
MCS - 04 Network


Network

www.sangfor.com Sangfor Technologies Inc.


Contents

Part 1: VPC Network
Part 2: Classic Network
Part 3: Virtual Network Device (NFV)

Sangfor Technologies CONFIDENTIAL Page 2


What is Virtual Network?

The required network topology is deployed using virtual machines and virtual network devices. The gateway is then bridged
to the physical server's network port so that the topology forms a Local Area Network.

• The physical network is virtualized

• All clustered nodes provide resources to form a Virtual Network

• The Virtual Network provides an overview of the VM network topology

• You draw what you get in the Virtual Network

• Easy to design and manage

• Only one person can edit the Virtual Network at the same time



01 VPC Network

VPC Introduction

VPC Network Sample:


VPC Introduction

VPC (Virtual Private Cloud) is a logically isolated virtual private network provided by MCS.

It provides users with a safe, reliable and self-definable network environment.

Diagram: the Internet connected to VPC 1 (Tenant A: Subnet 1, 192.168.0.0/24, with VM A and VM B; Subnet 2, 192.168.1.0/24, with a DB Server and an SQL Server) and to VPC 2 (Tenant B: Subnet 1, 192.168.0.0/24, with VM A and VM B).


Why We Recommend VPC?

Network isolation

Build an isolated network in the cloud so that network use is more secure.

Diagram: VPC 1 (Tenant A: Subnet 1, 192.168.0.0/24; Subnet 2, 192.168.1.0/24) and VPC 2 (Tenant B: Subnet 1, 192.168.0.0/24) separated by Layer 2 logical isolation.


Why We Recommend VPC?

Flexible

Autonomous network planning and flexible control of network deployment.

Tenant-controlled elements: IP address, subnet, routing, gateway.


Why We Recommend VPC?

Expandable

Users can expand their network easily, using the NAT gateway to manage the public network edge, or by combining it with a
dedicated line.

• Elastic IP
• Network Subnet
• NAT Gateway
• Dedicated Line


VPC Components

vRouters and vSwitches are the two basic components of a VPC:

• The vRouter can connect to the various vSwitches in the VPC.

• The vRouter is also the gateway device connecting the VPC to other networks.

• After a VPC is created, the system automatically creates a vRouter and its routing table.

• A vSwitch is the basic network device that forms a VPC and is used to connect different network devices.

Diagram: Subnet 1 (192.168.0.0/24) with VM A and VM B; Subnet 2 (192.168.1.0/24) with a DB Server and an SQL Server.


VPC Components
Virtual Router

The vRouter can host multiple subnets, static routes, ACLs, DNS server settings, and internal DNS.

By default the router enables DHCP for every subnet, so a VM obtains an IP address automatically when it connects to the subnet.


VPC Components
VPC Gateway

The VPC gateway is the gateway for all subnets under the VPC. By associating an Elastic IP with the gateway, a default route and
NAT are created so that the VMs in the subnets can access the internet.

It also supports creating a DNAT policy that maps the public IP to an internal VM IP address.


VPC Components

Distributed Firewall

Tenants can set distributed firewall rules in both the classic and VPC networks to manage their internal subnets and network.


VPC Components

Precautions for the Distributed Firewall:

1. A distributed firewall policy only takes effect within this tenant's area.

2. When selecting services, a policy supports up to 10 services.


Elastic IP

Elastic IP is a public IP address resource provided for tenants to communicate with external networks.

By associating an Elastic IP with virtual machines, vRouters, and gateway devices, the tenant VPC can communicate with the
external network.

Diagram: a VPC with Subnet 1 (192.168.0.0/24: VM A, VM B) associated with EIP 1 and Subnet 2 (192.168.1.0/24: Web Server, DB Server) associated with EIP 2.


Why Is an Elastic IP Needed?

• An EIP address can be associated and disassociated at any time.

• Assigning the EIP address to an edge device lets all VMs in the subnet access the internet.

• In some scenarios, a user may assign an EIP address to a Web Server that requires a dedicated public IP address.


Shared Bandwidth

Multiple Elastic IP addresses are associated with one bandwidth pool and share its bandwidth, achieving multiplexing.

Example: associate the Elastic IPs of a shared bandwidth pool with virtual machines, routers, NFVs, etc. The devices holding
those EIPs share the pool's bandwidth.

Diagram: a VPC with Subnet 1 (192.168.0.0/24: VM A, VM B) behind EIP 1 and Subnet 2 (192.168.1.0/24: Web Server, DB Server) behind EIP 2; both EIPs draw from a 10MB/s shared bandwidth pool.


Why Is Shared Bandwidth Needed?

• Increase the utilization of limited bandwidth and reduce cost.

• For a production server that requires high bandwidth to ensure user experience, the user can assign dedicated bandwidth
to it.

• For VMs or network devices that do not require high bandwidth, the user can assign shared bandwidth.


How Many VPCs Should Be Used?

Single VPC: small and medium-sized applications that do not require a VPC for isolation.

Multiple VPCs: suitable for users who want to isolate VPC environments from each other.

Diagram (Single VPC): the Internet connected to one VPC of Tenant A with Subnet 1 (192.168.0.0/24: VM A, VM B) and Subnet 2 (192.168.1.0/24: DB Server, SQL Server).

Diagram (Multiple VPCs): Tenant A with a Production Environment VPC (Subnet 1, 192.168.0.0/24; Subnet 2, 192.168.1.0/24) and a separate Testing Environment VPC (Subnet 1, 192.168.0.0/24, with a demo Web Server and a demo VM).


Precautions of VPC

1. A tenant can create multiple VPCs across different resource pools.

2. A tenant can only have 1 VPC network within the same resource pool. MCS will support creating multiple VPCs within
the same resource pool in the future.

3. A VPC network supports creating a maximum of 20 subnets.

4. After a subnet is created, its IP address range cannot be changed.

5. The alternative way to change a subnet's IP range is to create a new subnet, move the VMs to the new subnet, and then
delete the old subnet.
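The constraints above lend themselves to a pre-deployment check. The following is an added example and not Sangfor's code; the `Vpc` model and its method names are assumptions, and it also encodes the two-tenant isolation picture from the VPC introduction (separate VPCs may reuse 192.168.0.0/24, subnets within one VPC may not overlap):

```python
# Added example, not from the Sangfor deck: a planning check encoding the VPC
# precautions above (at most 20 subnets per VPC; a subnet range cannot be edited,
# only replaced) plus the isolation property from the VPC introduction: separate
# VPCs may reuse a range (Layer 2 logical isolation), subnets in one VPC may not.
from dataclasses import dataclass, field
from ipaddress import IPv4Network

MAX_SUBNETS_PER_VPC = 20  # limit stated in the deck


@dataclass
class Vpc:  # hypothetical model; the MCS API itself is not shown on the page
    tenant: str
    subnets: dict = field(default_factory=dict)  # name -> IPv4Network

    def add_subnet(self, name: str, cidr: str) -> None:
        net = IPv4Network(cidr, strict=True)
        if len(self.subnets) >= MAX_SUBNETS_PER_VPC:
            raise ValueError(f"{self.tenant}: VPC already has {MAX_SUBNETS_PER_VPC} subnets")
        # One vRouter serves every subnet of the VPC, so ranges must not overlap.
        for other_name, other in self.subnets.items():
            if net.overlaps(other):
                raise ValueError(f"{name} {net} overlaps {other_name} {other}")
        self.subnets[name] = net

    def replace_subnet(self, old: str, new: str, new_cidr: str, vms: list) -> list:
        # An existing range is immutable: create the new subnet, move the VMs,
        # then delete the old subnet (the alternative the precautions describe).
        self.add_subnet(new, new_cidr)
        del self.subnets[old]
        return [f"{vm}: {old} -> {new}" for vm in vms]


def demo() -> dict:
    # Constructed sample mirroring the two-tenant slide: both reuse 192.168.0.0/24.
    a = Vpc("Tenant A")
    a.add_subnet("Subnet 1", "192.168.0.0/24")
    a.add_subnet("Subnet 2", "192.168.1.0/24")
    b = Vpc("Tenant B")
    b.add_subnet("Subnet 1", "192.168.0.0/24")  # allowed: a different VPC
    try:
        a.add_subnet("Subnet 3", "192.168.0.128/25")  # overlaps Subnet 1 of VPC A
        overlap_rejected = False
    except ValueError:
        overlap_rejected = True
    moved = a.replace_subnet("Subnet 2", "Subnet 2b", "10.0.2.0/24",
                             ["DB Server", "SQL Server"])
    return {"overlap_rejected": overlap_rejected, "moved": moved,
            "subnets_a": sorted(a.subnets),
            "shared_range_ok": a.subnets["Subnet 1"] == b.subnets["Subnet 1"]}
```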



02 Classic Network

Classic Network

MCS provides two types of virtual network to tenants: Classic Network and VPC Network.

Classic Network Sample:


Classic Network Component

Edge
• Works like a bridge between the physical network and the virtual network
• By default uses Trunk All to forward traffic
• Adding a specific Port Group allows only specific VLANs to pass through
• Every Physical Edge must include a network interface on every physical node
• Otherwise some VMs will be unable to reach the outside via the Physical Edge


Classic Network Component

Virtual Switch
• Distributed Virtual Switch
• VMs connected to a Virtual Switch can communicate with each other at Layer 2
• Allows VMs to communicate via the overlay interface
• A Virtual Switch supports a maximum of 1024 ports
• Supports ACLs based on IP and port
• Supports broadcast storm prevention


Classic Network Component

Virtual Router
• The Virtual Router forwards Layer 3 traffic
• The number of interfaces, the interface IPs and the static routes have to be configured manually
• Supports VLAN sub-interfaces
• Supports advanced ACLs by interface, IP and service type
• Supports SNAT, DNAT, DHCP and DNS Proxy
• The Virtual Router is not distributed, but HA is available


Classic Network

In MCS, we recommend using the VPC network because it is flexible, expandable, and isolated.

Why use Classic Network?

• For users who want drag & drop network management

• To have an overview of the virtual network

• For users who are familiar with the HCI virtual topology

• Dedicated line connected to an outside gateway

• Support for NGAF to build an SSL VPN tunnel between outsiders and the VPC network.


Classic Network

Precautions

1. The classic network and the VPC network are isolated; neither can reach the other.

2. A VM can be allocated to only one network, either classic or VPC, but it can be swapped afterwards.

3. Admin assistance is required to create an NFV in a tenant's classic network topology.


03 Virtual Network Device (NFV)

What is NFV?

• Sangfor products, virtualized and 100% compatible with Sangfor HCI.

• Can be dragged and dropped directly into the Virtual Network.

• Hardware allocation for NFV devices can only be increased.

• All Sangfor products are virtualized and can be added to the Virtual Network, such as NGAF, SSLVPN, ADC, etc.


NGAF
Security Trend

• A large number of new applications are built on the standard HTTP/HTTPS protocols

• Many threats rely on applications to spread
• Gartner report: 75% of attacks come from the application layer
• Difficulties of O&M for network security

The Traditional Security Model is Outdated!

• No visibility of users, traffic and IT assets!

• No real-time detection, no post-event detection, slow response!
• Difficulties of O&M for network security, time wasted!
• Low performance for L7 application-layer security!


NGAF Function

Diagram: NGAF function overview. Network security: authentication, NAT, VPN, DoS/DDoS. Business visibility: traffic identification, core OA business, legitimate business, illegal business, app control log, traffic log. APP security protection: IPS, WAF, APT, anti-virus, bandwidth guarantee and limitation, potential and unknown threat blocking, backtracking, sandbox, network security log, report center, risk assessment, real-time vulnerability analysis, WEB scanner. High performance: multi-core, once cross-analysis module, efficient algorithm.


NGAF

Diagram: Public User → Router → NGAF → VPC (VM 1, VM 2, VM 3).

• After the firewall is enabled, the VMs' traffic goes through the underlying routing of the VPC, and then reaches the
public network through the firewall and router.
• Data accessed by external network users passes through the egress router and firewall to reach the VM.
• The next-generation firewall identifies and controls the traffic that passes through it.
• The firewall is actually a separate VM running in the VPC.


SSLVPN

SSL VPN is a remote secure access technology, named after its use of the SSL protocol. Because Web browsers have built-in
support for SSL, SSL VPN can be deployed clientless, which makes remote secure access very simple and the entire system
easier to maintain. SSL VPN generally uses a plug-in system to support various non-Web TCP and UDP applications, which
makes SSL VPN a true VPN, more in line with application security requirements than IPSec VPN, and the main means and
choice for remote secure access.

In MCS, we recommend using NGAF to provide SSL VPN services for ease of management and to simplify the network
topology.


SSLVPN

The customer company's business system is deployed on the MCS, and the company's employees need to maintain the
business system daily through secure access.

Diagram: Staff / Partner / User access the SSL VPN through an encrypted tunnel to the SSLVPN interface (LAN: 172.31.0.38) in front of the VPC (IP: 192.168.0.0/24).

1. Security: user authentication, data security, terminal security.
2. Fast: the speed at which users access the system.
3. Ease of use: ease of client access (mobile terminals, cross-platform, etc.).


ADC

Diagram: Public User → Router → AD → WEB1, WEB2 and Database inside the VPC.

After application delivery (AD) is enabled, when an external network user accesses a server on the AD internal network, the
AD device intelligently dispatches the connection from the external network to the optimal server (by server load) in the
server group.


ADC Features

Server Health Check

The AD device can actively send data of a specified content to a server and judge whether the server is healthy from the
data the server returns.

If the server state is determined to be abnormal, user requests will not be dispatched to that server.

Diagram: the AD device checks servers 1, 2 and 3; requests are dispatched only to the servers that pass the check (YES), not to the one that fails it (NO).


NFV Precautions

1. To enable an NFV, the corresponding quota must be granted in advance. If the quota is insufficient, the option is
greyed out when the console is opened.
2. If the bandwidth is increased, the NFV service is restarted, which may affect production.
3. SSL VPN can use a public IP or be mapped from a router port. Mapping a port is recommended to save IP
addresses.
4. Application delivery (AD) can use a public IP or be mapped from a router port. Mapping a port is recommended to
save IP addresses.
5. After the next-generation firewall is enabled, all functions such as IPS, WAF, and vulnerability analysis are enabled
by default, and no manual configuration is required.


THANK YOU
tech.support@sangfor.com
community.sangfor.com
