This topic describes how to deploy a Smart Access Gateway (SAG) device in one-arm
mode and enable Open Shortest Path First (OSPF) routing to connect a private network
to Alibaba Cloud.
Prerequisites
- A Virtual Private Network (VPC) network is created. For more information, see Create a VPC.
- A Cloud Enterprise Network (CEN) instance is created and associated with the VPC network.
For more information, see Create a CEN instance.
Background information
In this example, a company needs to connect its private network to Alibaba Cloud.
The company has created a VPC network in the China (Beijing) region and deployed application
services in the VPC network. The company wants to use SAG to connect the company private
network in mainland China to Alibaba Cloud. The model of the SAG device used in this
example is SAG-1000. The SAG device is deployed in one-arm mode and OSPF dynamic routing
is enabled. This solution connects the private network to Alibaba Cloud without changing
the topology of the private network
Subnetting
The following CIDR blocks are used in this example. When you allocate CIDR blocks
based on your actual requirements, make sure that the CIDR blocks do not overlap with
each other.
Network |
CIDR block |
Private network of the company |
Workloads: 172.16.0.0/12. |
WAN port (port 5) of the SAG device: 192.168.100.1/30. IP address of the gateway:
192.168.100.2.
|
Port G11 of the Layer 3 switch: 192.168.100.2/30.
Loopback interface: 192.168.100.3/32.
|
Port G1 of the Internet-facing router: 192.168.80.1/30.
Port G2 of the Layer 3 switch: 192.168.80.2/30.
|
VPC network in the China (Beijing) region |
10.0.0.0/16 |
Configuration procedure
Step 1: Purchase an SAG device
After you place an order in the SAG console, Alibaba Cloud delivers the SAG device
to the specified address and creates an SAG instance to facilitate the management
of the device.
Note If the area where the SAG device is used is outside mainland China, you must purchase
the device from a third-party vendor that is authorized by Alibaba Cloud. For more
information, see
Purchase an SAG device.
- Log on to the SAG console.
- On the Smart Access Gateway page, click Purchase SAG.
- Select Create SAG (CPE).
- Set the following parameters and click Buy Now:
- Area: Select the area where the SAG devices will be deployed. Mainland China is selected in this example.
- Device Spec: Select the model of the SAG device. SAG-1000 is selected in this example.
- Have SAG Devices Already: Select whether you already have an SAG device. No is selected in this example.
- Edition: Select the edition of the SAG device. Standard is selected in this example by default.
- Quantity: Select the number of SAG devices that you want to purchase. 1 is selected in this example.
- Area: Select the area where the bandwidth will be used. The area is the same as that of
the SAG device and cannot be changed.
- Name: Specify a name for the SAG instance.
The name must be 2 to 128 characters in length, and can contain digits, periods (.),
hyphens (-), and underscores (_). It must start with a letter or a Chinese character.
- Peak Bandwidth: Specify the maximum bandwidth value. 50 Mbps is specified in this example.
- Subscription Duration: Specify the subscription duration of the bandwidth resources.
- Confirm the order information and click Confirm Purchase.
- In the Shipping Address dialog box, enter the recipient address and click Buy Now.
- On the Pay page, select a payment method and complete the payment.
You can check whether the order has been placed on the Smart Access Gateway page.
After the order is placed, it will be shipped within two business days. If your order
is not shipped as expected, you can submit a ticket to query the shipping status.
Step 2: Activate the SAG devices
After you receive the SAG device, check whether you have received all the accessories.
For more information, see Descriptions of an SAG-1000 device.
- Log on to the SAG console.
- In the top navigation bar, select the area of the SAG device.
- On the Smart Access Gateway page, find the SAG instance created for the SAG device.
- In the Actions column, click Activate.
- In the Activate dialog box, click OK.
- After the SAG device is activated, connect it to the private network based on the
preceding network topology.
Use a network cable to connect the WAN port (port 5) of the SAG device to port G11
of the Layer 3 switch.
- Optional:If the SAG device was purchased from a third-party vendor, you must manually associate
the SAG device with the SAG instance. For more information, see Add a device.
Step 3: Configure the SAG device
After the SAG device is connected to the private network, you can configure the device
ports in the SAG console.
- Configure ports.
- On the Device Management tab, click Manage WAN Ports in the left-side navigation tree.
- In the WAN (Port 5) section, click Edit.
- In the Configure WAN (Port 5) dialog box, set the following parameters and click OK.

