You can view and modify a variety of information about containers, including:
– Set up an Internet WAN gateway for Internet access
– Set up a Site-to-Site gateway
– View summary information about a firewall
– View the hierarchy of information on the Firewall tab
– Change the policy map for a service policy
– Create a new network Access Control List (ACL)
– Change an Access Control List
Step 1 To display summary information about a specific container instance, click Cisco Network.
You see the Tenant Summary Tab screen.
Figure 2-1 Tenant Summary Tab Screen
The Tenants Summary screen displays a list of all the WAN Gateway services configured in the container (MPLS VPN, Site-to-Site, Remote Access, and Internet) and a list of all the perimeter network services configured in the container (firewall, tiers, DMZ, etc.).
Specific information above the WAN Gateway and Perimeter tables includes:
– Yellow—Container state is Creating.
You can collapse and expand the table information using the triangles, as shown in the following sample screen for the MPLS VPN WAN Gateway and Perimeter Tier 1.
Figure 2-2 Summary Tab—WAN Gateway MPLS VPN Details
Using MPLS VPN as an example, the information in the WAN Gateway table includes:
Information in the Perimeter table is based on the currently selected Cloud Service and includes information about firewalls and tiers (in the current release, public for backups and recovery for DMZ are not used).
Figure 2-3 Summary Tab—Perimeter Firewall Details
Using Zone Based Firewall as an example, the information in the Perimeter table includes:
Figure 2-4 Summary Tab—Perimeter Tier Details
Note When you delete a container, all information about the container is deleted from the Cisco CNAP database and none of the deleted information can be recovered.
Step 1 To display summary information about a specific container instance, click Cisco Network.
You see the Tenant Summary Tab screen.
Figure 2-5 Tenant Summary Tab Screen
Step 2 You can use the Containers: pull-down menu to select a different container to delete. To delete the selected container, at the bottom of the screen click Remove.
You see a screen asking you to confirm the deletion, as shown in the following screen.
Figure 2-6 Confirm Container Deletion
Step 3 Click Yes to delete the container or No to cancel the deletion.
Step 1 To view gateway information for the currently selected container, click the Gateway tab.
You see the Tenant Gateway screen. The screen below shows an example for MPLS.
Figure 2-7 Tenant Gateway Tab Screen—MPLS
You can perform the following operation on the gateway screen:
The screen displays the following information:
– Green—WAN Gateway is Active.
– Red—WAN Gateway is Inactive.
– Yellow—WAN Gateway state is Creating.
– Aut. System Number—The PEaciL2InterfacePrimary field from the global settings (contact your cloud provider for more information about this field).
– Import Route Target—Configured RT for the WAN Gateway.
– Export Route Target—Configured RT for the WAN Gateway.
– Route Descriptor—Configured descriptor based on your cloud provider's network design.
– VRF—Generated by Cisco CNAP based on the abbreviation of the container ID.
– Primary IP—External PE IP Address in dotted format.
– Secondary IP—External PE IP Address in dotted format.
– Mask—External PE Mask in dotted format.
Step 2 If the WAN Gateway has not been activated, you see the following screen.
Figure 2-8 Gateway Tab—MPLS WAN Gateway Not Activated
Step 3 Contact your cloud provider to have the WAN Gateway activated.
If your cloud provider has enabled Internet WAN Gateway for the plan, you can:
To set up and manage an Internet WAN gateway:
Step 1 Click the Gateway tab, then under Gateways, click Internet. You see the following screen.
Figure 2-9 Internet WAN Gateway
Step 2 Click the check box next to Enabled, as shown in the following screen.
Figure 2-10 Internet WAN Gateway Tab—Enabled Box Checked
The interface information is automatically populated, but it is not applied until you click Save.
Step 3 Click the check box next to Allow workloads to Access Internet, as shown in the following screen.
Figure 2-11 Internet WAN Gateway Tab—Allow Workload Access Box Checked
Step 4 Click the Edit button to select the Tiers that will have access, as shown in the following screen.
Figure 2-12 Internet WAN Gateway Tab—Select Tiers for Access
Step 5 Click a Tier to highlight it, then click the Select>> button to move it to the Permit Access column. Repeat for each Tier that you want to have access. When you are finished, click the Save button. The Tiers with Internet access are shown on the Internet Gateway tab, as shown in the following screen.
Figure 2-13 Internet WAN Gateway Tab—Tiers with Access Displayed
Step 6 To change the Tiers that have access, click the Edit button. You see the following screen.
Figure 2-14 Internet WAN Gateway Tab—Edit Tiers with Access
Step 7 Click a Tier to highlight it, then click the Select>> button to move it to the Permit Access column. Repeat for each Tier that you want to have access. To remove Internet access for a Tier, select it in the Permit Access column and click <<Unselect. The following screen shows an additional Tier moved to the Permit Access column.
Figure 2-15 Internet WAN Gateway Tab—Add Access for Another Tier
Step 8 When you are finished, click the Save button. The Tiers with Internet access are shown on the Internet Gateway tab, as shown in the following screen.
Figure 2-16 Internet WAN Gateway Tab—Additional Tiers with Access Displayed
If you had allowed Internet access for all Tiers, they would all appear on the Internet Gateway tab, as shown in the following screen.
Figure 2-17 Internet WAN Gateway Tab—All Tiers with Access Displayed
Step 9 When you are finished modifying Tiers, click Save on the main Internet WAN Gateway tab.
Step 10 To disable Internet access for all Tiers, uncheck the check box next to Allow workloads to Access Internet, then click Save, as shown in the following screen.
Figure 2-18 Internet WAN Gateway Tab—Disable Access to All Tiers
Step 11 To disable the Internet WAN Gateway, uncheck the check box next to Enabled, as shown in the following screen.
Note If you disable the Internet WAN Gateway, then site-to-site access will not work.
Figure 2-19 Internet WAN Gateway Tab—Disable Internet WAN Gateway
When you click Save, you see the following confirmation screen.
Figure 2-20 Internet WAN Gateway Tab—Disable Internet Gateway Confirmation Screen
Step 12 To disable the Internet WAN Gateway, click Yes. You see the following screen with the Internet WAN Gateway disabled.
Figure 2-21 Internet WAN Gateway Tab—Internet WAN Gateway Removed
If your cloud provider has enabled Site-to-Site VPN for the plan, you can:
Step 1 Click the Gateway tab, then under Gateways, click Site-to-Site. You see the following screen.
Figure 2-22 Site-to-Site VPN Screen
Step 2 Complete the following fields:
– Encryption—Encryption used for the IKE proposal; used to ensure the secrecy of data during traffic flow: AES, DES, or Triple DES.
– Hash—Specifies the hash algorithm within an IKE policy; used to authenticate data during traffic flow: MD5, SHA, or SHA256.
– Keep Alive—Number of seconds without traffic from the peer after which keep-alive messages are sent, if there is data traffic to send.
– Retry—Number of seconds between keep-alive packet retries if the keep-alive message fails.
– Group—Specify which Diffie-Hellman Modulus Group to use.
– Method—Pre-Shared Key: Allow for a secret key to be shared between two peers for mutual authentication prior to tunnel activation.
– Shared Key—The shared secret for authentication. The shared key must be configured and equal at each peer or the IKE SA cannot be established.
– esp-des—ESP with the 56-bit Data Encryption Standard (DES) encryption algorithm (no longer recommended).
– esp-3des—ESP with the 168-bit DES encryption algorithm (3DES or Triple DES) (no longer recommended).
– esp-null—Null encryption algorithm.
– esp-aes—ESP with the 128-bit Advanced Encryption Standard (AES) encryption algorithm.
– esp-aes-192—ESP with the 192-bit Advanced Encryption Standard (AES) encryption algorithm.
– esp-aes-256—ESP with the 256-bit Advanced Encryption Standard (AES) encryption algorithm.
– esp-md5-hmac—ESP with the MD5 (HMAC variant) authentication algorithm (no longer recommended).
– esp-sha-hmac—ESP with the SHA (HMAC variant) authentication algorithm.
– ah-md5-hmac—AH with the MD5 (Message Digest 5) (an HMAC variant) authentication algorithm (no longer recommended).
– ah-sha-hmac—AH with the SHA (Secure Hash Algorithm) (an HMAC variant) authentication algorithm.
Step 3 When you are finished, click Add Tunnel.
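The following is an added example (not part of this guide and not the Cisco CNAP API) that lints a Site-to-Site tunnel request against the field values listed above, flagging the selections the page marks "no longer recommended" and the combinations that leave traffic unprotected. The request dict and its key names (encryption, hash, keep_alive, retry, group, method, shared_key, transforms) are assumptions chosen for illustration; flagging DES, Triple DES and MD5 at the IKE level extends the page's ESP/AH annotations to the IKE proposal.

```python
"""Lint a Site-to-Site VPN tunnel request against the field values this page
lists. Added example; the request dict and its key names are assumptions,
not the Cisco CNAP API."""

# IKE proposal choices as listed on the page.
IKE_ENCRYPTION = {"AES", "DES", "Triple DES"}
IKE_HASH = {"MD5", "SHA", "SHA256"}
# The algorithms the page marks "no longer recommended" at the ESP/AH level,
# applied here to the IKE proposal as well (an extension of the page's list).
DEPRECATED_IKE = {"DES", "Triple DES", "MD5"}
# Transform sets as listed on the page; True = "no longer recommended".
TRANSFORMS = {
    "esp-des": True, "esp-3des": True, "esp-null": False,
    "esp-aes": False, "esp-aes-192": False, "esp-aes-256": False,
    "esp-md5-hmac": True, "esp-sha-hmac": False,
    "ah-md5-hmac": True, "ah-sha-hmac": False,
}
CIPHERS = {"esp-des", "esp-3des", "esp-null", "esp-aes", "esp-aes-192", "esp-aes-256"}
AUTHS = {"esp-md5-hmac", "esp-sha-hmac", "ah-md5-hmac", "ah-sha-hmac"}


def lint_tunnel(req):
    """Return (severity, message) findings; an empty list means acceptable."""
    f = []
    enc, hsh = req.get("encryption"), req.get("hash")
    if enc not in IKE_ENCRYPTION:
        f.append(("error", f"unknown IKE encryption {enc!r}"))
    elif enc in DEPRECATED_IKE:
        f.append(("warn", f"IKE encryption {enc} is no longer recommended"))
    if hsh not in IKE_HASH:
        f.append(("error", f"unknown IKE hash {hsh!r}"))
    elif hsh in DEPRECATED_IKE:
        f.append(("warn", f"IKE hash {hsh} is no longer recommended"))
    for key in ("keep_alive", "retry"):  # both fields are counts of seconds
        if not isinstance(req.get(key), int) or req[key] <= 0:
            f.append(("error", f"{key} must be a positive number of seconds"))
    if req.get("group") is None:
        f.append(("error", "Diffie-Hellman group not selected"))
    # Pre-Shared Key: the IKE SA cannot be established unless both peers hold the key.
    if req.get("method") == "Pre-Shared Key" and not req.get("shared_key"):
        f.append(("error", "shared key missing; IKE SA cannot be established"))
    chosen = set(req.get("transforms", []))
    for t in sorted(chosen):
        if t not in TRANSFORMS:
            f.append(("error", f"unknown transform {t}"))
        elif TRANSFORMS[t]:
            f.append(("warn", f"{t} is no longer recommended"))
    if not chosen & CIPHERS:
        f.append(("warn", "no ESP cipher selected; traffic is authenticated only"))
    elif chosen & CIPHERS == {"esp-null"}:
        f.append(("warn", "esp-null gives no confidentiality"))
    if not chosen & AUTHS:
        f.append(("warn", "no HMAC transform selected; traffic is not integrity-protected"))
    return f


# Constructed sample requests (not real tunnel configurations).
SAMPLE_GOOD = {"encryption": "AES", "hash": "SHA256", "keep_alive": 10, "retry": 3,
               "group": 14, "method": "Pre-Shared Key", "shared_key": "example-psk",
               "transforms": ["esp-aes-256", "esp-sha-hmac"]}
SAMPLE_LEGACY = {"encryption": "Triple DES", "hash": "MD5", "keep_alive": 10, "retry": 3,
                 "group": 2, "method": "Pre-Shared Key", "shared_key": "",
                 "transforms": ["esp-3des", "esp-md5-hmac"]}

if __name__ == "__main__":
    for sev, msg in lint_tunnel(SAMPLE_LEGACY):
        print(f"{sev}: {msg}")
```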
To remove an MPLS WAN Gateway, on the MPLS WAN Gateway tab, click Remove.
A firewall is created by default the moment your cloud provider creates a WAN Gateway. Cisco CNAP will automatically set up a perimeter around each of the zones in your container. Each Tier is considered a zone, as is the Layer 3 VPN as well as any other external access such as Site-to-Site VPN, Internet access, etc. The Firewall tab will not display any information until the WAN Gateway has been provisioned, since there is no point in showing how traffic is going to be regulated if you cannot access the container from the “outside”.
For detailed information on the base firewall configuration, see: Cisco Cloud Architecture for the Microsoft Cloud Platform: Zinc Container Configuration Guide, Release 1.0
http://www.cisco.com/c/en/us/td/docs/solutions/Service_Provider/CCAMCP/1-0/IaaS_Zinc_Config/CCAMCP1_IaaS_Zinc_Config.html
Step 1 To view firewall information, click the Firewall tab.
The screen displays the following information:
– Yellow—Firewall state is Creating.
You use the Firewall Tab to view the various layers of information about firewalls, including:
Note To change the Policy Map associated with a Source and Destination Zone pair, you have to define a new Policy Map, which replaces the existing one.
To display the various tiers of information about a firewall:
Step 1 Use the Source Zone: and Destination Zone: pull-down menus to select the relevant zones, as shown in the following screens.
Figure 2-24 Firewall Source Zone Pull-down Menu
Figure 2-25 Firewall Destination Zone Pull-down Menu
After you select the Source and Destination Zones, the screen populates with a variety of information, as shown in the following screen.
Figure 2-26 Firewall Zones Selected Screen—Detailed Firewall Information Displayed
The various operations you can perform on this screen are described in the following section, Configuring a Firewall.
Step 2 If you click an element on the screen to bring it into focus, it changes to blue. For the element in focus:
The Remove button may be used to remove a:
– Class Map Instance from a Policy Map
– Access List from a Class Map
Note In the current release, Cisco CNAP allows and requires you to associate only one Policy Map with any given zone pair. Consequently, the Remove button is deactivated when you drill down to the Policy Map, but not further.
Note You can only configure a firewall after you have created a container and your cloud provider has created a WAN Gateway. The firewall is automatically created with a base configuration either during container creation if the container has multiple tiers or when the WAN gateway is created. For more information, see the section Understanding Firewall Creation.
Firewall policy is configurable on a per-Tier basis: you configure one firewall per container (not one per tier) and specify policy rules between zones. Firewall policies are specified between each of the workload Tiers and the outside interfaces, and in each direction independently. That is, a policy needs to be specified for L3VPN to Tier 1 and for Tier 1 to L3VPN, and so on for each tier.
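The following is an added example (not part of this guide and not how Cisco CNAP stores firewall policy) that audits a container's zone pairs for the coverage described above: every Tier paired with every outside zone in both directions, exactly one Policy Map per zone pair, and class-default still present in each Policy Map. The `policies` dict shape and the sample names are assumptions constructed for illustration.

```python
"""Audit zone-pair policy coverage for a container's zone-based firewall.
Added example; the `policies` dict shape is an assumption."""

from itertools import product

# Outside zones named on the page; a container may use only some of them.
OUTSIDE_ZONES = ("L3VPN", "Internet", "Site-to-Site")


def required_zone_pairs(tiers, outside=OUTSIDE_ZONES):
    """Directed (source, destination) pairs that each need their own policy map."""
    pairs = []
    for tier, out in product(tiers, outside):
        pairs.append((out, tier))  # e.g. L3VPN -> Tier 1
        pairs.append((tier, out))  # e.g. Tier 1 -> L3VPN
    return pairs


def audit_firewall(tiers, policies, outside=OUTSIDE_ZONES):
    """policies: {(src, dst): [policy_map, ...]} with
    policy_map = {"name": str, "class_maps": [str, ...]}.
    Returns (kind, zone_pair, detail) findings; an empty list means full coverage."""
    findings = []
    required = required_zone_pairs(tiers, outside)
    for pair in required:
        maps = policies.get(pair, [])
        if not maps:
            findings.append(("missing-policy", pair, None))
        elif len(maps) > 1:  # the page allows only one policy map per zone pair
            findings.append(("multiple-policy-maps", pair, [m["name"] for m in maps]))
        elif "class-default" not in maps[0]["class_maps"]:
            findings.append(("no-class-default", pair, maps[0]["name"]))
    for pair in policies:  # policy attached to a zone pair the container does not have
        if pair not in required:
            findings.append(("unknown-zone-pair", pair, None))
    return findings


def coverage(tiers, policies, outside=OUTSIDE_ZONES):
    """Fraction of required zone pairs that carry exactly one policy map."""
    required = required_zone_pairs(tiers, outside)
    ok = sum(1 for p in required if len(policies.get(p, [])) == 1)
    return ok / len(required) if required else 1.0


# Constructed sample: two tiers, L3VPN and Internet in use, with one gap, one
# duplicated policy map, one policy map missing class-default and one stale pair.
SAMPLE_TIERS = ["Tier 1", "Tier 2"]
SAMPLE_OUTSIDE = ("L3VPN", "Internet")
SAMPLE_POLICIES = {
    ("L3VPN", "Tier 1"): [{"name": "pm-vpn-t1", "class_maps": ["cm-web", "class-default"]}],
    ("Tier 1", "L3VPN"): [{"name": "pm-t1-vpn", "class_maps": ["class-default"]}],
    ("Internet", "Tier 1"): [{"name": "pm-inet-t1", "class_maps": ["cm-https", "class-default"]}],
    ("Tier 1", "Internet"): [{"name": "pm-t1-inet", "class_maps": ["cm-https"]}],
    ("L3VPN", "Tier 2"): [{"name": "pm-a", "class_maps": ["class-default"]},
                          {"name": "pm-b", "class_maps": ["class-default"]}],
    ("Tier 2", "L3VPN"): [{"name": "pm-t2-vpn", "class_maps": ["class-default"]}],
    ("Internet", "Tier 2"): [{"name": "pm-inet-t2", "class_maps": ["class-default"]}],
    ("Tier 3", "L3VPN"): [{"name": "pm-stale", "class_maps": ["class-default"]}],
}

if __name__ == "__main__":
    for finding in audit_firewall(SAMPLE_TIERS, SAMPLE_POLICIES, SAMPLE_OUTSIDE):
        print(finding)
```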
To configure a firewall for a container:
Step 1 Use the Source Zone: and Destination Zone: pull-down menus to select the relevant zones. After you select the zones, the screen populates with a variety of information, as shown in the following screen.
Figure 2-27 Firewall Zones Selected Screen—Detailed Firewall Information Displayed
Step 2 To add a Policy Map, click the Policy Map under Service Policy, then click the Add button. You see the following screen.
Figure 2-28 Add Policy Map for Service Policy Screen
As you begin entering a name, the screen expands to display the following screen where you can associate class maps with the new Policy Map.
Figure 2-29 New Policy Map—Class Maps Screen
Step 4 Associate class maps with the new Policy Map:
Note The class-default shown in the following screen cannot be de-coupled from the policy.
Figure 2-30 Class Map Instance class-default Screen
Step 5 When you are finished, click Save.
Step 1 Click a Policy Map to select it (mark it blue).
Step 2 Click the Modify button to display the Policy Map pop-up.
Figure 2-31 Policy Map Pop-up Screen
This is the same as the Create Service Policy page, but with the name field deactivated. You can click:
Step 1 Click + New in the Class Map Instance section on the Policy Map screen shown below.
Figure 2-32 Class Map Instance Screen—Click +New
Figure 2-33 New Class Map Instance Screen
Step 2 In the Name field, enter a descriptive name for your new Class Map.
This expands the screen to display the following screen.
Figure 2-34 New Class Map Instance Details Screen
The fields on this screen are:
Step 3 When you are finished associating ACLs to this Class Map, click Update to return to the Service Policy screen.
Step 1 Select the desired Class Map on the Firewall tab.
Figure 2-35 Class Map Instance Screen
This screen is identical to the Create Class Map pop up, but with the Name field deactivated.
Step 1 Click New on the Class Map Instance screen shown above, which displays the Access Group screen shown below.
Figure 2-36 Access Groups Screen
Step 2 When you enter a name for the Access List, the screen expands to display the Rules section. Since this is a new ACL, the screen expands in the Add Rule mode as shown below.
Figure 2-37 Access Groups Details Screen
Step 3 The fields you can complete include:
Step 4 If you select Object-Group in the drop-down menu for Target, the Source or Destination menus allow you to choose from object groups existing on the device or create new ones, as shown in the following screen.
Figure 2-38 Access Groups Screen—Object Group Selected
Step 5 Click the +Add Rule button to add the current rule being built to the ACL.
Figure 2-39 Rule Added to ACL Screen
Step 6 Click +New Rule to add more rules.
Step 7 Click the Update button to exit the Add Rule mode and show the list of all rules in the ACL.
Step 1 Select the desired Access List on the Firewall tab.
Step 2 Click Modify to display the Access List pop-up screen, as shown below.
Figure 2-40 Access List Pop-up Screen
Step 3 You can add and remove rules as explained in Creating a New Network Access Control List.
Step 4 If you make any changes to the list of Rules, the Save button is activated and you can click it to save the changes.
Step 1 Select the desired Access List on the Firewall tab.
Step 2 Click Modify to display the Access List pop-up screen, as shown in the following screen.
Figure 2-41 Access List Pop-up Screen
Step 3 Click the +New Rule button.
On the Access Groups screen, the Target, Source, and Destination drop-down menus each have an object-group option. When it is selected, the Object Group: fields appear, each with a drop-down menu listing the compatible object groups and a + button that launches a page where you can create a new compatible Object Group.
Step 4 Click the + button as shown in the following screen.
Figure 2-42 Access Groups Screen—Object Group Selected
Figure 2-43 Object Group Screen
Step 5 When you enter a name, you see the Add Object screen, as shown below.
Step 6 When you click a field, you see information about allowable values, as shown in the following screen.
Figure 2-45 Add Object Screen—Possible Field Values Displayed
Step 7 You can enter information for the following fields:
Note If “range” is present, the “filter” and “port” properties are ignored.
Step 8 You can create Network or Service type objects and click + to include the object in the group.
A Group must be homogeneous; i.e., it must contain objects of only one type (Network or Service).
Step 9 When you click +, you see the following screen.
Figure 2-46 Object Added to Group Screen
Step 10 Click the X under Remove to remove an object from the group.
Step 1 On the screen shown below, select the object group you want to change, then click Modify.
Figure 2-47 Firewall Zones Selected Screen—Select Object Group
Figure 2-48 Modify Object Group Screen
Step 2 You can enter information for the following fields:
Note If “range” is present, the “filter” and “port” properties are ignored.
Step 3 You can create Network or Service type objects and click + to include the object in the group.
A Group must be homogeneous; i.e., it must contain objects of only one type (Network or Service).
Step 4 When you click +, the object is added to the group. Click the X under Remove to remove an object from the group. When you are done, click Save to save your changes or Close to exit without saving them.
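The following is an added example (not part of this guide and not Cisco CNAP's own object model) that models an object group under the two rules stated in the create and modify procedures above: a group holds only Network objects or only Service objects, and on a Service object a present "range" causes the "filter" and "port" properties to be ignored. The object dict keys other than range, filter and port (type, address, protocol) are assumptions chosen for illustration.

```python
"""Object group model enforcing the homogeneity and range-precedence rules.
Added example; keys other than range/filter/port are assumptions."""

import ipaddress


def normalize_network(obj):
    # Parse the address up front so a malformed entry fails here, not on the device.
    return {"type": "Network", "address": ipaddress.ip_network(obj["address"], strict=False)}


def normalize_service(obj):
    """Apply the precedence rule: when range is present, filter and port are dropped."""
    out = {"type": "Service", "protocol": obj.get("protocol", "tcp")}
    if obj.get("range") is not None:
        lo, hi = obj["range"]
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("range must be low <= high within 0..65535")
        out["range"] = (lo, hi)
    else:
        out["port"] = obj.get("port")
        out["filter"] = obj.get("filter")
    return out


class ObjectGroup:
    def __init__(self, name):
        self.name = name
        self.kind = None  # fixed by the first object added
        self.objects = []

    def add(self, obj):
        """Add one object (the + on the screen), rejecting mixed membership."""
        kind = obj.get("type")
        if kind not in ("Network", "Service"):
            raise ValueError(f"unsupported object type {kind!r}")
        if self.kind is None:
            self.kind = kind
        elif kind != self.kind:
            raise ValueError(f"group {self.name} holds {self.kind} objects; cannot add {kind}")
        self.objects.append(normalize_service(obj) if kind == "Service" else normalize_network(obj))
        return self

    def remove(self, index):
        """Remove the object at `index` (the X under Remove on the screen)."""
        self.objects.pop(index)
        return self


def service_matches(obj, port):
    """True if a normalized Service object covers `port`. A port entered alongside
    a range has no effect because normalize_service dropped it."""
    if "range" in obj:
        return obj["range"][0] <= port <= obj["range"][1]
    return obj.get("port") == port
```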
Step 1 To view tier information, click the Tiers tab.
Step 2 To view segment information about a specific tier, click the tier name.
Figure 2-50 Tiers Screen—Tier Selected and Segment(s) Visible
The screen displays the following information:
– Name—Name given to the tier. The System assigns Tier <space><number> during container creation.
– Type—The type of container to which the tier belongs.
– Num Segments—Tiers can contain multiple segments.
– Num SLB—Number of Server Load Balancers.
– Description—A brief description of the tier (what the user intends to use it for, what services are hosted in it, etc.)
– Name—Name given to the segment. The System assigns Segment <space><number> during container creation.
– Network—The subnet address of this segment.
– Gateway—The default gateway to access this segment.
– Description—A brief description of the segment (what the user intends to use it for, what services are hosted in it, etc.).
Step 1 On the Tiers Tab screen, click Add.
The screen displays the following information:
– Add—Add a segment. For more information, see the next section.
– Name—Name of the Layer 2 segment.
– Sub Net—Subnet of the Layer 2 segment.
– Description—Description of the Layer 2 segment.
Step 2 When you are finished, click Add.
When you are adding a tier, you must add a segment:
Step 1 On the Add Tier screen shown in the previous section, under Enter L2 Segments, click the addition symbol (+).
Figure 2-52 Add Segment Screen
Enter information about the segment:
Step 2 When you are finished, click Add.
Step 1 On the Tiers Tab screen, click the tier you want to change, then click Change (when you click a tier, you see segment information about the selected tier).
Figure 2-53 Change a Tier Screen
The screen displays the following information, some of which you can change:
– Name:—You can edit the name.
– Description:—You can edit the description.
– Name—Name of the Layer 2 segment.
– Description—Description of the Layer 2 segment.
– Network—The network of the Layer 2 segment.
You can click a specific segment under L2 Segments to update it. For more information, see the next section.
Step 2 When you are finished, click Change.
When you are changing a tier, you can update a segment:
Step 1 On the Change Tier screen shown in the previous section, under L2 Segments, click the segment you want to update.
Figure 2-54 Update Segments Screen
Step 2 When you are finished, click Update.
You return to the previous screen.
To remove a tier, on the Tiers Tab screen, click the tier you want to remove, then click Remove. In the current release, you must return to the Tiers tab to force a reload and consequent fetch from the backend.
The DMZ tier is a perimeter network inside a container which is securely separated from the other interior networks of the container. The DMZ tier hosts applications and is accessible from the public Internet and other external networks having connectivity to the container edge.
To enable real-time inbound communication from the public Internet to your private cloud DMZ tier, your cloud provider can allow the servers you administer to be addressable on the public Internet. Your cloud provider can create pools of unallocated (unassigned) public IP addresses. Then, as needed, you can request that the cloud provider allocate (assign) these public IP addresses to you. You can map the allocated public IP addresses to private IP addresses within your DMZ tiers, including any DMZ Load Balancer VIP and any Workload VM addresses. Mapping directs inbound traffic from a public IP address to a private DMZ address. You can also unmap addresses.
For example, you might create a workload VM on the DMZ tier and want access to it from the Internet, in which case you request a public IP address from your cloud provider. You can then map the workload VM address to the public IP address you were allocated by the cloud provider.
To view, map, and unmap IP addresses:
Step 1 Click the IP Addressing tab. You see the following screen.
Step 2 Click the IP address you want to map and click Map To. You see the following screen.
Step 3 Enter the Target address and click Map.
Step 4 To unmap an IP address, click the mapped IP Address you want to unmap, then click Unmap. You see the following confirmation screen.
Figure 2-57 Unmap Confirmation