you click an element on the screen to bring it into focus, it changes to blue. For the element in focus:

  • The Remove button de-couples the entity in focus, for example the Class Map Instance tier1-web, from the parent entity marked, for example the Policy Map l3vpn-to-tier1 for the Service Policy.

The Remove button may be used to remove a:

Class Map Instance from a Policy Map

Access List from a Class Map

Rule from an Access List

Note In the current release, Cisco CNAP allows and requires you to associate only one Policy Map with any given zone pair. Consequently, the Remove button is deactivated when you drill down to the Policy Map, but not further.

  • The Modify button displays the change screen for the element currently in focus.

 

Configuring a Firewall

Note You can only configure a firewall after a tenant has created a container and the Admin has created a WAN Gateway. The firewall is automatically created with a base configuration during container creation. When the WAN gateway is created, another firewall zone is created for the WAN edge. For more information, see Understanding Firewall Creation.

Firewalls are configurable on a per-Tier basis. You configure one firewall per container (not per tier) and you specify policy rules between zones. Firewall policies are specified between each of the workload Tiers and outside interfaces and in each direction independently. That is, a policy needs to be specified for L3VPN to Tier 1 and Tier 1 to L3VPN, and so on for each tier.

To configure a firewall for a container:

Step 1 On the Tenants tab, click the row with the container for which you want to configure a firewall, as shown in the following screen.

Figure 5-24 Tenants Tab Screen—Container Selected

 

You see the Tenants Summary screen.

Figure 5-25 Tenants Summary Screen

 

Step 2 Click the Firewall tab.

You see the Tenant Firewall screen.

Figure 5-26 Tenant Firewall Screen

 

Step 3 Use the Source Zone: and Destination Zone: pull-down menus to select the relevant zones. After you select the zones, the screen populates with a variety of information, as shown in the following screen.

Figure 5-27 Firewall Zones Selected Screen—Detailed Firewall Information Displayed

 

Step 4 To add a Policy Map, click the Policy Map under Service Policy, then click the Add button. You see the following screen.

Figure 5-28 Add Policy Map for Service Policy Screen

 

Step 5 Enter a name.

As you begin entering a name, the screen expands to display the following screen where you can associate class maps with the new Policy Map.

Figure 5-29 New Policy Map—Class Maps Screen

 

Step 6 Associate class maps with the new Policy Map:

  • Name—Enter a descriptive name for the Policy Map.
  • On Device—Lists all the Class Maps available on the device.
  • Class Map Instances—Lists the class maps associated with this Policy Map.
  • Select>> button—Click to select one or more Class Maps available “On Device”'. Clicking Select associates them to the current Policy Map.
  • <<Unselect button—Click to select one or more Class Map Instances associated with the current Service Policy. Clicking Unselect disassociates them from the current Policy Map.
  • +New button—Click the + New button to create a new Class Map.
  • Ordering the Class Maps—The Class Map Instances get added to the top of the list. You can reorder them by clicking <<Unselect and Select>> on the Class Maps in the desired order.

Note The class-default shown in the following screen cannot be de-coupled from the policy.

Figure 5-30 Class Map Instance class-default Screen

 

Step 7 When you are finished, click Save.

 

Changing a Policy Map for a Service Policy

Step 1 Click a Policy Map to select it (mark it blue).

Step 2 Click the Modify button to display the Policy Map pop-up.

Figure 5-31 Policy Map Pop-up Screen

 

This is the same as the Create Service Policy page, but with the name field deactivated. You can click:

  • Select>> to select Class Maps available on the device.
  • <<Unselect to unselect Class Map Instances associated with the Policy Map.
  • +New to create a new Class Map.

 

Adding a New Class Map

Step 1 Click + New in the Class Map Instance section on the Policy Map screen shown below.

Figure 5-32 Class Map Instance Screen—Click +New

 

You see the following screen.

Figure 5-33 New Class Map Instance Screen

 

Step 2 In the Name field, enter a descriptive name for your new Class Map.

This expands the screen to display the following screen.

Figure 5-34 New Class Map Instance Details Screen

 

The fields on this screen are:

  • match-all/match-any—This pull-down menu identifies the criteria used to match access groups in the map.
  • On Device—Lists all the ACLs available for use on the device.
  • ACL Instances—Lists the ACLs associated with this Class Map.
  • Select>>, + New, and <<Unselect —These buttons work the same as on the Service Policy screen.

Step 3 When you are finished associating ACLs to this Class Map, click Update to return to the Service Policy screen.

 

Changing a Class Map

Step 1 Select the desired Class Map on the Firewall tab.

Step 2 Click Modify.

You see the following screen.

Figure 5-35 Class Map Instance Screen

 

This screen is identical to the Create Class Map pop up, but with the Name field deactivated.

