IP VPN is used to establish connectivity to the CNAAS Firewall from SUNET management servers. For information about SUNET management VPN's see Management VPN
On-net FW installations
CNAAS on-net firewalls are managed outbound (a dedicated connection). A hub-spoke IP-VPN VRF (infra-cpe-mgmt) is used for this purpose on the SUNET PE router. The same VPN/ VRF is used for different customer FW / CPE attachments. On the CNAAS firewall the interface connected to the SUNET PE is separated from other interfaces using a local VRF "SUNET-infra-cpe-mgmt". The CNAAS firewall should use security policys allowing traffic only for the required announce(from PE) SUNET management servers. See Management VPN section "VRF Infra-cpe-mgmt (SPOKE)".
The IP VPN connection to the PE is established using VLAN-ID 9 and eBGP is used between the PE and the CNAAS distribution switch. A policy is used on the CNAAS Firewall to restrict BGP announcements to only include the loopback attached to the "SUNET-infra-cpe-mgmt" VRF.
The loopback address for the Link and loopback addresses are assigned from the following ranges:
links PE - CNAAS / CNAAS FW)
loopbacks (CNAAS FW)
Example configuration SUNET PE:
Example configuration CNAAS FW routing-instance "SUNET-infra-cpe-mgmt"
Off-net FW installations
Off-net CNAAS FW is managed inbound in the customer IP-VPN (in the same way an off-net CPE's are managed). On the SUNET NNI VRF routes used for management of the CNAAS Firewall (the link address to the CNAAS Firewall) is exported to the SUNET-MGMT-VRF. The customer VRF on the NNI imports routes used by SUNET management servers. The link address between the off-net CPE and the CNAAS Firewall is used for management connectivity (hostname of the CNAAS Firewall is set to the link address).
The address range 22.214.171.124/26 is used to assign /30 link networks for the off-net Firewall.