We would like to implement a solution on a remote site where there is an MPLS connection and an Internet connection. In fact, we have a permanent VPN tunnel between this site and a central site. We would like to install a Cisco router which will sit between the firewall and the Internet/MPLS and which will take the decision to use the MPLS link in priority, and the Internet connection when the MPLS is not available, to route the VPN.
Therefore, I need your help to find a solution. We are thinking of buying 1921 models to make it happen (two devices for redundancy). My idea was to create a transition LAN between the firewall where the VPN is established and the router. The router will have both Internet and MPLS connections and will check the MPLS connection to verify that the link is UP in order to route the VPN through it, but if not, the VPN should pass through the Internet link. The problem I see is that the VPN can use private IP addresses to pass through the MPLS, but not over the Internet. So if the VPN has to go through the Internet, traffic will have to be NATed, but not when the MPLS is used. How can I do that? Is it possible by using SLA track? And how do I configure NAT only if traffic passes through the Internet?
Is there a way to proceed? Is the Cisco model well suited?
Thank you very much for your answers.
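As an added example (not part of the original question or of any reply in the thread), this is roughly what the mechanism asked about looks like in Cisco IOS: an IP SLA probe tracks the MPLS path, a floating static route moves the route to the VPN peer onto the Internet link when the track fails, and a route-map keyed on the egress interface makes NAT apply only when the Internet link is actually used. Interface names, addresses, the probe target and the peer address are all assumptions chosen for the illustration.

```cisco
! Added example (not from the thread): NAT only when traffic leaves via the
! Internet interface, with the MPLS path preferred and withdrawn when an
! IP SLA probe towards the MPLS provider fails.
! Interface names, addresses and the probe target are assumptions.
!
interface GigabitEthernet0/0
 description Transition LAN (VLAN 400) towards the firewall cluster
 ip address 10.40.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description MPLS CE link (VLAN 500) - private addressing end to end, no NAT
 ip address 10.50.0.1 255.255.255.252
!
interface GigabitEthernet0/2
 description Internet link (VLAN 200) - public addressing, NAT required
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
! Probe the provider's PE address (assumed 10.50.0.2). A plain interface-up
! check is not enough: the local link can be up while the far side of the
! MPLS cloud is unreachable.
ip sla 10
 icmp-echo 10.50.0.2 source-interface GigabitEthernet0/1
 frequency 5
 threshold 1000
 timeout 1500
ip sla schedule 10 life forever start-time now
!
! Dampen flapping: declare down after 10 s, only come back after 30 s good.
track 10 ip sla 10 reachability
 delay down 10 up 30
!
! Remote VPN peer (assumed 10.60.0.10). Preferred via MPLS while track 10
! is up; the floating static (AD 250) via the Internet next hop takes over
! when the tracked route is withdrawn.
ip route 10.60.0.10 255.255.255.255 10.50.0.2 track 10
ip route 10.60.0.10 255.255.255.255 203.0.113.1 250
!
! NAT only when the egress interface is the Internet link. Packets routed out
! Gi0/1 (MPLS) never match the route-map and are forwarded untranslated.
ip access-list extended VPN-PEER-TRAFFIC
 permit ip 10.40.0.0 0.0.0.255 host 10.60.0.10
!
route-map NAT-VIA-INTERNET permit 10
 match ip address VPN-PEER-TRAFFIC
 match interface GigabitEthernet0/2
!
ip nat inside source route-map NAT-VIA-INTERNET interface GigabitEthernet0/2 overload
```

Checks worth running after a simulated MPLS failure: `show track 10`, `show ip route 10.60.0.10` (the next hop should flip to 203.0.113.1) and `show ip nat translations` (entries should appear only while the Internet path is in use; they persist until they age out or are cleared with `clear ip nat translation *` once MPLS is back). Two caveats: the route-map interface match relies on the normal routing decision, so the firewall's VPN peer address must be routable over both paths for this to work, and only the source is translated here. The replies later in the thread side-step that peer-address problem by terminating GRE tunnels on the routers and letting the firewalls encrypt them.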
For the main office take a 1941 (don't consider the 1921), but calculate the port count you need. Of course it's possible to configure sub-interfaces, but that is not always good. Make sure you meet the ISP's (MPLS) requirement for the port type.
For the branch, an 881 could be enough up to 4 Mbit/s. An 892 is certainly better.
PS: pay attention to the Smartnet you need.
PS2: if you want to encrypt traffic on the routers you will need the SEC license (but it looks like that's not your case).
Could you please draw a diagram with all the links and devices?
What device is a first hop for end-users? Is it a firewall or some L3 switch?
I would say the typical design is:
Then you could either rely on dynamic routing only, or even apply PfR to send business traffic over MPLS and less important traffic over the Internet/VPN.
PS: if you prefer the ASA to do the encryption, that is not a problem.
Thank you very much for your reply.
Here is a small drawing of the situation we would like to have. On one site (at the bottom), we would have two routers in a cluster connected with a transition LAN (VLAN 400), and these routers will have to be connected to both the Internet and MPLS VLANs (200 and 500). This transition LAN will be used only for the VPN establishment; all other Internet traffic will pass directly from the firewalls to the Internet (via VLAN 200).
On the other hand, the site at the top of the drawing will be connected with a single router, but with both Internet and MPLS links. In the same way, the Internet connection is independent, so the transition VLAN will also be used only for the VPN.
The VPN is established between the firewalls, and not from the new routers to buy. But this situation could change depending on what you recommend.
Does this drawing answer your questions? Is what you've recommended still relevant?
Thank you very much for your help.
I'm not sure if Checkpoint is able to run dynamic routing over VPN.
Please reply to my questions:
Not sure if a CE is needed here, so the Office diagram has CEs and the Branch doesn't.
Not sure if the Office needs an L3 switch; if not, then the first hop could be on the WAN block.
I assume that there is no need for a firewall toward MPLS and that the MPLS provider offers some dynamic routing protocol.
We have GRE tunnels (orange curves) between the WAN blocks for dynamic routing. Checkpoint is doing the encryption of the GRE as well as NAT for Internet traffic.
I assume there is no need to firewall traffic between the office and the branch.
The WAN routers are running a dynamic protocol (EIGRP/OSPF/BGP), so they could use both links (even simultaneously).
As an improvement, you could use PfR to run critical (or interactive) applications over MPLS and all the others over the Internet tunnels.
This design is scalable, but if you need to interconnect only 2-3 sites with MPLS as primary (I would make MPLS secondary), then it's enough to have a single pair of routers to establish dynamic routing over MPLS, with the firewall as a last resort. In this case the firewall will be running any kind of VPN. Dynamic routing could even be established from the L3 switch.
Sorry for my late answer.
Here are the answers to your questions:
For the rest of your questions:
The CEs are on both sites (main office and remote site). But in fact, in my drawing, the main office is at the top. I realise it's strange, but I've simplified the drawing. In fact, the main office is running with a fully redundant DRP site, but for the moment we don't want to install the redundant MPLS link/router/switch on the DRP site.
I don't think L3 switches are needed indeed, as we would have firewalls, then switches, then routers to route VPN traffic through MPLS/Internet. But maybe we could use an L3 switch to merge the switch and router functionalities and have fewer devices.
I confirm that there is no need for a firewall towards MPLS.
There is no need for a firewall between branch offices, as explained (traffic is already filtered on the firewalls before entering the VPN).
The GRE solution sounds great. I'm not an expert in the Cisco environment, but more in the Checkpoint one, so do you have an example configuration for this implementation?
Thank you very much for your time and your help on my project, I really appreciate it.
And sorry for my English, which is not perfect at all.
A couple more questions:
Sorry, I didn't understand your point here: "In fact, the main office is running with a full redundant DRP site, but we don't want for the moment to install the redundant MPLS link/router/switch on the DRP site."
PS: it's not a problem to provide you with a sample configuration, but let's finish with the design first.
In fact, in our branch office, we have a primary site and a secondary site (considered the DRP site). The whole infrastructure is based on extended VLANs and a cluster of Checkpoint firewalls (active-standby). But in this project, we want to install the MPLS link only on the main site. That's the reason I've only shown the active site in my drawing, as the secondary site is not necessary. But in the future, we will certainly add an MPLS link to this site with a second router.
Once again, thank you very much for your help.
I guess you need to provide a diagram including geographical locations and the current routing schema, so our new design won't break anything.
About routers: if you run around 100M or more, then I would recommend purchasing a 2951 or even a 3925/3945 for the office, and an 892 (up to 10M) or 1941 (up to 40-50M) for the branch.
After you provide the diagram with a description (so we can understand how the DRP affects the design), let's discuss dynamic routing.
PS: ask the MPLS provider if they have an option for a dynamic routing protocol (BGP/OSPF).
I've made two drawings, one of the current situation and one of what we would have (depending on what you say).
The current situation:
What we could expect:
Our provider doesn't want to use a dynamic routing protocol because they have to pass through a different provider in Singapore. Their MPLS is not available all around the world, so they have to use the networks of local providers.
I hope these drawings are as complete as you expected.
Thank you very much again.
Could you please clarify: what is the process for switchover from the primary to the secondary DRP site?
Since the MPLS ISP has no dynamic routing protocol, you need to build a GRE tunnel over MPLS.
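The design sketched in the replies above (GRE tunnels between the WAN routers, one over the MPLS link because the provider offers only static routing, one over the Internet path with the Checkpoint firewalls encrypting it, and a dynamic routing protocol inside the tunnels) written out as an added Cisco IOS example for the branch router. This is not a configuration posted by either participant; the interface names, addresses, the EIGRP AS number and the assumption that the firewall is at 10.40.0.254 are all illustrative.

```cisco
! Added example (not from the thread): branch WAN router with two GRE
! tunnels to the main office WAN router and EIGRP inside both, so MPLS is
! preferred and failover to the Internet path is automatic.
! All names, addresses and the AS number are assumptions.
!
interface GigabitEthernet0/0
 description Transition LAN (VLAN 400) towards the firewall cluster
 ip address 10.40.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 description MPLS CE link - provider uses static routing only
 ip address 10.50.0.1 255.255.255.252
!
! Dedicated source for the Internet-side tunnel. It is deliberately NOT
! covered by an EIGRP network statement, so the far end can only reach it
! through a static route via its firewall, never through the tunnel itself.
interface Loopback0
 description GRE source for the tunnel carried inside the Checkpoint VPN
 ip address 10.40.255.1 255.255.255.255
!
! Static routes to the far-end tunnel endpoints (assumed addresses).
! Office MPLS CE, via the provider's static routing:
ip route 10.50.1.0 255.255.255.252 10.50.0.2
! Office loopback, via the local firewall, which encrypts the GRE flow in
! the site-to-site VPN. The firewall needs a route to 10.40.255.1 via 10.40.0.1.
ip route 10.40.255.2 255.255.255.255 10.40.0.254
!
interface Tunnel0
 description GRE over MPLS (primary)
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 bandwidth 20000
 delay 1000
 keepalive 5 3
 tunnel source GigabitEthernet0/1
 tunnel destination 10.50.1.1
!
interface Tunnel1
 description GRE over Internet, encrypted by Checkpoint (backup)
 ip address 172.16.0.5 255.255.255.252
 ip mtu 1300
 ip tcp adjust-mss 1260
 bandwidth 10000
 delay 50000
 keepalive 5 3
 tunnel source Loopback0
 tunnel destination 10.40.255.2
!
! EIGRP runs over both tunnels; the higher delay on Tunnel1 makes the MPLS
! tunnel the preferred path as long as its keepalive keeps it up.
router eigrp 100
 network 10.40.0.0 0.0.0.255
 network 172.16.0.0 0.0.0.7
 passive-interface GigabitEthernet0/0
!
! Never advertise the underlay (10.50.0.0/30 or the loopbacks) into EIGRP:
! learning a tunnel destination through the tunnel causes recursive routing
! and the tunnel flaps.
```

Checks once both ends are up: `show ip eigrp neighbors` should list the office router on both Tunnel0 and Tunnel1, `show ip route eigrp` should prefer Tunnel0, and pulling the MPLS link should bring Tunnel0's line protocol down within the keepalive window (5 s x 3) and move the routes to Tunnel1 with no manual intervention. The GRE keepalive is what gives fast failure detection here, because the provider's static routing would otherwise leave Tunnel0 up/up while the far side is unreachable. The MTU/MSS values are conservative so that GRE inside the firewall's IPsec does not fragment; adjust them to the real path.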