
Web Example: Applying a VXLAN to a Data Center

In a data center, the VXLAN feature is often used together with the hot standby, virtual system, and NAT features.

Networking Requirements

In the data center shown in Figure 1, the VMs of one virtual private cloud (VPC) are deployed on different x86 servers. VXLAN-capable Layer-2 devices provide access and Layer-2 forwarding for the VMs. The FWs act as VXLAN gateways and are responsible for network security between VPCs, and between VPCs and physical networks. Route isolation is required between VPCs, and only public addresses are visible to external networks. For secure and stable networking, the FWs must work in hot standby mode.

Figure 1 Applying a VXLAN to a data center
Table 1 Security zone planning

Security Zone | Interface | Description
TRUST | GigabitEthernet 0/0/0 | Connecting to a VXLAN Layer-2 access device
DMZ | BDIF1, BDIF2 | Outbound interfaces of VPCs where tenant VMs reside
DMZ | Virtual-if0 | Outbound interface from a virtual system to the root system, equal to the BDIF interface for the root system
DMZ | GigabitEthernet 0/0/1 | HRP heartbeat interface
UNTRUST | GigabitEthernet 0/0/2 | Upstream interface connecting the device to the Internet or another physical network
UNTRUST | Virtual-if1, Virtual-if2 | Interfaces connecting virtual systems to the root system, equal to GigabitEthernet 0/0/2 for virtual systems

Configuration Roadmap

  1. Connect two FWs to Layer-3 devices (OSPF configured) in the upstream direction and Layer-2 devices in active/standby mode (VRRP group configured) in the downstream direction.

    Permit OSPF packets in the security policies for the interzone between the Local zone and the security zone where upstream interfaces reside. Otherwise, OSPF neighbor relationships cannot be set up.

  2. Create the BD, VNI (VXLAN ID), and VXLAN tunnel. Set the source IP address of the NVE interface to the virtual IP address of the VRRP group.

    Permit VXLAN packets in the security policies for the interzone between the Local zone and the security zone where VRRP group interfaces reside. Otherwise, VXLAN tunnels cannot be set up.

  3. Create a virtual system and associate the VNI and public IP address with the virtual system. Then, the BDIF interface is allocated to the virtual system along with the associated VNI.
  4. Create a BDIF (VXLAN) interface, and set an IP address for the interface.

    Set the same IP address on the standby device. Setting the same MAC address for both devices is recommended. Otherwise, services are interrupted for a short period during the switchover.

  5. Configure NAT Server in the virtual system to map private IP addresses to public IP addresses.

  6. Configure a static route between the virtual system and root system.
  7. Configure the IP address of the BDIF interface as the VM gateway.
  8. Configure the VXLAN Layer-2 access device. Set the peer IP address of the VXLAN tunnel to the VRRP virtual IP address of the FWs. Set up a VXLAN tunnel between the VXLAN Layer-2 access devices.

Procedure

  1. Complete basic network configurations on FW_A.
    1. Choose Network > Interface to configure interface IP addresses and security zones.

      Interface | Configuration
      GigabitEthernet 0/0/0 | IP Address: 10.0.10.11; Zone: trust
      GigabitEthernet 0/0/1 | IP Address: 172.16.0.1; Zone: dmz
      GigabitEthernet 0/0/2 | IP Address: 10.1.0.1; Zone: untrust
      Virtual-if0 | Zone: dmz

    2. Choose Network > Route > OSPF to configure OSPF.

      1. Click Add, set parameters, and click OK.

        Type: OSPF v2
        Process ID: 1

      2. Click Advanced Settings, Area Settings, and then Add, set parameters, and click OK.

        Area: 0
        IP Network: 10.1.0.0
        Mask/Wildcard Mask: 0.0.0.255
        Authentication Mode: NONE

      3. Click Route Import and then Add, set parameters, and click OK.

        Route Type: Direct

  2. Configure hot standby on FW_A.

    Choose System > High Availability > Dual-System Hot Standby, click Edit, complete the following configuration, and click OK.

  3. Configure hot standby on FW_B.

    The configuration on FW_B is similar to that on FW_A except that:

    1. The IP addresses of interfaces on FW_B are different from those of interfaces on FW_A.
    2. The subnets to which FW_B advertises OSPF routes are different from those to which FW_A advertises OSPF routes.
    3. The State value of FW_B is Standby.

  4. Configure the BD, VNI (VXLAN ID), and VXLAN tunnel.

    A BD is automatically created when you create a VXLAN tunnel.

    1. Choose Network > VXLAN.
    2. Select Enable corresponding to VXLAN and VXLAN Monitoring, set Source IP Address to the virtual IP address for hot standby, and click Apply.

    3. Click Add to configure the VXLAN tunnel.

      VXLAN ID | Destination IP Address
      8001 | 10.0.20.10, 10.0.20.11
      8002 | 10.0.20.10, 10.0.20.11

  5. Create virtual systems and allocate VNIs and public addresses.
    1. Choose System > Virtual System > Virtual System, select Enable for Virtual System, and click OK.

    2. Click Add to create a virtual system and allocate resources.

      Basic Settings | VXLAN Settings | IP Address Settings
      Name: vsys1 | Bound VXLAN: vni 8001 | Exclusively used IP Address ranges: 1.1.1.1-1.1.1.100
      Name: vsys2 | Bound VXLAN: vni 8002 | Exclusively used IP Address ranges: 2.2.2.1-2.2.2.100

  6. Create a BDIF interface (VXLAN interface) and configure the IP address and security zone for the interface.

    • If a BDIF interface already has an IP address when a virtual system is created, the IP address will be deleted.
    • The device can automatically associate a virtual system based on the VXLAN ID. Do not manually set the virtual system.

    1. Choose Network > Interface, click Add, and set BDIF interface parameters.

      Interface Name | Type | Zone | VXLAN ID | IP Address
      1 | VXLAN Interface | DMZ | 8001 | 192.168.1.1/24
      2 | VXLAN Interface | DMZ | 8002 | 192.168.2.1/24

  7. Configure a static route for the root system.

    In this example, the IP address of the interface on the downstream device is 10.0.10.1.

    Choose Network > Route > Static Route and click Add to configure a static route.

  8. Configure a security policy for the root system.

    Choose Policy > Security Policy > Security Policy and click Add Security Policy to configure the following security policies.

    Name | Function
    vxlan | Permit VXLAN packets.
    ospf | Permit OSPF packets.
    1_in, 2_in | Permit access from Internet users to VMs in the intranet after NAT is performed.
    1_out, 2_out | Permit intranet users to access the external network after NAT is performed.

  9. Configure vsys1.
    1. Switch the virtual system to vsys1.

    2. Configure NAT Server.

      Choose Policy > NAT Policy > Server Mapping, click Add, complete the following configuration, and click OK.

    3. Choose Network > Interface and assign interfaces to security zones.

    4. Choose Network > Route > Static Route and configure a static route to the Internet.

    5. Choose Policy > Security Policy > Security Policy and configure security policies.

      Name | Function
      in | Permit Internet users to access VMs.
      out | Permit VMs to access the Internet.

  10. Configure vsys2.

    The configuration of vsys2 is the same as that of vsys1 except for the following:

    1. The public and private addresses of NAT Server
    2. The source and destination addresses in security policies

  11. Configure the VXLAN interface IP address and static route on FW_B.

    The configuration on FW_B is the same as that on FW_A. This configuration must be manually performed because it cannot be automatically backed up to the standby device in hot standby scenarios.

  12. Optional: Set the same MAC address for the BDIF interfaces on FW_A and FW_B.
    1. Log in to FW_B, choose Network > Interface, click Edit corresponding to the BDIF interface, and query the MAC address of the BDIF interface in Advanced.
    2. Set the MAC address of the BDIF interface on FW_A to the same value in the same way.

Verification

Operation: Access from the VM at 192.168.1.2 in VPCa to a public IP address is successful.

Queried session tables on FW_A:
  • OSPF session table between Untrust and Local zones
  • VXLAN session table between Trust and Local zones
  • In the root system, session table from the DMZ to the Untrust zone with the source address being 1.1.1.2
  • In vsys1, session table from the DMZ to the Untrust zone with the source address being 192.168.1.2

Operation: Access from the Internet to the NAT Server address (2.2.2.2) in VPCb is successful.

Queried session tables on FW_A:
  • OSPF session table between Untrust and Local zones
  • VXLAN session table between Untrust and Local zones
  • In the root system, session table from the Untrust zone to the DMZ with the destination address being 2.2.2.2
  • In vsys2, session table from the Untrust zone to the DMZ with the destination address being 192.168.2.2

Operation: Access from the VM at 192.168.1.2 in VPCa to the NAT Server address (2.2.2.2) in VPCb is successful.

Queried session tables on FW_A:
  • VXLAN session table between Untrust and Local zones
  • In vsys1, session table from the DMZ to the Untrust zone with the source address being 1.1.1.2 and destination address being 2.2.2.2
  • In vsys2, session table from the Untrust zone to the DMZ with the source address being 1.1.1.2 and destination address being 192.168.2.2

Shut down GigabitEthernet 0/0/2 on FW_A and repeat the preceding operations. The operations succeed.

All the preceding session tables can be queried on FW_B.

Configuration Scripts

FW_A

#
 hrp enable
 hrp interface GigabitEthernet 0/0/1 remote 172.16.0.2
 hrp adjust ospf-cost enable
 hrp auto-sync config static-route
 hrp track interface GigabitEthernet 0/0/2
#
bridge-domain 1
 vxlan vni 8001
#
bridge-domain 2
 vxlan vni 8002
#
vsys enable 
#
vsys name vsys1 1
 assign global-ip 1.1.1.1 1.1.1.100 exclusive
 assign vni 8001
#
vsys name vsys2 2
 assign global-ip 2.2.2.1 2.2.2.100 exclusive
 assign vni 8002
#
interface GigabitEthernet0/0/0
 ip address 10.0.10.11 255.255.255.0
 vrrp vrid 1 virtual-ip 10.0.10.10 active
#
interface GigabitEthernet 0/0/1
 ip address 172.16.0.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
 ip address 10.1.0.1 255.255.255.0
#
interface Vbdif1
 ip address 192.168.1.1 255.255.255.0
#
interface Vbdif2
 ip address 192.168.2.1 255.255.255.0
#
interface Nve1
 source 10.0.10.10
 vxlan statistic enable
 vni 8001 head-end peer-list 10.0.20.10 10.0.20.11
 vni 8002 head-end peer-list 10.0.20.10 10.0.20.11
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/2
#
firewall zone dmz
 set priority 50
 add interface Virtual-if0
 add interface GigabitEthernet 0/0/1
#
ospf 1 
 import-route static 
 area 0.0.0.0
  network 10.1.0.0 0.0.0.255
#
ip route-static 1.1.1.0 255.255.255.0 vpn-instance vsys1
ip route-static 2.2.2.0 255.255.255.0 vpn-instance vsys2
ip route-static 10.0.20.0 255.255.255.0 10.0.10.1
#
security-policy
 rule name vxlan
  source-zone local
  source-zone trust
  destination-zone local
  destination-zone trust
  destination-address 10.0.0.0 mask 255.255.0.0
  service vxlan
  action permit
 rule name ospf
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  destination-address 10.0.0.0 mask 255.0.0.0
  service ospf
  action permit
 rule name 1_in
  source-zone untrust
  destination-zone dmz
  destination-address 1.1.1.0 mask 255.255.255.0
  action permit
 rule name 2_in
  source-zone untrust
  destination-zone dmz
  destination-address 2.2.2.0 mask 255.255.255.0
  action permit
 rule name 1_out
  source-zone dmz
  destination-zone untrust
  source-address 1.1.1.0 mask 255.255.255.0
  action permit
 rule name 2_out
  source-zone dmz
  destination-zone untrust
  source-address 2.2.2.0 mask 255.255.255.0
  action permit
#
switch vsys vsys1 
#
interface Vbdif1
 ip address 192.168.1.1 255.255.255.0
#
firewall zone untrust
 set priority 5
 add interface Virtual-if1
#
firewall zone dmz
 set priority 50
 add interface Vbdif1
#
security-policy
 rule name in
  source-zone untrust
  destination-zone dmz
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name out
  source-zone dmz
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 public
#
 nat server to1 0 global 1.1.1.2 inside 192.168.1.2 unr-route
#
switch vsys vsys2 
#
interface Vbdif2
 ip address 192.168.2.1 255.255.255.0
#
firewall zone untrust
 set priority 5
 add interface Virtual-if2
#
firewall zone dmz
 set priority 50
 add interface Vbdif2
#
security-policy
 rule name in
  source-zone untrust
  destination-zone dmz
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit
 rule name out
  source-zone dmz
  destination-zone untrust
  source-address 192.168.2.0 mask 255.255.255.0
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 public
#
 nat server to2 1 global 2.2.2.2 inside 192.168.2.2 unr-route
#

FW_B

#
 hrp enable
 hrp interface GigabitEthernet 0/0/1 remote 172.16.0.1
 hrp adjust ospf-cost enable
 hrp auto-sync config static-route
 hrp track interface GigabitEthernet 0/0/2
#
bridge-domain 1
 vxlan vni 8001
#
bridge-domain 2
 vxlan vni 8002
#
vsys enable 
#
vsys name vsys1 1
 assign global-ip 1.1.1.1 1.1.1.100 exclusive
 assign vni 8001
#
vsys name vsys2 2
 assign global-ip 2.2.2.1 2.2.2.100 exclusive
 assign vni 8002
#
interface GigabitEthernet0/0/0
 ip address 10.0.10.12 255.255.255.0
 vrrp vrid 1 virtual-ip 10.0.10.10 standby
#
interface GigabitEthernet 0/0/1
 ip address 172.16.0.2 255.255.255.0
#
interface GigabitEthernet 0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface Vbdif1
 ip address 192.168.1.1 255.255.255.0
#
interface Vbdif2
 ip address 192.168.2.1 255.255.255.0
#
interface Nve1
 source 10.0.10.10
 vxlan statistic enable
 vni 8001 head-end peer-list 10.0.20.10 10.0.20.11
 vni 8002 head-end peer-list 10.0.20.10 10.0.20.11
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/2
#
firewall zone dmz
 set priority 50
 add interface Virtual-if0
 add interface GigabitEthernet 0/0/1
#
ospf 1 
 import-route static 
 area 0.0.0.0
  network 10.2.0.0 0.0.0.255
#
ip route-static 1.1.1.0 255.255.255.0 vpn-instance vsys1
ip route-static 2.2.2.0 255.255.255.0 vpn-instance vsys2
ip route-static 10.0.20.0 255.255.255.0 10.0.10.1
#
security-policy
 rule name vxlan
  source-zone local
  source-zone trust
  destination-zone local
  destination-zone trust
  destination-address 10.0.0.0 mask 255.255.0.0
  service vxlan
  action permit
 rule name ospf
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  destination-address 10.0.0.0 mask 255.0.0.0
  service ospf
  action permit
 rule name 1_in
  source-zone untrust
  destination-zone dmz
  destination-address 1.1.1.0 mask 255.255.255.0
  action permit
 rule name 2_in
  source-zone untrust
  destination-zone dmz
  destination-address 2.2.2.0 mask 255.255.255.0
  action permit
 rule name 1_out
  source-zone dmz
  destination-zone untrust
  source-address 1.1.1.0 mask 255.255.255.0
  action permit
 rule name 2_out
  source-zone dmz
  destination-zone untrust
  source-address 2.2.2.0 mask 255.255.255.0
  action permit
#
switch vsys vsys1 
#
interface Vbdif1
 ip address 192.168.1.1 255.255.255.0
#
firewall zone untrust
 set priority 5
 add interface Virtual-if1
#
firewall zone dmz
 set priority 50
 add interface Vbdif1
#
security-policy
 rule name in
  source-zone untrust
  destination-zone dmz
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name out
  source-zone dmz
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 public
#
 nat server to1 0 global 1.1.1.2 inside 192.168.1.2 unr-route
#
switch vsys vsys2 
#
interface Vbdif2
 ip address 192.168.2.1 255.255.255.0
#
firewall zone untrust
 set priority 5
 add interface Virtual-if2
#
firewall zone dmz
 set priority 50
 add interface Vbdif2
#
security-policy
 rule name in
  source-zone untrust
  destination-zone dmz
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit
 rule name out
  source-zone dmz
  destination-zone untrust
  source-address 192.168.2.0 mask 255.255.255.0
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 public
#
 nat server to2 1 global 2.2.2.2 inside 192.168.2.2 unr-route
#
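As an added example that is not part of this page or its scripts: a small Python checker for the consistency requirements the configuration roadmap states, run over constructed excerpts written in the format of the FW_A and FW_B scripts above. It checks that the BDIF interface addresses are identical on both FWs, that the vxlan rule actually permits the VXLAN service between the Local and Trust zones, and that each virtual system's NAT Server global address falls inside the global-ip range exclusively assigned to that virtual system.

```python
import ipaddress
import re

# Constructed excerpts in the style of this page's FW_A/FW_B scripts (not the full
# scripts); FW_B's Vbdif2 address is deliberately changed so the drift check fires.
FW_A = """\
vsys name vsys1 1
 assign global-ip 1.1.1.1 1.1.1.100 exclusive
interface Vbdif1
 ip address 192.168.1.1 255.255.255.0
interface Vbdif2
 ip address 192.168.2.1 255.255.255.0
security-policy
 rule name vxlan
  source-zone local
  source-zone trust
  destination-zone local
  destination-zone trust
  service vxlan
  action permit
switch vsys vsys1
 nat server to1 0 global 1.1.1.2 inside 192.168.1.2 unr-route
"""
FW_B = FW_A.replace("192.168.2.1 255.255.255.0", "192.168.2.2 255.255.255.0")

def bdif_drift(cfg_a, cfg_b):
    """Vbdif interfaces whose addresses differ between the two FWs (must be none)."""
    pat = r"interface (Vbdif\d+)\n ip address (\S+)"
    a, b = dict(re.findall(pat, cfg_a)), dict(re.findall(pat, cfg_b))
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

def rule_permits(cfg, name, zones, service):
    """True if rule `name` permits `service` with every zone in `zones` on both sides."""
    m = re.search(rf" rule name {re.escape(name)}\n((?:  .*\n)+)", cfg)
    body = m.group(1) if m else ""  # rule body = the lines indented by two spaces
    zones_ok = all(f"  source-zone {z}\n" in body
                   and f"  destination-zone {z}\n" in body for z in zones)
    return zones_ok and f"  service {service}\n" in body and "  action permit\n" in body

def nat_globals_in_range(cfg):
    """(vsys, global IP) -> whether that NAT Server global IP lies in the vsys's range."""
    ranges = {v: (lo, hi) for v, lo, hi in re.findall(
        r"vsys name (\S+) \d+\n assign global-ip (\S+) (\S+)", cfg)}
    results = {}
    for vsys, block in re.findall(r"switch vsys (\S+)\n(.*?)(?=\nswitch vsys|\Z)", cfg, re.S):
        lo, hi = (ipaddress.ip_address(x) for x in ranges[vsys])
        for g in re.findall(r"nat server \S+ \d+ global (\S+)", block):
            results[(vsys, g)] = lo <= ipaddress.ip_address(g) <= hi
    return results
```

Run the three functions over the real FW_A and FW_B scripts to catch a BDIF address that was typed differently on the standby device, a Local-zone rule that lost its service match, or a NAT Server mapping that uses a public address outside the virtual system's allocation.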
Copyright © Huawei Technologies Co., Ltd.