
How do you set up an Ethernet Virtual Private Line connection in UTM?

Greetings everyone,

Just finished a 16-hour day trying to configure Ethernet Virtual Private Line (EVPL) connections with my UTM to replace two RED-50s. No luck.

At our request, I asked our Internet provider to set up two EVPLs to replace two RED-50 devices to connect to our UTM. They keep rebooting and are not reliable.

I couldn't figure out how to set up these connections this evening; very disappointing to reconnect the REDs.

Does anyone have any experience setting up EVPLs on UTM?

Thanks for any input.

 



  • Hello Sean,

    If anybody is to be able to help, you have to give us a little more info about your setup.

    Several questions come to my mind:

    1.) Are there three sites you want to connect with each other? Or two "satellites" to one "main site"? Or?

    2.) What are the existing networks at these sites?

    3.) How is the "Ethernet-Port" handed over to you? (What kind of CPE is provided by your ISP?)

    4.) What is the level of trust you have in your ISP? I mean: do you think this is really "your" private connection?

    5.) Something has to be installed at the remote sites as a gateway, what are your plans?

    ... and many more, which I can only guess here.

    So please be more specific.

    Best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Good morning from Seattle, sorry for the vague details initially. I appreciate any help.

    We are setting up a fiber hub and spoke circuit with three locations. 

    (1) Location one (hub), Sophos UTM SG-210, 100Mbps DIA Internet, all traffic will proxy out of this location. EVPL circuits are bridged and available on port 1-1-3 of Adva.

    (2) Location two (spoke), EVPL circuit Port 1-1-3 on Adva, VLAN: 1202, Copper, 50Mbps.

    (3) Location three (spoke), EVPL circuit Port 1-1-3 on Adva, VLAN: 1201, Copper, 50Mbps.

    I attempted to connect all three locations last night by connecting the EVPL circuit and the internal LAN via a switch to the LAN port of the UTM.

    I believe the circuits were all connected but could not communicate.

    Perhaps these EVPLs require an interface set up in the UTM that I can bridge to the internal LAN interface of the hub location, like I did with the RED-50s we're replacing.

  • Hello Sean,

    that clarifies a bit...

    Still I have open questions: How are your IP-networks configured?

    You did not answer all of my spontaneous questions ...

    I try to read between the lines ... do you expect all interfaces to form "one big network" because they are all Ethernet?

    I wouldn't go that way. Let's try to get this straight.

    How many devices / users are at your remote sites?

    I am asking to make some planning decisions for your network segments.

    If you go for a Layer 2 network spanning all three sites, you will force ALL traffic from ALL sites through the WAN.

    That's not very clever; although this would simplify your setup, your usable bandwidth will suffer.

    A far better approach would be to have separate LAN segments at each site and to have a Layer 3 (routing) setup between these segments.

    If you have a very high level of trust in your ISP and in how safely it set up your virtual network for you, then you would not need any encryption and/or VPN tunnels on the transfer nets, but if not, I would recommend setting up IPsec tunnels between those sites.

    The easiest thing would be to use Layer 3 switches, where you could set up your own routing tables and use the switch as the default gateway at each site.

    If encryption has to be done, then you would need some kind of router/VPN/firewall gateway at the edge of each site before going into the Adva devices (are these FSP150?).

    BTW: how are the VLANs configured? Why does every site have its own VLAN? You definitely need to tell us about your IP-ranges here.

    Best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner
