Nile Service Block
Core Concepts

Integrating Routers with the Nile Access Service

9min

When deploying the Nile Access Service, the integration between the Nile Service Block (NSB) and the customer's upstream routers or firewalls is a critical step. This article provides guidance on how to configure the router integration to ensure a successful Nile Access Service deployment.

Physical Connectivity

All Nile access and distribution switches provide several high-speed uplink ports to connect to the customer's upstream routers or firewalls. Nile recommends connecting, via the high-speed uplink ports, each of the NSB Gateways to the customer's upstream routers or firewalls.

Document image


The uplink speeds supported by the Nile Service Blocks range from 1Gbps to 100Gbps, with the choice of Ethernet or fiber optic ports depending on the required throughput and the customer's existing infrastructure.

Logical Setup and Routing

NSB Routing

Since the Nile Access Service operates at Layer 3, there is no Layer 2 VLAN trunking between the NSB and the customer's upstream routers. All traffic is routed between the Nile Service Block and the customer's upstream devices.

In the next section, we can see examples of OSPF and ECMP being used to route traffic across the transit networks that connect the NSB to the customer's firewall and routing infrastructure. The diagram below shows the topology used in the examples.

Document image


Nile support for OSPF and ECMP

The Nile Service Block (NSB) requires an upstream router or firewall for connectivity to the Nile Cloud. The NSB gateway, an access or distribution switch, serves as the connection point between the NSB and the upstream network device.

NSB gateways operate in an active-active configuration and act as the default gateway for all Nile Elements (access switches, access points, and sensors). Traffic is routed to the upstream router or firewall using either OSPF or static routes, with OSPF being the preferred method.

When OSPF is used, no configuration is necessary on the NSB gateways. The upstream firewall or router's configuration is sufficient for the NSB gateways to automatically learn routing parameters from Hello messages. If OSPF is not configured, the NSB gateway automatically employs static routes with Equal Cost Multi-Path (ECMP) for traffic forwarding.

  • OSPF (Open Shortest Path First): This is a simple and reliable way to manage the traffic flow between the NSB and the customer's routers or firewalls. The customer should configure OSPF on the upstream devices using the transit network subnets connecting to the Nile elements.

Example OSPF Configuration

(Firewall A) router ospf 1 router-id 10.10.10.1 default-information originate network 10.10.10.0 0.0.0.3 area 0 network 10.10.10.4 0.0.0.3 area 0 (Firewall B) router ospf 1 router-id 10.10.10.9 default-information originate network 10.10.10.8 0.0.0.3 area 0 network 10.10.10.12 0.0.0.3 area 0



  • ECMP (Equal-Cost Multi-Path): If the customer's routers or firewalls do not support OSPF, ECMP routing can be used. In this case, the upstream devices must be configured with equal-cost routes to the client subnets behind the Nile Service Block.

Example ECMP Configuration

(Firewall A) set protocols static route 10.50.100.0/22 next-hop 10.10.10.2 set protocols static route 10.50.100.0/22 next-hop 10.10.10.6 set protocols static route 0.0.0.0/0 next-hop 10.10.10.2 distance 1 set protocols static route 0.0.0.0/0 next-hop 10.10.10.6 distance 1 (Firewall B) set protocols static route 10.50.100.0/22 next-hop 10.10.10.10 set protocols static route 10.50.100.0/22 next-hop 10.10.10.14 set protocols static route 0.0.0.0/0 next-hop 10.10.10.10 distance 1 set protocols static route 0.0.0.0/0 next-hop 10.10.10.14 distance 1

Regardless of the routing protocol used, the key is to ensure that the routes to the client subnets behind the Nile Service Block are reachable from the customer's upstream devices. Nile will be the default gateway for all client subnets and these default gateways must be accessible from the upstream routers or firewalls.

Service Bringup

To activate the entire network of access switches, access points, and sensors, the NSB gateway requires the following parameters:

  1. Two uplink IP addresses: While one is optional, using two is recommended for redundancy.
  2. A subnet for AP and switches: This subnet is used to allocate IP addresses to Nile elements such as switches and access points.
  3. A subnet for Nile sensors: Nile sensors are treated as client devices and require a separate subnet for network monitoring.
  4. DNS Server (Optional)
  5. NTP server (Optional)

These settings are transmitted to the NSB gateway via Bluetooth.

Firewall/ACL Configuration

To allow all Nile Service Block elements to communicate with the necessary cloud services, any firewalls or router ACLs in the traffic path should be configured with the following rules:

  1. Permit outbound HTTPS (TCP/443) to the following URLs and IPs:
    • u1.nilesecure.com
    • ne-u1.nile-global.cloud
      (resolves to 52.13.104.212, 100.20.40.199, 52.12.186.175)
    • https://s3.us-west-2.amazonaws.com/nile-prod-us-west-2 (required for device upgrades only)
  2. Permit outbound DNS (UDP/53) to the following IP addresses:
    • Nile will use these as default DNS servers for NSB elements (not clients):
      • 8.8.8.8
      • 8.8.4.4
    • If you would prefer the NSB uses your own DNS servers, those will override our defaults. Your server must be configured to accept DNS requests from Nile Service Block elements.
  3. Permit outbound NTP (UDP/123) to the following URLs:
    • Nile will use these as default NTP servers for NSB elements (not clients):
      • time.google.com
      • pool.ntp.org
    • If you would prefer the NSB uses your own NTP servers, those will override our defaults. Your server must be configured to accept NTP requests from Nile Service Block elements.
  4. Permit RADIUS authentication (UDP/1812 and UDP/1813) from the Nile management subnet IP address to the customer's RADIUS server(s)
  5. Permit DHCP (UDP/67 and UDP/68) for subnets used in the Nile Service Block to the customer's DHCP servers.

By following these specific firewall configuration guidelines, you can ensure that the Nile Service Block elements can communicate with the required cloud services and authentication servers.

Updated 23 Oct 2024
Doc contributor
Doc contributor
Doc contributor
Doc contributor
Did this page help you?
PREVIOUS
Nile's layer 3 only network: Transcending VLANS
NEXT
Nile Access Service: Understanding Service Areas
Docs powered by Archbee