培訓(xùn)時(shí)間：2025年8月5日培訓(xùn)講師：XXXSDNL4-L7服務(wù)及業(yè)務(wù)鏈設(shè)計(jì)培訓(xùn)課件

課堂規(guī)則Open—開(kāi)放的心態(tài)、積極參與、勇敢發(fā)問(wèn)

Close—封閉的環(huán)境，不要受外界的干擾，請(qǐng)將手機(jī)關(guān)機(jī)或靜音請(qǐng)勿隨意走動(dòng)、交談感謝您的配合SDNL4-L7服務(wù)及業(yè)務(wù)鏈設(shè)計(jì)本文介紹了L4-L7服務(wù)的VAS和ServiceChain的概念、價(jià)值、組網(wǎng)、DCN-SDN解決方案的實(shí)現(xiàn)；針對(duì)VAS和ServiceChain，圍繞以下內(nèi)容進(jìn)行闡述：概念、價(jià)值、應(yīng)用場(chǎng)景、部署、服務(wù)發(fā)放、轉(zhuǎn)發(fā)模型，通過(guò)本文可以了解到華為SDN-DCN方案中L4-L7服務(wù)的功能及實(shí)現(xiàn)原理等。學(xué)完本課程后，您將能夠：描述VAS基本概念掌握DCN-SDN方案中的VAS描述SFC基本概念掌握DCN-SDN方案中的SFC掌握VAS功能全景VAS概述DCN-SDN方案中的VASSFC概述DCN-SDN方案中的SFCVAS功能全景VAS是什么Value-addedservice，增值服務(wù)，簡(jiǎn)稱(chēng)VAS。VASFWLBVPNNATIPS……VAS能做什么FW安全防護(hù)ACL，提供基本的防火過(guò)濾；SNAT，私網(wǎng)IP到公網(wǎng)IP的地址轉(zhuǎn)換服務(wù)；EIP，VM的彈性IP服務(wù)；Qos，流量管理服務(wù)；LBSLB，服務(wù)器負(fù)載分擔(dān)；GSLB，全局服務(wù)負(fù)載分擔(dān)；VPNIPSecVPN，VPN隧道接入，可以提供加密功能；SSLVPN，為地址不固定的用戶(hù)提供VPN專(zhuān)線(xiàn)接入；WAFWeb應(yīng)用防護(hù)，對(duì)web應(yīng)用提供保護(hù)服務(wù)；Etc.…………VAS在DCN-SDN解決方案中的位置VAS位置Huawei第三方合作用戶(hù)云平臺(tái)或APP可集群的AC控制器第三方控制器L2-L3物理服務(wù)器虛擬化平臺(tái)ESXiKVMHyper-VXEN業(yè)務(wù)呈現(xiàn)層網(wǎng)絡(luò)控制層網(wǎng)絡(luò)層物理網(wǎng)元vSwitchvRouterHuaweiL4-L7物理網(wǎng)元vFWvLB服務(wù)器第三方L4-L7物理網(wǎng)元vFWvLBVAS的架構(gòu)-網(wǎng)絡(luò)虛擬化場(chǎng)景AC控制器業(yè)務(wù)PortalL2/L3FabricHuaweiVAS3rdVAS3rd

管理系統(tǒng)3rd業(yè)務(wù)PortalVAS的架構(gòu)-云網(wǎng)一體化場(chǎng)景OpenStackL2/L3FabricHuaweiVAS3rdVAS3rd

管理系統(tǒng)3rd業(yè)務(wù)PortalVAS概述DCN-SDN方案中的VASVAS的場(chǎng)景應(yīng)用VAS的部署傳統(tǒng)VAS服務(wù)發(fā)放傳統(tǒng)VAS流量轉(zhuǎn)發(fā)模型SFC概述DCN-SDN方案中的SFCVAS功能全景防火墻服務(wù)-內(nèi)外網(wǎng)互訪(fǎng)VPC標(biāo)示用戶(hù)/租戶(hù)為業(yè)務(wù)劃分的一個(gè)邏輯組網(wǎng)模型，一個(gè)VPC模型組成一個(gè)獨(dú)立的網(wǎng)絡(luò)安全域，單個(gè)租戶(hù)或業(yè)務(wù)部署時(shí)可根據(jù)互訪(fǎng)需要規(guī)劃多個(gè)VPC，VPC與外網(wǎng)互訪(fǎng)用VPC出口防火墻進(jìn)行安全訪(fǎng)問(wèn)控制；VPCFWGWsubnetsubnet…ExternalNetFW2FW1FW3遠(yuǎn)程分支/園區(qū)遠(yuǎn)程用戶(hù)Internet防火墻服務(wù)-VPC間互訪(fǎng)VPC標(biāo)示用戶(hù)/租戶(hù)為業(yè)務(wù)劃分的一個(gè)邏輯組網(wǎng)模型，一個(gè)VPC模型組成一個(gè)獨(dú)立的網(wǎng)絡(luò)安全域，

