Currently we have a fairly simple setup connecting to our ISP. Our ISP has given us the following L3 info:
Default gateway: 184.108.40.206
Router/Firewall Outside interface: 220.127.116.11
Available IPs: 18.104.22.168-246
Internal IPs: 22.214.171.124/28
The ISP connects to our external switch that our external firewall also connects to, both ports are part of the same L2 vlan.
Our firewall has the IP 126.96.36.199/29 with a default gw of 188.8.131.52. On the firewall the external IPs used (for mips, vips, etc.) are in the 184.108.40.206/28 block.
This setup works, but it forces me to use the firewall for everything since it is essentially our edge router, as all traffic from the ISP goes to 220.127.116.11. I'd like to move that IP (18.104.22.168) to a VLAN interface and let that VLAN handle the routing, but I'm not sure how to do that. The goal is to have other devices parallel to our firewall (VPN, DMZ, etc.) that would have to use an IP from the "available IPs" from our ISP, I guess, 22.214.171.124-246.
I know I could assign 126.96.36.199 to a VLAN and define a default route pointing to 188.8.131.52. But how do I handle the 184.108.40.206/28 subnet? The ISP doesn't do any VLAN tagging.
Potential config on switch:
interface Vlan<ID>    ! placeholder: the VLAN interface that takes over the ISP-facing IP
 description connection to isp
 ip address 220.127.116.11 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 18.104.22.168
ip route 22.214.171.124 255.255.255.240 126.96.36.199    ! next hop is the external firewall interface
Other external devices:
All other external devices will be sitting in the same VLAN and should be able to ARP out and figure out where to go. With the internal gateway address now defined on the VLAN (.244) and the firewall using one of the "available IPs" (.245), that only leaves one more IP in that range to use (.246). So I should be able to assign that to my vpn/dmz device, right?
This seems feasible, but I'm not sure about the internal IP block (188.8.131.52/28). Is there any way for a device with one of these IPs to be dropped into the external VLAN? Since the VLAN is a different subnet I have no idea how that would work.
Clear as mud? I'm just trying to move more of our devices to the edge, it's just something that would work better for us currently. I *know* most DMZs and other gear hang off of the firewall, this is a different case that would take a much larger post to describe :/ It involves politics and too many managers!
What happened to .242 and .243? A /29 is 8 IP addresses with 6 hosts.
And, surely your internal network isn't the address range they gave you, correct? Those are just additional addresses they will route to you at .244. They have a static route that says 53.whatever/28 is at whatever.244/29. If you are setting up a new device with 2 interfaces, why wouldn't you put the external interface in the same VLAN as the firewall, with an address of .245/29, and the internal interface on your true internal network? Why would your new device need to even know about 53.whatever/28?
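An added example (not from either poster) that models the proposed switch routing table and the /29 host inventory the reply asks about. It uses constructed RFC 5737 documentation addresses in place of the poster's ISP block; the assumed plan is a /29 hand-off (ISP gateway .241, switch SVI .244, firewall outside .245) and a /28 routed block behind the firewall.

```python
"""Constructed addressing plan standing in for the poster's ISP allocation."""
from ipaddress import IPv4Address, IPv4Network

ISP_HANDOFF = IPv4Network("203.0.113.240/29")      # the /29 the ISP connects to
ISP_GATEWAY = IPv4Address("203.0.113.241")         # ISP default gateway
SWITCH_SVI = IPv4Address("203.0.113.244")          # VLAN interface that replaces the firewall as edge
FIREWALL_OUTSIDE = IPv4Address("203.0.113.245")    # firewall's outside interface, now a plain host
ROUTED_BLOCK = IPv4Network("203.0.113.0/28")       # the "internal IPs" the ISP routes to the /29

# Static routes the post proposes on the switch, as (prefix, next hop).
STATIC_ROUTES = [
    (IPv4Network("0.0.0.0/0"), ISP_GATEWAY),       # ip route 0.0.0.0 0.0.0.0 <isp gw>
    (ROUTED_BLOCK, FIREWALL_OUTSIDE),              # ip route <block> <mask> <fw outside>
]


def next_hop(dst: str) -> str:
    """Resolve where the switch forwards a packet: the connected /29 wins,
    otherwise the most specific matching static route (longest-prefix match)."""
    addr = IPv4Address(dst)
    if addr in ISP_HANDOFF:
        return "connected"              # delivered on the VLAN via ARP, no route needed
    best = None
    for prefix, gateway in STATIC_ROUTES:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gateway)
    return str(best[1])                 # the 0/0 route guarantees a match


def free_handoff_hosts(in_use=(ISP_GATEWAY, SWITCH_SVI, FIREWALL_OUTSIDE)) -> list[str]:
    """Usable /29 host addresses still unassigned (network and broadcast excluded)."""
    return [str(h) for h in ISP_HANDOFF.hosts() if h not in in_use]


if __name__ == "__main__":
    print("to routed block:", next_hop("203.0.113.5"))
    print("to the internet:", next_hop("198.51.100.7"))
    print("free /29 hosts:", free_handoff_hosts())
```

Traffic for the /28 is forwarded to the firewall's outside address, everything else to the ISP, and three /29 host addresses remain for devices placed beside the firewall.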