MPLS options at company HQ

Unanswered Question
May 1st, 2012

Guys,

I've studied and lab'd out MPLS and MPLS VPNs several times.  The situation I'm presented with is a little different from most of the case studies I've seen in my MPLS books.  I've attached a diagram for your viewing pleasure which will hopefully help with understanding what I'm asking. 

We have a IPsec site to site tunnel from our main HQ router to a Cisco ASA 5510 in the core network in the colo.  This allows our HQ office to reach the private subnets in our core without using a Cisco VPN client.  The problem we are running into is that this seems to be putting undue strain on the Cisco 2811.  I feel like the 2811 should be able to handle it but doing any kind of upload or download through the tunnel spikes the CPU/Interrupts and makes the router CLI basically stop responding until the traffic transfer is stopped or completed.  During this time, certain cisco SCCP phones on our Broadworks platform cycle while the SIP phones on the same platform are ok.  We are trying to alleviate the load on the 2811 by setting up a VRF from the HQ network to the private VRF used in the Core for private subnet communication.  The problem I'm having is the the HQ also has some public traffic that I do not want to include in the VRFs and would like to have it travel through the P2P circuit we have and access the internet or other public devices through the core public IP Internet routing table. 

The flow would be this:

-going to a public address use the public internet routing table

-going to private address in the 10.x.x.x or 172.x.x.x - use VRF to core Private network.

This is a little different of a set up from most of the VRF VPN examples I've seen.  Most of those the CE devices is completely private.  This is not the case at our HQ.  If anyone has experience dealing with a similar situation I would be grateful for any advice/assistance.  Thanks!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
jwbensley Tue, 05/01/2012 - 06:07

You can drop your IPSEC tunnel to the colo environment into a VRF, you just need a way to route traffic in/out of the VRF then.

The easiest way here I think is to add a VLAN sub-interface onto the firewal in your office and add a sub-interface on the 2811 port facing the firewall that is inside the VRF also. The firewall can then be the breakout of the VRF into the HQ LAN.

leelove01 Tue, 05/01/2012 - 06:15

The firewall doesn't directly connect to the HQ.  There is a router that connects the point-to-point circuit from the HQ to the core. 

jwbensley Tue, 05/01/2012 - 06:21

As per your diagram, the firewall is connected to a switch, which the router is also connceted to, is this correct?

Assuiming your diagram is correct, you can, on the router, drop the IPSEC tunnel into a VRF, create a sub-interface on the 2811 interface facing the switch which is also in this VRF and tag the traffic from the IPSEC tunnel on its way out to the switch. On the switch, make the port facing the router and the port facing the firewall a trunk as appropriate (correct VLANs etc) and add a VLAN sub-interface on the firewall to pick up the VLAN containing the IPSEC tunnel traffic.

James.

leelove01 Tue, 05/01/2012 - 06:31

I'm sorry I should be more clear in my original post.  The FW on the diagram just shows the HQ.  It is currently just acting as the gateway for our private data.  The Tunnel originates on the 2811 and goes to a cisco ASA that isn't shown on the diagram but is reachable through the circuit to the core.  

So what I'm trying to accomplish is have the private data behind the HQ FW be able to communicate to the private subnets in the core network without messing up the public data, all while not using the IPsec tunnel. 

jwbensley Tue, 05/01/2012 - 11:29

Well, the only way the private data inside the HQ LAN can talk to the equipment in your colo environment without an IPSEC tunnel (or some other tunnel/encapsulating like transport method) is if you have a physical connection to there from the HQ LAN. Which I assume you don't, unless you do, and haven't stated so?

leelove01 Tue, 05/01/2012 - 12:33

The HQ's WAN link is actually a P2P circuit connecting to the core network in the colo.  So the connetion is there.  I'm setting up a GRE tunnel to do this for me for now as encryption isn't needed on a P2P so GRE should be fine.  However I would really like to also eventually set this up using MPLS VRF VPN.  My only hang up is how to seperate the public from pirvate through this.  The VRF VPN would be for the private data network at HQ and allow it to communicate via MP-BGP to another router in the core connecting it to the cores private VRF, while allowing the HQs public traffic to go out the same link but be part of the public routing table and not the vrf's.  Is that possible? 

Actions

Login or Register to take actions

This Discussion

Posted May 1, 2012 at 5:53 AM
Stats:
Replies:6 Avg. Rating:
Views:374 Votes:0
Shares:0

Related Content

Discussions Leaderboard

Rank Username Points
1 14,997
2 8,150
3 7,720
4 7,083
5 6,723
Rank Username Points
175
80
69
55
50