單個(gè)租戶(hù)或業(yè)務(wù)部署時(shí)可根據(jù)互訪(fǎng)需要規(guī)劃多個(gè)VPC，VPC間互訪(fǎng)用VPC出口防火墻進(jìn)行安全訪(fǎng)問(wèn)控制；VPC1FW1GWsubnetsubnet…VPC1FW2GWsubnetsubnet…防火墻服務(wù)-東西互訪(fǎng)EPG：EndPointGroup，端點(diǎn)組；缺省情況下VPC內(nèi)部網(wǎng)段間可以互訪(fǎng)，當(dāng)VPC內(nèi)部網(wǎng)段間或網(wǎng)段內(nèi)部有互訪(fǎng)控制的情況下，可通過(guò)創(chuàng)建將成員加入端點(diǎn)組，然后定義組間安全策略來(lái)進(jìn)行控制；VPCFWGWSubnet（EPG1）Subnet（EPG2）…SLB負(fù)載均衡當(dāng)前VPC模型中VAS提供的另一個(gè)服務(wù)就是服務(wù)器負(fù)載均衡，管理員對(duì)需要進(jìn)行負(fù)載均衡的業(yè)務(wù)配置一個(gè)對(duì)外的VIP，然后通過(guò)指定的負(fù)載均衡算法將對(duì)VIP的訪(fǎng)問(wèn)請(qǐng)求分擔(dān)到多個(gè)實(shí)體member節(jié)點(diǎn)進(jìn)行處理；訪(fǎng)問(wèn)模型VPCLBGWSubnetSubnet…3rdVAS當(dāng)前場(chǎng)景模型中支持第三方VAS服務(wù)，AC不管理第三方VAS設(shè)備，只是開(kāi)通到第三方VAS設(shè)備的網(wǎng)絡(luò)，引流需要在CE設(shè)備上手工配置。訪(fǎng)問(wèn)模型VPC3rdVASGWSubnetSubnet…VAS概述DCN-SDN方案中的VASVAS的場(chǎng)景應(yīng)用VAS的部署傳統(tǒng)VAS服務(wù)發(fā)放傳統(tǒng)VAS流量轉(zhuǎn)發(fā)模型SFC概述DCN-SDN方案中的SFCVAS功能全景硬件FW直掛集中式網(wǎng)關(guān)LeafLeafVXLAN集中網(wǎng)關(guān)服務(wù)器LeafLeafLeafSpineL4-L7NVENVENVE交換層網(wǎng)關(guān)層Spineinternet廣域網(wǎng)專(zhuān)線(xiàn)接入廣域網(wǎng)出口PENVENVELeafLeafFW組2互聯(lián)網(wǎng)出口PEVXLAN域FW組1硬件FW/LB旁?huà)旒惺骄W(wǎng)關(guān)LeafLeafVXLAN集中網(wǎng)關(guān)服務(wù)器LeafLeafLeafSpineL4-L7NVENVENVE交換層網(wǎng)關(guān)層Spineinternet廣域網(wǎng)專(zhuān)線(xiàn)接入廣域網(wǎng)出口PENVENVELeafLeafFW組互聯(lián)網(wǎng)出口PEVXLAN域LB組Leaf硬件或軟件FW/硬件LB旁?huà)霺erviceLeafLeafLeafVXLAN集中式或分布網(wǎng)關(guān)的BorderLeaf服務(wù)器ServiceLeafSpineL4-L7NVENVENVE交換層Spineinternet廣域網(wǎng)專(zhuān)線(xiàn)接入廣域網(wǎng)出口PENVENVELeafFW組互聯(lián)網(wǎng)出口PEVXLAN域LB組LeafServiceLeaf其他硬件VAS設(shè)備旁?huà)旒惺骄W(wǎng)關(guān)LeafLeafVXLAN集中網(wǎng)關(guān)服務(wù)器LeafLeafLeafSpineL4-L7NVENVENVE交換層網(wǎng)關(guān)層Spineinternet廣域網(wǎng)專(zhuān)線(xiàn)接入廣域網(wǎng)出口PENVENVELeafLeafVAS組2互聯(lián)網(wǎng)出口PEVXLAN域VAS組1Leaf其他硬件VAS設(shè)備旁?huà)霺erviceLeafLeafLeaf服務(wù)器ServiceLeafSpineL4-L7NVENVENVE交換層Spineinternet廣域網(wǎng)專(zhuān)線(xiàn)接入廣域網(wǎng)出口PENVENVELeafVAS組2互聯(lián)網(wǎng)出口PEVXLAN域VAS組1LeafServiceLeaf部署方式比較部署方式支持的VAS設(shè)備流量特點(diǎn)部署VAS設(shè)備擴(kuò)展性網(wǎng)關(guān)設(shè)備擴(kuò)展性VAS直掛網(wǎng)關(guān)Huawei硬件FW1.所有南北流量都經(jīng)過(guò)VAS；

