Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  ICMP Timeout question

     
    Posted 10-05-2018 01:01

    This is the topology:

     

    CPE (WAN) --> ge-0/0/1 NTE (SRX340) ge-0/0/2 --> xe-1/2/4 MX240 xe-1/2/5 --> upstream ISP

     

    I was given two options to configure the device as follows:

     

    1: Supply Customer with /30. Apply one address to the CPE WAN interface and the second address to the MX240 xe-1/2/4 interface. The SRX340 then acts as a layer 2 switch for the VLAN. I then add a second VLAN between ge-0/0/2 and xe-1/2/4 for management as Layer 3 - Tested and working correctly.

     

    2: Supply customer with /30. Apply one address to the CPE WAN and the second address to the ge-0/0/1 interface on the SRX340. Now create two VLANs between ge-0/0/2 and xe-1/2/4. One for management and one to carry the customer data. - Tested and working correctly.

     

    Issue: 

    With Option 1, if the customer performs a traceroute they only see the xe-1/2/4 interface and then upstream ISP. Perfect. Except that the Customer then has to configure the CPE with a VLAN and other options. From a sales perspective, this is not good. Also, we cannot offer VoIP at NTE level as it is layer 2 for the Customer.

     

    With Option 2: Traceroute will show the ge-0/0/2 interface address as well as the xe-1/2/4 interface address. To stop them seeing this I have applied an ICMP Firewall filter. But, they will still know that something is there because they see the timeouts on the trace. This option allows for CoS and therefore VoIP.

     

    Questions: 

    1: Is there a way of stopping the customer seeing the echo responses so that the only hop they see in a traceroute is the gateway address? (From our network perspective)

     

    2: I have heard of ISPs supplying a /28 and using 3 or 4 addresses for themselves and using a scenario like option 1 but having the SRX340 acting at Layer 3. I do not see how this is possible as the CPE still requires a gateway.... I cannot see how adding an IP address to each interface in the same subnet changes option 1 in any way at all?

     

    3: Ideas on any of the above please?



  • 2.  RE: ICMP Timeout question
    Best Answer

     
    Posted 10-05-2018 07:00

    No need to worry about this one.

     

    We are utilising a different option that I have tested and is working fine with no issues.

     

    Thanks