Multi-interface configuration

Introduction

For greater security, you can configure multiple network interfaces to segregate the different types of NSP traffic.

When the NSP uses only one network for all communication, the NSP client traffic shares the same network as the NE mediation traffic and the internal communication between NSP components. Such a configuration may pose a considerable security risk.

You can segregate the NSP client, mediation, and internal traffic by configuring the NSP to use interfaces in separate networks for each traffic type.

Traffic isolation

The multi-interface implementation isolates the different traffic types to one or more of the following networks: the client network, the mediation network, and the internal network.

Using separate networks enables you to apply additional security policies. For example, the NSP PostgreSQL service is internal only; its only legitimate clients are NSP components, not northbound browser or API clients. To help protect the PostgreSQL service from unintended access, you can apply a firewall rule that blocks the PostgreSQL port on the client interface.

System conversion to multi-interface

You can convert an existing NSP system from a single-interface deployment to a multi-interface deployment, as described in Workflow for NSP system conversion to multi-interface.

NSP cluster multi-interface configuration

You specify the NSP cluster interface addresses for your deployment in the ingressApplications subsection of the platform section of the NSP configuration file. The configuration steps are described in each NSP deployment procedure, and the parameters are shown below for network planning purposes.

Note: The client_IP value is mandatory; the address is used for interfaces that remain unconfigured, such as in a single-interface deployment.

Note: If the client network uses IPv6, you must specify the NSP cluster hostname as the client_IP value.

Note: The trapForwarder addresses that you specify must differ from the client_IP value, even in a single-interface deployment.

  ingressApplications:
    ingressController:
      clientAddresses:
        virtualIp: "client_IP"
        advertised: "client_public_address"
      internalAddresses:
        virtualIp: "internal_IP"
        advertised: "internal_public_address"
    trapForwarder:
      mediationAddresses:
        virtualIpV4: "trapV4_mediation_IP"
        advertisedV4: "trapV4_mediation_public_address"
        virtualIpV6: "trapV6_mediation_IP"
        advertisedV6: "trapV6_mediation_public_address"

where

client_IP is the address for external client access

internal_IP is the address for internal communication

trapV4_mediation_IP is the address for IPv4 network mediation

trapV6_mediation_IP is the address for IPv6 network mediation

each _public_address value is an optional address to advertise instead of the associated _IP value, for example, in a NAT environment

NSP Flow Collector address configuration

If flow data collection is enabled in your deployment, you must also set the following parameters, which are also in the ingressApplications subsection of the platform section of the NSP configuration file:

    flowForwarder:
      mediationAddresses:
        virtualIpV4: "flowV4_mediation_IP"
        advertisedV4: "flowV4_mediation_public_address"
        virtualIpV6: "flowV6_mediation_IP"
        advertisedV6: "flowV6_mediation_public_address"

where

flowV4_mediation_IP is the address for IPv4 flow collection

flowV6_mediation_IP is the address for IPv6 flow collection

each _public_address value is an optional address to advertise instead of the associated mediation_IP value, for example, in a NAT environment

Multi-interface configuration for ancillary components and systems

If an NSP cluster is configured to use a separate internal interface, you must specify the internal interface address as the NSP cluster address in the configuration of system components outside the NSP cluster, such as an NSP auxiliary database or the NFM-P.

Note: The WS-NOC is an exception; you must specify the NSP client address as the NSP cluster address in the WS-NOC configuration, regardless of whether the internal interface is used by other components.
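The following script is an added example, not Nokia tooling or part of the NSP documentation. It mirrors the ingressApplications layout shown above as a Python dict and checks an address plan against the rules this page states: client_IP is mandatory and is the fallback for any interface left unconfigured, the client_IP must be the cluster hostname rather than an IP literal when the client network is IPv6, and the trapForwarder addresses must differ from client_IP. It then applies the rule for ancillary components (internal address when one is configured, client address for WS-NOC). The function names, the client_network_ipv6 flag and all sample addresses are assumptions constructed for the example.

```python
"""Address-plan checks for an NSP multi-interface configuration.

Added example; not Nokia's code. The dict layout follows the
platform / ingressApplications YAML on the page. All addresses are
constructed sample values from documentation ranges.
"""
import ipaddress

# Constructed sample plan with separate client, internal and mediation networks.
SAMPLE_CONFIG = {
    "ingressApplications": {
        "ingressController": {
            "clientAddresses": {"virtualIp": "203.0.113.10", "advertised": ""},
            "internalAddresses": {"virtualIp": "10.20.0.10", "advertised": ""},
        },
        "trapForwarder": {
            "mediationAddresses": {
                "virtualIpV4": "192.0.2.10",
                "advertisedV4": "",
                "virtualIpV6": "2001:db8:1::10",
                "advertisedV6": "",
            }
        },
    }
}


def _get(cfg: dict, *path: str) -> str:
    """Walk nested dicts; a missing key or empty value reads as ''."""
    node = cfg
    for key in path:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, str) else ""


def client_ip(cfg: dict) -> str:
    """The mandatory client_IP value."""
    return _get(cfg, "ingressApplications", "ingressController",
                "clientAddresses", "virtualIp")


def effective_address(cfg: dict, *path: str) -> str:
    """Address an interface actually uses: its own value, otherwise client_IP,
    which is the documented behaviour for interfaces left unconfigured."""
    return _get(cfg, "ingressApplications", *path) or client_ip(cfg)


def is_ip_literal(value: str) -> bool:
    """True for an IPv4/IPv6 literal, False for a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate(cfg: dict, client_network_ipv6: bool = False) -> list[str]:
    """Return the list of rule violations; an empty list means the plan passes.
    client_network_ipv6 is an assumed input telling the check which address
    family the client network uses."""
    problems = []
    cip = client_ip(cfg)
    if not cip:
        problems.append("clientAddresses.virtualIp (client_IP) is mandatory")
        return problems
    if client_network_ipv6 and is_ip_literal(cip):
        problems.append("client network is IPv6: client_IP must be the NSP "
                        "cluster hostname, not an IP literal")
    # Trap addresses must differ from client_IP even in a single-interface deployment.
    for key in ("virtualIpV4", "virtualIpV6"):
        trap = _get(cfg, "ingressApplications", "trapForwarder",
                    "mediationAddresses", key)
        if trap and trap == cip:
            problems.append(f"trapForwarder {key} must differ from client_IP ({cip})")
    return problems


def cluster_address_for(cfg: dict, component: str) -> str:
    """Cluster address to place in an external component's configuration:
    the internal interface address when one is configured (falling back to
    client_IP otherwise), except that WS-NOC always gets the client address."""
    if component.upper() == "WS-NOC":
        return client_ip(cfg)
    return effective_address(cfg, "ingressController", "internalAddresses", "virtualIp")


if __name__ == "__main__":
    print("violations:", validate(SAMPLE_CONFIG))
    print("NFM-P uses:", cluster_address_for(SAMPLE_CONFIG, "NFM-P"))
    print("WS-NOC uses:", cluster_address_for(SAMPLE_CONFIG, "WS-NOC"))
```

Running the script as-is reports no violations and shows the NFM-P being handed the internal address while WS-NOC is handed the client address; removing the internalAddresses block makes every non-WS-NOC component fall back to client_IP, which is the single-interface behaviour the notes describe.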