2.南北帶寬受VAS轉(zhuǎn)發(fā)能力限制；簡(jiǎn)單差差VAS旁?huà)炀W(wǎng)關(guān)Huawei硬件FW

3rdVAS1.南北流量、東西流量按需經(jīng)過(guò)VAS；

2.南北帶寬不受VAS；簡(jiǎn)單中差ServiceLeaf接入VASHuawei硬件FW

Huawei軟件FW

Huawei軟件LB

3rdVAS1.南北流量、東西流量按需經(jīng)過(guò)VAS；

2.南北帶寬不受VAS；3.南北流量繞行；復(fù)雜好好HuaweivFW推薦部署-組網(wǎng)LeafLeafM-LAGNVE管理網(wǎng)TOR物理服務(wù)器2USG6KV備N(xiāo)IC2NIC3NIC1：MGT+HRPSRIOV網(wǎng)卡2VF0SRIOV網(wǎng)卡1VF0vSwitch管理網(wǎng)網(wǎng)卡trunk物理服務(wù)器1USG6KV主NIC2NIC3NIC1：MGT+HRPSRIOV網(wǎng)卡2VF0SRIOV網(wǎng)卡1VF0vSwitch管理網(wǎng)網(wǎng)卡trunkInternal&ExternalVlanInternal&ExternalVlanHuaweivFW推薦部署-流程配置準(zhǔn)備上傳VFW鏡像、規(guī)格分類(lèi)、CFG文件；定義VFW用戶(hù)名、密碼、AC建聯(lián)配置、管理ip、SNMP、NTP、log-server；定義VFW設(shè)備name命名規(guī)則；宿主服務(wù)器、服務(wù)器各SRIOV網(wǎng)卡與連接的TOR（IP地址）端口對(duì)應(yīng)關(guān)系；批量拉起規(guī)劃在宿主服務(wù)器上要拉起的虛機(jī)規(guī)格、應(yīng)用的防火墻模板；動(dòng)態(tài)為每個(gè)VFW修改防火墻模板中需要個(gè)性化配置的參數(shù)（管理ip、路由、name等）；在指定服務(wù)器上使用指定模板拉起VM加載防火墻鏡像，注入CFG文件；配置HRP指定需要配置為主備的兩個(gè)VFW（不能位于同一HOST）；在VFW上分別下發(fā)HRP配置；導(dǎo)出報(bào)表導(dǎo)出報(bào)表上傳AC主要參數(shù)包括：VFW管理ip、規(guī)格類(lèi)別、NAME、TOR（IP）接口、VASdevice-groupID（主VFW管理實(shí)ip、備VFW管理實(shí)ip）；VAS概述DCN-SDN方案中的VASVAS的場(chǎng)景應(yīng)用VAS的部署傳統(tǒng)VAS服務(wù)發(fā)放傳統(tǒng)VAS流量轉(zhuǎn)發(fā)模型SFC概述DCN-SDN方案中的SFCVAS功能全景VAS服務(wù)全景特性VAS類(lèi)型特性能力可發(fā)放的portal防火墻ACL南北向防火墻支持基于五元組的狀態(tài)防火墻過(guò)濾FusionSphere/Openstack或者AC東西向防火墻支持基于五元組的狀態(tài)防火墻過(guò)濾AC基于EPG發(fā)放SNAT南北向防火墻N:1SNATFusionSphere/Openstack或者ACEIP南北向防火墻1:1DNATFusionSphere/Openstack或者ACQos南北向防火墻支持針對(duì)SNATIP和EIP的上下行流量限速FusionSphere/Openstack或者ACIpsecVPN南北向防火墻具有固定隧道端點(diǎn)ip的點(diǎn)到點(diǎn)IPSecVPNFusionSphere/Openstack或者ACSLBLoadBalancer服務(wù)器負(fù)載均衡FusionSphere/Openstack或者AC其他VAS特性其他第三方VAS其他AC上配置網(wǎng)絡(luò)或云平臺(tái)層次化綁定配置網(wǎng)絡(luò)及自然引流第三方portal手動(dòng)發(fā)放VAS服務(wù)FusionSphere網(wǎng)絡(luò)資源模型VDCVPC1vRouterSubnet1Subnet2ExtNetVPC2vRouterSubnet1Subnet2ExtNet概念解釋FusionSphereTenant是用戶(hù)或企業(yè)業(yè)務(wù)管理的基本單元。VDC：一個(gè)Tenant管理一個(gè)VDC一個(gè)VDC包含N個(gè)VPCVPCVPC能夠?yàn)樽鈶?hù)提供安全、隔離的網(wǎng)絡(luò)環(huán)境。在VPC中，租戶(hù)可以定義與傳統(tǒng)網(wǎng)絡(luò)無(wú)差別的虛擬網(wǎng)絡(luò)，用來(lái)部署虛擬機(jī)和應(yīng)用實(shí)例。VPC：1個(gè)外部網(wǎng)絡(luò)1個(gè)vRouterN個(gè)Subnet外部網(wǎng)絡(luò)外部網(wǎng)絡(luò)是用于連接系統(tǒng)外網(wǎng)絡(luò)的網(wǎng)絡(luò)，系統(tǒng)外網(wǎng)絡(luò)即為用戶(hù)已有網(wǎng)絡(luò)，可以是企業(yè)內(nèi)部網(wǎng)絡(luò)，也可以是公共網(wǎng)絡(luò)（Internet）等。外部網(wǎng)絡(luò)SubnetSubnet，Openstack定義的對(duì)象模型，為用戶(hù)提供二層子網(wǎng)。Subnet為VPC的子網(wǎng)，一個(gè)VPC內(nèi)可以有多個(gè)Subnet。同一Subnet內(nèi)的VM默認(rèn)互通，不同Subnet間可以設(shè)置ACL進(jìn)行隔離。SubnetProjectVPC1vRouter1Subnet1Subnet2ExtNetVPC2vRouter2Subnet1Subnet2ExtNetOpenStack網(wǎng)絡(luò)資源模型概念解釋OpenStackTenant是用戶(hù)或企業(yè)業(yè)務(wù)管理的基本單元。Project：一個(gè)Tenant管理一個(gè)Project一個(gè)Project包含N個(gè)網(wǎng)絡(luò)VPCVPC能夠?yàn)樽鈶?hù)提供安全、隔離的網(wǎng)絡(luò)環(huán)境。在VPC中，租戶(hù)可以定義與傳統(tǒng)網(wǎng)絡(luò)無(wú)差別的虛擬網(wǎng)絡(luò)，用來(lái)部署虛擬機(jī)和應(yīng)用實(shí)例。1個(gè)外部網(wǎng)絡(luò)1個(gè)RouterN個(gè)Subnet外部網(wǎng)絡(luò)外部網(wǎng)絡(luò)是用于連接系統(tǒng)外網(wǎng)絡(luò)的網(wǎng)絡(luò)，系統(tǒng)外網(wǎng)絡(luò)即為用戶(hù)已有網(wǎng)絡(luò)，可以是企業(yè)內(nèi)部網(wǎng)絡(luò)，也可以是公共網(wǎng)絡(luò)（Internet）等。外部網(wǎng)絡(luò)SubnetSubnet，Openstack定義的對(duì)象模型，為用戶(hù)提供二層子網(wǎng)。Subnet為VPC的子網(wǎng)，一個(gè)VPC內(nèi)可以有多個(gè)Subnet。同一Subnet內(nèi)的VM默認(rèn)互通，不同Subnet間可以設(shè)置ACL進(jìn)行隔離。Subnet租戶(hù)VPC1LogicRouter1LogicSwitch1LogicSwitch2ExtNetVPC2LogicRouter2LogicSwitch1LogicSwitch2ExtNetlogicLinklogicLinklogicLinklogicLinklogicLinklogicLinkLogicPortAgileController-DCN網(wǎng)絡(luò)資源模型概念解釋ACTenant是用戶(hù)或企業(yè)業(yè)務(wù)管理的基本單元。租戶(hù)：管理多個(gè)網(wǎng)絡(luò)VPCVPC能夠?yàn)樽鈶?hù)提供安全、隔離的網(wǎng)絡(luò)環(huán)境。在VPC中，租戶(hù)可以定義與傳統(tǒng)網(wǎng)絡(luò)無(wú)差別的虛擬網(wǎng)絡(luò)，用來(lái)部署虛擬機(jī)和應(yīng)用實(shí)例。VPC：1個(gè)外部網(wǎng)絡(luò)、1個(gè)LogicRouter、N個(gè)LogicSwitch、N個(gè)LogicLink、N個(gè)LogicPort外部網(wǎng)絡(luò)外部網(wǎng)絡(luò)是用于連接系統(tǒng)外網(wǎng)絡(luò)的網(wǎng)絡(luò)，系統(tǒng)外網(wǎng)絡(luò)即為用戶(hù)已有網(wǎng)絡(luò)，可以是企業(yè)內(nèi)部網(wǎng)絡(luò)，也可以是公共網(wǎng)絡(luò)（Internet）等。外部網(wǎng)絡(luò)SubnetSubnet，Openstack定義的對(duì)象模型，為用戶(hù)提供二層子網(wǎng)。Subnet為VPC的子網(wǎng)，一個(gè)VPC內(nèi)可以有多個(gè)Subnet。同一Subnet內(nèi)的VM默認(rèn)互通，不同Subnet間可以設(shè)置ACL進(jìn)行隔離。LogicSwitch：N個(gè)LogicLinkN個(gè)LogicPortLogicPortAC準(zhǔn)備VAS資源池-硬件FW啟動(dòng)FW物理鏈路搭建啟動(dòng)設(shè)備納管FW自動(dòng)發(fā)現(xiàn)或手工添加設(shè)備添加管理IP建立Netconf連接創(chuàng)建FW設(shè)備組可選配置2臺(tái)FW組成HA組（1:1鏡像模式）FW加入資源池單節(jié)點(diǎn)VAS或VAS設(shè)備組加入資源池需要指定直掛/旁?huà)?