Step 3 You can:

  • Select>> ACLs from the list of ACLs available on the device.
  • <<Unselect ACLs associated with the Class Map.
  • Create a + New ACL on the device and have it associated with the Class Map.

 

Creating a New Network Access Control List

Step 1 Click New on the Class Map Instance screen shown above, which displays the Access Group screen shown below.

Figure 5-36 Access Groups Screen

 

Step 2 When you enter a name for the Access List, the screen expands to display the Rules section. Since this is a new ACL, the screen expands in the Add Rule mode as shown below.

Figure 5-37 Access Groups Details Screen

 

Step 3 The fields you can complete include:

  • Action—Indicates weather traffic is permitted or denied by the rule.
  • Target—A valid protocol or object group.
  • Source—Network entity identified as the traffic source.
  • Destination—Network entity identified as the traffic destination.

Step 4 If you select Object-Group in the drop-down menu for Target, the Source or Destination menus allow you to choose from object groups existing on the device or create new ones, as shown in the following screen.

Figure 5-38 Access Groups Screen—Object Group Selected

 

Step 5 Click the +Add Rule button to add the current rule being built to the ACL.

Figure 5-39 Rule Added to ACL Screen

 

Step 6 Click +New Rule to add more rules.

Step 7 Click the Update button to exit the Add Rule mode and show the list of all rules in the ACL.

 

Changing an Access List

Step 1 Select the desired Access List on the Firewall tab.

Step 2 Click Modify to display the Access List pop-up screen, as shown below.

Figure 5-40 Access List Pop-up Screen

 

Step 3 You can add and remove rules as explained in Creating a New Network Access Control List.

Step 4 If you make any changes to the list of Rules, the Save button is activated and you can click it to save the changes.

 

Creating a New Object Group

Step 1 Select the desired Access List on the Firewall tab.

Step 2 Click Modify to display the Access List pop-up screen, as shown in the following screen.

Figure 5-41 Access List Pop-up Screen

 

Step 3 Click the +New Rule button.

On the Access Groups screen, the Target, Source, and Destination drop-down menus have an object-group option which when selected displays the Object Group: fields with drop-down menus with a list of compatible object groups and + buttons that launch a page where you can create a new compatible Object Group.

  • The Object Group drop-down menu for Target would only show Service type Object Groups (groups of objects having the Target, filter, and port fields or having the Target and Range fields).
  • The Object Group drop down for Source and Destination would only show Network type Object Groups (groups of objects having a Host field or having the Subnet and mask fields).
  • The + buttons are contextual. Clicking the + button for the Target of the ACL Rule launches a page to create an Object Group with Service type objects.
  • Clicking the + button for the Source or Destination of the ACL Rule launches a page to create an Object Group with Network type objects.

Step 4 Click the + button as shown in the following screen.

Figure 5-42 Access Groups Screen—Object Group Selected

 

You see the following screen.

Figure 5-43 Object Group Screen

 

Step 5 When you enter a name, you see the Add Object screen, as shown below.

Figure 5-44 Add Object Screen

 

Step 6 When you click a field, you see information about allowable values, as shown in the following screen.

Figure 5-45 Add Object Screen—Possible Field Values Displayed

 

Step 7 You can enter information for the following fields:

  • Target—A valid protocol {ahp, esp, gre, icmp, ip, tcp, udp, number [0,255]}.
  • Filter—eq (equals), gt (greater than), or lt (less than). The Filter indicates the criteria to match packets based on the port number. If “filter” is present, then “port” must be present.
  • Port—IP port [0,65535]
  • Range—<port-number1>-<port-number2>. Must be entered from low to high, e.g., 20-90. Match only packets in the range of the port numbers.

Note If “range” is present, the “filter” and “port” properties are ignored.

Step 8 You can create Network or Service type objects and click + to include the object in the group.

A Group must be homogeneous; i.e., it must contain objects of only one type (Network or Service)

Step 9 When you click +, you see the following screen.

Figure 5-46 Object Added to Group Screen

 

Step 10 Click the X under Remove to remove an object from the group.

Changing an Object Group

Step 1 On the screen shown below, select the object group you want to change, then click Modify.

Figure 5-47 Firewall Zones Selected Screen—Select Object Group

 

You see the following screen.

Figure 5-48 Modify Object Group Screen

 

Step 2 You can enter information for the following fields:

  • Target—A valid protocol {ahp, esp, gre, icmp, ip, tcp, udp, number [0,255]}.
  • Filter—eq (equals), gt (greater than), or lt (less than). The Filter indicates the criteria to match packets based on the port number. If “filter” is present, then “port” must be present.
  • Port—IP port [0,65535]
  • Range—<port-number1>-<port-number2>. Must be entered from low to high, e.g., 20-90. Match only packets in the range of the port numbers.

Note If “range” is present, the “filter” and “port” properties are ignored.

Step 3 You can create Network or Service type objects and click + to include the object in the group.

