Solution Design
This chapter focuses on the planning and deployment of WAN-side interconnection services between multiple campuses. LAN-side services within a campus network are not described.
Based on the networking and requirements of enterprise A, the service provider (SP) recommends the EVPN interconnection network solution, which will replace the private line network. Enterprise A cannot deploy the EVPN interconnection network by itself and requests the SP to deploy it. Therefore, the MSP-operated O&M solution is used. Figure 3-1 shows the EVPN networking for enterprise A.
Site Design
- Hub_1 is the active headquarters site and uses two AR routers as the egress devices of the campus network. The LAN side of the campus network is a Layer 3 network. At this site, only the egress AR routers are managed by iMaster NCE-Campus, and the other LAN-side devices are managed locally.
- Hub_2 is the standby headquarters site and uses two AR routers as the egress devices of the campus network. The LAN side of the campus network is a Layer 3 network. At this site, only the egress AR routers are managed by iMaster NCE-Campus, and the other LAN-side devices are managed locally.
- Site_1 is a small branch and uses a single AR router as the egress device of the campus network. The LAN side of the campus network is a Layer 2 network, and APs are deployed on the LAN side.
- Site_2 is a midsize branch and uses a single AR router as the egress device of the campus network. The LAN side of the campus network is a Layer 2 network, and access switches and APs are deployed on the LAN side.
- Site_3 is a large branch and uses two AR routers as the egress devices of the campus network. The LAN side of the campus network is a Layer 2 network, and core switches, access switches, and APs are deployed on the LAN side.
- Core switches function as the LAN-side device gateways and service gateways of the headquarters sites, and AR routers function only as the egress devices of the campus network.
- The AR routers deployed at the egress function as the LAN-side device gateways and service gateways of the branch sites.
In this example, LAN-side devices at the enterprise headquarters have been deployed before the EVPN Interconnection Solution is used and are managed locally. This document presents only the related configurations on egress AR routers.
In actual scenarios, LAN-side devices and networking modes can be selected based on site requirements.
Underlay Network Design
- Transport network design
  All sites use both the MPLS and Internet links to transmit data. On the MPLS and Internet links, data is encrypted using IPSec to implement secure interconnection.
- WAN link template design
  - Hub_1 and Hub_2 use the same template Hub, in which dual gateways (gateway 1 and gateway 2) are deployed. Gateway 1 uses the MPLS link and gateway 2 uses the Internet link to transmit data.
  - Branch sites Site_1 and Site_2 use the same template Branch1, in which a single gateway is deployed and uses both the MPLS and Internet links to transmit data.
  - Branch site Site_3 uses the template Branch2, in which dual gateways (gateway 1 and gateway 2) are deployed. Gateway 1 uses the MPLS link and gateway 2 uses the Internet link to transmit data.
- WAN link parameter design
  - The MPLS and Internet links of Hub_1, Hub_2, and Site_3 use static IP addresses to connect to the WAN.
  - At Site_1 and Site_2, the MPLS links use static IP addresses and the Internet links use the PPPoE mode to connect to the WAN.
- NTP design
  - The headquarters sites function as both the NTP client and the NTP server of branch sites. NTP parameters need to be set manually.
  - Branch sites function as NTP clients and automatically synchronize configurations from the headquarters sites.
- Underlay WAN-side route design
  Static, BGP, and OSPF routes can be configured for the WAN side of the underlay network. In this example, static routes are used.
Overlay Network Design
- Overlay networking design
  - The headquarters sites function as RRs, and branch sites are associated with the RRs so that routes between sites are reflected through the RRs.
  - All the headquarters and branch sites are on the same virtual network (VN). The hub-spoke topology is used, and traffic between branch sites traverses a hub site.
- LAN-WAN interconnection interface design
  - Connect the AR routers deployed at the egress of a headquarters site to the LAN-side core switch through a Layer 3 sub-interface.
  - Plan the management and service network segments for LAN-side devices, and connect the AR router at the egress of a branch site to LAN-side devices through a Layer 2 sub-interface.
  - Enable the DHCP server on the AR router deployed at the egress of a branch site, and set DHCP Option 148.
  - Configure VRRP for the dual AR routers deployed at the egress of a branch site to improve reliability.
- LAN-WAN interworking route design (overlay LAN-side routes)
  BGP, OSPF, and static routes can be configured for LAN-WAN interworking, depending on the LAN-side networking.
  - The LAN side of a headquarters site is a Layer 3 network, so LAN-WAN interworking routes need to be configured. In this example, BGP routes are used.
  - The LAN side of a branch site is a Layer 2 network, so LAN-WAN interworking routes do not need to be configured.
Policy Design
- Traffic policy design
  - The VoIP and Software_Update applications are used as examples to describe how to design different application groups and traffic policy templates for different applications.
  - Enable the application-based Internet access function for all branch sites so that LAN-side devices at the sites can access iMaster NCE-Campus. In addition, enable the NAT function on the WAN links.
  - Configure intelligent traffic steering policies. Configure intelligent traffic steering on a VN to ensure that VoIP service traffic is preferentially transmitted over the optimal link when the network link quality is poor.
  - Configure QoS policies for the overlay network to ensure that VoIP services are preferentially forwarded when network congestion occurs.
- Security policy design
  Configure URL filtering to control the URLs accessed by users and ensure acceptable employee online behaviors.
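The intelligent traffic steering policy above is described only by its goal (VoIP stays on the best link when quality degrades). The following is an added example, not code from the design document or from iMaster NCE-Campus, of the decision such a policy makes on every probe round. The link names follow the design (MPLS preferred for VoIP, Internet as backup); the SLA thresholds, the probe samples, the per-application preference order and the switch-back damping are constructed assumptions.

```python
"""Added example (not from the design document or the product): a link-selection
decision for an intelligent traffic steering policy. Thresholds, preference
order and damping are constructed assumptions, not product defaults."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Sla:
    max_delay_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass(frozen=True)
class LinkProbe:
    delay_ms: float
    jitter_ms: float
    loss_pct: float


# Constructed per-application SLA thresholds (illustrative values).
APP_SLA: Dict[str, Sla] = {
    "VoIP": Sla(max_delay_ms=150, max_jitter_ms=30, max_loss_pct=1.0),
    "Software_Update": Sla(max_delay_ms=1000, max_jitter_ms=200, max_loss_pct=5.0),
}

# Link preference per application (assumption reflecting the design intent:
# VoIP on the MPLS link, bulk updates on the Internet link).
APP_PREFERENCE: Dict[str, List[str]] = {
    "VoIP": ["MPLS", "Internet"],
    "Software_Update": ["Internet", "MPLS"],
}


def meets_sla(probe: LinkProbe, sla: Sla) -> bool:
    return (probe.delay_ms <= sla.max_delay_ms
            and probe.jitter_ms <= sla.max_jitter_ms
            and probe.loss_pct <= sla.max_loss_pct)


class Steerer:
    """Chooses the link per application on every probe round.

    Rules: leave the current link as soon as it breaches the SLA; move back to a
    more preferred link only after it has met the SLA for `stable_probes`
    consecutive rounds (damping, so a flapping link does not drag traffic along);
    if no link meets the SLA, fall back to the least lossy, then lowest-delay link.
    """

    def __init__(self, stable_probes: int = 3) -> None:
        self.stable_probes = stable_probes
        self.current: Dict[str, Optional[str]] = {}
        # (app, link) -> number of consecutive probes that met the SLA
        self.streak: Dict[Tuple[str, str], int] = {}

    def decide(self, app: str, probes: Dict[str, LinkProbe]) -> str:
        sla = APP_SLA[app]
        ok = {link: meets_sla(p, sla) for link, p in probes.items()}
        for link, good in ok.items():
            key = (app, link)
            self.streak[key] = (self.streak.get(key, 0) + 1) if good else 0
        cur = self.current.get(app)
        cur_ok = cur is not None and ok.get(cur, False)
        chosen: Optional[str] = None
        for link in APP_PREFERENCE[app]:
            if not ok.get(link):
                continue
            # keep a compliant current link; switch immediately if the current
            # link failed; otherwise only move to a link that has been stable
            if link == cur or not cur_ok or self.streak[(app, link)] >= self.stable_probes:
                chosen = link
                break
        if chosen is None:
            # nothing meets the SLA: best effort by loss, then delay
            chosen = min(probes, key=lambda l: (probes[l].loss_pct, probes[l].delay_ms))
        self.current[app] = chosen
        return chosen
```

Run with a sequence of probe rounds (MPLS good, MPLS lossy, MPLS recovered for three rounds) and the steerer moves VoIP to the Internet link on the first bad round and only returns it to MPLS once MPLS has been compliant for the configured number of consecutive probes.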
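The URL filtering item above states the goal but not the matching rules a policy needs to enforce it reliably. The following is an added example, not code from the design document or from iMaster NCE-Campus, of a minimal evaluator that normalises the host of a requested URL and matches allow, deny and category lists on domain-label boundaries. The lists, the category map and the default action are constructed; a real deployment takes categories from the vendor's URL category database.

```python
"""Added example (not from the design document or the product): a minimal URL
filtering evaluator. Domain lists and categories below are constructed."""
import ipaddress
from typing import Dict, Set, Tuple
from urllib.parse import unquote, urlsplit


def host_of(url: str) -> str:
    """Normalised host: lowercase, userinfo and port removed, %xx decoded,
    trailing dot stripped. Anything after '#' or '?' is never part of the host."""
    if "://" not in url:
        url = "http://" + url                 # bare host or host/path as users type it
    host = urlsplit(url).hostname or ""       # lowercased, without userinfo/port
    return unquote(host).rstrip(".")


def domain_matches(host: str, pattern: str) -> bool:
    """Match the domain and its subdomains on label boundaries only:
    'bank.example' matches 'www.bank.example' but neither 'notbank.example'
    nor 'bank.example.attacker.test' (a plain substring test would match both)."""
    return host == pattern or host.endswith("." + pattern)


class UrlFilter:
    def __init__(self, allow: Set[str], deny: Set[str],
                 categories: Dict[str, str], blocked_categories: Set[str],
                 default: str = "allow") -> None:
        self.allow = sorted(allow)
        self.deny = sorted(deny)
        self.categories = categories          # domain -> category name
        self.blocked = blocked_categories
        self.default = default

    def evaluate(self, url: str) -> Tuple[str, str]:
        """Return (action, reason). Order: explicit allow, explicit deny,
        blocked category, then the default action."""
        host = host_of(url)
        if not host:
            return ("deny", "no-host")
        for d in self.allow:
            if domain_matches(host, d):
                return ("allow", f"allowlist:{d}")
        for d in self.deny:
            if domain_matches(host, d):
                return ("deny", f"denylist:{d}")
        for d, cat in self.categories.items():
            if cat in self.blocked and domain_matches(host, d):
                return ("deny", f"category:{cat}")
        try:
            ipaddress.ip_address(host)
            # IP-literal hosts bypass every domain list; report them so they can be logged
            return (self.default, "ip-literal")
        except ValueError:
            return (self.default, "default")
```

The reason string is meant for the policy log: it tells an operator which list produced a verdict, and the "ip-literal" reason flags the requests that no domain list can ever cover.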
Site Deployment Design
- Deployment at headquarters sites:
LAN-side devices at a headquarters site have been deployed. You only need to deploy AR routers at the egress through emails.
- Deployment at branch sites:
All devices at branch sites need to be newly deployed. Egress AR routers are deployed through emails, and LAN devices at sites are deployed through DHCP Option 148.
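DHCP Option 148 appears twice in this design: the branch egress AR router serves it (LAN-WAN interconnection interface design), and LAN devices use it to find their management system (deployment at branch sites). The following is an added example, not code from the design document or from iMaster NCE-Campus, that builds the option as a DHCP TLV and parses it back with validation of the values a device would act on. The option code, the TLV framing and the splitting and concatenation of values longer than 255 bytes follow RFC 2132 and RFC 3396; the key=value payload layout and its key names (agilemode, agilemanage-mode, agilemanage-domain, agilemanage-port) are an assumption used for illustration.

```python
"""Added example (not from the design document or the product): DHCP Option 148
TLV encoding and parsing. The key=value payload layout is an assumption."""
import ipaddress
from typing import Dict

OPTION_PAD = 0
OPTION_148 = 148
OPTION_END = 255


def encode_option(code: int, value: bytes) -> bytes:
    """TLV framing: code, length, value. A value longer than 255 bytes is emitted
    as repeated options with the same code (RFC 3396 long-option encoding)."""
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)] or [b""]
    return b"".join(bytes([code, len(chunk)]) + chunk for chunk in chunks)


def build_option148(fields: Dict[str, str]) -> bytes:
    # assumed layout: key=value pairs separated by ';'
    payload = ";".join(f"{k}={v}" for k, v in fields.items()).encode("ascii")
    return encode_option(OPTION_148, payload)


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Walk a DHCP option field; repeated codes are concatenated (RFC 3396).
    Truncated options raise instead of yielding a partial value."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for option {code}")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def _valid_hostname(name: str) -> bool:
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return all(0 < len(lbl) <= 63 and lbl.replace("-", "").isalnum()
               and not lbl.startswith("-") and not lbl.endswith("-") for lbl in labels)


def parse_option148(value: bytes) -> Dict[str, str]:
    """Decode the assumed key=value payload and validate the fields a device
    would trust: the management address must be a well-formed IP literal or
    hostname according to the declared mode, and the port must be in range."""
    text = value.decode("ascii")              # raises on non-ASCII bytes
    fields: Dict[str, str] = {}
    for item in filter(None, text.split(";")):
        if "=" not in item:
            raise ValueError(f"malformed item: {item!r}")
        key, val = item.split("=", 1)
        fields[key.strip()] = val.strip()
    mode = fields.get("agilemanage-mode")
    addr = fields.get("agilemanage-domain", "")
    if mode == "ip":
        ipaddress.ip_address(addr)            # ValueError if not an IP literal
    elif mode == "domain":
        if not _valid_hostname(addr):
            raise ValueError(f"invalid hostname: {addr!r}")
    else:
        raise ValueError(f"unknown agilemanage-mode: {mode!r}")
    port = int(fields.get("agilemanage-port", "0"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return fields
```

Validating the decoded fields matters because Option 148 is the bootstrap channel for every LAN device at a branch: a device that accepts an unparseable or out-of-range management address silently fails to register, so rejecting such values early makes the deployment failure visible.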