Multi-interface configuration
Introduction
For greater security, you can configure multiple network interfaces to segregate the different types of NSP traffic.
When the NSP uses only one network for all communication, the NSP client traffic shares the same network as the NE mediation traffic and the internal communication between NSP components. Such a configuration may pose a considerable security risk.
You can segregate the NSP client, mediation, and internal traffic by configuring the NSP to use interfaces in separate networks for each traffic type.
Traffic isolation
The multi-interface implementation isolates different traffic types to one or more of the following networks:
-
client—UI, browser, RESTCONF, Kafka and other northbound client traffic
-
internal—for communication such as the following:
Using separate networks enables you to apply additional security policies. For example, the NSP PostgreSQL service is an internal service only, and the only legitimate clients are NSP components, and not northbound browser or API clients. To help secure the PostgreSQL service from unintended access, you can apply a firewall rule to block the PostgreSQL port on the client interface.
System conversion to multi-interface
You can convert an existing NSP system from a single-interface deployment to a multi-interface deployment, as described in Workflow for NSP system conversion to multi-interface.
NSP cluster multi-interface configuration
You specify the NSP cluster interface addresses for your deployment in the platform—ingressApplications section of the NSP configuration file. The configuration steps are described in each NSP deployment procedure, and the parameters are shown below for network planning purposes.
Note: The client_IP value is mandatory; the address is used for interfaces that remain unconfigured, such as in a single-interface deployment.
Note: If the client network uses IPv6, you must specify the NSP cluster hostname as the client_IP value.
Note: The trapForwarder addresses that you specify must differ from the client_IP value, even in a single-interface deployment.
ingressApplications:
ingressController:
clientAddresses:
virtualIp: "client_IP"
advertised: "client_public_address"
internalAddresses:
virtualIp: "internal_IP"
advertised: "internal_public_address"
trapForwarder:
mediationAddresses:
virtualIpV4: "trapV4_mediation_IP"
advertisedV4: "trapV4_mediation_public_address"
virtualIpV6: "trapV6_mediation_IP"
advertisedV6: "trapV6_mediation_public_address"
where
client_IP is the address for external client access
internal_IP is the address for internal communication
trapV4_mediation_IP is the address for IPv4 network mediation
trapV6_mediation_IP is the address for IPv6 network mediation
each public_address value is an optional address to advertise instead of the associated _IP value, for example, in a NAT environment
NSP Flow Collector address configuration
If flow data collection is enabled in your deployment, you must also set the following parameters, which are also in the platform—ingressApplications section of the NSP configuration file:
flowForwarder:
mediationAddresses:
virtualIpV4: "flowV4_mediation_IP"
advertisedV4: "flowV4_mediation_public_address"
virtualIpV6: "flowV6_mediation_IP"
advertisedV6: "flowV6_mediation_public_address"
where
flowV4_mediation_IP is the address for IPv4 flow collection
flowV6_mediation_IP is the address for IPv6 flow collection
each _public_address value is an optional address to advertise instead of the associated mediation_IP value, for example, in a NAT environment
Multi-interface configuration for ancillary components and systems
If an NSP cluster is configured to use a separate internal interface, you must specify the internal interface address as the NSP cluster address in the configuration of system components outside the NSP cluster such as an NSP auxiliary database or the NFM-P.
Note: The WS-NOC is an exception; you must specify the NSP client address as the NSP cluster address in the WS-NOC configuration, regardless of whether the internal interface is used by other components.