A Group must be homogeneous; i.e., it must contain objects of only one type (Network or Service)

Step 4 When you click +, the object is added to the group. Click the X under Remove to remove an object from the group. When you are done, click Save to save your changes or Close to exit without saving them.

 

Managing Load Balancers

On the load balancer tab screen, you can:

  • Look at information about a load balancer.
  • Enable set up of a load balancer by confirming the licensing of a Citrix NetScaler VPX.

Viewing Load Balancer Information about a Container

Load balancing services are performed on a per-tenant basis, so you can view information about a load balancer, such as the associated tenant, container type, hosting cloud, etc.

Step 1 To display load balancer information about a specific container, on the Tenants tab click on the row with the container you want to view, as shown in the following screen.

Figure 5-49 Tenants Tab Screen—Container Selected

 

You see the Tenants Summary screen.

Figure 5-50 Tenants Summary Screen

 

Step 2 Click the Load Balancer tab.

You see the Tenant Load Balancer screen.

Figure 5-51 Tenant Load Balancer Screen

 

Step 3 If you click a specific Load Balancer Virtual Server, you see the corresponding Server Farm, as shown in the following screen.

Figure 5-52 Tenant Load Balancer Screen—Server Farm

 

The screen displays the following information:

  • Tenant:—Displays the tenant name.
  • Container Type:—Displays the container type name.
  • Hosting Cloud:—Displays the Hosting Cloud name.
  • IP Address:—Displays the IP address of the load balancer.
  • Status:—Displays the load balancer status. The icons indicate (icons are only meaningful on initial configuration as status is not routinely monitored):

Green—Load balancer is Active.

Red— Load balancer is Inactive.

Yellow— Load balancer state is Creating.

  • Name:—Displays the name in the form lb n.
  • Description:—Descriptive name.
  • Service Type:—The type of service for which the load balancer is configured (HTTP, HTTPS, FTP).
  • Port:—The Port for which the load balancer is configured.
  • Device Information:—Information about the load balancer device.
  • Load Balancer Virtual Servers:—Lists all the VIPs configured on the VPX device.
  • Server Farm:—The list of servers which are configured and attached to the load balancer virtual server.

 

Setting Up a Server Load Balancer

Note In the current release, the only operation that can be performed in the Admin Portal related to setting up a server load balancer (SLB) is confirming that the Citrix NetScaler VPX is licensed. The remaining configuration is performed in the Tenant Portal. For more information on the Tenant Portal steps, see Cisco Cloud Network Automation Provisioner for the Microsoft Cloud Platform—Tenant Portal Guide, Release 1.1.

The steps required in the Tenant Portal and Admin Portal to set up a server load balancer are:

Step 1 On the Tenant Portal Load Balancers tab, the tenant should add a Citrix NetScaler VPX device.

The Citrix NetScaler VPX that was added will be in a “LicenseNeeded” state. The tenant will see the message: “Please contact your Cloud Administrator to license your NetScalers”.

Note The administrator must license the Citrix NetScaler VPX, which is not performed within the Cisco CNAP portals nor within the Microsoft WAP interface. You must license and reboot the Citrix NetScaler VPX before you confirm the licensing in Cisco CNAP or the Citrix NetScaler VPX will be deleted.

Step 2 On the Admin Portal, under the Tenants tab screen, Load Balancer tab, the administrator must confirm that the Citrix NetScaler VPX is licensed (this sets the base configuration on the Citrix NetScaler VPX and changes the database information for the device). Information on confirming the licensing of the Citrix NetScaler VPX is shown in the next section.

On the Tenant Portal Load Balancers tab, the Citrix NetScaler VPX will now be in an Active state.

On the Tenant Portal Load Balancers tab, the tenant can now:

  • Add a server
  • Change a load balancer
  • Change a server
  • Remove a load balancer
  • Remove a server
  • Remove a Citrix NetScaler VPX

For more information, see Cisco Cloud Network Automation Provisioner for the Microsoft Cloud Platform—Tenant Portal Guide, Release 1.1.

 

Confirming that a Citrix NetScaler VPX is Licensed

Step 1 On the Tenants tab, click on the row with the container for which you want to confirm the Citrix NetScaler VPX license, as shown in the following screen.

Figure 5-53 Tenants Tab Screen—Container Selected

 

You see the Tenants Summary screen.

Figure 5-54 Tenants Summary Screen

 

Step 2 Click the Load Balancer tab.

You see the Tenant Load Balancer screen.

Figure 5-55 Tenant Load Balancer Screen

 

Note You must license and reboot the Citrix NetScaler VPX before you confirm the licensing in Cisco CNAP or the Citrix NetScaler VPX will be deleted.

Step 3 The Citrix NetScaler VPX that requires license confirmation will be in a “LicenseNeeded” state. Click the device, then click License NetScaler(s).

Was this Document Helpful?

FeedbackFeedback

Contact Cisco