、需要指定所屬的Fabric、可以被多個(gè)Fabric關(guān)聯(lián)需要指定內(nèi)外部鏈路類(lèi)型vlanif/subifvsys/子接口/tunnel接口/以及整機(jī)帶寬、Session資源、策略數(shù)等資源池化AC準(zhǔn)備VAS資源池-軟件FW部署VFW在iDeploy上批量拉起VFW導(dǎo)出報(bào)表并上報(bào)ACVFW加入資源池根據(jù)iDeploy導(dǎo)出報(bào)表生成VAS資源池建立與VAS的netconf連接發(fā)放VAS服務(wù)-FWPortal上業(yè)務(wù)模型建立Openstack創(chuàng)建FW關(guān)聯(lián)Router或者FusionSphere創(chuàng)建FW關(guān)聯(lián)VPC或者AC上創(chuàng)建LogicFW關(guān)聯(lián)LogicRouter在VPC上創(chuàng)建ACL、SNAT、EIP、Qos、IPsecVPN等服務(wù)AC上邏輯模型建立選定VAS資源池，創(chuàng)建LogicFW創(chuàng)建LogicFW和LogicRouter間的邏輯網(wǎng)絡(luò)在LogicFW上創(chuàng)建ACL、SNAT、EIP、Qos、IPsecVPN等設(shè)備上物理模型建立在物理FW，創(chuàng)建vSYS;創(chuàng)建物理FW和物理Router間的網(wǎng)絡(luò)在vSYS上配置securitypolicy、Natpolicy、NatServer、TrafficPolicy等logicportLogicRouterLogicFWlogicportExternalLinkVASlogicportLogicRouterlogicportInternalLinkvlanifVRFvSYSvlanifExternalvlanPolicyvlanifVRFvlanifInternalvlanvRoutervFWACL服務(wù)SNAT服務(wù)EIP服務(wù)Qos服務(wù)IPSec服務(wù)發(fā)放VAS服務(wù)-LBPortal上業(yè)務(wù)模型建立Openstack創(chuàng)建LB關(guān)聯(lián)Router或者FusionSphere創(chuàng)建LB關(guān)聯(lián)VPC或者AC上創(chuàng)建LogicLB關(guān)聯(lián)LogicRouter配置LB的vip、member、負(fù)載均衡算法、健康監(jiān)測(cè)等AC上邏輯模型建立選定VAS資源池，創(chuàng)建LogicLB創(chuàng)建LogicLB和LogicRouter間的邏輯網(wǎng)絡(luò)在LogicLB上配置LB的vip、member、負(fù)載均衡算法、健康監(jiān)測(cè)等設(shè)備上物理模型建立在物理LB，創(chuàng)建VS（VirtualServer）創(chuàng)建物理LB和物理Router間的網(wǎng)絡(luò)在VS上配置vip、member、負(fù)載均衡算法、健康監(jiān)測(cè)等vRoutervLBLB服務(wù)logicportLogicRouterLogicLBlogicportExternalLinklogicportLogicRouterlogicportInternalLinkvlanifVRFvlanifExternalvlanvlanifVRFvlanifInternalvlanVS發(fā)放VAS服務(wù)-其他VAS服務(wù)Portal上業(yè)務(wù)模型建立AC上創(chuàng)建3rdLogicVAS關(guān)聯(lián)LogicRouterAC上邏輯模型建立L2BR創(chuàng)建LogicLB和LogicRouter間的網(wǎng)絡(luò)如果需要引流到3rdVAS，則在CE設(shè)備上手工添加引流策略設(shè)備上物理模型建立物理Router到3rd物理VAS的網(wǎng)絡(luò)及PBR流量重定向在3rdVAS管理界面上手工開(kāi)通到物流Router的網(wǎng)絡(luò)在3rdVAS管理界面上手工開(kāi)通特性業(yè)務(wù)vRouterLogicVASlogicportLogicRouterLogicVASlogicportExternalLinklogicportLogicRouterlogicportInternalLinkvlanifVRF3rdVASvlanifExternalvlanvlanifVRFvlanifInternalvlanPBRPBRVAS概述DCN-SDN方案中的VASVAS的場(chǎng)景應(yīng)用VAS的部署傳統(tǒng)VAS服務(wù)發(fā)放傳統(tǒng)VAS流量轉(zhuǎn)發(fā)模型SFC概述DCN-SDN方案中的SFCVAS功能全景VAS旁?huà)霺erviceLeaf物理組網(wǎng)LeafLeaf服務(wù)器ServiceLeafSpineL4-L7NVENVENVE交換層Spineinternet廣域網(wǎng)專(zhuān)線(xiàn)接入廣域網(wǎng)出口PENVENVELeafFW組/3rdVAS組2互聯(lián)網(wǎng)出口PEVXLAN域LB組/3rdVAS組1LeafServiceLeaf外網(wǎng)訪(fǎng)問(wèn)VPC-邏輯網(wǎng)絡(luò)LogicRouter(VPC1)ExternalNetworkCentralizedGateWayLogicPort2LogicPort3EndPortLogicPort7LogicPort8EndPortLogicPort6LogicRouter(Internet/Intranet)LogicSwitch5LogicSwitch1ServerLeafLogicPort1BorderLeafLogicPort9LogicPort10LogicFWLogicSwitch3LogicSwitch2ServiceLeafLogicPort4集中式網(wǎng)關(guān)RootSYSVRF1CentralizedGateWayBDIF1BDIF2VM/BM1VLAN200VLAN300VM/BM2BDIF5Internet/IntranetPublicVRF1BD5BD1ServerLeafVLAN100BorderLeafBDIF3VLAN1000VLAN1001vSYS1BD3BD2ServiceLeaf2345PE公網(wǎng)/私網(wǎng)VRFInternet/Intranet1外網(wǎng)訪(fǎng)問(wèn)VPC-物理網(wǎng)絡(luò)集中式網(wǎng)關(guān)VPC訪(fǎng)問(wèn)外網(wǎng)-邏輯網(wǎng)絡(luò)LogicRouter(VPC1)ExternalNetworkCentralizedGateWayLogicPort2LogicPort3EndPortLogicPort7LogicPort8EndPortLogicPort6LogicRouter(Internet/Intranet)LogicSwitch5LogicSwitch1ServerLeafLogicPort1BorderLeafLogicPort9LogicPort10LogicFWLogicSwitch3LogicSwitch2ServiceLeafLogicPort4集中式網(wǎng)關(guān)RootSYSVRF1CentralizedGateWayBDIF1BDIF2VM/BM1VLAN200VLAN300VM/BM2BDIF5Internet/IntranetPublicVRF1BD5BD1ServerLeafVLAN100BorderLeafBDIF3VLAN1000VLAN1001vSYS1BD3BD2ServiceLeaf1234PE公網(wǎng)/私網(wǎng)VRFInternet/Intranet5VPC訪(fǎng)問(wèn)外網(wǎng)-物理網(wǎng)絡(luò)集中式網(wǎng)關(guān)VPC間互訪(fǎng)-邏輯網(wǎng)絡(luò)LogicRouter2(VPC2)CentralizedGateWayLogicPort11LogicPort8EndPort1LogicPort15LogicPort16EndPort2LogicPort12LogicRouter1(VPC1)LogicSwitch6LogicSwitch1ServerLeafLogicPort14LogicPort3LogicPort4LogicFWLogicSwitch4LogicSwitch3ServiceLeafLogicPor9ServerLeafLogicPort13EndPort4EndPort3集中式網(wǎng)關(guān)VPC間互訪(fǎng)-物理網(wǎng)絡(luò)vSYS2VRF2CentralizedGateWayBDIF1BDIF3VM/BM1Vlan100Vlan200VM/BM2BDIF6VRF1BD6BD1ServerLeafVlan400Vlan2000Vlan2001vSYS1BD4BD3ServiceLeafBDIF4ServerLeafVlan300VM/BM4VM/BM312345集中式網(wǎng)關(guān)VPC不同子網(wǎng)按需隔離互訪(fǎng)-邏輯網(wǎng)絡(luò)CentralizedGateWayLogicPort11LogicPort8EndPort1LogicPort15LogicPort16EndPort2LogicPort12LogicRouter1(VPC1)LogicSwitch6LogicSwitch1ServerLeafLogicPort14LogicPort3LogicPort4LogicFWLogicSwitch4LogicSwitch3ServiceLeafLogicPor9ServerLeafLogicPort13EndPort4EndPort3集中式網(wǎng)關(guān)VPC不同子網(wǎng)按需隔離互訪(fǎng)-物理網(wǎng)絡(luò)CentralizedGateWayBDIF1BDIF3VM/BM1Vlan100Vlan200VM/BM2BDIF6VRF1BD6BD1ServerLeafVlan400Vlan2000Vlan2001vSYS1BD4BD3ServiceLeafBDIF4ServerLeafVlan300VM/BM4VM/BM31423集中式網(wǎng)關(guān)3rdVAS旁?huà)霺erviceLeaf-邏輯網(wǎng)絡(luò)CentralizedGateWayLogicPort11LogicPort8LogicPort12LogicRouter1(VPC1)LogicPort3LogicPort4LogicVASLogicSwitch4LogicSwitch3ServiceLeafLogicPor9集中式網(wǎng)關(guān)3rdVAS旁?huà)霺erviceLeaf-物理網(wǎng)絡(luò)CentralizedGateWayBDIF1BDIF3BDIF6VRF1Vlan2000Vlan20013rd

