The Software-Defined Infrastructure module grants users secure, centralised routed access to the remote IP network segments that are connected to Lighthouse nodes.
Background
While out-of-band management has traditionally focused on providing access to individual device consoles, there is also a need to access entire remote network segments for troubleshooting and management tasks.
IP access to a remote network is typically accomplished by establishing a VPN tunnel via the remote site's in-band gateway; during network disruptions or during initial setup, that access path may be unavailable. Software-Defined Infrastructure is a resilient solution for remote IP access that remains available regardless of the state of the in-band network.
Architecture
The module's IP Access feature enables a central VPN service on Lighthouse. IP access simplifies client configuration management and automates IP connectivity between the client and target remote network (e.g. network discovery and routing).
The OpenVPN service on Lighthouse creates a bridge between the connecting clients and the node's Management LAN interface. This allows connected clients to access hosts on the node's Management LAN, as if they were physically present at the remote site.
For further detail, see this article.
Advanced Usage
Network Access Policies
Network Access Policies (NAP) allow users to be granted access to node firewall zones on a per-group basis. This is available on the NetOps Console Server line (OM22xx and OM120x).
Automatic Input Conversion
If no zones are assigned to a group in the NAP menu, the tunnel will come up with no client routes.
The zone name exactly as entered on the NAP page is stored in the backend. During SDI VPN connection establishment, the raw values LAN and WAN (and their case variants) are auto-converted to lower case before matching devices and routes and granting VPN access.
Notes
OM series backward compatibility
Backward compatibility with previous versions is retained so that users with existing configurations in place are not confused or disrupted.
When connecting to the SDI VPN after configuring NAP and associated options, the following policies are applied for each combination of node type and the "Network Access Policies for Operations Manager Enabled" checkbox state:
- Checkbox unchecked:
  - Classic Console Server - WAN LAN Policy
  - NetOps Console Server 20.Q2.0 and older - WAN LAN Policy
  - NetOps Console Server 20.Q3.0 and newer - WAN LAN Policy
- Checkbox checked:
  - Classic Console Server - WAN LAN Policy
  - NetOps Console Server 20.Q2.0 and older - WAN LAN Policy
  - NetOps Console Server 20.Q3.0 and newer - Policy Zone Names (NAP)
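The zone-name normalisation described under Automatic Input Conversion and the compatibility table above can be combined into a single policy resolver. The following is an added illustration, not Lighthouse's own code: the node fields (`family`, `version`), the version string format (assumed to look like "20.Q3.0") and the treatment of versions between 20.Q2.0 and 20.Q3.0 (assumed to fall back to the WAN LAN Policy, as the table lists only 20.Q3.0 and newer for NAP) are assumptions. It also carries through the documented edge case that an empty zone list yields a tunnel with no client routes.

```python
"""Illustrative SDI VPN policy resolver (added example, not Lighthouse code).
Assumes each node record carries a product family ("classic" or "netops")
and a firmware version string such as "20.Q3.0"; both field names are
hypothetical."""

import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Release strings in the article look like "20.Q3.0": year.quarter.patch (assumed).
_VERSION_RE = re.compile(r"^(\d+)\.Q(\d+)\.(\d+)$", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn a release string like '20.Q3.0' into a comparable tuple (20, 3, 0)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    year, quarter, patch = (int(x) for x in m.groups())
    return (year, quarter, patch)


def normalise_zones(raw_zones: List[str]) -> List[str]:
    """Mirror the backend's auto-conversion: zone names are matched lower-case,
    so 'LAN', 'Lan' and 'lan' all refer to the same zone. Blank entries are
    dropped and duplicates removed, preserving first-seen order."""
    seen: List[str] = []
    for z in raw_zones:
        z = z.strip().lower()
        if z and z not in seen:
            seen.append(z)
    return seen


@dataclass
class Node:
    name: str
    family: str   # "classic" or "netops" (hypothetical field)
    version: str  # e.g. "20.Q3.0" (hypothetical field)


@dataclass
class Decision:
    policy: str
    zones: List[str] = field(default_factory=list)
    client_routes: bool = True


def resolve_policy(node: Node, nap_enabled: bool, group_zones: List[str]) -> Decision:
    """Apply the compatibility table: NAP zone names are used only for NetOps
    nodes on 20.Q3.0 or newer with the checkbox enabled; every other
    combination keeps the classic WAN LAN Policy."""
    if node.family == "classic":
        return Decision("WAN LAN Policy")
    if node.family != "netops":
        raise ValueError(f"unknown node family: {node.family!r}")
    # Assumption: anything below 20.Q3.0 (including 20.Q2.x) is treated as "older".
    if not nap_enabled or parse_version(node.version) < (20, 3, 0):
        return Decision("WAN LAN Policy")
    zones = normalise_zones(group_zones)
    # A group with no zones assigned brings the tunnel up with no client routes.
    return Decision("Policy Zone Names (NAP)", zones, client_routes=bool(zones))


if __name__ == "__main__":
    # Constructed sample: mixed-case zone input against a current NetOps node.
    sample = Node("site-a-om2224", "netops", "20.Q3.0")
    print(resolve_policy(sample, True, ["LAN", "Wan", " lan "]))
    print(resolve_policy(sample, True, []))   # NAP enabled but no zones assigned
```

When auditing a group's effective access, `normalise_zones` is the part worth reproducing exactly: a reviewer comparing the raw NAP page value against firewall zone names will otherwise miss that "LAN" and "lan" grant the same routes.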