Campus Network as a Service
FW CNaaS and SUNET-MGMT-VRF
IP VPN is used to establish connectivity to the CNAAS Firewall from SUNET management servers. For information about SUNET management VPN's see Management VPN
On-net FW installations
CNAAS on-net firewalls are managed outbound (a dedicated connection). A hub-spoke IP-VPN VRF (infra-cpe-mgmt) is used for this purpose on the SUNET PE router. The same VPN/ VRF is used for different customer FW / CPE attachments to the same PE. On the CNAAS firewall the interface connected to the SUNET PE is separated from other interfaces using a local VRF "SUNET-infra-cpe-mgmt". The CNAAS firewall should use security policys allowing traffic only for the required announce(from PE) SUNET management servers. See Management VPN section "VRF Infra-cpe-mgmt (SPOKE)".
The IP VPN connection to the PE is established using VLAN-ID 9 and eBGP is used between the PE and the CNAAS distribution switch. A policy is used on the CNAAS Firewall to restrict BGP announcements to only include the loopback attached to the "SUNET-infra-cpe-mgmt" VRF.
The loopback address for the Link and loopback addresses are assigned from the following ranges:
links PE - CNAAS / CNAAS FW)
86.105.113.128/26 (https://ipam.sunet.se/prefix/list#/query_string=86.105.113.128/26&search_opt_parent=undefined&search_opt_child=undefined&explicit=true)
loopbacks (CNAAS FW)
86.105.113.192/26 (https://ipam.sunet.se/prefix/list#/query_string=86.105.113.192/26&search_opt_parent=undefined&search_opt_child=undefined&explicit=true)
Example configuration SUNET PE:
Example configuration SUNET PE. In case the VRF is present new connections are added to the same VRF.
routing-instances {
infra-cpe-mgmt {
routing-options {
auto-export;
}
protocols {
bgp {
group <cnaas_fw_node_name> {
import primary-in;
peer-as <cnaas_switch_peer_asn>;
as-override;
neighbor <cnaas_switch_peer_ip> {
family inet {
unicast {
prefix-limit {
maximum 10;
teardown {
80;
idle-timeout 5;
}
}
}
}
}
}
}
}
instance-type vrf;
interface <name>.9;
route-distinguisher 1653:883;
vrf-target {
import target:1653:898;
export target:1653:899;
}
}
}
interfaces {
<name> {
description "<description>";
flexible-vlan-tagging;
mtu 9192;
encapsulation flexible-ethernet-services;
unit 9 {
description "infra-cpe-mgmt for <fw-node-name>";
vlan-id 9;
family inet {
mtu 1500;
address <link_address>;
}
}
}
}
Example configuration CNAAS FW routing-instance "SUNET-infra-cpe-mgmt"
CNAAS FW:
routing-instances {
SUNET-infra-cpe-mgmt {
protocols {
bgp {
group sunet-mgmt {
type external;
export SUNET-infra-cpe-mgmt;
peer-as <cnaas_switch_peer_asn>;
local-as <SUNET-infra-cpe-mgmt_local_asn>;
multipath;
bfd-liveness-detection {
minimum-interval 1000;
}
neighbor <cnaas_switch_peer_ip> {
description <cnaas_switch_name>;
}
neighbor <cnaas_switch_peer_ip> {
description <cnaas_switch_name>;
}
}
log-updown;
}
}
interface lo0.9;
interface reth0.251;
description SUNET-infra-cpe-mgmt;
instance-type virtual-router;
}
}
policy-statement SUNET-infra-cpe-mgmt {
term 1 {
from {
protocol direct;
route-filter <lo0.9_address>/32 exact;
}
then accept;
}
term default {
then reject;
}
}
Off-net FW installations (e.g. using Tele2 Network)
Off-net CNAAS FW is managed inbound in the customer IP-VPN (in the same way an off-net CPE's are managed). On the SUNET IP-VPN NNI connection (NNI to the off-net network) connection routes used for management of the CNAAS Firewall (the link address to the CNAAS Firewall) is exported to the SUNET-MGMT-VRF. The customer VRF on the NNI imports routes used by SUNET management servers. The link address between the off-net CPE and the CNAAS Firewall is used for management connectivity (hostname of the CNAAS Firewall is set to the link address).
The address range 86.105.113.64/26 is used to assign /30 link networks for the off-net Firewall.
For information how to configure IP-VPN and IP-VPN inbound management see; Juniper PE kund IP-VPN and Juniper PE - Tele2 VPN-NNI IP-VPN
For general information about off-net IP-VPN see Tele2 VPN-NNI & off-net provided IP-VPN