VASBD4BD3ServiceLeafBDIF41423集中式網(wǎng)關(guān)VIP為外網(wǎng)IP-邏輯網(wǎng)絡(luò)LogicRouter(VPC1)ExternalNetworkCentralizedGateWayLogicPort2LogicPort3EndPortLogicPort7LogicPort8EndPortLogicPort4LogicRouter(Internet/Intranet)LogicSwitch3LogicSwitch1ServerLeafLogicPort1BorderLeafLogicPort9LogicPort10LogicLBVIP=LogicSwitch3LogicSwitch2ServiceLeafEndPortLogicPort7LogicPort8EndPortLogicSwitch4ServerLeafLogicPort5集中式網(wǎng)關(guān)VIP為外網(wǎng)IP-物理網(wǎng)絡(luò)VRF1CentralizedGateWayBDIF1BDIF2VM/BM1VLAN200VLAN300VM/BM2BDIF5Internet/IntranetPublicVRF1BD3BD1ServerLeafVLAN100BorderLeafVLAN1000VLAN1001VSVIP=BD3BD2ServiceLeafPE公網(wǎng)/私網(wǎng)VRFInternet/Intranet12VM/BM3VLAN400VLAN500VM/BM4BD4ServerLeafBDIF63集中式網(wǎng)關(guān)VIP為內(nèi)網(wǎng)IP-邏輯網(wǎng)絡(luò)LogicRouter(VPC1)ExternalNetworkCentralizedGateWayLogicPort2LogicPort3EndPortLogicPort7LogicPort8EndPortLogicPort4LogicRouter(Internet/Intranet)LogicSwitch3LogicSwitch1ServerLeafLogicPort1BorderLeafLogicPort9LogicPort10LogicLBVIP=LogicSwitch3LogicSwitch2ServiceLeafEndPortLogicPort13LogicPort14EndPortLogicSwitch4ServerLeafLogicPort5LogicPort11LogicPort12LogicFWLogicSwitch6LogicSwitch5LogicPort15LogicPort16集中式網(wǎng)關(guān)VIP為內(nèi)網(wǎng)IP-物理網(wǎng)絡(luò)VRF1CentralizedGateWayBDIF1BDIF3VM/BM1VLAN200VLAN300VM/BM2BDIF5Internet/IntranetPublicVRF1BD5BD1ServerLeafVLAN100BorderLeafVLAN1000VLAN1001VSVIP=BD5BD4ServiceLeafPE公網(wǎng)/私網(wǎng)VRFInternet/IntranetVM/BM3VLAN400VLAN500VM/BM4BD6ServerLeafBDIF6VLAN2000VLAN2001vSYSBD3BD2BDIF4BDIF2123集中式網(wǎng)關(guān)外網(wǎng)訪(fǎng)問(wèn)VPC-邏輯組網(wǎng)LogicFWLogicRouter(VPC1Distribut)EndPortLogicPort10LogicPort11EndPortLogicPort12LogicSwitch5ServerLeafExternalNetworkLogicPort2LogicRouter(Internet/IntranetDistribut)LogicSwitch1LogicPort1BorderLeafLogicRouter(VPC1Distribut)LogicPort7ServiceLeafLogicPort4LogicSwitch3LogicPort6LogicSwitch2LogicRouter(Internet/IntranetDistribut)LogicPort3分布式網(wǎng)關(guān)外網(wǎng)訪(fǎng)問(wèn)VPC-物理組網(wǎng)RootSYSVRF1(Distribut)VM/BM1Vlan200Vlan300VM/BM2BDIF5BD5ServerLeafBDIF1Internet/IntranetPublicVRF1(Distribut)BD1Vlan100BorderLeafVRF1(Distribut)Vlan1001ServiceLeafvSYSBDIF3BD3Vlan1000BD2Internet/IntranetPublicVRF1(Distribut)BDIF2PE公網(wǎng)/私網(wǎng)VRFInternet/Intranet1235674分布式網(wǎng)關(guān)VPC訪(fǎng)問(wèn)外網(wǎng)-邏輯網(wǎng)絡(luò)LogicFWLogicRouter(VPC1Distribut)EndPortLogicPort10LogicPort11EndPortLogicPort12LogicSwitch5ServerLeafExternalNetworkLogicPort2LogicRouter(Internet/IntranetDistribut)LogicSwitch1LogicPort1BorderLeafLogicRouter(VPC1Distribut)LogicPort7ServiceLeafLogicPort4LogicSwitch3LogicPort6LogicSwitch2LogicRouter(Internet/IntranetDistribut)LogicPort3分布式網(wǎng)關(guān)VPC訪(fǎng)問(wèn)外網(wǎng)-物理網(wǎng)絡(luò)RootSYSVRF1(Distribut)VM/BM1Vlan200Vlan300VM/BM2BDIF5BD5ServerLeafBDIF1Internet/IntranetPublicVRF1(Distribut)BD1Vlan100BorderLeafVRF1(Distribut)Vlan1001ServiceLeafvSYSBDIF3BD3Vlan1000BD2Internet/IntranetPublicVRF1(Distribut)BDIF2PE公網(wǎng)/私網(wǎng)VRFInternet1235674分布式網(wǎng)關(guān)VPC間互訪(fǎng)-邏輯網(wǎng)絡(luò)LogicFWLogicRouter(VPC2Distribut)EndPortLogicPort10LogicPort11EndPortLogicPort12LogicSwitch5ServerLeafEndPortLogicPort2LogicRouter(VPC1Distribut)LogicSwitch1LogicPort1ServerLeafLogicRouter(VPC2Distribut)LogicPort7ServiceLeafLogicPort4LogicSwitch3LogicPort6LogicSwitch2LogicRouter(VPC1Distribut)LogicPort3分布式網(wǎng)關(guān)VPC間互訪(fǎng)-物理網(wǎng)絡(luò)vSYS1VRF2(Distribut)VM/BM1Vlan200Vlan300VM/BM2BDIF5BD5ServerLeafBDIF1VRF1(Distribut)BD1Vlan100ServerLeafVRF2(Distribut)Vlan1001ServiceLeafvSYS2BDIF3BD3Vlan1000BD2VRF1(Distribut)BDIF2VM/BM31235674分布式網(wǎng)關(guān)VPC不同子網(wǎng)按需隔離互訪(fǎng)-邏輯網(wǎng)絡(luò)LogicFWLogicRouter(VPC1Distribut)EndPortLogicPort10LogicPort11EndPortLogicPort12LogicSwitch5ServerLeafEndPortLogicPort2LogicRouter(VPC1Distribut)LogicSwitch1LogicPort1ServerLeafLogicPort7ServiceLeafLogicPort4LogicSwitch3LogicPort6LogicSwitch2LogicRouter(VPC1Distribut)LogicPort3分布式網(wǎng)關(guān)VPC不同子網(wǎng)按需隔離互訪(fǎng)-物理網(wǎng)絡(luò)vSYS1VRF1(Distribut)VM/BM1Vlan200Vlan300VM/BM2BDIF5BD5ServerLeafBDIF1VRF1(Distribut)BD1Vlan100ServerLeafVlan1001ServiceLeafBDIF3BD3Vlan1000BD2VRF1(Distribut)BDIF2VM/BM3123456分布式網(wǎng)關(guān)VIP為外網(wǎng)IP-邏輯網(wǎng)絡(luò)LogicLBLogicRouter(VPC1Distribut)EndPortLogicPort10LogicPort11EndPortLogicPort4LogicSwitch3ServerLeafExternalNetworkLogicPort2LogicRouter(Internet/IntranetDistribut)LogicSwitch1LogicPort1BorderLeafLogicRouter(VPC1Distribut)LogicPort7ServiceLeafLogicPort4LogicSwitch3LogicPort6LogicSwitch2LogicRouter(Internet/IntranetDistribut)LogicPort3LogicSwitch4LogicPort5分布式網(wǎng)關(guān)VIP為外網(wǎng)IP-物理網(wǎng)絡(luò)VRF1(Distribut)VM/BM1Vlan200Vlan300VM/BM2BDIF3BD3ServerLeafBDIF1Internet/IntranetPublicVRF1(Distribut)BD1Vlan100BorderLeafVRF1(Distribut)Vlan1001ServiceLeafVSVIP=BDIF3BD3Vlan1000BD2Internet/IntranetPublicVRF1(Distribut)BDIF2PE公網(wǎng)/私網(wǎng)VRFInternet/Intranet12BD4BDIF434分布式網(wǎng)關(guān)VIP為內(nèi)網(wǎng)IP-邏輯網(wǎng)絡(luò)LogicFWLogicRouter(VPC1Distribut)EndPortLogicPort10LogicPort11EndPortLogicPort4LogicSwitch3ServerLeafExternalNetworkLogicPort2LogicRouter(Internet/IntranetDistribut)LogicSwitch1LogicPort1BorderLeafLogicRouter(VPC1Distribut)LogicPort9ServiceLeafLogicPort13LogicSwitch6LogicPort8LogicSwitch5LogicRouter(Internet/IntranetDistribut)LogicPort12LogicSwitch4LogicPort5LogicLBLogicPort7LogicSwitch3LogicPort6LogicSwitch2LogicPort4LogicPort3分布式網(wǎng)關(guān)VIP為內(nèi)網(wǎng)IP-物理網(wǎng)絡(luò)VRF1(Distribut)VM/BM1Vlan200Vlan300VM/BM2BDIF3BD3ServerLeafBDIF1Internet/IntranetPublicVRF1(Distribut)BD1Vlan100BorderLeafVRF1(Distribut)Vlan2001ServiceLeafVSVIP=BDIF6BD6Vlan2000BD5Internet/IntranetPublicVRF1(Distribut)BDIF5PE公網(wǎng)/私網(wǎng)VRFInternet/IntranetBD4BDIF4Vlan1001VSVIP=BDIF3BD3Vlan1000BD2BDIF2123分布式網(wǎng)關(guān)VAS概述DCN-SDN方案中的VASSFC概述DCN-SDN方案中的SFCVAS功能全景傳統(tǒng)VAS業(yè)務(wù)的局限與應(yīng)對(duì)傳統(tǒng)VAS特點(diǎn)靜態(tài)配置引流策略、部署復(fù)雜，無(wú)法實(shí)現(xiàn)復(fù)雜引流場(chǎng)景VAS服務(wù)依賴(lài)物理拓?fù)?，拓?fù)涔潭ǎ瑯I(yè)務(wù)不靈活業(yè)務(wù)的新訴求FW/LB功能NFV化，部署動(dòng)態(tài)性增強(qiáng)、功能單一化導(dǎo)致引流復(fù)雜網(wǎng)關(guān)分布式、同子網(wǎng)東西向安全控制增多，引流更加復(fù)雜業(yè)務(wù)自助服務(wù)和部署、位置不確定應(yīng)對(duì)VAS業(yè)務(wù)功能與物理拓?fù)浣怦钤赟DN控制器的控制下，使用Overlay技術(shù)將VAS服務(wù)鏈映射和物理服務(wù)設(shè)備解耦，只要承載網(wǎng)IP可達(dá)，即可將虛擬層服務(wù)鏈映射到承載層服務(wù)設(shè)備的技術(shù)，即：ServiceFunctionChain。SFC的概念業(yè)務(wù)鏈定義：是一個(gè)業(yè)務(wù)功能（一種對(duì)數(shù)據(jù)報(bào)文實(shí)現(xiàn)特定的檢查和處理的網(wǎng)絡(luò)功能，可以設(shè)備上的一種模塊或者虛擬實(shí)例。)有序圖，保證指定的業(yè)務(wù)流按順序通過(guò)這些業(yè)務(wù)功能節(jié)點(diǎn)典型業(yè)務(wù)鏈的例子：Internet->防火墻->IDS->負(fù)載均衡器->WEB服務(wù)器

