Bridging MPLS Link between ISR Router and ASA Firewall

Answered Question
Sep 30th, 2008

Greetings, I've been wrestling with this for a while now.

We have an MPLS link presented on Ethernet coming into the premises. The link is configured as an 802.1Q trunk with two VLANs: one for a link into the MPLS cloud, let's call it VLAN 10, and one VLAN which will provide internet services for the business, let's call it VLAN 20. A /28 public address block has been allocated for internet access.

The Ethernet link terminates on a Cisco 3825 ISR with a 4-port Ethernet HWIC installed.

What I would like to do is bridge the internet VLAN onto the outside interface of an ASA 5510, then back onto the router, so that internal users can access both internet resources and the MPLS network on a common gateway.

Is this possible with the current hardware setup?

Regards

Correct Answer
Giuseppe Larosa Wed, 10/01/2008 - 01:35

Hello Mark,

The MPLS link can be terminated on a L2 trunk with VLAN 10 and VLAN 20 configured on one of the ports of the 4 FE HWIC.

A second port is an access port for VLAN 20 and connects to the ASA.

The trick is to use a third VLAN: VLAN 30 for the second interface of the ASA, which will be bridging between VLAN 20 and VLAN 30 and inspecting traffic.

So the third port will be in VLAN 30.

At layer 3 you will define only an address for VLAN 30 in the internet access network.

So I think it should be possible to achieve what you want to do.

Hope to help

Giuseppe
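
A configuration sketch of the layout described in the answer above, added here as an illustration and not part of the original post. The interface numbers, VLAN names and all addresses (documentation ranges 192.0.2.0/30 and 203.0.113.0/28, with the provider gateway assumed at .1) are placeholders, and the ASA portion assumes the pre-8.4 transparent-mode syntax with a single global management address.

```cisco
! ---- Cisco 3825, 4-port HWIC (port numbering is an assumption) ----
! VLAN creation syntax varies by IOS release ("vlan database" on older images).
vlan 10
 name MPLS
vlan 20
 name INTERNET-OUTSIDE
vlan 30
 name INTERNET-INSIDE
!
interface FastEthernet0/1/0
 description Carrier 802.1Q trunk carrying VLAN 10 and VLAN 20
 switchport mode trunk
!
interface FastEthernet0/1/1
 description To ASA outside (VLAN 20, uninspected side)
 switchport access vlan 20
!
interface FastEthernet0/1/2
 description To ASA inside (VLAN 30, inspected side)
 switchport access vlan 30
!
interface Vlan10
 description Routed link into the MPLS cloud (placeholder address)
 ip address 192.0.2.2 255.255.255.252
!
! Deliberately no "interface Vlan20": VLAN 20 stays layer 2 only, so the
! router's only layer-3 presence in the /28 sits behind the ASA.
interface Vlan30
 description Internet-facing SVI, reached through the bridging ASA
 ip address 203.0.113.2 255.255.255.240
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! ---- ASA 5510 in transparent (bridging) mode ----
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Management address of the transparent firewall, taken from the same /28.
ip address 203.0.113.3 255.255.255.240
```

On the ASA, `show firewall` should report transparent mode once this is applied.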

exonetinf1nity Wed, 10/01/2008 - 04:35

Thank you for the reply, Giuseppe, it makes perfect sense. I was having somewhat of a mind block. I was working under the premise that the trunk had to be terminated on the routed interface on an ISR and didn't actually think of terminating it on the HWIC.

Regards
