Network common specification

Network configuration

  • Network configuration image of Enterprise Cloud 2.0 is as follows.

  • The following configuration image is an example, and it is possible to implement a free topology, menu selection, IP address design as well as on-premises network.

diagram

Network menu list

The list of network menu is as follows.

Menu

Overview

Logical Network

  • Provides L2 network connecting any resources in the tenant.

  • You can flexibly reproduce free topology and IP address design on the cloud as well as on-premises network.

Internet Connectivity

  • Provides connectivity to the Internet from the tenant.

  • Transmission speed and quality can be selected according to the customer’s requirements, and there is no need to pay for data transfer.

VPN Connectivity

  • Provides the connectivity function from the tenant to the high quality IP-VPN service of NTTCom.

  • Transmission speed and quality can be selected according to the customer’s requirements, and there is no need to pay for data transfer.

Network-Based Security

  • Responding to diversified threats in an integrated manner in one stop.

  • It is possible to use only the Firewall function at first and upgrade to UTM as needed.

Firewall (vSRX)

  • Provides firewall feature that can be set anywhere.

  • Provides the most features of vSRX.

Firewall (Brocade 5600 vRouter)
EOS 1st July,2017
  • Provides firewall feature that can be set anywhere.

  • Brocade 5600 vRouter offers the most features available.

Load Balancer(NetScaler VPX)

  • Provides load balancing features that can be set anywhere.

  • Provides the most features of NetScaler VPX.

Usage limit of each service

The usage limit values for each menu are as follows.

Menu

Resource

Usage limit

Remarks, unit of use

Logical Network

Number of Logical Networks provided per tenant

64  
 

Number of subnets provided per tenant

128  
 

Number of ports provided per tenant

2048  

Internet Connectivity

Number of Internet Gateways provided per tenant

4  
 

Number of gateway interfaces per Internet Gateway

1  
 

Number of static routes per Internet Gateway

32  
 

Number of subnets provided per tenant

4

Available unit is subnet mask length / 32 to / 28

VPN Gateway

Number of VPN gateways provided per tenant

32  
 

Number of gateway interfaces per VPN gateway

1  
 

Number of static routes per VPN gateway

32  
Managed Firewall

Number of Managed Firewalls Per Tenant

Unlimited

 
 

Number of interfaces per Managed Firewall

7  
Managed UTM

Number of Managed UTMs per tenant

Unlimited

 
 

Number of interfaces per Managed UTM

7  
Managed WAF

Number of Managed WAFs provided per tenant

Unlimited

 
 

Number of interfaces per Managed WAF

1  
Firewall
(vSRX)

Number of provided firewalls per tenant

64  
 

Number of interfaces per firewall

8  
Firewall
(Brocade 5600 vRouter)

Number of provided firewalls per tenant

16

2017/7/1 End of Sales

 

Number of interfaces per firewall

4 or 8

Determined according to the plan

Load Balancer
(NetScaler VPX)

Number of Load Balancers provided per tenant

16  
 

Number of interfaces per Load Balancer

4 or 8

Determined according to the plan

 

Number of syslog transfer destination that can be set for each Load Balancer

8

Provided in version 11.0-67.12 or later

MTU Design Guide

Recommended value

  • It is recommended to set the MTU of the resource connected to the Logical Network to the following and communicate within the MTU size. The recommended value is 1500 bytes for the data plane, which is standard in the WAN environment such as the Internet, and 9000 bytes for the storage communication acceleration in the LAN, for the storage plane.

  • Note that if the MTU is different for resources connected to the same Logical Network, communication will not be possible.

Plane Type

Data plane (D)

Storage plane (S)

MTU recommended value

1500 9000

Initial value of each menu and whether you can change it or not

  • Please refer to the list below for the initial value of each menu and whether you can change it or not.

  • Note that if the MTU is different for resources connected to the same Logical Network, communication will not be possible.

Categories

Menu

Initial value (unit: byte)

Changeable

Server

Baremetal Server

Depends on OS setting

Depends on OS setting

 

Virtual Server

Depends on OS setting

Depends on OS setting

  OS
D: 1500
S: 1500 (※ 1)

Partially not possible (※ 2)

Storage Plane

Block storage (Provisioned I / O performance)

D: 1500
S: 9000

Impossible

 

File storage (premium)

S: 9000

Impossible

 

File storage (standard)

D: 1500
S: 9000

Impossible

Network

Logical Network

D: 9000
S: 9000

Impossible

 

Internet Connectivity

D: 1500

Impossible

 

VPN Gateway

D: 1500

Impossible

 

Firewall (vSRX)

D: 1500

Enabled

 

Firewall (Brocade 5600 vRouter) (* 3)

D: 1500

Impossible

 

Load Balancer (NetScaler VPX)

D: 1500

Impossible

SD-Exchange

Colocation Inter-Connectivity

D: 9000

Impossible

 

Enterprise Cloud 1.0 Inter-Connectivity

D: 1500

Impossible

 

Enterprise Cloud 2.0 Interconnectivity

Depends on connection source resource

Impossible

 

Amazon Web Services Inter-Connectivity

D: 1500

Impossible

 

Google Cloud Platform Inter-Connectivity

D: 1500

Impossible

 

Microsoft Azure connection

D: 1500

Impossible

 

Datacenter Inter-Connectivity

D: 1500

Impossible

Dedicated hypervisor

 
D: 1500
S: 1500

Enabled

Security

Network-based Security

D: 1500

Not available (only Managed WAF is available)

Middleware

Hyper-V

Depends on OS setting

Depends on OS setting

  SAP HANA
D: 1500
S: 9000

Impossible

  Oracle

Depends on OS setting

Depends on OS setting

  SQL Server

D: 1500

Enabled

  Arcserve Unified Data Protection (UDP) Advanced Edition

Depends on OS setting

Depends on OS setting

  Veeam Backup & Replication (VBR) for vSphere

Depends on OS setting

Depends on OS setting

  HULFT

Depends on OS setting

Depends on OS setting

  Windows Server Remote Desktop Services SAL

Depends on OS setting

Depends on OS setting

Platform Service

Cloud Foundary (* 3)

D: 1500

Enabled

 

Rancher (* 3)

D: 1500

Enabled

  WebRTC Platform

D: 1500

Impossible

  Power Systems

D: 1500

Impossible

Note

  • D refers to the data plane and S refers to the storage plane.

