
I have two sets of ESXi hosts, one set for management and one for tenants. Each ESXi host has 8 nics and four vSwitches. All vSwitches are trunked via aggregated interfaces to a pair of EX in VC mode.

I only have one ISP connection with a network allocation (/28) which is bridged (the ISP provides the gateway that we use)

The EX uplink to the Sonic is ge-0/0/20, a trunked port for 5 VLANs: (10, 20, 30, 60, and ‘default/untagged’ vlan). The rest of the VLANs are internal traffic, unrouted, no gateway.

I need to have direct internet connection on VLAN 60 (not NAT). I have set up an RVI on the switch, vlan.60, as per http://kb.juniper.net/InfoCenter/index?page=content&id=KB11000&actp=RSS

The Sonicwall supports “L2 Bridge Mode” so I can bridge my ISP connection (now connected @ X1 port) to the X0 port. They say on their KB that this way, you can effectively span your WAN subnet and insert the Sonicwall “transparently”: http://www.firewalls.com/blog/transparent_mode_or_bridge_mode/

If I bridge X0 to X1, I will only have a public interface for the Sonicwall; I won't be able to use its current LAN IP 10.0.14.254

Can I then assign my entire WAN subnet on my l3-interface of vlan.60 ? And, do I need to set the native-vlan-id of my ge-0/0/20 uplink to VLAN 60 ?

The Sonicwall is connected to EX ge-0/0/20 (gigabit port) through X0 and to the me0.0 ('vme') port through X3.

Topology diagram: i.stack.imgur.com/Ijzw2.png

alex9183

1 Answer


As I understand it, the bridge mode will turn the SonicWall into an L2 bridge. They use confusing terminology on their homepage, but that is how I understand it. If so, you can imagine it as being just a wire between your EX and the ISP gateway. So you configure your port on the EX as if your ISP gateway were plugged right into that port.

You set the port-mode of ge-0/0/20 to access with vlan 60 as the only member vlan. The vlan.60 L3 interface then gets an IP from the ISP's /28 only IF you want it to have an IP in that network. Mind you, it's a public IP; you should check that no services on the switch are reachable from the outside. As you have the management interface connected to the Sonicwall as well, you could also use an internal IP for the switch management and connect via VPN or other means through the Sonicwall.

  • Thank you, this is what I was assuming. I believe I can try also a "trunk" port as long as it has its native-vlan-id set to 60. This way the other trunked VLANs can also be uplinked to the NSA. VLANs 10, 20, 30 need to use the NSA as their gateway. The trunk approach might work? The NSA documentation states that VLAN traffic is allowed on the bridge pair: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5976. I would rather not dedicate a public IP to the switch, as I can easily access it via the Sonic SSL-VPN (it has a Java SSH client that connects to its internal 10.0.30.x IP) – alex9183 Apr 06 '13 at 03:40
  • Sure, you can trunk the port if you want. You would send the broadcast traffic from all trunked VLANs to the ISP. Theoretically the ISP could configure an IP in the VLANS and so participate in your internal VLANs. You would have to filter this on the NSA. If you don't need a public IP on the switch, don't configure a l3-interface on VLAN 60. – Sebastian Wiesinger Apr 06 '13 at 08:51
  • Good point. Will try the MAC filter on the EX for the 4 VLANs to be trunked on the ge-0/0/20 port. Basically VLAN 10 is only for 2 nodes (an HA pair of the free Citrix NetScaler VPX load balancers), VLAN 20 only has 3 vCloud VMs (2 vCD cells and 1 vCIM cell), VLAN 30 has my ESXi host VMkernel interfaces (only 4 hosts for now) and VLAN "default" has my private network management VMs (around 18 VMs total). Should be something like [edit ethernet-switching-options secure-access-port] interface $NAME$ { allowed-mac $MAC1$; allowed-mac $MAC2$; } – alex9183 Apr 06 '13 at 12:01
  • Just a suggestion regarding the management network on the "default" VLAN (VLAN 1). VLAN 1 will be present on unconfigured ports by default on many vendors' switches. I would suggest moving it to a dedicated VLAN with any other VLAN ID than 1. – Sebastian Wiesinger Apr 06 '13 at 12:33
  • Thank you, didn't have any luck so far despite numerous attempts. I think the Sonicwall is messing with the traffic that goes on the L2 bridge pair. I am confused due to the fact that the vme port is also acting as a router on the EX. Let's say my /27 allocation is 192.0.2.112/27 and my gateway 192.0.2.97. Can I define distinct routes for my "direct-external" VLAN (60) to 192.0.2.97, and keep everything else (10, 14, 20, 30) unrouted, so each node will have to use the Sonicwall's interfaces on each VLAN? I.e. VLAN 10 nodes use 10.0.10.254 as gateway, VLAN 20 use 10.0.20.254, and VLAN 60 the ISP? – alex9183 Apr 07 '13 at 16:32
  • What do you mean by distinct routes? A port cannot act as a router. The EX has a routing table, but that should not interfere with your hosts as long as you don't configure the EX as the gateway on a host. – Sebastian Wiesinger Apr 08 '13 at 06:28
  • OK, in the end I created interfaces on the Sonicwall for my 4 trunked VLANs and I used the "Transparent Mode" instead of the L2 Bridge mode for my 5th VLAN (the "Direct-external"). I set this VLAN to be tagged on my uplink port and now everything seems to work. Thanks – alex9183 Apr 09 '13 at 15:10
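As an added illustration (not from the answer or the asker), here is what the answer's recommendation looks like as an EX-series Junos configuration of that era: ge-0/0/20 as an access port in VLAN 60 only, an RVI on vlan.60, and a filter on that RVI so that nothing arriving from the ISP side can reach the switch itself. The VLAN name "direct-external" is taken from the thread; the RVI address 192.0.2.114/28 is a constructed placeholder in the documentation range, and the filter is only needed if you do give the RVI a public address (otherwise omit the vlan.60 unit and l3-interface, as the answer suggests).

```junos
/* Added example, not part of the original thread. Assumed/constructed:
   VLAN name direct-external, RVI address 192.0.2.114/28. */
interfaces {
    ge-0/0/20 {
        description "Uplink to SonicWall X0 (L2 bridge to ISP)";
        unit 0 {
            family ethernet-switching {
                port-mode access;            /* single untagged VLAN, per the answer */
                vlan {
                    members direct-external;
                }
            }
        }
    }
    vlan {
        unit 60 {                            /* only if the switch needs a public IP */
            family inet {
                filter {
                    input protect-rvi60;
                }
                address 192.0.2.114/28;
            }
        }
    }
}
vlans {
    direct-external {
        vlan-id 60;
        l3-interface vlan.60;
    }
}
protocols {
    lldp { interface ge-0/0/20 { disable; } }   /* do not advertise the switch toward the ISP */
    rstp { interface ge-0/0/20 { disable; } }   /* no STP exchange with an untrusted side */
}
firewall {
    family inet {
        filter protect-rvi60 {
            /* traffic from VLAN 60 may ping the RVI, but nothing else addressed
               to the switch gets through; routed transit traffic is untouched */
            term allow-ping {
                from { destination-address { 192.0.2.114/32; } protocol icmp; icmp-type echo-request; }
                then accept;
            }
            term block-switch {
                from { destination-address { 192.0.2.114/32; } }
                then { count rvi60-blocked; discard; }
            }
            term transit { then accept; }
        }
    }
}
```

Check the result with `show firewall filter protect-rvi60` after a connection attempt to the RVI address from the ISP side; the rvi60-blocked counter should increase while SSH or web access to the switch itself still works only via the internal management path.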