- Connection Type: Static IP is selected in this example.
- Priority: 1 is selected by default.
- IP Address: Enter the IP address of the WAN port. 192.168.100.1 is used in this example.
- Subnet Mask: Enter the subnet mask of the WAN port IP address. 255.255.255.252 is used in this
example.
- Gateway: Enter the IP address of the gateway. 192.168.100.2 is used in this example.
Note After the gateway is configured, the SAG device automatically adds a default route.
- Configure OSPF dynamic routing.
Configure OSPF dynamic routing to establish network communication between the SAG
device and Layer 3 switch.
- On the Device Management tab, click Manage Routes in the left-side navigation tree.
- In the OSPF Protocol Settings section, click Edit.
- In the Configure OSPF Protocol dialog box, enter the information about the allocated IP address and click OK.
Parameter |
Description |
Area ID |
Set the area ID to 1. |
Hello_time |
Set the hello time to 3 seconds. |
Dead_time |
Set the dead time to 10 seconds. |
Authentication |
Select Disable Authentication. |
Router ID |
Set the router ID to 192.168.100.1. |
Area Type |
Default value: NSSA. |
- In the WAN/LAN Dynamic Routing Settings section, select Enable OSPF Protocol.
- Find Port 5(LAN), click Edit in the Actions column, select Enable OSPF, and then click OK.
- Select a method to advertise routes to Alibaba Cloud.
You must specify how routes are advertised to Alibaba Cloud. These routes are used
for network communication between the private network and cloud resources.
- On the instance details page, click the Network Configuration tab.
- In the left-side navigation tree, click Methods to Synchronize with On-premises Routes.
- Select Static Routing, click Add Static Route to add a CIDR block, and then click OK.
Enter the CIDR block used to connect the private network to Alibaba Cloud. 172.16.0.0/12
is used in this example.

Step 4: Configure switches and Internet-facing routers
In this step, you must configure the peer switch and Internet-facing router for the
SAG device. Switches and routers used in this example may be different from yours.
For more information, see the manuals issued by your providers.
- Configure the Layer 3 switch.
#a. Set the port IP addresses and OSPF parameters.
interface GigabitEthernet 0/11
no switchport
ip ospf network point-to-point #The network type of the ports that use the OSPF protocol must be set to peer-to-peer (P2P). Otherwise, the SAG device cannot calculate routes correctly.
ip ospf hello-interval 3
ip ospf dead-interval 10
ip address 192.168.100.2 255.255.255.252
#b. Configure the loopback IP address and route advertisement information for the switch.
interface Loopback 0
ip address 192.168.100.3 255.255.255.255 #The loopback IP address of the switch.
router ospf 1 #Configure OSPF settings and routes.
router-id 192.168.100.3 #The router ID of the switch that uses the OSPF protocol.
network 172.16.0.0 0.15.255.255 area 0 #The CIDR block of the private network.
network 192.168.100.0 0.0.0.4 area 1 #The CIDR block of the switch port connected to the SAG device.
network 192.168.100.3 0.0.0.0 area 0 #The loopback IP address of the switch.
area 1 nssa #The OSPF area is NSSA.
- Configure routes for the Internet-facing router.
ip route 192.168.100.0 255.255.255.252 192.168.80.2 #The route to the SAG device.
Step 5: Set up network connections
After you configure the SAG device, you must set up network connections to connect
the private network to Alibaba Cloud.
- Create a Cloud Connect Network (CCN) instance.
- Log on to the SAG console.
- In the top navigation bar, select Mainland China.
The area of the CCN instance must be the same as that of the SAG device.
- In the left-side navigation pane, click CCN.
- On the CCN page, click Create CCN Instance.
- In the Create CCN Instance pane, specify a name for the CCN instance and click OK.
The name must be 2 to 100 characters in length, and can contain digits, underscores
(_), and hyphens (-). It must start with a letter or a Chinese character.

- Associate the SAG instance with the CCN instance.
- In the left-side navigation pane, click Smart Access Gateway.
- On the Smart Access Gateway page, find the SAG instance that you want to manage and click Network Configuration in the Actions column.
- In the left-side navigation tree, click Network Instance Details.
- On the Network Instance Details tab, click Attach Network, select the CCN instance, and then click OK.
- Associate the CCN instance with a CEN instance.
After the CCN instance is associated with a CEN instance, SAG devices associated with
the CCN instance can communicate with VPC networks associated with the CEN instance.
- In the left-side navigation pane, click CCN.
- Find the CCN instance and click Bind CEN Instance in the Actions column.
- In the Bind CEN Instance pane, select Existing CEN, select the CEN instance that you want to associate with the CCN instance, and then
click OK.
- Create a security group rule.
You must create a security group rule for the Elastic Compute Service (ECS) instance
in the VPC network to allow clients in the CIDR block 172.16.0.0/12 of the private
network to access resources deployed on the ECS instance. For more information, see
Add security group rules.
Step 6: Test network connectivity
After you complete the preceding steps, test whether you can access cloud resources
deployed in the VPC network from a client in the private network.