Every now and then, my company sells a 3rd party DIA circuit to a customer (usually as part of a larger packaged solution, otherwise this makes no sense at all) where we play no role in the customer's layer 3 termination. It's literally just a 3rd party DIA circuit that we have no visibility into, which hands off to a customer-owned firewall or WAN appliance.
The challenge with these circuits is that while we don't have any visibility into them, we still need to do our best to provide active monitoring and be in a position to help facilitate troubleshooting should the client have an issue. In the past, we've tried to accomplish this in a number of ways I am opposed to. For example, we've ordered a /29 from the carrier (even though the client only needs a single IP) and thrown our own firewall-capable switch in-line between the client's CPE and the carrier. This works, but it is bulky and a waste of precious IPv4 space. Other times, we've ordered a routed /30 to go along with the p2p subnet, then placed our own firewall in-line, doing no stateful inspection or NATing of the client's subnet; just acting as transparently as possible. This, again, is a waste of IP space, and I am strongly opposed to placing a firewall in front of the client's firewall for a number of reasons. It just opens the door to possible problems that are only going to frustrate both the end user and our support teams.
I am on a quest to see if there is a device out there which might provide a less bulky solution for monitoring in cases like this. I want to find a manageable box that can provide basic monitoring connectivity in-line between the carrier hand-off and the client, without the need for additional IP space, and without the exposure and cost of a full firewall. I am envisioning a box that is basically doing IP passthrough or bridging, while at the same time listening only on one or two specific obscure ports (ACL-protected) for SSH and ICMP traffic. Doesn't even need to talk SNMP as far as I'm concerned.
Does such a box exist? Or is there a more obvious solution that eludes me?
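For reference, here is what the box described above looks like when built from a plain Linux host: a bridge between the carrier-facing and customer-facing ports that forwards every frame untouched, plus an nftables ruleset that makes the box itself answer only ICMP echo and SSH on a non-default port, and only from a management prefix. This is an added example, not something from the original post or from any vendor; the interface names, the management prefix (203.0.113.0/24, a documentation range) and the SSH port 2222 are constructed. Where the box's own management address comes from (`MGMT_ADDR`, if set) is exactly the part the post leaves open, and the example does not settle it; it only shows the passthrough and the lock-down.

```shell
#!/bin/sh
# Added example (not from the original post): a Linux host as a transparent
# in-line monitoring bridge. Customer traffic crosses the bridge unfiltered;
# the box answers only ICMP echo and SSH on an obscure port from one prefix.
# Interface names, prefix, port and address below are assumptions.

CARRIER_IF="${CARRIER_IF:-eth0}"        # assumed port facing the carrier hand-off
CUSTOMER_IF="${CUSTOMER_IF:-eth1}"      # assumed port facing the customer CPE
BRIDGE_IF="${BRIDGE_IF:-br0}"
MGMT_PREFIX="${MGMT_PREFIX:-203.0.113.0/24}"   # constructed: monitoring/NOC source range
SSH_PORT="${SSH_PORT:-2222}"                   # constructed: non-default SSH port
MGMT_ADDR="${MGMT_ADDR:-}"                     # optional; how it is sourced is out of scope

# Render the nftables ruleset for a management prefix and SSH port.
# Output only, so the result can be reviewed or diffed before applying.
build_nft_ruleset() {
    mgmt_prefix="$1"
    ssh_port="$2"
    cat <<EOF
flush ruleset

# Bridge family: forward every frame between the two ports as-is.
# No connection tracking and no NAT, so the box stays transparent to the customer.
table bridge passthru {
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
}

# inet family: restrict what the box itself will answer.
table inet mgmt {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Reachability checks from the monitoring system only.
        ip saddr ${mgmt_prefix} icmp type echo-request accept

        # SSH on the non-default port, again only from the management prefix.
        ip saddr ${mgmt_prefix} tcp dport ${ssh_port} accept

        # Everything else aimed at the box (including port 22) is logged and dropped.
        log prefix "mgmt-box-drop: " drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Build the bridge. Requires root; not invoked unless "apply" is requested.
apply_bridge() {
    ip link add name "$BRIDGE_IF" type bridge
    ip link set "$CARRIER_IF" master "$BRIDGE_IF"
    ip link set "$CUSTOMER_IF" master "$BRIDGE_IF"
    ip link set "$CARRIER_IF" up
    ip link set "$CUSTOMER_IF" up
    ip link set "$BRIDGE_IF" up
    # Keep bridged frames out of the IP-layer netfilter hooks so the inet table
    # above never sees customer traffic. These sysctls exist only when
    # br_netfilter is loaded, so failing to set them is not fatal.
    sysctl -q -w net.bridge.bridge-nf-call-iptables=0 2>/dev/null || true
    sysctl -q -w net.bridge.bridge-nf-call-ip6tables=0 2>/dev/null || true
    if [ -n "$MGMT_ADDR" ]; then
        ip addr add "$MGMT_ADDR" dev "$BRIDGE_IF"
    fi
}

case "${1:-show}" in
    apply)
        apply_bridge
        build_nft_ruleset "$MGMT_PREFIX" "$SSH_PORT" | nft -f -
        ;;
    show)
        build_nft_ruleset "$MGMT_PREFIX" "$SSH_PORT"
        ;;
esac
```

Run it with no argument to print the ruleset for review, or as root with `apply` to create the bridge and load the rules. The design point is that the bridge-family chain never touches customer packets (no state, no NAT, nothing to frustrate the customer's own firewall), while the inet input chain is the only place the box is reachable at all, and it drops by default.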