Phase 7: Production Integration
Scope: kvm-01 EVE-NG only. The workstation EVE-NG instance stays isolated behind NAT and is not bridged into production.
Integration Points
| Service | Integration | How |
|---|---|---|
| DNS | Lab devices in | BIND zone delegation or manual A records |
| ISE | Lab endpoints authenticate against production ISE-02 | Cloud bridge on VLAN 50; RADIUS reachable via VyOS inter-VLAN routing |
| Vault PKI | Lab devices request TLS/EAP-TLS certs | Vault API (8200) reachable from VLAN 50 |
| Syslog / SIEM | Lab devices send logs to Wazuh | Syslog (514/1514) permitted from VLAN 50 |
| Telemetry | gNMI streams from lab devices to Prometheus | gnmic on k3s subscribes to lab device management IPs |
VLAN 50 (LAB) Network Design
| Parameter | Value |
|---|---|
| VLAN ID | 50 |
| Subnet | 10.50.50.0/24 |
| Gateway | 10.50.50.1 (VyOS) |
| Purpose | Dedicated EVE-NG lab traffic |
| WAN access | Denied by default |
VyOS Firewall Rules (VLAN 50 → Production)
Only the following flows are permitted from VLAN 50; everything else, WAN destinations included, is dropped by the final rule:
| Source | Destination | Port | Service |
|---|---|---|---|
| 10.50.50.0/24 | bind-01 / bind-02 | 53 | DNS |
| 10.50.50.0/24 | VyOS VIP | 123 | NTP |
| 10.50.50.0/24 | ISE-02 | 1812, 1813 | RADIUS |
| 10.50.50.0/24 | Vault VIP | 8200 | Vault API |
| 10.50.50.0/24 | Wazuh | 514, 1514 | Syslog |
| 10.50.50.0/24 | * | * | DENY ALL |
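The allow-list above, encoded as data and rendered as VyOS `set` commands, with a helper that answers "would the first packet of this lab-originated session be accepted?" so a planned flow can be checked against the policy before the Cloud interface is brought up. This is an added example, not the project's own tooling. The production addresses for bind-01/bind-02, the VyOS VIP, ISE-02, the Vault VIP and Wazuh are placeholders constructed for the example; the ruleset names LAB-OUT/LAB-IN, the rule numbering and the `eth0 vif 50` sub-interface are likewise assumptions; and where the table gives only a port, the transport is the conventional one for that service (DNS and syslog over `tcp_udp`, NTP and RADIUS over UDP, Vault API over TCP).

```python
"""Render the VLAN 50 -> production allow-list as VyOS config and check flows.

Added example, not the project's own tooling. Production addresses are
placeholders constructed for this example; transports are the conventional
ones for each service where the table lists only a port.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAB_NET = ip_network("10.50.50.0/24")

# Placeholder production addresses (assumed, not from the page).
HOSTS = {
    "bind-01": "10.10.10.53",
    "bind-02": "10.10.10.54",
    "vyos-vip": "10.10.10.1",
    "ise-02": "10.10.20.12",
    "vault-vip": "10.10.30.200",
    "wazuh": "10.10.40.50",
}


@dataclass(frozen=True)
class Rule:
    dest: str               # key into HOSTS
    proto: str              # VyOS protocol keyword: udp, tcp or tcp_udp
    ports: tuple[int, ...]
    service: str


# The allow-list from the table, in order. Anything not listed is dropped,
# which is what makes "WAN access: denied by default" hold without a separate rule.
ALLOW = [
    Rule("bind-01", "tcp_udp", (53,), "DNS"),
    Rule("bind-02", "tcp_udp", (53,), "DNS"),
    Rule("vyos-vip", "udp", (123,), "NTP"),
    Rule("ise-02", "udp", (1812, 1813), "RADIUS"),
    Rule("vault-vip", "tcp", (8200,), "Vault API"),
    Rule("wazuh", "tcp_udp", (514, 1514), "Syslog"),
]


def permitted(src: str, dst: str, proto: str, port: int) -> bool:
    """Would VyOS accept the FIRST packet of this lab-originated session?

    Stateless allow-list check only: return packets are handled by the
    established/related rules rendered in vyos_config(), not here.
    """
    if ip_address(src) not in LAB_NET:
        return False
    for r in ALLOW:
        if HOSTS[r.dest] == dst and port in r.ports and r.proto in (proto, "tcp_udp"):
            return True
    return False  # implicit DENY ALL


def vyos_config(iface: str = "eth0 vif 50") -> list[str]:
    """VyOS 1.3-style `set` commands implementing the policy.

    LAB-OUT carries the allow-list and is bound both `in` (forwarded traffic)
    and `local` (traffic addressed to the router itself, which is where the
    NTP-to-VIP rule actually matches). LAB-IN is bound `out` and accepts only
    established/related sessions, so production hosts can answer lab devices
    but cannot open a connection into the lab.
    """
    lines = ["set firewall name LAB-OUT default-action 'drop'",
             "set firewall name LAB-OUT rule 10 action 'accept'",
             "set firewall name LAB-OUT rule 10 state established 'enable'",
             "set firewall name LAB-OUT rule 10 state related 'enable'"]
    for n, r in enumerate(ALLOW, start=2):          # rules 20, 30, ... 70
        rule = f"set firewall name LAB-OUT rule {n * 10}"
        lines += [f"{rule} description '{r.service}'",
                  f"{rule} action 'accept'",
                  f"{rule} protocol '{r.proto}'",
                  f"{rule} source address '{LAB_NET}'",
                  f"{rule} destination address '{HOSTS[r.dest]}'",
                  f"{rule} destination port '{','.join(map(str, r.ports))}'"]
    lines += ["set firewall name LAB-IN default-action 'drop'",
              "set firewall name LAB-IN rule 10 action 'accept'",
              "set firewall name LAB-IN rule 10 state established 'enable'",
              "set firewall name LAB-IN rule 10 state related 'enable'",
              f"set interfaces ethernet {iface} firewall in name 'LAB-OUT'",
              f"set interfaces ethernet {iface} firewall local name 'LAB-OUT'",
              f"set interfaces ethernet {iface} firewall out name 'LAB-IN'"]
    return lines


if __name__ == "__main__":
    print("\n".join(vyos_config()))
```

Two things worth checking before pasting the output into `configure`. First, the NTP row targets the VyOS VIP, so that traffic terminates on the router and is evaluated by the `local` hook, not `in`; binding LAB-OUT only as `in` would silently leave lab NTP unsynced. Second, the Telemetry row of the Integration Points table has gnmic on k3s dialling the lab devices, which is production-to-VLAN-50 initiated traffic and is not covered by the established/related-only LAB-IN ruleset; if dial-in gNMI is wanted it needs an explicit permit from the k3s egress range to the lab management IPs on the gNMI port (57400 is the usual default, an assumption here), otherwise the subscription will never connect. On VyOS 1.4 the same rules live under `firewall ipv4 name` and interface bindings under `firewall ipv4 ... interface`, so the rendered syntax applies to 1.3.
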
Safety Controls
- EVE-NG Cloud interfaces default to shut — activated per-topology only
- No default route from VLAN 50 to WAN (labs do not get internet)
- VyOS stateful firewall — return traffic only for established sessions
- Change Request required before first activation: CR-YYYY-MM-DD-eve-ng-production-bridge.adoc