IP VPN is used to establish connectivity to the CNAAS FW from SUNET management servers.
On-net FW installations
CNAAS on-net firewalls are managed outbound, over a dedicated connection towards SUNET rather than through the Internet-facing interface, so the firewall does not need to allow any connections from the Internet on that interface. A dedicated VRF, "infra-cpe-mgmt", is used on the SUNET side for this purpose.
SUNET PE:

```
routing-instances {
    infra-cpe-mgmt {
        routing-options {
            auto-export;
        }
        protocols {
            bgp {
                group vr-s1 {
                    import primary-in;
                    peer-as 64656;
                    as-override;
                    neighbor 86.105.113.133 {
                        family inet {
                            unicast {
                                prefix-limit {
                                    maximum 10;
                                    teardown {
                                        80;
                                        idle-timeout 5;
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
        instance-type vrf;
        interface xe-4/2/0.9;
        route-distinguisher 1653:883;
        vrf-target {
            import target:1653:898;
            export target:1653:899;
        }
    }
}
```
On the firewall, the interface connected to the SUNET PE is kept separate from the other interfaces by placing it in a local routing instance of type virtual-router (SUNET-infra-cpe-mgmt), so the management routes never mix with the firewall's other routing tables.
infra-cpe-mgmt VRF, CNAAS FW side:

```
routing-instances {
    SUNET-infra-cpe-mgmt {
        protocols {
            bgp {
                group sunet-mgmt {
                    type external;
                    export SUNET-infra-cpe-mgmt;
                    peer-as 64656;
                    local-as 64657;
                    multipath;
                    bfd-liveness-detection {
                        minimum-interval 1000;
                    }
                    neighbor 10.20.50.73 {
                        description d01;
                    }
                    neighbor 10.20.50.74 {
                        description d02;
                    }
                }
                log-updown;
            }
        }
        interface lo0.9;
        interface reth0.251;
        description SUNET-infra-cpe-mgmt;
        instance-type virtual-router;
    }
}
```
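The on-net management path described above comes down to a handful of routing-instance properties: on the PE side a VRF whose CPE neighbour carries a prefix-limit with teardown, and on the firewall side a separate virtual-router that peers eBGP with the SUNET AS only, exports the management prefixes and runs BFD. The Python below is an added example, not configuration or tooling from the SUNET page: it parses Junos brace-style configuration text and checks those properties. The sample configurations are constructed from the two snippets above, the weakened variants are hypothetical, and all function and variable names are the example's own.

```python
"""Added example, not from the SUNET page: parse Junos brace-style config and
check the properties the on-net management path above relies on. The config
strings are constructed from the page's snippets; AS numbers are taken from them."""
import re
from typing import Dict, List, Optional, Tuple

Node = Dict[str, Optional[dict]]  # 'a b { ... }' -> {'a b': {...}}, 'a b;' -> {'a b': None}
TOKEN = re.compile(r"\{|\}|;|[^\s{};]+")

def parse_junos(text: str) -> Node:
    """Nested dicts keyed by statement text; identical repeated statements collapse."""
    root: Node = {}
    stack: List[Node] = [root]
    words: List[str] = []
    for tok in TOKEN.findall(text):
        if tok in ("{", ";"):
            key, words = " ".join(words), []
            stack[-1][key] = {} if tok == "{" else None
            if tok == "{":
                stack.append(stack[-1][key])
        elif tok == "}":
            if len(stack) == 1 or words:
                raise ValueError("unbalanced '}' or statement missing ';'")
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1 or words:
        raise ValueError("unterminated block or statement")
    return root

def _match(node: Optional[Node], keyword: str, want_block: bool):
    for key, val in (node or {}).items():
        if (val is not None) == want_block and (key == keyword or key.startswith(keyword + " ")):
            return val if want_block else key[len(keyword):].strip()
    return None

def block(node: Optional[Node], keyword: str) -> Optional[Node]:
    """First child block whose statement starts with keyword, e.g. block(n, 'protocols')."""
    return _match(node, keyword, True)

def leaf(node: Optional[Node], keyword: str) -> Optional[str]:
    """Argument of the first leaf starting with keyword: leaf(n, 'peer-as') -> '64656'."""
    return _match(node, keyword, False)

def bgp_groups(instance: Node) -> List[Tuple[str, Node]]:
    bgp = block(block(instance, "protocols"), "bgp") or {}
    return [(k, v) for k, v in bgp.items() if v is not None and k.startswith("group ")]

def check_pe_side(cfg: Node, name: str = "infra-cpe-mgmt") -> List[str]:
    """PE side: a VRF whose CPE neighbors all carry a prefix-limit with teardown."""
    ri = block(block(cfg, "routing-instances"), name)
    if ri is None:
        return [f"{name}: routing instance missing"]
    problems = [] if leaf(ri, "instance-type") == "vrf" else [f"{name}: instance-type is not vrf"]
    for gname, group in bgp_groups(ri):
        for nname, nb in group.items():
            if not nname.startswith("neighbor "):
                continue  # a bare 'neighbor x;' leaf (nb is None) has no limit either, so it is checked
            limit = block(block(block(nb, "family inet"), "unicast"), "prefix-limit")
            if limit is None or leaf(limit, "maximum") is None:
                problems.append(f"{gname} {nname}: no prefix-limit maximum")
            elif block(limit, "teardown") is None:
                problems.append(f"{gname} {nname}: prefix-limit has no teardown")
    return problems

def check_fw_side(cfg: Node, name: str = "SUNET-infra-cpe-mgmt", pe_as: str = "64656") -> List[str]:
    """Firewall side: a separate virtual-router that peers eBGP only with the SUNET PEs."""
    ri = block(block(cfg, "routing-instances"), name)
    if ri is None:
        return [f"{name}: routing instance missing"]
    problems = [] if leaf(ri, "instance-type") == "virtual-router" else [f"{name}: not a virtual-router"]
    for gname, group in bgp_groups(ri):
        if leaf(group, "type") != "external":
            problems.append(f"{gname}: not type external")
        if leaf(group, "peer-as") != pe_as:
            problems.append(f"{gname}: peer-as is not {pe_as}")
        if leaf(group, "export") is None:  # Junos BGP re-advertises only BGP-learned routes by default
            problems.append(f"{gname}: no export policy, management prefixes would not be announced")
        if block(group, "bfd-liveness-detection") is None:
            problems.append(f"{gname}: no BFD, failover depends on the BGP hold timer")
    return problems

# Constructed from the page's snippets (compressed; whitespace is irrelevant to the parser).
PE_OK = """routing-instances { infra-cpe-mgmt { instance-type vrf; interface xe-4/2/0.9;
  route-distinguisher 1653:883; vrf-target { import target:1653:898; export target:1653:899; }
  protocols { bgp { group vr-s1 { import primary-in; peer-as 64656; as-override;
    neighbor 86.105.113.133 { family inet { unicast { prefix-limit { maximum 10;
      teardown { 80; idle-timeout 5; } } } } } } } } } }"""
FW_OK = """routing-instances { SUNET-infra-cpe-mgmt { instance-type virtual-router;
  interface lo0.9; interface reth0.251; description SUNET-infra-cpe-mgmt;
  protocols { bgp { log-updown; group sunet-mgmt { type external; export SUNET-infra-cpe-mgmt;
    peer-as 64656; local-as 64657; multipath; bfd-liveness-detection { minimum-interval 1000; }
    neighbor 10.20.50.73 { description d01; } neighbor 10.20.50.74 { description d02; } } } } } }"""
# Hypothetical weakened variants: PE without a prefix-limit, firewall without export policy or BFD.
PE_WEAK = """routing-instances { infra-cpe-mgmt { instance-type vrf;
  protocols { bgp { group vr-s1 { peer-as 64656; neighbor 86.105.113.133; } } } } }"""
FW_WEAK = """routing-instances { SUNET-infra-cpe-mgmt { instance-type virtual-router;
  protocols { bgp { group sunet-mgmt { type external; peer-as 64656; local-as 64657;
    neighbor 10.20.50.73; } } } } }"""
```

Run against the two page snippets both checks return no findings; the weakened variants report the missing prefix-limit on the PE neighbour and the missing export policy and BFD on the firewall group. The parser is deliberately minimal: it collapses identical repeated statements into one key and raises on unbalanced braces, which is enough for a pre-commit check of management-VRF configuration but not a general Junos parser.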
Off-net FW installations
Off-net CNAAS firewalls are managed inbound through the customer VPN. In the customer VRF on the SUNET NNI, the routes used for management of the CNAAS firewall (the link address towards the firewall) are exported to the SUNET-MGMT-VRF, and the customer VRF on the NNI imports the routes used by the SUNET management servers.
...