IP VPN is used to establish connectivity to the CNAAS FW from SUNET management servers.  

On-net FW installations

CNAAS on-net firewalls are managed outbound over a dedicated connection. The firewall does not need to allow any inbound connections from the Internet on its Internet-facing interface. A dedicated hub-and-spoke IP-VPN VRF (infra-cpe-mgmt) on the SUNET PE router is used for this purpose.

SUNET PE:
routing-instances {
    infra-cpe-mgmt {
        routing-options {
            auto-export;
        }
        protocols {
            bgp {
                group <cnaas_fw_node_name> {
                    import primary-in;
                    peer-as <cnaas_switch_peer_asn>;
                    as-override;
                    neighbor <cnaas_switch_peer_ip> {
                        family inet {
                            unicast {
                                prefix-limit {
                                    maximum 10;
                                    teardown {
                                        80;
                                        idle-timeout 5;
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
        instance-type vrf;
        interface <name>.9;
        route-distinguisher 1653:883;
        vrf-target {
            import target:1653:898;
            export target:1653:899;
        }
    }
}


On the firewall, the interface connected to the SUNET PE is separated from all other interfaces by placing it in a local routing instance (a virtual-router instance). The export policy below ensures that only the lo0.9 loopback address is announced to the PE.

CNAAS FW:
routing-instances {
    SUNET-infra-cpe-mgmt {
        protocols {
            bgp {
                group sunet-mgmt {
                    type external;
                    export SUNET-infra-cpe-mgmt;
                    peer-as <cnaas_switch_peer_asn>;
                    local-as <SUNET-infra-cpe-mgmt_local_asn>;
                    multipath;
                    bfd-liveness-detection {
                        minimum-interval 1000;
                    }
                    neighbor <cnaas_switch_peer_ip> {
                        description <cnaas_switch_name>;
                    }
                    neighbor <cnaas_switch_peer_ip> {
                        description <cnaas_switch_name>;
                    }
                }
                log-updown;
            }
        }
        interface lo0.9;
        interface reth0.251;
        description SUNET-infra-cpe-mgmt;
        instance-type virtual-router;
    }
}

policy-options {
    policy-statement SUNET-infra-cpe-mgmt {
        term 1 {
            from {
                protocol direct;
                route-filter <lo0.9_address>/32 exact;
            }
            then accept;
        }
        term default {
            then reject;
        }
    }
}
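Added example (not part of the original page or any SUNET tooling): a small Python audit that parses a Junos-style fragment and verifies that the firewall's export policy accepts only exact /32 direct routes and falls through to reject, so the firewall cannot leak anything beyond its loopback into the management VRF. The policy text, the 192.0.2.1 address and the helper names are constructed for this example.

```python
"""Audit the firewall-side export policy used towards the SUNET PE: only
exact /32 direct routes may be accepted and the final term must reject."""

# Constructed sample modelled on the policy-statement in this document.
FW_POLICY = """
policy-options {
    policy-statement SUNET-infra-cpe-mgmt {
        term 1 {
            from {
                protocol direct;
                route-filter 192.0.2.1/32 exact;
            }
            then accept;
        }
        term default {
            then reject;
        }
    }
}
"""

def parse_junos(text):
    """Parse curly-brace Junos config into nested dicts; leaf statements map to None."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        node = stack[-1] if stack else root
        if line.endswith("{"):
            stack.append(node.setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        else:
            node[line.rstrip(";")] = None
    return root

def export_policy_is_restrictive(text, name):
    """True if every accepting term matches only exact /32 direct routes
    and the last term rejects; False on any broader match or missing reject."""
    terms = parse_junos(text)["policy-options"][f"policy-statement {name}"]
    *accepting, last = list(terms.values())
    if "then reject" not in last:
        return False
    for term in accepting:
        src = term.get("from", {})
        filters = [s for s in src if s.startswith("route-filter")]
        if "then accept" not in term or "protocol direct" not in src:
            return False
        if not filters or not all(f.endswith("/32 exact") for f in filters):
            return False
    return True
```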

Off-net FW installations

Off-net CNAAS firewalls are managed inbound through the customer VPN. On the SUNET NNI VRF, the routes used for management of the CNAAS firewall (the link address towards the CNAAS firewall) are exported to the SUNET-MGMT-VRF. The customer VRF on the NNI imports the routes used by the SUNET management servers.