Overlay Network Design
Overlay Network Overview
An overlay network consists of the fabric and multiple virtual networks (VNs). A fabric is a network on which all resources are pooled. These resources can be selected as required during VN creation, decoupling the overlay network from the underlay network. Creating a VN is equivalent to creating an instance on the fabric. One VN instance can represent a virtual network dedicated to one type of service.
For details about concepts related to the overlay network, see Overlay Network Overview.
Overlay Network Resource Planning
VLAN/BD Planning
Resource Item | Description
---|---
BD | 
Service VLAN | 
Interconnection VLAN | 
IP Address Planning
Only IP addresses of loopback interfaces need to be planned in the fabric global resource pool. Other IP addresses on an overlay network do not need to be planned. Table 2-49 lists the IP address resource items to be planned for an overlay network. For details about IP address planning, see "IP Address Planning" in Network Resource Planning.
Resource Item | Description
---|---
Loopback interface IP address | Configure loopback interface IP addresses to establish BGP EVPN peer relationships between border and edge nodes, which also function as the VXLAN tunnel endpoints (VTEPs).
Service IP address | 
Interconnection IP address | 
Fabric Network Design
Fabric Role Design
As demonstrated in Figure 2-87, in the distributed gateway solution where VXLAN is deployed across core and aggregation layers, it is recommended that the core switch be used as the border node, the aggregation switch as the edge node, and the access switch as the fabric extended node. Policy association can be deployed between edge and fabric extended nodes to implement access control of user terminals on access switches.
Border and edge nodes also function as VTEPs. You are advised to configure the route reflector (RR) function on the nodes to establish BGP EVPN peer relationships. If no RR is configured, BGP peer relationships need to be established between every pair of edge nodes, and between each edge node and the border nodes; the configuration is complex, and the large number of BGP connections consumes CPU resources. Either border or edge nodes can function as RRs. Because the border node has the strongest processing capability, it is recommended that border nodes be used as RRs.
External Network Design
In the resource model design for the fabric network, external networks are created on the border node so that terminals on the campus network can access the Internet. For each external network resource created on the border node, a VRF instance is allocated. After an external network resource is selected during VN creation, the VRF instances of the created VN and external network resource import routes from each other. In this way, service subnets in the VN can communicate with the external network, as shown in Figure 2-88.
Egress Types of External Networks
Three types of external network resources are defined: L3 shared egress, L3 exclusive egress, and L2 shared egress. If the user gateway is located in the fabric, the L3 shared egress or L3 exclusive egress is used, as shown in Figure 2-89.
- L3 shared egress: Multiple VNs on the fabric network share an L3 egress to communicate with the egress device. To enable communication between VNs and external networks, you must configure return routes to service subnets on the firewall. As a result, service subnets of different VNs can communicate with each other on the firewall. To isolate different VNs on the firewall, configure policies based on service network segments in the VNs.
The L3 shared egress helps save VLAN and IP resources for interconnection and applies to scenarios where there are low requirements on security control policies between VNs.
- L3 exclusive egress: Each VN on the fabric network exclusively uses an L3 egress to communicate with the egress device. In this case, multiple security zones are configured on the firewall, each corresponding to one L3 exclusive egress. Thus, the traffic between service subnets of different VNs is isolated when reaching the firewall. To enable inter-VN communication through the firewall, you can configure security policies between security zones. Configuring security policies can also control the application ports used for communication and limit the bandwidth.
The L3 exclusive egress applies to scenarios where there are high requirements on security control policies between VNs.
Route Planning for External Networks
When interconnecting VNs with external networks, pay attention to the following points: On the border node, the VRF instances of VNs and external network resources use VPN targets to import routes from each other. The border node and firewall communicate with each other through routing protocols. In Figure 2-90, routes between the border node and firewall are configured based on the route design principles for communication between campus intranets and external networks.
- Routes from the campus intranet to external networks on the border node: Generally, default routes are used to prevent a huge number of external network routes from affecting intranets.
- Routes from external networks to the campus intranet on the firewall: Generally, specific routes are used.
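The route import between a VN's VRF instance and an external network resource's VRF instance is driven by VPN targets (route targets): a VRF exports its routes tagged with a target and accepts routes carrying any target in its import list. The model below is an added example, not Huawei code or the iMaster NCE-Campus implementation; the VRF names, route targets and prefixes are constructed. It builds both egress types from the previous section, and makes visible why, with an L3 shared egress, the single external VRF (and therefore the firewall behind it) holds routes to every VN's service subnets, while an L3 exclusive egress gives each external VRF only its own VN's subnets.

```python
"""Route-target based import between VN VRFs and external-network VRFs on a border node.

Added illustration (not Huawei code). Names, VPN targets and prefixes are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: str              # e.g. "10.1.0.0/24"
    origin_vrf: str          # VRF that originated the route
    export_rts: frozenset    # VPN targets attached when the route is exported


@dataclass
class Vrf:
    name: str
    export_rt: str                                 # VPN target attached to local routes
    import_rts: set = field(default_factory=set)   # VPN targets this VRF accepts
    local: list = field(default_factory=list)      # locally originated prefixes

    def originate(self):
        return [Route(p, self.name, frozenset({self.export_rt})) for p in self.local]


def resolve(vrfs):
    """Return {vrf_name: sorted [(prefix, origin_vrf)]} after VPN-target based import.

    A VRF keeps its own routes and accepts any advertised route whose export
    targets intersect its import targets.
    """
    advertised = [r for v in vrfs for r in v.originate()]
    tables = {}
    for v in vrfs:
        accepted = [(r.prefix, r.origin_vrf) for r in advertised
                    if r.origin_vrf == v.name or (r.export_rts & v.import_rts)]
        tables[v.name] = sorted(set(accepted))
    return tables


def visible_from(tables, vrf, origin):
    """Prefixes originated by `origin` that appear in the routing table of `vrf`."""
    return sorted(p for p, o in tables[vrf] if o == origin)


def build_shared_egress():
    """L3 shared egress: one external VRF ('Outer') serves VN1 and VN2.

    The border node advertises a default route from Outer (default route towards
    external networks), and Outer imports the specific service subnets of both VNs.
    """
    outer = Vrf("Outer", export_rt="65000:900", import_rts={"65000:1", "65000:2"},
                local=["0.0.0.0/0"])
    vn1 = Vrf("VN1", export_rt="65000:1", import_rts={"65000:900"},
              local=["10.1.0.0/24", "10.1.1.0/24"])
    vn2 = Vrf("VN2", export_rt="65000:2", import_rts={"65000:900"},
              local=["10.2.0.0/24"])
    return resolve([outer, vn1, vn2])


def build_exclusive_egress():
    """L3 exclusive egress: each VN has its own external VRF and VPN-target pair."""
    outer1 = Vrf("Outer1", export_rt="65000:901", import_rts={"65000:1"}, local=["0.0.0.0/0"])
    outer2 = Vrf("Outer2", export_rt="65000:902", import_rts={"65000:2"}, local=["0.0.0.0/0"])
    vn1 = Vrf("VN1", export_rt="65000:1", import_rts={"65000:901"},
              local=["10.1.0.0/24", "10.1.1.0/24"])
    vn2 = Vrf("VN2", export_rt="65000:2", import_rts={"65000:902"}, local=["10.2.0.0/24"])
    return resolve([outer1, outer2, vn1, vn2])


if __name__ == "__main__":
    shared = build_shared_egress()
    print("shared egress, Outer sees VN2 subnets:", visible_from(shared, "Outer", "VN2"))
    exclusive = build_exclusive_egress()
    print("exclusive egress, Outer1 sees VN2 subnets:", visible_from(exclusive, "Outer1", "VN2"))
```

In neither case does VN1's table contain VN2's subnets, which is the Layer 3 isolation between VNs described later in this chapter; the difference between the two egress types lies entirely in what the external VRF, and hence the firewall, can reach.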
When creating external network resources on the border node, you can use any of the following routing protocols to interconnect the border node with the firewall. According to the route design principles described above, Table 2-50 lists the recommended configurations for the three routing protocols.
Routing Protocol | Default Routes from VNs to External Networks on the Border Node | Return Routes from External Networks to VNs on the Firewall | Interconnection Between the Border Node and Firewall
---|---|---|---
Static routing | | | 
OSPF | | | 
BGP | | | 
When selecting a routing protocol between the firewall and border node, you need to consider how to switch the service traffic path in active/standby switchover scenarios when firewalls are deployed in HSB mode. For details, see the egress route design in Egress Network Design.
You can configure routes on the border node when creating external network resources on iMaster NCE-Campus, and configure routes on the firewall by logging in to the web system or CLI.
Network Service Resource Design
In the resource model design for the fabric network, network service resources are created on the border node so that service terminals on the campus network can access service resources in the network management zone, such as the DHCP server and NAC server. For each network service resource created on the border node, a VRF instance is allocated. After a network service resource is selected during VN creation, the VRF instances of the created VN and network service resource import routes from each other. In this way, service subnets in the VN can communicate with the network service resource, as shown in Figure 2-91.
When creating network service resources on the fabric on iMaster NCE-Campus, you need to perform the following configurations:
- Configure the addresses for accessing network service resources, such as the DHCP service address and southbound address of iMaster NCE-Campus.
- Select an interconnection scenario, which can be directly connecting to a server or directly connecting to a switch. Generally, the border node is directly connected to a switch instead of a server.
- Configure physical interconnection interfaces.
- Configure interconnection VLANs and IP addresses.
The route design for network service resources is simpler than that for external network resources. For network service resources, static routes are configured on the border node based on the addresses for accessing the service resources. You can create multiple network service resources, or add addresses for accessing network service resources to a network service resource model. If only a few service resources in the network management zone need to be accessed, you are advised to plan these service resources in the same network service resource model. This saves interconnection VLAN and IP address resources and simplifies route configuration on the network management zone side, as shown in Figure 2-92.
Routes on the border node are automatically delivered when network service resources are created on iMaster NCE-Campus. To configure routes on the gateway in the network management zone, log in to the web system or CLI of the device.
Access Management Design
When creating a fabric network, you need to plan authentication control points, including access point resource pools, for user access. The wired access point resource refers to the switch interfaces to which terminals connect, and the wireless access point resource refers to the SSIDs to which terminals connect. In the distributed gateway solution, if the fabric network adopts the recommended networking of VXLAN deployed across core and aggregation layers and the edge node serves as the native WAC on the WLAN, then:
- It is recommended that the edge node (aggregation switch) be used as the unified authentication control point for wired and wireless users.
- The authentication template resources to be bound to wired and wireless access points can be planned on the edge node in a unified manner. During access management configuration for the fabric network, you need to bind authentication templates to wired access ports. In addition, you need to configure the mapping between wireless SSIDs and authentication templates and deliver the configuration to the WAC. Then, bind the authentication templates to wireless SSIDs on APs through the web system of the WAC. For details, see "WLAN Admission Design" in WLAN Design.
Access Interface Design
During access management configuration for a fabric network, three connection types are defined for access interfaces on switches, as shown in Figure 2-27.
- Fabric extended AP: allows Huawei Fit APs to access. This type is used when configuring policy association.
- Fabric extended switch: allows Huawei switches to access. This type is used when configuring policy association.
- Terminal (PCs, phones, dumb terminals, and non-fabric extended access switches or APs): allows terminals to access. Bind authentication profiles to terminals based on terminal types to control terminal access. For details, see "User Access Authentication Design" in Access Control Design.
Policy Association Design
Policy association moves the authentication control point up towards the aggregation or core layer. In this manner, devices at the aggregation or core layer can implement policy association with devices at the access layer through CAPWAP tunnels. This helps reduce the number of authentication control points configured and allows terminal access control at the access layer. In the scenario where wired and wireless users share the authentication control point, APs can also join the WAC functioning as the wireless authentication control point over the CAPWAP tunnel established through policy association.
In the distributed gateway solution, VXLAN is recommended to be deployed across core and aggregation layers. In such a scenario, you are advised to plan the policy association function in the access management design for the fabric network. As shown in Figure 2-94, policy association is deployed between the aggregation switches (edge nodes) and access switches.
Perform the following operations when configuring policy association during access management configuration for the fabric network:
- On the edge node, configure the management VLAN and management IP address for policy association.
- On the edge node, set the connection type of the port connected to an access switch to "fabric extended switch". This connection type can enable the management VLAN for policy association between the edge node and access switch.
- On the access switch, set the connection type of the port connected to an AP to "fabric extended AP". This connection type can enable the management VLAN for policy association between the access switch and AP.
After the configuration is complete:
- A CAPWAP tunnel can be established between the edge node and access switch. Wired user access authentication is still performed on the edge node, but wired authentication enforcement points are moved downwards to the access layer (access switches). Wired users can access the network through the access switches only after passing authentication.
- A CAPWAP tunnel can be established between an edge node and an AP. The AP can go online on the edge node and function as an authentication enforcement point for wireless users.
Note: If the connection type of the switch port connected to an AP is set to fabric extended AP, the management VLAN auto-negotiation function cannot be deployed on that port.
VN Design
VN Division Principles
In the virtualization solution for a large or midsize campus network, each VN is a VPN instance, and one VN can contain multiple subnets. By default, users in the same VN can communicate with each other at Layer 3, and users in different VNs are isolated from each other. VNs can be planned based on the following principles:
- Allocate an independent VN to each service department or service network. For example, on a campus network, the guest, teaching, IoT, and video surveillance services are each allocated an independent VN.
- VNs are not used to fulfill the requirements for isolating users of different levels in the same service department or service network. Instead, access policies can be implemented to achieve this.
VN Access Design
VN Access of User Subnets
As demonstrated in Figure 2-95, in the distributed gateway solution, the fabric typically adopts the recommended networking of VXLAN deployed across core and aggregation layers, and the edge node functions as the native WAC. In such a scenario, wireless user traffic (CAPWAP packets) is decapsulated when it reaches the edge node. Therefore, wired and wireless user traffic can enter a particular VN through the edge node and be forwarded in the VN once the user VLAN is associated with a BD.
User VLAN Access Modes
VLAN access modes for users include the static VLAN mode and dynamically authorized VLAN mode. You need to select a mode when configuring a user gateway in a VN. Table 2-51 lists the two access modes.
VLAN Access Mode | Implementation | Application Scenario
---|---|---
Static VLAN | | The static VLAN mode applies when terminals access the VLAN at fixed locations and do not need to be authenticated. This access mode is more secure but lacks flexibility. When the locations of terminals change, you need to perform the configuration again.
Dynamically authorized VLAN | | The dynamically authorized VLAN mode applies when terminals access the VLAN anywhere and need to be authenticated based on the VLAN information delivered during user authentication. This access mode is flexible and the configuration does not need to be changed when the locations of terminals change.
- If a downlink interface is connected to an IP phone, you can configure a voice VLAN on the interface for the IP phone.
- The dynamically authorized VLAN mode applies to MAC address authentication and 802.1X authentication. The dynamically authorized VLAN mode requires users to go online again during Portal authentication, so this mode is not recommended in Portal authentication.
- The dynamically authorized VLAN mode can be implemented based on VLAN pools. In this mode, the authentication control point automatically calculates and allocates a VLAN in the VLAN pool to the access interface or SSID based on authorized VLAN pool information. Subnets of VLANs in a VLAN pool are connected to the same VN.
The VLAN pool-based authorization mode applies to scenarios where there are a large number of user subnets. In the distributed gateway solution, edge nodes are not isolated at Layer 2, and therefore this mode is recommended. However, users may be assigned unevenly to the VLANs in a VLAN pool. If this is the case, certain VLANs are assigned a large number of users, and some users in these VLANs may fail to obtain IP addresses because too few IP addresses were planned for those subnets. When configuring a user gateway for a VN, you are advised to plan the number of IP addresses for a subnet to be five times the actual number of users if the VLAN pool mode is used.
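The uneven assignment and the five-times sizing rule above can be checked before deployment. The script below is an added example and is not Huawei code: it stands in for the device's VLAN pool algorithm with a simple hash (the last octet of the MAC address modulo the pool size, an assumption made only so the result is reproducible), spreads a constructed set of MAC addresses across a pool, picks the subnet prefix length that satisfies the five-times rule, and reports which VLANs would run out of addresses under a tighter plan.

```python
"""VLAN pool assignment spread and subnet sizing for dynamically authorized VLANs.

Added illustration (not Huawei code). The hash function is a stand-in for the
device's pool assignment algorithm, and the MAC addresses are constructed.
"""


def assign_vlan(mac, pool):
    """Stand-in hash: last octet of the MAC address modulo the pool size."""
    last_octet = int(mac.split(":")[-1], 16)
    return pool[last_octet % len(pool)]


def distribute(macs, pool):
    """Count how many of the given MAC addresses land in each VLAN of the pool."""
    counts = {vlan: 0 for vlan in pool}
    for mac in macs:
        counts[assign_vlan(mac, pool)] += 1
    return counts


def usable_hosts(prefix_len):
    """Usable host addresses in an IPv4 subnet (network and broadcast excluded)."""
    return (1 << (32 - prefix_len)) - 2


def plan_prefix(expected_users_per_vlan, factor=5):
    """Longest prefix whose usable host count covers `factor` times the expected
    users per VLAN, i.e. the five-times rule recommended for VLAN pools."""
    needed = expected_users_per_vlan * factor
    for plen in range(30, 7, -1):
        if usable_hosts(plen) >= needed:
            return plen
    raise ValueError("too many users for a single subnet")


def capacity_check(counts, prefix_len):
    """VLANs whose assigned users exceed the usable addresses of a /prefix_len subnet."""
    return sorted(v for v, n in counts.items() if n > usable_hosts(prefix_len))


def sample_macs():
    """Constructed MAC addresses (RFC 7042 documentation OUI) whose last octets
    deliberately collide on one VLAN, to show the skew a hash can produce."""
    last_octets = ["00", "04", "08", "0c", "10", "14", "18", "1c", "01", "02", "03", "05"]
    return [f"00:00:5e:00:53:{o}" for o in last_octets]


if __name__ == "__main__":
    pool = [100, 101, 102, 103]
    counts = distribute(sample_macs(), pool)
    average = len(sample_macs()) // len(pool)
    print("users per VLAN:", counts, "average:", average)
    print("prefix for 5x average:", plan_prefix(average))
    print("VLANs overflowing a /30:", capacity_check(counts, 30))
```

With twelve users over four VLANs the average is three per VLAN, yet one VLAN receives eight; sizing each subnet for the average alone would leave that VLAN short, which is exactly the failure the five-times margin is meant to absorb.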
VN User Gateway Design
In the distributed gateway solution, the user gateway for the VN sits on the edge node. You can use the following methods to perform the VN configuration on iMaster NCE-Campus:
- Automatic allocation: After the number of user subnets and start VLAN and IP address of the subnet are specified, the user subnet gateway is automatically configured. This mode applies to scenarios where a large number of subnets are deployed and automatic gateway configuration is required.
- Manual configuration: Manually configure the user access VLAN and the IP address of the gateway interface. This mode applies to scenarios where a few subnets are deployed and automatic gateway configuration is not required.
You are advised to perform the following configurations on iMaster NCE-Campus:
- Deploy an independent DHCP server to dynamically allocate IP addresses to user terminals. Generally, the DHCP server and user terminals are on different network segments. It is recommended that the DHCP relay function be enabled on the user gateway.
- You are advised to enable DHCP snooping in the corresponding BD of the user gateway to ensure that user terminals obtain IP addresses from authorized DHCP servers and prevent attacks. In addition, if DHCP options are used to obtain terminal information for terminal identification, DHCP snooping also needs to be configured.
- If the multicast DNS (mDNS) mode is used for terminal identification, mDNS snooping should be enabled in the corresponding BD of the user gateway.
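DHCP snooping in the user gateway's BD works by trusting only the ports that face the legitimate DHCP server or relay: server-side messages (OFFER, ACK, NAK) arriving on any other port are dropped, while ACKs from trusted ports populate a binding table, and the options carried in client requests (such as Option 60) are what terminal identification reads. The following is an added example, not Huawei code or the switch's implementation; the port names, MAC address, IP addresses and vendor class string are constructed, and the packet builder produces a minimal RFC 2131 message so the parser has something realistic to work on.

```python
"""DHCP snooping model: trusted ports, rogue server rejection, binding table.

Added illustration (not Huawei code). Ports, MACs, IPs and option values are constructed.
"""
import struct

MAGIC = b"\x63\x82\x53\x63"                    # DHCP magic cookie after the 236-byte BOOTP header
DHCP_SERVER_MSGS = {2: "OFFER", 5: "ACK", 6: "NAK"}
DHCP_CLIENT_MSGS = {1: "DISCOVER", 3: "REQUEST"}


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def build_dhcp(op, msg_type, chaddr, yiaddr="0.0.0.0", extra=()):
    """Construct a minimal DHCP payload: RFC 2131 fixed header, cookie, options, end marker."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, 0x1234, 0, 0,
                        b"\0" * 4, ip_to_bytes(yiaddr), b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])              # Option 53: DHCP message type
    for code, value in extra:
        opts += bytes([code, len(value)]) + value
    return fixed + MAGIC + opts + b"\xff"


def parse_dhcp(pkt):
    """Return op, yiaddr, client MAC and a {code: value} option map."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    options, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                          # end option
            break
        if code == 0:                            # pad option has no length byte
            i += 1
            continue
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": pkt[0],
            "yiaddr": ".".join(str(b) for b in pkt[16:20]),
            "chaddr": pkt[28:34],
            "options": options}


class DhcpSnooper:
    """Per-BD snooping state: which ports may carry server messages, and learned bindings."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}     # client MAC -> (client port, vendor class) from DISCOVER/REQUEST
        self.bindings = {}    # client MAC -> {"ip", "port", "vendor"} learned from ACK

    def process(self, port, pkt):
        msg = parse_dhcp(pkt)
        mtype = msg["options"].get(53, b"\0")[0]
        mac = msg["chaddr"].hex(":")
        if mtype in DHCP_SERVER_MSGS:
            if port not in self.trusted:         # rogue or misplaced DHCP server
                return ("drop", f"{DHCP_SERVER_MSGS[mtype]} from untrusted port {port}")
            if mtype == 5 and mac in self.pending:
                client_port, vendor = self.pending.pop(mac)
                self.bindings[mac] = {"ip": msg["yiaddr"], "port": client_port, "vendor": vendor}
            return ("forward", DHCP_SERVER_MSGS[mtype])
        if mtype in DHCP_CLIENT_MSGS:
            vendor = msg["options"].get(60, b"").decode(errors="replace")   # Option 60 for terminal identification
            self.pending[mac] = (port, vendor)
            return ("forward", DHCP_CLIENT_MSGS[mtype])
        return ("drop", "unknown DHCP message type")


def demo():
    """Constructed exchange: a client REQUEST, a rogue OFFER on an access port, a real ACK on the uplink."""
    snoop = DhcpSnooper(trusted_ports={"GE0/0/24"})          # uplink towards the DHCP relay/server
    client = bytes.fromhex("0011223344aa")
    events = [
        snoop.process("GE0/0/1", build_dhcp(1, 3, client, extra=[(60, b"MSFT 5.0")])),
        snoop.process("GE0/0/5", build_dhcp(2, 2, client, yiaddr="10.1.0.250")),   # rogue OFFER
        snoop.process("GE0/0/24", build_dhcp(2, 5, client, yiaddr="10.1.0.20")),   # legitimate ACK
    ]
    return snoop, events


if __name__ == "__main__":
    snooper, events = demo()
    for e in events:
        print(e)
    print(snooper.bindings)
```

The binding table is the by-product worth keeping: it records which IP address was legitimately handed to which MAC on which port, which is what later checks on the same BD rely on, and the vendor class captured from the client request is the kind of field that DHCP option based terminal identification consumes.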
VN Communication Design
Intra-VN Subnet Communication
Communication Within a Subnet in a VN
Users on the same subnet in a VN communicate with each other at Layer 2, as shown in Figure 2-96.
- Users on the same subnet connected to the same edge node can directly communicate with each other through the edge node.
- Host 1 and Host 2 are on the same subnet. When Host 1 accesses Host 2, the destination MAC address of the packet sent by Host 1 to Host 2 is the MAC address of Host 2.
- After the packet arrives at Edge 1, Edge 1 searches for the MAC address entry of Host 2. The entry belongs to VLAN 10 and is learned from GE0/0/2. Edge 1 then forwards the packet.
- Host 2 receives the packet from Host 1 through GE0/0/2.
- Users on the same subnet connected to different edge nodes communicate with each other through the VXLAN tunnel between the edge nodes.
- Host 1 and Host 2 are on the same subnet. When Host 1 accesses Host 2, the destination MAC address of the packet sent by Host 1 to Host 2 is the MAC address of Host 2.
- After the packet arrives at Edge 1, Edge 1 searches for the MAC address entry of Host 2. The entry belongs to BD 10 and is learned from the tunnel source interface (displayed as the IP address) of Edge 2. Edge 1 then encapsulates the packet into a VXLAN packet.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of Edge 1 and Edge 2, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at Edge 2, Edge 2 performs VXLAN decapsulation, searches for the MAC address entry of Host 2, determines the outbound interface GE0/0/1, and forwards the packet.
- Host 2 receives the packet from Host 1 through GE0/0/1.
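Both forwarding cases above reduce to one lookup on the edge node: the (BD, destination MAC) entry either names a local port or names the VTEP address of another edge node, and only the second case produces a VXLAN encapsulation. The code below is an added example and not Huawei code: it implements that lookup with a minimal RFC 7348 VXLAN header (the outer IP and UDP headers are represented by the returned addresses rather than serialised), using the port names from the figure; the VTEP addresses, the host MAC addresses and the BD-to-VNI mapping (BD 10 to VNI 10010) are constructed.

```python
"""Edge-node MAC table lookup with local forwarding or VXLAN encapsulation.

Added illustration (not Huawei code). VTEP IPs, host MACs and the BD->VNI mapping are constructed.
"""
import struct

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_VNI_VALID = 0x08

HOST1 = "00:00:5e:00:53:01"      # constructed (RFC 7042 documentation OUI)
HOST2 = "00:00:5e:00:53:02"


def ethernet_frame(dst_mac, src_mac, ethertype=0x0800, payload=b""):
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


def frame_dst_mac(frame):
    return ":".join(f"{b:02x}" for b in frame[:6])


def vxlan_encap(vni, inner_frame):
    """RFC 7348 header: flags(1) reserved(3) VNI(3) reserved(1), followed by the inner frame."""
    header = struct.pack("!B3sI", VXLAN_FLAG_VNI_VALID, b"\0\0\0", vni << 8)
    return header + inner_frame


def vxlan_decap(payload):
    flags, _, vni_field = struct.unpack("!B3sI", payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN header without the VNI-valid flag")
    return vni_field >> 8, payload[8:]


class EdgeNode:
    def __init__(self, name, vtep_ip, bd_to_vni):
        self.name, self.vtep_ip, self.bd_to_vni = name, vtep_ip, bd_to_vni
        self.mac_table = {}   # (bd, mac) -> ("port", ifname) or ("vtep", peer_vtep_ip)

    def learn(self, bd, mac, where):
        self.mac_table[(bd, mac)] = where

    def forward(self, bd, frame):
        """Decide what to do with a frame that entered BD `bd` on this edge node."""
        entry = self.mac_table.get((bd, frame_dst_mac(frame)))
        if entry is None:
            return ("flood", bd)                 # unknown unicast: BUM handling not modelled
        kind, target = entry
        if kind == "port":
            return ("local", target)             # same edge node: plain Layer 2 forwarding
        vni = self.bd_to_vni[bd]
        # Remote edge node: outer IPs are the two tunnel source interfaces, payload is VXLAN
        return ("vxlan", self.vtep_ip, target, vni, vxlan_encap(vni, frame))

    def receive_vxlan(self, payload):
        """Decapsulate at the remote VTEP, map VNI back to BD, and look up the inner frame."""
        vni, frame = vxlan_decap(payload)
        bd = next(b for b, v in self.bd_to_vni.items() if v == vni)
        return self.forward(bd, frame)


def demo_same_edge():
    edge1 = EdgeNode("Edge1", "10.255.0.1", {10: 10010})
    edge1.learn(10, HOST2, ("port", "GE0/0/2"))
    return edge1.forward(10, ethernet_frame(HOST2, HOST1))


def demo_different_edges():
    edge1 = EdgeNode("Edge1", "10.255.0.1", {10: 10010})
    edge2 = EdgeNode("Edge2", "10.255.0.2", {10: 10010})
    edge1.learn(10, HOST2, ("vtep", edge2.vtep_ip))    # learned via BGP EVPN from Edge2
    edge2.learn(10, HOST2, ("port", "GE0/0/1"))
    _, outer_src, outer_dst, vni, payload = edge1.forward(10, ethernet_frame(HOST2, HOST1))
    return (outer_src, outer_dst, vni), edge2.receive_vxlan(payload)


if __name__ == "__main__":
    print("same edge:", demo_same_edge())
    print("different edges:", demo_different_edges())
```

Note that the VXLAN header carries no integrity protection of its own: anything that can inject packets to UDP port 4789 of a VTEP with a valid VNI is accepted by this decapsulation path, which is why the underlay reachability of the VTEP loopback addresses is something to restrict rather than expose.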
Communication Between Subnets in a VN
In a VN, traffic between subnets needs to be forwarded by the gateway. In the centralized gateway solution, the border node functions as the gateway, as shown in Figure 2-97.
- Users on different subnets connected to the same edge node communicate with each other through the VXLAN tunnel between the edge node and border node. Mutual access traffic is sent to the border node first, then forwarded at Layer 3 based on direct routes in the VN.
- Host 1 and Host 2 are on different subnets. When Host 1 accesses Host 2, the packet is sent to the gateway first. The destination MAC address of the packet is the MAC address of VBDIF 10 on the gateway.
- After the packet arrives at Edge 1, Edge 1 searches the VN 1 routing table for the direct route to Host 2 and then forwards the packet based on the ARP entry.
- Host 2 receives the packet from Host 1 through GE0/0/2.
- Users on different subnets connected to different edge nodes communicate with each other through the VXLAN tunnels between the edge nodes and border node. Mutual access traffic is sent to the border node first, then forwarded at Layer 3 based on direct routes in the VN.
- Host 1 and Host 2 are on different subnets. When Host 1 accesses Host 2, the packet is sent to the gateway first. The destination MAC address of the packet is the MAC address of VBDIF 10 on the gateway.
- After the packet arrives at Edge 1, Edge 1 searches for the route to Host 2 in the VN 1 routing table. The next hop is the IP address of the tunnel source interface of Edge 2. Edge 1 then encapsulates the packet into a VXLAN packet. The inner destination MAC address of the packet is the MAC address of Host 2.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of Edge 1 and Edge 2, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at Edge 2, Edge 2 performs VXLAN decapsulation and searches for the MAC address entry of Host 2. The entry belongs to VLAN 20 and is learned from GE0/0/2. Edge 2 then forwards the packet.
- Host 2 receives the packet from Host 1 through GE0/0/1.
Inter-VN Subnet Communication
In the virtualization solution for a large or midsize campus network, VNs are isolated by VPNs at Layer 3. By default, VNs cannot communicate with each other. Subnets in different VNs can communicate with each other through a border node or firewall. Table 2-52 lists the application scenarios of the two communication modes.
Communication Mode | Application Scenario
---|---
Communication through a border node | Communication between VNs does not require advanced security policy control by the firewall. In this case, implement policy control based on the free mobility solution, and import, on the border node, the routes to the network segments that must be reachable between the VNs.
Communication through a firewall | Communication between VNs requires advanced security policy control by the firewall.
Subnet Communication Between VNs Through a Border Node
To implement communication between VNs through a border node, import, on the border node, the routes to the network segments that must be reachable between the VNs. After mutual access traffic arrives at the border node, the border node forwards the traffic between VNs based on the imported routes, as shown in Figure 2-98.
- Users on subnets of different VNs connected to the same edge node communicate with each other through the VXLAN tunnel between the edge node and border node. Mutual access traffic is sent to the border node first, then forwarded between VNs based on the imported routes of the VNs.
- Host 1 and Host 2 are on different subnets. When Host 1 accesses Host 2, the packet is sent to the gateway first. The destination MAC address of the packet is the MAC address of VBDIF 10 on the gateway.
- After the packet reaches Edge 1, Edge 1 searches the VN 1 routing table for the route to the network segment of Host 2. Because routes have been imported between the VPN routing tables of VN 1 and VN 2 on the border node, Edge 1 can learn the VPN route of VN 2 imported by the border node from its BGP peer. Then, Edge 1 finds that the next hop is the IP address of the tunnel source interface of the border node and encapsulates the packet into a VXLAN packet.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of Edge 1 and the border node, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at the border node, the border node performs VXLAN decapsulation and searches for the route to the network segment of Host 2 in the VN 1 routing table. Because the VPN routing tables of VN 1 and VN 2 import routes from each other, the route to the network segment of Host 2 can be found in the VN 1 routing table. The next hop of the packet is the IP address of the tunnel source interface of Edge 1. The border node then encapsulates the packet into a VXLAN packet. The inner destination MAC address of the packet is the MAC address of VBDIF 20 on Edge 1.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of the border node and Edge 1, respectively. Then the packet is forwarded based on the underlay route.
- After the packet reaches Edge 1, Edge 1 decapsulates the packet by removing its VXLAN header and searches the VN 2 routing table for the direct route to the network segment of Host 2. Then Edge 1 directly forwards the packet out.
- Host 2 receives the packet from Host 1 through GE0/0/2.
- Users on subnets of different VNs connected to different edge nodes communicate with each other through the VXLAN tunnels between the edge nodes and border node. Mutual access traffic is sent to the border node first, then forwarded between VNs based on the imported routes of the VNs.
- Host 1 and Host 2 are on different subnets. When Host 1 accesses Host 2, the packet is sent to the gateway first. The destination MAC address of the packet is the MAC address of VBDIF 10 on the gateway.
- After the packet reaches Edge 1, Edge 1 searches the VN 1 routing table for the route to the network segment of Host 2. Because routes have been imported between the VPN routing tables of VN 1 and VN 2 on the border node, Edge 1 can learn the VPN route of VN 2 imported by the border node from its BGP peer. Then, Edge 1 finds that the next hop is the IP address of the tunnel source interface of the border node and encapsulates the packet into a VXLAN packet.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of Edge 1 and the border node, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at the border node, the border node performs VXLAN decapsulation and searches for the route to the network segment of Host 2 in the VN 1 routing table. Because the VPN routing tables of VN 1 and VN 2 import routes from each other, the route to the network segment of Host 2 can be found in the VN 1 routing table. The next hop of the packet is the IP address of the tunnel source interface of Edge 2. The border node then encapsulates the packet into a VXLAN packet. The inner destination MAC address of the packet is the MAC address of VBDIF 20 on Edge 2.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of the border node and Edge 2, respectively. Then the packet is forwarded based on the underlay route.
- After the packet reaches Edge 2, Edge 2 decapsulates the packet by removing its VXLAN header and searches the VN 2 routing table for the direct route to the network segment of Host 2. Then Edge 2 directly forwards the packet out.
- Host 2 receives the packet from Host 1 through GE0/0/1.
Subnet Communication Between VNs Through a Firewall
To implement communication between VNs through a firewall, configure mutual access control policies between security zones of the firewall. After mutual access traffic arrives at the firewall, the firewall forwards the traffic between VNs based on the mutual access policies, as shown in Figure 2-99.
- Users on subnets of different VNs connected to the same edge node communicate with each other through the VXLAN tunnel between the edge node and border node. Mutual access traffic is sent to the border node first, then forwarded to the firewall based on the imported routes of external networks. The firewall then forwards the traffic between VNs based on mutual access control policies between security zones.
- Host 1 and Host 2 are on different subnets. When Host 1 accesses Host 2, the packet is sent to the gateway first. The destination MAC address of the packet is the MAC address of VBDIF 10 on the gateway.
- After the packet reaches Edge 1, Edge 1 searches the VN 1 routing table for the route to the network segment of Host 2. Because routes have been imported between the VPN routing tables of VN 1 and the external network resource model VN1-Outer on the border node, Edge 1 can learn the VPN route of VN1-Outer imported by the border node from its BGP peer. Then, Edge 1 finds that the next hop is the IP address of the tunnel source interface of the border node and encapsulates the packet into a VXLAN packet.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of Edge 1 and the border node, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at the border node, the border node performs VXLAN decapsulation and searches for the route to the network segment of Host 2 in the VN 1 routing table. Because the VPN routing tables of VN 1 and the external network resource model VN1-Outer import routes from each other, the route to the network segment of Host 2 can be found in the VN 1 routing table. The next hop of the packet is the IP address of GE1/0/1.1 on the firewall. The destination MAC address of the packet is the MAC address of GE1/0/1.1, and the packet is not encapsulated into a VXLAN packet.
- After the packet arrives at the firewall, the firewall allows VN 1 to access VN 2 based on the mutual access policies and searches for the route to the network segment of Host 2. The next hop of the packet is the IP address of VLANIF 12 on the border node. The destination MAC address of the packet is the MAC address of VLANIF 12, and the packet is not encapsulated into a VXLAN packet.
- After the packet arrives at the border node, the border node searches for the route to Host 2 in the VN 2 routing table. The next hop of the packet is the IP address of the tunnel source interface of Edge 1. The border node then encapsulates the packet into a VXLAN packet. The inner destination MAC address of the packet is the MAC address of VBDIF 20 on Edge 1.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of the border node and Edge 1, respectively. Then the packet is forwarded based on the underlay route.
- After the packet reaches Edge 1, Edge 1 decapsulates the packet by removing its VXLAN header and searches the VN 2 routing table for the direct route to the network segment of Host 2. Then Edge 1 directly forwards the packet out.
- Host 2 receives the packet from Host 1 through GE0/0/2.
- Users on subnets of different VNs connected to different edge nodes communicate with each other through the VXLAN tunnels between the edge nodes and border node. Mutual access traffic is sent to the border node first, then forwarded to the firewall based on the imported routes of external networks. The firewall then forwards the traffic between VNs based on mutual access control policies between security zones.
- Host 1 and Host 2 are on different subnets. When Host 1 accesses Host 2, the packet is sent to the gateway first. The destination MAC address of the packet is the MAC address of VBDIF 10 on the gateway.
- After the packet reaches Edge 1, Edge 1 searches the VN 1 routing table for the route to the network segment of Host 2. Because routes have been imported between the VPN routing tables of VN 1 and the external network resource model VN1-Outer on the border node, Edge 1 learns the VPN route of VN1-Outer advertised by the border node, its BGP EVPN peer. Edge 1 then finds that the next hop is the IP address of the tunnel source interface of the border node and encapsulates the packet into a VXLAN packet.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of Edge 1 and the border node, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at the border node, the border node performs VXLAN decapsulation and searches for the route to the network segment of Host 2 in the VN 1 routing table. Because the VPN routing tables of VN 1 and the external network resource model VN1-Outer import routes from each other, the route to the network segment of Host 2 can be found in the VN 1 routing table. The next hop of the packet is the IP address of GE1/0/1.1 on the firewall. The destination MAC address of the packet is the MAC address of GE1/0/1.1, and the packet is not encapsulated into a VXLAN packet.
- After the packet arrives at the firewall, the firewall allows VN 1 to access VN 2 based on the mutual access policies and searches for the route to the network segment of Host 2. The next hop of the packet is the IP address of VLANIF 12 on the border node. The destination MAC address of the packet is the MAC address of VLANIF 12, and the packet is not encapsulated into a VXLAN packet.
- After the packet arrives at the border node, the border node searches for the route to Host 2 in the VN 2 routing table. The next hop of the packet is the IP address of the tunnel source interface of Edge 2. The border node then encapsulates the packet into a VXLAN packet. The inner destination MAC address of the packet is the MAC address of VBDIF 20 on Edge 2.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of the border node and Edge 2, respectively. Then the packet is forwarded based on the underlay route.
- After the packet reaches Edge 2, Edge 2 decapsulates the packet by removing its VXLAN header and searches the VN 2 routing table for the direct route to the network segment of Host 2. Then Edge 2 directly forwards the packet out.
- Host 2 receives the packet from Host 1 through GE0/0/1.
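The following is an added example, not code from the original page or the vendor: it builds the VXLAN packets that the VTEPs put on the wire in the flow above and walks the two tunnel legs of the Host 1 to Host 2 path (Edge 1 to the border node in VN 1, then the border node to Edge 2 in VN 2, with the firewall hairpin in between as plain routed Ethernet). The tunnel source (loopback) addresses `10.0.0.x`, the VNIs 1001/1002, the VBDIF gateway MAC addresses, the border node's gateway MAC used as the inner destination on the first leg, the underlay next-hop MAC addresses and the payload are all constructed assumptions.

```python
"""VXLAN encapsulation and decapsulation as the VTEPs in the flow above perform
them, with the two tunnel legs of the Host 1 -> Host 2 path.  Added example,
not vendor code: the VTEP (tunnel source) addresses, VNIs, MAC addresses and
payload are constructed."""
import socket
import struct

VXLAN_PORT = 4789      # IANA-assigned VXLAN UDP port (RFC 7348)
VXLAN_I_FLAG = 0x08    # "VNI present" flag in the VXLAN header
# Constructed: tunnel source (loopback) addresses, per-VN L3 VNIs, gateway MACs
VTEP = {"Edge 1": "10.0.0.1", "Edge 2": "10.0.0.2", "Border": "10.0.0.100"}
VNI = {"VN 1": 1001, "VN 2": 1002}
VBDIF10_MAC, VBDIF20_MAC = "00:00:5e:00:01:10", "00:00:5e:00:01:20"
BORDER_GW_MAC = "00:00:5e:00:01:ff"   # assumed gateway MAC of the border node


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, payload_len, proto=17, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ethernet_frame(dst_mac, src_mac, ethertype, payload):
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


def vxlan_encap(inner_frame, vni, src_vtep, dst_vtep, outer_dst_mac, outer_src_mac):
    """Sending VTEP: outer IP src/dst are the tunnel source interfaces, UDP dst 4789,
    then the 8-byte VXLAN header (flags, 24-bit VNI) in front of the inner frame."""
    vxlan_hdr = struct.pack("!B3sI", VXLAN_I_FLAG, b"\0\0\0", vni << 8)
    udp_len = 8 + len(vxlan_hdr) + len(inner_frame)
    udp_hdr = struct.pack("!HHHH", 49152, VXLAN_PORT, udp_len, 0)   # checksum 0 = none
    ip_packet = ipv4_header(src_vtep, dst_vtep, udp_len) + udp_hdr + vxlan_hdr + inner_frame
    return ethernet_frame(outer_dst_mac, outer_src_mac, 0x0800, ip_packet)


def vxlan_decap(packet):
    """Receiving VTEP: returns (outer_src, outer_dst, vni, inner_frame).  The VNI is
    taken at face value; nothing in these headers authenticates who sent them."""
    ihl = (packet[14] & 0x0F) * 4
    proto = packet[14 + 9]
    src, dst = socket.inet_ntoa(packet[26:30]), socket.inet_ntoa(packet[30:34])
    udp = 14 + ihl
    dport = struct.unpack("!H", packet[udp + 2:udp + 4])[0]
    if proto != 17 or dport != VXLAN_PORT:
        raise ValueError("not a VXLAN packet")
    flags, _, vni_field = struct.unpack("!B3sI", packet[udp + 8:udp + 16])
    if not flags & VXLAN_I_FLAG:
        raise ValueError("VXLAN header without a valid VNI")
    return src, dst, vni_field >> 8, packet[udp + 16:]


def inter_vn_legs(host_payload):
    """The two VXLAN legs of Host 1 -> Host 2 (different edge nodes): returns the
    outer (src, dst, VNI) seen on each leg and the frame Edge 2 finally receives."""
    # leg 1: Edge 1 routes the packet in VN 1 and tunnels it to the border node
    inner = ethernet_frame(BORDER_GW_MAC, VBDIF10_MAC, 0x0800, host_payload)
    leg1 = vxlan_encap(inner, VNI["VN 1"], VTEP["Edge 1"], VTEP["Border"],
                       "02:00:00:00:00:02", "02:00:00:00:00:01")   # underlay next-hop MACs
    src1, dst1, vni1, frame = vxlan_decap(leg1)
    # between the legs the border hands the packet to the firewall and back as plain
    # routed Ethernet (no VXLAN); leg 2: border re-encapsulates in VN 2 toward Edge 2
    inner2 = ethernet_frame(VBDIF20_MAC, BORDER_GW_MAC, 0x0800, frame[14:])
    leg2 = vxlan_encap(inner2, VNI["VN 2"], VTEP["Border"], VTEP["Edge 2"],
                       "02:00:00:00:00:03", "02:00:00:00:00:02")
    src2, dst2, vni2, frame2 = vxlan_decap(leg2)
    return [(src1, dst1, vni1), (src2, dst2, vni2)], frame2
```

Two things are worth noticing when running `inter_vn_legs()`: the outer addresses change on every VXLAN leg (Edge 1 to border, then border to Edge 2) while the firewall hairpin between them carries no VXLAN header at all, and nothing in the outer IP, UDP or VXLAN headers authenticates the sender, so the receiving VTEP maps the VNI to a VN purely on trust. RFC 7348 leaves that to the underlay: VTEP loopback addresses should only be reachable from inside the fabric, and UDP/4789 toward them should be filtered on any interface that faces the Internet or other untrusted networks.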
Communication Between VNs and External Networks
In the virtualization solution for a large or midsize campus network, two resource models are designed for the fabric network: external network resources and network service resources. For each resource created, a VRF instance is allocated. During VN creation and resource selection, VNs and external network resources (or network service resources) automatically import routes from each other to enable mutual access, as shown in Figure 2-100.
- Users in a VN access the Internet through the VXLAN tunnel between the edge node and border node. Traffic is sent to the border node first, then forwarded to the firewall based on the imported routes of external networks. The firewall then forwards the packet to the Internet.
- Host 1 and the Internet are on different subnets. When Host 1 accesses the Internet, the packet is sent to the gateway first. The destination MAC address of the packet is the MAC address of VBDIF 10 on the gateway.
- After the packet reaches Edge 1, Edge 1 searches the VN 1 routing table for the route to the Internet. Because routes have been imported between the VPN routing tables of VN 1 and the external network resource model VN1-Outer on the border node, Edge 1 can learn the VPN route of VN1-Outer imported by the border node from its BGP peer. Then, Edge 1 finds that the next hop is the IP address of the tunnel source interface of the border node and encapsulates the packet into a VXLAN packet.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of Edge 1 and the border node, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at the border node, the border node performs VXLAN decapsulation and searches for the route to the Internet in the VN 1 routing table. Because the VPN routing tables of VN 1 and the external network resource model VN1-Outer import routes from each other, the route to the Internet can be found in the VN 1 routing table. The next hop of the packet is the IP address of GE1/0/1.1 on the firewall. The destination MAC address of the packet is the MAC address of GE1/0/1.1, and the packet is not encapsulated into a VXLAN packet.
- After the packet arrives at the firewall, the firewall allows VN 1 to access the Internet based on the mutual access policies and searches for the route to the Internet. The firewall then forwards the packet to the Internet.
- Users in a VN access network service resources through the VXLAN tunnel between the edge node and the border node. Traffic is sent to the border node first and then forwarded to the gateway in the network management zone based on the routes imported from the network service resource. The gateway in the network management zone then forwards the packet into the network management zone. Note that this path does not traverse the firewall: access to the network management zone is not controlled by the firewall policies described above.
- Host 1 and the network service resource are on different subnets. When Host 1 accesses the network service resource, the packet is sent to the gateway first. The destination MAC address of the packet is the MAC address of VBDIF 10 on the gateway.
- After the packet reaches Edge 1, Edge 1 searches the VN 1 routing table for the route to the network service resource. Because routes have been imported between the VPN routing tables of VN 1 and the network service resource model VN1-Server on the border node, Edge 1 learns the VPN route of VN1-Server advertised by the border node, its BGP EVPN peer. Edge 1 then finds that the next hop is the IP address of the tunnel source interface of the border node and encapsulates the packet into a VXLAN packet.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of Edge 1 and the border node, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at the border node, the border node performs VXLAN decapsulation and searches for the route to the network service resource in the VN 1 routing table. Because the VPN routing tables of VN 1 and the network service resource model VN1-Server import routes from each other, the route to the network service resource can be found in the VN 1 routing table. The next hop of the packet is the IP address of VLANIF 11 on the gateway in the network management zone. The destination MAC address of the packet is the MAC address of VLANIF 11, and the packet is not encapsulated into a VXLAN packet.
- After the packet arrives at the gateway in the network management zone, the gateway searches for the route to the network service resource and forwards the packet.
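The three flows above (VN to VN through the firewall, VN to the Internet, VN to a network service resource) all come down to the same mechanics: the ingress interface or VNI selects a VPN instance, the VPN instance holds routes imported from the resource VRFs, and the firewall's zone policy sits on the path only where the imported routes send traffic through it. The following is an added example, not vendor code, that models exactly that and traces a packet hop by hop across Edge 1, the border node, the firewall, the network management zone gateway and Edge 2; it also shows the check a practitioner wants, namely that every inter-VN path crosses the firewall, and what happens when routes are imported directly between two VN VPN instances on the border. VN 1, VN 2, VN1-Outer, VN1-Server, VBDIF 10/20, GE1/0/1.1, VLANIF 11 and VLANIF 12 are names from the design; VN2-Outer, GE1/0/1.2, VLANIF 101/102, the interface labels `VXLAN:VN n`, the prefixes and the zone policy are constructed assumptions.

```python
"""Path model for the flows described above (VN to VN through the firewall, VN to
the Internet, VN to network service resources).  Added example, not vendor code.
VN 1, VN 2, VN1-Outer, VN1-Server, VBDIF 10/20, GE1/0/1.1, VLANIF 11 and VLANIF 12
are names from the design; VN2-Outer, GE1/0/1.2, VLANIF 101/102, the prefixes and
the zone policy are constructed assumptions."""
import ipaddress


class Vrf:
    # a route is (prefix, egress_if, next_node, next_if); next_node None = delivered here
    def __init__(self, name):
        self.name, self.routes = name, []

    def add(self, prefix, egress_if, next_node=None, next_if=None):
        self.routes.append((ipaddress.ip_network(prefix), egress_if, next_node, next_if))

    def import_from(self, other):  # route import between two VPN instances
        self.routes += [r for r in other.routes if r not in self.routes]

    def lookup(self, dst):  # longest prefix match
        dst = ipaddress.ip_address(dst)
        return max((r for r in self.routes if dst in r[0]),
                   key=lambda r: r[0].prefixlen, default=None)


class Node:
    # edge or border node: the ingress interface (or the L3 VNI) selects the VRF
    def __init__(self, name, if_vrf):
        self.name, self.if_vrf, self.vrfs = name, if_vrf, {}

    def vrf(self, name):
        return self.vrfs.setdefault(name, Vrf(name))

    def forward(self, ifname, dst):
        vrf = self.vrfs[self.if_vrf[ifname]]
        route = vrf.lookup(dst)
        return vrf.name, route, ("forward" if route else "no-route")


class Firewall(Node):
    # one routing table; each interface sits in a security zone; permit = allowed zone pairs
    def __init__(self, name, zone, permit):
        super().__init__(name, {ifname: "fw" for ifname in zone})
        self.zone, self.permit = zone, permit

    def forward(self, ifname, dst):
        vrf_name, route, verdict = super().forward(ifname, dst)
        if verdict == "forward" and (self.zone[ifname], self.zone[route[1]]) not in self.permit:
            verdict = "policy-deny"
        return vrf_name, route, verdict


def trace(topo, node_name, ifname, dst, max_hops=16):
    """Walk the packet hop by hop; each hop is (node, vrf, egress_if, verdict)."""
    path = []
    for _ in range(max_hops):
        vrf_name, route, verdict = topo[node_name].forward(ifname, dst)
        path.append((node_name, vrf_name, route[1] if route else None, verdict))
        if verdict != "forward" or route[2] is None:
            return path
        node_name, ifname = route[2], route[3]
    return path + [("loop", None, None, "too-many-hops")]


def nodes(path):
    return [hop[0] for hop in path]


def firewall_enforced(topo, node_name, ifname, dst, fw="Firewall"):
    """True only if the packet is delivered and its path crosses the firewall."""
    path = trace(topo, node_name, ifname, dst)
    return path[-1][3] == "forward" and fw in nodes(path)


def build_topology():
    e1 = Node("Edge 1", {"GE0/0/1": "VN 1", "VXLAN:VN 1": "VN 1"})
    e2 = Node("Edge 2", {"GE0/0/1": "VN 2", "VXLAN:VN 2": "VN 2"})
    bd = Node("Border", {"VXLAN:VN 1": "VN 1", "VLANIF 101": "VN 1", "VLANIF 102": "VN 1",
                         "VXLAN:VN 2": "VN 2", "VLANIF 12": "VN 2"})
    fw = Firewall("Firewall", {"GE1/0/1.1": "VN1", "GE1/0/1.2": "VN2", "GE1/0/2": "untrust"},
                  {("VN1", "VN2"), ("VN2", "VN1"), ("VN1", "untrust")})  # VN 2 gets no Internet
    mg = Node("Mgmt GW", {"VLANIF 11": "default"})
    # edge nodes: host subnet on the VBDIF gateway; everything else to the border over VXLAN
    e1.vrf("VN 1").add("10.1.10.0/24", "VBDIF 10")
    e1.vrf("VN 1").add("0.0.0.0/0", "VXLAN", "Border", "VXLAN:VN 1")
    e2.vrf("VN 2").add("10.2.20.0/24", "VBDIF 20")
    e2.vrf("VN 2").add("0.0.0.0/0", "VXLAN", "Border", "VXLAN:VN 2")
    # border: VN VRFs plus resource VRFs; a VN imports only its own resources' routes
    bd.vrf("VN 1").add("10.1.10.0/24", "VXLAN", "Edge 1", "VXLAN:VN 1")
    bd.vrf("VN 2").add("10.2.20.0/24", "VXLAN", "Edge 2", "VXLAN:VN 2")
    bd.vrf("VN1-Outer").add("0.0.0.0/0", "VLANIF 101", "Firewall", "GE1/0/1.1")
    bd.vrf("VN2-Outer").add("0.0.0.0/0", "VLANIF 12", "Firewall", "GE1/0/1.2")
    bd.vrf("VN1-Server").add("172.16.0.0/24", "VLANIF 102", "Mgmt GW", "VLANIF 11")
    bd.vrf("VN 1").import_from(bd.vrf("VN1-Outer"))
    bd.vrf("VN 1").import_from(bd.vrf("VN1-Server"))
    bd.vrf("VN 2").import_from(bd.vrf("VN2-Outer"))
    # firewall: a route back to the border per VN, default toward the Internet (delivered here)
    fw.vrf("fw").add("10.1.10.0/24", "GE1/0/1.1", "Border", "VLANIF 101")
    fw.vrf("fw").add("10.2.20.0/24", "GE1/0/1.2", "Border", "VLANIF 12")
    fw.vrf("fw").add("0.0.0.0/0", "GE1/0/2")
    mg.vrf("default").add("172.16.0.0/24", "GE0/0/3")
    return {n.name: n for n in (e1, e2, bd, fw, mg)}


def bypass_demo():
    """Misconfiguration: importing VN 2's routes straight into VN 1 on the border gives
    a /24 more specific than the default route via the firewall, so the firewall is skipped."""
    topo = build_topology()
    topo["Border"].vrf("VN 1").import_from(topo["Border"].vrf("VN 2"))
    return nodes(trace(topo, "Edge 1", "GE0/0/1", "10.2.20.5"))
```

With the topology as built, `trace()` from Edge 1 reproduces the three paths on the page: a Host 2 address goes Edge 1, Border (VN 1), Firewall, Border (VN 2), Edge 2; an Internet address stops at the firewall; a network management zone address goes Edge 1, Border, Mgmt GW and never touches the firewall. `firewall_enforced()` is the audit question to ask of every inter-VN pair, and `bypass_demo()` shows why: one extra route import on the border turns the hairpin into a direct VXLAN path that no zone policy ever sees.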