Usage Scenario

Both IPv4 flat networks and IPv6 flat networks apply to the following typical usage scenarios:
  • IPv4+IPv6 double stack
  • L2 connected network
  • Security group
  • EIP
  • Load Balancing
  • Hardware SDN

For the purposes of this tutorial, this section uses IPv4 flat networks as the example.


IPv4+IPv6 Double Stack

An IPv4+IPv6 double stack (dual stack) gives one NIC two kinds of IP address, an IPv4 address and an IPv6 address, so that a VM instance can use either protocol. With an IPv4+IPv6 double stack, you can build business scenarios that need IPv4, IPv6, or both.

Assume that your environment is as follows:
  1. IPv4 range
    Table 1. IPv4 Range Configuration
    Flat Network Configurations
    NIC: em1
    VLAN ID: 2002
    IP range: 192.168.2.2-192.168.2.254
    Subnet mask: 255.255.255.0
    Gateway: 192.168.2.1
    DHCP IP: 192.168.2.3
    DNS: 223.5.5.5
  2. IPv6 range
    Table 2. IPv6 Range Configuration
    Flat Network Configurations
    IP range: 234e:0:4568::2-234e:0:4568:0:ffff:ffff:ffff:ffff
    Prefix length: 64
    Gateway: 234e:0:4568::1
    DHCP IP: 234e:0:4568::3
    DNS: 240c::6644
To create an IPv4+IPv6 double stack
  1. Create an IPv4 networking environment.
  2. Add an IPv6 range.
  3. Add an IPv6 DNS address.
  4. Create VM instances by using a double stack network.
  5. Obtain IPv6 addresses of the VM instances.
  6. Validate the network connectivity.
  1. Create an IPv4 networking environment.
    Create a flat network with an IPv4 range, using the values in Table 1. Assume that the flat network is named L3-Flat Network. At this point the network is an IPv4-only network.
    Note: You can also create an IPv6 flat network first and then add an IPv4 range to it.
  2. Add an IPv6 range.

    Add an IPv6 range to the existing IPv4 network. The result is an IPv4+IPv6 double stack network.

    On the Private Network page, select the IPv4 network, choose Actions > Add IPv6 IP Range, and set the following parameters:
    • Method: Select IP Range. Options: IP Range and CIDR.
      Note: IPv6 supports IP Range and CIDR. The following are the supported formats:
      • Colon hexadecimal notation: X:X:X:X:X:X:X:X, where each X is a 16-bit group written in hexadecimal, such as 234e:0:4567:0:ffff:ffff:ffff:ffff.
      • Zero compression: A contiguous run of all-zero groups can be compressed to ::. To keep the address unambiguous, :: may appear only once, such as 234e:0:4567::2.
      • CIDR notation: X:X:X:X:X:X:X:X/N, where N is the prefix length.
    • Mode: Select Stateful-DHCP.
      Note: IPv6 supports the following address allocation modes:
      • Stateful-DHCP: Interface addresses and all other parameters are assigned by DHCPv6. Only the IP Range method supports this mode.
      • Stateless-DHCP: Interface addresses are derived from the prefixes in router advertisements, while other parameters are obtained from DHCPv6.
      • SLAAC: Stateless address autoconfiguration. Interface addresses are derived from the prefixes in router advertisements, and other parameters are carried in the router advertisements themselves.
    • Start IP: Enter the start IP of the IPv6 range, such as 234e:0:4568::2.
    • End IP: Enter the end IP of the IPv6 range, such as 234e:0:4568:0:ffff:ffff:ffff:ffff.
    • Prefix Length: Enter the prefix length of the IPv6 range, such as 64. Range: 64-126.
    • Gateway: Enter the gateway of the IPv6 range, such as 234e:0:4568::1.
    • DHCP IP: Optional. Enter a DHCP IP address, such as 234e:0:4568::3.
      Note:
      • If you create an L3 network and enable the DHCP service for the first time, or if you add the first IP range to an L3 network that already has the DHCP service enabled, you can customize the DHCP IP address.
      • If the L3 network already has a DHCP IP address, you cannot customize the DHCP IP address when you add an IP range.
      • The DHCP IP address may lie inside or outside the added IP range, but it must be within the CIDR to which the added IP range belongs and must not already be in use.
      • The IP range between the start IP and the end IP must not contain link-local addresses (fe80::/10 for IPv6; 169.254.0.0/16 for IPv4).
      • If you do not specify a DHCP IP address, the system picks one at random from the IP range you added.
    Click OK. The IPv6 range is added to the IPv4 flat network, as shown in Add IPv6 Range, and the network is now an IPv4+IPv6 network.
    Figure 1. Add IPv6 Range


  3. Add an IPv6 DNS address.
    On the DNS tab page of this network, click Add DNS, and set the following parameters:
    • IP Address Type: Select IPv6.
    • DNS: Enter the IPv6 DNS address, such as 240c::6644.
    Click OK to complete adding the DNS address, as shown in Add IPv6 DNS Address.
    Figure 2. Add IPv6 DNS Address


  4. Create VM instances by using a double stack network.
    In the navigation pane of the ZStack Private Cloud UI, choose Resource Pool > VM Instance. On the VM Instance page, click Create VM Instance. On the displayed Create VM Instance page, set the following parameters:
    • Add Type: Select Multiple.
    • Create Count: Enter 2.
    • Name: Enter a name for the VM instances, such as VM-Double Stack.
    • Description: Optional. Enter a description for the VM instances.
    • Instance Offering: Select an instance offering for the VM instances.
    • Image: Select an image for the VM instances.
    • Network: Select a double-stack L3 network.
    Click OK to complete creating these two double stack VM instances (VM-Double Stack-1 and VM-Double Stack-2), as shown in Create VM Instance.
    Figure 3. Create VM Instance


  5. Obtain IPv6 addresses of the VM instances.
    ZStack assigns IPv4 addresses to the VM instances automatically, but the IPv6 addresses must be requested manually from inside the guests. Open the console of each VM instance and request an address over DHCPv6:
    -bash-4.2# dhclient -6 eth0  # eth0 is the NIC name.
    Note: An address beginning with fe80 is the link-local address, not the DHCPv6-assigned address you are looking for.
    Obtain IP addresses, as shown in Obtain IP Address.
    Figure 4. Obtain IP Address


    In this scenario, after running ifconfig, you will obtain the following addresses:
    • VM-Double Stack-1 IPv4 address: 192.168.2.248
    • VM-Double Stack-1 IPv6 address: 234e:0:4568::69:9fdc
    • VM-Double Stack-2 IPv4 address: 192.168.2.183
    • VM-Double Stack-2 IPv6 address: 234e:0:4568::23:c59b
  6. Validate the network connectivity.
    Expected result: each VM instance can reach the other over both IPv4 and IPv6.
    Log in to VM-Double Stack-1 and ping the IPv4 address of VM-Double Stack-2; then ping its IPv6 address (use ping6, or ping -6 on newer iputils versions), as shown in Validate Network Connectivity.
    Figure 5. Validate Network Connectivity


    Similarly, log in to VM-Double Stack-2 and ping the IPv4 and IPv6 addresses of VM-Double Stack-1.

    So far, we have introduced how to use a double stack (IPv4+IPv6) flat network.
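As an added example that is not part of this tutorial or of ZStack's code, the following Python script checks the two points of this procedure that are easy to get wrong: whether an IPv6 range, gateway and DHCP IP satisfy the constraints listed under step 2 (a DHCP IP in a different /64, such as 234e:0:4567::3, is rejected), and which address in `ip -6 addr` output is the DHCPv6-assigned one rather than the fe80:: link-local address that step 5 warns about. The `ip -6 addr` output is constructed, and the validation is this example's own reading of the dialog's notes, not a ZStack API.

```python
"""Checks for the IPv4+IPv6 double stack procedure above.

Added example, not ZStack code. It takes the addresses from Table 1 and
Table 2, applies the constraints the Add IPv6 IP Range dialog states, and
picks the DHCPv6-assigned address out of constructed `ip -6 addr show dev
eth0` output. It does not talk to ZStack.
"""
import ipaddress
import re


def validate_ipv6_range(start, end, prefix_len, gateway, dhcp_ip=None):
    """Return a list of problems with an IPv6 range; an empty list means OK."""
    problems = []
    if not 64 <= prefix_len <= 126:
        problems.append(f"prefix length {prefix_len} is outside 64-126")
    start_a = ipaddress.IPv6Address(start)
    end_a = ipaddress.IPv6Address(end)
    gw_a = ipaddress.IPv6Address(gateway)
    if start_a > end_a:
        problems.append("start IP is after end IP")
    # The CIDR the range belongs to: the start address under the prefix length.
    cidr = ipaddress.IPv6Network(f"{start}/{prefix_len}", strict=False)
    if end_a not in cidr:
        problems.append(f"end IP {end} is outside {cidr}")
    if gw_a not in cidr:
        problems.append(f"gateway {gateway} is outside {cidr}")
    # Link-local space is fe80::/10 for IPv6 (169.254.0.0/16 is the IPv4 counterpart).
    if cidr.overlaps(ipaddress.IPv6Network("fe80::/10")):
        problems.append("range overlaps link-local fe80::/10")
    if dhcp_ip is not None:
        dhcp_a = ipaddress.IPv6Address(dhcp_ip)
        # The DHCP IP may sit inside or outside the start-end range, but must
        # be within the range's CIDR and must not be an address already taken.
        if dhcp_a not in cidr:
            problems.append(f"DHCP IP {dhcp_ip} is outside {cidr}")
        elif dhcp_a == gw_a:
            problems.append("DHCP IP is already taken by the gateway")
    return problems


# Constructed output of `ip -6 addr show dev eth0` on VM-Double Stack-1 after
# `dhclient -6 eth0`. The fe80:: line is the link-local address the note warns
# about; the "scope global" line is the address the tutorial expects.
SAMPLE_IP_ADDR_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 234e:0:4568::69:9fdc/128 scope global dynamic
       valid_lft 86399sec preferred_lft 86399sec
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""


def global_ipv6_addresses(ip_addr_output):
    """Return the IPv6 addresses in `ip -6 addr` output that are not link-local."""
    found = []
    for match in re.finditer(r"inet6\s+([0-9a-fA-F:]+)/\d+", ip_addr_output):
        addr = ipaddress.IPv6Address(match.group(1))
        if addr.is_link_local:
            continue
        found.append(str(addr))
    return found


if __name__ == "__main__":
    # Table 2 as used in this tutorial: no problems.
    print(validate_ipv6_range("234e:0:4568::2", "234e:0:4568:0:ffff:ffff:ffff:ffff",
                              64, "234e:0:4568::1", "234e:0:4568::3"))
    # A DHCP IP taken from a different /64 is rejected.
    print(validate_ipv6_range("234e:0:4568::2", "234e:0:4568:0:ffff:ffff:ffff:ffff",
                              64, "234e:0:4568::1", "234e:0:4567::3"))
    print(global_ipv6_addresses(SAMPLE_IP_ADDR_OUTPUT))
```

Running the script prints an empty list for the Table 2 values, a one-item list naming the out-of-CIDR DHCP IP, and the single global address 234e:0:4568::69:9fdc. The same `ipaddress` parsing accepts all three notations the dialog supports (full colon hexadecimal, zero compression, and CIDR), so it can also be used to sanity-check values before typing them into the UI.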


L2 Connected Network

A typical L2 flat network is a layer 2 connected network: in a private cloud data center, all hosts and VM instances sit on one L2 network, and their IP addresses belong to the same L3 network. Traffic between these hosts and VM instances is switched directly and is not routed through a gateway.

IP addresses of all compute nodes are assigned from 172.16.0.0/16, as shown in L2 Flat Network.
Figure 1. L2 Flat Network


L2 flat networks suit small and medium-sized enterprises. Because the topology is simple, staff computers can reach each other directly. Since all staff computers share one L2 network, there is no segmentation at the network layer, so access control is usually enforced by the security groups (distributed firewalls) of the private cloud.

In actual deployments, set the gateway address of the L3 network to the gateway address your company already uses. Also make sure that the IP range assigned to VM instances does not overlap addresses already assigned to hosts: plan the assignment deliberately and keep the ranges separate.


Security Group

A security group serves as a virtual firewall for your VM instances: it allows or denies inbound traffic to, and outbound traffic from, multiple types of cloud resources. It provides L3 network security controls over your VM instances by filtering TCP, UDP, and ICMP packets, so you can control specified VM instances on specified networks according to specified security rules.
  • Flat networks, vRouter networks, and VPCs support the security group service. The service is provided by the security group network service module, which enforces the rules with iptables; this applies equally to flat networks, vRouter networks, and VPCs.
  • A security group is in effect a distributed firewall. When you modify a rule, or add or remove a NIC, the firewall rules enforced for the affected VM instances are updated as well.
Security group rule:
  • A security group rule has one of two traffic types, according to the direction of the packets:
    • Ingress: Inbound packets that arrive at a VM instance.
    • Egress: Outbound packets that are sent from a VM instance.
  • A security group rule supports the following protocol types:
    • ALL: All protocol types; no port can be specified.
    • TCP: Supports ports 1-65535.
    • UDP: Supports ports 1-65535.
    • ICMP: By default, both the start port and the end port are -1, meaning all ICMP types are matched.
  • A security group rule can restrict the peer of the traffic, whether it is inside or outside the cloud. Currently, the source can be a source CIDR or a source security group:
    • Source CIDR: Allows only peers within the specified CIDR.
    • Source security group: Allows only the VM instances in the specified security group.
    Note: If you set both a CIDR and a security group, only their intersection takes effect: a peer must be in the CIDR and in the security group.
A security group topology is shown in Figure 1.
Figure 1. Security Group


The basic workflow about how to use a security group is as follows: Select an L3 network, set the corresponding security group rule, and add specified VM instances to the rule.

The following two scenarios show how to use a security group in a flat network environment:
  • Set an ingress rule for VM instances.
  • Set an egress rule for VM instances.
  1. Create a flat network, and create two VM instances named VM-1 and VM-2. For more information, see Basic Deployment.
    Log in to VM-1 and connect to VM-2 over SSH (TCP port 22, the SSH default), as shown in Successful Login via SSH.
    Figure 2. Successful Login via SSH


  2. Set an ingress rule for VM-1.
    1. Create a security group.
      In the navigation pane of the ZStack Private Cloud UI, choose Network Service > Security Group. On the Security Group page, click Create Security Group. On the displayed Create Security Group page, set the following parameters:
      • Name: Enter a name for the security group.
      • Description: Optional. Enter a description for the security group.
      • IP Address Type: Select an IP address type. Options: IPv4 | IPv6.
      • Network: Select an existing L3 network according to the IP address type that you selected.
        • IPv4 supports three types of L3 networks: public network, private network, and VPC network.
        • IPv6 supports two types of L3 networks: public network and private network.
        • You can add multiple same types of L3 networks, but cannot add different types of L3 networks at the same time.
      • Rule: Optional. Either set a firewall rule directly when creating a security group or set the firewall rule after creating the security group.
        Note: For more information, see Set Ingress Rule and Set Egress Rule.

      • NIC: Optional. Add a VM NIC to the security group. A VM NIC can be either added directly to the security group when you create the security group or added to the security group after you create the security group.
        Note: For more information, see Add VM NIC to Security Group.

      Click OK to complete creating the security group, as shown in Create Security Group.
      Figure 3. Create Security Group


    2. Set an ingress rule.
      The following example is about a security group rule that is set after a security group is created. On the Security Group page, select a security group that you created, expand the details page of the security group, and click Rule. On the Rule tab page, choose Actions > Add Rule. On the displayed Set Rule page, set the following parameters:
      • Type: Select Ingress.
      • Protocol: Select TCP.
      • Start Port: Enter 20.
      • End Port: Enter 100.
      • CIDR: Optional. Only the specified CIDR is allowed.
      • Source Security Group: Optional. Only the VM instances in the specified security group are allowed.
      Click OK to complete setting the ingress rule, as shown in Set Ingress Rule.
      Figure 4. Set Ingress Rule


    3. Add a VM NIC to the security group.
      The following example is about a VM NIC that is added after a security group is created. On the Security Group page, select the security group that you created, expand its details page, and click VM NIC. On the VM NIC tab page, choose Actions > Bind VM NIC. On the displayed Select NIC page, select the NIC of VM-1, as shown in Add VM NIC to Security Group.
      Figure 5. Add VM NIC to Security Group


    4. Verify the ingress rule.

      Now VM-1 accepts inbound TCP connections only on ports 20-100. Port 22 lies inside this range, so the SSH login from step 1 still works; connections to ports outside the range are dropped.

      Log in to VM-2 and use nc to open connections to VM-1 (on VM-1, listen with nc -l on the port under test).
      Note: Flush the guest firewall inside VM-1 by running iptables -F so that it does not interfere with the test. This affects only the rules inside the guest; the security group is enforced outside the guest and stays in effect.
      1. For example, if you use port 10, which is outside the rule range, the connection from VM-2 to VM-1 fails, as shown in VM-2 Fails to Connect VM-1 on Port 10.
        Figure 6. VM-2 Fails to Connect VM-1 on Port 10


      2. For example, if you use port 23 within the rule range, both VM-2 and VM-1 communicate with each other successfully, as shown in VM-2 Sends Message to VM-1 on Port 23 and VM-1 Receives Message Successfully on Port 23.
        Figure 7. VM-2 Sends Message to VM-1 on Port 23


        Figure 8. VM-1 Receives Message Successfully on Port 23


  3. Set an egress rule for VM-1.
    1. Set an egress rule.
      The following example is about a security group rule that is set after a security group is created. On the Security Group page, select a security group that you created, expand the details page of the security group, and click Rule. On the Rule tab page, choose Actions > Add Rule. On the displayed Set Rule page, set the following parameters:
      • Type: Select Egress.
      • Protocol: Select TCP.
      • Start Port: Enter 200.
      • End Port: Enter 1000.
      • CIDR: Optional. Only the specified CIDR is allowed.
      • Source Security Group: Optional. Only the VM instances in the specified security group are allowed.
      Click OK to complete setting the egress rule, as shown in Set Egress Rule.
      Figure 9. Set Egress Rule


    2. Verify the egress rule.

      Now VM-1 can open outbound TCP connections only to ports 200-1000 on other hosts; before this rule existed, all outbound traffic from VM-1 was allowed. Inbound connections to VM-1 are still governed by the ingress rule from the previous scenario.

      Log in to VM-2 and listen with nc -l on the port under test; then, from VM-1, use nc to connect to VM-2.
      Note: The guest firewall inside VM-1 can be flushed by running iptables -F so that it does not interfere with the test.
      1. For example, if you use port 10, which is outside the rule range, VM-1 fails to connect to VM-2 (Figure 10).
        Figure 10. VM-2 Fails to Connect to VM-1 on Port 10


      2. For example, if you use port 200 within the rule range, VM-2 and VM-1 communicate with each other successfully, as shown in VM-1 Sends Message to VM-2 on Port 200 and VM-2 Receives Message Successfully on Port 200.
        Figure 11. VM-1 Sends Message to VM-2 on Port 200


        Figure 12. VM-2 Receives Message Successfully on Port 200


The constraints of a security group are as follows:
  • A security group can be attached to more than one VM instance. These VM instances share the same security group rules.
  • A security group can be attached to more than one L3 network. These L3 networks share the same security group rules.
  • Security group rules form a whitelist: every rule is an Allow rule. Once an allow rule exists for a port in a direction, traffic in that direction to other ports is no longer allowed.
  • When you create a security group, the system automatically configures two rules (an inbound rule and an outbound rule, both with protocol type ALL) for communication within the security group. Delete these two default rules to disable intra-group communication.
  • When you create a security group and set no rule, inbound traffic to VM instances in the security group is denied, while outbound traffic from them is allowed.
  • If you use the security group together with other network services, such as load balancing or a vRouter, make sure that the rules those services need are added to the security group.

So far, we have introduced how to use the security group.
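The following Python model is an added example, not ZStack's implementation: it encodes the whitelist semantics described in this section (ingress denied and egress allowed when no rule is set, a per-direction whitelist once a rule exists, the default intra-group ALL rules, and the CIDR-and-source-group intersection) and replays the VM-1/VM-2 scenarios above against it. The VM addresses, the group names, and the treatment of reply packets of an allowed connection as tracked are assumptions of this example; the iptables rules ZStack actually generates may differ in detail.

```python
"""Model of the security group semantics this section describes.

Added example, not ZStack's implementation. A group is a per-direction
whitelist: TCP/UDP rules carry a port range, ICMP and ALL rules do not, a
rule may be limited to a CIDR and/or a source security group (both must
match), the two default ALL rules allow traffic between members, and with
no user rule in a direction ingress is denied while egress is allowed.
Only new connections are evaluated; replies are assumed to be tracked.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ANY_PORT = -1  # what the UI shows for the ICMP start/end port


@dataclass
class Rule:
    direction: str            # "ingress" or "egress"
    protocol: str             # "ALL", "TCP", "UDP" or "ICMP"
    start_port: int = ANY_PORT
    end_port: int = ANY_PORT
    cidr: Optional[str] = None          # CIDR the peer must fall in
    source_group: Optional[str] = None  # group the peer must be a member of


@dataclass
class SecurityGroup:
    name: str
    members: set = field(default_factory=set)   # IPs of the bound VM NICs
    rules: list = field(default_factory=list)
    intra_group: bool = True  # the two default ALL rules; False once deleted


def rule_matches(rule, direction, protocol, port, peer, groups):
    """True if `rule` allows a new connection with the given attributes."""
    if rule.direction != direction:
        return False
    if rule.protocol != "ALL" and rule.protocol != protocol:
        return False
    if rule.protocol in ("TCP", "UDP") and rule.start_port != ANY_PORT:
        if not rule.start_port <= port <= rule.end_port:
            return False
    if rule.cidr is not None:
        if ipaddress.ip_address(peer) not in ipaddress.ip_network(rule.cidr):
            return False
    if rule.source_group is not None:
        if peer not in groups[rule.source_group].members:
            return False
    return True  # CIDR and source group both matched: the intersection


def connection_allowed(group, direction, protocol, port, peer, groups):
    """Decide whether a NIC in `group` may accept ("ingress") or open
    ("egress") a new connection with `peer` (an IP address string)."""
    if group.intra_group and peer in group.members:
        return True
    applicable = [r for r in group.rules if r.direction == direction]
    if not applicable:
        # No rule in this direction: ingress is denied, egress is allowed.
        return direction == "egress"
    # Whitelist: once any rule exists in a direction, only matches pass.
    return any(rule_matches(r, direction, protocol, port, peer, groups)
               for r in applicable)


def walkthrough():
    """Replays the VM-1/VM-2 procedure; returns {check: allowed?}."""
    vm1, vm2 = "192.168.2.248", "192.168.2.183"  # assumed flat-network IPs
    sg = SecurityGroup("sg-vm1", members={vm1})   # only VM-1's NIC is bound
    groups = {sg.name: sg}
    r = {}
    sg.rules.append(Rule("ingress", "TCP", 20, 100))           # scenario 2
    r["vm2->vm1 tcp/10"] = connection_allowed(sg, "ingress", "TCP", 10, vm2, groups)
    r["vm2->vm1 tcp/23"] = connection_allowed(sg, "ingress", "TCP", 23, vm2, groups)
    r["vm2 ping vm1"] = connection_allowed(sg, "ingress", "ICMP", ANY_PORT, vm2, groups)
    r["vm1->vm2 tcp/10 before egress rule"] = connection_allowed(sg, "egress", "TCP", 10, vm2, groups)
    sg.rules.append(Rule("egress", "TCP", 200, 1000))          # scenario 3
    r["vm1->vm2 tcp/10"] = connection_allowed(sg, "egress", "TCP", 10, vm2, groups)
    r["vm1->vm2 tcp/200"] = connection_allowed(sg, "egress", "TCP", 200, vm2, groups)
    r["vm2->vm1 tcp/23 after egress rule"] = connection_allowed(sg, "ingress", "TCP", 23, vm2, groups)
    return r


def intersection_demo():
    """A rule with both a CIDR and a source group admits only peers in both."""
    web = SecurityGroup("web", members={"192.168.2.10", "10.0.0.10"})
    db = SecurityGroup("db", members={"192.168.2.20"}, rules=[
        Rule("ingress", "TCP", 3306, 3306, cidr="192.168.2.0/24", source_group="web")])
    groups = {"web": web, "db": db}

    def probe(peer):
        return connection_allowed(db, "ingress", "TCP", 3306, peer, groups)

    return {"web member in CIDR": probe("192.168.2.10"),
            "web member outside CIDR": probe("10.0.0.10"),
            "in CIDR but not web": probe("192.168.2.30")}


if __name__ == "__main__":
    for name, allowed in {**walkthrough(), **intersection_demo()}.items():
        print(f"{name:40s} {'allowed' if allowed else 'denied'}")
```

Running the script prints each check as allowed or denied: VM-2 cannot reach VM-1 on port 10 but can on port 23, VM-1 can connect anywhere until the egress rule is added and afterwards only to ports 200-1000, and the ingress rule keeps working after the egress rule is added. One caveat the model makes visible: an ingress rule for TCP alone also denies ICMP from peers outside the group, so a VM-1 that only allows TCP 20-100 will not answer ping from VM-2. Add an ICMP ingress rule if ping is part of your connectivity checks.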



