...

Code Block (CNAAS FW):
routing-instances {
    SUNET-infra-cpe-mgmt {
        protocols {
            bgp {
                group sunet-mgmt {
                    type external;
                    export SUNET-infra-cpe-mgmt;
                    peer-as <cnaas_switch_peer_asn>;
                    local-as <SUNET-infra-cpe-mgmt_local_asn>;
                    multipath;
                    bfd-liveness-detection {
                        minimum-interval 1000;
                    }
                    neighbor <cnaas_switch_peer_ip> {
                        description <cnaas_switch_name>;
                    }
                    neighbor <cnaas_switch_peer_ip> {
                        description <cnaas_switch_name>;
                    }
                }
                log-updown;
            }
        }
        interface lo0.9;
        interface reth0.251;
        description SUNET-infra-cpe-mgmt;
        instance-type virtual-router;
    }
}

policy-statement SUNET-infra-cpe-mgmt {
    term 1 {
        from {
            protocol direct;
            route-filter <lo0.9_address>/32 exact;
        }
        then accept;
    }
    term default {
        then reject;
    }
}
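The security-relevant property of the configuration above is that the management virtual-router only advertises its own lo0.9 /32 to the CNAAS switches: term 1 of the export policy accepts exactly that direct route, and the default term rejects everything else (the reth0.251 subnet, covering aggregates, anything learned via BGP). The following is an added example, not code from the CNAAS/SUNET page: it parses the Junos brace syntax into nested dicts and walks the policy terms in order against constructed candidate routes. The <lo0.9_address> placeholder is filled with an assumed documentation address (192.0.2.9) purely for illustration, and only the `protocol` and `route-filter ... exact` match types the policy uses are modelled.

```python
"""Added example, not part of the CNAAS/SUNET page: parse a Junos-style
curly-brace configuration and evaluate the SUNET-infra-cpe-mgmt export
policy against sample routes, to show that only the lo0.9 /32 would be
advertised to the CNAAS switches and everything else is rejected."""
import ipaddress

# Constructed sample: the policy-statement from the page, with the
# <lo0.9_address> placeholder filled with an ASSUMED documentation
# address (192.0.2.9) for illustration.
SAMPLE_CONFIG = """
policy-statement SUNET-infra-cpe-mgmt {
    term 1 {
        from {
            protocol direct;
            route-filter 192.0.2.9/32 exact;
        }
        then accept;
    }
    term default {
        then reject;
    }
}
"""

# Constructed candidate routes as they might sit in the management
# virtual-router: the loopback, the reth0.251 subnet, a covering
# aggregate, and a BGP-learned copy of the loopback prefix.
SAMPLE_ROUTES = [
    {"prefix": "192.0.2.9/32", "protocol": "direct"},
    {"prefix": "10.251.0.0/24", "protocol": "direct"},
    {"prefix": "192.0.2.0/24", "protocol": "direct"},
    {"prefix": "192.0.2.9/32", "protocol": "bgp"},
]


def parse_junos(text):
    """Parse brace-structured Junos text into nested dicts.

    'name {' opens a child dict under key 'name'; 'stmt;' becomes a
    leaf key with value None. Insertion order is kept, which matters
    because policy terms are evaluated in configuration order.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"unparsed line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def term_matches(term, route):
    """Return True if every 'from' condition of a term matches the route.

    Only 'protocol' and a single 'route-filter ... exact' are modelled,
    which is all this policy uses; other match types raise so they are
    not silently ignored. A term with no 'from' block matches everything.
    """
    for cond in term.get("from") or {}:
        parts = cond.split()
        if parts[0] == "protocol":
            if route["protocol"] != parts[1]:
                return False
        elif parts[0] == "route-filter" and parts[2] == "exact":
            if ipaddress.ip_network(route["prefix"], strict=False) != \
               ipaddress.ip_network(parts[1], strict=False):
                return False
        else:
            raise NotImplementedError(f"unsupported match: {cond}")
    return True


def evaluate_policy(config, policy_name, route):
    """Walk the policy's terms in order; return 'accept' or 'reject'."""
    policy = config[f"policy-statement {policy_name}"]
    for key, term in policy.items():
        if key.startswith("term ") and term_matches(term, route):
            for stmt in term:
                if stmt in ("then accept", "then reject"):
                    return stmt.split()[1]
    # No terminating action reached: this model assumes the default
    # export action is reject.
    return "reject"


def exported_routes(config, policy_name, routes):
    """Prefixes the policy would export, in the order they were offered."""
    return [r["prefix"] for r in routes
            if evaluate_policy(config, policy_name, r) == "accept"]


if __name__ == "__main__":
    cfg = parse_junos(SAMPLE_CONFIG)
    for r in SAMPLE_ROUTES:
        print(f"{r['protocol']:6} {r['prefix']:16} -> "
              f"{evaluate_policy(cfg, 'SUNET-infra-cpe-mgmt', r)}")
    print("exported:", exported_routes(cfg, "SUNET-infra-cpe-mgmt", SAMPLE_ROUTES))
```

Running it lists one accepted prefix, 192.0.2.9/32, and rejects the other three; the same evaluator can be pointed at a rendered production policy to confirm before a change that nothing beyond the loopback would leak out of the management instance.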

Off-net FW installations (e.g. using Tele2 Network)

Off-net CNAAS FW is managed inbound in the customer IP-VPN (in the same way off-net CPEs are managed). On the SUNET NNI VRF (the IP-VPN NNI connection to the off-net network), the routes used for management of the CNAAS Firewall (the link address to the CNAAS Firewall) are exported to the SUNET-MGMT-VRF. The customer VRF on the NNI imports the routes used by SUNET management servers. The link address between the off-net CPE and the CNAAS Firewall is used for management connectivity (the hostname of the CNAAS Firewall is set to the link address).

...