Solution required

Unanswered Question
Jun 17th, 2008

Hi

I have following scenario

Router<->Firewall<->Core Switch<->Server

|_____________________|

There is a direct link from router to core swich as well. Router have two sub-interfaces for; Internet and MPLS. To access internet Server must go thru firewall and to access MPLS server must go thru direct link to router.

Can anyone guide how to accomplish this.

Regards

BSN

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
joseph.derrick Tue, 06/17/2008 - 06:27

Hi BSN,

The scenario is not clear with me. When you speak of Internet server, are you referring to Internet sites (ie www.yahoo.com) ?

And when you go through MPLS server, are you referring to an intranet ?

Please clarify.

Thanks,

K0rg

bsn1980in Tue, 06/17/2008 - 06:49

Hi K0rg

I want to access internet(www) and MPLS from Server. Only difference would be, to access Internet, my server must go through firewall and to access MPLS it must go through the direct link between router and core switch.

Rgds/bsn

patrickvanham Tue, 06/17/2008 - 06:48

It sounds like you wish to have regular IP traffic go through the firewall and label-switched traffic bypass the firewall. Is this correct?

bsn1980in Tue, 06/17/2008 - 20:46

Hi

My requirement is to reach Internet and MPLS which are connected on my router.

For Internet:

My LAN/Server must pass thru Firewall and vice versa.

For MPLS:

My LAN/Server must pass thru the direct connection between Router and Core Switch and vice versa.

I have tried it thru PBR and it seems to be working fine.

Is there any other way to do so??

Rgds/bsn

Collin Clark Wed, 06/18/2008 - 05:19

Depending on your IP scheme, you could use your IGP to bypass the firewall.

arunsing Wed, 06/18/2008 - 05:38

Yes but depends if you are using any routing protocol or not. You can publish a default route from the firewall and the specific networks accross mpls from your edge router.

Rick Morris Wed, 06/18/2008 - 10:01

you can use PBR, EIGRP but it must be a routing protocol used to specify where the traffic goes.

For instance.

Traffic on the other end of the MPLS network might be 172.16.0.0/16

You could put in a static route for all traffic on your network to go out the directly connected link on the router.

ip route 172.16.0.0 255.255.0.0

ip route 0.0.0.0 0.0.0.0

These 2 routes tell the traffic where to go.

bsn1980in Fri, 06/20/2008 - 00:38

As a normal configuration of PBR, I have created an extended access-list with source and desination subnets, then match it and set next-hop to be the interface directly connected to router.

Rest of the traffice will go to firewall using default route. Also if my direct connection to Router fails, the next hop will not be reachable and all the traffic will then move through firewall.

Same configuration I have applied for incoming traffic from MPLS cloud on router as well.

Regards

bsn

patrickvanham Fri, 06/20/2008 - 02:02

If your ACL has specific subnets in the MPLS cloud you could set up static routes to the MPLS cloud towards the directly connected interface to the router and a default route to the firewall.

bsn1980in Fri, 06/20/2008 - 06:04

I have encountered a problem with this scenario; let me explain this:

Inside n/w: 10.10.10.0 /24

MPLS remote n/w: 172.16.0.0 /16

I have defined below static routes on

Core Switch:

172.16.0.0 255.255.0.0 G0/0(i/f directly connected to Router)

0.0.0.0 0.0.0.0 G0/1(i/f connected to FW)

Router:

10.10.10.0 255.255.255.0 G0/0 (if connected to Core Switch)

10.0.0.0 255.0.0.0 G0/1 (i/f connected to FW)

In this case my MPMS traffic from 10.10.10.0 subnet goes out from directly connected interface to router and comes back.

But Internet traffic from 10.10.10.0 subnet goes out using default route and comes back from the directly connected interface between router and switch using more sepcific default route. Hence not able to access internet.

I am doing NAT on router for internet access. The solution could be doing NAT on Firewall as well but with PBR this solution seems to be working fine.

Regards

BSN

patrickvanham Fri, 06/20/2008 - 06:17

That is because the route back is more specific directly towards the core switch. every packet towards 10.10.10.0 /24 will take the directly connected route. On the router you would need to use PBR and source-based routing in your situation i.e. if the source is the MPLS cloud use Gi0/0, everything else follow default route towards firewall. An ACL like "permit ip 172.16.0.0 0.0.255.255 any" could be used to determine egress interface on the router in a route-map. The route-map would be apllied in the internet and MPLS ingress interface(s)

bsn1980in Fri, 06/20/2008 - 06:31

Yes...This the reason of using PBR. I have only applied PBR on MPLS ingress interface as below. Also, I have removed the more specific static route for subnet 10.10.10.0/24. Now, even if Gig0/0 goes down, all the traffic (MPLS & Internet) will follow path towards Firewall.

!

interface GigabitEthernet0/2

ip policy route-map MPLS-Traffic

!

access-list 100 permit ip 172.25.243.0 0.0.0.255 10.10.10.0 0.0.0.255

!

route-map MPLS-Traffic permit 10

match ip address 100

set interface Gig0/0

!

My query was, if I can use any other way out for this kind of situation OR PBR is the only option.

Regards

BSN

Actions

This Discussion