Configure LAN Interfaces on SSE Gateways
For supported software information, see Supported Software Information.
For some on-premises deployments, a service provider administrator might want to connect a SASE gateway to the provider edge (PE) routers in the provider's MPLS Layer 3 VPN network so that a separate VLAN ID can be allocated to each tenant. However, most SASE gateways are located in the cloud and are configured with site-to-site tunnels and WAN interfaces only. To make this connection possible, the service provider must configure a LAN interface on the LAN side of the SASE gateway that connects to the interfaces on the PE router.
The service provider administrator selects the gateway on which to create the LAN interface and provides the LAN interface's physical number and VLAN ID. The VLAN ID on the interface must match the VLAN ID on the interface of the PE router. Internal configuration validation ensures that the interface numbers and VLAN IDs are unique for each tenant. The service provider administrator can create one LAN interface per gateway.
Role-based access control (RBAC) ensures that only service provider administrators can configure LAN interfaces on an SSE gateway. Tenant enterprise administrators can view the LAN Interface screens but cannot edit them.
To configure LAN interfaces on SSE gateways:
- Go to Configure > Security Service Edge > Settings > LAN Interface.

The screen displays currently configured LAN interfaces.

- Click + Add LAN Interface. The following screen displays.

- In the Interface and IP Address section, enter information for the following fields.

| Field | Description |
|---|---|
| SSE Gateway | (Required) Select an SSE gateway. |
| VNI Number | (Required) Select a VNI interface. |
| VLAN ID | Enter the VLAN ID. |
| IP Address | (Required) Enter the IP address, such as 10.1.1.2/24. |
| VPN Name | (Required) Select a VPN. |

- Click Next. In the Routing Protocol section, enter information for the following fields.

| Field | Description |
|---|---|
| Protocol | Select a protocol: EBGP or None. |
| BGP Local ASN | (Required) Enter the AS number of the local BGP site. Range: 1 through 4294967295. Default: None |
| BGP Neighbor Address | (Required) Enter the IPv4 or IPv6 address of the BGP neighbor. |
| BGP Remote ASN | (Required) Enter the AS number of the remote BGP site. Range: 1 through 4294967295. Default: None |
| Password | Enter a password. |
| Import BGP Peer Policy | Select an import BGP peer policy. |
| Export BGP Peer Policy | Select an export BGP peer policy. |

- Click Next. In the Name, Description, and Tag section, enter information for the following fields.

| Field | Description |
|---|---|
| Name | (Required) Enter a name for the LAN interface. |
| Tags | Enter one or more tags. A tag is an alphanumeric text descriptor with no spaces or special characters. You can specify multiple tags for the same object. Tags are used to search for objects. |
| Description | Enter a description of the LAN interface. |

- Click Save.
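
As an added example (not part of the original article and not Concerto code), the following Python script pre-checks a planned LAN interface against the constraints described above before the values are entered in the UI. The dictionary keys, the sample values, the 802.1Q VLAN range, the single-hop peering check, and the reading of the uniqueness rules (one LAN interface per tenant per gateway, and no VNI/VLAN pair shared between tenants on a gateway) are assumptions.

```python
import ipaddress

ASN_RANGE = range(1, 4294967296)  # 1 through 4294967295, from the Routing Protocol table
VLAN_RANGE = range(1, 4095)       # usable 802.1Q IDs (general fact, not stated on this page)

def validate_lan_interface(plan, pe_vlan_id, existing):
    """Return a list of problems with a planned LAN interface; empty means it passes."""
    errors = []
    for field in ("gateway", "vni", "ip_address", "vpn_name", "name"):  # marked (Required)
        if not plan.get(field):
            errors.append(f"missing required field: {field}")
    vlan = plan.get("vlan_id")
    if vlan is not None and vlan not in VLAN_RANGE:
        errors.append(f"VLAN ID {vlan} is outside 1-4094")
    if vlan != pe_vlan_id:
        errors.append(f"VLAN ID {vlan} does not match PE router VLAN ID {pe_vlan_id}")
    try:
        iface = ipaddress.ip_interface(plan.get("ip_address") or "")
    except ValueError:
        iface = None
    if iface is None or "/" not in plan["ip_address"]:
        errors.append("IP address must be address/prefix, such as 10.1.1.2/24")
    # Uniqueness rules, as interpreted in the lead-in (assumption).
    for other in (o for o in existing if o["gateway"] == plan.get("gateway")):
        if other["tenant"] == plan.get("tenant"):
            errors.append(f"tenant already has a LAN interface on {other['gateway']}")
        elif (other["vni"], other["vlan_id"]) == (plan.get("vni"), vlan):
            errors.append(f"{other['vni']} VLAN {vlan} is already used by tenant {other['tenant']}")
    if plan.get("protocol") == "EBGP":
        local, remote = plan.get("bgp_local_asn"), plan.get("bgp_remote_asn")
        for label, asn in (("local", local), ("remote", remote)):
            if not isinstance(asn, int) or asn not in ASN_RANGE:
                errors.append(f"BGP {label} ASN must be in 1-4294967295")
        if local is not None and local == remote:
            errors.append("EBGP requires different local and remote ASNs")
        try:
            peer = ipaddress.ip_address(plan.get("bgp_neighbor") or "")
            # Assumption: single-hop peering, so the PE address is on the LAN subnet.
            if iface and peer.version == iface.version and peer not in iface.network:
                errors.append(f"BGP neighbor {peer} is not in {iface.network}")
        except ValueError:
            errors.append("BGP neighbor must be an IPv4 or IPv6 address")
    return errors

# Constructed sample data (only the 10.1.1.2/24 address comes from the page).
EXISTING = [{"tenant": "tenant-a", "gateway": "gw-east-1", "vni": "vni-0/4", "vlan_id": 100}]
PLAN = {"tenant": "tenant-b", "gateway": "gw-east-1", "vni": "vni-0/4", "vlan_id": 100,
        "ip_address": "10.1.1.2/24", "vpn_name": "tenant-b-lan", "name": "pe-handoff",
        "protocol": "EBGP", "bgp_local_asn": 64512, "bgp_remote_asn": 64512,
        "bgp_neighbor": "10.1.2.1"}
```

Calling `validate_lan_interface(PLAN, 200, EXISTING)` reports the VLAN mismatch with the PE router, the VNI/VLAN pair already held by another tenant, the identical ASNs, and the off-subnet neighbor.
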
Only the service provider administrator role should have Edit permissions for SSE LAN interfaces. To view the permissions for SSE LAN interfaces and modify them:
- Log in as Service Provider Administrator.
- Select the tenant that owns the SSE LAN interface that is used to connect to the PE router. Note that even though the SSE LAN interface belongs to a certain tenant, the tenant enterprise administrator cannot edit the LAN interface permissions. Only the service provider administrator has edit permission for the SSE LAN interface.
- Go to Users > Roles > Enterprise Administrator.

The following screen displays.

- Click the Vertical Dots icon, and then click Edit. The Edit Role screen displays. Select the Permissions tab.

- Click More Permissions under Configuration Lifecycle Graph. The following screen displays.

- Click More Permissions under SASE. The following screen displays.

- Click More Permissions under Settings (Inherited). The following screen displays.

- Ensure that the permission for LAN Interface is set to Read. If it is set to Edit, click the down arrow and select Read.
- Click Save.
Supported Software Information
Releases 12.1.1 and later support all content described in this article.
