Integrating Routers with the Nile Access Service
When deploying the Nile Access Service, integrating the Nile Service Block (NSB) with the customer's upstream routers or firewalls is a critical step. This section describes how to configure that integration so the deployment succeeds.

Physical Connectivity

All Nile access and distribution switches provide several high-speed uplink ports for connecting to the customer's upstream routers or firewalls. Nile recommends connecting each NSB gateway to the upstream devices through these uplink ports. The NSB supports uplink speeds from 1 Gbps to 100 Gbps; both copper Ethernet and fiber-optic ports are available, depending on throughput requirements and the customer's existing infrastructure.

Logical Setup and Routing

NSB Routing

Because the Nile Access Service operates entirely at Layer 3, there is no Layer 2 VLAN trunking between the NSB and the upstream routers: all traffic between the NSB and the upstream devices is routed. Routing uses either Open Shortest Path First (OSPF) or static routes with equal-cost multipath (ECMP); OSPF is the recommended method.

OSPF Integration

The NSB requires an upstream router or firewall to reach the Nile cloud. Each NSB gateway (an access or distribution switch) is the default gateway for all Nile elements: access switches, access points, and sensors. NSB gateways operate in an active/active configuration.

By default, traffic is routed to the upstream router or firewall using OSPF, and no OSPF configuration is required on the NSB gateways themselves. Configuring the upstream router or firewall is sufficient: the NSB gateways learn the OSPF parameters automatically from the upstream device's Hello messages, so the upstream configuration defines the area and timers the adjacency will use.

The customer must configure the upstream routers or firewalls to advertise a default route (0.0.0.0/0) toward the NSB gateways via OSPF. This gives the Nile elements reachability to external networks and to the Nile cloud.

Example OSPF Configuration
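The upstream-side configuration described above, written out as an added example in Cisco IOS syntax; this is not Nile's own configuration and is not taken from the page. It assumes the upstream router connects to the two NSB gateway uplinks over GigabitEthernet0/1 and GigabitEthernet0/2 using the documentation prefixes 192.0.2.0/30 and 192.0.2.4/30, that everything runs in OSPF area 0, and that 10.20.0.0/16 is a client subnet behind the NSB. The trailing static routes are the ECMP alternative for the case, described in the next section, where OSPF is not available; use one method or the other, not both.

```cisco
! Upstream router facing the NSB (Cisco IOS syntax). Added example, not Nile's
! own configuration. Assumed: Gi0/1 and Gi0/2 are the links to the two NSB
! gateway uplinks (192.0.2.0/30 and 192.0.2.4/30, documentation addresses).
interface GigabitEthernet0/1
 description NSB gateway 1 uplink
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/2
 description NSB gateway 2 uplink
 ip address 192.0.2.5 255.255.255.252
!
router ospf 1
 router-id 192.0.2.254
 ! Only the two NSB links run OSPF. Every other interface stays passive so no
 ! adjacency can be formed from user-facing or Internet-facing ports; the NSB
 ! gateways pick up area and timers from the Hellos sent on these two links.
 passive-interface default
 no passive-interface GigabitEthernet0/1
 no passive-interface GigabitEthernet0/2
 network 192.0.2.0 0.0.0.3 area 0
 network 192.0.2.4 0.0.0.3 area 0
 ! Advertise 0.0.0.0/0 toward the NSB gateways. "always" originates the default
 ! even when this router has no default route of its own; omit the keyword if
 ! the default should disappear when the router loses its own Internet path.
 default-information originate always
!
! ECMP alternative when OSPF is not available: one equal-cost static route per
! NSB gateway for each client subnet behind the NSB (10.20.0.0/16 is assumed).
! Do not combine with the OSPF section above.
ip route 10.20.0.0 255.255.0.0 192.0.2.2
ip route 10.20.0.0 255.255.0.0 192.0.2.6
```

Two checks are worth making after applying this. First, `show ip ospf neighbor` should list both NSB gateways in FULL state and the NSB side should be receiving `0.0.0.0/0` as an external route; if it is not, the usual cause is a passive-interface or area mismatch on the upstream side, since the NSB derives its parameters from the upstream Hellos. Second, the page does not say whether the NSB gateways support OSPF authentication, so confirm with Nile before enabling `ip ospf authentication` on these links; until then, `passive-interface default` is the control that limits where an adjacency can be formed. For the static-route variant, remember that a static route is only withdrawn when its next-hop interface goes down, so each gateway must sit on a directly connected link for a link failure to remove its path from the ECMP set.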
ECMP Integration

If OSPF is not available, the NSB gateways can be reached through static routes with ECMP. In this case the customer must configure the upstream devices with equal-cost static routes to the client subnets behind the NSB, one via each NSB gateway uplink, so that the active/active gateways share the load. The key requirement is that all routes to the client subnets remain reachable from the upstream devices.

Example ECMP Configuration

Regardless of the routing method, the NSB remains the default gateway for all client subnets, and the upstream routers and firewalls must always be able to reach the NSB gateways.

Service Bring-up

To activate access switches, access points, and sensors, the NSB gateway requires the following parameters:

- Two uplink IP addresses. One is sufficient, but two are recommended for redundancy.
- A subnet for switches and access points. This subnet is used to assign IP addresses to the Nile elements.
- A subnet for Nile sensors. Sensors are treated as client devices and require a separate subnet for monitoring.
- DNS server (optional).
- NTP server (optional).

These parameters are delivered to the NSB gateway over Bluetooth during bring-up.

Firewall and ACL Configuration

Firewalls or router ACLs must allow communication between the NSB elements and the Nile cloud services. The following rules are required:

- HTTPS (TCP/443): permit outbound HTTPS from the NSB elements to the following domains and IPs:
  - u1.nilesecure.com
  - ne-u1.nile-global.cloud, which resolves to 52.13.104.212, 100.20.40.199 and 52.12.186.175
  - https://s3.us-west-2.amazonaws.com/nile-prod-us-west-2 (required only for device upgrades)
  The S3 endpoint has no fixed addresses, so that rule needs an FQDN- or URL-aware firewall rather than an IP-based ACL; the three addresses listed for ne-u1.nile-global.cloud should be re-verified against DNS before they are hard-coded.
- DNS (UDP/53): permit outbound DNS to the default servers used by the NSB elements (not by clients): 8.8.8.8 and 8.8.4.4. If customer DNS servers are preferred, they must be configured to accept DNS requests from the NSB elements.
- NTP (UDP/123): permit outbound NTP to the default servers used by the NSB elements (not by clients): time.google.com and pool.ntp.org. If customer NTP servers are preferred, they must be configured to accept NTP requests from the NSB elements.
- RADIUS: permit RADIUS authentication and accounting (UDP/1812
and UDP/1813) from the Nile management subnet to the customer's RADIUS servers.
- DHCP: permit DHCP traffic (UDP/67 and UDP/68) from the subnets used in the NSB to the customer's DHCP servers.

Summary

By following these connectivity and firewall configuration guidelines, customers can ensure that the Nile Service Block integrates seamlessly with their upstream routers and firewalls, and that all Nile elements can communicate securely with the required cloud services and authentication systems.
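The firewall rules listed above, expressed as an added example in Cisco IOS extended-ACL syntax; this is not Nile's own configuration. It assumes the same topology as the routing example (NSB uplinks on GigabitEthernet0/1 and 0/2 with addresses in 192.0.2.0/29), an NSB element subnet of 10.20.0.0/24, a sensor subnet of 10.20.1.0/24, user client subnets in 10.30.0.0/16, a customer RADIUS server at 10.0.0.10 and a customer DHCP server at 10.0.0.20; all of these addresses are placeholders. The ACL is applied inbound on the two uplink interfaces, which is why it must also admit ordinary client traffic, not only the management flows.

```cisco
! Upstream router or firewall, ingress ACL on the NSB-facing links (Cisco IOS
! syntax). Added example, not Nile's own configuration. All addresses below
! are assumed placeholders; see the lead-in for what each one stands for.
object-group network NILE-CLOUD
 description ne-u1.nile-global.cloud as resolved at time of writing; re-verify before use
 host 52.13.104.212
 host 100.20.40.199
 host 52.12.186.175
!
ip access-list extended NSB-UPLINK-IN
 remark ---- Nile elements (switches, APs) in 10.20.0.0/24: tightly scoped ----
 remark HTTPS to the Nile cloud. u1.nilesecure.com and the S3 upgrade bucket
 remark have no fixed IPs on this page: handle them on an FQDN/URL-aware
 remark firewall or resolve and add them to NILE-CLOUD during change control.
 permit tcp 10.20.0.0 0.0.0.255 object-group NILE-CLOUD eq 443
 remark DNS to the default public resolvers used by NSB elements (not clients)
 permit udp 10.20.0.0 0.0.0.255 host 8.8.8.8 eq 53
 permit udp 10.20.0.0 0.0.0.255 host 8.8.4.4 eq 53
 remark NTP: time.google.com and pool.ntp.org rotate addresses, so match on port
 permit udp 10.20.0.0 0.0.0.255 any eq 123
 remark RADIUS authentication (1812) and accounting (1813) to the customer server
 permit udp 10.20.0.0 0.0.0.255 host 10.0.0.10 range 1812 1813
 remark DHCP from the NSB subnets to the customer DHCP server
 permit udp 10.20.0.0 0.0.0.255 host 10.0.0.20 range 67 68
 permit udp 10.20.1.0 0.0.0.255 host 10.0.0.20 range 67 68
 remark OSPF Hellos/LSAs from the NSB gateway uplinks (only for OSPF integration)
 permit ospf 192.0.2.0 0.0.0.7 any
 remark ---- sensors and user clients are ordinary client traffic ----
 remark they fall under the customer's normal egress policy, not this allowlist
 permit ip 10.20.1.0 0.0.0.255 any
 permit ip 10.30.0.0 0.0.255.255 any
 remark anything else sourced from the NSB is logged and dropped
 deny ip any any log
!
interface GigabitEthernet0/1
 ip access-group NSB-UPLINK-IN in
!
interface GigabitEthernet0/2
 ip access-group NSB-UPLINK-IN in
```

The ordering matters: the element-subnet lines come first and are narrow, the client-subnet lines are broad, and the final logged deny is what turns a forgotten flow into a visible event rather than a silent outage. After bring-up, `show access-lists NSB-UPLINK-IN` should show hit counts on the HTTPS, DNS and NTP lines; hits on the final deny sourced from 10.20.0.0/24 usually mean a cloud address has changed or a customer DNS/NTP server was substituted without adjusting the ACL. If customer DNS or NTP servers replace the defaults, replace the 8.8.8.8/8.8.4.4 and port-123 lines with entries for those servers rather than leaving both sets open.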