
Smart Access Gateway: Deploy an SAG device in one-arm mode and enable dynamic routing

Last Updated: Nov 13, 2023

This topic describes how to deploy a Smart Access Gateway (SAG) device in one-arm mode and enable Open Shortest Path First (OSPF) routing to connect an on-premises network to Alibaba Cloud.

Prerequisites

  • A virtual private cloud (VPC) is created. For more information, see Create and manage a VPC.

  • A Cloud Enterprise Network (CEN) instance is created and the VPC is attached to the CEN instance. For more information, see Create a CEN instance.

Background information

In this example, a company needs to connect its on-premises network to Alibaba Cloud. The company has created a VPC network in the China (Beijing) region and deployed application services in the VPC network. The company wants to use SAG to connect its on-premises network in the Chinese mainland to Alibaba Cloud. The model of the SAG device used in this example is SAG-1000. The SAG device is deployed in one-arm mode and OSPF dynamic routing is enabled. This solution connects the on-premises network to Alibaba Cloud without changing the topology of the on-premises network.

[Figure: Network topology]

Subnetting

The following CIDR blocks are used in this example. When you allocate CIDR blocks based on your business requirements, make sure that the CIDR blocks do not overlap with each other.

  • On-premises network of the company:

    • Workloads: 172.16.0.0/12

    • WAN port (port 5) of the SAG device: 192.168.100.1/30. Gateway: 192.168.100.2

    • Port G11 of the Layer 3 switch: 192.168.100.2/30

    • Loopback interface: 192.168.100.3/32

    • Port G1 of the Internet-facing router: 192.168.80.1/30

    • Port G2 of the Layer 3 switch: 192.168.80.2/30

  • VPC network in the China (Beijing) region: 10.0.0.0/16

Configuration procedure


Step 1: Purchase an SAG device

After you purchase SAG devices in the SAG console, Alibaba Cloud delivers the devices to the specified address and creates SAG instances to facilitate network management.

Note

To use SAG devices in areas outside the Chinese mainland, you must purchase SAG devices from third-party vendors. For more information, see Purchase SAG devices.

  1. Log on to the SAG console.

  2. On the Smart Access Gateway page, click Purchase SAG.

  3. Select SAG (CPE).

  4. On the Smart Access Gateway page, set the following parameters and click Buy Now:

    • Area: Select the area where the SAG device will be deployed. Mainland China is selected in this example.

    • Device Spec: Select the model of the SAG device. SAG-1000 is selected in this example.

    • Have SAG Devices Already: Select whether you already have an SAG device. In this example, No is selected.

    • Edition: Select the edition of the SAG device. Standard is selected in this example.

    • Quantity: Select the number of SAG devices that you want to purchase. 1 is selected in this example.

    • Area: Select the area where the SAG bandwidth will be used. This area is the same as that of the SAG device and cannot be modified.

    • Instance Name: Enter a name for the SAG instance.

      The name must be 2 to 128 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_). It must start with a letter.

    • Peak Bandwidth: Select a maximum bandwidth value for network connections. 50 Mbps is selected in this example.

    • Subscription Duration: Select a subscription duration.

  5. Confirm the order information, select the terms of service, and then click Buy Now.

  6. In the Shipping Address dialog box, enter a recipient address and click Buy Now.

  7. On the Pay page, select a payment method and complete the payment.

  8. You can check whether the order has been placed on the Smart Access Gateway page. SAG devices will be shipped within two business days after you place the order. To check the shipping updates, perform the following steps:
    1. On the Smart Access Gateway page, find the SAG instance.
    2. Choose the More icon > View Shipping Update in the Actions column.
    3. In the Order Updates panel, view the shipping updates.

Step 2: Activate the SAG device

After you receive an SAG-1000 device, check whether you have received all the accessories. For more information, see SAG-1000 device specifications.

Then, you must activate the SAG device and connect it to your on-premises network.

  1. Log on to the SAG console.

  2. In the top navigation bar, select the area where the SAG device is deployed.

  3. On the Smart Access Gateway page, find the SAG instance that you want to activate. Associate the SAG device with the SAG instance. For more information, see Add a device.

  4. After you associate the SAG device with the SAG instance, return to the Smart Access Gateway page. Find the SAG instance and choose the More icon > Activate in the Actions column.

  5. In the Activate message, click OK.

  6. After the SAG device is activated, connect it to the on-premises network based on the preceding network topology.

    Use a network cable to connect the WAN port of the SAG device to port G11 of the Layer 3 switch.

    In this example, the WAN port is port 5. If you do not want port 5 to be the WAN port, you can modify the port roles. For more information, see Assign a role to a port.

    Note
    • Only version 2.0 of SAG-1000 devices allows you to modify port roles.

    • Before you assign port roles, make sure that the SAG device is activated, the 4G network works as expected, and the device is connected to Alibaba Cloud.

Step 3: Configure the SAG device

After the SAG device is connected to the on-premises network, you can configure the device ports in the SAG console. Make sure that the SAG device is activated, the 4G network works as expected, and the device is connected to Alibaba Cloud.

  1. Configure the ports.

    1. Log on to the SAG console.

    2. In the top navigation bar, select the area where the SAG instance is deployed.

    3. On the Smart Access Gateway page, click the ID of the SAG instance.

    4. On the instance details page, click the Device Management tab.

    5. On the Device Management tab, click Manage WAN Ports in the left-side navigation tree.

    6. In the WAN (Port 5) section, click Edit.

    7. In the Configure WAN (Port 5) dialog box, set the following parameters and click OK.

      • Link Type: Select Static.

      • Priority: 1 is selected by default.

      • IP Address: Enter the IP address of the WAN port. 192.168.100.1 is used in this example.

      • Subnet Mask: Enter the subnet mask of the WAN port IP address. 255.255.255.252 is used in this example.

      • Gateway: Enter the IP address of the gateway. 192.168.100.2 is used in this example.

        Note

        After the gateway is configured, the SAG device automatically adds a default route.

  2. Configure OSPF dynamic routing.

    Configure OSPF dynamic routing to establish network communication between the SAG device and Layer 3 switch.

    1. On the Device Management tab, click Manage Routes in the left-side management pane.

    2. In the OSPF Protocol Settings section, click Edit.

    3. In the Configure OSPF Protocol dialog box, enter the information about the allocated IP address and click OK.

      • Area ID: Set the area ID to 1.

      • Hello_time: Set the hello time to 3 seconds.

      • Dead_time: Set the dead time to 10 seconds.

      • Authentication: Select Disable Authentication.

      • Router ID: Set the router ID to 192.168.100.1.

      • Area Type: Default value: NSSA.

    4. In the WAN/LAN Dynamic Routing Settings section, select Enable OSPF Protocol.

    5. Find Port 5(LAN), click Edit in the Actions column, select Enable OSPF, and then click OK.

  3. Select a method to advertise routes to Alibaba Cloud.

    You must specify how routes are advertised to Alibaba Cloud. These routes are used for network communication between the on-premises network and cloud resources.

    1. On the instance details page, click the Network Configuration tab.

    2. In the left-side navigation tree, click Methods to Synchronize with On-premises Routes.

    3. Select Static Routing, click Add Static Route to add a CIDR block, and then click OK.

      Enter the CIDR block used to connect the on-premises network to Alibaba Cloud. 172.16.0.0/12 is used in this example.


Step 4: Configure switches and Internet-facing routers

In this step, you must configure the peer switch and Internet-facing router for the SAG device. Switches and routers used in this example may be different from yours. For more information, see the manuals issued by your providers.

  1. Configure the Layer 3 switch.

    #a. Set the port IP address and OSPF parameters.
    interface GigabitEthernet 0/11
     no switchport
     ip ospf network point-to-point                        #The OSPF network type of the port must be point-to-point (P2P). Otherwise, the SAG device cannot calculate routes correctly.
     ip ospf hello-interval 3                              #Must match the hello time set on the SAG device.
     ip ospf dead-interval 10                              #Must match the dead time set on the SAG device.
     ip address 192.168.100.2 255.255.255.252

    #b. Configure the loopback IP address and route advertisement information for the switch.
    interface Loopback 0
     ip address 192.168.100.3 255.255.255.255              #The loopback IP address of the switch.

    router ospf 1                                          #OSPF process 1 on the switch.
     router-id 192.168.100.3                               #The router ID of the switch that uses the OSPF protocol.
     network 172.16.0.0 0.15.255.255 area 0                #The CIDR block of the on-premises network.
     network 192.168.100.0 0.0.0.3 area 1                  #The CIDR block of the switch port connected to the SAG device. The wildcard mask for the /30 subnet is 0.0.0.3.
     network 192.168.100.3 0.0.0.0 area 0                  #The loopback IP address of the switch.
     area 1 nssa                                           #The OSPF area is NSSA, the same area type as on the SAG device.

  2. Configure routes for the Internet-facing router.

    
    ip route 192.168.100.0 255.255.255.252 192.168.80.2    #The route to the SAG device.
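
The switch-side OSPF values in Step 4 have to agree with what was entered for the SAG device in Step 3. The following check is an added example, not part of the original topic or of any Alibaba Cloud tool: it parses a constructed copy of the switch commands and reports mismatches in address, timers, network type, area type and network-statement coverage. The names `SAG`, `SWITCH_CONFIG`, `check_peer` and `wildcard_match` are hypothetical, and the sample assumes the command syntax shown above with a wildcard mask of 0.0.0.3 for the /30 link.

```python
import ipaddress
import re

# SAG-side values entered in the console in Step 3 of this topic.
SAG = {"gateway": "192.168.100.2", "mask": "255.255.255.252",
       "area": "1", "hello": 3, "dead": 10, "area_type": "nssa"}

# Constructed sample input: the Step 4 switch commands, /30 wildcard 0.0.0.3.
SWITCH_CONFIG = """\
interface GigabitEthernet 0/11
 ip ospf network point-to-point
 ip ospf hello-interval 3
 ip ospf dead-interval 10
 ip address 192.168.100.2 255.255.255.252
router ospf 1
 router-id 192.168.100.3
 network 172.16.0.0 0.15.255.255 area 0
 network 192.168.100.0 0.0.0.3 area 1
 network 192.168.100.3 0.0.0.0 area 0
 area 1 nssa
"""

def wildcard_match(addr, base, wildcard):
    """True if addr matches base under an OSPF wildcard mask (set bits are ignored)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def check_peer(cfg, sag=SAG):
    """Return the mismatches between a switch config and the SAG OSPF settings."""
    problems = []
    ip = re.search(r"ip address (\S+) (\S+)", cfg)
    if not ip or ip.groups() != (sag["gateway"], sag["mask"]):
        problems.append("switch port address/mask does not match the SAG gateway")
    for key, word in (("hello", "hello-interval"), ("dead", "dead-interval")):
        m = re.search(rf"ip ospf {word} (\d+)", cfg)
        if not m or int(m.group(1)) != sag[key]:
            problems.append(f"{word} differs from the SAG value {sag[key]}")
    if "ip ospf network point-to-point" not in cfg:
        problems.append("OSPF network type is not point-to-point")
    if not re.search(rf"area {sag['area']} {sag['area_type']}\b", cfg):
        problems.append(f"area {sag['area']} is not configured as {sag['area_type']}")
    nets = re.findall(r"network (\S+) (\S+) area (\S+)", cfg)
    if ip and not any(area == sag["area"] and wildcard_match(ip.group(1), b, w)
                      for b, w, area in nets):
        problems.append("no network statement puts the SAG-facing port in the SAG area")
    return problems

if __name__ == "__main__":
    print(check_peer(SWITCH_CONFIG) or "switch config matches the SAG OSPF settings")
```

A wildcard mask of 0.0.0.4 on the area 1 network statement fails the last check, because it does not cover 192.168.100.2.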
                    

Step 5: Set up network connections

After you configure the SAG device, you must set up network connections to connect the on-premises network to Alibaba Cloud.

  1. Create a Cloud Connect Network (CCN) instance.

    1. Log on to the SAG console.

    2. In the top navigation bar, select Mainland China.

      The CCN instance and SAG instance must be deployed in the same area.

    3. In the left-side navigation pane, click CCN.

    4. On the CCN page, click Create CCN Instance.

    5. In the Create CCN Instance panel, enter a name for the CCN instance and click OK.

      The name must be 2 to 100 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter.

  2. Associate the SAG instance with a CCN instance.

    1. In the left-side navigation pane, click Smart Access Gateway.

    2. On the Smart Access Gateway page, find the SAG instance and click Network Configuration in the Actions column.

    3. In the left-side management pane, click Network Instance Details.

    4. On the Network Instance Details tab, click Attach Network, select the CCN instance you created, and then click OK.

  3. Associate the CCN instance with a CEN instance.

    After the CCN instance is associated with the CEN instance, SAG devices associated with the CCN instance can communicate with VPC networks attached to the CEN instance.

    1. In the left-side navigation pane, click CCN.

    2. Find the CCN instance and click Bind CEN Instance in the Actions column.

    3. In the Bind CEN Instance pane, select Existing CEN, select the CCN instance from the drop-down list, and then click OK.

  4. Configure security group rules.

    You must create a security group rule for the Elastic Compute Service (ECS) instance in the VPC to allow clients in the CIDR block 172.16.0.0/12 of the on-premises network to access resources deployed on the ECS instance. For more information, see Add a security group rule.

Step 6: Test network connectivity

After you complete the preceding steps, test whether you can access cloud resources deployed in the VPC from a client in the on-premises network.