Avaya Solution & Interoperability Test Lab
Subject: Hosted Solutions Data Infrastructure
Tenant Data Partitioning Setup and Configuration
- Issue 1.0
Date: April 10, 2001
From: George Kaminski, HO 2D-637A, (732) 817-4561, gkamin@avaya.com
Application Notes
These application notes address the Hosted Solutions data infrastructure tenant partition setup and configuration.
The network depicted in Figure 1 represents the basic Hosted Solutions topology. The service provider is equipped
with (2) AP1000's with (3) T-1 cards each, (2) LMF bricks, (1) Cajun P550R, (1) Definity PBX and Cajun Rules
software. Each remote tenant is equipped with a single AP450 and an associated T-1 line in order to interface with the
service provider. Internet access is provided to the tenants using AP1000 T-1 lines running NAT.
[Figure 1 labels: Remote AP450's for Tenant 1, 2, 3 through 10 and Tenant 11 through 18, 19, 20 on T-1 lines; two AP1000's with (3) T-1 cards, each with a Lucent Brick; Cajun P550R (High Availability); Cajun Rules Server; Definity PBX; Internet.]
Figure 1: Hosted Solutions Basic Data Infrastructure
AVAYA - PROPRIETARY
Use pursuant to Company Instructions.
-1-
Recommended Approach to Tenant Data Partitioning
The Hosted Solutions data infrastructure requires a dual method approach to tenant data partitioning. Both methods
must be used simultaneously. The first method utilizes the access list capabilities of the Cajun P550R and the second
method relies on the Class Based Queue (CBQ) mechanisms of the AP1000 router. Both methods rely on the
addressing scheme used, which is described in the "Tenant Subnet Addressing Guidelines" section below.
Attempts to utilize OSPF as a means of data partitioning were tried, but were abandoned since each tenant would
require a separate AP1000 in order to be part of a unique area. This becomes far too costly a solution.
Verified Software Versions
Cajun P550R: v5.0.0
Cajun Rules: v2.0.106
AP1000 and AP450: v2.3.0
Tenant Subnet Addressing Guidelines
Each tenant should be provided with a Class C subnet address space such that all tenants fall under the same Class A
or B network address. For example, here in Holmdel we used 125.16.1.0 for Tenant 1, 125.16.2.0 for Tenant 2, etc.
See Figure 2 as a reference. Assigning address space in this manner forces each tenant to fall within the same Class
A network address of 125.0.0.0. This eases partitioning through CBQ filters and access lists.
[Figure 2 labels: Remote AP450's on T-1 lines. AP1000 #1: Tenant 1 Subnet 125.16.1.0/24, Tenant 2 Subnet 125.16.2.0/24, Tenant 3 Subnet 125.16.3.0/24 through Tenant 10 Subnet 125.16.10.0/24. AP1000 #2: Tenant 11 Subnet 125.16.11.0/24 through Tenant 18 Subnet 125.16.18.0/24, Tenant 19 Subnet 125.16.19.0/24, Tenant 20 Subnet 125.16.20.0/24. Internet.]
Figure 2: IP Address Recommendation for Basic Configuration
Partitioning Data Traffic at the Cajun P550R - Method 1
Method 1 is required in order to partition clear and decrypted VPN data traffic at the Cajun P550R on the protected
zone sides of the bricks. The access list feature is used to prevent inter-Tenant routing from occurring. P550R
access lists can be provisioned using the Cajun web interface, the CLI or by using Cajun Rules software. See Figure
3, below.
[Figure 3 labels: Tenant 1 through AP1000 #1 and Tenant 20 through AP1000 #2, each AP1000 behind a Lucent Brick toward the Cajun P550R. Callout: "P550R access lists will prevent inter-Tenant routing from occurring beyond the firewalls."]
Figure 3: Using P550R Access Lists
Implementing Access Lists Via the Web Interface
Each tenant is assigned an Extended Index entry under Access List 100. The same rule applies to each tenant, which
states that any data from a tenant's subnet cannot access any other 125.16.0.0/16 tenant network. See Figure 4.
NOTE: Additional index entries are not shown for brevity.
Figure 4: Hosted Solutions Access List Via Web Interface
Implementing Access Lists Via the Cajun CLI
The following command can be used to enter each tenant blocking rule into the P550R access list from the CLI for the
network depicted in Figure 2. The last command enables the access list once it has been created.
(configure)# ip access-list 100 1 deny ip 125.16.1.0 0.0.0.255 125.16.0.0 0.0.255.255
*** Continue adding rules for tenants 2 through 20 here. ***
Use the following command to enable the access-list:
(configure)# access-group 100
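An added model of the access list built above (example code, not Avaya's): it renders the twenty deny entries in the CLI form shown and evaluates constructed flows against them with wildcard-mask matching. Permit for traffic that matches no entry is an assumption (the page states no CLI default), as are the sample host addresses beyond those on this page.

```python
"""Model of the P550R extended access list 100 built above.

Added example, not Avaya code. Renders the per-tenant deny entry in the CLI
form used on this page and evaluates constructed flows against the list with
wildcard-mask semantics (a 1 bit in the wildcard means "don't care").
"""
import ipaddress

TENANT_AGGREGATE = ("125.16.0.0", "0.0.255.255")  # every tenant /24 sits in this /16
SUBNET_WILDCARD = "0.0.0.255"                      # one Class C per tenant


def tenant_subnet(n):
    """Tenant n is addressed 125.16.n.0/24 per the addressing guideline."""
    return f"125.16.{n}.0"


def access_list_100(tenant_count=20):
    """One 'deny ip <tenant> <wildcard> <aggregate> <wildcard>' entry per tenant."""
    return [
        f"ip access-list 100 {n} deny ip {tenant_subnet(n)} {SUBNET_WILDCARD} "
        f"{TENANT_AGGREGATE[0]} {TENANT_AGGREGATE[1]}"
        for n in range(1, tenant_count + 1)
    ]


def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit the wildcard does not mask off."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def evaluate(rules, src, dst):
    """First matching entry decides. Assumption (the page does not state the CLI
    default): traffic matching no entry is permitted, like the policy's AllowAny."""
    for rule in rules:
        p = rule.split()  # ip access-list 100 <idx> <action> ip <src> <sw> <dst> <dw>
        if wildcard_match(src, p[6], p[7]) and wildcard_match(dst, p[8], p[9]):
            return p[4]
    return "permit"


if __name__ == "__main__":
    # Constructed flows: tenant to tenant is dropped, tenant to the Cajun Rules host
    # passes, and a source with no entry (an unprovisioned tenant 21) is NOT blocked.
    for src, dst in [("125.16.1.10", "125.16.2.10"), ("125.16.1.10", "108.16.10.90"),
                     ("125.16.21.10", "125.16.1.10")]:
        print(src, "->", dst, evaluate(access_list_100(), src, dst))
```

The last flow is the check worth keeping in mind: a tenant subnet that has no entry of its own in list 100 is not blocked from reaching the others, so every newly added tenant needs its index entry before its T-1 is brought up.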
Implementing Access Lists Via Cajun Rules
The Cajun Rules software can be used to implement access lists in the P550R of the Hosted Solutions infrastructure.
Assume that the software runs on the machine addressed 108.16.10.90, as in Figure 5. Open the P550R web interface
and click System > Administration > SNMP Communities. Select the public row, change the Access to Read-Write and
click Apply.
[Figure 5 labels: Cajun P550R at 108.16.10.1, Cajun Rules server at 108.16.10.90.]
Figure 5: Cajun Rules Setup
Open up the Cajun Rules Console on the server and add the P550 device to the server by going to File > Create >
Device or by using Ctrl+Shift-V. Enter the IP address of the Cajun Router connected to the Cajun Rules server. In
Figure 5, the address entered was 108.16.10.1. Enter public in the community field and click Verify. The device
LDAP properties should be filled in. If an error occurs during verification, check the network connection and
P550R SNMP settings. The device will now appear in the console tree.
Click on the Network tab. Add the tenant network by going to File > Create > Network or by using Ctrl-Shift-N.
Note: The Cajun Rules software requires that you use the official address classes. Enter the information as follows:
Name: All Tenants
Network Class: Class A
IP Address: 125.0.0.0
Un-check "Create Subnets" and click OK. The All Tenants network will appear in the console tree. Next the
subnets for each tenant must be created. Click on File > Create > Subnet or use Ctrl+Shift-S.
Name: tenant1
IP Address: 125.16.1.0
Select "Create Hosts" and use the slide bar to select the mask 255.255.255.0 and click OK. Repeat the subnet add
steps for all tenant partitions. Naming should be sequential: tenant2 with 125.16.2.0, tenant3 with 125.16.3.0, etc.
The result of adding the tenants for Figure 1 is shown below in Figure 6.
Figure 6: Created All Tenant Subnets
Next the access policies must be created. Use File > Create > Policy or use Ctrl+Shift-P. Create the policy called
hosted solutions and set the default to AllowAny. See Figure 7.
Figure 7: Create New Policy
Click on the New button at the bottom of the screen. Select the New Rule at the top of the screen. Enter the
following information:
Name: Rule #20
Service: Deny
When: Always
Between {type tenant20 and press Enter} and {type All Tenants and press Enter}
Press the F2 key to accept the new rule. Continue the steps above for Rules 19 through 1. Be sure to decrement the
rule# and tenant# by the same value sequentially: Rule #19 for tenant19, Rule #18 for tenant18 and so forth. See
Figure 8, below.
Figure 8: All 20 Tenant Blocking Rules
Click on the Domain Tab to add a new domain. Use File > Create > Domain or Ctrl+Shift-D. Enter the following
information:
Name: tenant domain
Select Policy: hosted solutions
Press OK. Select the tenant domain in the console tree and choose Set Targets from the right-click menu. In the menu
select 108.16.10.1, click Add and then OK. Right-click tenant domain, select Deploy Policy and choose
hosted solutions. Verify that the access lists have been deployed to the Cajun switch by checking the web interface.
Partitioning Data Traffic at the Access Point Routers - Method 2
Method 2 is required in order to separate clear data traffic at the AP1000 route distribution points. Since the tenant
routing occurs at the Access Points, Class Based Queue (CBQ) filtering rules must be added to each AP1000, in
addition to the P550R access list implementation, in order for the tenants to be successfully partitioned. The AP1000
CBQ filters can be provisioned manually one at a time or all at once using a TCL script. See Figure 9.
NOTE: As of this document there is no plan to have Cajun Rules support Access Point management.
[Figure 9 labels: Tenant 1 and Tenant 9 behind AP1000 #1, Tenant 11 and Tenant 20 behind AP1000 #2, each AP1000 fronted by a Lucent Brick toward the Cajun P550R. Callouts: "P550R access lists will not prevent inter-Tenant routing from occurring at the AP1000's" and "P550R access lists will prevent inter-Tenant routing from occurring beyond the firewalls."]
Figure 9: CBQ Filtering at the AP1000's
Managing Tenant Data Partitioning Using Manual Provisioning
Assume that AP1000 #1's T-1 interfaces have associated CBQs such that Tenant 1 connects to cbq.1, Tenant 2
connects to cbq.2, and so forth. The following CBQ commands are needed to partition Tenants 1 through 10 on
AP1000 #1 in Figure 2:
"
"
"
"
"
config cbq.1 traffic-class.root-input-tree row-status active
add cbq.1 traffic-class.BLOCK parent root-input-tree
config cbq.1 traffic-class.BLOCK bandwidth-allocation 0 bounded true
dest-ip-addresses 125.16.0.0 dest-ports any row-status active
config cbq.1 traffic-class.pass-default parent root-input-tree
config cbq.1 traffic-class.pass-default row-status active
*** Continue entering commands for each cbq.2 thought cbq.9 here. ***
"
"
"
"
"
config cbq.10 traffic-class.root-input-tree row-status active
add cbq.10 traffic-class.BLOCK parent root-input-tree
config cbq.10 traffic-class.BLOCK bandwidth-allocation 0 bounded true
dest-ip-addresses 125.16.0.0 dest-ports any row-status active
config cbq.10 traffic-class.pass-default parent root-input-tree
config cbq.10 traffic-class.pass-default row-status active
This only covers AP1000 #1. A similar set of CBQs must also be added on AP1000 #2 to complete the partitioning
process. See the next section for an easier implementation using TCL scripts as opposed to manual provisioning.
Managing Tenant Data Partitioning Using TCL Scripts
The following TCL script can be used to set up the tenant partitions for AP1000 #1 in Figure 2. The script includes
provision to set up all AP1000 T-1 interfaces and assumes that the Tenant 1 T-1 is sequentially associated with cbq.1
and ip.1, Tenant 2 with cbq.2 and ip.2, and so forth. Create a file called partitionsetup.tcl using an editor and include
the following lines in the file:
#xedia-tcl-script for hosted solutions tenant partition setup
set i 1
while {$i<11} {
    config ip.$i address 10.10.$i.1 net-mask 255.255.255.0 configured-protocols rip row-status active
    # BLOCK class drops traffic to the tenant aggregate 125.16.0.0; pass-default carries the rest
    config cbq.$i traffic-class.root-input-tree row-status active
    add cbq.$i traffic-class.BLOCK parent root-input-tree row-status active
    config cbq.$i traffic-class.BLOCK bandwidth-allocation 0 bounded true dest-ip-addresses 125.16.0.0 dest-ports any row-status active
    add cbq.$i traffic-class.pass-default parent root-input-tree row-status active
    puts $i
    incr i
}
Move the newly created file to the root directory of an accessible TFTP server and execute the following command
on AP1000 #1, assuming that the TFTP server IP address is 192.168.66.55:
>source server.192.168.66.55 partitionsetup.tcl
The partitionremoval.tcl script is as follows:
#xedia-tcl-script for hosted solutions tenant partition removal
set r 1
while {$r<8} {
    # as written the loop removes ip.1/cbq.1 through ip.7/cbq.7
    remove ip.$r address.10.10.$r.1
    config cbq.$r traffic-class.root-input-tree row-status notinservice
    remove cbq.$r traffic-class.BLOCK
    remove cbq.$r traffic-class.pass-default
    puts $r
    incr r
}
Highly Inefficient Method for CBQ Data Partitioning (Not Recommended)
It is possible to partition tenant data using a more complex Class C network-addressing scheme. See Figure 10.
This is not a recommended approach and has only been included to show that other, less efficient methods of
partitioning exist. You will find that as the number of tenants increases, so will the number of CBQ filters, by a factor
of n(n-1). This places a burden on the network administrator. Following the approach in the "Tenant Subnet
Addressing Guidelines" at the beginning of this document will simplify the design and configuration process.
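An added illustration of the n(n-1) argument (example code, not from this note): it counts the BLOCK entries each AP1000 CBQ needs under the Figure 2 plan versus the Figure 10 plan. The pairing of cbq.3, cbq.5 and cbq.11 with the three Figure 10 networks, and the use of the TFTP server address as the non-tenant destination that must stay reachable, are assumptions.

```python
"""Filter growth under the two addressing plans compared on this page.
Added example, not Avaya code. Each AP1000 CBQ carries a BLOCK class per
destination block it must drop: with all tenants inside one aggregate holding no
non-tenant destination (Figure 2) one block per CBQ suffices, while unrelated
Class C networks (Figure 10) force each CBQ to list every other tenant, n(n-1) in all.
"""
import ipaddress

# Constructed from Figure 2: Tenants 1-10 on AP1000 #1, one /24 each under 125.16.0.0/16.
FIGURE2 = {f"cbq.{n}": ipaddress.ip_network(f"125.16.{n}.0/24") for n in range(1, 11)}
FIGURE2_AGGREGATE = ipaddress.ip_network("125.16.0.0/16")
# Constructed from Figure 10: CBQ names and tenant networks from the figure, pairing assumed.
FIGURE10 = {
    "cbq.3": ipaddress.ip_network("174.16.100.0/24"),
    "cbq.5": ipaddress.ip_network("192.16.200.0/24"),
    "cbq.11": ipaddress.ip_network("167.50.200.0/24"),
}
# Assumed representative non-tenant destination that tenants must keep reaching:
# the TFTP server address used for script loading on this page.
PROTECTED = [ipaddress.ip_address("192.168.66.55")]

def common_supernet(nets):
    """Smallest prefix that contains every tenant network."""
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()
    return agg

def block_filters(tenants, aggregate=None):
    """Map each CBQ to the dest-ip blocks its BLOCK class must cover: one aggregate
    block when it holds every tenant and no PROTECTED address, else every other tenant."""
    nets = list(tenants.values())
    agg = aggregate if aggregate is not None else common_supernet(nets)
    if all(n.subnet_of(agg) for n in nets) and not any(a in agg for a in PROTECTED):
        return {cbq: [agg] for cbq in tenants}
    return {cbq: [n for c, n in tenants.items() if c != cbq] for cbq in tenants}

def filter_count(filters):
    """Total BLOCK entries the administrator has to maintain on this AP1000."""
    return sum(len(blocks) for blocks in filters.values())

if __name__ == "__main__":
    print("Figure 2 :", filter_count(block_filters(FIGURE2, FIGURE2_AGGREGATE)))
    print("Figure 10:", filter_count(block_filters(FIGURE10)),
          "because the only common supernet is", common_supernet(list(FIGURE10.values())))
```

For the Figure 10 addresses the only prefix covering all three tenants is 128.0.0.0/1, which would also swallow the TFTP server, so the per-tenant fallback is forced and the count becomes 3 x 2 rather than 3.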
[Figure 10 labels: three tenants, each with an AP450 and client network (Tenant 1 174.16.100.0/24, Tenant 2 192.16.200.0/24, Tenant 3 167.50.200.0/24), connected over T-1 link subnets 10.10.10.0/24, 10.10.20.0/24 and 10.10.30.0/24 to cbq.3, cbq.5 and cbq.11 of a single AP1000 on 100.100.100.0/24.]
Figure 10: Complex Address Scheme Results in Less Efficient Filtering