This topic describes how to deploy a Smart Access Gateway (SAG) device in one-arm mode and enable Open Shortest Path First (OSPF) routing to connect a private network to Alibaba Cloud.

Prerequisites

  • A Virtual Private Cloud (VPC) network is created. For more information, see Create a VPC.
  • A Cloud Enterprise Network (CEN) instance is created and associated with the VPC network. For more information, see Create a CEN instance.

Background information

In this example, a company needs to connect its private network to Alibaba Cloud. The company has created a VPC network in the China (Beijing) region and deployed application services in the VPC network. The company wants to use SAG to connect the company private network in mainland China to Alibaba Cloud. The model of the SAG device used in this example is SAG-1000. The SAG device is deployed in one-arm mode and OSPF dynamic routing is enabled. This solution connects the private network to Alibaba Cloud without changing the topology of the private network.

Network topology

Subnetting

The following CIDR blocks are used in this example. When you allocate CIDR blocks based on your actual requirements, make sure that the CIDR blocks do not overlap with each other.

Network: CIDR block

  • Private network of the company:
    • Workloads: 172.16.0.0/12.
    • WAN port (port 5) of the SAG device: 192.168.100.1/30. IP address of the gateway: 192.168.100.2.
    • Port G11 of the Layer 3 switch: 192.168.100.2/30.
    • Loopback interface: 192.168.100.3/32.
    • Port G1 of the Internet-facing router: 192.168.80.1/30.
    • Port G2 of the Layer 3 switch: 192.168.80.2/30.
  • VPC network in the China (Beijing) region: 10.0.0.0/16

Configuration procedure

Procedure

Step 1: Purchase an SAG device

After you place an order in the SAG console, Alibaba Cloud delivers the SAG device to the specified address and creates an SAG instance to facilitate the management of the device.

Note: If the area where the SAG device is used is outside mainland China, you must purchase the device from a third-party vendor that is authorized by Alibaba Cloud. For more information, see Purchase an SAG device.

  1. Log on to the SAG console.
  2. On the Smart Access Gateway page, click Purchase SAG.
  3. Select Create SAG (CPE).
  4. Set the following parameters and click Buy Now:
    • Area: Select the area where the SAG devices will be deployed. Mainland China is selected in this example.
    • Device Spec: Select the model of the SAG device. SAG-1000 is selected in this example.
    • Have SAG Devices Already: Select whether you already have an SAG device. No is selected in this example.
    • Edition: Select the edition of the SAG device. Standard is selected in this example by default.
    • Quantity: Select the number of SAG devices that you want to purchase. 1 is selected in this example.
    • Area: Select the area where the bandwidth will be used. The area is the same as that of the SAG device and cannot be changed.
    • Name: Specify a name for the SAG instance.

      The name must be 2 to 128 characters in length, and can contain digits, periods (.), hyphens (-), and underscores (_). It must start with a letter or a Chinese character.

    • Peak Bandwidth: Specify the maximum bandwidth value. 50 Mbps is specified in this example.
    • Subscription Duration: Specify the subscription duration of the bandwidth resources.
  5. Confirm the order information and click Confirm Purchase.
  6. In the Shipping Address dialog box, enter the recipient address and click Buy Now.
  7. On the Pay page, select a payment method and complete the payment.

You can check whether the order has been placed on the Smart Access Gateway page. After the order is placed, it will be shipped within two business days. If your order is not shipped as expected, you can submit a ticket to query the shipping status.

The order status

Step 2: Activate the SAG devices

After you receive the SAG device, check whether you have received all the accessories. For more information, see Descriptions of an SAG-1000 device.

  1. Log on to the SAG console.
  2. In the top navigation bar, select the area of the SAG device.
  3. On the Smart Access Gateway page, find the SAG instance created for the SAG device.
  4. In the Actions column, click Activate.
  5. In the Activate dialog box, click OK.
  6. After the SAG device is activated, connect it to the private network based on the preceding network topology.
    Use a network cable to connect the WAN port (port 5) of the SAG device to port G11 of the Layer 3 switch.
  7. Optional: If the SAG device was purchased from a third-party vendor, you must manually associate the SAG device with the SAG instance. For more information, see Add a device.

Step 3: Configure the SAG device

After the SAG device is connected to the private network, you can configure the device ports in the SAG console.

  1. Configure ports.
    1. On the Device Management tab, click Manage WAN Ports in the left-side navigation tree.
    2. In the WAN (Port 5) section, click Edit.
    3. In the Configure WAN (Port 5) dialog box, set the following parameters and click OK.
      WAN port
      • Connection Type: Static IP is selected in this example.
      • Priority: 1 is selected by default.
      • IP Address: Enter the IP address of the WAN port. 192.168.100.1 is used in this example.
      • Subnet Mask: Enter the subnet mask of the WAN port IP address. 255.255.255.252 is used in this example.
      • Gateway: Enter the IP address of the gateway. 192.168.100.2 is used in this example.
        Note: After the gateway is configured, the SAG device automatically adds a default route.
  2. Configure OSPF dynamic routing.
    Configure OSPF dynamic routing to establish network communication between the SAG device and Layer 3 switch.
    1. On the Device Management tab, click Manage Routes in the left-side navigation tree.
    2. In the OSPF Protocol Settings section, click Edit.
    3. In the Configure OSPF Protocol dialog box, enter the information about the allocated IP address and click OK.
      • Area ID: Set the area ID to 1.
      • Hello_time: Set the hello time to 3 seconds.
      • Dead_time: Set the dead time to 10 seconds.
      • Authentication: Select Disable Authentication.
      • Router ID: Set the router ID to 192.168.100.1.
      • Area Type: Default value: NSSA.
    4. In the WAN/LAN Dynamic Routing Settings section, select Enable OSPF Protocol.
    5. Find Port 5(LAN), click Edit in the Actions column, select Enable OSPF, and then click OK.
    Configure OSPF routing
  3. Select a method to advertise routes to Alibaba Cloud.
    You must specify how routes are advertised to Alibaba Cloud. These routes are used for network communication between the private network and cloud resources.
    1. On the instance details page, click the Network Configuration tab.
    2. In the left-side navigation tree, click Methods to Synchronize with On-premises Routes.
    3. Select Static Routing, click Add Static Route to add a CIDR block, and then click OK.

      Enter the CIDR block used to connect the private network to Alibaba Cloud. 172.16.0.0/12 is used in this example.

      Advertise routes to Alibaba Cloud 2

Step 4: Configure switches and Internet-facing routers

In this step, you must configure the peer switch and Internet-facing router for the SAG device. Switches and routers used in this example may be different from yours. For more information, see the manuals issued by your providers.

  1. Configure the Layer 3 switch.

    #a. Set the port IP addresses and OSPF parameters.
    interface GigabitEthernet 0/11
     no switchport
     ip ospf network point-to-point                        #The network type of the ports that use the OSPF protocol must be set to point-to-point (P2P). Otherwise, the SAG device cannot calculate routes correctly.
     ip ospf hello-interval 3                              #Must match the hello time set on the SAG device.
     ip ospf dead-interval 10                              #Must match the dead time set on the SAG device.
     ip address 192.168.100.2 255.255.255.252

    #b. Configure the loopback IP address and route advertisement information for the switch.
    interface Loopback 0
     ip address 192.168.100.3 255.255.255.255              #The loopback IP address of the switch.

    router ospf 1                                          #Configure OSPF settings and routes.
     router-id 192.168.100.3                               #The router ID of the switch that uses the OSPF protocol.
     network 172.16.0.0 0.15.255.255 area 0                #The CIDR block of the private network.
     network 192.168.100.0 0.0.0.3 area 1                  #The CIDR block of the switch port connected to the SAG device. The wildcard mask for a /30 is 0.0.0.3.
     network 192.168.100.3 0.0.0.0 area 0                  #The loopback IP address of the switch.
     area 1 nssa                                           #The OSPF area is NSSA.

  2. Configure routes for the Internet-facing router.

    ip route 192.168.100.0 255.255.255.252 192.168.80.2    #The route to the SAG device.
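
The following pre-deployment check is an added example, not part of the original procedure or of any Alibaba Cloud tooling. It validates the address plan from the Subnetting section against overlaps and compares the OSPF settings from Step 3 and Step 4, including which area the switch's network statements assign to port G11. Dictionary keys and function names are hypothetical, the link statement uses the /30 wildcard mask 0.0.0.3, and "most specific network statement wins" is an assumption to confirm against your switch vendor's documentation.

```python
import ipaddress
from itertools import combinations

# Values transcribed from this page; the names below are hypothetical.
PLAN = {"private network": "172.16.0.0/12", "SAG-switch link": "192.168.100.0/30",
        "switch-router link": "192.168.80.0/30", "VPC": "10.0.0.0/16"}
SAG = {"ip": "192.168.100.1/30", "area": 1, "area_type": "nssa",
       "hello": 3, "dead": 10, "auth": "none"}
SWITCH_G11 = {"ip": "192.168.100.2/30", "area_type": "nssa",
              "hello": 3, "dead": 10, "auth": "none"}
# (address, wildcard mask, area) from the switch's "router ospf 1" section.
NETWORKS = [("172.16.0.0", "0.15.255.255", 0), ("192.168.100.0", "0.0.0.3", 1),
            ("192.168.100.3", "0.0.0.0", 0)]

def overlaps(plan):
    """Return the pairs of plan entries whose CIDR blocks overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]

def area_for(ip, statements):
    """Area a network statement assigns to ip, or None if no statement matches.
    Assumption: the most specific match wins; check your vendor's rule."""
    ip, best = int(ipaddress.ip_address(ip)), None
    for addr, wildcard, area in statements:
        a, w = int(ipaddress.ip_address(addr)), int(ipaddress.ip_address(wildcard))
        if ((ip ^ a) & ~w & 0xFFFFFFFF) == 0:   # bits outside the wildcard must match
            ones = bin(w).count("1")
            if best is None or ones < best[0]:
                best = (ones, area)
    return None if best is None else best[1]

def adjacency_issues(sag, sw, statements):
    """Return settings that would block the SAG-switch adjacency, plus warnings."""
    issues = []
    a, b = ipaddress.ip_interface(sag["ip"]), ipaddress.ip_interface(sw["ip"])
    if a.network != b.network:
        issues.append("link addresses are in different subnets")
    sw_area = area_for(str(b.ip), statements)
    if sw_area != sag["area"]:
        issues.append(f"area mismatch: SAG {sag['area']}, switch {sw_area}")
    for key in ("area_type", "hello", "dead", "auth"):
        if sag[key] != sw[key]:
            issues.append(f"{key} mismatch: SAG {sag[key]}, switch {sw[key]}")
    if sag["auth"] == "none":
        issues.append("warning: OSPF authentication is disabled on the link")
    return issues

if __name__ == "__main__":
    print(overlaps(PLAN), adjacency_issues(SAG, SWITCH_G11, NETWORKS))
```

With the page's values the only finding is the authentication warning. A wildcard mask that does not cover 192.168.100.2 leaves port G11 outside area 1, and the check reports it as an area mismatch.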
                    

Step 5: Set up network connections

After you configure the SAG device, you must set up network connections to connect the private network to Alibaba Cloud.

  1. Create a Cloud Connect Network (CCN) instance.
    1. Log on to the SAG console.
    2. In the top navigation bar, select Mainland China.
      The area of the CCN instance must be the same as that of the SAG device.
    3. In the left-side navigation pane, click CCN.
    4. On the CCN page, click Create CCN Instance.
    5. In the Create CCN Instance pane, specify a name for the CCN instance and click OK.
      The name must be 2 to 100 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter or a Chinese character.
      Create a CCN instance
  2. Associate the SAG instance with the CCN instance.
    1. In the left-side navigation pane, click Smart Access Gateway.
    2. On the Smart Access Gateway page, find the SAG instance that you want to manage and click Network Configuration in the Actions column.
    3. In the left-side navigation tree, click Network Instance Details.
    4. On the Network Instance Details tab, click Attach Network, select the CCN instance, and then click OK.
      Attach a network
  3. Associate the CCN instance with a CEN instance.
    After the CCN instance is associated with a CEN instance, SAG devices associated with the CCN instance can communicate with VPC networks associated with the CEN instance.
    1. In the left-side navigation pane, click CCN.
    2. Find the CCN instance and click Bind CEN Instance in the Actions column.
    3. In the Bind CEN Instance pane, select Existing CEN, select the CEN instance that you want to associate with the CCN instance, and then click OK.
      Associate with a CEN instance
  4. Create a security group rule.
    You must create a security group rule for the Elastic Compute Service (ECS) instance in the VPC network to allow clients in the CIDR block 172.16.0.0/12 of the private network to access resources deployed on the ECS instance. For more information, see Add security group rules.

Step 6: Test network connectivity

After you complete the preceding steps, test whether you can access cloud resources deployed in the VPC network from a client in the private network.