SF(Physical)

SF(VM)

SF(Physical)

SF(VM)

SCSC交換機(jī)交換機(jī)網(wǎng)絡(luò)overlayVXLAN應(yīng)用A應(yīng)用BSFFSFFSFC的價(jià)值圖形化部署、降低OPEX▲根圖形化業(yè)務(wù)功能部署，簡(jiǎn)化部署流程▲椐業(yè)務(wù)流申請(qǐng)業(yè)務(wù)鏈，部署和回退方便▲支持業(yè)務(wù)路徑可視化，方便運(yùn)維和診斷VAS資源彈性伸縮、按需分配▲資源池化，業(yè)務(wù)按需分配▲資源池化，資源彈性伸縮VAS部署靈活、按需擴(kuò)展▲業(yè)務(wù)功能與Fabric解藕，靈活部署▲支持業(yè)務(wù)功能按需擴(kuò)展SFC在DCN-SDN解決方案中的位置SFC位置Huawei第三方合作用戶(hù)云平臺(tái)或APP可集群的AC控制器第三方控制器L2-L3物理服務(wù)器虛擬化平臺(tái)ESXiKVMHyper-VXEN業(yè)務(wù)呈現(xiàn)層網(wǎng)絡(luò)控制層網(wǎng)絡(luò)層物理網(wǎng)元vSwitchvRouterHuaweiL4-L7物理網(wǎng)元vFWvLB服務(wù)器第三方L4-L7物理網(wǎng)元vFWvLB網(wǎng)絡(luò)虛擬化場(chǎng)景中SFC的架構(gòu)AC控制器業(yè)務(wù)PortalL2/L3FabricHuaweiVAS3rdVAS3rd

管理系統(tǒng)3rd業(yè)務(wù)Portal云網(wǎng)一體化場(chǎng)景中SFC的架構(gòu)OpenStackL2/L3FabricHuaweiVAS3rdVAS3rd

