This topic describes how to deploy two Smart Access Gateway (SAG) devices in inline mode and enable static routing to connect an on-premises network to Alibaba Cloud. This deployment mode improves network availability.

Scenarios

The following figure shows the topology of the on-premises network. A Layer-3 switch is connected to two Layer-2 switches. On-premises clients and servers are connected to the Layer-2 switches. Two SAG devices are connected to the Layer-3 switch in inline mode to establish network connections between the on-premises network and Alibaba Cloud. The two SAG devices serve as standby devices for each other.

[Figure: Dual SAG devices for HA]

Prerequisites

  • A virtual private cloud (VPC) is created in the China (Beijing) region. For more information, see Create and manage a VPC.
  • A Cloud Enterprise Network (CEN) instance is created and the VPC is attached to the CEN instance. For more information, see Create a CEN instance.

CIDR blocks

The following CIDR blocks are used in this example. When you allocate CIDR blocks based on your requirements, make sure that the CIDR blocks do not overlap with each other.

Item: CIDR block

VPC in the China (Beijing) region: 10.0.0.0/16
Internet-facing router
  • Port G1: 192.168.100.2/30.
  • Port G2: 192.168.200.2/30.
SAG Device 1
  • WAN port (port 5): 192.168.100.1/30. Next hop: 192.168.100.2.
  • LAN port (port 4): 192.168.50.1/24. High availability (HA) is enabled and the virtual IP address is 192.168.50.254.
SAG Device 2
  • WAN port (port 5): 192.168.200.1/30. Next hop: 192.168.200.2.
  • LAN port (port 4): 192.168.50.3/24. HA is enabled and the virtual IP address is 192.168.50.254.
Layer-3 switch
  • Port G11: assigned to VLAN 10.
  • Port G12: assigned to VLAN 10.
  • VLAN 10: 192.168.50.2/24.
On-premises network: 172.16.0.0/12
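
The following check is an added example, not part of the original topic or of any Alibaba Cloud tooling. It validates an addressing plan before it is entered in the console: no CIDR block overlaps another, every next hop is a usable host on its port's subnet, and the HA virtual IP sits in the shared LAN subnet without colliding with an assigned address. The names `check_plan`, `NETWORKS`, `NEXT_HOPS` and `HA` are assumptions; the addresses are the ones listed above.

```python
import ipaddress as ip
from itertools import combinations

# Values copied from the CIDR blocks listed in this topic.
NETWORKS = {
    "vpc": "10.0.0.0/16",
    "on_prem": "172.16.0.0/12",
    "wan1": "192.168.100.1/30",
    "wan2": "192.168.200.1/30",
    "lan": "192.168.50.1/24",
}
# name -> (port address with prefix, next hop configured on that port)
NEXT_HOPS = {
    "device1_wan_gateway": ("192.168.100.1/30", "192.168.100.2"),
    "device2_wan_gateway": ("192.168.200.1/30", "192.168.200.2"),
    "device1_static_route": ("192.168.50.1/24", "192.168.50.2"),
    "device2_static_route": ("192.168.50.3/24", "192.168.50.2"),
}
HA = {"vip": "192.168.50.254",
      "members": ["192.168.50.1/24", "192.168.50.3/24"],
      "other_hosts": ["192.168.50.2"]}  # VLAN 10 interface of the Layer-3 switch

def check_plan(networks, next_hops, ha):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    nets = {n: ip.ip_interface(c).network for n, c in networks.items()}
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} {na} overlaps {b} {nb}")
    for name, (port, hop) in next_hops.items():
        iface, hop = ip.ip_interface(port), ip.ip_address(hop)
        net = iface.network
        if hop not in net or hop in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: next hop {hop} is not a host in {net}")
        elif hop == iface.ip:
            problems.append(f"{name}: next hop {hop} is the port's own address")
    vip = ip.ip_address(ha["vip"])
    members = [ip.ip_interface(m) for m in ha["members"]]
    if len({m.network for m in members}) != 1 or vip not in members[0].network:
        problems.append(f"HA: virtual IP {vip} is not in a subnet shared by both LAN ports")
    taken = {m.ip for m in members} | {ip.ip_address(h) for h in ha["other_hosts"]}
    if vip in taken:
        problems.append(f"HA: virtual IP {vip} collides with an assigned address")
    return problems

if __name__ == "__main__":
    print(check_plan(NETWORKS, NEXT_HOPS, HA) or "addressing plan is consistent")
```
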

Step 1: Purchase SAG devices

After you purchase SAG devices in the SAG console, Alibaba Cloud delivers the devices to the specified address and creates an SAG instance that you can use to manage the network.

  1. Log on to the SAG console.
  2. On the Smart Access Gateway page, choose Purchase SAG > Create SAG (CPE).
  3. On the buy page, set the following parameters and click Buy Now:
    • Area: Select the area where you want to use the SAG device. Mainland China is selected in this example.
    • Device Spec: Select the model of the SAG device. SAG-1000 is selected in this example.
    • Have SAG Devices Already: Specify whether you already have an SAG device. In this example, No is selected.
    • Edition: Select the edition of the SAG device. Standard is selected in this example.
    • Quantity: Select the number of SAG devices that you want to purchase. 2 is selected in this example.
    • Area: Select the area where the SAG bandwidth will be used. This area must be the same as that of the SAG device and cannot be modified.
    • Instance Name: Enter a name for the SAG instance.

      The name must be 2 to 128 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_). It must start with a letter.

    • Peak Bandwidth: Specify the maximum bandwidth for network connections. 30Mbps is selected in this example.
    • Subscription Duration: Select a subscription duration.
  4. Confirm the order and click Confirm Purchase.
  5. In the Address dialog box, enter the recipient address and then click Order Now.
  6. On the Pay page, click Pay.
  7. You can check whether the order has been placed on the Smart Access Gateway page. SAG devices will be shipped within two business days after you place the order. To check the shipping updates, perform the following steps:
    1. On the Smart Access Gateway page, find the SAG instance.
    2. Click the ellipsis icon and choose View Shipping Update in the Actions column.
    3. In the Order Updates panel, view the shipping updates.

Step 2: Activate the SAG devices

After you receive the SAG devices, check whether you have received all the accessories. For more information, see SAG-1000 device specifications.

  1. In the top navigation bar, select the region.
  2. On the Smart Access Gateway page, find the SAG instance that you want to activate.
  3. Click Activate in the Actions column of the SAG instance.
  4. Click the ID of the SAG instance. On the instance details page, click the Device Management tab and enter the serial number of the device.
  5. Click Add Device.
  6. Repeat this step to associate the other SAG device with the SAG instance.

Step 3: Connect the SAG devices to your on-premises network

After you activate the SAG devices and associate them with the SAG instance, you must connect the devices to your on-premises network.

Before you begin, make sure that the devices are activated, the 4G network works as expected, and the devices are connected to Alibaba Cloud. Device 1 is used as an example. Repeat this step to connect Device 2 to your on-premises network.

  1. On the Smart Access Gateway page, find and click the SAG instance ID.
  2. On the instance details page, click the Device Management tab.
  3. In the left-side section, click Assign Port Roles.
  4. In the Assign Port Roles section, find the port and click Edit in the Actions column. Assign a role to the port and click OK.
    The WAN port (port 5) and LAN port (port 4) are used as an example. For more information about ports, see Assign a role to a port.
  5. Use a cable to connect the WAN port (port 5) of the SAG device to port G1 of the Internet-facing router.
  6. Use a cable to connect the LAN port (port 4) of the SAG device to port G11 of the Layer-3 switch.

Step 4: Configure ports

After the SAG devices are connected to your on-premises network, you can configure the device ports in the SAG console.

Device 1 is used as an example. Repeat this step to configure the ports of Device 2.

  1. Log on to the SAG console.
  2. On the Smart Access Gateway page, click the ID of the SAG instance.
  3. On the instance details page, click the Device Management tab.
  4. In the left-side navigation tree, click Manage LAN Ports.
  5. In the LAN (Port 4) section, click Edit.
  6. In the Configure LAN (Port 4) dialog box, set the following parameters and click OK.

    Device 1:

    • Link Type: Select Static.
    • Port Address: Enter the IP address of the LAN port. 192.168.50.1 is entered in this example.
    • Subnet Mask: Enter the subnet mask of the LAN port IP address. 255.255.255.0 is entered in this example.

    Device 2:

    • Link Type: Select Static.
    • Port Address: Enter the IP address of the LAN port. 192.168.50.3 is entered in this example.
    • Subnet Mask: Enter the subnet mask of the LAN port IP address. 255.255.255.0 is entered in this example.
  7. In the left-side section, click Manage WAN Ports.
  8. In the WAN (Port 5) section, click Edit.
  9. In the Configure WAN (Port 5) dialog box, set the following parameters and click OK.

    Device 1:

    • Link Type: Select Static.
    • IP Address: Enter the IP address of the WAN port. 192.168.100.1 is entered in this example.
    • Subnet Mask: Enter the subnet mask of the WAN port IP address. 255.255.255.252 is entered in this example.
    • Gateway: Enter the IP address of the gateway. 192.168.100.2 is entered in this example.

    Device 2:

    • Link Type: Select Static.
    • IP Address: Enter the IP address of the WAN port. 192.168.200.1 is entered in this example.
    • Subnet Mask: Enter the subnet mask of the WAN port IP address. 255.255.255.252 is entered in this example.
    • Gateway: Enter the IP address of the gateway. 192.168.200.2 is entered in this example.
    Note: After the parameters are set, a default route is added to the SAG device.

Step 5: Add routes

After you configure the WAN and LAN ports of the SAG devices, you need to configure the routing method that synchronizes local routes to Alibaba Cloud and specify static routes to route traffic from Alibaba Cloud to the on-premises network.

Device 1 is used as an example. Repeat this step to configure a routing method for Device 2.

  1. On the Smart Access Gateway page, click the ID of the SAG instance.
  2. On the SAG instance details page, click the Network Configuration tab.
  3. In the left-side section, click Method to Synchronize with On-premises Routes.
  4. Select Static Routing, click Add Static Route to add a CIDR block, and then click OK.

    Enter the CIDR block used to connect the on-premises network to Alibaba Cloud. 172.16.0.0/12 is used in this example.

  5. On the instance details page, click the Device Management tab.
  6. In the left-side section, click Manage Routes and then click Add Static Route.
  7. In the Add Static Route dialog box, add a static route that routes traffic from Alibaba Cloud to the on-premises network.
    Set the following parameters:

    • Destination CIDR Block
      Device 1: 172.16.0.0/12.
      Device 2: 172.16.0.0/12.
    • Next Hop
      Device 1: 192.168.50.2.
      Device 2: 192.168.50.2.
    • Ports: Select Port 4 (LAN) for both Device 1 and Device 2.

Step 6: Configure HA

The HA feature is used in this example to address single points of failure (SPOFs).

Device 1 is used as an example. Repeat this step to configure HA for Device 2.

  1. Log on to the Smart Access Gateway console.
  2. Use one of the following methods to open the Device Management tab.
    • Click the ID of the SAG instance. On the instance details page, click the Device Management tab.
    • Find the SAG instance and choose More > Device Management in the Actions column.
  3. On the Device Management tab, click Manage HA.
  4. In the HA Information section, click Edit.
  5. In the Configure HA dialog box, select an HA mode.
    Set the following parameters:

    • HA Mode: Select Static for both Device 1 and Device 2.
    • Port: Select LAN 4 for both Device 1 and Device 2.
    • Virtual IP: Enter a virtual IP address for the SAG devices. 192.168.50.254 is used for both Device 1 and Device 2 in this example.
  6. Click Save.

Step 7: Configure the Layer-3 switch and Internet-facing router

The commands used to configure switches vary based on the switch provider. For more information, see the manuals provided by your providers. The following sample code is provided for reference only.
  • Layer-3 switch
    Note: For each SAG device, the network type of ports that use the OSPF protocol must be set to peer-to-peer (P2P). Otherwise, the SAG device cannot calculate routes correctly.
    Configure IP addresses for the ports:

    ! Assign the LAN port of Device 1 to VLAN 10.
    interface GigabitEthernet 0/12
     switchport access vlan 10

    ! Assign the LAN port of Device 2 to VLAN 10.
    interface GigabitEthernet 0/14
     switchport access vlan 10

    ! The gateway IP address of the client.
    interface vlan 10
     ip address 192.168.50.2 255.255.255.0

    ! The route to the Internet.
    ip route 0.0.0.0 0.0.0.0 192.168.50.254

  • Internet-facing router
    Add a static route:

    ! The route to Device 1.
    ip route 192.168.100.1 255.255.255.252 192.168.100.2
    ! The route to Device 2.
    ip route 192.168.200.1 255.255.255.252 192.168.200.2


Step 8: Set up network connections

After you configure the SAG devices, you must set up network connections to connect the on-premises network to Alibaba Cloud.

  1. Create a Cloud Connect Network (CCN) instance.
    1. Log on to the SAG console.
    2. In the left-side navigation pane, click CCN.
    3. On the CCN page, click Create CCN Instance.
    4. In the Create CCN Instance panel, specify a name for the CCN instance and click OK.
      The name must be 2 to 100 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter.
  2. Set up network connections.
    1. Log on to the SAG console.
    2. On the Smart Access Gateway page, find the SAG instance and click Network Configuration in the Actions column.
    3. On the Network Instance Details tab, click Attach Network, select the CCN instance, and then click OK.
  3. Attach the CCN instance to a CEN instance.
    1. Log on to the SAG console.
    2. In the left-side navigation pane, click CCN.
    3. Find the CCN instance and click Bind CEN Instance in the Actions column.
    4. In the Bind CEN Instance pane that appears, select the CEN instance and click OK.
      After the CCN instance is associated with the CEN instance, SAG devices connected to the CCN instance can communicate with network instances such as VPCs and virtual border routers (VBRs) attached to the CEN instance.
  4. Configure an Elastic Compute Service (ECS) security group.
    Create a security group rule that allows access from the on-premises network to the VPC. For more information, see Add a security group rule.

Step 9: Verify the settings

After you complete the preceding steps, access cloud resources deployed in the VPC from a client in your on-premises network to test the network connectivity.