...
IP VPN is used to establish connectivity to the CNAAS Firewall from the SUNET management servers. For information about the SUNET management VPNs, see Management VPN.
On-net FW installations
CNAAS on-net firewalls are managed outbound over a dedicated connection. A hub-and-spoke IP-VPN VRF (infra-cpe-mgmt) on the SUNET PE router is used for this purpose. The same VPN/VRF is shared by the different customer FW/CPE attachments on the same PE. On the CNAAS firewall, the interface connected to the SUNET PE is separated from the other interfaces by a local VRF "SUNET-infra-cpe-mgmt". The CNAAS firewall should use security policies that allow traffic only from the required SUNET management servers (the prefixes announced from the PE). See the Management VPN section "VRF Infra-cpe-mgmt (SPOKE)".
...
CNAAS FW:

```junos
routing-instances {
    SUNET-infra-cpe-mgmt {
        protocols {
            bgp {
                group sunet-mgmt {
                    type external;
                    export SUNET-infra-cpe-mgmt;
                    peer-as <cnaas_switch_peer_asn>;
                    local-as <SUNET-infra-cpe-mgmt_local_asn>;
                    multipath;
                    bfd-liveness-detection {
                        minimum-interval 1000;
                    }
                    neighbor <cnaas_switch_peer_ip> {
                        description <cnaas_switch_name>;
                    }
                    neighbor <cnaas_switch_peer_ip> {
                        description <cnaas_switch_name>;
                    }
                }
                log-updown;
            }
        }
        interface lo0.9;
        interface reth0.251;
        description SUNET-infra-cpe-mgmt;
        instance-type virtual-router;
    }
}
policy-statement SUNET-infra-cpe-mgmt {
    term 1 {
        from {
            protocol direct;
            route-filter <lo0.9_address>/32 exact;
        }
        then accept;
    }
    term default {
        then reject;
    }
}
```
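The routing-instance above only announces the lo0.9 address; the requirement that the firewall accept management traffic solely from the SUNET management servers announced by the PE is not shown on the page. The following is an added example of how that can be expressed as SRX security policies towards the built-in junos-host zone. It is not SUNET's own configuration: the zone and interface names are taken from the VRF above, while the address-book entries, the policy and application names, and every placeholder in angle brackets are assumptions.

```junos
/* Added example, not SUNET configuration. Placeholders in <angle brackets> are assumptions. */
applications {
    /* BFD has no predefined Junos application, so the control-session port is defined here */
    application bfd-control {
        protocol udp;
        destination-port 3784;
    }
}
security {
    address-book {
        global {
            /* management servers: only the prefixes the PE announces into SUNET-infra-cpe-mgmt */
            address sunet-mgmt-server-1 <sunet_mgmt_server_1_prefix>;
            address sunet-mgmt-server-2 <sunet_mgmt_server_2_prefix>;
            address-set sunet-mgmt-servers {
                address sunet-mgmt-server-1;
                address sunet-mgmt-server-2;
            }
            address cnaas-bgp-peer <cnaas_switch_peer_ip>/32;
            address fw-mgmt-loopback <lo0.9_address>/32;
        }
    }
    zones {
        security-zone SUNET-infra-cpe-mgmt {
            /* services the device itself may accept in this zone; source restriction is done below */
            host-inbound-traffic {
                system-services {
                    ssh;
                    ping;
                }
                protocols {
                    bgp;
                    bfd;
                }
            }
            interfaces {
                reth0.251;
                lo0.9;
            }
        }
    }
    policies {
        /* junos-host is the built-in zone for traffic terminating on the firewall itself */
        from-zone SUNET-infra-cpe-mgmt to-zone junos-host {
            policy allow-bgp-bfd-from-peer {
                match {
                    source-address cnaas-bgp-peer;
                    destination-address any;
                    application [ junos-bgp bfd-control ];
                }
                then {
                    permit;
                }
            }
            policy allow-sunet-mgmt {
                match {
                    source-address sunet-mgmt-servers;
                    destination-address fw-mgmt-loopback;
                    application [ junos-ssh junos-ping ];
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            /* explicit final deny with logging, so rejected management attempts are visible */
            policy deny-other-to-host {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
}
```

The host-inbound-traffic stanza only decides which services the device will answer at all; the source restriction lives in the junos-host policies, and the explicit deny at the end makes every other host-bound attempt show up in the security log. After committing, `show security policies from-zone SUNET-infra-cpe-mgmt to-zone junos-host` and `show security policies hit-count` are the quick checks that the management rule, and not the deny, is what the management servers are hitting.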
Off-net FW installations (e.g. using Tele2 Network)
An off-net CNAAS FW is managed inbound through the customer IP-VPN, in the same way off-net CPEs are managed. On the SUNET IP-VPN NNI (the NNI to the off-net network), the routes used for management of the CNAAS Firewall (the link address towards the CNAAS Firewall) are exported to the SUNET-MGMT-VRF, and the customer VRF on the NNI imports the routes used by the SUNET management servers. The link address between the off-net CPE and the CNAAS Firewall is used for management connectivity (the hostname of the CNAAS Firewall is set to the link address).
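The export/import between the customer VRF and SUNET-MGMT-VRF described above is route-target based, but the page gives no configuration for it. The following is an added example of the PE-side policies for one customer VRF on the NNI, written for a Junos PE; it is not SUNET's own configuration. The VRF name SUNET-MGMT-VRF comes from the text; the community, prefix-list and policy names and all placeholders in angle brackets are assumptions.

```junos
/* Added example, not SUNET configuration. Placeholders in <angle brackets> are assumptions. */
policy-options {
    community CUST-RT members target:<sunet_asn>:<cust_rt>;
    community SUNET-MGMT-RT members target:<sunet_asn>:<mgmt_rt>;
    /* the point-to-point link between the off-net CPE and the CNAAS firewall */
    prefix-list cnaas-fw-mgmt-links {
        <offnet_cpe_to_fw_link_prefix>;
    }
    /* the SUNET management-server prefixes that may be leaked into the customer VRF */
    prefix-list sunet-mgmt-servers {
        <sunet_mgmt_server_prefix>;
    }
    policy-statement CUST-vrf-export {
        /* the firewall management link carries both RTs, so SUNET-MGMT-VRF imports only that */
        term fw-mgmt-link {
            from {
                prefix-list cnaas-fw-mgmt-links;
            }
            then {
                community add CUST-RT;
                community add SUNET-MGMT-RT;
                accept;
            }
        }
        term customer-routes {
            then {
                community add CUST-RT;
                accept;
            }
        }
    }
    policy-statement CUST-vrf-import {
        term own {
            from community CUST-RT;
            then accept;
        }
        /* from SUNET-MGMT-VRF only the management-server prefixes, never the whole VRF */
        term mgmt-servers {
            from {
                community SUNET-MGMT-RT;
                prefix-list sunet-mgmt-servers;
            }
            then accept;
        }
        term default {
            then reject;
        }
    }
}
routing-instances {
    <customer_vrf> {
        instance-type vrf;
        interface <nni_interface>;
        route-distinguisher <sunet_asn>:<cust_rd>;
        vrf-import CUST-vrf-import;
        vrf-export CUST-vrf-export;
        vrf-table-label;
        routing-options {
            /* needed only when SUNET-MGMT-VRF sits on the same PE, so the leak happens locally */
            auto-export;
        }
    }
}
```

The two prefix-lists are the security-relevant part: the export term tags only the CPE-to-firewall link with SUNET-MGMT-RT, and the import term accepts SUNET-MGMT-RT routes only for the management-server prefixes, so neither side sees the other VRF's remaining routes. `show route table <customer_vrf>.inet.0 community-name SUNET-MGMT-RT` is the check that nothing beyond those prefixes has been leaked.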
...