管理系統(tǒng)3rd業(yè)務(wù)PortalAC控制器業(yè)務(wù)PortalVAS概述DCN-SDN方案中的VASSFC概述DCN-SDN方案中的SFCSFC場(chǎng)景及業(yè)務(wù)模型SFC服務(wù)發(fā)放PBR引流及流量模型NSH引流及流量模型VAS功能全景場(chǎng)景需求外網(wǎng)和VPC內(nèi)網(wǎng)互訪(fǎng)VPC間互訪(fǎng)VPC內(nèi)互訪(fǎng)VPC-BFWLBGWsubnetsubnet…入口VPCSSLFW/NATIPS/IDSIPsecFW/NATIPS/IDSNATFW/NATIPS/IDS遠(yuǎn)程分支/園區(qū)遠(yuǎn)程用戶(hù)InternetVPC-AFWLBGWsubnetsubnet…VPC-CFWLBGWsubnetsubnet…基于GBP的SFC服務(wù)編排映射VAS服務(wù)consumerprovider應(yīng)用ConsumerEPGProviderEPGPolicyRulesSetServiceFunctionChainSF1SF2SFn……PolicyRuleClassifierAction=RedirectAC的GBP模型providerconsumerSCSFSFFSFFSFSFSFF轉(zhuǎn)發(fā)應(yīng)用場(chǎng)景1：外網(wǎng)和VPC內(nèi)網(wǎng)互訪(fǎng)ConsumerEPG=ExternalNetworkFieldProviderEPG=Tenant.vRouterPolicyRulesSetServiceFunctionChainSF1SF2SFn……PolicyRuleClassifierAction=Redirect應(yīng)用場(chǎng)景2：同租戶(hù)VPC間互訪(fǎng)ConsumerEPG=Tenant.vRouter1ProviderEPG=Tenant.vRouter2PolicyRulesSetServiceFunctionChainSF1SF2SFn……PolicyRuleClassifierAction=Redirect應(yīng)用場(chǎng)景3：同VPC子網(wǎng)間互訪(fǎng)ConsumerEPG=vRouter.vSwitch1ProviderEPG=vRouter.vSwitch2PolicyRulesSetServiceFunctionChainSF1SF2SFn……PolicyRuleClassifierAction=RedirectVAS概述DCN-SDN方案中的VASSFC概述DCN-SDN方案中的SFCSFC場(chǎng)景及業(yè)務(wù)模型SFC服務(wù)發(fā)放PBR引流及流量模型NSH引流及流量模型VAS功能全景SFC服務(wù)發(fā)放Portal上建立EPG創(chuàng)建CounsumerEPG創(chuàng)建ProviderEPGAC上建立業(yè)務(wù)鏈模板創(chuàng)建SFC模板添加SF實(shí)例AC上配置業(yè)務(wù)策略配置業(yè)務(wù)過(guò)濾策略;配置動(dòng)作：重定向；AC上應(yīng)用業(yè)務(wù)鏈應(yīng)用業(yè)務(wù)鏈；ConsumerEPGProviderEPGConsumerEPGProviderEPGServiceFunctionChainSF1……SF2SFnConsumerEPGProviderEPGPolicyRulesSetPolicyRuleClassifierAction=RedirectServiceFunctionChainSF1……SF2SFnConsumerEPGProviderEPGPolicyRulesSetPolicyRuleClassifierAction=RedirectServiceFunctionChainSF1……SF2SFnVAS概述DCN-SDN方案中的VASSFC概述DCN-SDN方案中的SFCSFC場(chǎng)景及業(yè)務(wù)模型SFC服務(wù)發(fā)放PBR引流及流量模型NSH引流及流量模型VAS功能全景基于PBR引流的SFCAgileControllerSFF1SF1SF2SFF2SF4SF3ConsumerProvider引流點(diǎn)下發(fā)PBR訪(fǎng)問(wèn)流量下發(fā)PBR引流策略SCVXLAN轉(zhuǎn)發(fā)隧道外網(wǎng)訪(fǎng)問(wèn)VPCVPCFWLBGWsubnetsubnet…入口VPCSSLFW/NATIPS/IDSIPsecFW/NATIPS/IDSNATFW/NATIPS/IDS遠(yuǎn)程分支/園區(qū)遠(yuǎn)程用戶(hù)Internet集中式網(wǎng)關(guān)-訪(fǎng)問(wèn)模型LogicRouter(VPC1)ExternalNetworkCentralizedGateWayLogicPort2LogicPort3EndPortLogicPort12LogicPort13EndPortLogicPor116LogicRouter(Internet/Intranet)LogicSwitch6LogicSwitch1ServerLeafLogicPort1BorderLeafLogicPort5LogicPort6LogicVAS1LogicSwitch3LogicSwitch2ServiceLeafLogicPort4LogicPort7LogicPort9LogicPort10LogicVAS2LogicSwitch5LogicSwitch4LogicPort8集中式網(wǎng)關(guān)-邏輯網(wǎng)絡(luò)PE公網(wǎng)/私網(wǎng)VRFInternet/IntranetVRF1CentralizedGateWayBDIF1BDIF2VM/BM1Vlan100BDIF6Internet/IntranetPublic

VRFBD6BD1ServerLeafVlan300BorderLeafVlan1000Vlan1001VAS1BD3BD2ServiceLeafBDIF3BDIF4Vlan2000Vlan2001VAS2BD5BD4BDIF5業(yè)務(wù)VXLAN隧道業(yè)務(wù)VXLAN隧道VRF1路由交叉業(yè)務(wù)VXLAN隧道業(yè)務(wù)VXLAN隧道業(yè)務(wù)VXLAN隧道業(yè)務(wù)VXLAN隧道PBR：Src/dstnhvas1PBR：Src/dstnhvas22341567集中式網(wǎng)關(guān)-

SFC模型VPC訪(fǎng)問(wèn)外網(wǎng)VPCFWLBGWsubnetsubnet…入口VPCSSLFW/NATIPS/IDSIPsecFW/NATIPS/IDSNATFW/NATIPS/IDS遠(yuǎn)程分支/園區(qū)遠(yuǎn)程用戶(hù)Internet集中式網(wǎng)關(guān)-訪(fǎng)問(wèn)模型LogicRouter(VPC1)ExternalNetworkCentralizedGateWayLogicPort2LogicPort3EndPortLogicPort12LogicPort13EndPortLogicPor116LogicRouter(Internet/Intranet)LogicSwitch6LogicSwitch1ServerLeafLogicPort1BorderLeafLogicPort5LogicPort6LogicVAS1LogicSwitch3LogicSwitch2ServiceLeafLogicPort4LogicPort7LogicPort9LogicPort10LogicVAS2LogicSwitch5LogicSwitch4LogicPort8集中式網(wǎng)關(guān)-邏輯網(wǎng)絡(luò)PE公網(wǎng)/私網(wǎng)VRFInternet/IntranetVRF1CentralizedGateWayBDIF1BDIF2VM/BM1Vlan100BDIF6Internet/IntranetPublic

VRFBD6BD1ServerLeafVlan300BorderLeafVlan1000Vlan1001VAS1BD3BD2ServiceLeafBDIF3BDIF4Vlan2000Vlan2001VAS2BD5BD4BDIF5業(yè)務(wù)VXLAN隧道業(yè)務(wù)VXLAN隧道默認(rèn)路由到Public業(yè)務(wù)VXLAN隧道業(yè)務(wù)VXLAN隧道業(yè)務(wù)VXLAN隧道業(yè)務(wù)VXLAN隧道PBR：Src/dstnhvas1PBR：Src/dstnhvas25473216集中式網(wǎng)關(guān)-

