Cisco router to route traffic through MPLS priority or through Internet secondly

Damien Duchenne
Level 1

Hi Everybody,

We would like to implement a solution on a remote site where there is an MPLS connection and an Internet connection. In fact, we have a permanent VPN tunnel between this site and a central site. We would like to install a Cisco router which will be between the firewall and Internet/MPLS and which will take the decision to use the MPLS link in priority and the Internet connection when the MPLS is not available to route the VPN.

Therefore, I need your help to find a solution. We are thinking of buying 1921 models to make it happen (two devices for redundancy). My idea was to create a transition LAN between the firewall where the VPN is established and the router. On the router, it will have both Internet and MPLS connections and will check the MPLS connection to verify if the link is UP to route the VPN through it, but if not, the VPN should pass through the Internet link. The problem I see is that the VPN can use private IP addresses to pass through the MPLS, but not for VPN. So if the VPN has to go through Internet, traffic will have to be NATed, but not for the MPLS use. How can I do that? By using SLA track, is it possible? And how to configure NAT only if traffic passes through Internet?

Is there a way to proceed? Is the Cisco model well adapted?

Thank you very much for your answers.

Best regards,

Damien

Accepted Solution

Hello, Damien.

For Main office take 1941 (don't think about 1921), but calculate the port count you need. Surely it's possible to configure sub-interfaces, but that is not always good. Make sure you meet the ISP's (MPLS) requirement for port type.

For branch - 881 could be enough up to 4M. Surely 892 is better.

PS: pay attention to Smartnet you need.

PS2: if you want to encrypt traffic by routers you will need SEC license (but, looks like, it's not your case).


25 Replies

Hello.

Could you please draw a diagram with all the links and devices?

What device is a first hop for end-users? Is it a firewall or some L3 switch?

I would say that typical design is:

  • use dynamic routing between routers;
  • use native traffic forwarding if dynamic routing is established with/over MPLS (BGP?);
  • use tunneling (GRE?) if MPLS ISP provides only static routing;
  • use encrypted tunnel between routers over Internet.

Then you could either leverage on dynamic routing only or even apply PFR to send business traffic over MPLS and less important over Internet/VPN.

PS: if you prefer ASA to do encryption - that is not a problem.

Hi,

Thank you very much for your reply.

Here is a small drawing of the situation we would like to have. On one site (on the bottom), we would have two routers in cluster connected with a transition LAN (vlan 400), and these routers will have to be connected in both vlans from Internet and MPLS (200 and 500). This transition LAN will be used only for the VPN establishment; all other Internet traffic will pass directly from firewalls to Internet (with vlan 200).

On the other hand, the site at the top of the drawing will be connected with a single router, but with both Internet and MPLS links. In the same way, the Internet connection is independent and so the transition vlan will also be used only for the VPN.

The VPN is established between the firewalls, and not from the new routers to buy. But this situation could change regarding what you recommend.

Does this drawing answer your questions? Is what you've recommended still relevant?

Thank you very much for your help.

Regards,

Damien

Hello.

I'm not sure if Checkpoint is able to run dynamic routing over VPN.

Please reply to my questions:

  • What devices are first-hops for end-users (remote site and office)? Do you have any L3 switch capable of dynamic routing?
  • What devices are CE and what type of port is in use (per link - Internet and MPLS)?
  • Who is managing CE device (you or provider)?
  • Do you have a requirement to run firewall for MPLS-faced links and inter-site traffic?
  • What is an expected traffic load per link, what is a number of users per site?
  • What device is doing NAT for end-user Internet access at Office/branch?
  • How does your branch end-users access Internet (via Office, or using local link)?

Draft guess:

Not sure if a CE is needed here, so the Office diagram has CEs, Branch doesn't.

Not sure, if Office needs L3 switch; if not, then first-hop could be on WAN block.

I assume that there is no need to have firewall toward MPLS and MPLS provider has any dynamic routing protocol.

We have GRE tunnel (orange curves) between WAN blocks for dynamic routing. Checkpoint is doing encryption of GRE as well as NAT for Internet traffic.

I assume there is no need to firewall traffic between office and branch.

WAN routers are running a dynamic protocol (EIGRP/OSPF/BGP), so they could use both links (even simultaneously).

As an improvement, you could use PFR to run critical (or interactive) applications over MPLS and all the others over Internet tunnels.

This design is scalable, but if you need to interconnect only 2-3 sites with MPLS as a primary (I would make MPLS secondary), then it's enough to have a single pair of routers to establish dynamic routing over MPLS and having Firewall as a last resort. In this case firewall will be running any kind of VPN. Dynamic routing could be established even from L3 switch.

Hello,

Sorry for my late answer.

Here are the answers to your questions:

  • What devices are first-hops for end-users (remote site and office)? Do you have any L3 switch capable of dynamic routing? First hops for end-users are firewalls. We don't have any L3 switch for this project but we could if needed, depending on the solution we will put in place.
  • What devices are CE and what type of port is in used (per link - Internet and MPLS)? CE routers are in Ethernet for the LAN ports, but I don't know the material used.
  • Who is managing CE device (you or provider)? Provider.
  • Do you have a requirement to run firewall for MPLS-faced links and inter-site traffic? Not especially. As the VPN is created from firewalls, all needed firewall actions are done there.
  • What is an expected traffic load per link, what is a number of users per site? It's something like 25 users on the remote site to access files servers and other applications on the main office.
  • What device is doing NAT for end-user Internet access at Office/branch? It's the firewall which is managing NAT.
  • How does your branch end-users access Internet (via Office, or using local link)? They use their own Internet link. It's the reason why there is a switch on my drawing with specific VLAN to have a direct Internet access from the firewall and a direct Internet access from the router which will route the VPN through the MPLS/Internet.

For the rest of your questions:

The CE are on both sites (Main offices and remote site). But in fact, in my drawing, the main office is on the top. I assume that it's strange but I've simplified the drawing. In fact, the main office is running with a full redundant DRP site, but we don't want for the moment to install the redundant MPLS link/router/switch on the DRP site.

I don't think indeed that L3 switch are needed as we would have firewalls, then switch, then routers to route VPN traffic through MPLS/Internet. But maybe that we could use a switch L3 to merge switch and router functionalities to have less devices.

I confirm that there is no need of firewall towards MPLS.

There is no need of firewall between branch offices as explained (traffic is already filtered before entering the VPN on the firewalls).

The GRE solution sounds great. I'm not an expert in the Cisco environment, but more in the Checkpoint one, so do you have an example of a configuration for this implementation?

Thank you very much for your time and your help on my project, I really appreciate it.

And sorry for my English which is not perfect at all.

Best regards,

Hello.

A couple more questions:

  • how many sites do you have?
  • does your MPLS provider have any option to run dynamic routing?
  • what is the link bandwidth in Office and per site (to clarify router performance)?

Sorry, I didn't understand your point here: "In fact, the main office is running with a full redundant DRP site, but we don't want for the moment to install the redundant MPLS link/router/switch on the DRP site."

PS: it's not a problem to provide you a sample configuration, but let's finish with the design first.

Hello,

  • For the moment, we want to have only one site (the branch office + a remote site). But in the future, if the solution works as expected, we will migrate all other sites (7 sites maximum with maximum 20 users for each, but one of them is a bigger site and has 200 users);
  • Our MPLS provider doesn't want to provide this option while this is a high distance MPLS (between Belgium and Singapore) and so, he doesn't have the full control on it because he has to pass through another local provider to have the MPLS from end-to-end;
  • In the Branch Office, we will have an MPLS of 8Mb and the Internet connection is 100Mb. For the remote site, the MPLS connection will be 2Mb, but I don't have the bandwidth for the Internet connection. Normally, it's maximum 10Mb.

In fact, in our branch office, we have a primary site and a secondary site (considered as DRP). The whole infrastructure is based on extended vlan and a cluster of Checkpoint firewalls (active-standby). But in the project, we want to install the MPLS link only on the main site. It's the reason why I've only showed the active site on my drawing, as the secondary site is not necessary. But in the future, we will certainly add a MPLS link to this site with a second router.

Once again, thank you very much for your help.

Best regards,

Damien

Hello.

I guess you need to provide a diagram including geographical locations and current routing schema, so our new design won't break anything.

About routers: if you run around 100M or more, then I would recommend to purchase 2951 or even 3925/3945 for Office and, 892 (up to 10M) or 1941 (up to 40-50M) for branch.

After you provide diagram with description (so we could understand how the DRP affects design) - let's discuss dynamic routing.

PS: ask MPLS provider if they have an option for dynamic routing protocol (BGP/OSPF).

Hello,

I've made two drawings about the current situation and what we would have (depending on what you'll say).

The current situation:

[Image: Now.jpg]

What we could expect:

[Image: After.jpg]

Our provider doesn't want to use a dynamic routing protocol due to the fact that he has to pass through a different provider in Singapore. Its MPLS is not available all around the world, so he has to use networks of local providers.

I hope these drawings are complete as you expected.

Thank you very much again.

Best regards,

Damien

Hello.

Could you please clarify: what is the process for switchover from primary to secondary DRP?

As far as the MPLS ISP has no dynamic routing protocol, you need to build a GRE tunnel over MPLS.

Hello,

The switchover procedure for the DRP could be at different levels. For example, if the main firewall fails, all traffic will pass through the firewall of the DR site. And it's the same for the switch (but depending on the case, we could completely switch over all the production to the DR site for performance reasons). But if the whole main site is down, all the production is switched over to the DR site but we lose the MPLS link then. I notice that I've forgotten to draw the router on the DR site as we need redundancy at this level at least. By this way, in case of failover to the DR site, the router on the DR site will become the active one (HSRP?) and will decide to route the VPN through Internet as this site will have no MPLS link (in the first step in which one we want to go now).

GRE tunnel seems to be the configuration to have, but how can we manage the automatic routing on MPLS or Internet depending on the reachability of them?

Thank you again.

Regards,

Damien

Hello.

DRP design looks good.

But anyway I would suggest to install "WAN routing" block before firewall.

Routers could run HSRP to provide first-hop redundancy.

I'm adding GRE over MPLS, as you have a problem establishing dynamic routing with the ISP.

[Image: 1.png]

Do you have any concerns about the diagram (it shows primarily L3 links)?

Hello,

What do you mean by "WAN routing blocks"? You mean that we'll need extra routers to make this solution work?

On your drawing, the CE ISP Managed router for Internet in the Branch Office is missing. But anyway, it sounds great like this.

Best regards,

Damien

Hello.

I called it after function.

All your routers have "router to buy", so I guessed you have budget and willingness to buy.

I've already told that I'm not sure if we highlight CE routers on the diagram, it's a matter of discussion.

Actually if you manage the MPLS CE yourself, then we could reuse the router (if it's capable).

PS: for office you could place one router in primary location and another one in DRP.

Hi,

Unfortunately, we don't have a huge budget for that, so the less we buy, the happier our customer will be :-)

Therefore, what do you propose regarding the final design? GRE tunnels with an IP SLA track?

Thank you.

Best regards,

Damien
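As an added illustration (not a configuration posted in this thread, and not a vendor reference), here is what a branch-router IOS configuration covering the two open questions could look like: the opening post's "MPLS in priority, Internet as fallback, NAT only when traffic leaves via Internet", and the last reply's "GRE tunnels with an IP SLA track". All addresses are constructed placeholders from RFC 1918 and RFC 5737 space, the VLAN-to-sub-interface mapping follows the VLANs named in the thread (400 transition, 200 Internet, 500 MPLS), the hostname and the central-site tunnel endpoint are assumptions, and the central-site router and the firewall-side VPN peer selection are not shown.

```cisco
! Branch WAN router, one of the HSRP pair (constructed example, placeholder addressing)
hostname BRANCH-WAN1
!
! --- LAN side: transition VLAN 400 towards the firewall cluster ---
interface GigabitEthernet0/0
 description Transition LAN (VLAN 400) to firewall cluster
 ip address 10.0.40.2 255.255.255.0
 ip nat inside
 standby 1 ip 10.0.40.1
 standby 1 priority 110
 standby 1 preempt
 ! lose HSRP priority when the MPLS path fails, so the peer router with a working MPLS link takes over
 standby 1 track 1 decrement 20
!
! --- WAN side: one 802.1Q trunk, one sub-interface per provider VLAN ---
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/1.200
 description Internet (VLAN 200), ISP next hop 198.51.100.1 (placeholder)
 encapsulation dot1Q 200
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1.500
 description MPLS (VLAN 500), provider CE next hop 10.0.50.1 (placeholder)
 encapsulation dot1Q 500
 ip address 10.0.50.2 255.255.255.252
!
! --- GRE over MPLS: needed because the MPLS provider offers no dynamic routing ---
interface Tunnel0
 description GRE over MPLS to the central-site WAN router (placeholder endpoint)
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/1.500
 tunnel destination 10.0.50.6
 ! GRE keepalives bring the tunnel line protocol down when the far end stops answering
 keepalive 5 3
!
! The tunnel endpoint is reachable only through the MPLS CE (static, no BGP/OSPF from the ISP)
ip route 10.0.50.4 255.255.255.252 10.0.50.1
!
! --- IP SLA: probe the far end of the MPLS tunnel and track reachability ---
ip sla 1
 icmp-echo 172.16.0.2 source-interface Tunnel0
 frequency 5
 timeout 2000
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 ! dampen flaps: wait 10 s before declaring down, 30 s before declaring up again
 delay down 10 up 30
!
! Central-site transition LAN (where the peer firewall lives) goes over MPLS only while track 1 is up
ip route 10.0.41.0 255.255.255.0 Tunnel0 track 1
!
! Everything else, including the firewall's Internet-side VPN traffic, leaves via the ISP
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Once the tracked route is withdrawn, stop private destinations from leaking out the Internet link
ip route 10.0.0.0 255.0.0.0 Null0 250
!
! --- NAT only on the Internet path ---
! Translation happens only for packets crossing from an "ip nat inside" to an "ip nat outside"
! interface; the MPLS sub-interface is not marked outside, so MPLS-bound traffic is never translated.
ip access-list extended NAT-TO-INTERNET
 deny   ip 10.0.40.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.0.40.0 0.0.0.255 any
!
route-map NAT-INTERNET permit 10
 match ip address NAT-TO-INTERNET
 match interface GigabitEthernet0/1.200
!
ip nat inside source route-map NAT-INTERNET interface GigabitEthernet0/1.200 overload
```

The second router of the pair gets the same configuration with a lower `standby 1 priority` and its own addresses. Two points a practitioner should keep in view: the tracked static route only decides which path the firewall's VPN packets take, so the firewall must itself be able to reach its peer through the Internet-side public address when MPLS is down; and the GRE tunnel carries no encryption of its own, which is acceptable here only because, as the thread states, the VPN is built between the firewalls and the router merely forwards the already-encrypted traffic.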
