MPLS and Internet Traffic on same pipe

Unanswered Question
Apr 16th, 2008
User Badges:

Greetings, ive had a sample config from our MPLS provider explaining how Internet and MPLS can be put down the same pipe.

The scenario uses both a Cisco 3825 ISR with a HWIC-4ESW card installed and an ASA 5510.

Ive been informed that the link to the MPLS will be an 802.1q trunk carrying both internet traffic and MPLS traffic destined for internal use.

This is the sample config ive been given.

bridge irb



interface GigabitEthernet0/0


ip address

duplex full

speed 100

media-type rj45

no cdp enable


interface GigabitEthernet0/1

description Firewall_Outside_LAN

bridge-group 1

duplex full

speed 100

traffic-shape rate 10000000 250000 250000 1000


interface GigabitEthernet0/0/0

To Thus MPLS Primary Interface


interface GigabitEthernet0/0/0.10

description Link to Thus encapsulation dot1Q 10

ip address


interface GigabitEthernet0/0/0.20

description Link to Internet

encapsulation dot1Q 20

bridge-group 1

traffic-shape rate 10000000 250000 250000 1000


router bgp 64721

bgp log-neighbor-changes

neighbor remote-as 2529

neighbor default-originate


bridge 1 protocol ieee

This is also the brief ive been given with the example.

The customer has an existing MPLS connection at their head office.

The Internet circuit will be provided by re-configuring the MPLS circuit as a dot1Q trunk carrying a data VLAN and an Internet VLAN. The Internet VLAN will be bridged across the router and will be terminated on the outside VLAN.

The data VLAN will terminate on the CPE router.

The /29 network between the firewalls and the Thus Inside Edge router is public address space and the firewalls will provide the routing to the Internet for **** ******** ******.

The two switches belong to the customer and they will deal with all aspects of routing between the Inside LAN, the data network and the Internet. The CPE will originate and advertise a default route in BGP so that other sites can access the Internet via the main

Policing will be configured on Interfaces G1 and G0/0.20 to the to limit the Internet traffic to 10Mb.

I understand how traffic will be bridged on the router but cant see how traffic bound to the internet will pass through the firewall and back out of the router. Will i be required to trunk to the firewall or a switch then back to the router?

Any help would be appreciated.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
mheusing Wed, 04/16/2008 - 07:21
User Badges:
  • Cisco Employee,


the "bridge" works in both directions; frames from the internet will be forwarded to the firewall out of interface GigabitEthernet0/1 and frames to the internet router out through interface GigabitEthernet0/0/0.20

There is no requirement to trunk the firewall.

Traffic arriving from the MPLS VPN will be routed out interface GigabitEthernet0/0, but this portion is missing in the config. So interface GigabitEthernet0/0 connects to the intranet, which might be another firewall interface, if you do not trust the ISP and/or other MPLS VPN locations.

Thus you could even offer internet access to the MPLS VPN with this solution by inserting a default route into the MPLS VPN.

Hope this helps! Please use the rating system.

Regards, Martin

exonetinf1nity Wed, 04/16/2008 - 07:38
User Badges:

Thank you for the information but im afraid im still at a loss, would i be correct in assuming that the bridge interface also requires an IP address which isn't part of the config supplied?

If you know of any examples it would be appreciated as i cant see how connectivity between the two devices would be established.


exonetinf1nity Wed, 04/16/2008 - 08:38
User Badges:

Please find attached what i would envision the physical connection to look like.

The link between the router and the firewall is probably the most confusing part. As the outside address of the router is a private address, the address space between the router and firewall is i imagine from whats been said public address space in our example being a /29 network then behind the firewall sits the hub sites private address range.



This Discussion