This topic describes how to deploy two Smart Access Gateway (SAG) devices in one-arm mode and enable Open Shortest Path First (OSPF)-based dynamic routing to connect a private network to Alibaba Cloud.
Background information
The following figure shows the topology of the private network. A Layer 3 switch is connected to two Layer 2 switches. On-premises clients and servers are connected to the Layer 2 switches. Two SAG devices are connected to the Layer 3 switch in inline mode to establish network connections between the private network and Alibaba Cloud. When one device is malfunctioning, the other device takes over.

Prerequisites
- A virtual private cloud (VPC) is created in the China (Beijing) region. For more information, see Create a VPC.
- A Cloud Enterprise Network (CEN) instance is created and associated with the VPC in the China (Beijing) region. For more information, see Create a CEN instance.
Subnetting
Item | CIDR block |
---|---|
VPC in the China (Beijing) region | 10.0.0.0/16 |
Internet-facing router | 192.168.80.1/30 |
Uplink port of the Layer 3 switch | 192.168.80.2/30 |
SAG Device 1 | WAN port (port 5): 192.168.100.1/30. Next hop: 192.168.100.2. |
SAG Device 2 | WAN port (port 5): 192.168.200.1/30. Next hop: 192.168.200.2. |
Layer 3 switch |
|
Private network | 172.16.0.0/12 |
Step 1: Purchase SAG devices
After you purchase SAG devices in the SAG console, Alibaba Cloud delivers the devices to the specified address and creates an SAG instance to help you facilitate network management.
You can check whether the order has been placed on the Smart Access Gateway page. After the order is placed, the package will be shipped within two business days. If the package is not shipped within two business days, submit a ticket to query the shipping status.

Step 2: Activate the SAG devices
After you receive the SAG devices, check whether you have received all the accessories. For more information, see Descriptions of an SAG-1000 device.
Step 3: Connect the SAG devices to your private network
After you activate the SAG devices and associate them with the SAG instance, you must connect the devices to your private network.
Before you begin, make sure that the devices are activated, the 4G networks work as expected, and the devices are connected to Alibaba Cloud. The active device is used in this example. Repeat this step to connect the standby device to your private network.
Step 4: Configure ports
After the SAG devices are connected to your private network, you can configure the device ports in the SAG console.
The active device is used in this example. Repeat this step to configure the ports of the standby device.
Step 5: Configure OSPF-based dynamic routing
You can configure OSPF-based dynamic routing for SAG devices in the SAG console.
The active device is used in this example. Repeat this step to configure OSPF-based dynamic routing for the standby device.
Step 6: Configure the Layer 3 switch and Internet-facing router
The commands used to configure switches vary based on the switch provider. For more information, see the manuals issued by your providers. A switch and router provided by Cisco are used in this example.- The Layer 3 switch
- Set the port IP addresses and OSPF parameters.
Note For each SAG device, the network type of ports that use the OSPF protocol must be set to peer-to-peer (P2P). Otherwise, the SAG device cannot calculate routes correctly.
interface GigabitEthernet 0/11 no switchport ip ospf network point-to-point Set the network type to P2P ip ospf hello-interval 3 ip ospf dead-interval 10 ip address 192.168.100.2 255.255.255.252 The port IP address of the peer switch of Device 1 interface GigabitEthernet 0/13 no switchport ip address 192.168.200.2 255.255.255.252 The port IP address of the peer switch of Device 2 ip ospf network point-to-point Set the network type to P2P ip ospf dead-interval 10 ip ospf hello-interval 3 !
- Specify the loopback address and route advertisement information.
Note OSPF requires a not-so-stubby area (NSSA), automatically generates a default route, and advertises it to SAG.
interface Loopback 0 ip address 192.168.100.3 255.255.255.255 The loopback address of the switch ! router ospf 1 router-id 192.168.100.3 The router ID of the switch network 172.16.0.0 0.15.255.255 area 0 The CIDR block of the on-premises server network 192.168.100.0 0.0.0.4 area 1 The CIDR block of the switch port connected to Device 1 network 192.168.100.3 0.0.0.0 area 0 The loopback address of the switch network 192.168.200.0 0.0.0.4 area 1 The CIDR block of the switch port connected to Device 2 area 1 nssa default-information-originate no-summary !
- Set the port IP addresses and OSPF parameters.
- The Internet-facing router
Add a static route ip route 192.168.100.1 255.255.255.252 192.168.80.2 The route to Device 1 ip route 192.168.200.1 255.255.255.252 192.168.80.2 The route to Device 2
Step 7: Set up network connections
After you configure the SAG devices, you must set up network connections to connect the private network to Alibaba Cloud.
- Create a CCN instance.
- Set up network connections.
- Associate the CCN instance with a Cloud Enterprise Network (CEN) instance.
- Configure a security group rule.
Step 8: Test the connectivity
After you complete the configurations in the preceding steps, access cloud resources deployed in the VPC from a client in your private network to test the connectivity.