Completing the Peering Configuration
When two Private Cloud Appliance systems have been cabled correctly, and their local endpoints have been configured, the peer connection can be created.
The peer connection is a symmetrical configuration, meaning the setup must be performed on each connected appliance. The administrators exchange the relevant configuration details of their system, so they can each include the peer details required for creating the connection. A trust relationship between the appliances is established through a CA chain stored in the Secret Service (Vault).
When the first appliance completes its side of the connection setup, it goes into a waiting state. By design, the appliance with the IP address ending with the lowest value initiates the connection. As soon as the entry for the peer appliance is detected, the CA certificates are verified and the mutual trust relationship is confirmed. After successful peering, a pair of secure tunnels is established between the spine switches. These allow the administration services on the appliances to exchange information with each other.
These parameters are required to create a peer connection:
- the IP addresses (4 in total) of the local and the remote endpoint for each tunnel
- the IP addresses of the remote spine switches in the peer appliance
- properties of the peer appliance: domain name, system name, serial number, ASN ID if applicable
- properties of the peer Admin Service: host name, admin user name, admin password, CA chain
The network configuration must allow direct connectivity between the replication endpoints, or use routable IP addresses when the two systems are in separate address spaces. Ensure that the subnets chosen for the tunnels do not overlap with the existing networks between the appliance and the data center.
Each tunnel uses its own /30 subnet, which provides exactly two usable addresses: one for the local endpoint and one for the remote endpoint. When setting up the connection, you include the /30 netmask for the local endpoint IPs, but not for the remote endpoint IPs or the remote spine switch IPs.
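Because the configuration is symmetrical and cannot be modified after creation, it pays to check the endpoint parameters before typing the create command. The following Python script is an added example, not part of the Oracle documentation or the PCA Service CLI: it validates that each tunnel's local and remote endpoint sit in the same /30 as usable host addresses, that the local endpoint carries the netmask and the remote one does not, that the two tunnel subnets overlap neither each other nor a list of data center prefixes, it reports which side initiates the connection, and it derives the parameter set the peer administrator has to enter. The class and function names, the data center prefix list, and the sample values (which mirror the documentation's sample command) are constructed for the example; the initiator rule assumes that "IP address ending with the lowest value" means the numerically lower address of the tunnel 1 endpoint pair, which for a /30 pair is the same as comparing the last octet.

```python
"""Pre-flight checks for the endpoint parameters of a PCA peer connection.

Added example: not part of the Oracle documentation or the PCA Service CLI.
Only the tunnel endpoint parameters are modelled; the sample values are
constructed to mirror the documentation's sample create command.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PeerParams:
    """Endpoint parameters as entered on ONE appliance (hypothetical model).

    Local endpoints carry the /30 netmask, remote endpoints do not, matching
    the localEndpoint*Ip / remoteEndpoint*Ip parameters of the create command.
    """
    local_endpoint1: str
    remote_endpoint1: str
    local_endpoint2: str
    remote_endpoint2: str

    def tunnels(self):
        return ((self.local_endpoint1, self.remote_endpoint1),
                (self.local_endpoint2, self.remote_endpoint2))


def problems(params, datacenter_prefixes=()):
    """Return a list of human-readable findings; an empty list means OK."""
    issues = []
    nets = []
    for n, (local, remote) in enumerate(params.tunnels(), start=1):
        if "/" in remote:
            issues.append(f"tunnel {n}: remote endpoint {remote} must be given without a netmask")
            remote = remote.split("/", 1)[0]
        try:
            iface = ipaddress.ip_interface(local)
            raddr = ipaddress.ip_address(remote)
        except ValueError as exc:
            issues.append(f"tunnel {n}: {exc}")
            continue
        if iface.version != 4 or raddr.version != 4:
            issues.append(f"tunnel {n}: IPv4 endpoints expected")
            continue
        net = iface.network
        if net.prefixlen != 30:
            issues.append(f"tunnel {n}: local endpoint {local} must use a /30 netmask")
        else:
            hosts = list(net.hosts())  # exactly two usable addresses in a /30
            if iface.ip not in hosts:
                issues.append(f"tunnel {n}: local endpoint {iface.ip} is not a usable host in {net}")
            if raddr not in hosts:
                issues.append(f"tunnel {n}: remote endpoint {raddr} is not a usable host in {net}")
            elif raddr == iface.ip:
                issues.append(f"tunnel {n}: local and remote endpoints are both {raddr}")
        nets.append(net)
    if len(nets) == 2 and nets[0].overlaps(nets[1]):
        issues.append(f"tunnel subnets {nets[0]} and {nets[1]} overlap")
    for prefix in datacenter_prefixes:
        dc = ipaddress.ip_network(prefix, strict=False)
        for n, net in enumerate(nets, start=1):
            if net.overlaps(dc):
                issues.append(f"tunnel {n}: {net} overlaps data center prefix {dc}")
    return issues


def initiator(params):
    """Which side opens the connection: the lower tunnel 1 endpoint address.

    Assumption: "IP address ending with the lowest value" is read as the
    numerically lower address of the pair (same as the last octet in a /30).
    """
    local = ipaddress.ip_interface(params.local_endpoint1).ip
    remote = ipaddress.ip_address(params.remote_endpoint1)
    return "local" if local < remote else "remote"


def peer_view(params):
    """Derive the parameters the administrator of the PEER appliance enters.

    Our remote endpoints become their local endpoints (netmask added) and our
    local endpoints become their remote endpoints (netmask dropped).
    """
    def flip(local, remote):
        iface = ipaddress.ip_interface(local)
        return f"{remote}/{iface.network.prefixlen}", str(iface.ip)

    l1, r1 = flip(params.local_endpoint1, params.remote_endpoint1)
    l2, r2 = flip(params.local_endpoint2, params.remote_endpoint2)
    return PeerParams(l1, r1, l2, r2)


# Constructed sample mirroring the documentation's sample command.
SAMPLE = PeerParams("172.16.21.1/30", "172.16.21.2",
                    "172.16.21.5/30", "172.16.21.6")
# Constructed: prefixes already in use between this appliance and the data center.
DATACENTER_PREFIXES = ("10.212.128.0/24",)

if __name__ == "__main__":
    print("findings:", problems(SAMPLE, DATACENTER_PREFIXES) or "none")
    print("initiator:", initiator(SAMPLE))
    print("peer must enter:", peer_view(SAMPLE))
```

Run it on both sides before creating the connection: `peer_view` of what appliance A enters must equal what appliance B enters, and `peer_view(peer_view(x)) == x` is a quick sanity check that the two administrators exchanged the values consistently. Because a peer connection cannot be updated in place, catching a swapped or netmask-bearing remote address here saves a delete-and-recreate cycle later.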
Creating the Peer Connection
When you have obtained all required parameters, create the peer connection.
Service CLI:
Enter the following command on a single line, replacing the sample parameters with the ones you obtained. Note that the peer admin password is passed in clear text as a command parameter; the show output below masks it.
PCA-ADMIN> create PeerConnection name=<peerconnection1> description=<"my peer connection"> \
    peerSerialNumber=<1654BF2465> peerSystemName=<mypca1> peerDomainName=<mydomain.com> \
    localEndpoint1Ip=<172.16.21.1/30> remoteEndpoint1Ip=<172.16.21.2> \
    localEndpoint2Ip=<172.16.21.5/30> remoteEndpoint2Ip=<172.16.21.6> \
    remoteSpine1Ip=<10.212.128.10> remoteSpine2Ip=<10.212.128.11> \
    peerAdminHostname=<mypca1.mydomain.com> peerAdminUserName=<admin> peerAdminPassword=<password> \
    peerAdminCaChain=<ca_string> remoteAsn=<136025>
Check the peer connection configuration using the following commands:
PCA-ADMIN> list PeerConnection
Data:
  id                                   Name             Peer Admin Hostname   Peer Rack Serial Number   Lifecycle State
  --                                   ----             -------------------   -----------------------   ---------------
  ocid1.drpeerconnection....unique_ID  peerconnection1  mypca1.mydomain.com   1654BF2465                ACTIVE

PCA-ADMIN> show peerConnection id=ocid1.drpeerconnection....unique_ID
Data:
  Id = ocid1.drpeerconnection....unique_ID
  Type = PeerConnection
  Lifecycle Sub State = ACTIVE
  Lifecycle State = ACTIVE
  Peer Rack Serial Number = 1654BF2465
  Local Endpoint 1 Ip = 172.16.21.1/30
  Local Endpoint 2 Ip = 172.16.21.5/30
  Remote Endpoint 1 Ip = 172.16.21.2
  Remote Endpoint 2 Ip = 172.16.21.6
  Remote Spine 1 Ip = 10.212.128.10
  Remote Spine 2 Ip = 10.212.128.11
  Peer Admin CaChain = -----BEGIN CERTIFICATE-----\nMIIFbjCCA1agAwIBAgIQfMPkn17+ZTNl/jZjYzbpn[...]
  Peer Admin Hostname = mypca1.mydomain.com
  Peer Rack Domain Name = mydomain.com
  Peer Rack System Name = mypca1
  Peer Rack Admin User Name = admin
  Peer Rack Admin User Password = *******
  Remote Asn = 136025
  ProgressRecordIds 1 = id:d39144d6-feef-4988-ba71-fac4b046fff8 type:ProgressRecord name:
  ProgressRecordIds 2 = id:940b397f-993c-4ab9-9708-909dabb65c47 type:ProgressRecord name:
  ProgressRecordIds 3 = id:64b31360-3d0d-4dc2-a925-35164143eb25 type:ProgressRecord name:
  ProgressRecordIds 4 = id:7e8d9e2e-74b1-4d31-9098-7a09d719ec6a type:ProgressRecord name:
  ProgressRecordIds 5 = id:2309bcdc-1689-410b-a93e-528444ada2a5 type:ProgressRecord name:
  ProgressRecordIds 6 = id:8a4d5747-d8fe-48e2-96e2-f4c797964cbe type:ProgressRecord name:
  Name = peerconnection1
  Work State = Normal
Service Web UI:
Under Disaster Recovery Service, open the Peer Connections page. In the top-right corner, click Create Peer Connection.
In the pop-up window, enter all parameters in the respective fields. Click Create Peer Connection to apply the settings.
In the Peer Connections page, the table displays a new entry for the connection you created. Click the name in the table to display the detail page of the peer connection, and review its configuration parameters.
Updating the Peer Connection
There is no CLI command or UI function to modify the peer connection once it is configured. Changing the peer connection requires that you delete it and create a new connection with the updated parameters.
Deleting the Peer Connection
If a peer connection is no longer used, you can delete it. Ensure that the peer configuration is removed from each connected appliance.
Service CLI:
Look up the ID of the peer connection you want to delete, then enter the delete command as shown.
PCA-ADMIN> list PeerConnection
Data:
  id                                   Name             Peer Admin Hostname   Peer Rack Serial Number   Lifecycle State
  --                                   ----             -------------------   -----------------------   ---------------
  ocid1.drpeerconnection....unique_ID  peerconnection1  mypca1.mydomain.com   1654BF2465                ACTIVE

PCA-ADMIN> delete peerConnection id=ocid1.drpeerconnection....unique_ID
Service Web UI:
Under Disaster Recovery Service, open the Peer Connections page. In the table, click the name of the connection you want to delete. The peer connection detail page is displayed. In the top-right corner, click Delete.