Got it

HCS8.0.3 Captain Secret Scripts !Episode 2 Network plane interworking Highlighted

Latest reply: Apr 12, 2022 01:26:27 349 6 3 0 0

Whoa, whoa, whoa.Welcome to the voyage again.

The previous document describes how to isolate the functions of the network plane from HCS 8.0.3. This section describes how HCS 8.0.3 network planes can communicate with each other.

In order to achieve network plane interoperability, an important device needs to be introduced.Firewall! The entire network plane of the HCS platform is controlled by a firewall. Almost all communication requirements can be controlled by the firewall if needed. 

Note: the telnet plane (communication between VMS). and External_Relay_Network (internal conversion network) cannot be controlled. Details will be described later. (Due to their special and important functions, they are mentioned every time a distinction is needed).

The firewall in HCS is directly connected to the core switch, which delivers all routes to the firewall. There is no VRF configured on the firewall.

The function of VRF is similar to the function of virtual machine. There are no VRFs configured on the firewall and many VRFs on the core switch. In this case, it can be understood that multiple switches are connected to the firewall and they all send their own routes to the firewall.

As shown in the figure below, the logical structure and implementation result of configuring multiple VRFs on a single switch is the same as that of using multiple physical switches.


Review: vrf: gugan. is a VRF that preserves the customer's subnet.


1. If this structure is used, does the VRF:manger contain the routing information for the VRF:DMZ? If so, what are the implications?

The answer is, yes, but there is no impact.

2. According to the previous answer, VRF:gugan contains the address of the cloud platform management subnet, so will VRF:manger, the address of the cloud platform component leak into the customer network?

The answer is, no, don't worry about it. If a detailed explanation of this part is needed later, it will be expanded.

If  cannot understand these two questions, it does not matter. This is something for network professionals to consider and is not relevant to understanding cloud computing services.

Okay, back to the whole thing.

In HCS, the firewalls are deployed as follows. Combined with the LLD planning on the right easily gives a visual understanding of the relationship of the network plane planning.


Let's focus on firewalls and core switches.

All subnets are now in a global routing table. The firewall denies mutual access between all subnets by default. By default, all planes cannot communicate with each other. The method for mutual access is to enable security policies on the firewall.

Generally, all subnets of a network plane are placed in a zone.

Observe the information in the red box in the figure below. The information at the top of the red box is a scenario design example. The purpose of displaying it together is to show that the firewall is doing many important things.

The description and legends here show only some mutual access requirements. For details about access requirements, see the network design guide and customer requirements.

Attention please: There is no VRF distinction on the firewall.There is only one global routing table and nearly a thousand security policies!


The following are the common scenarios for enabling security policies:

1. Required by cloud platform functions.

For example:

    Management Plane and DMZ - Permit

     Management Plane and innetwork(External_Relay_Network): Permit (Functional Component)

    Management Plane and Tennat: Permit (Functional Components Are Not User VMS)

    Management Plane and OMAccess - Permit


    The management plane needs to interact with any of the basic components of the cloud platform. Therefore, communication between the management plane and any plane is allowed.

2. common user requirements

For example

    1. customer's offline physical NAT and cloud platform NAT-Permit

    2. customer's offline Ops center and cloud platform - Permit


    Based on user requirements and security control principles, minimize active access to cloud platform management components by offline nodes.

3. Unconventional requirements

For example:

    ROMA accesses the Internet. ROMA is located on the DC_VPC_GW network plane and belongs to the VRF manager.

    The Internet route integrated by the HCS is generally in the customer subnet, that is, the VRF (gugan).

    We typically do not communicate our management components directly with the Internet. However, if necessary, one address of ROMA can be unidirectionally allowed to communicate with the Internet. This is achievable.

    The main thing is to control it in the firewall.

Well, now we've got two more secrets from Captain T.

Captain T's Secret Book #4: How the cloud platform components communicate with each other.

1. The cloud platform components can communicate with each other in two ways: one using the methods described in this article, and the other using the intranet (described later).

2. All VRF routes are delivered to the firewall by configuring a firewall security policy. The firewall is zoned according to the VRF plane, and IP sets and security policies are configured for the addresses that need to communicate with each other.

Captain T's Secret Book #5: How the cloud platform component communicates with the Internet;

1. Security policies can be used to control external communication. Assume that the addresses of some internal groups are not transmitted to the VRF of the core and are used only on the cloud platform. In this case, you can bind the component to an EIP and configure Internet access policies for the EIP.

2. Please note that direct access to the Internet by internal components is a risky behavior. Ensure that the accessed content does not affect the cloud platform.

a note about:Assume that the addresses of some internal groups are not transmitted to the VRF of the core and are used only on the cloud platform. In this case

    The cloud platform does not need to assign all component addresses to physical network devices. If the cloud computing function can be implemented in its own component cluster, its address does not need to be transferred to the core switches. For example, in the following description of cloud connect, the prerequisite for using this function is as follows: The IP address of the vRouter component needs to be generated on core switches using static routes and advertised to VRF:gugan, and then sent to the peer region.

Content preview:

The next episode will show a case study of integrating heterogeneous security services into HCS.

  • x
  • convention:

Admin Created Apr 2, 2022 02:51:09

Thanks for your sharing!
View more
  • x
  • convention:

Created Apr 2, 2022 04:20:57

Great share
View more
  • x
  • convention:

Created Apr 3, 2022 03:59:28

Good share
View more
  • x
  • convention:

Created Apr 12, 2022 01:26:13

Thank you for the recognition
View more
  • x
  • convention:

Created Apr 12, 2022 01:26:21

Thank you for the recognition
View more
  • x
  • convention:

Created Apr 12, 2022 01:26:27

Thank you for the recognition
View more
  • x
  • convention:


You need to log in to comment to the post Login | Register

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits


Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Please bind your phone number to obtain invitation bonus.
Information Protection Guide
Thanks for using Huawei Enterprise Support Community! We will help you learn how we collect, use, store and share your personal information and the rights you have in accordance with Privacy Policy and User Agreement.