Firewall Deployment Plan

Huawei hardware firewalls can be connected to border leaf nodes or service leaf nodes in bypass mode, or to border leaf nodes and PEs in inline mode. It is recommended that firewalls be connected to service leaf nodes in bypass mode, as shown in Figure 9.13.

The controller automatically delivers configurations such as vSYS, security policies, and SNAT/EIP for the interconnection between tenants’ VPCs and firewalls.

LB Deployment Plan

The following LB deployment plan is recommended:

  • LBs are deployed in active/standby mode.
  • LBs are connected to service leaf nodes in bypass mode.
  • LBs are connected to the VXLAN network at Layer 2. The Self-IP address, service VIP address, and server IP address are on the same subnet.
  • An LB uses Eth-Trunk to connect to the service leaf node in M-LAG mode.

FIGURE 9.13 Load balancing on an egress network when firewalls connect to service leaf nodes in bypass mode.

Figure 9.14 shows the traffic model when LBs are used. The server forwards packets to the LBs at Layer 2 over the VXLAN tunnel; the LBs send the packets over their default route to the service leaf nodes, which look up the destination route and forward the packets to the firewall.

In cloud-network integration, the cloud platform can connect to LBs provided by some vendors and automatically deliver load balancing services.

In network virtualization, the SDN controller can manage LBs provided by some vendors and automatically deliver interconnection addresses and bidirectional routes between LBs and switches. Load balancing services have to be manually configured on LBs.

FIGURE 9.14 Traffic model when LBs connect to service leaf nodes in bypass mode.

Server Access Deployment Plan

Figure 9.15 shows the common access modes of x86 servers.

  • (Recommended) Servers are connected to M-LAG switches working in active/standby mode, as shown in Figure 9.15a.
  • (Recommended) Servers are connected to M-LAG switches working in load balancing mode, as shown in Figure 9.15b.
  • Servers are connected to single leaf nodes working in active/standby mode, as shown in Figure 9.15c.

Table 9.2 compares the three access modes of x86 servers.

FIGURE 9.15 Access modes of x86 servers.

TABLE 9.2 Comparison of the access modes of x86 servers.

Active/standby connections to M-LAG switches (recommended)
  Applicable scenario: VMs or BMs do not proactively send notifications to the network during active/standby switchover of NICs.
  Precautions: The peer-link bandwidth should be equal to the total uplink bandwidth, and the uplink and downlink oversubscription should be applied.

Load balancing connections to M-LAG switches (recommended)
  Applicable scenario: Servers are connected to the network in load balancing mode.
  Precautions: The peer-link bandwidth should be high enough to carry the traffic if a downlink of the leaf node is faulty.

Active/standby connections to single leaf nodes
  Applicable scenario: There is no coupling among leaf nodes.
  Precautions: During the active/standby switchover of NICs, VMs and BMs must detect the fault and proactively send notifications to the network. Otherwise, network convergence is slow.

Figure 9.16 shows the key configurations related to server access.

  • When servers are connected in active/standby mode, physical interfaces on leaf nodes are used as the interconnection interfaces, so Eth-Trunks do not need to be configured. When servers are connected in load balancing mode, M-LAG is configured on leaf nodes.
  • Broadcast suppression, multicast suppression, ARP rate limiting, and unknown unicast suppression are configured on all access interfaces.
  • A monitor link group is configured on server leaf nodes. It prevents traffic from being black-holed by bringing the downlinks down when all physical uplinks or Eth-Trunks go down, so that the server fails over to its other NIC.

FIGURE 9.16 Key configurations related to server access.
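As an added example (not from the book and not a Huawei tool or API), the following Python audit checks a server leaf node's configuration model against the key configurations listed above and the peer-link precautions in Table 9.2. The data model, the interface names in the sample, and the reading of "high enough" for load balancing mode as "at least the largest single downlink" are assumptions made for the example.

```python
from dataclasses import dataclass, field
# The four per-interface protections called out for Figure 9.16
REQUIRED_SUPPRESSION = {"broadcast", "multicast", "unknown-unicast", "arp-rate-limit"}

@dataclass
class Interface:
    name: str
    role: str                   # "uplink", "downlink" or "peer-link"
    bandwidth_gbps: int
    suppression: set = field(default_factory=set)

@dataclass
class LeafNode:
    access_mode: str            # "active-standby" or "load-balancing" (Table 9.2)
    interfaces: list
    monitor_link_uplinks: set   # members of the monitor link group
    monitor_link_downlinks: set

def audit_leaf(leaf):
    """Return findings; an empty list means the leaf matches the plan."""
    of_role = lambda r: [i for i in leaf.interfaces if i.role == r]
    uplinks, downlinks, peer = of_role("uplink"), of_role("downlink"), of_role("peer-link")
    findings = []
    # 1. Suppression and ARP rate limit on every access (downlink) interface
    for i in downlinks:
        if REQUIRED_SUPPRESSION - i.suppression:
            findings.append(f"{i.name}: missing {sorted(REQUIRED_SUPPRESSION - i.suppression)}")
    # 2. Monitor link group must cover every uplink and downlink (Figure 9.16)
    findings += [f"{i.name}: uplink not in monitor link group"
                 for i in uplinks if i.name not in leaf.monitor_link_uplinks]
    findings += [f"{i.name}: downlink not in monitor link group"
                 for i in downlinks if i.name not in leaf.monitor_link_downlinks]
    # 3. Peer-link sizing (Table 9.2): active/standby needs the total uplink bandwidth;
    #    load balancing "high enough if a downlink fails" is read (assumption) as largest downlink
    peer_bw = sum(i.bandwidth_gbps for i in peer)
    if leaf.access_mode == "active-standby":
        need = sum(i.bandwidth_gbps for i in uplinks)
    else:
        need = max((i.bandwidth_gbps for i in downlinks), default=0)
    if peer_bw < need:
        findings.append(f"peer-link {peer_bw} Gbit/s below required {need} Gbit/s")
    return findings

# Constructed sample (not from the page): one downlink lacks the ARP rate limit,
# one uplink is outside the monitor link group and the peer-link is undersized.
SAMPLE_LEAF = LeafNode("active-standby", [
    Interface("100GE1/0/1", "uplink", 100), Interface("100GE1/0/2", "uplink", 100),
    Interface("100GE1/0/3", "peer-link", 100),
    Interface("25GE1/0/10", "downlink", 25, set(REQUIRED_SUPPRESSION)),
    Interface("25GE1/0/11", "downlink", 25, {"broadcast", "multicast", "unknown-unicast"})],
    monitor_link_uplinks={"100GE1/0/1"}, monitor_link_downlinks={"25GE1/0/10", "25GE1/0/11"})
```

Running `audit_leaf(SAMPLE_LEAF)` reports the three deviations; a leaf that matches the plan returns an empty list.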
