Solution required

Jun 17th, 2008

I have the following scenario:

Router<->Firewall<->Core Switch<->Server


There is a direct link from the router to the core switch as well. The router has two sub-interfaces: Internet and MPLS. To access the Internet, the server must go through the firewall, and to access MPLS the server must go through the direct link to the router.

Can anyone guide me on how to accomplish this?



joseph.derrick Tue, 06/17/2008 - 06:27

The scenario is not clear to me. When you speak of an Internet server, are you referring to Internet sites (i.e. ?

And when you go through the MPLS server, are you referring to an intranet?

Please clarify.



bsn1980in Tue, 06/17/2008 - 06:49

Hi K0rg

I want to access the Internet (www) and MPLS from the server. The only difference is that to access the Internet my server must go through the firewall, and to access MPLS it must go through the direct link between the router and the core switch.


patrickvanham Tue, 06/17/2008 - 06:48

It sounds like you wish to have regular IP traffic go through the firewall and label-switched traffic bypass the firewall. Is this correct?

bsn1980in Tue, 06/17/2008 - 20:46

My requirement is to reach the Internet and MPLS, which are connected on my router.

For Internet:

My LAN/server must pass through the firewall, and vice versa.


My LAN/server must pass through the direct connection between the router and the core switch, and vice versa.

I have tried it through PBR and it seems to be working fine.

Is there any other way to do so?


Collin Clark Wed, 06/18/2008 - 05:19
User Badges:
  • Purple, 4500 points or more

Depending on your IP scheme, you could use your IGP to bypass the firewall.

arunsing Wed, 06/18/2008 - 05:38

Yes, but it depends on whether you are using a routing protocol or not. You can publish a default route from the firewall and the specific networks across MPLS from your edge router.

Rick Morris Wed, 06/18/2008 - 10:01
User Badges:
  • Silver, 250 points or more

You can use PBR or EIGRP, but a routing protocol must be used to specify where the traffic goes.

For instance:

Traffic on the other end of the MPLS network might be

You could put in a static route for all traffic on your network to go out the directly connected link on the router:

ip route

ip route

These two routes tell the traffic where to go.

bsn1980in Fri, 06/20/2008 - 00:38

As a normal PBR configuration, I have created an extended access-list with source and destination subnets, then matched it and set the next-hop to be the interface directly connected to the router.

The rest of the traffic will go to the firewall using the default route. Also, if my direct connection to the router fails, the next hop will not be reachable and all the traffic will then move through the firewall.

I have applied the same configuration for incoming traffic from the MPLS cloud on the router as well.



patrickvanham Fri, 06/20/2008 - 02:02

If your ACL has specific subnets in the MPLS cloud, you could set up static routes to the MPLS cloud towards the directly connected interface to the router and a default route to the firewall.

bsn1980in Fri, 06/20/2008 - 06:04

I have encountered a problem with this scenario; let me explain:

Inside network: /24

MPLS remote network: /16

I have defined the static routes below on:

Core Switch: G0/0 (interface directly connected to the router), G0/1 (interface connected to the FW)

Router: G0/0 (interface connected to the core switch), G0/1 (interface connected to the FW)

In this case my MPLS traffic from the subnet goes out from the interface directly connected to the router and comes back.

But Internet traffic from the subnet goes out using the default route and comes back from the directly connected interface between the router and the switch using the more specific default route. Hence I am not able to access the Internet.

I am doing NAT on the router for Internet access. The solution could be doing NAT on the firewall as well, but with PBR this solution seems to be working fine.



patrickvanham Fri, 06/20/2008 - 06:17

That is because the route back is more specific, directly towards the core switch. Every packet towards /24 will take the directly connected route. On the router you would need to use PBR and source-based routing in your situation, i.e. if the source is the MPLS cloud use Gi0/0, everything else follows the default route towards the firewall. An ACL like "permit ip any" could be used to determine the egress interface on the router in a route-map. The route-map would be applied on the Internet and MPLS ingress interface(s).

bsn1980in Fri, 06/20/2008 - 06:31

Yes... This is the reason for using PBR. I have only applied PBR on the MPLS ingress interface, as below. Also, I have removed the more specific static route for the subnet. Now, even if Gig0/0 goes down, all the traffic (MPLS & Internet) will follow the path towards the firewall.


interface GigabitEthernet0/2
 ip policy route-map MPLS-Traffic

access-list 100 permit ip

route-map MPLS-Traffic permit 10
 match ip address 100
 set interface Gig0/0


My query was whether I can use any other way out for this kind of situation, or whether PBR is the only option.
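The asymmetric-return problem patrickvanham describes (the more specific /24 route pulls Internet replies onto the direct link, past the stateful firewall) and the fix in the post above (drop the specific route, keep only the default route, and apply PBR on the MPLS ingress interface) can be checked as a small routing model. This is an added Python example, not configuration from the thread or from Cisco; the prefixes 10.1.1.0/24 and 172.16.0.0/16, the sample hosts, and the Gi0/3 Internet ingress interface are constructed assumptions, and NAT on the router is assumed to have already been undone before the routing lookup.

```python
import ipaddress

# Constructed addresses: the thread gives only the prefix lengths (inside /24,
# MPLS remote /16), so these values are assumptions for the example.
INSIDE = ipaddress.ip_network("10.1.1.0/24")
MPLS_REMOTE = ipaddress.ip_network("172.16.0.0/16")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Router interfaces as named in the thread: Gi0/0 is the direct link to the
# core switch, Gi0/1 faces the firewall, Gi0/2 is the MPLS ingress.
# Gi0/3 as the Internet ingress is an assumption.
TO_CORE, TO_FIREWALL, FROM_MPLS, FROM_INTERNET = "Gi0/0", "Gi0/1", "Gi0/2", "Gi0/3"
ALL_UP = frozenset({TO_CORE, TO_FIREWALL})

# Router static routes from the "problem" post: a specific /24 back towards the
# core switch plus a default route towards the firewall.
RIB_BEFORE = [(INSIDE, TO_CORE), (DEFAULT, TO_FIREWALL)]
# After the fix: the specific /24 is removed, only the default route remains.
RIB_AFTER = [(DEFAULT, TO_FIREWALL)]


def longest_prefix_match(rib, dst, up):
    """Normal destination-based forwarding: the most specific prefix whose
    egress interface is up wins (a static route via a down interface is
    withdrawn, so it is skipped here)."""
    best = None
    for prefix, iface in rib:
        if iface not in up or dst not in prefix:
            continue
        if best is None or prefix.prefixlen > best[0].prefixlen:
            best = (prefix, iface)
    return best[1] if best else None


def pbr_mpls_ingress(src, dst, up):
    """Model of 'route-map MPLS-Traffic': source in the MPLS cloud and
    destination in the inside LAN -> 'set interface Gig0/0'. If Gi0/0 is down
    the set has no usable interface and the packet falls through to the RIB."""
    if src in MPLS_REMOTE and dst in INSIDE and TO_CORE in up:
        return TO_CORE
    return None


def router_egress(rib, ingress, src, dst, pbr=True, up=ALL_UP):
    """Egress interface the router chooses for one packet. PBR is consulted
    only on the MPLS ingress interface, as in the posted configuration."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if pbr and ingress == FROM_MPLS:
        forced = pbr_mpls_ingress(src, dst, up)
        if forced:
            return forced
    return longest_prefix_match(rib, dst, up)


def return_paths(rib, pbr=True, up=ALL_UP):
    """Where reply traffic towards an inside host leaves the router, for a reply
    arriving from the Internet and one arriving from the MPLS cloud.
    The host addresses are constructed sample values."""
    inside_host = "10.1.1.5"
    return {
        "internet_reply": router_egress(rib, FROM_INTERNET, "203.0.113.10", inside_host, pbr, up),
        "mpls_reply": router_egress(rib, FROM_MPLS, "172.16.5.5", inside_host, pbr, up),
    }


def firewall_symmetric(paths):
    """The stateful firewall only sees both directions of an Internet session
    if the reply comes back through it; a reply via the direct link bypasses
    the firewall's session table and the session breaks."""
    return paths["internet_reply"] == TO_FIREWALL


if __name__ == "__main__":
    for label, rib, pbr in [("before fix (specific /24, no PBR)", RIB_BEFORE, False),
                            ("after fix (default only + PBR)", RIB_AFTER, True)]:
        paths = return_paths(rib, pbr)
        print(label, paths, "Internet reply symmetric:", firewall_symmetric(paths))
    # Failover case from the thread: Gi0/0 down, everything follows the default route.
    print("after fix, Gi0/0 down:", return_paths(RIB_AFTER, True, frozenset({TO_FIREWALL})))
```

Running it shows the before case sending both replies out Gi0/0 (Internet sessions break because the firewall never sees the return packets), the fixed case sending the Internet reply to the firewall and only the MPLS reply over the direct link, and, with Gi0/0 down, both replies falling back to the firewall path.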