Huawei campus switches include the S1700, S2300, S2700, S3300, S3700, S5300, S5700, S600-E, S6300, S6700, S7700, S7900, S9300, S9300X, S9700, and S12700 series. In this article, HongTelecom introduces the example for configuring egress devices on small- and medium-sized campus or branch networks for the Huawei S7700/S9700 switch.
Example for Configuring Egress Devices on Small- and Medium-Sized Campus or Branch Networks
A campus network egress is often located between an enterprise’s internal network and external network to provide the only ingress and egress for data traffic between the internal and external networks. Small- and medium-scale enterprises want to deploy multiple types of services on the same device to reduce initial investment on enterprise network construction and long-term O&M cost. Enterprise network users require access to the Internet and virtual private networks (VPNs). To reduce network construction and maintenance costs, small- and medium-scale enterprises often lease the Internet links of carriers to build VPNs. Some campus networks requiring high reliability often deploy two egress routers to implement device-level reliability and use reliability techniques such as link aggregation, Virtual Router Redundancy Protocol (VRRP), and active and standby routes to ensure campus network egress reliability. Huawei AR series routers can be used as egress devices and work with Huawei S series switches to provide a cost-effective network solution for small- and medium-scale campus networks. Campus network egress devices must provide the following functions:
- Provide the network address translation (NAT) outbound and NAT server functions to translate between private and public network addresses, so that internal users can access the Internet and Internet users can access internal servers.
- Support the construction of VPNs through the Internet so that branches of the enterprise can communicate over VPNs.
- Encrypt data to protect data integrity and confidentiality, ensuring service transmission security.
- Be reliable, secure, low-cost, and easy to maintain, as required of egress devices on small- and medium-scale campus networks.
This configuration example:
- Applies to small- and medium-sized enterprise campus/branch egress solutions.
- Provides only the enterprise network egress configuration. For the internal network configuration, see “Small- and Mid-Sized Campus Networks” in the HUAWEI S Series Campus Switches Quick Configuration.
- Uses S series switches running V200R008 and AR series routers running V200R003.
The headquarters and branch of an enterprise are located in different cities and far from each other. The headquarters has two departments (A and B), and the branch has only one department. A cross-regional enterprise campus network needs to be constructed to meet the following requirements:
- Both users in the headquarters and branch have access to the Internet. In the headquarters, users in Department A can access the Internet, but users in Department B are not allowed to access the Internet. In the branch, all users can access the Internet.
- The headquarters has a web server to provide WWW service so that external users can access the internal server.
- The headquarters and branch need to communicate through VPNs over the Internet and communication contents must be protected.
- The headquarters’ campus network egress requires link-level reliability and device-level reliability.
- The branch does not need high reliability.
A comprehensive configuration solution, as shown in Figure 1, is provided to meet the preceding requirements. The solution adopts a multi-layer, modular, redundant, and secure design and applies to small- and medium-scale enterprise or branch campus networks.
- Deploy Huawei S2700&S3700 switches (ACC1, ACC2, and SwitchA) at the access layer, deploy Huawei S5700 switches (CORE) at the core layer, and deploy Huawei AR3200 routers (RouterA, RouterB, and RouterC) at the campus network egress.
- In the headquarters, use redundancy between two AR egress routers (RouterA and RouterB) to ensure device-level reliability. In the branch, deploy one AR router as the egress router.
- In the headquarters, set up a stack (CORE) between two S5700 core switches to ensure device-level reliability.
- In the headquarters, deploy Eth-Trunks between access switches, the CORE, and egress routers to ensure link-level reliability.
- In the headquarters, assign a VLAN to each department and transmit services between departments at Layer 3 through VLANIF interfaces of the CORE.
- Use the CORE of the headquarters as the gateway for users and servers, and deploy a DHCP server to assign IP addresses to users.
- Deploy the gateway for branch users on the egress router.
- Deploy VRRP between the two egress routers of the headquarters to ensure reliability.
- Construct an Internet Protocol Security (IPSec) VPN between the headquarters and branch over the Internet to enable communication while ensuring data transmission security.
- Deploy Open Shortest Path First (OSPF) between the two egress routers and CORE of the headquarters to advertise user routes for future capacity expansion and maintenance.
The configuration roadmap is as follows:
- Deploy the headquarters and branch campus networks. In the headquarters, deploy a stack and link aggregation, configure VLANs and IP addresses for interfaces, and deploy a DHCP server to allow users in the headquarters campus network to communicate. Users within a department communicate at Layer 2 through access switches, and users in different departments communicate at Layer 3 through the VLANIF interfaces of the CORE.
  In the branch, configure VLANs and IP addresses for interfaces on access switches and egress routers, and deploy a DHCP server to allow users in the branch campus network to communicate.
- Deploy VRRP. To ensure reliability between the CORE and the two egress routers of the headquarters, deploy VRRP between the two egress routers so that VRRP heartbeat packets are exchanged through the CORE. Configure RouterA as the master device and RouterB as the backup device.
  To prevent service interruption in the case of an uplink failure on RouterA, associate the VRRP status with the uplink interface of RouterA. The association ensures a fast VRRP switchover when the uplink fails.
- Deploy routes. To steer uplink traffic, configure a default route with the VRRP virtual address as the next hop on the CORE of the headquarters, and configure a default route on each egress router of the headquarters and branch, with the next hop pointing to the IP address of the connected carrier network device (public network gateway address).
  To steer the return traffic of the two egress routers of the headquarters, configure OSPF between the two egress routers and the CORE, and advertise all user network segments on the CORE into OSPF and then to the two egress routers.
  On RouterD, to steer traffic from external networks to the web server, configure two static routes whose destination address is the public network address of the web server and whose next-hop addresses are the uplink interface addresses of the two egress routers. To ensure that the route switchover happens together with the VRRP switchover, set the route with the next hop pointing to RouterA as the preferred one. When this route fails, the route with the next hop pointing to RouterB takes effect.
- Configure NAT outbound. To enable internal users to access the Internet, configure NAT on the uplink interfaces of the two egress routers for translation between private network addresses and public network addresses. Use an ACL that permits the source IP addresses of packets from Department A, so that users in Department A can access the Internet while users in Department B cannot.
- Configure a NAT server. To enable external users to access the internal web server, configure a NAT server on the uplink interfaces of the two egress routers to translate between the public and private network addresses of the server.
- Deploy IPSec VPN. To enable users in the headquarters and branch to communicate through a VPN, configure IPSec VPN between the egress routers of the headquarters and branch for secure communication.
For the enterprise internal network configuration, see “Small- and Mid-Sized Campus Networks” in the HUAWEI S Series Campus Switches Quick Configuration.
Table 1, Table 2, and Table 3 provide the data plan.
Table 1 (Eth-Trunk interfaces)

| Device | LAG interface | Physical interface |
| --- | --- | --- |

All Eth-Trunk interfaces work in Link Aggregation Control Protocol (LACP) mode.

Table 2 (interface and VLAN plan)

| Device | Interface | Description |
| --- | --- | --- |
| RouterA | Eth-Trunk1.100: dot1q termination sub-interface that terminates packets of VLAN 100. | Connects to the CORE of the headquarters. |
| RouterB | Eth-Trunk1.100: dot1q termination sub-interface that terminates packets of VLAN 100. | Connects to the CORE of the headquarters. |
| CORE | Eth-Trunk1: a trunk interface that transparently transmits packets of VLAN 10. | Connects to department A of the headquarters. |
| CORE | Eth-Trunk2: a trunk interface that transparently transmits packets of VLAN 20. | Connects to department B of the headquarters. |
| CORE | GE0/0/5: an access interface with VLAN 30 as the default VLAN. | Connects to the web server of the headquarters. |
| CORE | Eth-Trunk3: a trunk interface that transparently transmits packets of VLAN 100. | Connects to RouterA of the headquarters. |
| CORE | Eth-Trunk4: a trunk interface that transparently transmits packets of VLAN 100. | Connects to RouterB of the headquarters. |
| ACC1 | Eth-Trunk1: a trunk interface that transparently transmits packets of VLAN 10. | Connects to the CORE of the headquarters. |
| ACC1 | Ethernet0/0/2: an access interface with VLAN 10 as the default VLAN. | Connects to PC1 in department A. |
| ACC2 | Eth-Trunk1: a trunk interface that transparently transmits packets of VLAN 20. | Connects to the CORE of the headquarters. |
| ACC2 | Ethernet0/0/2: an access interface with VLAN 20 as the default VLAN. | Connects to PC3 in department B. |
| RouterC | GE2/0/0.200: dot1q termination sub-interface that terminates packets of VLAN 200. | Connects to SwitchA (access switch) of the branch. |
| SwitchA | GE0/0/1: a trunk interface that transparently transmits packets of VLAN 200. | Connects to RouterC (egress router) of the branch. |
| SwitchA | Ethernet0/0/2: an access interface with VLAN 200 as the default VLAN. | Connects to PC5 in the branch. |

Table 3 (IP address plan)

| Device | IP address | Description |
| --- | --- | --- |
| RouterA | GE1/0/0: 184.108.40.206/24; Eth-Trunk1.100: 10.10.100.2/24 | GE1/0/0 connects to the carrier network. Eth-Trunk1.100 connects to the CORE of the headquarters. |
| RouterB | GE1/0/0: 220.127.116.11/24; Eth-Trunk1.100: 10.10.100.3/24 | – |
| CORE | VLANIF 10: 10.10.10.1/24; VLANIF 20: 10.10.20.1/24; VLANIF 30: 10.10.30.1/24; VLANIF 100: 10.10.100.4/24 | VLANIF 10 is the user gateway of department A. VLANIF 20 is the user gateway of department B. VLANIF 30 is the gateway of the web server. VLANIF 100 connects to the egress routers. |
| Web server | IP address: 10.10.30.2/24; default gateway: 10.10.30.1 | Public network IP address translated by the NAT server: 18.104.22.168 |
| PC1 | IP address: 10.10.10.2/24; default gateway: 10.10.10.1 | IP address 10.10.10.2/24 is allocated to the PC through DHCP in this example. |
| PC3 | IP address: 10.10.20.2/24; default gateway: 10.10.20.1 | IP address 10.10.20.2/24 is allocated to the PC through DHCP in this example. |
| RouterD | InterfaceB: GigabitEthernet1/0/0, 22.214.171.124/24; InterfaceC: GigabitEthernet2/0/0, 126.96.36.199/24 | RouterD is a carrier network device. The interface numbers used here are examples; when configuring a device, use the actual interface numbers. |
| RouterE | InterfaceA: GigabitEthernet1/0/0, 188.8.131.52/24 | RouterE is a carrier network device. The interface number used here is an example; when configuring a device, use the actual interface number. |
| RouterC | GE1/0/0: 184.108.40.206/24; GE2/0/0.200: 10.10.200.1/24 | – |
| PC5 | IP address: 10.10.200.2/24; default gateway: 10.10.200.1 | IP address 10.10.200.2/24 is allocated to the PC through DHCP in this example. |
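To make the roadmap concrete, the following is the egress configuration of RouterA (the headquarters VRRP master) in Huawei VRP CLI syntax, covering the VRRP, route, NAT outbound and NAT server steps. It is an added example, not configuration from the Huawei documentation or from HongTelecom: interface addresses come from Table 3, while the VRRP virtual address 10.10.100.1, the Eth-Trunk member interfaces GE2/0/0 and GE3/0/0, and the VRRP priority and tracking values are assumptions. Lines beginning with `#` are comments for the reader, not VRP commands.

```text
# RouterA, headquarters VRRP master. "#" lines are reader comments, not VRP commands.
sysname RouterA
#
# ACL 2000 selects the traffic that NAT outbound translates: Department A (VLAN 10)
# is permitted, Department B (VLAN 20) is denied and so is never translated
# and cannot reach the Internet.
acl number 2000
 rule 5 permit source 10.10.10.0 0.0.0.255
 rule 10 deny source 10.10.20.0 0.0.0.255
#
# Downlink to the CORE: LACP Eth-Trunk (member interfaces are assumed, since the
# Table 1 rows are not reproduced here) with a dot1q termination sub-interface for VLAN 100.
interface Eth-Trunk1
 mode lacp-static
interface GigabitEthernet2/0/0
 eth-trunk 1
interface GigabitEthernet3/0/0
 eth-trunk 1
#
# VRRP on the VLAN 100 sub-interface. The assumed virtual address 10.10.100.1 is the
# next hop of the CORE default route. Priority 120 beats RouterB's default of 100;
# if uplink GE1/0/0 goes down the priority drops by 40 to 80 and RouterB takes over,
# which is the uplink association described in the roadmap.
interface Eth-Trunk1.100
 dot1q termination vid 100
 ip address 10.10.100.2 255.255.255.0
 arp broadcast enable
 vrrp vrid 1 virtual-ip 10.10.100.1
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 20
 vrrp vrid 1 track interface GigabitEthernet1/0/0 reduced 40
#
# Uplink to the carrier (RouterD). NAT outbound uses the interface address (easy IP);
# the NAT server maps the web server's public address to 10.10.30.2 for TCP port 80 only.
interface GigabitEthernet1/0/0
 ip address 184.108.40.206 255.255.255.0
 nat outbound 2000
 nat server protocol tcp global 18.104.22.168 80 inside 10.10.30.2 80
#
# Default route towards the carrier; the next hop is RouterD's InterfaceB address (Table 3).
ip route-static 0.0.0.0 0.0.0.0 22.214.171.124
#
# OSPF with the CORE carries the user networks (10.10.10.0/24, 10.10.20.0/24,
# 10.10.30.0/24) back to RouterA for return traffic; the CORE advertises them.
ospf 1 router-id 10.10.100.2
 area 0.0.0.0
  network 10.10.100.0 0.0.0.255
```

RouterB is configured the same way with its own addresses from Table 3, the default VRRP priority, and no `track interface` command, so it only becomes master when RouterA or its uplink fails. The NAT server entry exposes a single TCP port of the web server rather than the whole host, which is the least-privilege choice for the inbound translation.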
As a world-leading supplier of Huawei networking products, Hong Telecom Equipment Service LTD (HongTelecom) keeps Huawei routers, switches, and all cards regularly in stock at very good prices, and ships worldwide with very fast delivery.