How to use MPLS for WAN, but local T1/DSL for general internet use

Unanswered Question
Mar 12th, 2012
Good afternoon,


Right now at our branch locations, we use MPLS via BGP for our WAN connection.  When branch users use the internet they are routed to Headquarters and go out the Headquarters internet circuit. 

Many branches have their own local internet circuit, either T1 or DSL, that we use for failover.

We want the branches to use their local internet circuit for their internet, but continue to route to headquarters via MPLS via BGP for all other network traffic.


My thought was to add a static route: ip route 0.0.0.0 0.0.0.0 "T1 IP ADDRESS"


When I do this internet traffic continues to route through to Headquarters internet circuit.

I do a "sho ip bgp" and in the Network column I see "0.0.0.0" and next to it in the Next Hop column the MPLS Far-end IP Address.


I believe this means all unknown traffic (0.0.0.0) goes to the MPLS Far-end IP Address, which in turn would send you to the Headquarters internet.


Does anyone know how can I send network traffic to our MPLS neighbor (WAN traffic), but send general internet traffic out their locally installed circuit?

Edison Ortiz Mon, 03/12/2012 - 12:03

The static default route should do it since it has a lower AD than the BGP learned route.

Please post the 'show ip route' while having the static route implemented along with the 'show run' output.

bsciarra1 Mon, 03/12/2012 - 19:10

Okay a little background.  Our local internet circuit is used as a dmvpn failover via eigrp if primary MPLS circuit goes down. 

When changing default route I did ip route 0.0.0.0 0.0.0.0 "Local T1 IP" 91

The "91" means administrative distance of 91.  I was told this would allow our dmvpn tunnel traffic via eigrp and general internet traffic via static route to co-exist.

What actually happened was it defaulted the bgp default route, hence internet traffic still going to headquarters.

So I removed the 91, now I have ip route 0.0.0.0 0.0.0.0 "Local T1 IP"

This implementation causes internet traffic to fail. 

I then shut down the dmvpn tunnel thinking this was the cause.  I did "no tunnel source fa0/1" in the int tunnel1 interface configuration.

Then I applied my default route change (without the 91), and had the same result - all packet loss for internet traffic.


Here is the sho ip route with the changed default route:
Fenwick_2811#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 72.86.148.1 to network 0.0.0.0

     68.0.0.0/32 is subnetted, 1 subnets
S       68.162.89.14 [1/0] via 72.86.148.1
     69.0.0.0/32 is subnetted, 1 subnets
S       69.68.57.109 [1/0] via 72.86.148.1
B    192.168.28.0/24 [20/0] via 12.117.75.21, 7w0d
     70.0.0.0/32 is subnetted, 1 subnets
S       70.17.253.47 [1/0] via 72.86.148.1
     71.0.0.0/32 is subnetted, 5 subnets
S       71.241.225.20 [1/0] via 72.86.148.1
S       71.252.114.72 [1/0] via 72.86.148.1
S       71.252.114.65 [1/0] via 72.86.148.1
S       71.252.113.87 [1/0] via 72.86.148.1
S       71.242.243.228 [1/0] via 72.86.148.1
     98.0.0.0/32 is subnetted, 1 subnets
S       98.141.153.66 [1/0] via 72.86.148.1
B    192.168.24.0/24 [20/0] via 12.117.75.21, 7w0d
B    192.168.9.0/24 [20/0] via 12.117.75.21, 2d00h
     141.158.0.0/32 is subnetted, 1 subnets
S       141.158.189.161 [1/0] via 72.86.148.1
B    192.168.27.0/24 [20/0] via 12.117.75.21, 2w6d
B    172.16.0.0/16 [20/0] via 12.117.75.21, 5d10h
     172.21.0.0/24 is subnetted, 1 subnets
C       172.21.21.0 is directly connected, Tunnel1
B    192.168.11.0/24 [20/0] via 12.117.75.21, 7w0d
     67.0.0.0/32 is subnetted, 1 subnets
S       67.62.157.106 [1/0] via 72.86.148.1
     162.83.0.0/32 is subnetted, 1 subnets
S       162.83.13.194 [1/0] via 72.86.148.1
B    192.168.4.0/24 [20/0] via 12.117.75.21, 7w0d
B    192.168.21.0/24 [20/0] via 12.117.75.21, 2w6d
     10.0.0.0/24 is subnetted, 15 subnets
B       10.0.11.0 [20/0] via 12.117.75.21, 7w0d
B       10.0.9.0 [20/0] via 12.117.75.21, 2d00h
B       10.0.2.0 [20/0] via 12.117.75.21, 3w0d
B       10.0.3.0 [20/0] via 12.117.75.21, 7w0d
B       10.0.1.0 [20/0] via 12.117.75.21, 7w0d
B       10.0.6.0 [20/0] via 12.117.75.21, 7w0d
C       10.0.7.0 is directly connected, Vlan10
B       10.0.4.0 [20/0] via 12.117.75.21, 7w0d
B       10.0.27.0 [20/0] via 12.117.75.21, 2w6d
B       10.0.24.0 [20/0] via 12.117.75.21, 7w0d
B       10.0.28.0 [20/0] via 12.117.75.21, 7w0d
B       10.0.19.0 [20/0] via 12.117.75.21, 7w0d
B       10.0.22.0 [20/0] via 12.117.75.21, 7w0d
B       10.0.23.0 [20/0] via 12.117.75.21, 7w0d
B       10.0.21.0 [20/0] via 12.117.75.21, 2w6d
B    192.168.6.0/24 [20/0] via 12.117.75.21, 7w0d
B    192.168.23.0/24 [20/0] via 12.117.75.21, 7w0d
B    192.168.22.0/24 [20/0] via 12.117.75.21, 7w0d
C    192.168.7.0/24 is directly connected, FastEthernet0/0
     72.0.0.0/24 is subnetted, 1 subnets
C       72.86.148.0 is directly connected, FastEthernet0/1
     12.0.0.0/8 is variably subnetted, 19 subnets, 3 masks
B       12.113.9.116/30 [20/0] via 12.117.75.21, 2d00h
B       12.115.74.36/30 [20/0] via 12.117.75.21, 7w0d
C       12.117.75.20/30 is directly connected, Serial0/0/0
C       12.117.75.21/32 is directly connected, Serial0/0/0
B       12.113.9.88/30 [20/0] via 12.117.75.21, 7w0d
B       12.115.51.12/30 [20/0] via 12.117.75.21, 7w0d
B       12.85.233.240/30 [20/0] via 12.117.75.21, 2w6d
B       12.115.51.28/30 [20/0] via 12.117.75.21, 7w0d
B       12.113.9.20/30 [20/0] via 12.117.75.21, 7w0d
B       12.84.0.60/30 [20/0] via 12.117.75.21, 2w6d
B       12.115.225.244/30 [20/0] via 12.117.75.21, 7w0d
B       12.84.0.36/30 [20/0] via 12.117.75.21, 3w0d
B       12.38.168.0/24 [20/0] via 12.117.75.21, 3w1d
S       12.111.219.50/32 [1/0] via 72.86.148.1
B       12.117.116.172/30 [20/0] via 12.117.75.21, 7w0d
B       12.117.68.132/30 [20/0] via 12.117.75.21, 7w0d
B       12.117.116.176/30 [20/0] via 12.117.75.21, 7w0d
B       12.113.9.164/30 [20/0] via 12.117.75.21, 7w0d
B       12.113.24.128/30 [20/0] via 12.117.75.21, 7w0d
     166.143.0.0/32 is subnetted, 1 subnets
S       166.143.170.164 [1/0] via 72.86.148.1
     63.0.0.0/32 is subnetted, 1 subnets
S       63.238.164.84 [1/0] via 72.86.148.1
B    192.168.2.0/24 [20/0] via 12.117.75.21, 3w0d
B    192.168.19.0/24 [20/0] via 12.117.75.21, 1w3d
     151.196.0.0/32 is subnetted, 1 subnets
S       151.196.59.184 [1/0] via 72.86.148.1
     135.89.0.0/16 is variably subnetted, 4 subnets, 2 masks
B       135.89.152.56/29 [20/0] via 12.117.75.21, 4d03h
B       135.89.152.128/28 [20/0] via 12.117.75.21, 4d03h
B       135.89.154.152/29 [20/0] via 12.117.75.21, 7w0d
B       135.89.157.160/28 [20/0] via 12.117.75.21, 7w0d
B    192.168.3.0/24 [20/0] via 12.117.75.21, 7w0d
S*   0.0.0.0/0 [1/0] via 72.86.148.1
Fenwick_2811#


Here is the sho run with changed default route:
Fenwick_2811#sho run
Building configuration...

Current configuration : 7689 bytes
!
! Last configuration change at 16:31:33 Summer Mon Mar 12 2012 by admin
! NVRAM config last updated at 15:52:57 Summer Mon Mar 12 2012 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname Fenwick_2811
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-15.T9.bin
warm-reboot count 10 uptime 10
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 4096
enable secret 5

!
no aaa new-model
clock timezone est -5
clock summer-time Summer recurring 2 Sun Mar 0:01 1 Sun Nov 0:01
dot11 syslog
!
!
ip cef
!
!
ip inspect name in2out rcmd
ip inspect name in2out tftp
ip inspect name in2out udp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out realaudio
ip inspect name in2out vdolive
ip inspect name in2out netshow
no ip domain lookup
ip domain name

!
multilink bundle-name authenticated
!
!
crypto pki trustpoint

enrollment selfsigned
subject-name cn=IOS-

revocation-check none
rsakeypair

!
!
crypto pki certificate chain

certificate self-signed 01
          quit
!
!
username admin password 7

archive
log config
  hidekeys
!
!
crypto isakmp policy 5
authentication pre-share
group 2
crypto isakmp key

!
!
crypto ipsec transform-set

!
crypto ipsec profile

set transform-set dmvpnset
!
!
!
!
!
class-map match-all Telnet
match protocol telnet
class-map match-any Voice-Video
match ip precedence 5
class-map match-any Eclipse
match access-group name Eclipse
class-map match-all RDP
match access-group name RDP
class-map match-any Control
match ip precedence 3
!
!
policy-map Critical
class Telnet
  priority percent 30
class RDP
  bandwidth percent 30
policy-map MPLS-QOS
class Voice-Video
  priority percent 50
  set ip precedence 5
class Control
  bandwidth remaining percent 25
  set ip precedence 3
class Eclipse
  bandwidth remaining percent 75
class class-default
  fair-queue
  random-detect
!
!
!
!
interface Tunnel1
description DMVPN Tunnel to Corp
bandwidth 1000
ip address 172.21.21.7 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication dmvpn
ip nhrp map 172.21.21.1 63.238.164.84
ip nhrp map multicast 63.238.164.84
ip nhrp network-id 10
ip nhrp holdtime 300
ip nhrp nhs 172.21.21.1
no ip split-horizon eigrp 100
no ip mroute-cache
delay 1000
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile

!
interface FastEthernet0/0
description Fenwick LAN
ip address 192.168.7.1 255.255.255.0
ip helper-address 172.16.0.54
ip flow ingress
ip flow egress
duplex auto
speed auto
!
interface FastEthernet0/1
description Dagsboro Verizon DSL/Line

ip address 72.86.148.133 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1/0
switchport access vlan 10
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
description MPLS T1 DHEC.662847..ATI..
ip address 12.117.75.22 255.255.255.252
encapsulation ppp
service-policy output MPLS-QOS
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 10.0.7.1 255.255.255.0
!
router eigrp 100
redistribute bgp 65001 metric 1500 10 255 1 1500 route-map MATCH_LAN_INTERFACE
network 172.21.21.0 0.0.0.255
no auto-summary
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 10.0.7.0 mask 255.255.255.0
network 192.168.7.0
neighbor 12.117.10.217 remote-as

neighbor 12.117.75.21 remote-as

no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 72.86.148.1
ip route 12.111.219.50 255.255.255.255 72.86.148.1
ip route 63.238.164.84 255.255.255.255 72.86.148.1
ip route 67.62.157.106 255.255.255.255 72.86.148.1
ip route 68.162.89.14 255.255.255.255 72.86.148.1
ip route 69.68.57.109 255.255.255.255 72.86.148.1
ip route 70.17.253.47 255.255.255.255 72.86.148.1
ip route 71.241.225.20 255.255.255.255 72.86.148.1
ip route 71.242.243.228 255.255.255.255 72.86.148.1
ip route 71.252.113.87 255.255.255.255 72.86.148.1
ip route 71.252.114.65 255.255.255.255 72.86.148.1
ip route 71.252.114.72 255.255.255.255 72.86.148.1
ip route 98.141.153.66 255.255.255.255 72.86.148.1
ip route 141.158.189.161 255.255.255.255 72.86.148.1
ip route 151.196.59.184 255.255.255.255 72.86.148.1
ip route 162.83.13.194 255.255.255.255 72.86.148.1
ip route 166.143.170.164 255.255.255.255 72.86.148.1
!
ip flow-cache timeout active 2
ip flow-export version 9
ip flow-export destination 172.16.0.23 9999
!
ip http server
ip http secure-server
!
ip access-list extended Eclipse
permit tcp any any eq 2080
ip access-list extended RDP
permit tcp any any eq 3389
ip access-list extended Telnet
permit tcp any any eq telnet
!
logging trap debugging
logging facility local6
logging 172.16.1.46
access-list 7 permit 192.168.7.0
access-list 7 permit 10.0.7.0 0.0.0.255
access-list 109 permit icmp host 12.111.219.50 host 72.86.148.133 echo
access-list 109 permit udp any host 72.86.148.133 eq isakmp
access-list 109 permit esp any host 72.86.148.133
access-list 109 permit gre any host 72.86.148.133
access-list 109 permit tcp any host 72.86.148.133 eq 22
access-list 109 deny   ip any any log
snmp-server community

snmp-server ifindex persist
snmp-server enable traps tty
!
!
route-map MATCH_LAN_INTERFACE permit 10
match ip address 7
!
!
!
control-plane
!
banner login ^C



             WARNING:  Restricted and Authorized Access ONLY!
   If you are an unauthorized user of this system please exit immediately!
         All transactions are being logged for security purposes.


^C
!
line con 0
password 7

login local
line aux 0
password 7

login
modem InOut
transport input all
speed 115200
flowcontrol hardware
line vty 0
password 7

login local
transport input telnet ssh
line vty 1 4
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179312
ntp server 172.16.0.90
!
end

Fenwick_2811#

issofunky Wed, 03/04/2015 - 10:14
Agree, the ACL and NAT (inside and outside) are not there.

Most likely the traffic was all flowing to the core and heading out to the internet from there.

Before setting up the NAT, you might want to check company policy and see if there is content filtering or DNS rewrite happening closer to the core. If you provided the branch with Facebook access when the rest of the LAN never had it, that might be problematic later on.

Jeff Van Houten Mon, 03/12/2012 - 19:51
You're going to have to NAT your local addresses to the cable modem interface address.


Sent from Cisco Technical Support iPad App

bsciarra1 Tue, 03/13/2012 - 06:52
Oh....

So I would put "ip nat inside" on my LAN IP (fa0/0) and put "ip nat outside" on my Internet-facing IP (fa0/1)?

Jeff Van Houten Tue, 03/13/2012 - 06:55
You're also going to need an ACL to determine what to NAT. If you haven't configured NAT on a router before I'd suggest looking through the Cisco site.


Sent from Cisco Technical Support iPad App
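Putting the thread's pieces together, the following is an added example of the configuration delta the branch router is missing; it is not bsciarra1's, Jeff's or Cisco's own configuration. Interface names, LAN subnets and the DSL next hop are taken from the posted show run; the ACL name NAT_LAN is an assumed name, and applying the poster's existing access-list 109 and CBAC rule in2out to the DSL interface is an assumption about what is acceptable at that site. The NAT ACL deliberately excludes RFC 1918 destinations so that traffic that still belongs on the MPLS circuit, or on the DMVPN tunnel during failover, is never translated.

```cisco
! Added example, not from the original thread. Assumes the NAT_LAN ACL name and
! that access-list 109 / inspect rule in2out (both defined but unapplied in the
! posted config) may be applied to the DSL interface.
!
! 1. Leave the static default at its default administrative distance of 1 so it
!    beats the eBGP-learned default (AD 20). A distance of 91 loses to both eBGP
!    (20) and EIGRP internal (90), which is why the BGP default won earlier.
ip route 0.0.0.0 0.0.0.0 72.86.148.1
!
! 2. Select what gets translated: LAN sources only, never traffic bound for
!    internal address space that rides MPLS or the DMVPN tunnel.
ip access-list extended NAT_LAN
 deny   ip 192.168.7.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.7.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.0.7.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.0.7.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.0.7.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.7.0 0.0.0.255 any
 permit ip 10.0.7.0 0.0.0.255 any
!
! 3. Overload (PAT) every matching flow onto the DSL interface address.
ip nat inside source list NAT_LAN interface FastEthernet0/1 overload
!
! 4. Mark the LAN side inside and the DSL side outside. Serial0/0/0 and
!    Tunnel1 are left unmarked, so MPLS and DMVPN traffic is not translated.
interface FastEthernet0/0
 ip nat inside
!
interface Vlan10
 ip nat inside
!
interface FastEthernet0/1
 ip nat outside
 ! access-list 109 only permits ISAKMP/ESP/GRE/SSH inbound and ends with
 ! "deny ip any any log"; outbound inspection opens return paths for the
 ! LAN's own sessions, so internet replies are not dropped by that ACL.
 ip inspect in2out out
 ip access-group 109 in
!
! Verification (read-only commands):
!  show ip route 0.0.0.0      -> expect S* 0.0.0.0/0 [1/0] via 72.86.148.1
!  show ip nat translations   -> expect inside global addresses of 72.86.148.133
!  show ip bgp 0.0.0.0        -> the BGP default is still learned, just not installed
```

The stateful inspection line is the part most often forgotten: with NAT alone the LAN can reach the internet, but the moment an inbound ACL is applied to the DSL interface, return traffic is dropped unless something opens it, and CBAC is the mechanism this IOS release already has configured for that.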