SFC模型VPC間互訪(fǎng)VPC-1FWLBGWsubnetsubnet…VPC-2FWLBGWsubnetsubnet…集中式網(wǎng)關(guān)-訪(fǎng)問(wèn)模型LogicRouter(VPC1)EndPort3CentralizedGateWayLogicPort2LogicPort3EndPortLogicPort12LogicPort13EndPortLogicPort16LogicRouter(VPC2)LogicSwitch6LogicSwitch1ServerLeafLogicPort1ServerLeafLogicPort5LogicPort6LogicVAS1LogicSwitch3LogicSwitch2ServiceLeafLogicPort4LogicPort7LogicPort9LogicPort10LogicVAS2LogicSwitch5LogicSwitch4LogicPort8集中式網(wǎng)關(guān)-邏輯網(wǎng)絡(luò)VRF1CentralizedGateWayBDIF1BDIF2VM/BM1Vlan100BDIF6VRF2BD6BD1ServerLeafVlan300BorderLeafVlan1000Vlan1001VAS1BD3BD2ServiceLeafBDIF3BDIF4Vlan2000Vlan2001VAS2BD5BD4BDIF5業(yè)鏈VXLAN隧道業(yè)務(wù)VXLAN隧道到VRF1的交叉路由業(yè)務(wù)VXLAN隧道業(yè)鏈VXLAN隧道業(yè)鏈VXLAN隧道業(yè)鏈VXLAN隧道PBR：Src/dstnhvas1PBR：Src/dstnhvas2345672VM/BM31集中式網(wǎng)關(guān)-SFC模型同VPC子網(wǎng)間互訪(fǎng)VPCFWLBGWsubnetsubnet…集中式網(wǎng)關(guān)-訪(fǎng)問(wèn)模型LogicRouter(VPC1)EndPort3CentralizedGateWayEndPort1LogicPort12LogicPort13EndPort2LogicPort16LogicSwitch6LogicSwitch1ServerLeafLogicPort1ServerLeafServiceLeafLogicPort7LogicPort9LogicPort10LogicVASLogicSwitch5LogicSwitch4LogicPort8LogicPort2集中式網(wǎng)關(guān)-邏輯網(wǎng)絡(luò)VRF1CentralizedGateWayVM/BM1Vlan100BDIF6BD6BD1ServerLeafVlan300BorderLeafServiceLeafBDIF4Vlan2000Vlan2001VASBD5BD4BDIF5業(yè)務(wù)VXLAN隧道業(yè)務(wù)VXLAN隧道業(yè)務(wù)VXLAN隧道業(yè)務(wù)VXLAN隧道PBR：Src/dstnhvasVM/BM3BDIF13421分布式網(wǎng)關(guān)-SFC模型外網(wǎng)訪(fǎng)問(wèn)VPCVPCFWLBGWsubnetsubnet…入口VPCSSLFW/NATIPS/IDSIPsecFW/NATIPS/IDSNATFW/NATIPS/IDS遠(yuǎn)程分支/園區(qū)遠(yuǎn)程用戶(hù)Internet分布式網(wǎng)關(guān)-訪(fǎng)問(wèn)模型LogicVAS1LogicRouter(VPC1Distribut)EndPortLogicPort10LogicPort11EndPortLogicPort12LogicSwitch4ServerLeafExternalNetworkLogicPort2LogicRouter(Internet/IntranetDistribut)LogicSwitch1LogicPort1BorderLeafLogicRouter(VPC1Distribut)LogicPort7ServiceLeafLogicPort4LogicSwitch3LogicPort6LogicSwitch2LogicPort3LogicVAS2LogicPort14LogicPort9LogicSwitch6LogicPort13LogicSwitch5LogicPort8LogicRouter(Internet/IntranetDistribut)分布式網(wǎng)關(guān)-邏輯網(wǎng)絡(luò)VAS1VRF1(Distribut)VM/BM1Vlan100BDIF4BD4ServerLeafBDIF1Internet/IntranetPublicVRF(Distribut)BD1Vlan300BorderLeafVRF1(Distribut)Vlan1001ServiceLeafBDIF3BD3Vlan1000BD2BDIF2VAS2Vlan2001BDIF6BD6Vlan2000BD5BDIF5Internet/IntranetPublicVRF(Distribut)PE公網(wǎng)/私網(wǎng)VRFInternet/IntranetPBR：Src/dstnhL3VNI到VRF1的交叉路由PBR：Src/dstnhvas213456L3VNI互聯(lián)7L3VNI互聯(lián)2PBR：Src/dstnhvas1分布式網(wǎng)關(guān)-SFC模型VPC訪(fǎng)問(wèn)外網(wǎng)VPCFWLBGWsubnetsubnet…入口VPCSSLFW/NATIPS/IDSIPsecFW/NATIPS/IDSNATFW/NATIPS/IDS遠(yuǎn)程分支/園區(qū)遠(yuǎn)程用戶(hù)Internet分布式網(wǎng)關(guān)-訪(fǎng)問(wèn)模型LogicVAS1LogicRouter(VPC1Distribut)EndPortLogicPort10LogicPort11EndPortLogicPort12LogicSwitch4ServerLeafExternalNetworkLogicPort2LogicRouter(Internet/IntranetDistribut)LogicSwitch1LogicPort1BorderLeafLogicRouter(VPC1Distribut)LogicPort7ServiceLeafLogicPort4LogicSwitch3LogicPort6LogicSwitch2LogicPort3LogicVAS2LogicPort14LogicPort9LogicSwitch6LogicPort13LogicSwitch5LogicPort8LogicRouter(Internet/IntranetDistribut)分布式網(wǎng)關(guān)-邏輯網(wǎng)絡(luò)VAS1VRF1(Distribut)VM/BM1Vlan100BDIF4BD4ServerLeafBDIF1Internet/IntranetPublicVRF(Distribut)BD1Vlan300BorderLeafVRF1(Distribut)Vlan1001ServiceLeafBDIF3BD3Vlan1000BD2BDIF2VAS2Vlan2001BDIF6BD6Vlan2000BD5BDIF5Internet/IntranetPublicVRF(Distribut)PE公網(wǎng)/私網(wǎng)VRFInternet/IntranetPBR：Src/dstnhvas1到VRF1的交叉路由PBR：Src/dstnhL3VNIL3VNI互聯(lián)134567L3VNI互聯(lián)2PBR：Src/dstnhvas2分布式網(wǎng)關(guān)-SFC模型VPC間互訪(fǎng)VPC-1FWLBGWsubnetsubnet…VPC-2FWLBGWsubnetsubnet…分布式網(wǎng)關(guān)-訪(fǎng)問(wèn)模型LogicVAS1LogicRouter(VPC1Distribut)EndPortLogicPort10LogicPort11EndPortLogicPort12LogicSwitch4ServerLeafEndPortLogicPort2LogicRouter(VPC2Distribut)LogicSwitch1LogicPort1ServerLeafLogicRouter(VPC1Distribut)LogicPort7ServiceLeafLogicPort4LogicSwitch3LogicPort6LogicSwitch2LogicPort3LogicVAS2Lo