Got it

HCS8.0.3 Captain Secret Scripts !Episode 3 Integrated heterogeneous platform。

Latest reply: Apr 12, 2022 01:31:08 232 4 2 0 0

        Today, I received a help from my friend. We'll go and see it.

        According to my friend's description, he had to use a physical platform because his business had some very special needs. In addition, the physical platform is not integrated in the HCS and can only be attached to the HCS in bypass mode.

        The function of the solution is that all traffic between VMSs must pass through the physical platform.For example, VMs in VPC 1 and VPC 2 in region A need to pass through this physical platform.

        Note that theprivate IP addresses of the VMS must also be inter-accessible through the physical platform.

        As mentioned earlier, as long as the VMS addresses can appear in the core switch routes, we can bring traffic to this set of physical platforms and this problem is easily solved.

        However, VMS private address traffic passes through the tenant plane, where only the VETP address used to encapsulate the VXLAN header is stored, and the VMS private IP address is not displayed on the tenant plane.

How Do I Enable the Private IP Address of the VMS to Be Displayed on the Core Switch?t_0013.gif

OK, we will cover the content we haven't read. Let's start with the answer. Let's focus on this case first. Actually, we can use the private line service.

Briefly describe the differences between the network connectivity services included in the HCS.

Enhanced Cloud Private Line, Normal cloud private line, EIP, and L2BR all pass traffic directly to one of the physical VRFs.

1.Enhanced Cloud Private Line, EVPN is established between the control plane and the directly connected TOR switch. The data plane uses VXLAN to send data directly to the directly connected TOR switch and uses vXLA to transfer data from the compute node to the directly connected TOR switch. As long as we give the private address of the VMS to the external device, we can find a way to implement the shunt.

2.normal cloud private line, the private IP address of the VMS is published on the tenant plane and the private IP address of the VMS is sent through the tenant plane to the firewall and then to the VRF: gugan. This operation is similar to that of the customer's offline operation center and cloud platform, but  the VRF is different.

3.EIP: The IP address on the network node is changed to enter VRF:Internet via EIP, and then the policy is sent to the firewall and VRF:gugan. the point is that the address is translated, not the private address.

4.L2BR: Similar to the control plane and data plane of Enhanced Cloud Private Line, the difference is that vtep-ip in VXLAN is different. VXLAN tunnels established by L2BR can forward Layer 2 packets.

------And one more------

        5.Cloud connect:Cloud connectivity is different from the previous description. Cloud connections can only communicate with HCS. The entire communication segment is encapsulated in a VXLAN and no private addresses are translated or leaked. Therefore, Cloud Connect cannot control VMS communication through a physical firewall. For example, when transmitting between two regions, when passing through the physical network of both regions, the outer side is a VXLAN vetp-ip, and physically cannot control certain VMS communications, and physical control can only allow all traffic from the cloud connection to pass through or all break. Naturally, it is also impossible to divert and filter traffic against VMS.

Okay, back to the whole thing.

That's what they do, showing pictures directly.

        All VMSs that need to be monitored are placed in different PVCs and are connected to the Cloud Direct Connect TOR switch. The sends the exposed routes to the traffic diversion switch through the core switch and then to the physical platform.

        Direct connect TOR switches send only external traffic to the VMS on the cloud platform. this traffic comes from local clouds, physical machines and other clouds. In fact, there is no difference for Cloud Direct Connect TOR switch.


As long as this design is used beyond the "one VPC" range, the east-west flow is the same as above.This is true for the same VDC or different VDCs.

The following figure shows the traffic paths between the same VPC.


This is only a reminder that the VPC can communicate with each other.

It doesn't matter if you don't understand the cases described above. As we move along, you can easily understand the detailed features and limitations of each network service.

The above example shows that if there is a service that needs to be more tightly integrated into the HCS, this can be done.

Well, my friend's problem is not yet solved. His problem is why there is a drop in traffic speed after the Compute node TOR and Compute node.

Service VM1--->Compute node--->Compute node TOR--->Cloud Direct Connect TOR switch--->core switch--->Traffic diversion switch for security services--->Heterogeneous Security Resource Pools

Heterogeneous Security Resource Pools ---> Traffic diversion switch for security services ---> core switch ---> Cloud Direct Connect TOR switch --->Compute node TOR --->Compute node--->Service-2 VM1

Do you have any ideas, friends?

  • x
  • convention:

Created Mar 26, 2022 10:05:06

Thanks for sharing
View more
  • x
  • convention:

Created Apr 2, 2022 04:21:26

Good share
View more
  • x
  • convention:

Created Apr 12, 2022 01:30:55

Thanks for the recognition
View more
  • x
  • convention:

Created Apr 12, 2022 01:31:08

Thank you for the recognition
View more
  • x
  • convention:


You need to log in to comment to the post Login | Register

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits


Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Please bind your phone number to obtain invitation bonus.
Information Protection Guide
Thanks for using Huawei Enterprise Support Community! We will help you learn how we collect, use, store and share your personal information and the rights you have in accordance with Privacy Policy and User Agreement.