
An IP VPN is used to establish connectivity to the CNAAS firewall from the SUNET management servers. For information about SUNET management VPNs, see Management and transport VPNs.

On-net FW installations

CNAAS on-net firewalls are managed outbound over a dedicated connection. A hub-and-spoke IP-VPN VRF, "infra-cpe-mgmt", is used for this purpose on the SUNET PE router. The firewall does not need to allow any connections from the Internet on its Internet-facing interface. The same VPN/VRF is shared by the different customer FW/CPE attachments on the same PE. On the CNAAS firewall, the interface connected to the SUNET PE is separated from the other interfaces using a local VRF, "SUNET-infra-cpe-mgmt". The CNAAS firewall should use security policies that allow traffic only for the SUNET management servers announced from the PE. See Management and transport VPNs, section "VRF Infra-cpe-mgmt (SPOKE)".

The IP VPN connection to the PE is established using VLAN-ID 9, and eBGP is used between the PE and the CNAAS distribution switch. A policy on the CNAAS firewall restricts the BGP announcements to only the loopback attached to the "SUNET-infra-cpe-mgmt" VRF.

Link and loopback addresses are assigned from the following ranges:

Links (PE - CNAAS / CNAAS FW):
86.105.113.128/26 (https://ipam.sunet.se/prefix/list#/query_string=86.105.113.128/26&search_opt_parent=undefined&search_opt_child=undefined&explicit=true)

Loopbacks (CNAAS FW):
86.105.113.192/26 (https://ipam.sunet.se/prefix/list#/query_string=86.105.113.192/26&search_opt_parent=undefined&search_opt_child=undefined&explicit=true)



Example configuration SUNET PE. If the VRF is already present on the PE, new connections are added to the same VRF.

routing-instances {
    infra-cpe-mgmt {
        routing-options {
            auto-export;
        }
        protocols {
            bgp {
                group vr-s1<cnaas_fw_node_name> {
                    import primary-in;
                    peer-as 64656<cnaas_switch_peer_asn>;
                    as-override;
                    neighbor 86.105.113.133<cnaas_switch_peer_ip> {
                        family inet {
                            unicast {
                                prefix-limit {
                                    maximum 10;
                                    teardown {
                                        80;
                                        idle-timeout 5;
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
        instance-type vrf;
        interface xe-4/2/0<name>.9;
        route-distinguisher 1653:883;
        vrf-target {
            import target:1653:898;
            export target:1653:899;
        }
    }
}

interfaces {
    <name> {
        description "<description>";
        flexible-vlan-tagging;
        mtu 9192;
        encapsulation flexible-ethernet-services;
        unit 9 {
            description "infra-cpe-mgmt for <fw-node-name>";
            vlan-id 9;
            family inet {
                mtu 1500;
                address <link_address>;
            }
        }
    }
}


Example configuration of the CNAAS FW routing-instance "SUNET-infra-cpe-mgmt". On the firewall the interface connected to the SUNET PE is separated from the other interfaces using a local VRF.

routing-instances {
    SUNET-infra-cpe-mgmt {
        protocols {
            bgp {
                group sunet-mgmt {
                    type external;
                    export SUNET-infra-cpe-mgmt;
                    peer-as 64656<cnaas_switch_peer_asn>;
                    local-as 64657<SUNET-infra-cpe-mgmt_local_asn>;
                    multipath;
                    bfd-liveness-detection {
                        minimum-interval 1000;
                    }
                    neighbor 10.20.50.73<cnaas_switch_peer_ip> {
                        description d01<cnaas_switch_name>;
                    }
                    neighbor 10.20.50.74<cnaas_switch_peer_ip> {
                        description d02<cnaas_switch_name>;
                    }
                }
                log-updown;
            }
        }
        interface lo0.9;
        interface reth0.251;
        description SUNET-infra-cpe-mgmt;
        instance-type virtual-router;
    }
}

policy-options {
    /* Export only the management loopback /32 towards the PE; every other route is rejected */
    policy-statement SUNET-infra-cpe-mgmt {
        term 1 {
            from {
                protocol direct;
                route-filter <lo0.9_address>/32 exact;
            }
            then accept;
        }
        term default {
            then reject;
        }
    }
}
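The two guardrails in this section, the firewall's export policy that announces only the management loopback /32 and the PE's prefix-limit on what it accepts from the firewall, are easy to get wrong during a change (a catch-all accept in the default term, a missing prefix-limit on a new neighbor). The following is an added example, not part of the SUNET documentation or configuration: a small Python checker that parses the Junos brace syntax shown above into a tree and verifies both properties. The configuration excerpts, the loopback address 86.105.113.200/32 and the "leaky" variant are constructed for the example; the page's `<placeholder>` annotations are assumed to have been substituted with real values before a config is fed to the checker.

```python
"""Hypothetical checker (not SUNET's own tooling) for the two BGP guardrails described
above: the FW export policy may announce only the management loopback /32, and the PE
caps what it accepts with a prefix-limit. The page's <placeholder> annotations must be
substituted with real values before parsing; quoted strings with spaces are not handled."""

# Constructed FW excerpt in the shape of the page's policy; the loopback address is made up.
FW_OK = """
routing-instances {
    SUNET-infra-cpe-mgmt {
        protocols { bgp { group sunet-mgmt { type external; export SUNET-infra-cpe-mgmt; } } }
        instance-type virtual-router;
    }
}
policy-options {
    policy-statement SUNET-infra-cpe-mgmt {
        term 1 {
            from { protocol direct; route-filter 86.105.113.200/32 exact; }
            then accept;
        }
        term default { then reject; }
    }
}
"""
# Constructed misconfiguration: a catch-all accept would announce every route in the VRF to the PE.
FW_LEAKY = FW_OK.replace("then reject;", "then accept;")

# Constructed PE excerpt in the shape of the page's neighbor stanza.
PE_OK = """
routing-instances {
    infra-cpe-mgmt {
        protocols { bgp { group vr-s1 { peer-as 64656;
            neighbor 86.105.113.133 { family inet { unicast { prefix-limit { maximum 10; } } } }
        } } }
        instance-type vrf;
    }
}
"""

def parse_junos(text):
    """Parse Junos brace syntax into nested dicts: 'stmt;' -> {'stmt': None} and
    'hdr { ... }' -> {'hdr': {...}}. Dict insertion order preserves term order."""
    root, stack, words = {}, [], []
    node = root
    for tok in text.replace("{", " { ").replace("}", " } ").replace(";", " ; ").split():
        if tok == "{":
            child = {}
            node[" ".join(words)] = child
            stack.append(node)
            node, words = child, []
        elif tok == ";":
            node[" ".join(words)] = None
            words = []
        elif tok == "}":
            node = stack.pop()
        else:
            words.append(tok)
    if stack or words:
        raise ValueError("malformed config: unbalanced braces or trailing tokens")
    return root

def stmt(node, prefix):
    """First statement in `node` equal to `prefix` or starting with `prefix `, else None."""
    return next((k for k in node if k == prefix or k.startswith(prefix + " ")), None)

def action(term, name):
    """True if the term's action is `name`, written either 'then name;' or 'then { name; }'."""
    return stmt(term, "then " + name) is not None or stmt(term.get("then") or {}, name) is not None

def export_only_loopback(cfg, instance, loopback):
    """True if every BGP group in `instance` exports a policy whose accept terms match
    only `loopback` with 'exact' and which ends in an unconditional reject."""
    bgp = cfg["routing-instances"][instance]["protocols"]["bgp"]
    for group in (k for k in bgp if k.startswith("group ")):
        export = stmt(bgp[group], "export")
        if export is None:
            return False  # no export policy: not the restricted shape the page requires
        policy = cfg.get("policy-options", {}).get("policy-statement " + export.split()[1])
        if policy is None:
            return False  # referenced policy does not exist
        terms = [policy[k] for k in policy if k.startswith("term ")]
        if not terms or "from" in terms[-1] or not action(terms[-1], "reject"):
            return False  # last term must be a catch-all reject
        for term in terms[:-1]:
            if not action(term, "accept"):
                continue  # a rejecting term cannot leak routes
            route_filter = stmt(term.get("from") or {}, "route-filter")
            if route_filter is None or route_filter.split()[1:] != [loopback, "exact"]:
                return False  # accept term is broader than the management /32
    return True

def neighbor_prefix_limit(cfg, instance, neighbor):
    """Prefix-limit maximum the PE accepts from `neighbor` in `instance`, or None if unset."""
    bgp = cfg["routing-instances"][instance]["protocols"]["bgp"]
    for group in (k for k in bgp if k.startswith("group ")):
        nb = bgp[group].get("neighbor " + neighbor)
        if nb is None:
            continue
        limit = nb.get("family inet", {}).get("unicast", {}).get("prefix-limit")
        maximum = stmt(limit, "maximum") if limit else None
        return int(maximum.split()[1]) if maximum else None
    return None
```

Running `export_only_loopback(parse_junos(FW_OK), "SUNET-infra-cpe-mgmt", "86.105.113.200/32")` returns True, while the same call on FW_LEAKY returns False because its final term accepts instead of rejecting; `neighbor_prefix_limit(parse_junos(PE_OK), "infra-cpe-mgmt", "86.105.113.133")` returns 10. The checks deliberately fail closed: a missing export policy, a missing policy-options definition, an accept term without a route-filter, or a final term that is not an unconditional reject are all reported as non-compliant rather than assumed safe.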

Off-net FW installations (e.g. using Tele2 Network)


Off-net CNAAS firewalls are managed inbound through the customer IP-VPN, in the same way that off-net CPEs are managed. On the SUNET IP-VPN NNI connection (the NNI to the off-net network), the routes used for management of the CNAAS firewall (the link address to the CNAAS firewall) are exported to the SUNET-MGMT-VRF, and the customer VRF on the NNI imports the routes used by the SUNET management servers. The link address between the off-net CPE and the CNAAS firewall is used for management connectivity (the hostname of the CNAAS firewall is set to the link address).

The address range 86.105.113.64/26 is used to assign /30 link networks for the off-net Firewall.

https://ipam.sunet.se/prefix/list#/query_string=86.105.113.64/26&search_opt_parent=undefined&search_opt_child=undefined&explicit=true


For information on how to configure IP-VPN and IP-VPN inbound management, see: Juniper PE kund IP-VPN and Juniper PE - Tele2 VPN-NNI IP-VPN

For general information about off-net IP-VPN see Tele2 VPN-NNI & off-net provided IP-VPN