HP Helion CloudSystem 9.0 Network Planning Guide

About this guide
This information is for use by administrators using HP Helion CloudSystem Software version 9.0, who are assigned to configure and provision compute resources for deployment and use in virtual data centers.

HP Part Number: 5900-4303
Published: September 2015
Edition: 1
Copyright 2014, 2015 Hewlett-Packard Development Company, L.P.

Microsoft and Windows are registered trademarks of the Microsoft group of companies. Red Hat is a registered trademark of Red Hat, Inc. in the United States and other countries. VMware vCenter and VMware vSphere are registered trademarks of VMware, Inc. in the United States and/or other jurisdictions.

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents
1 Before you begin ... 4
2 Network Overview ... 5
  High-level network characteristics ... 6
  Platform Services, including Helion Development Platform and DNS as a Service ... 9
3 OpenStack networking in CloudSystem ... 11
  Configuration requirements ... 11
4 Network definitions ... 12
  Management trunk ... 12
  Cloud Data Trunk ... 17
  Storage trunk ... 18
5 Pre-deployment considerations ... 21
  Proof of concept installations ... 21
  Production installations ... 21
6 Network planning ... 23
  CloudSystem pre-deployment planning ... 23
  CloudSystem installation planning ... 23
7 L2 gateway configuration ... 27
  L2 gateway ... 27
  HP VAN SDN Controller ... 27
  HP 5930 ToR switch ... 27
  Open vSwitch Database (OVSDB) ... 27
  HP 5930 switch configuration ... 27
  Prerequisites ... 28
  Configuring HP 5930 switch ... 28
  Discovering and activating a device ... 29
  Creating and managing L2 gateway ... 31
  Creating and managing L2 gateway connections ... 32
  Interaction between L2 gateway and the CloudSystem controller ... 32
  RESTful API definitions for L2 Gateways ... 33
8 Support and other resources ... 35
  Information to collect before contacting HP ... 35
  How to contact HP ... 35
  Registering for software technical support and update service ... 35
  HP authorized resellers ... 35
  Documentation feedback ... 36
  Related information ... 36
  HP CloudSystem documents ... 36
  HP Helion OpenStack documents ... 36
  HP Insight Management documents ... 37
  Third-party documents ... 37
  HP 3PAR StoreServ documents ... 37
  HP VSA StoreVirtual documents ... 38
  HP ProLiant servers documents ... 38
1 Before you begin

The HP Helion CloudSystem 9.0 Network Planning Guide provides an overview of the networking architecture that supports the CloudSystem product. You should review this guide before installing HP Helion CloudSystem 9.0.

Additional CloudSystem concepts to review when exploring the CloudSystem product:
- CloudSystem architecture: See the Understanding CloudSystem part of the HP Helion CloudSystem 9.0 Administrator Guide in the Enterprise Information Library.
- CloudSystem resource requirements and supported hardware, software and tools: See the HP Helion CloudSystem 9.0 Support Matrix in the Enterprise Information Library.
- CloudSystem installation: See the HP Helion CloudSystem 9.0 Installation Guide in the Enterprise Information Library.
- CloudSystem issues and limitations: See the HP Helion CloudSystem 9.0 Release Notes in the Enterprise Information Library.
2 Network Overview

HP Helion CloudSystem 9.0 supports several new networks and network deployment options. The tables below summarize what's new in CloudSystem 9.0.

Table 1 New CloudSystem networks

Network | Purpose | When is it created?
iSCSI Block Storage Network | This network supports block storage for 3PAR and VSA storage devices. | When CloudSystem is deployed, by the First-Time Installer.
Object Storage Network | This network supports communication between object storage PAC and Object nodes. | Manually created after CloudSystem is deployed, when configuring object storage.
Object Proxy Network | This network connects the control plane with external object storage PAC and Object nodes. | When CloudSystem is deployed, by the First-Time Installer.
PXE Network | This untagged network is used to boot object storage servers. | When CloudSystem is deployed, by the First-Time Installer.
VxLAN underlay | This network is a single network VLAN that encapsulates and carries Tenant and Provider networks as VxLANs. | When CloudSystem is deployed, by the First-Time Installer.

Table 2 Management hypervisor networking options

Hypervisor type | VLAN | VxLAN | CVR | DVR | Notes
ESXi | X | X | X | X | SDN Controller is launched to manage compute security
KVM | X | X (only supported with RHEL 7.0) | X | X | SDN Controller is NOT launched

Table 3 Compute node networking options

Compute node type | VLAN | VxLAN | CVR | DVR
ESXi | X | X | X | -
KVM | X | X (only supported with RHEL 7.0) | X | X
Hyper-V | X | - | X | -

Comparing OpenStack Distributed Virtual Router and Centralized Virtual Routing

OpenStack introduced the Distributed Virtual Router (DVR) in the Juno release. When installing CloudSystem, customers can choose to implement CloudSystem with DVR or traditional Centralized Virtual Routing (CVR). With DVR, L3 forwarding and NAT functions are moved from the network nodes to the compute nodes. DVR provides greater East/West load distribution compared to CVR and better network scalability.
There are several things to consider when making this implementation decision:
- In the Juno release, there is no migration utility for the distributed router. Changing to traditional CVR requires re-installing the product.
- Since not all OpenStack traffic is moved to DVR, some North/South traffic may still be required through the network node.
- Using DVR complicates the management of the floating IPv4 address pool for the External Network.
- Juno is the initial release of DVR capability. It does not yet support full network fault tolerance.

Recommendation: DVR is a network enhancement in the OpenStack Juno release (April 2015). HP recommends the classic VLAN options for most CloudSystem implementations. If the CloudSystem environment is large, with thousands of hosted instances, please consult an HP CloudSystem specialist to discuss the option of implementing DVR.

Comparing VLAN and VxLAN

Virtual Extensible LAN (VxLAN) is designed to enhance Layer 2 network services beyond what IEEE 802.1Q VLAN supports today. The VxLAN specification was created through a partnership with VMware, Arista Networks, and Cisco. VxLAN offers several benefits over classic VLAN:
- VxLAN provides high scalability, allowing environments to scale beyond the 802.1Q limit of 4,094 VLANs.
- VxLAN technology provides cloud service providers with multi-tenancy (i.e. duplicate IP) options.
- VxLAN allows for greater instance (virtual machine) mobility across the entire datacenter.

Recommendation: HP recommends classic VLAN for most CloudSystem implementations. If network scalability is critical, including multi-tenant network segmentation, consult an HP CloudSystem product specialist to discuss the option of implementing CloudSystem with VxLAN.
Figure 1 Network Decision Points

High-level network characteristics

Table 4 Network types and sizing requirements

Network | Required | Type | Minimum subnet size | IP address requirements
Data Center Management Network | Yes | L3 | /27 | at least 14
Cloud Management Network | Yes | L2 | /24 |
Consumer Access Network | Yes | L3 | /24 | at least 3
External Network | Yes | L3 | /27 | 1
Provider Network | No | L3 | /27 | 12
Tenant Network | No | L2 | /24 | 200
Block Storage Network | No | L2 | /24 |
Object Proxy Network | No | L2 | /24 |

Management trunk

Table 5 Data Center Management Network

Configuration fields in the installers | Default value | Configure in... | Modify in... | Constraints | Notes
VLAN ID | service network | CloudSystem Management appliance installer (csstart) | | ID must be between 0 and 4095; VLAN ID must be unique |
DNS | | First-Time Installer | Operations Console | |
DHCP | | CloudSystem Management appliance installer (csstart) | | |
IP range | | First-Time Installer | Operations Console | |
Routes | | First-Time Installer | Operations Console | | Routes are configured on the Cloud controller and Enterprise appliance trios
Gateway | | CloudSystem Management appliance installer (csstart) | | | Gateway is configured on all appliances except the Cloud controller and Enterprise appliance trios
Domain name | | CloudSystem Management appliance installer (csstart) | | |
Table 6 Cloud Management Network

Configuration fields in the installers | Required | Default value | Configure in... | Modify in... | Constraints | Notes
VLAN ID | Yes | | First-Time Installer | | ID must be between 0 and 4095; VLAN ID must be unique | The CloudSystem Management Appliance Installer assigns a default VLAN ID to this network. You can update this to your unique VLAN ID in the First-Time Installer.
DHCP | Yes | | First-Time Installer | | Always use DHCP |
CIDR | No | 192.168.0.0/21 | First-Time Installer | | Prefix length must be between 16 and 23 inclusive |
Domain name | Yes | hpiscmgmt.local | First-Time Installer | | |

Table 7 Consumer Access Network

Configuration fields in the installers | Required | Default value | Configure in... | Modify in... | Constraints | Notes
VLAN ID | Yes | | First-Time Installer | | ID must be between 0 and 4095; VLAN ID must be unique |
DHCP | No | | First-Time Installer | | |
CIDR | No | | First-Time Installer | | |
IP range | No | 3 IP addresses | First-Time Installer | | | Add three IP addresses for the Enterprise appliances in the trio
Gateway | No | | First-Time Installer | Operations Console | | Configured on the Cloud controller and Enterprise appliance trios

Table 8 External Network

Configuration fields in the installers | Required | Default value | Configure in... | Modify in... | Constraints | Notes
VLAN ID | Yes | | First-Time Installer | | ID must be between 0 and 4095; VLAN ID must be unique |

Table 9 PXE Network

Configuration fields in the installers | Required | Default value | Configure in... | Modify in... | Constraints | Notes
VLAN ID | No | | First-Time Installer | | This network must be an untagged network. |
Cloud Data Trunk

Table 10 Supported configurations

Network configuration | Supported compute types | Supported routing | Default values | Configure in... | Modify in... | Notes
VLAN | ESXi, KVM, Hyper-V | CVR | | First-Time Installer | | You cannot change this after deployment.
VxLAN | ESXi, KVM | ESXi: CVR; KVM: DVR | 192.168.248.0/21 | First-Time Installer | | You cannot change this after deployment.

Storage trunk

Table 11 Block Storage Network

Configuration fields in the installers | Required | Default value | Configure in... | Modify in... | Constraints | Notes
VLAN ID | No | | First-Time Installer | | ID must be between 0 and 4095; VLAN ID must be unique |
DHCP | No | | First-Time Installer | | |
IP range | No | | First-Time Installer | | | Six IP addresses are required for the Management appliance and Cloud controller trios
CIDR | No | | First-Time Installer | | |
Routes | No | | First-Time Installer | | |

Table 12 Object Proxy Network

Configuration fields in the installers | Required | Default value | Configure in... | Modify in... | Constraints | Notes
VLAN ID | Yes | | First-Time Installer | | ID must be between 0 and 4095; VLAN ID must be unique |
DHCP | Yes | | First-Time Installer | | Always use DHCP |
CIDR | No | 192.168.210.0/26 | First-Time Installer | | |

Platform Services, including Helion Development Platform and DNS as a Service

Helion Development Platform is a Platform as a Service (PaaS) that enables developers to rapidly develop, deploy and scale applications across a mix of public and private clouds. It provides support for applications developed with Java, .NET, Python, Ruby, Go, Node.js, Scala, Clojure, Perl, as well as popular database and messaging technologies such as MySQL, Microsoft SQL Server, PostgreSQL, Redis, Memcached and RabbitMQ.

Platform Services included in CloudSystem are:
- Database as a Service (DBaaS) is based on OpenStack technologies. This service can be managed and configured by IT, but is easily consumable by developers.
- Application Lifecycle Service (ALS) is a Cloud Foundry-based, managed runtime environment for applications.
- Domain Name System as a Service (DNSaaS) is based on the OpenStack Designate project. This service is engineered to help you create, publish, and manage your DNS zones and records securely and efficiently to either a public or private DNS server network.

For more information on installing and configuring platform services, see the Platform Services, including Helion Development Platform and DNS as a Service chapter in the HP Helion CloudSystem 9.0 Administrator Guide in the Enterprise Information Library.

Figure 2 Helion Development Platform network overview
3 OpenStack networking in CloudSystem

OpenStack Neutron networking components in CloudSystem are present in both the management cluster and the compute node.

Management cluster: OpenStack Neutron services are incorporated into the Cloud controllers. SDN Controller is deployed in the management cluster for VxLAN configurations.

Compute node: OVSvApp L2 agent is automatically deployed on a compute node when the compute node is activated in the CloudSystem environment.

Table 13 Networking characteristics

Supported driver type | Supported hypervisors | Supported network platform | Security | Supported switch type
ML2 | ESXi, KVM, Hyper-V | VLAN, VxLAN | OVSvApp | DVS

Configuration requirements

CloudSystem administrators must configure the following networking resources before cloud users can access the networking services:

Table 14 OpenStack Neutron networking requirements

Network | Purpose | Number of networks | Created in...
External Network | Supports floating IPs | 1 | OpenStack user portal after CloudSystem is deployed
Tenant Network segmentation IDs | Supports Tenant Networks | varies | Operations Console after CloudSystem is deployed
Provider Network | Connects data center to the cloud | varies | Operations Console after CloudSystem is deployed
4 Network definitions

Management trunk

The Management trunk requires a Virtual Distributed Switch (VDS), which connects the trunk to the CloudSystem control plane. Associate a port group for each network in the Management trunk to the VDS. The management trunk networks connect to the VDS at nic0.

The Data Center Management Network is created during CloudSystem deployment by the Cloud Management Appliance Installer. This network connects virtual appliances to HP 3PAR, HP StoreVirtual VSA, VMware vCenter Server, and enclosures. Only administrator roles have access to this network.

Configuration
- requires a unique VLAN ID
- register a FQDN and a virtual IP address (VIP) for the Management appliance, Cloud controller and Enterprise appliance in the DNS server on this network. The VIP is the customer access point for the appliances. One VIP maps to all three appliances in the appliance HA trio.
- reserve a range of IP addresses. The recommended range for this network to support the maximum cloud size is /23. For proof of concept installations, plan for 14 IP addresses. To determine a more precise requirement for your environment, use the following formula:
  3 native IPs + 1 VIP for the Management appliances
  + 3 native IPs + 1 VIP for the Cloud controllers
  + 3 native IPs + 1 VIP for the Enterprise appliance
  + 1 native IP for the Update appliance
  + 1 IP for the OVSvApp on each ESXi compute node
  + 1 IP for the SDN controller, if you are using a VxLAN configuration
- add a route for each remote network. Since the Consumer Access Network is defined as the default gateway for all CloudSystem virtual appliances, you need to add a route that allows the appliances on the Data Center Management Network to access remote networks from the Data Center Management Network.

Network considerations

IMPORTANT: Protect this network according to your network security policies. Sensitive information, such as CloudSystem backup files, passes over this network.

The Operations Console and OpenStack API admin URLs and the CSA APIs are also on this network. OpenStack Keystone uses this network for the admin endpoint for all services.
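The IP-address formula above, worked through as an added Python example (not part of the guide): it computes the Data Center Management Network requirement for a given number of ESXi compute nodes, picks the smallest IPv4 prefix that covers it without going below the /27 minimum that Table 4 gives for this network, and checks a planned CIDR from the worksheet against the result. The node counts in the demonstration are constructed.

```python
"""Size the Data Center Management Network from the guide's IP formula."""
import ipaddress

# Fixed allocations from the formula: each HA trio (Management appliance,
# Cloud controller, Enterprise appliance) needs 3 native IPs plus 1 VIP,
# and the Update appliance needs 1 native IP.
TRIOS = 3
IPS_PER_TRIO = 3 + 1
UPDATE_APPLIANCE_IPS = 1
GUIDE_MIN_PREFIX = 27  # Table 4: minimum subnet size for this network


def required_dcm_ips(esxi_compute_nodes: int, vxlan: bool) -> int:
    """Return the number of IPv4 addresses the formula requires."""
    if esxi_compute_nodes < 0:
        raise ValueError("node count cannot be negative")
    total = TRIOS * IPS_PER_TRIO + UPDATE_APPLIANCE_IPS
    total += esxi_compute_nodes  # one OVSvApp per ESXi compute node
    if vxlan:
        total += 1               # the SDN controller appliance
    return total


def usable_hosts(prefix: int) -> int:
    """Usable IPv4 hosts in a /prefix block (network and broadcast excluded)."""
    if not 0 <= prefix <= 30:
        raise ValueError("prefix must be between /0 and /30")
    return 2 ** (32 - prefix) - 2


def minimum_prefix_length(host_count: int) -> int:
    """Smallest block (largest prefix number) whose usable hosts cover host_count."""
    for prefix in range(30, -1, -1):
        if usable_hosts(prefix) >= host_count:
            return prefix
    raise ValueError("host count exceeds the IPv4 address space")


def recommended_prefix_length(host_count: int) -> int:
    """Never plan a block smaller than the guide's /27 minimum for this network."""
    return min(minimum_prefix_length(host_count), GUIDE_MIN_PREFIX)


def max_esxi_nodes(prefix: int, vxlan: bool) -> int:
    """ESXi compute nodes (one OVSvApp each) a /prefix block can still accommodate."""
    return usable_hosts(prefix) - required_dcm_ips(0, vxlan)


def fits(cidr: str, host_count: int) -> bool:
    """Check a planned CIDR from the planning worksheet against the requirement."""
    network = ipaddress.ip_network(cidr, strict=True)
    return network.num_addresses - 2 >= host_count


if __name__ == "__main__":
    # Constructed planning scenarios, not sizes taken from the guide.
    for nodes, vxlan in ((0, False), (4, True), (120, True)):
        need = required_dcm_ips(nodes, vxlan)
        print(f"{nodes:>3} ESXi nodes, VxLAN={vxlan}: {need} IPs "
              f"-> plan a /{recommended_prefix_length(need)}")
    print("ESXi nodes a /23 can hold with VxLAN:", max_esxi_nodes(23, True))
    print("10.0.0.0/27 covers 30 hosts:", fits("10.0.0.0/27", 30))
```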
Figure 3 Data Center Management Network

The Consumer Access Network is created during CloudSystem deployment by the First-Time Installer. This network is a public network that allows cloud users to access the OpenStack user portal, HP CSA, the Marketplace Portal, and OpenStack and Marketplace Portal APIs.

Configuration
- requires a unique VLAN ID
- configure the default gateway for the CloudSystem virtual appliances on this network.
- create a static IP for the Management appliance, Cloud controller and Enterprise appliance on this network and add them to the management hypervisor server profile.
- reserve a range of IP addresses. The VIP addresses are the public endpoints for the user that are assigned to the cluster to support HA load balancing. Formula:
  + 1 VIP for the Cloud controllers
  + 3 native IPs + 1 VIP for the Enterprise appliances
- If needed, set up the firewall for the public IP address and make sure that it matches the VIP on this network.

Network considerations

The OpenStack user portal public access is on this network. The OpenStack Keystone public endpoint is on this network.
Figure 4 Consumer Access Network

The Cloud Management Network is created during CloudSystem deployment, initially by the Cloud Management Appliance Installer, when a temporary VLAN ID is automatically assigned. Then, during First-Time Installation, you can set the actual VLAN ID. It provides solution components with a dedicated cloud management network. All appliance-to-appliance and appliance-to-compute node traffic is on this network. HA heartbeats and OpenStack APIs (internal URLs) are on this network.

Configuration
- requires a unique VLAN ID
- the default value for this network is 192.168.0.0/21.
- use DHCP for IP address assignment
- no external DNS server or DHCP server on this network. CloudSystem will add a DNS/DHCP server in this network.

Network considerations

For object storage (OpenStack Swift), 192.168.7.2 to 192.168.7.254 is reserved for nodes created by the OpenStack Swift service.

Multiple HP Helion CloudSystem deployments cannot share this network.
Figure 5 Cloud Management Network

The External Network VLAN ID is identified during CloudSystem deployment in the First-Time Installer. This network is a distinct VLAN that allows cloud users to attach public IP addresses to their provisioned virtual machine instances.

Configuration
- requires a unique VLAN ID
- create the network in the OpenStack user portal after CloudSystem is deployed. See the Network Configuration chapter of the HP Helion CloudSystem 9.0 Administrator Guide in the Enterprise Information Library.
- create subnets if you need to segregate the External Network. CloudSystem only supports one distinct External Network.
- create a route between the External Network and the Consumer Access Network if instances in your environment require access to OpenStack services.

Network considerations

You must use floating IPs to connect instances to this network. Use the OpenStack user portal to reserve a pool of floating IP addresses.
Figure 6 External Network

The Preboot Execution Environment (PXE) Network is an untagged VLAN used to provision bare metal nodes through PXE. It is created during CloudSystem deployment by the First-Time Installer.

Configuration
- leave the network untagged (do not assign a VLAN ID). This network is automatically created during the First-Time Installation process.

NOTE: If you plan to deploy more than one Swift object storage stack in your CloudSystem environment, you will need an additional deployment network that is tagged. Contact HP Technical Support for help with this networking modification.

- PXE is connected to the object storage nodes exclusively at eth0 (or the first NIC of the machine). No other networks can be connected to this NIC.

Network considerations
- Best practice is to use 172.16.0.0/24. This is an internal subnet.
- PXE uses the same port as the Cloud Management Network on the Management appliance node.
- Cloud controller nodes are not connected to this network.
- The PXE network must be a private network with IPAM that is managed by the csprovisioner CLI tool.
Figure 7 PXE Network

Cloud Data Trunk

When deploying CloudSystem, you must choose a VLAN or VxLAN network underlay. You cannot change this after CloudSystem is deployed. You should also keep in mind that if you plan to migrate a CloudSystem 8.1 environment, VxLAN is not supported.

Provider networks are created in the Operations Console by cloud administrators. A Provider network is a data center network routed through the existing data center infrastructure. If using VxLAN, an L2 HW gateway is used to bridge the VxLAN to external VLANs.

Tenant network segmentation ID ranges are created in the Operations Console by cloud administrators. Cloud users then create Tenant Networks in the OpenStack user portal.

The Tenant Underlay Network is only available in VxLAN configurations. This network is configured when CloudSystem is deployed by the First-Time Installer when the VxLAN option is selected. The VxLAN underlay is an alternative to the Cloud Data Trunk and VLANs for Tenant and Provider networks. If used, this network is a single network VLAN that encapsulates and carries Tenant and Provider networks as VxLANs. The SDN controller virtual appliance is automatically configured when this network is created and the VxLAN option is selected during the first-time install.
Figure 8 Cloud Data Trunk with VLAN

Figure 9 Cloud Data Trunk with VxLAN

Storage trunk

The Block Storage Network is created during CloudSystem deployment by the First-Time Installer. This network is an iSCSI network used to integrate VSA Cinder (KVM and Hyper-V computes) and/or 3PAR iSCSI Cinder (KVM and Hyper-V computes) into CloudSystem.
Configuration
- requires a unique VLAN ID

Network considerations

Compute nodes use this fixed address network to connect block storage volumes to virtual machines.

Figure 10 Block Storage Network

The Object Proxy Network is created during CloudSystem deployment by the First-Time Installer. This network connects the control plane with external object storage PAC and Object nodes. You can connect this network with a load balancer that is connected to the Consumer Access Network.

Configuration
- requires a unique VLAN ID
- the default CIDR value automatically configured for this network is 192.168.210.0/26. If needed, you can change this value when running the First-Time Installer.
Figure 11 Object Proxy Network

The Object Store Network must be created manually. This network supports traffic between Swift PAC and Swift object nodes.

Configuration
- requires a unique VLAN ID

Figure 12 Object Storage Network
5 Pre-deployment considerations

Plan for the following physical NICs according to the type of cloud environment you plan to create.

Proof of concept installations

Table 15 Management hypervisors

Hypervisor type | Physical NICs
ESXi | 2
KVM | 1
Notes: No Storage trunk is configured.

Table 16 Compute nodes

Hypervisor type | Physical NICs
ESXi | 2
KVM | 1
Hyper-V | 2
Notes: No Storage trunk is configured.

Production installations

Recommended configuration

Table 17 Management hypervisors

Hypervisor type | Physical NICs
ESXi | 6
KVM | 6
Notes: Storage and teaming are supported.

Table 18 Compute nodes

Hypervisor type | Physical NICs
ESXi | 6
KVM | 6
Hyper-V | 6
Notes: Storage and teaming are supported.

Alternative supported configuration

Table 19 Management hypervisors

Hypervisor type | Physical NICs
ESXi | 2
KVM | 2
Notes: No Storage trunk is configured.

Table 20 Compute nodes

Hypervisor type | Physical NICs
ESXi | 2
KVM | 2
Hyper-V | 2
Notes: No Storage trunk is configured.
Figure 13 ESXi management cluster uplinks

Figure 14 KVM management cluster uplinks
6 Network planning

CloudSystem pre-deployment planning

Table 21 Checklist of pre-deployment tasks

Pre-deployment task
- Read the Network Planning Guide.
- Evaluate network options (CVR vs DVR, VLAN vs VxLAN).
- Understand the purpose of CloudSystem networks.
- Determine if firewall rules are required and create the rules, if necessary.
- Plan static routes for the Data Center Management Network.
- Gather network service information for NTP servers, SMTP, DNS servers, and Active Directory.
- Verify that the management cluster has the required number and type of physical NICs.
- Verify that compute nodes have the required number and type of physical NICs.
- Add FQDN entries in the DNS server for the Data Center Management Network and the Consumer Access Network.
- Fill out the Network Planning worksheet and calculate the correct subnet size for each network.
- Assign unique customer VLAN IDs and CIDR ranges for each network.
- Create L3/L2 VLANs.
- Configure the TOR switch ports (trunks) and patch cables.
- Verify L3 network connectivity by pinging gateways from the management cluster.
- Verify DNS server (forward and reverse).
- Verify firewall rules.
- Install HP Helion CloudSystem 9.0 using the two CloudSystem installers.

CloudSystem installation planning

Use the worksheet below to gather your CloudSystem environment details before you begin the installation process. Reference this information as you step through the CloudSystem installers.

Table 22 CloudSystem Installation Planning Worksheet

Installation Preparation
- Images: Source release package unpacked and added to your staging environment
  - Names
  - Disk Format: Thin Provision (recommended)
- Installation script (csstartgui.bat): Source release package unpacked and added to your staging environment
- Target: CloudSystem Management Appliance Installer

CloudSystem Management Appliance Installer
- Management hypervisor type
- vCenter IP address
- vCenter user name
- vCenter password
- Cluster
- Management appliance image name
- Hostname (Example: my.ma.hpiscmgmt.local)
- Host IP type
- IP Address (if using static IP address assignment)
- Gateway (if using static IP address assignment)
- Netmask (if using static IP address assignment)
- CS key (optional)
- CS certificate (optional)

First-Time Installer

NOTE: If you are not sure what information to provide in a field below, use the help links provided next to each field in the First-Time Installer.

- Management hypervisor: Verify the information
- Appliance images: Make sure image names match what you created in vCenter. Use the default VM names for easier troubleshooting.
- Enterprise appliance: Yes or No
- Migrate: Yes or No
- Cloud Data Trunk: VLAN or VxLAN

Network Settings: Management Trunk, Data Center Management Network
- VLAN ID
- Domain name
- Use DHCP
- Primary DNS
- Secondary DNS (optional)
- Appliance IP ranges (optional)
- Routes (optional)

Network Settings: Management Trunk, Consumer Access Network
- VLAN ID
- Use DHCP
- CIDR
- Domain name

Network Settings: Management Trunk, Cloud Management Network
- VLAN ID
- Use DHCP
- CIDR
- Domain name

Network Settings: Management Trunk, External Network
- VLAN ID

Network Settings: Storage Trunk, Block Storage Network
- VLAN ID
- Use DHCP
- IP Address (if using static IP address assignment)
- CIDR (if using static IP address assignment)
- Routes (optional)

Network Settings: Storage Trunk, Object Proxy Network
- VLAN ID
- Use DHCP
- CIDR (if using static IP address assignment)

Network Settings: Appliance Settings, Management appliance
- Data Center Management FQDN for the Management appliance
- Data Center Management Virtual IP address for the Management appliance

Network Settings: Appliance Settings, Cloud controller
- Data Center Management FQDN for the Cloud controller
- Data Center Management Virtual IP address for the Cloud controller
- Consumer Access Network FQDN for the Cloud controller (optional)
- Consumer Access Network Virtual IP address for the Cloud controller
- Consumer Access Network Public Address (optional)

Network Settings: Appliance Settings, Enterprise appliance
- Data Center Management FQDN for the Enterprise appliance
- Data Center Management Virtual IP address for the Enterprise appliance
- Consumer Access Network FQDN for the Enterprise appliance (optional)
- Consumer Access Network Virtual IP address for the Enterprise appliance
- Consumer Access Network Public Address (optional)

Glance Disk Size
- Disk Size (GB): 512 GB is recommended

Time Settings
- Use Time Zone: Yes or No
- Time Zone
- Time Server 1 (optional)
- Time Server 2 (optional)
- Time Server 3 (optional)

HTTP/HTTPS Proxy
- HTTP/HTTPS Proxy
- HTTP/HTTPS Proxy Address (optional)

Administrator Account Passwords
- OS account for CloudSystem appliances (cloudadmin): Password
- Operations Console and Portal (admin): Password
- Operations Orchestration (Administrator): Password
7 L2 gateway configuration

L2 gateway

The L2 gateway agent is an interoperable SDN (Software-Defined Networking) and network virtualization solution deployed over the HP Helion CloudSystem. The agent allows users to leverage their physical and virtual network to work together as a single entity, thus eliminating the manual network configuration, which is time consuming and error prone.

The components of this unified solution are:
- VAN SDN Controller (Virtual Applications Network Software-Defined Networking)
- HP Converged Control SDN Application
- HP FlexFabric 5930 Top-of-Rack Switch Series
- HP Helion CloudSystem Controller

The HP Converged Control federates the SDN controller and CloudSystem Controller through federation APIs. CloudSystem Controller communicates with the SDN controller using the OVSDB (Open vSwitch Database) management protocol, which is supported by the SDN controller via the federation APIs. The solution allows CloudSystem Controller to share virtual tunnel state information with the VAN SDN centralized control plane and deliver virtual network tunnel endpoints on physical network devices, such as the HP 5930 ToR switch with VxLAN support.

HP VAN SDN Controller

SDN Controller is a critical component in the L2 gateway solution. The SDN controller node hosts the OVSDB server that stores the configuration information and the discovered information of the hardware L2 gateway. The SDN controller additionally hosts the L2 gateway agent that acts as a proxy between the CloudSystem controller and the OVSDB server.

HP 5930 ToR switch

The HP FlexFabric 5930 switch series represents a new generation of top-of-rack data center switches that are optimized for SDN and for virtualization. It is a family of high-density 40 GbE and ultra-low latency top-of-rack data center switches. The series belongs to the FlexFabric solution module of the HP FlexNetwork architecture.
It has built-in intelligence based on VxLAN technology and extends network virtualization to the servers, enabling virtual and physical networks to work together as a single entity.

For information about the HP 5930 switch, see the HP FlexFabric 5930 Switch Installation Guide in the HP Support Center at http://www.hp.com/go/hpsc.

Open vSwitch Database (OVSDB)

The CloudSystem controller communicates with the SDN controller via the federation APIs, which support the Open vSwitch Database (OVSDB) management protocol. The OVSDB server is a federated interface between the HP 5930 switch and CloudSystem controller. The OVSDB protocol is used in a control cluster, along with other managers and controllers, to supply information to the switch database server. The protocol manipulates a set of tables representing switch configuration data. The controller uses OVSDB schema version 1.3.0.

HP 5930 switch configuration

Configure the HP 5930 switch to interact with the virtual and the bare metal nodes. The SDN Controller uses the same configuration details to telnet to the switch while discovering the switch. Use the console port to perform the switch configuration.
Prerequisites

NOTE: The 5930 switch VTEP IP and the compute VTEP IPs must be in different subnets, and the subnets must be routable to each other.

Before you configure the HP 5930 switch, download and install the HP 5930 switch firmware from the following location:
https://h10145.www1.hp.com/downloads/downloadsoftware.aspx?SoftwareReleaseUId=11943&ProductNumber=JG726A&prodSeriesId=6604154

Configuring HP 5930 switch

1. To create the RSA host key used by the SSH server, run the following command:

    public-key local create rsa 1024

   A 1024-bit RSA key is below current recommendations; if the installed firmware accepts a larger modulus, generate the key with it.

2. To enable scheme (user name and password) authentication on the VTY terminal lines, run the following commands:

    user-interface vty 0 4
    authentication-mode scheme

3. To create a local user with the network-admin role and SSH, terminal and Telnet access, run the following commands:

    local-user <user name>
    password <password>
    authorization-attribute user-role network-admin
    service-type ssh terminal telnet
    quit

   For example:

    local-user cloudadmin
    password <password>

4. To enable the local user for SSH with password authentication, run the following commands:

    ssh user sdn service-type all authentication-type password
    local-user <user name>
    service-type ssh terminal telnet
    authorization-attribute user-role network-admin
    quit

5. To enable Netconf, run the following commands:

    netconf soap http enable
    netconf soap https enable
    netconf ssh server enable

   Netconf over SOAP/HTTP is unencrypted. If the SDN controller in your deployment reaches the switch over Netconf/SSH or SOAP/HTTPS, leave the HTTP listener disabled.

6. To enable SNMP v2, run the following commands:

    snmp-agent community write public mib-view internet
    snmp-agent mib-view included internet internet
    snmp-agent packet max-size 5000

   The community string public is the well-known default, and here it grants write access to the whole internet MIB view. Replace it with a unique value and enter the same value in the SNMP credentials on the SDN controller (see "Discovering and activating a device"), or use SNMP v3 (step 7) instead.

7. To enable SNMP v3, run the following commands. The calculate-password command prints the cipher text of the password for the local engine ID; use that output as <cipher-text-of-password> in the usm-user command:

    snmp-agent group v3 <group name> authentication read-view internet write-view internet
    snmp-agent mib-view included internet internet
    snmp-agent mib-view included internet interfaces
    snmp-agent calculate-password <plain-text-password> mode md5 local-engineid
    snmp-agent usm-user v3 <user name> <group name> cipher authentication-mode <auth_mode> <cipher-text-of-password> privacy-mode des56 <cipher-text-of-password>

   MD5 authentication and DES-56 privacy are the weakest options SNMP v3 offers; prefer SHA and AES where the switch firmware and the SDN controller's SNMP credential settings support them.

8. To enable L2VPN (the L2 gateway VPN), run the following command:

    l2vpn enable
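The eight steps above leave several clear-text or weak-default settings on the switch (Telnet, Netconf over plain HTTP, a write community of public, MD5/DES-56 for SNMP v3, a 1024-bit host key). The following script is an added example, not part of the HP guide or of any HP tool: it audits a saved Comware-style configuration dump for those settings so that the hardening decisions can be checked after the switch is configured. The sample configuration is constructed from the commands in steps 1 to 8, and the rule set and function names are this example's own.

```python
"""Added example (not from the HP guide): audit a saved Comware-style
configuration for the weak management settings that the switch steps
above can leave behind. The config text is constructed from the
commands in steps 1-8; the finding rules are this example's own."""
import re

# Constructed sample: the guide's commands as they would appear in a
# configuration dump, including the weak defaults.
SAMPLE_CONFIG = """\
public-key local create rsa 1024
user-interface vty 0 4
 authentication-mode scheme
local-user cloudadmin
 password Sup3rSecret
 authorization-attribute user-role network-admin
 service-type ssh terminal telnet
netconf soap http enable
netconf soap https enable
netconf ssh server enable
snmp-agent community write public mib-view internet
snmp-agent mib-view included internet internet
snmp-agent usm-user v3 sdnuser sdngroup cipher authentication-mode md5 $c$3$abc privacy-mode des56 $c$3$def
l2vpn enable
"""

# Each rule: (finding id, regex applied to one config line, message).
RULES = [
    ("rsa-key-size",
     re.compile(r"^public-key local create rsa (\d+)$"),
     "RSA host key modulus below 2048 bits"),
    ("telnet-enabled",
     re.compile(r"^\s*service-type .*\btelnet\b"),
     "Telnet service enabled for a local user (clear-text logins)"),
    ("netconf-http",
     re.compile(r"^netconf soap http enable$"),
     "Netconf SOAP over plain HTTP enabled"),
    ("snmpv2-write-community",
     re.compile(r"^snmp-agent community write (\S+)"),
     "SNMP v2 write community configured"),
    ("snmpv3-weak-crypto",
     re.compile(r"^snmp-agent usm-user v3 .*(authentication-mode md5|privacy-mode des56)"),
     "SNMP v3 user uses MD5 authentication or DES-56 privacy"),
]

WELL_KNOWN_COMMUNITIES = {"public", "private"}


def audit_config(text):
    """Return a list of (finding id, line number, message) for weak settings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for fid, pattern, message in RULES:
            m = pattern.search(line)
            if not m:
                continue
            if fid == "rsa-key-size":
                if int(m.group(1)) >= 2048:
                    continue  # key size is acceptable, no finding
                message = f"{message} ({m.group(1)} bits)"
            if fid == "snmpv2-write-community":
                community = m.group(1)
                if community in WELL_KNOWN_COMMUNITIES:
                    message = f"{message} with well-known string '{community}'"
            findings.append((fid, lineno, message))
    return findings


def finding_ids(text):
    """Sorted, de-duplicated finding ids; convenient for a pass/fail check."""
    return sorted({fid for fid, _, _ in audit_config(text)})


if __name__ == "__main__":
    for fid, lineno, message in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: [{fid}] {message}")
```

Run against the sample, the audit reports all five weak settings; a configuration that uses a 2048-bit key, SSH only, Netconf over SSH, and SHA/AES for SNMP v3 produces no findings. Feed it the output of a configuration dump captured from the switch after completing the steps above.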
Discovering and activating a device

1. Use a supported browser, such as Google Chrome, to access the SDN controller's GUI at the controller IP address:

   GUI: https://<sdn_controller_ip_addr>:8443/sdn/ui
   Example: https://192.0.2.1:8443/sdn/ui

2. Enter the user name and password credentials, then select Login.

   Example default user name: sdn
   Example default password: skyline

   The main controller screen appears with the Alerts screen displayed.

3. Change the default login credentials. These defaults are published, so do not leave them in place beyond the first login.

   Example user name: cloudadmin
   Example password: <new password>

   NOTE: For information about changing the default credentials, see the HP VAN SDN Controller Installation Guide in the SDN information library at http://www.hp.com/go/sdn/infolib.

4. Select Credentials on the navigation pane and ensure that the SNMP and Netconf credentials are configured on the SDN controller. The controller uses these credentials to communicate with the device, that is, the 5930 switch, so they must match the SNMP and local user settings configured on the switch. By default, the SDN controller uses its pre-configured SNMP credentials.
Figure 15 Setting SNMP credentials

5. Select L2 Gateway on the navigation pane and click Discover. Enter the Gateway IP Address of the device and click OK.

Figure 16 Discovering a device

   The L2 Gateway screen is populated with the device details. By default, a newly discovered device is in the deactivated state, as shown in Figure 17 (page 30).

Figure 17 Device status after discovery

6. To activate the L2 Gateway for a device, select the device and click Activate.
   a. Select the VTEP IP Address from the drop-down list.
   b. Select the relevant port.
Figure 18 Activating a device

Figure 19 Activation summary

When the device is activated, the SDN controller populates the HP 5930 switch hardware VTEP details in the OVSDB server.

Creating and managing L2 gateway

Use the following commands to manage the L2 gateway. To create the L2 gateway, run the following command from the CloudSystem controller:

    neutron l2-gateway-create <l2gateway-name> --device name="<device_name>",interface_names="<interface_name1> <segid1>;<interface_name2> <segid2>"
NOTE: The segmentation ID is optional. If you do not provide it when you create the L2 gateway, you must provide it when you create the L2 gateway connection.

For example:

    neutron l2-gateway-create testl2gateway --device name="cell21-5930-01",interface_names="fortygige1/0/1"

Or:

    neutron l2-gateway-create testl2gateway --device name="cell21-5930-01",interface_names="fortygige1/0/1 1800;FortyGigE1/0/2 1801"

To list L2 gateways, run the following command:

    neutron l2-gateway-list

To show an L2 gateway, run the following command:

    neutron l2-gateway-show <l2gateway-id/l2gateway-name>

To delete an L2 gateway, run the following command:

    neutron l2-gateway-delete <l2gateway-id/l2gateway-name>

To update an L2 gateway, run the following command:

    neutron l2-gateway-update <l2gateway-id/l2gateway-name> --name <new_l2gateway_name> --device name="<device_name>",interface_names="<interface_name1> <segid1>;<interface_name2> <segid2>"

Creating and managing L2 gateway connections

L2 gateways bridge two or more networks together so that they appear as a single L2 broadcast domain, typically bridging a virtual network with a physical network. L2 gateway capabilities extend CloudSystem logical (overlay) networks into physical (provider) networks that are outside the OpenStack domain. These networks can be, for instance, VLANs that may or may not be managed by OpenStack. Because a connection makes the provider VLAN and the tenant overlay one broadcast domain, any host on that VLAN can reach the connected VMs at layer 2; apply the same access controls to the provider VLAN that you expect of the tenant network.

NOTE: For reliable performance, create a maximum of 350 connections and connect a maximum of 1024 VMs to each L2 gateway in CloudSystem.
To create an L2 gateway connection, run the following command:

    neutron l2-gateway-connection-create <l2gateway-id> <network-id> --default-segmentation-id <seg-id>

To list L2 gateway connections, run the following command:

    neutron l2-gateway-connection-list

To show an L2 gateway connection, run the following command:

    neutron l2-gateway-connection-show <l2gateway-connection-id>

To delete an L2 gateway connection, run the following command:

    neutron l2-gateway-connection-delete <l2gateway-connection-id>

Interaction between L2 gateway and the CloudSystem controller

After you create the L2 gateway, the following changes occur:

The CloudSystem controller populates the OVSDB server with the updates, which include the VLAN bindings (xconnect) of the device and the remote MAC addresses residing behind the hypervisor.

Based on the xconnect information, CloudSystem binds the VLAN to the VNI for the given switch port on the HP 5930 using Netconf. A tunnel is established between the hypervisor VTEP and each activated hardware VTEP. The tunnel is bound to the VSI for the given VNI, and the given remote MAC is added as a static MAC entry in the HP 5930 switch.

CloudSystem also populates the OVSDB server with the bare metal MAC details residing behind the HP 5930 switch. The application also creates a tunnel mesh from the newly activated HP 5930 switch to every other activated switch in the network. This tunnel mesh handles BUM (broadcast, unknown unicast and multicast) traffic generated from the bare metal servers towards other bare metal servers. Each tunnel the application creates is bound with every available VSI in the switch.

Figure 20 Tunnel creation between the hypervisor and HP 5930 switch (components shown: HP Converged Control SDN Application with HP VAN SDN Controller, CloudSystem Controller, OVSDB client and OVSDB server, aggregate switches, HP 5930 switches reached over Netconf and SNMPv3, hypervisors with software VTEPs, WAN routers, physical servers, and the interactions with the OVSDB server)

RESTful API definitions for L2 Gateways

The following RESTful APIs are defined for creating and managing L2 gateway functionality. Placeholders are shown in angle brackets: <Admin_Auth_Token> is a Keystone token with the admin role, and <controller_clm_vip> is the CloudSystem management VIP. These examples address the Neutron API over plain http on port 9696, so the admin token travels in clear text; issue them only from the management network, or use an https endpoint if one is configured for your deployment.

1. To establish a connection between the bare metal devices and the virtual machines, you must add a security group rule to the security group used by the tenant from which the virtual machine is booted. Log in to the tenant session as an administrator and run the following commands:

    neutron security-group-list
    neutron security-group-rule-create --protocol icmp --direction ingress <security_group_id>

   As written, the rule admits ICMP from any source (the default remote IP prefix is 0.0.0.0/0). To limit it to the bare metal subnet, add --remote-ip-prefix <cidr> to the command.

2. To create an L2 gateway with segmentation IDs, run the following command:

    curl -i -X POST http://<controller_clm_vip>:9696/v2.0/l2-gateways -H "User-Agent: python-neutronclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: <Admin_Auth_Token>" -d '{"l2_gateway": {"name": "gateway", "devices": [{"interfaces": [{"name": "device_interface_name1", "segmentation_id": "seg_id1"}, {"name": "device_interface_name2", "segmentation_id": "seg_id2"}], "device_name": "switch-name"}]}}'

3. To create an L2 gateway without segmentation IDs, run the following command:

    curl -i -X POST http://<controller_clm_vip>:9696/v2.0/l2-gateways -H "User-Agent: python-neutronclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: <Admin_Auth_Token>" -d '{"l2_gateway": {"name": "gateway", "devices": [{"interfaces": [{"name": "device_interface_name1"}, {"name": "device_interface_name2"}], "device_name": "switch-name"}]}}'

4. To list L2 gateways, run the following command:

    curl -i -X GET http://<controller_clm_vip>:9696/v2.0/l2-gateways -H "User-Agent: python-neutronclient" -H "Accept: application/json" -H "X-Auth-Token: <Admin_Auth_Token>"

5. To show an L2 gateway, run the following command:

    curl -i -X GET http://<controller_clm_vip>:9696/v2.0/l2-gateways/<gateway_id> -H "User-Agent: python-neutronclient" -H "Accept: application/json" -H "X-Auth-Token: <Admin_Auth_Token>"

6. To delete an L2 gateway, run the following command:

    curl -i -X DELETE http://<controller_clm_vip>:9696/v2.0/l2-gateways/<gateway_id> -H "X-Auth-Token: <Admin_Auth_Token>" -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-neutronclient"

7. To create an L2 gateway connection, run the following command:

    curl -i -X POST http://<controller_clm_vip>:9696/v2.0/l2-gateway-connections -H "X-Auth-Token: <Admin_Auth_Token>" -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-neutronclient" -d '{"l2_gateway_connection": {"l2_gateway_id": "<l2gateway_id>", "network_id": "<network_id>", "segmentation_id": "<vlan_id>"}}'

   NOTE: The segmentation_id is optional, unless the gateway's interfaces were created without one (see the NOTE under "Creating and managing L2 gateway").

8. To delete an L2 gateway connection, run the following command:

    curl -i -X DELETE http://<controller_clm_vip>:9696/v2.0/l2-gateway-connections/<l2gateway_connection_id> -H "X-Auth-Token: <Admin_Auth_Token>" -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-neutronclient"

9. To show an L2 gateway connection, run the following command:

    curl -i -X GET http://<controller_clm_vip>:9696/v2.0/l2-gateway-connections/<l2gateway_connection_id> -H "X-Auth-Token: <Admin_Auth_Token>" -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-neutronclient"

10. To list L2 gateway connections, run the following command:

    curl -i -X GET http://<controller_clm_vip>:9696/v2.0/l2-gateway-connections -H "X-Auth-Token: <Admin_Auth_Token>" -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-neutronclient"
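The neutron CLI under "Creating and managing L2 gateway" and the REST calls above describe the same objects in two notations: the CLI packs interfaces and segmentation IDs into a --device string, and the API expects a nested l2_gateway JSON body. The following Python is an added example written for this guide, not HP's or the python-neutronclient's own code: it parses the --device string into the REST body, checks that every segmentation ID is a valid VLAN ID, and builds the l2-gateway-connections body while enforcing the guide's rule that a connection must carry a segmentation ID when the gateway's interfaces were created without one. The function names, the VLAN range check, and the sample values are this example's assumptions; the device and interface names are taken from the CLI examples above.

```python
"""Added example (not HP's code): translate the neutron CLI --device
syntax into the JSON body that the l2-gateways REST API accepts, and
enforce the rule that a connection needs a segmentation ID when the
gateway interfaces were created without one. Function names, the VLAN
range check and sample values are this example's assumptions."""
import json


def _split_unquoted(text, sep):
    """Split text on sep, ignoring separators inside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == sep and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def _check_vlan(value):
    """Segmentation IDs on the provider side are VLAN IDs: 1-4094."""
    vid = int(value)
    if not 1 <= vid <= 4094:
        raise ValueError(f"segmentation id {vid} outside 1-4094")
    return vid


def parse_device_spec(spec):
    """Parse 'name="<device>",interface_names="<if> [segid];..."' into one
    entry of the REST 'devices' list. Keys may appear in either order."""
    fields = {}
    for part in _split_unquoted(spec, ","):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip().strip('"')
    if "name" not in fields or "interface_names" not in fields:
        raise ValueError("device spec needs name= and interface_names=")
    interfaces = []
    for item in fields["interface_names"].split(";"):
        tokens = item.split()
        if not tokens:
            continue
        entry = {"name": tokens[0]}
        if len(tokens) == 2:
            entry["segmentation_id"] = str(_check_vlan(tokens[1]))
        elif len(tokens) > 2:
            raise ValueError(f"bad interface entry: {item!r}")
        interfaces.append(entry)
    if not interfaces:
        raise ValueError("no interfaces given")
    return {"device_name": fields["name"], "interfaces": interfaces}


def l2_gateway_body(name, device_specs):
    """Body for POST /v2.0/l2-gateways (one --device string per device)."""
    return {"l2_gateway": {"name": name,
                           "devices": [parse_device_spec(s) for s in device_specs]}}


def l2_gateway_connection_body(gateway_body, gateway_id, network_id, segmentation_id=None):
    """Body for POST /v2.0/l2-gateway-connections. Refuses to build a
    connection without a segmentation ID if any gateway interface lacks one."""
    interfaces = [i for d in gateway_body["l2_gateway"]["devices"] for i in d["interfaces"]]
    missing = [i["name"] for i in interfaces if "segmentation_id" not in i]
    if missing and segmentation_id is None:
        raise ValueError(f"gateway interfaces {missing} have no segmentation id; "
                         "pass --default-segmentation-id")
    body = {"l2_gateway_id": gateway_id, "network_id": network_id}
    if segmentation_id is not None:
        body["segmentation_id"] = str(_check_vlan(segmentation_id))
    return {"l2_gateway_connection": body}


if __name__ == "__main__":
    # Constructed sample taken from the CLI examples in this chapter.
    spec = 'name="cell21-5930-01",interface_names="fortygige1/0/1 1800;FortyGigE1/0/2 1801"'
    print(json.dumps(l2_gateway_body("testl2gateway", [spec]), indent=2))
```

The generated dictionaries are what the -d payloads of the curl commands in steps 2, 3 and 7 carry; serialize them with json.dumps and send them with the same X-Auth-Token header. Building the body in code, rather than by hand, is also where to reject a segmentation ID outside the VLAN range before it reaches the switch.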
8 Support and other resources

Information to collect before contacting HP

Be sure to have the following information available before you contact HP:

Software product name
Hardware product model number
Operating system type and version
Applicable error message
Third-party hardware or software
Technical support registration number (if applicable)

How to contact HP

Use the following methods to contact HP:

To obtain HP contact information for any country, see the Contact HP worldwide website: http://www.hp.com/go/assistance
Use the Get help from HP link on the HP Support Center: http://www.hp.com/go/hpsc
To contact HP by telephone in the United States, use the Contact HP Phone Assist website to determine the telephone number that precisely fits your needs. For continuous quality improvement, conversations might be recorded or monitored. http://www8.hp.com/us/en/contact-hp/phone-assist.html#section1

Registering for software technical support and update service

HP CloudSystem includes one year of 24 x 7 HP Software Technical Support and Update Service. This service provides access to HP technical resources for assistance in resolving software implementation or operations problems. The service also provides access to software updates and reference manuals, either in electronic form or on physical media as they are made available from HP. Customers who purchase an electronic license are eligible for electronic updates only. With this service, HP CloudSystem customers benefit from expedited problem resolution as well as proactive notification and delivery of software updates. For more information about this service, see the following website: http://www.hp.com/services/insight

Registration for this service takes place following online redemption of the license certificate.

HP authorized resellers

For the name of the nearest HP authorized reseller, see the following sources:

In the United States, see the U.S. HP partner and store locator website: http://www.hp.com/service_locator
In other locations, see the Contact HP worldwide website: http://www.hp.com/go/assistance
Documentation feedback

HP is committed to providing documentation that meets your needs. To help us improve the documentation, send your suggestions and comments to: docsfeedback@hp.com

In your mail message, include the following information, which is located on the front cover:

Document title
Published date
Edition number

Help us pinpoint your concern by putting the document title in the Subject line of your mail message.

Related information

Use this section to learn about available documentation for HP CloudSystem components and related products.

HP CloudSystem documents

The latest versions of HP CloudSystem manuals and white papers, including HP CSA and HP Operations Orchestration, can be downloaded from the Enterprise Information Library at http://www.hp.com/go/cloudsystem/docs.

HP Helion CloudSystem 9.0 Release Notes
HP Helion CloudSystem 9.0 Installation Guide
HP Helion CloudSystem 9.0 Administrator Guide
HP Helion CloudSystem 9.0 Network Planning Guide
HP Helion CloudSystem 9.0 Troubleshooting Guide
HP Helion CloudSystem 9.0 Command Line Interface Guide
HP Helion CloudSystem 9.0 Support Matrix

Online help for the CloudSystem Console is available by clicking the help control button in the Console user interface.

HP Helion OpenStack documents

The latest version of HP Helion OpenStack information is viewable from HP Helion Documentation at http://docs.hpcloud.com, including information about the following products:

HP Helion OpenStack
HP Helion OpenStack Community
HP Helion Development Platform
HP Helion Eucalyptus
HP Helion Public Cloud

The full list of HP CSA documentation can be accessed from the HP Cloud Service Automation tab.
HP Insight Management documents

The latest versions of HP Matrix Operating Environment manuals, white papers, and the HP Insight Management Support Matrix can be downloaded from the HP Enterprise Information Library at http://www.hp.com/go/matrixoe/docs, including the following documents:

HP Matrix Operating Environment Release Notes
HP Insight Management Support Matrix
HP Matrix Operating Environment Infrastructure Orchestration User Guide
Cloud bursting with HP CloudSystem Matrix infrastructure orchestration

Third-party documents

CloudSystem incorporates OpenStack technology (listed below) and interoperates with other third-party virtualization software.

OpenStack Juno
OpenStack Documentation for Juno releases

With few exceptions (such as installation information), OpenStack documents are always set to display the current release stream on the OpenStack document web site. Check the OpenStack appendices in the HP CloudSystem Administrator Guide to learn about unsupported OpenStack functionality in this release.

VMware
Cloud Administrator Guide
Virtual Machine Image Guide
API Quick Start
Admin User Guide
End User Guide
Command reference: Keystone commands, Glance commands, Neutron commands, Nova commands, Cinder commands
VMware vSphere documents

Microsoft
Microsoft Windows Server documents
Microsoft Hyper-V documents

Red Hat
Red Hat Enterprise Linux 6 documents
Red Hat Enterprise Linux 7 documents

HP 3PAR StoreServ documents

The latest versions of HP 3PAR StoreServ Storage manuals are available from the Storage tab at the top of the Enterprise Information Library.
HP 3PAR StoreServ Storage manuals can also be downloaded from the HP Support Center, including the following documents:

HP 3PAR StoreServ Storage Concepts Guide
HP 3PAR StoreServ Storage Troubleshooting Guide

HP VSA StoreVirtual documents

The latest versions of HP VSA StoreVirtual Storage manuals are available from the Storage tab at the top of the Enterprise Information Library. HP VSA StoreVirtual Storage manuals can also be downloaded from the HP Support Center, including the following document:

HP StoreVirtual Storage User Guide

HP ProLiant servers documents

The HP Integrated Lights-Out QuickSpecs contain support information and are available from the iLO product website: http://h18004.www1.hp.com/products/quickspecs/12362_div/12362_div.pdf

HP ProLiant servers:
ProLiant BL BladeSystem servers: http://www.hp.com/go/blades
ProLiant DL, ML, and SL servers: http://www8.hp.com/us/en/products/servers/proliant-servers.html