just demonstrate some
more practical steps
that you might go through
the maestro environment.
So first I'm going to log in to my orchestrator. It's already been cabled.
used the serial interface to set the management
interface's IP address.
you'll note that this looks very much like any other Gaia Web user interface. Except it has this
clicking on orchestrator. If I get a pop up error message about communicating with the orchestrator,
the most probable cause of the most common reason you see that is that
you are in a one orchestrator deployment,
the orchestrator appliances ship expecting to be in a dual deployment. So you have to go into the CLI
of the orchestrator and
orchestrator number count
And then you should not see that error message here. Excuse me.
So next I'm gonna create a security group
and I will go ahead and set up the first time wizard as well.
And I'm not going to create this as a VSX Gateway security group.
So the security group has been created, but it requires at least
security gateway module be assigned and at least
one management interface be assigned
big. And I have to be very careful where I drag and drop the gateway objects
from the unassigned gateways
I tried to drag it somewhere else.
It doesn't accept it
sometimes a cause of confusion.
So I've populated it with four security gateway modules
management interface and some additional traffic interfaces.
VLANs on the traffic interfaces.
It's repeating for all of these interfaces
creating VLAN interfaces,
so I wanna wanna wanna to be. Lands
are ultimately going to be internal networks,
are ultimately going to be
This sort of thing might actually go faster via the command line interface,
two VLANs each on the four
up link interfaces that I've assigned to this security group
security group settings.
many things. It will send the security group configuration out to those appliances
those appliances will
receive the security group information
configure themselves and then restart themselves.
to reflect the fact that they're now in a security group with these interfaces in this configuration.
So those security gateways are going to be restarting themselves, and I'll pause
and then continue when the security gateways are back up.
So at this point, the security gateways are back up,
and Security Management Object is answering
security group's IP address, so I can connect to it with the
used the default password admin, admin
Go ahead and make some setting changes.
Perhaps in a production environment, you wouldn't have the timeouts be
in this environment.
That's what I'm doing.
So now I want to set up the network interfaces
I have the four network interfaces that were assigned to the security group
in the orchestrator Web UI
create another bond,
were the other pair of interfaces,
and I want to create VLANs on each of those bonds.
It will be a total of four VLANs,
So next for each of those VLANs, I'm going to set up my IP addresses.
It's working through them all
So now all of the bonded interfaces
are participating in villains,
and I've assigned each
VLAN its own IP address.
I did that now in the security group's Web user interface
before I opened SmartConsole
and start creating the object that will represent the security group
now in SmartConsole Smart
security group, and it's going to be a
so creating a gateway object
to represent the security group in policy
Now that SIC is established,
topology of the security gateway will be automatically fetched and populate this object's network management screen.
And I'm going to install a simple policy.
is modified cleanup rule, always matches, accepts and logs the traffic.
So some things to note, even though that there are four security gateway modules assigned to the security group.
It's represented by that single management object at the IP address that I assigned to the security group,
no need to create a cluster object
create multiple gateway objects.
In the previous demonstration, I created one security group using up link interfaces
from one orchestrator
here. I'm in a dual orchestrator deployment, and I'm going to set up
uplink interfaces from both
orchestrators. So if an orchestrator has an issue, we have
So first I'll create the security groups
and populate the single management object
set up the first time wizard
not installed as VSX.
Go ahead and create the second security group.
and the first time wizard
Second Security Group
and not as VSX.
Now I will allocate half of my security Gateway modules,
one security group and the other half to the other security group,
and I will start adding management interfaces.
Note that I can reuse the management interface
have management interfaces from both orchestrators, but
I'm not going to do that right now
and for the second security group,
and now I'm going to set up
two pairs of uplink ports,
assigned to security group one,
each pair has a pair of VLANs.
Later on, I will bond the pairs together
and I do the same thing
and one last set of VLANs to create
uplink ports, from those
two orchestrators in both security groups
and by bonding them later in the security group's Web user interface. I have high availability between
the two orchestrators. If one fails,
connectivity is still possible,
so I will apply the changes that I've made. It will take a little bit to think about,
validating and applying the new topology, I'll get a report.
Until that report is ready
the summary is available, and it looks very nice.
have their configuration.
The security gateway modules are
applying the configuration and restarting.
And when that process is done, then the single management object for each security group will be responsive to Web user interface connections.
I'll pause until that's ready.
At this point, the security groups have been created,
security gateway modules have restarted and the single management object is available.
to the Web UI of the first security group,
and do just a little bit of
Now I want to configure.
here in the single management object,
what I will be doing is first creating bond interfaces.
And then I'll create VLANs on top of those bond interfaces.
That's the first bond interface,
so I've configured the bond interfaces.
Next, I'm going to give them IP addresses,
verifying that they are indeed enabled.
I've created two VLANs per bond. I've
configured IP address of each of those VLANs
do the same on security group two
So you may have seen that there was an error.
copying that config, propagating that config to the other
members of the security group.
Uh, so I paused. And
it turns out that of the six
security Gateway modules,
first four are up and running.
One is unresponsive, and I don't know if it has power. Not the other
out in a healthy state. So
rather than deal with all that drama,
I redistributed the security gateway modules
the, ah, the orchestrator Web user interface.
And now each security group has two security gateway modules.
And that's the beauty of Maestro.
The fact that I reallocated resources
doesn't show up in the single management object, and it won't show up in policy or SmartConsole.
That adds a lot of flexibility.
So again, here I want to start creating bond interfaces and then VLANs on those bond interfaces and then
add IP addresses
of going through all eight iterations of this.
It's at this point, it's four iterations.
two VLANs on each bond interface.
Now I want to set IP addresses
continuing setting up the
Turns out computers are very specific.
with two physical interfaces per bond and then on top of the bonds, I've created
two VLANs per bond.
Next, I'm going to bring up
a SmartConsole application
represent both security groups,
obviously very difficult.
created this security gateway object
that's using a single management object of security Group one,
when I established SIC, it was able to pull over the topology,
reflecting what I had just configured in the Web user interface.
for the second security group
Once again, topology will be fetched.
I also wanted to point out the
platform hardware was updated to Maestro,
the version is already got 20 scalable platform.
Next, I'll install very simple policy. It's still the modified cleanup rule
that allows everything,
and policy installation is under way.
I'll pause until policy is
policy has been successfully installed to both
security groups, both single management objects.
access the orchestrator command line or Web user interface
and shuffle around the
assignments of the individual security gateway modules. Perhaps
some of them are faster appliances, more powerful appliance than others that can shift them around in response to load
Of course, when I do that, it will be a brief time when they're not
managing any connections.
It is possible that in a future release of
environment scalable platforms that
designate some of the security gateway modules to be,
um, to be floaters. I don't know exactly what the terminology will end up be, but
unassigned security gateways can be automatically dynamically added to security groups
that you define. If the the load is above this point for this long,
then add a security gateway.
If it falls below this point for this long, take the security gate way out.
Dynamic shifting dynamic
balancing of resources,
sort of on the road map, and we'll see which version
shows up in, if any,
I've demonstrated using both orchestrators
fail over for high availability
by creating security groups that
consist of uplink ports from both orchestrators.
the security gateway modules must have down link connectivity to both orchestrators
to actually be high availability.
Next, I'm going to demonstrate security groups using
VSX, Virtual System Extension.