SCENARIO
So, after waiting 9 months, your Metro E circuit is finally installed. The engineer comes out, slaps in a Ciena or Juniper layer 2 service delivery switch, and two hours later he is gone. What do I do now? Sound familiar?
A Metro E EDI circuit delivers high-speed internet at a guaranteed speed over fiber. Customers sign a service level agreement (SLA). Two blocks of IPs are issued: one known as p2p and the other known as customer LAN. In most cases the p2p will be a /30 and the customer LAN a /29.
A layer 2 service delivery switch does not do routing and is not a router, so you will need a commercial layer 3 router with at least two interfaces, which the ISP does not provide.
My requirements:
• Secondary IP addresses configured on an interface
• Hosts on the configured interface should be able to go online without being NATed
• Hosts should be reachable from the internet via the IP addresses assigned to them
Equipment Tested:
• SonicWall TZ215
• WatchGuard T30
Solution 1: Using SonicWall TZ215
P2P IP Block: 9.9.9.9/30
LAN IP Block: 7.7.7.7/29
The secondary IP address block will be routed to the SonicWall WAN IP address (p2p).
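The addressing implied by the two blocks above, worked through with Python's ipaddress module. This is an added example, not part of the original write-up. The function name and the choice of 7.7.7.1 as the X2 address are assumptions made for illustration.

```python
import ipaddress

def plan_routed_block(wan_if: str, routed_if: str) -> dict:
    """Derive the addressing for a p2p WAN link plus a routed (un-NATed) block.

    wan_if    -- firewall WAN address with prefix, e.g. "9.9.9.9/30"
    routed_if -- address with prefix proposed for the DMZ interface (X2)
    """
    wan = ipaddress.ip_interface(wan_if)
    dmz = ipaddress.ip_interface(routed_if)
    problems = []

    # The two blocks must be distinct: the ISP routes the second block
    # *to* the firewall's address in the first one.
    if wan.network.overlaps(dmz.network):
        problems.append("p2p and routed blocks overlap")

    # An interface cannot sit on the network or broadcast address.
    for name, iface in (("WAN", wan), ("X2", dmz)):
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name} address {iface.ip} is the network or "
                            f"broadcast address of {net}")

    # On a /30 the only other usable address is the ISP side of the link.
    peers = [h for h in wan.network.hosts() if h != wan.ip]
    # Addresses left for hosts once X2 has taken one.
    free = [h for h in dmz.network.hosts() if h != dmz.ip]

    return {
        "wan_ip": str(wan.ip),
        "isp_gateway": str(peers[0]) if len(peers) == 1 else None,
        "isp_route": f"{dmz.network} via {wan.ip}",  # what the ISP installs
        "host_gateway": str(dmz.ip),                  # default gateway for X2 hosts
        "host_addresses": [str(h) for h in free],
        "problems": problems,
    }

if __name__ == "__main__":
    # 7.7.7.1 is an assumed pick for X2 (first usable address in the block).
    for key, value in plan_routed_block("9.9.9.9/30", "7.7.7.1/29").items():
        print(f"{key}: {value}")
```

Read literally, 7.7.7.7/29 names the block 7.7.7.0/29 and 7.7.7.7 is that block's broadcast address, so passing it as the X2 address is reported under `problems`.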
First, set up your router/firewall as you usually would, with a static IP from the ISP (p2p). You should now be able to browse the internet from the NATed LAN port on the router/firewall.
After verifying that you can reach the internet through the previously configured WAN interface, let's move on to configuring another interface on the SonicWall. This interface will be in the DMZ zone; we will use interface X2 for this example. Interface X2 will be configured with the secondary IP block assignment.
Navigate to Network | Interfaces
Very important step: check routed mode
Click the Advanced tab
Create an outbound NO-NAT Policy
Outbound Policy
Navigate to Network | NAT Policies
Create an inbound NO-NAT Policy
Inbound Policy
Navigate to Network | NAT Policies
Last but not least, create a static route.
Navigate to Network | Routing