...

IP VPN is used to establish connectivity to the CNAAS firewall from the SUNET management servers. For information about the SUNET management VPNs, see Management VPN and transport VPNs.

On-net FW installations

CNAAS on-net firewalls are managed "outbound", i.e. over a dedicated management connection rather than through the customer's own VPN. A hub-and-spoke IP-VPN VRF (infra-cpe-mgmt) on the SUNET PE router is used for this purpose; the same VPN/VRF is shared by the different customer firewall and CPE attachments on that PE. On the CNAAS firewall, the interface connected to the SUNET PE is separated from all other interfaces by a local VRF, "SUNET-infra-cpe-mgmt". The CNAAS firewall should use security policies that allow traffic only from the required SUNET management servers, i.e. the prefixes the PE announces into this VRF. See the section "VRF Infra-cpe-mgmt (SPOKE)" in Management VPN and transport VPNs.

...

CNAAS FW:

routing-instances {
    /* Local VRF that isolates the PE-facing management link from all other interfaces. */
    SUNET-infra-cpe-mgmt {
        instance-type virtual-router;
        description SUNET-infra-cpe-mgmt;
        interface lo0.9;
        interface reth0.251;
        protocols {
            bgp {
                group sunet-mgmt {
                    type external;
                    /* Only the lo0.9 loopback /32 is announced to the PE, see the policy below. */
                    export SUNET-infra-cpe-mgmt;
                    peer-as <cnaas_switch_peer_asn>;
                    local-as <SUNET-infra-cpe-mgmt_local_asn>;
                    multipath;
                    bfd-liveness-detection {
                        minimum-interval 1000;
                    }
                    /* One neighbor stanza per PE peer address. */
                    neighbor <cnaas_switch_peer_ip> {
                        description <cnaas_switch_name>;
                    }
                    neighbor <cnaas_switch_peer_ip> {
                        description <cnaas_switch_name>;
                    }
                }
                log-updown;
            }
        }
    }
}

policy-options {
    /* Export policy: announce the management loopback only, reject everything else. */
    policy-statement SUNET-infra-cpe-mgmt {
        term 1 {
            from {
                protocol direct;
                route-filter <lo0.9_address>/32 exact;
            }
            then accept;
        }
        term default {
            then reject;
        }
    }
}
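The routing instance above gets the management loopback to the PE, but it does not by itself restrict who may talk to the firewall over that link. The following is an added example (not configuration from the SUNET CNAAS pages) of how the "allow traffic only from the required SUNET management servers" requirement can be enforced on the firewall: a zone for reth0.251 that only permits the services the management path needs, and an input filter on lo0.9 that limits host-bound traffic in the SUNET-infra-cpe-mgmt instance to SSH/HTTPS from the management server prefixes and BGP/BFD from the PE. The prefix-list, filter and zone names, the <sunet_mgmt_server_prefix_*> placeholders and the choice of SSH and HTTPS as management services are assumptions.

```junos
/* Added example (not from the SUNET CNAAS documentation). All <angle-bracket>
   values and the prefix-list/filter/zone names are assumptions. */
policy-options {
    /* Management server prefixes, i.e. what the PE announces into the VRF. */
    prefix-list SUNET-mgmt-servers {
        <sunet_mgmt_server_prefix_1>;
        <sunet_mgmt_server_prefix_2>;
    }
    /* PE-side address of the reth0.251 link, the eBGP/BFD peer. */
    prefix-list SUNET-mgmt-pe {
        <cnaas_switch_peer_ip>/32;
    }
}
firewall {
    family inet {
        filter SUNET-infra-cpe-mgmt-protect {
            /* eBGP session with the PE (TCP/179 as source or destination port). */
            term bgp-from-pe {
                from {
                    source-prefix-list {
                        SUNET-mgmt-pe;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* Single-hop BFD (UDP/3784) from the PE, matching bfd-liveness-detection. */
            term bfd-from-pe {
                from {
                    source-prefix-list {
                        SUNET-mgmt-pe;
                    }
                    protocol udp;
                    destination-port 3784;
                }
                then accept;
            }
            /* Management sessions only from the announced SUNET management servers. */
            term mgmt-from-sunet {
                from {
                    source-prefix-list {
                        SUNET-mgmt-servers;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            term icmp-from-sunet {
                from {
                    source-prefix-list {
                        SUNET-mgmt-servers;
                        SUNET-mgmt-pe;
                    }
                    protocol icmp;
                }
                then accept;
            }
            /* Everything else destined to the firewall in this instance is counted, logged, dropped. */
            term default {
                then {
                    count mgmt-protect-drops;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 9 {
            family inet {
                filter {
                    input SUNET-infra-cpe-mgmt-protect;
                }
                address <lo0.9_address>/32;
            }
        }
    }
}
security {
    zones {
        /* The PE-facing interface gets its own zone; only the services the
           management path needs may reach the firewall itself. */
        security-zone SUNET-infra-cpe-mgmt {
            interfaces {
                reth0.251 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            https;
                            ping;
                        }
                        protocols {
                            bgp;
                            bfd;
                        }
                    }
                }
            }
        }
    }
}
```

The lo0.9 filter is what actually enforces the source restriction; the zone's host-inbound-traffic list only controls which services the SRX will accept at all on that interface. Because the filter sits on the loopback unit that belongs to the virtual-router, it covers host-bound traffic in that instance regardless of which of its interface addresses was targeted. If a management server prefix the PE announces is not in SUNET-mgmt-servers, management from it fails closed, which is the intended behaviour.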

Off-net FW installations (e.g. using Tele2 Network)


An off-net CNAAS firewall is managed inbound through the customer IP-VPN, in the same way off-net CPEs are managed. On the SUNET IP-VPN NNI (the NNI towards the off-net network), the route used for management of the CNAAS firewall (the link address of the CNAAS firewall towards the off-net CPE) is exported to SUNET-MGMT-VRF, and the customer VRF on the NNI imports the routes used by the SUNET management servers. The link address between the off-net CPE and the CNAAS firewall is thus the management address; the hostname of the CNAAS firewall resolves to this link address.
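The route exchange described above can be expressed on the SUNET PE that terminates the NNI with a pair of vrf-export/vrf-import policies on the customer VRF. The following is an added example (not configuration from the SUNET CNAAS pages): the CPE-to-firewall link prefix learned over the NNI is additionally tagged with the route target of SUNET-MGMT-VRF on export, and on import the customer VRF accepts from that VRF only the management server prefixes. The community names, route-target and route-distinguisher values, the customer VRF name and every other <angle-bracket> value are assumptions; only the SUNET-MGMT-VRF name comes from the text.

```junos
/* Added example (not from the SUNET CNAAS documentation) of the NNI-side route
   leaking for off-net firewall management. Route targets, VRF name and all
   <angle-bracket> values are assumptions. */
policy-options {
    community CUSTOMER-RT members target:<sunet_asn>:<customer_rt>;
    community SUNET-MGMT-RT members target:<sunet_asn>:<sunet_mgmt_rt>;

    /* Advertised into MP-BGP from the customer VRF. Only the CPE<->firewall link
       prefix, learned over the NNI, also carries the SUNET-MGMT-VRF target. */
    policy-statement <customer_vrf>-export {
        term cnaas-fw-mgmt-link {
            from {
                protocol bgp;
                route-filter <cpe_fw_link_prefix> exact;
            }
            then {
                community add CUSTOMER-RT;
                community add SUNET-MGMT-RT;
                accept;
            }
        }
        term customer-routes {
            then {
                community add CUSTOMER-RT;
                accept;
            }
        }
    }

    /* Accepted into the customer VRF: its own routes plus the management server
       prefixes exported by SUNET-MGMT-VRF, and nothing else from that VRF. */
    policy-statement <customer_vrf>-import {
        term sunet-mgmt-servers {
            from {
                community SUNET-MGMT-RT;
                route-filter <sunet_mgmt_server_prefix> orlonger;
            }
            then accept;
        }
        term customer-routes {
            from community CUSTOMER-RT;
            then accept;
        }
        term default {
            then reject;
        }
    }
}
routing-instances {
    <customer_vrf> {
        instance-type vrf;
        interface <nni_interface>;
        route-distinguisher <sunet_asn>:<customer_rd>;
        vrf-import <customer_vrf>-import;
        vrf-export <customer_vrf>-export;
        vrf-table-label;
        protocols {
            bgp {
                /* eBGP to the off-net provider over the NNI; this is where the
                   CPE<->firewall link prefix is learned. */
                group nni {
                    type external;
                    peer-as <offnet_provider_asn>;
                    neighbor <nni_peer_ip>;
                }
            }
        }
    }
}
```

The import policy deliberately matches both the community and the prefix: matching on SUNET-MGMT-RT alone would pull every route SUNET-MGMT-VRF exports into the customer VRF, which is more than the management servers need. Likewise the export policy tags only the exact link prefix, so the rest of the customer's address space never appears in SUNET-MGMT-VRF. The firewall-side restriction to the management servers (the security policy requirement from the on-net section) still applies on the off-net firewall, since the NNI provider's network sits between the two.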

...