  • (* 1) When using Bare metal Server, please be aware that both data plane and storage plane settings are required.

  • (* 2) The configuration of Red Hat Enterprise Linux for SAP Applications can not be changed.

  • (* 3) This is a menu that is currently under end of sales or service termination.

How to set a redundant configuration

  • Introduce how to configure network menu redundantly.

diagram

Menu

method

Redundant method

  • Logical Network

Layer 2

It is redundant by default and does not require settings by customer.

  • Internet Connectivity

  • VPN Connectivity

Layer 3

  • Logical Network side

    • Make it redundant with the VRRP function.

    • From the opposite resource, set a static route with the VRRP virtual IP address as the next hop.

  • External network side

    • Make it redundant with the BGP function. There is no need for customer operation.

  • Managed Firewall
  • Managed UTM

Layer 3

  • Firewall
    (vSRX)
  • Firewall
    (Brocade 5600 vRouter)
  • Load Balancer
    (NetScaler VPX)

Layer 3

NG Configuration example

  • Versatility that enables flexible network design like on-premise environment.

  • Because of the constraints of the communication protocol etc., it does not work normally with the following configuration, so please check the following configuration example and set it appropriately.

  • For other restrictions on each menu, please check the service descriptions of each menu.

NG Configuration example

Description

_images/ln_ng_asymmetry_traffic.png
  • Asymmetric communication (communication in which the return and return of traffic are separated) may not be able to communicate.

  • Please design so that traffic going and returning are symmetric communication with the same route.

_images/ln_ng_same_network.png
  • If you connect to the same logical network from the same resource and communicate using the same source MAC address, communication may not be failed.

  • Even if different subnets of the same Logical Network are specified, communication may not be possible as well. 80%. With multiple subnets created for one logical network, forwarding communications in terms of different address ranges is possible. However, it is not effective for security because communications are transferred to the same L2 network (same VLAN).

  • Connect to different Logical Networks from the same resource.

_images/ln_ng_real_mac_redundancy.png
  • Virtual Menu (Virtual Server, Managed Firewall, Load Balancer (NetScaler VPX), etc.) uses a real MAC address to perform redundancy like in Microsoft Failover Cluster or Linux Heartbeat (Processes virtual IP address for communication The redundancy method that MAC address changes after redundancy switching does not work.

  • As in the VRRP protocol, use a method to make redundant using virtual MAC addresses (a redundant method in which the MAC address that processes the virtual IP address for communication does not change after redundancy switching).

  • When using the VRRP protocol etc., set the same virtual IP address / virtual MAC address pair in Allowed Address Pairs section of the ports of all virtual menu resources to be redundant.

_images/ln_ng_mac_duplication.png
  • The following menus can not be connected to the same logical network for MAC address duplication prevention. If you connect, communication may be impossible.

    • Multiple Internet connectivity

    • Multiple VPN connectivity

    • Multiple Amazon Web Services Connectivity

    • Multiple Microsoft Azure Inter-connectivity

    • Multiple Google Cloud Platform Inter-connectivity

    • Multiple DC Inter-Connectivity

    • Combination of VPN connectivity, Amazon Web Services inter-connectivity, and Microsoft Azure inter-connectivity

_images/ln_ng_l2_roop.png
  • To prevent the L2 loop, the following menus can not be connected to the same logical network

    • Colocation Inter-Connectivity and Colocation Inter-Connectivity

    • Enterprise Cloud 1.0 Inter-Connectivity and Enterprise Cloud 1.0 Inter-Connectivity

    • Colocation Inter-Connectivity and Enterprise Cloud 1.0 Inter-Connectivity

_images/ln_ng_vrrp_id_duplication.png
  • To prevent MAC address duplication, design so that VRIDs (VRRP IDs) do not overlap between resources connected to the same Logical Network.

  • Since the virtual MAC address used for communication when using VRRP is the value of “00: 00: 5e: 00: 01: (VRRP group ID value)” on the basis of the VRRP group ID, if the same VRRP group ID is used, the MAC address is duplicated.

  • The usage status of VRID (VRRP ID) of the individual menu is as follows.

    • The VRRP group ID that can be used for Network based Security (Managed FW / UTM) is 1 to 100. Also, since VRRP group ID 11 is used in the NTTCom’s equipment, please use a value other than 11.

    • In Enterprise Cloud 1.0, the VRRP group ID 0 to 80 is used in the NTTCom’s equipment. Do not use 0 to 80 for other resources when using Enterprise Cloud 1.0 connection or when connecting to Enterprise Cloud 1.0 at the destination of collocation connection.

Note

  • When using multiple interfaces with Managed Firewall or Managed UTM, the specifications that can not be used in the configuration where the MAC address of the other device of each interface is duplicated were resolved on January 16, 2018.