This topic describes how to deploy two Smart Access Gateway (SAG) devices in inline mode and enable Open Shortest Path First (OSPF)-based dynamic routing to connect an on-premises network to Alibaba Cloud.

Background information

The following figure shows the topology of the on-premises network. A Layer 3 switch is connected to two Layer 2 switches. On-premises clients and servers are connected to the Layer 2 switches. Two SAG devices are connected to the Layer 3 switch in inline mode to establish network connections between the on-premises network and Alibaba Cloud. The two SAG devices serve as standby devices for each other.

Deploy two SAG devices in inline mode

Prerequisites

  • A virtual private cloud (VPC) is deployed in the China (Beijing) region. For more information, see Create and manage a VPC.
  • A Cloud Enterprise Network (CEN) instance is created and associated with the VPC in the China (Beijing) region. For more information, see Create a CEN instance.

Network planning

The following CIDR blocks are used in this example. When you allocate CIDR blocks based on your requirements, make sure that the CIDR blocks do not overlap with each other.

Item: IP address
VPC in the China (Beijing) region: 10.0.0.0/16
Internet-facing router
  • Port G1: 192.168.100.2/30
  • Port G2: 192.168.200.2/30
SAG Device 1
  • WAN port (port 5): 192.168.100.1/30. Next hop: 192.168.100.2.
  • LAN port (port 4): 192.168.50.1/30
SAG Device 2
  • WAN port (port 5): 192.168.200.1/30. Next hop: 192.168.200.2.
  • LAN port (port 4): 192.168.60.1/30
Layer 3 switch
  • Port G11: 192.168.50.2/30
  • Port G12: 192.168.60.2/30
  • Loopback interface: 192.168.100.3/32
On-premises network: 172.16.0.0/12
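
A way to check an address plan like the one above before any device is configured, as an added example that is not part of the original documentation: it verifies that both ends of each cabled link share a subnet and use host addresses, and that no two subnets overlap. The short names, the `LINKS` list and the pairing of Device 2 with router port G2 and switch port G12 are assumptions of this example.

```python
import ipaddress
from itertools import combinations

# Addresses from the network planning table on this page.
PLAN = {
    "VPC": "10.0.0.0/16",
    "On-premises network": "172.16.0.0/12",
    "Router G1": "192.168.100.2/30",
    "Router G2": "192.168.200.2/30",
    "SAG1 WAN": "192.168.100.1/30",
    "SAG1 LAN": "192.168.50.1/30",
    "SAG2 WAN": "192.168.200.1/30",
    "SAG2 LAN": "192.168.60.1/30",
    "Switch G11": "192.168.50.2/30",
    "Switch G12": "192.168.60.2/30",
    "Switch loopback": "192.168.100.3/32",
}
# Port pairs cabled together (assumed pairing); each pair must share one subnet.
LINKS = [("SAG1 WAN", "Router G1"), ("SAG1 LAN", "Switch G11"),
         ("SAG2 WAN", "Router G2"), ("SAG2 LAN", "Switch G12")]

def validate_plan(plan, links):
    """Return a list of findings; an empty list means the plan is consistent."""
    ifaces = {name: ipaddress.ip_interface(v) for name, v in plan.items()}
    findings, by_net = [], {}
    for a, b in links:
        if ifaces[a].network != ifaces[b].network:
            findings.append(f"link {a} <-> {b}: endpoints are in different subnets")
        for name in (a, b):
            if ifaces[name].ip not in ifaces[name].network.hosts():
                findings.append(f"{name}: {ifaces[name].ip} is not a usable host address")
    for name, iface in ifaces.items():
        by_net.setdefault(iface.network, set()).add(name)
    linked = {frozenset(pair) for pair in links}
    for net, names in by_net.items():
        if len(names) > 1 and frozenset(names) not in linked:
            findings.append(f"{net} is reused by unlinked items: {sorted(names)}")
    for (na, a), (nb, b) in combinations(by_net.items(), 2):
        if na.overlaps(nb):
            findings.append(f"overlap: {na} {sorted(a)} and {nb} {sorted(b)}")
    return findings
```

Run on this page's values, the only finding is that the switch loopback 192.168.100.3/32 lies inside 192.168.100.0/30, the WAN subnet of Device 1.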

Step 1: Purchase SAG devices

After you purchase SAG devices in the SAG console, Alibaba Cloud delivers the devices to the specified address and creates an SAG instance to facilitate network management.

  1. Log on to the SAG console.
  2. In the left-side navigation pane, click Smart Access Gateway.
  3. On the Smart Access Gateway page, choose Purchase SAG > Create SAG (CPE).
  4. Set the following parameters and click Buy Now.
    • Area: Select the area where the SAG device will be deployed. Mainland China is selected in this example.
    • Device Spec: Select the model of the SAG device. SAG-1000 is selected in this example.
    • Have SAG Devices Already: Select whether you already have an SAG device. In this example, No is selected.
    • Edition: Select the edition of the SAG device. Standard is selected in this example.
    • Quantity: Select the number of SAG devices that you want to purchase. 2 is selected in this example.
    • Area: Select the area where the SAG bandwidth will be used. This area must be the same as that of the SAG device and cannot be modified.
    • Instance Name: Enter a name for the SAG instance.

      The name must be 2 to 128 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_). It must start with a letter.

    • Peak Bandwidth: Select a maximum bandwidth value for network connections. 30 Mbps is selected in this example.
    • Subscription Duration: Select a subscription duration.
  5. Confirm the order information and click Confirm Purchase.
  6. In the Shipping Address dialog box, enter a recipient address and click Buy Now.
  7. On the Pay page, select a payment method and complete the payment.

You can check whether the order has been placed on the Smart Access Gateway page. After the order is placed, the package will be shipped within two business days. If the shipping is overdue, you can submit a ticket to check the shipping status.


Step 2: Activate the SAG devices

After you receive the SAG devices, check whether you have received all the accessories. For more information, see Descriptions of SAG-1000.

  1. Log on to the SAG console.
  2. On the Smart Access Gateway page, find the SAG instance that you want to manage.
  3. Click Activate in the Actions column.
  4. Click the ID of the SAG instance. On the instance details page, click the Device Management tab and enter the serial number of the device.
  5. Click Add Device.
  6. Repeat this step to associate the other SAG device with the SAG instance.

Step 3: Connect the SAG devices to your on-premises network

After you activate the SAG devices and associate them with the SAG instance, you must connect the devices to your on-premises network.

Before you begin, make sure that the devices are activated, the 4G networks work as expected, and the devices are connected to Alibaba Cloud. Device 1 is used in this example. Repeat this step to connect Device 2 to your on-premises network.

  1. Log on to the SAG console.
  2. On the Smart Access Gateway page, find and click the SAG instance ID.
  3. On the instance details page, click the Device Management tab.
  4. In the left-side navigation tree, click Assign Port Roles.
  5. In the Assign Port Roles section, find the port and click Edit in the Actions column. Assign a role to the port and click OK.
    In this example, port 5 is assigned the WAN role and port 4 is assigned the LAN role. For more information, see Assign a role to a port.
  6. Use a network cable to connect the WAN port (port 5) of the SAG device to port G1 of the Internet-facing router.
  7. Use a network cable to connect the LAN port (port 4) of the SAG device to port G11 of the Layer 3 switch.

Step 4: Configure ports

After the SAG devices are connected to your on-premises network, you can configure the device ports in the SAG console.

Device 1 is used in this example. Repeat this step to configure the ports of Device 2.

  1. Log on to the SAG console.
  2. On the Smart Access Gateway page, click the ID of the SAG instance.
  3. On the instance details page, click the Device Management tab.
  4. In the left-side navigation tree, click Manage LAN Ports.
  5. In the LAN (Port 4) section, click Edit.
  6. In the Configure LAN (Port 4) dialog box, set the following parameters and click OK.
    • Link Type: Select Static.
    • Port Address: Enter the IP address of the LAN port. 192.168.50.1 is used in this example.
    • Subnet Mask: Enter the subnet mask of the LAN port IP address. 255.255.255.252 is used in this example.
  7. In the left-side section, click Manage WAN Ports.
  8. In the WAN (Port 5) section, click Edit.
  9. In the Configure WAN (Port 5) dialog box, set the following parameters and click OK.
    • Link Type: Select Static.
    • IP Address: Enter the IP address of the WAN port. 192.168.100.1 is used in this example.
    • Subnet Mask: Enter the subnet mask of the WAN port IP address. 255.255.255.252 is used in this example.
    • Gateway: Enter the IP address of the gateway. 192.168.100.2 is used in this example.
      Note: After the parameter is set, a default route is added to the SAG device.

Step 5: Configure OSPF-based dynamic routing

You can configure OSPF-based dynamic routing for SAG devices in the SAG console.

Device 1 is used in this example. Repeat this step to configure OSPF-based dynamic routing for Device 2.

  1. Log on to the SAG console.
  2. On the Smart Access Gateway page, click the ID of the SAG instance.
  3. On the instance details page, click the Device Management tab.
  4. In the left-side navigation tree, click Manage Routes.
  5. In the OSPF Protocol Settings section, click Edit.
  6. In the Configure OSPF Protocol dialog box, set the following parameters and click OK.
    • Area ID: Enter the area IDs of the active and standby devices.
      Area ID of the active device: 1.
      Area ID of the standby device: 1.
    • Hello Time: Set the hello time to 3 seconds for both devices.
    • Dead Time: Set the dead time to 10 seconds for both devices.
    • Authentication Type: Select Disable Authentication for both devices.
    • Router ID: Enter the device router IDs.
      Router ID of the active device: 192.168.100.1.
      Router ID of the standby device: 192.168.200.1.
    • Area Type: Default value: NSSA.
  7. In the WAN/LAN Dynamic Routing Settings section, select Enable OSPF Protocol.
  8. Find Port 4 (LAN), click Edit in the Actions column, select Enable OSPF, and then click OK.

Step 6: Configure the Layer 3 switch and Internet-facing router

The commands used to configure switches and routers vary by vendor. For more information, see the documentation from your vendor. A Cisco switch and a Cisco router are used in this example.
  • Layer 3 switch settings
    • Set the port IP addresses and OSPF parameters.
      Note: For each SAG device, the network type of the ports that use the OSPF protocol must be set to point-to-point (P2P). Otherwise, the SAG device cannot calculate routes correctly.

      interface GigabitEthernet 0/11
       no switchport
       ! The port IP address of the peer switch of Device 1.
       ip address 192.168.50.2 255.255.255.252
       ! Set the network type to P2P.
       ip ospf network point-to-point
       ip ospf hello-interval 3
       ip ospf dead-interval 10
      !
      interface GigabitEthernet 0/12
       no switchport
       ! The port IP address of the peer switch of Device 2.
       ip address 192.168.60.2 255.255.255.252
       ! Set the network type to P2P.
       ip ospf network point-to-point
       ip ospf hello-interval 3
       ip ospf dead-interval 10
      !

    • Specify the loopback address and route advertisement information.
      Note: The OSPF area that contains the SAG devices must be a not-so-stubby area (NSSA). The switch automatically generates a default route and advertises it to the SAG devices.

      interface Loopback 0
       ! The loopback address of the switch.
       ip address 192.168.100.3 255.255.255.255
      !
      router ospf 1
       ! The router ID of the switch.
       router-id 192.168.100.3
       ! The CIDR block of the on-premises server.
       network 172.16.0.0 0.15.255.255 area 0
       ! The loopback address of the switch.
       network 192.168.100.3 0.0.0.0 area 0
       ! The CIDR block of the port that the switch uses to connect to SAG Device 1.
       ! The wildcard mask of a /30 subnet is 0.0.0.3.
       network 192.168.50.0 0.0.0.3 area 1
       ! The CIDR block of the port that the switch uses to connect to SAG Device 2.
       network 192.168.60.0 0.0.0.3 area 1
       area 1 nssa default-information-originate no-summary
      !

  • Internet-facing router settings
    Add static routes
    
    ! The route to Device 1.
    ip route 192.168.100.1 255.255.255.252 192.168.100.2
    ! The route to Device 2.
    ip route 192.168.200.1 255.255.255.252 192.168.200.2
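
The conditions the switch ports must meet to form an OSPF adjacency with the SAG devices (area, hello and dead timers, point-to-point network type), as an added example that is not Alibaba Cloud or Cisco code. It checks a constructed copy of the switch settings against the values from Step 5 and shows how a wildcard mask selects an interface address: 0.0.0.3 covers a /30 subnet, whereas 0.0.0.4 does not match the .2 port address. The `SAG` dict and function names are assumptions of this example.

```python
import ipaddress
import re

# Constructed copy of this step's switch settings (the page's addresses and timers).
SWITCH_CFG = """\
interface GigabitEthernet 0/11
 ip address 192.168.50.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf hello-interval 3
 ip ospf dead-interval 10
interface GigabitEthernet 0/12
 ip address 192.168.60.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf hello-interval 3
 ip ospf dead-interval 10
router ospf 1
 network 192.168.50.0 0.0.0.3 area 1
 network 192.168.60.0 0.0.0.3 area 1
"""
# SAG-side values from Step 5; the dict layout is an assumption of this example.
SAG = {"area": "1", "hello": "3", "dead": "10"}

def wildcard_match(ip, base, wildcard):
    """Bits set in the wildcard are ignored; every other bit must equal base."""
    i, b, w = (int(ipaddress.IPv4Address(x)) for x in (ip, base, wildcard))
    return ((i ^ b) & ~w & 0xFFFFFFFF) == 0

def check_adjacency(cfg, sag=SAG):
    """Return reasons why a switch port would not form an adjacency with the SAG."""
    nets = re.findall(r"^ network (\S+) (\S+) area (\S+)", cfg, re.M)
    problems = []
    for block in re.split(r"^(?=\S)", cfg, flags=re.M):
        addr = re.search(r"^ ip address (\S+)", block, re.M)
        if not block.startswith("interface") or not addr:
            continue
        name, ip = block.splitlines()[0], addr.group(1)
        # Area of the first network statement whose wildcard covers this address.
        area = next((a for b, w, a in nets if wildcard_match(ip, b, w)), None)
        if area != sag["area"]:
            problems.append(f"{name}: {ip} matches area {area or 'none'}, SAG uses {sag['area']}")
        for key in ("hello", "dead"):
            val = re.search(rf"ip ospf {key}-interval (\d+)", block)
            # A missing line means the IOS default (10 s hello, 40 s dead), not 3 s / 10 s.
            if not val or val.group(1) != sag[key]:
                problems.append(f"{name}: {key} interval does not match SAG ({sag[key]} s)")
        if "ip ospf network point-to-point" not in block:
            problems.append(f"{name}: network type is not point-to-point")
    return problems
```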

Step 7: Set up network connections

After you configure the SAG devices, you must set up network connections to connect the on-premises network to Alibaba Cloud.

  1. Create a Cloud Connect Network (CCN) instance.
    1. Log on to the SAG console.
    2. In the left-side navigation pane, click CCN.
    3. On the CCN page, click Create CCN Instance.
    4. In the Create CCN Instance panel, enter a name for the CCN instance and click OK.
      The name must be 2 to 100 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter.
  2. Set up network connections.
    1. Log on to the SAG console.
    2. On the Smart Access Gateway page, click the ID of the SAG instance or click Network Configuration in the Actions column.
    3. On the Method to Synchronize with On-premises Routes tab, select Dynamic Routing.
    4. On the Network Instance Details tab, click Attach Network, select the CCN instance, and then click OK.
  3. Associate the CCN instance with a Cloud Enterprise Network (CEN) instance.
    1. Log on to the SAG console.
    2. In the left-side navigation pane, click CCN.
    3. Find the CCN instance and click Bind CEN Instance in the Actions column.
    4. In the Bind CEN Instance panel, select the CEN instance that you want to use and click OK.
      After the CCN instance is associated with the CEN instance, SAG devices connected to the CCN instance can communicate with networks such as VPCs and virtual border routers (VBRs) attached to the CEN instance.
  4. Configure an Elastic Compute Service (ECS) security group.
    1. Log on to the ECS console.
    2. In the left-side navigation pane, choose Network & Security > Security Groups.
    3. On the Security Groups page, find the security group that you want to manage and click Add Rules in the Actions column.
    4. On the Security Group Rules tab, click Add Rule.
    5. Create a security group rule that allows access from the on-premises network to the VPC. For more information, see Add a security group rule.

Step 8: Test the network connectivity

After you complete the preceding steps, access cloud resources deployed in the VPC network from a client in your on-premises network to test the network connectivity.