2021/06/20

LAN-ing WAN connection

Or maybe the more "techy" name would be Distributed WAN Connection... ;p

I got this due to my struggle with my ISP's policy: 1 account, 1 open port, whilst my infra sometimes needs to be direct-attached for penetration testing, or simply for bandwidth testing.

So, the goals here are:

  1. All delivered WAN IPs are usable.
  2. Directly attached virtual infrastructure.

Declaration:
  • UTM appliance => Sonicwall NSA3600/2600.
  • Catalyst L2/L3 => C3750 & RG-S6220.
  • Active ISP service => min. /29 public IP Address.

Topology:

[Diagrams: logical topology and physical topology]


Prepare/isolate the "room".

We're LAN-ing something..

Network-102: Broadcast domain a.k.a VLAN.

(config)# vlan 999

(config-vlan)# name WAN

(config)# interface range *all ports designated for the goals*

(config-if-range)# switchport mode access

(config-if-range)# switchport access vlan 999 

Done!

This VLAN doesn't need a gateway.

 

Get the inner-gate ready.

We need to make vlan 999 (and other access vlans) WAN accessible, so the connection between CORE (furthest catalyst) and EDGE (UTM appliance) should be trunked. 

(remember network-103: dot1q) ;p

Catalyst POV: 

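(config)# interface *interface to be trunked*

(config-if)# switchport trunk encapsulation dot1q *needed on the C3750, which rejects mode trunk while the encapsulation is still negotiated*

(config-if)# switchport mode trunk

(config-if)# switchport trunk allowed vlan *VLANs to pass through*, or simply skip this line to allow all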

 

Edge POV:


The configuration shown above enables virtual interface V999, inherited under the X0 physical interface. "IP Unnumbered" should be selected to mark this virtual interface as a "trunk" to its neighbors.

At this point, our trunk port is ready at the core and edge level.

Now we need to distribute it to the access level.


Distribute access:

Physical distribution access on physical port(s) on edge device:

Make sure "Native Bridge Mode" is selected to allow this physical port to be bridged to X0:V999.

From here, don't forget to add a port group V999 in your virtual network.

If V999 is ready and assigned to the VM, then we're done. It's directly connected to the internet, bypassing all EDGE policies.

Please be careful: since you're directly connected and bypassing the gateway, you're at your own risk and very susceptible to any threats.

Good luck!
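Since anything in VLAN 999 sits outside the EDGE policies, it is worth knowing exactly which switch ports can reach it. The Python below is an added example, not part of the original post: it reads an IOS-style running-config and lists the access ports in VLAN 999 plus the trunks that carry it, including trunks left at allow-all. The sample config, interface names and function names are constructed for illustration, and one "switchport trunk allowed vlan" line per interface is assumed.

```python
import re

# Constructed running-config excerpt; interface names and VLAN 10/20-30 are made up.
SAMPLE_CONFIG = """\
vlan 999
 name WAN
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 999
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/23
 switchport trunk allowed vlan 10,20-30
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

def expand_vlans(spec):
    """Turn an allowed-VLAN list such as '10,20-30' into a set of ids."""
    if spec in ("all", "none"):
        return set(range(1, 4095)) if spec == "all" else set()
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def wan_exposure(config, wan_vlan=999):
    """Return (access ports in wan_vlan, trunk ports that carry wan_vlan)."""
    access, trunks = [], []
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        if not block.startswith("interface "):
            continue
        name = block.split()[1]
        if re.search(r"^ switchport mode trunk", block, re.M):
            allowed = re.search(r"^ switchport trunk allowed vlan (\S+)", block, re.M)
            # No allowed list means the trunk carries every VLAN, 999 included.
            if allowed is None or wan_vlan in expand_vlans(allowed.group(1)):
                trunks.append(name)
        elif re.search(rf"^ switchport access vlan {wan_vlan}\s*$", block, re.M):
            access.append(name)
    return access, trunks
```

Any port in either list that is not one of the ports designated for the goals above is a host or link with unfiltered internet exposure.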