Overlay Network Design
Overlay Network Overview
An overlay network consists of the fabric and multiple virtual networks (VNs). A fabric is a network on which all resources are pooled. These resources can be selected as required during VN creation, decoupling the overlay network from the underlay network. Creating a VN is equivalent to creating an instance on the fabric. One VN instance can represent a virtual network dedicated to one type of service.
For details about concepts related to the overlay network, see Overlay Network Architecture Design.
Overlay Network Resource Planning
VLAN/BD Planning
| Resource Item | Description |
|---|---|
| Broadcast domain (BD) | |
| Service VLAN | |
| Interconnection VLAN | |
IP Address Planning
Only IP addresses of loopback interfaces need to be planned in the fabric global resource pool. Other IP addresses on an overlay network do not need to be planned. Table 2-13 lists the IP address resource items to be planned for an overlay network. For details about IP address planning, see "IP Address Planning" in Network Resource Planning.
| Resource Item | Description |
|---|---|
| Loopback interface IP address | Configure loopback interface IP addresses to establish BGP EVPN peer relationships between border and edge nodes, which also function as the VXLAN tunnel endpoints (VTEPs). |
| Service IP address | |
| Interconnection IP address | |
Fabric Network Design
Fabric Role Design
Figure 2-21 shows fabric roles in the centralized gateway solution using different fabric networking modes.
- Two-layer networking with VXLAN deployed across core and access layers: Core switches function as border nodes and access switches as edge nodes.
- Three-layer networking with VXLAN deployed across core and access layers: Core switches function as border nodes, access switches as edge nodes, and aggregation switches as transparent devices.
- Three-layer networking with VXLAN deployed across core and aggregation layers: Core switches function as border nodes, aggregation switches as edge nodes, and access switches as fabric extended nodes. Policy association can be deployed between edge and fabric extended nodes to implement access control of user terminals on access switches.
Border and edge nodes also function as VTEPs. You are advised to configure the route reflector (RR) function on the nodes to establish BGP EVPN peer relationships. If no RR is configured, BGP peer relationships must be established between every pair of edge nodes and between each edge node and the border nodes; the configuration is complex and the large number of BGP sessions consumes CPU resources. Either border or edge nodes can function as RRs. Border nodes have the strongest processing capability, so it is recommended that they be used as RRs.
External Network Design
In the resource model design for the fabric network, external networks are created on the border node so that terminals on the campus network can access the Internet. For each external network resource created on the border node, a VRF instance is allocated. After an external network resource is selected during VN creation, the VRF instances of the created VN and external network resource import routes from each other. In this way, service subnets in the VN can communicate with the external network, as shown in Figure 2-22.
Egress Types of External Networks
Three types of external network resources are defined: L3 shared egress, L3 exclusive egress, and L2 shared egress. If the user gateway is located in the fabric, the L3 shared egress or L3 exclusive egress is used, as shown in Figure 2-23.
- L3 shared egress: Multiple VNs on the fabric network share an L3 egress to communicate with the egress device. To enable communication between VNs and external networks, you must configure return routes to service subnets on the firewall. As a result, service subnets of different VNs can communicate with each other on the firewall. To isolate different VNs on the firewall, configure policies based on service network segments in the VNs.
The L3 shared egress helps save VLAN and IP resources for interconnection and applies to scenarios where there are low requirements on security control policies between VNs.
- L3 exclusive egress: Each VN on the fabric network exclusively uses an L3 egress to communicate with the egress device. In this case, multiple security zones are configured on the firewall, each corresponding to one L3 exclusive egress. Thus, the traffic between service subnets of different VNs is isolated when reaching the firewall. To enable inter-VN communication through the firewall, you can configure security policies between security zones. Configuring security policies can also control the application ports used for communication and limit the bandwidth.
The L3 exclusive egress applies to scenarios where there are high requirements on security control policies between VNs.
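The security difference between the two egress types comes down to which firewall zone each VN's subnets land in. The following zone-policy model is an added example written for this page, not code from the design guide or from any firewall product: it assumes first-match rules, unmatched intra-zone traffic permitted and unmatched inter-zone traffic denied, which is the behaviour the text describes. The VN subnets, zone names and rules are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample service subnets of two VNs (assumption, not from the guide).
VN_SUBNETS = {"VN1": ["10.1.0.0/16"], "VN2": ["10.2.0.0/16"]}


@dataclass(frozen=True)
class Rule:
    """One security policy rule; src_net/dst_net of None match any address."""
    src_zone: str
    dst_zone: str
    action: str                    # "permit" or "deny"
    src_net: Optional[str] = None
    dst_net: Optional[str] = None

    def matches(self, src_zone, dst_zone, src, dst):
        if (src_zone, dst_zone) != (self.src_zone, self.dst_zone):
            return False
        if self.src_net and src not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and dst not in ipaddress.ip_network(self.dst_net):
            return False
        return True


class ZoneFirewall:
    """Zone membership by longest-prefix match; first matching rule wins;
    unmatched traffic is permitted within a zone and denied between zones."""

    def __init__(self, zone_members, rules):
        nets = [(ipaddress.ip_network(n), zone)
                for zone, members in zone_members.items() for n in members]
        self._nets = sorted(nets, key=lambda t: t[0].prefixlen, reverse=True)
        self.rules = list(rules)

    def zone_of(self, addr):
        for net, zone in self._nets:
            if addr in net:
                return zone
        raise ValueError(f"{addr} belongs to no zone")

    def decide(self, src_ip, dst_ip):
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        src_zone, dst_zone = self.zone_of(src), self.zone_of(dst)
        for rule in self.rules:
            if rule.matches(src_zone, dst_zone, src, dst):
                return rule.action
        return "permit" if src_zone == dst_zone else "deny"


def shared_egress(extra_rules=()):
    """L3 shared egress: return routes of all VNs point into one zone, so
    inter-VN isolation depends on address-based rules inside that zone."""
    members = {"campus": VN_SUBNETS["VN1"] + VN_SUBNETS["VN2"],
               "untrust": ["0.0.0.0/0"]}
    rules = [Rule("campus", "untrust", "permit")] + list(extra_rules)
    return ZoneFirewall(members, rules)


def exclusive_egress():
    """L3 exclusive egress: one zone per VN, so inter-VN traffic crosses zones
    and is denied until an explicit inter-zone policy permits it."""
    members = {"vn1": VN_SUBNETS["VN1"], "vn2": VN_SUBNETS["VN2"],
               "untrust": ["0.0.0.0/0"]}
    rules = [Rule("vn1", "untrust", "permit"), Rule("vn2", "untrust", "permit")]
    return ZoneFirewall(members, rules)


if __name__ == "__main__":
    isolate = Rule("campus", "campus", "deny", "10.1.0.0/16", "10.2.0.0/16")
    print("shared, no rule :", shared_egress().decide("10.1.0.5", "10.2.0.7"))
    print("shared, rule    :", shared_egress([isolate]).decide("10.1.0.5", "10.2.0.7"))
    print("exclusive       :", exclusive_egress().decide("10.1.0.5", "10.2.0.7"))
```

The point the model makes is that with a shared egress the firewall permits VN1-to-VN2 traffic until someone writes the segment-based deny rule, whereas with an exclusive egress the zone boundary denies it by default and an operator must add a permit; the second arrangement fails closed, which is why the guide recommends it where inter-VN policy matters.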
Route Planning for External Networks
When interconnecting VNs with external networks, pay attention to the following points. On the border node, the VRF instances of VNs and external network resources use VPN targets to import routes from each other. The border node and firewall communicate with each other through routing protocols. In Figure 2-24, routes between the border node and firewall are configured based on the route design principles for communication between campus intranets and external networks:
- Routes from the campus intranet to external networks on the border node: Generally, default routes are used to prevent a huge number of external network routes from affecting intranets.
- Routes from external networks to the campus intranet on the firewall: Generally, specific routes are used.
| Routing Protocol | Default Routes from VNs to External Networks on the Border Node | Return Routes from External Networks to VNs on the Firewall | Interconnection Between the Border Node and Firewall |
|---|---|---|---|
| Static routing | | | |
| OSPF | | | |
| BGP | | | |
When selecting a routing protocol between the firewall and border node, you need to consider how to switch the service traffic path in active/standby switchover scenarios when firewalls are deployed in HSB mode. For details, see the egress route design in Egress Network Design.
You can configure routes on the border node when creating external network resources on iMaster NCE-Campus, and configure routes on the firewall by logging in to the web system or CLI.
Network Service Resource Design
In the resource model design for the fabric network, network service resources are created on the border node so that service terminals on the campus network can access service resources in the network management zone, such as the DHCP server and NAC server. For each network service resource created on the border node, a VRF instance is allocated. After a network service resource is selected during VN creation, the VRF instances of the created VN and network service resource import routes from each other. In this way, service subnets in the VN can communicate with the network service resource, as shown in Figure 2-25.
When creating network service resources on the fabric on iMaster NCE-Campus, you need to perform the following configurations:
- Configure the addresses for accessing network service resources, such as the DHCP service address and southbound address of iMaster NCE-Campus.
- Select an interconnection scenario, which can be directly connecting to a server or directly connecting to a switch. Generally, the border node is directly connected to a switch instead of a server.
- Configure physical interconnection interfaces.
- Configure interconnection VLANs and IP addresses.
The route design for network service resources is simpler than that for external network resources. For network service resources, static routes are configured on the border node based on the addresses for accessing the service resources. You can create multiple network service resources, or add addresses for accessing network service resources to a network service resource model. If only a few service resources in the network management zone need to be accessed, you are advised to plan these service resources in the same network service resource model. This saves interconnection VLAN and IP address resources and simplifies route configuration on the network management zone side, as shown in Figure 2-26.
Routes on the border node are automatically delivered when network service resources are created on iMaster NCE-Campus. To configure routes on the gateway in the network management zone, log in to the web system or CLI of the device.
Access Management Design
When creating a fabric network, you need to plan authentication control points, including access point resource pools, for user access. A wired access point resource is a switch interface to which terminals connect, and a wireless access point resource is an SSID to which terminals connect. In the centralized gateway solution:
- You are advised to deploy the authentication control point for wired user access on the edge node and plan this during access management configuration for a fabric network.
- The authentication control point for wireless user access is deployed on the WAC. The design and planning of the authentication control point depend on the WAC type. For details, see "WLAN Admission Design" in WLAN Design.
Access Interface Design
During access management configuration for a fabric network, three connection types are defined for access interfaces on switches, as shown in Figure 2-27.
- Fabric extended AP: allows Huawei Fit APs to connect. This type is used when configuring policy association.
- Fabric extended switch: allows Huawei switches to connect. This type is used when configuring policy association.
- Terminal (PCs, phones, dumb terminals, and non-fabric extended access switches or APs): allows terminals to connect. Bind authentication profiles to terminals based on terminal types to control terminal access. For details, see "User Access Authentication Design" in Access Control Design.
The connection types "fabric extended AP" and "fabric extended switch" are mainly used for configuring a management VLAN for policy association and forwarding data between the authentication control point and authentication enforcement point. In this scenario, the fabric extended switch functions as the authentication enforcement point and can be connected to fabric extended APs and terminals.
In policy association, the authentication control point is moved up to the aggregation or core layer. Devices at the aggregation or core layer and those at the access layer can complete policy association through Control and Provisioning of Wireless Access Points (CAPWAP) tunnels. In this way, the number of authentication control points is reduced, and access control of terminals can be implemented at the access layer.
Policy association is designed based on the traditional "WAC + Fit AP" architecture for access control. In this architecture, WACs function as authentication control points and APs as authentication enforcement points. User authentication information is synchronized between WACs and APs through CAPWAP tunnels. Therefore, policy association applies to scenarios where aggregation or core devices function as unified authentication control points for wired and wireless users.
In the centralized gateway solution, wired and wireless authentication control points are deployed separately. Therefore, pay attention to the following points when configuring access management for a fabric:
- If VXLAN is deployed across core and access layers for the fabric network, policy association is not deployed.
- If VXLAN is deployed across core and aggregation layers for the fabric network, policy association can be deployed between edge nodes and access switches for wired access authentication, and the authentication enforcement point for wired access can be moved down to the access switches. Do not select "Fabric extended AP" for access switch interfaces that connect to APs. If this connection type is used, the APs cannot communicate with the border node through management VLAN auto-negotiation.
VN Design
VN Division Principles
In the virtualization solution for a large or midsize campus network, each VN is a VPN instance, and one VN can contain multiple subnets. By default, users in the same VN can communicate with each other at Layer 3, and users in different VNs are isolated from each other. VNs can be planned based on the following principles:
- Allocate each independent service department or service network to its own VN. For example, on a campus network, guest, teaching, IoT, and video surveillance services are each allocated an independent VN.
- Do not use VNs to isolate users of different levels within the same service department or service network. Implement access policies to achieve this instead.
VN Access Design
VN Access of User Subnets
In the centralized gateway solution shown in Figure 2-28, if WLAN traffic is forwarded in the recommended tunnel forwarding mode and the border node functions as the native WAC and wireless subnet gateway, then:
- Traffic of wired users enters a VN through an edge node, and is forwarded in the VN based on the BD associated with the user VLAN. Implement this when configuring a user gateway in the VN on iMaster NCE-Campus.
- Traffic of wireless users is forwarded to the border node through the CAPWAP tunnel. The border node decapsulates CAPWAP packets and then forwards the decapsulated packets. If the traffic must be forwarded within a particular VN, bind the gateway interface of the corresponding wireless subnet to that VN instance. The gateway interface can be a VLANIF or VBDIF interface. The binding is performed on the border node using commands.
User VLAN Access Modes
VLAN access modes for users include the static VLAN mode and dynamically authorized VLAN mode. You need to select a mode when configuring a user gateway in a VN. Table 2-15 lists the two access modes.
| VLAN Access Mode | Implementation | Application Scenario |
|---|---|---|
| Static VLAN | | The static VLAN mode applies when terminals access the VLAN at fixed locations and do not need to be authenticated. This access mode is more secure but lacks flexibility. When the locations of terminals change, you need to perform the configuration again. |
| Dynamically authorized VLAN | | The dynamically authorized VLAN mode applies when terminals access the VLAN anywhere and need to be authenticated based on the VLAN information delivered during user authentication. This access mode is flexible and the configuration does not need to be changed when the locations of terminals change. |
- If a downlink interface is connected to an IP phone, you can configure a voice VLAN on the interface for the IP phone.
- The dynamically authorized VLAN mode applies to MAC address authentication and 802.1X authentication. The dynamically authorized VLAN mode requires users to go online again during Portal authentication, so this mode is not recommended in Portal authentication.
- The dynamically authorized VLAN mode can be implemented based on VLAN pools. In this mode, the authentication control point automatically calculates and allocates a VLAN in the VLAN pool to the access interface or SSID based on authorized VLAN pool information. Subnets of VLANs in a VLAN pool are connected to the same VN.
The VLAN pool-based authorization mode applies to scenarios where there are a large number of user subnets. In the centralized gateway solution, all downlink interfaces on edge nodes are isolated at Layer 2 by default. In this case, you are advised to create subnets with VLANs instead of a VLAN pool.
VN User Gateway Design
In the centralized gateway solution, the user gateway for the VN sits on the border node. You can use the following methods to perform the VN configuration on iMaster NCE-Campus:
- Automatic allocation: After you specify the number of user subnets and the start VLAN and IP address of the first subnet, the user subnet gateways are configured automatically. This mode applies to scenarios where a large number of subnets are deployed and automatic gateway configuration is required.
- Manual configuration: Manually configure the user access VLAN and the IP address of the gateway interface. This mode applies to scenarios where a few subnets are deployed and automatic gateway configuration is not required.
You are advised to perform the following configurations on iMaster NCE-Campus:
- Deploy an independent DHCP server to dynamically allocate IP addresses to user terminals. Generally, the DHCP server and user terminals are on different network segments. It is recommended that the DHCP relay function be enabled on the user gateway.
- You are advised to enable DHCP snooping in the corresponding BD of the user gateway to ensure that user terminals obtain IP addresses from authorized DHCP servers and prevent attacks. In addition, DHCP snooping should be enabled for terminal identification in DHCP mode.
- If the multicast DNS (mDNS) mode is used for terminal identification, mDNS snooping should be enabled in the corresponding BD of the user gateway.
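The DHCP snooping recommendation above is about where the switch is allowed to accept DHCP server replies. The following model is an added example written for this page, not code from the guide or from any switch software: it assumes the usual snooping behaviour of accepting OFFER/ACK/NAK only on trusted ports (the uplink toward the DHCP relay on the user gateway), building a binding table from the client's DISCOVER/REQUEST port and the server's ACK, and using that table for an IP source check. Interface names, MAC addresses and IP addresses are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DhcpMsg:
    kind: str                 # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE
    in_port: str              # interface the frame arrived on
    client_mac: str
    yiaddr: str = "0.0.0.0"   # address carried in server replies


class DhcpSnoopingBD:
    """DHCP snooping for one bridge domain (model of the technique, not a
    vendor implementation)."""

    SERVER_MSGS = {"OFFER", "ACK", "NAK"}

    def __init__(self, bd, trusted_ports):
        self.bd = bd
        self.trusted = set(trusted_ports)
        self.pending = {}    # client MAC -> port the client transmitted on
        self.bindings = {}   # client MAC -> (assigned IP, client port)
        self.dropped = []    # server messages that arrived on untrusted ports

    def process(self, msg):
        """Return True if the message is forwarded, False if snooping drops it."""
        if msg.kind in self.SERVER_MSGS:
            if msg.in_port not in self.trusted:
                self.dropped.append(msg)   # reply from a server on an access port
                return False
            if msg.kind == "ACK" and msg.client_mac in self.pending:
                port = self.pending.pop(msg.client_mac)
                self.bindings[msg.client_mac] = (msg.yiaddr, port)
            return True
        if msg.kind in {"DISCOVER", "REQUEST"}:
            self.pending[msg.client_mac] = msg.in_port
        elif msg.kind == "RELEASE":
            self.bindings.pop(msg.client_mac, None)
        return True

    def ip_source_check(self, port, mac, ip):
        """IP source guard on top of the binding table: a packet passes only if
        (MAC, IP, port) match the binding created by the DHCP exchange."""
        return self.bindings.get(mac) == (ip, port)


def run_sample():
    """Constructed exchange: a client on GE0/0/2, a legitimate server reached
    via the trusted uplink GE0/0/24, and a stray OFFER from access port GE0/0/3."""
    bd = DhcpSnoopingBD(10, trusted_ports={"GE0/0/24"})
    client = "0001-0001-0002"
    frames = [
        DhcpMsg("DISCOVER", "GE0/0/2", client),
        DhcpMsg("OFFER", "GE0/0/3", client, "10.1.10.200"),    # untrusted port: dropped
        DhcpMsg("OFFER", "GE0/0/24", client, "10.1.10.12"),
        DhcpMsg("REQUEST", "GE0/0/2", client),
        DhcpMsg("ACK", "GE0/0/24", client, "10.1.10.12"),
    ]
    forwarded = [bd.process(f) for f in frames]
    return bd, forwarded


if __name__ == "__main__":
    bd, forwarded = run_sample()
    print("forwarded:", forwarded)
    print("bindings :", bd.bindings)
    print("dropped  :", len(bd.dropped))
```

The binding table is what makes snooping useful beyond blocking stray servers: the same (MAC, IP, port) tuple drives the terminal identification in DHCP mode mentioned above and lets the switch reject packets whose source address was never assigned through the authorized server.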
VN Communication Design
Intra-VN Subnet Communication
Communication Within a Subnet in a VN
Users on the same subnet in a VN communicate with each other at Layer 2, as shown in Figure 2-29.
- Users on the same subnet connected to the same edge node can directly communicate with each other through the edge node.
- Host 1 and Host 2 are on the same subnet. When Host 1 accesses Host 2, the destination MAC address of the packet sent by Host 1 to Host 2 is the MAC address of Host 2.
- After the packet arrives at Edge 1, Edge 1 searches for the MAC address entry of Host 2. The entry belongs to VLAN 10 and is learned from GE0/0/2. Edge 1 then forwards the packet.
- Host 2 receives the packet from Host 1 through GE0/0/2.
- Users on the same subnet connected to different edge nodes communicate with each other through the VXLAN tunnel between the edge nodes.
- Host 1 and Host 2 are on the same subnet. When Host 1 accesses Host 2, the destination MAC address of the packet sent by Host 1 to Host 2 is the MAC address of Host 2.
- After the packet arrives at Edge 1, Edge 1 searches for the MAC address entry of Host 2. The entry belongs to BD 10 and is learned from the tunnel source interface (displayed as the IP address) of Edge 2. Edge 1 then encapsulates the packet into a VXLAN packet.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of Edge 1 and Edge 2, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at Edge 2, Edge 2 performs VXLAN decapsulation, searches for the MAC address entry of Host 2, determines the outbound interface GE0/0/1, and forwards the packet.
- Host 2 receives the packet from Host 1 through GE0/0/1.
Communication Between Subnets in a VN
In a VN, traffic between subnets needs to be forwarded by the gateway. In the centralized gateway solution, the border node functions as the gateway, as shown in Figure 2-30.
- Users on different subnets connected to the same edge node communicate with each other through the VXLAN tunnel between the edge node and border node. Mutual access traffic is sent to the border node first, then forwarded at Layer 3 based on direct routes in the VN.
- Host 1 and Host 2 are on different subnets. When Host 1 accesses Host 2, the packet is sent to the gateway first. The destination MAC address of the packet is the MAC address of VBDIF 10 on the gateway.
- After the packet arrives at Edge 1, Edge 1 searches for the MAC address entry of VBDIF 10. The entry belongs to BD 10 and is learned from the tunnel source interface (displayed as the IP address) of the border node. Edge 1 then encapsulates the packet into a VXLAN packet.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of Edge 1 and the border node, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at the border node, the border node performs VXLAN decapsulation and searches for the direct route to Host 2 in the VN 1 routing table. The next hop is the IP address of the tunnel source interface of Edge 1. The border node then encapsulates the packet into a VXLAN packet. The inner destination MAC address of the packet is the MAC address of Host 2.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of the border node and Edge 1, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at Edge 1, Edge 1 performs VXLAN decapsulation and searches for the MAC address entry of Host 2. The entry belongs to VLAN 20 and is learned from GE0/0/2. Edge 1 then forwards the packet.
- Host 2 receives the packet from Host 1 through GE0/0/2.
- Users on different subnets connected to different edge nodes communicate with each other through the VXLAN tunnels between the edge nodes and border node. Mutual access traffic is sent to the border node first, then forwarded at Layer 3 based on direct routes in the VN.
- Host 1 and Host 2 are on different subnets. When Host 1 accesses Host 2, the packet is sent to the gateway first. The destination MAC address of the packet is the MAC address of VBDIF 10 on the gateway.
- After the packet arrives at Edge 1, Edge 1 searches for the MAC address entry of VBDIF 10. The entry belongs to BD 10 and is learned from the tunnel source interface (displayed as the IP address) of the border node. Edge 1 then encapsulates the packet into a VXLAN packet.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of Edge 1 and the border node, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at the border node, the border node performs VXLAN decapsulation and searches for the direct route to Host 2 in the VN 1 routing table. The next hop is the IP address of the tunnel source interface of Edge 2. The border node then encapsulates the packet into a VXLAN packet. The inner destination MAC address of the packet is the MAC address of Host 2.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of the border node and Edge 2, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at Edge 2, Edge 2 performs VXLAN decapsulation and searches for the MAC address entry of Host 2. The entry belongs to VLAN 20 and is learned from GE0/0/2. Edge 2 then forwards the packet.
- Host 2 receives the packet from Host 1 through GE0/0/1.
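The four walkthroughs above (same subnet on one edge, same subnet across edges, different subnets on one edge, different subnets across edges) are instances of one forwarding algorithm: an edge looks up the destination MAC in the BD and either delivers locally or VXLAN-encapsulates toward the VTEP that owns the MAC; the border node, which owns the VBDIF gateway MACs, routes in the VN table and re-encapsulates toward the egress edge. The following model is an added example written for this page, not code from the guide or from the switch software, and it generalizes the text by tracing any host pair. It assumes VLAN ids map 1:1 to BD ids and that MAC and host-route tables are pre-populated the way the EVPN control plane would populate them; VTEP addresses, MACs and interface names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    mac: str
    ip: str
    bd: int      # user VLAN id == BD id in this model
    edge: str    # name of the edge node the host is attached to
    port: str


class Edge:
    def __init__(self, name, vtep):
        self.name, self.vtep = name, vtep
        self.mac_table = {}  # (bd, mac) -> ("port", "GE0/0/1") | ("vtep", "10.0.0.2")


class Border:
    """Centralized gateway: one VBDIF per BD, one routing table per VN."""

    def __init__(self, vtep):
        self.vtep = vtep
        self.vbdif = {}   # bd -> (VBDIF MAC, VN name)
        self.routes = {}  # vn -> {host ip -> (host MAC, edge VTEP)}


class Fabric:
    def __init__(self, border):
        self.border = border
        self.edges = {}          # vtep -> Edge
        self.edge_by_name = {}

    def add_edge(self, edge):
        self.edges[edge.vtep] = edge
        self.edge_by_name[edge.name] = edge

    def learn(self, host):
        """Populate tables as the EVPN control plane would (model, not the protocol)."""
        local = self.edge_by_name[host.edge]
        local.mac_table[(host.bd, host.mac)] = ("port", host.port)
        gw_mac, vn = self.border.vbdif[host.bd]
        for edge in self.edges.values():
            if edge is not local:
                edge.mac_table[(host.bd, host.mac)] = ("vtep", local.vtep)
            edge.mac_table.setdefault((host.bd, gw_mac), ("vtep", self.border.vtep))
        self.border.routes.setdefault(vn, {})[host.ip] = (host.mac, local.vtep)

    def trace(self, src, dst):
        """Return the forwarding steps as (node, action, detail) tuples."""
        steps = []
        if src.bd == dst.bd:
            target_mac = dst.mac                    # same subnet: frame to the host
        else:
            target_mac = self.border.vbdif[src.bd][0]   # other subnet: frame to VBDIF
        ingress = self.edge_by_name[src.edge]
        kind, where = ingress.mac_table[(src.bd, target_mac)]
        if kind == "port":
            steps.append((ingress.name, "local", where))
            return steps
        steps.append((ingress.name, "encap", where))    # outer dst IP = remote VTEP
        if where == self.border.vtep:
            vn = self.border.vbdif[src.bd][1]
            target_mac, next_hop = self.border.routes[vn][dst.ip]
            steps.append(("border", "route", next_hop))  # re-encap toward egress edge
            egress = self.edges[next_hop]
        else:
            egress = self.edges[where]
        _, port = egress.mac_table[(dst.bd, target_mac)]
        steps.append((egress.name, "deliver", port))
        return steps


def build_sample():
    border = Border("10.0.0.254")
    border.vbdif = {10: ("00e0-fc00-0010", "VN1"), 20: ("00e0-fc00-0020", "VN1")}
    fabric = Fabric(border)
    fabric.add_edge(Edge("Edge1", "10.0.0.1"))
    fabric.add_edge(Edge("Edge2", "10.0.0.2"))
    hosts = {
        "H1": Host("H1", "0001-0001-0001", "10.1.10.11", 10, "Edge1", "GE0/0/1"),
        "H2": Host("H2", "0001-0001-0002", "10.1.10.12", 10, "Edge1", "GE0/0/2"),
        "H3": Host("H3", "0001-0001-0003", "10.1.10.13", 10, "Edge2", "GE0/0/1"),
        "H4": Host("H4", "0001-0001-0004", "10.1.20.14", 20, "Edge2", "GE0/0/2"),
    }
    for h in hosts.values():
        fabric.learn(h)
    return fabric, hosts


if __name__ == "__main__":
    fabric, hosts = build_sample()
    for dst in ("H2", "H3", "H4"):
        print(f"H1 -> {dst}:", fabric.trace(hosts["H1"], hosts[dst]))
```

A trace for an inter-subnet pair shows the hairpin through the border node that the text describes: the ingress edge never routes, so even two hosts on the same edge node exchange two VXLAN-encapsulated packets over the underlay.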
Inter-VN Subnet Communication
In the virtualization solution for a large or midsize campus network, VNs are isolated by VPNs at Layer 3. By default, VNs cannot communicate with each other. Subnets in different VNs can communicate with each other through a border node or firewall. Table 2-16 lists the application scenarios of the two communication modes.
| Communication Mode | Application Scenario |
|---|---|
| Communication through a border node | Communication between VNs does not require advanced security policy control by the firewall. In this case, implement policy control based on the free mobility solution, and on the border node import the routes of the network segments that need to reach each other into the VNs. |
| Communication through a firewall | Communication between VNs requires advanced security policy control by the firewall. |
Subnet Communication Between VNs Through a Border Node
To implement communication between VNs through a border node, import the routes of the network segments that need to reach each other into the VNs on the border node. After mutual access traffic arrives at the border node, the border node forwards the traffic between VNs based on the imported routes, as shown in Figure 2-31.
- Users on subnets of different VNs connected to the same edge node communicate with each other through the VXLAN tunnel between the edge node and border node. Mutual access traffic is sent to the border node first, then forwarded between VNs based on the imported routes of the VNs.
- Host 1 and Host 2 are on different subnets. When Host 1 accesses Host 2, the packet is sent to the gateway first. The destination MAC address of the packet is the MAC address of VBDIF 10 on the gateway.
- After the packet arrives at Edge 1, Edge 1 searches for the MAC address entry of VBDIF 10. The entry belongs to BD 10 and is learned from the tunnel source interface (displayed as the IP address) of the border node. Edge 1 then encapsulates the packet into a VXLAN packet.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of Edge 1 and the border node, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at the border node, the border node performs VXLAN decapsulation and searches for the route to the network segment of Host 2 in the VN 1 routing table. Because the VPN routing tables of VN 1 and VN 2 import routes from each other, the direct route to the network segment of Host 2 can be found in the VN 1 routing table. The next hop of the packet is the IP address of the tunnel source interface of Edge 1. The border node then encapsulates the packet into a VXLAN packet. The inner destination MAC address of the packet is the MAC address of Host 2.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of the border node and Edge 1, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at Edge 1, Edge 1 performs VXLAN decapsulation and searches for the MAC address entry of Host 2. The entry belongs to VLAN 20 and is learned from GE0/0/2. Edge 1 then forwards the packet.
- Host 2 receives the packet from Host 1 through GE0/0/2.
- Users on subnets of different VNs connected to different edge nodes communicate with each other through the VXLAN tunnels between the edge nodes and border node. Mutual access traffic is sent to the border node first, then forwarded between VNs based on the imported routes of the VNs.
- Host 1 and Host 2 are on different subnets. When Host 1 accesses Host 2, the packet is sent to the gateway first. The destination MAC address of the packet is the MAC address of VBDIF 10 on the gateway.
- After the packet arrives at Edge 1, Edge 1 searches for the MAC address entry of VBDIF 10. The entry belongs to BD 10 and is learned from the tunnel source interface (displayed as the IP address) of the border node. Edge 1 then encapsulates the packet into a VXLAN packet.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of Edge 1 and the border node, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at the border node, the border node performs VXLAN decapsulation and searches for the route to the network segment of Host 2 in the VN 1 routing table. Because the VPN routing tables of VN 1 and VN 2 import routes from each other, the direct route to the network segment of Host 2 can be found in the VN 1 routing table. The next hop is the IP address of the tunnel source interface of Edge 2. The border node then encapsulates the packet into a VXLAN packet. The inner destination MAC address of the packet is the MAC address of Host 2.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of the border node and Edge 2, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at Edge 2, Edge 2 performs VXLAN decapsulation and searches for the MAC address entry of Host 2. The entry belongs to VLAN 20 and is learned from GE0/0/1. Edge 2 then forwards the packet.
- Host 2 receives the packet from Host 1 through GE0/0/1.
Subnet Communication Between VNs Through a Firewall
To implement communication between VNs through a firewall, configure mutual access control policies between security zones of the firewall. After mutual access traffic arrives at the firewall, the firewall forwards the traffic between VNs based on the mutual access policies, as shown in Figure 2-32.
- Users on subnets of different VNs connected to the same edge node communicate with each other through the VXLAN tunnel between the edge node and border node. Mutual access traffic is sent to the border node first, then forwarded to the firewall based on the imported routes of external networks. The firewall then forwards the traffic between VNs based on mutual access control policies between security zones.
- Host 1 and Host 2 are on different subnets. When Host 1 accesses Host 2, the packet is sent to the gateway first. The destination MAC address of the packet is the MAC address of VBDIF 10 on the gateway.
- After the packet arrives at Edge 1, Edge 1 searches for the MAC address entry of VBDIF 10. The entry belongs to BD 10 and is learned from the tunnel source interface (displayed as the IP address) of the border node. Edge 1 then encapsulates the packet into a VXLAN packet.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of Edge 1 and the border node, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at the border node, the border node performs VXLAN decapsulation and searches for the route to the network segment of Host 2 in the VN 1 routing table. Because the VPN routing tables of VN 1 and the external network resource model VN1-Outer import routes from each other, the route to the network segment of Host 2 can be found in the VN 1 routing table. The next hop of the packet is the IP address of GE1/0/1.1 on the firewall. The destination MAC address of the packet is the MAC address of GE1/0/1.1, and the packet is not encapsulated into a VXLAN packet.
- After the packet arrives at the firewall, the firewall allows VN 1 to access VN 2 based on the mutual access policies and searches for the route to the network segment of Host 2. The next hop of the packet is the IP address of VLANIF 12 on the border node. The destination MAC address of the packet is the MAC address of VLANIF 12, and the packet is not encapsulated into a VXLAN packet.
- After the packet arrives at the border node, the border node searches for the direct route to Host 2 in the VN 2 routing table. The next hop of the packet is the IP address of the tunnel source interface of Edge 1. The border node then encapsulates the packet into a VXLAN packet. The inner destination MAC address of the packet is the MAC address of Host 2.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of the border node and Edge 1, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at Edge 1, Edge 1 performs VXLAN decapsulation and searches for the MAC address entry of Host 2. The entry belongs to VLAN 20 and is learned from GE0/0/2. Edge 1 then forwards the packet.
- Host 2 receives the packet from Host 1 through GE0/0/2.
- Users on subnets of different VNs connected to different edge nodes communicate with each other through the VXLAN tunnels between the edge nodes and border node. Mutual access traffic is sent to the border node first, then forwarded to the firewall based on the imported routes of external networks. The firewall then forwards the traffic between VNs based on mutual access control policies between security zones.
- Host 1 and Host 2 are on different subnets. When Host 1 accesses Host 2, the packet is sent to the gateway first. The destination MAC address of the packet is the MAC address of VBDIF 10 on the gateway.
- After the packet arrives at Edge 1, Edge 1 searches for the MAC address entry of VBDIF 10. The entry belongs to BD 10 and is learned from the tunnel source interface (displayed as the IP address) of the border node. Edge 1 then encapsulates the packet into a VXLAN packet.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of Edge 1 and the border node, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at the border node, the border node performs VXLAN decapsulation and searches for the route to the network segment of Host 2 in the VN 1 routing table. Because the VPN routing tables of VN 1 and the external network resource model VN1-Outer import routes from each other, the route to the network segment of Host 2 can be found in the VN 1 routing table. The next hop of the packet is the IP address of GE1/0/1.1 on the firewall. The destination MAC address of the packet is the MAC address of GE1/0/1.1, and the packet is not encapsulated into a VXLAN packet.
- After the packet arrives at the firewall, the firewall allows VN 1 to access VN 2 based on the mutual access policies and searches for the route to the network segment of Host 2. The next hop of the packet is the IP address of VLANIF 12 on the border node. The destination MAC address of the packet is the MAC address of VLANIF 12, and the packet is not encapsulated into a VXLAN packet.
- After the packet arrives at the border node, the border node searches for the direct route to the network segment of Host 2 in the VN 2 routing table. The next hop is the IP address of the tunnel source interface of Edge 2. The border node then encapsulates the packet into a VXLAN packet. The inner destination MAC address of the packet is the MAC address of Host 2.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of the border node and Edge 2, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at Edge 2, Edge 2 performs VXLAN decapsulation and searches for the MAC address entry of Host 2. The entry belongs to VLAN 20 and is learned from GE0/0/1. Edge 2 then forwards the packet.
- Host 2 receives the packet from Host 1 through GE0/0/1.
Communication Between VNs and External Networks
In the virtualization solution for a large or midsize campus network, two resource models are designed for the fabric network: external network resources and network service resources. For each resource created, a VRF instance is allocated. During VN creation and resource selection, VNs and external network resources (or network service resources) automatically import routes from each other to enable mutual access, as shown in Figure 2-33.
- Users in a VN access the Internet through the VXLAN tunnel between the edge node and border node. Traffic is sent to the border node first, then forwarded to the firewall based on the imported routes of external networks. The firewall then forwards the packet to the Internet.
- Host 1 and the Internet are on different subnets. When Host 1 accesses the Internet, the packet is sent to the gateway first. The destination MAC address of the packet is the MAC address of VBDIF 10 on the gateway.
- After the packet arrives at Edge 1, Edge 1 searches for the MAC address entry of VBDIF 10. The entry belongs to BD 10 and is learned from the tunnel source interface (displayed as the IP address) of the border node. Edge 1 then encapsulates the packet into a VXLAN packet.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of Edge 1 and the border node, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at the border node, the border node performs VXLAN decapsulation and searches for the route to the Internet in the VN 1 routing table. Because the VPN routing tables of VN 1 and the external network resource model VN1-Outer import routes from each other, the route to the Internet can be found in the VN 1 routing table. The next hop of the packet is the IP address of GE1/0/1.1 on the firewall. The destination MAC address of the packet is the MAC address of GE1/0/1.1, and the packet is not encapsulated into a VXLAN packet.
- After the packet arrives at the firewall, the firewall allows VN 1 to access the Internet based on the mutual access policies and searches for the route to the Internet. The firewall then forwards the packet.
- Users in a VN access network service resources through the VXLAN tunnel between the edge node and border node. Traffic is sent to the border node first, then forwarded, based on the routes imported from the network management zone, to the gateway of that zone. That gateway then forwards the packet into the network management zone.
- Host 1 and the network service resource are on different subnets. When Host 1 accesses the network service resource, the packet is sent to the gateway first. The destination MAC address of the packet is the MAC address of VBDIF 10 on the gateway.
- After the packet arrives at Edge 1, Edge 1 searches for the MAC address entry of VBDIF 10. The entry belongs to BD 10 and is learned from the tunnel source interface (displayed as the IP address) of the border node. Edge 1 then encapsulates the packet into a VXLAN packet.
- After the encapsulation, the outer source and destination IP addresses of the packet are the IP addresses of tunnel source interfaces of Edge 1 and the border node, respectively. Then the packet is forwarded based on the underlay route.
- After the packet arrives at the border node, the border node performs VXLAN decapsulation and searches for the route to the network service resource in the VN 1 routing table. Because the VPN routing tables of VN 1 and the network service resource model VN1-Server import routes from each other, the route to the network service resource can be found in the VN 1 routing table. The next hop of the packet is the IP address of VLANIF 11 on the gateway in the network management zone. The destination MAC address of the packet is the MAC address of VLANIF 11, and the packet is not encapsulated into a VXLAN packet.
- After the packet arrives at the gateway in the network management zone, the gateway searches for the route to the network service resource and forwards the packet.
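The encapsulation step that both the inter-VN and the VN-to-external-network procedures above share (Edge 1 wraps the Host 1 frame, addressed to the VBDIF 10 gateway MAC, in a VXLAN packet whose outer IP addresses are the two VTEPs) can be made concrete with a minimal VXLAN encapsulator and decapsulator. This is an added example, not code from the design document or its vendor; the VTEP addresses, MAC addresses and the VNI mapped to BD 10 are constructed assumptions, and the decapsulator is the kind of check a defender runs on an underlay capture to attribute a flow to its VN and inner endpoints.

```python
import struct

VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN UDP port

def mac_bytes(mac): return bytes(int(x, 16) for x in mac.split(":"))
def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(ip): return bytes(int(x) for x in ip.split("."))
def fmt_ip(b): return ".".join(str(x) for x in b)

def encap(outer_src_ip, outer_dst_ip, vni, inner_dst_mac, inner_src_mac, payload):
    """VTEP encapsulation: inner Ethernet frame inside VXLAN, UDP and outer IPv4.
    The outer addresses are the tunnel source interfaces (VTEPs) of the two nodes."""
    eth = mac_bytes(inner_dst_mac) + mac_bytes(inner_src_mac) + b"\x08\x00" + payload
    # VXLAN header: flags byte with the I bit (0x08) set, 3 reserved bytes,
    # then the 24-bit VNI in the upper three bytes of the last 32-bit word.
    vxlan = struct.pack("!B3sI", 0x08, b"\x00\x00\x00", vni << 8)
    udp_len = 8 + len(vxlan) + len(eth)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)  # zero checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     ip_bytes(outer_src_ip), ip_bytes(outer_dst_ip))
    return ip + udp + vxlan + eth

def decap(pkt):
    """VTEP decapsulation: (outer src, outer dst, VNI, inner dst MAC, inner src MAC, payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:
        raise ValueError("outer protocol is not UDP")
    _, dport, _, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN packet")
    flags, _, vni_field = struct.unpack("!B3sI", pkt[ihl + 8:ihl + 16])
    if not flags & 0x08:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    eth = pkt[ihl + 16:]
    return (fmt_ip(pkt[12:16]), fmt_ip(pkt[16:20]), vni_field >> 8,
            fmt_mac(eth[0:6]), fmt_mac(eth[6:12]), eth[14:])

# Constructed values (assumptions, not from the design document).
EDGE1_VTEP, BORDER_VTEP = "10.255.0.1", "10.255.0.254"        # loopback VTEP addresses
GW_MAC, HOST1_MAC = "00:00:5e:00:01:0a", "02:00:00:00:00:01"  # VBDIF 10 gateway, Host 1
BD10_VNI = 10010                                              # VNI mapped to BD 10

def edge1_to_border_leg():
    """Host 1 -> gateway frame as it crosses the underlay from Edge 1 to the border node."""
    return decap(encap(EDGE1_VTEP, BORDER_VTEP, BD10_VNI, GW_MAC, HOST1_MAC, b"ip-payload"))
```

The border-to-edge leg of the same procedures is the same construction with the VTEP addresses swapped and the inner destination MAC set to that of Host 2.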