01-16-2014 02:31 AM - edited 03-04-2019 10:05 PM
Hi Everybody,
We would like to implement a solution on a remote site where there is an MPLS connection and an Internet connection. In fact, we have a permanent VPN tunnel between this site and a central site. We would like to install a Cisco router which will sit between the firewall and Internet/MPLS and which will take the decision to use the MPLS link in priority and the Internet connection when the MPLS is not available to route the VPN.
Therefore, I need your help to find a solution. We are thinking of buying 1921 models to make it happen (two devices for redundancy). My idea was to create a transition LAN between the firewall where the VPN is established and the router. The router will have both Internet and MPLS connections and will check the MPLS connection to verify if the link is UP to route the VPN through it, but if not, the VPN should pass through the Internet link. The problem I see is that the VPN can use private IP addresses to pass through the MPLS, but not for VPN. So if the VPN has to go through Internet, traffic will have to be NATed, but not for the MPLS use. How can I do that? By using SLA track, is it possible? And how to configure NAT only if traffic passes through Internet?
Is there a way to proceed? Is the Cisco model well adapted?
Thank you very much for your answers.
Best regards,
Damien
01-24-2014 03:00 AM
Hello, Damien.
For the main office take a 1941 (don't think about the 1921), but calculate the port count you need. Surely it's possible to configure sub-interfaces, but that is not always good. Make sure you meet the ISP's (MPLS) requirement for port type.
For the branch - an 881 could be enough up to 4M. Surely an 892 is better.
PS: pay attention to Smartnet you need.
PS2: if you want to encrypt traffic by routers you will need SEC license (but, looks like, it's not your case).
01-16-2014 07:00 AM
Hello.
Could you please draw a diagram with all the links and devices?
What device is a first hop for end-users? Is it a firewall or some L3 switch?
I would say that typical design is:
Then you could either leverage on dynamic routing only or even apply PFR to send business traffic over MPLS and less important over Internet/VPN.
PS: if you prefer ASA to do encryption - that is not a problem.
01-17-2014 01:38 AM
Hi,
Thank you very much for your reply.
Here is a small drawing of the situation we would like to have. On one site (at the bottom), we would have two routers in a cluster connected with a transition LAN (vlan 400), and these routers will have to be connected to both vlans from Internet and MPLS (200 and 500). This transition LAN will be used only for the VPN establishment; all other Internet traffic will pass directly from the firewalls to Internet (with vlan 200).
On the other hand, the site at the top of the drawing will be connected with a single router, but with both Internet and MPLS links. In the same way, the Internet connection is independent and so the transition vlan will also be used only for the VPN.
The VPN is established between the firewalls, and not from the new routers to buy. But this situation could change depending on what you recommend.
Does this drawing answer your questions? Is what you've recommended still relevant?
Thank you very much for your help.
Regards,
Damien
01-17-2014 11:33 PM
Hello.
I'm not sure if Checkpoint is able to run dynamic routing over VPN.
Please reply to my questions:
Draft guess:
Not sure if a CE is needed here, so the Office diagram has CEs and the Branch doesn't.
Not sure, if Office needs L3 switch; if not, then first-hop could be on WAN block.
I assume that there is no need to have firewall toward MPLS and MPLS provider has any dynamic routing protocol.
We have GRE tunnel (orange curves) between WAN blocks for dynamic routing. Checkpoint is doing encryption of GRE as well as NAT for Internet traffic.
I assume there is no need to firewall traffic between office and branch.
WAN routers are running a dynamic protocol (EIGRP/OSPF/BGP), so they could use both links (even simultaneously).
As an improvement, you could use PFR to run critical (or interactive) applications over MPLS and all the others over Internet tunnels.
This design is scalable, but if you need to interconnect only 2-3 sites with MPLS as a primary (I would make MPLS secondary), then it's enough to have a single pair of routers to establish dynamic routing over MPLS and have the firewall as a last resort. In this case the firewall will be running any kind of VPN. Dynamic routing could be established even from the L3 switch.
01-20-2014 06:21 AM
Hello,
Sorry for my late answer.
Here are the answers to your questions:
For the rest of your questions:
The CEs are on both sites (main office and remote site). But in fact, in my drawing, the main office is at the top. I assume that it's strange, but I've simplified the drawing. In fact, the main office is running with a fully redundant DRP site, but we don't want for the moment to install the redundant MPLS link/router/switch on the DRP site.
I don't think indeed that L3 switches are needed as we would have firewalls, then switches, then routers to route VPN traffic through MPLS/Internet. But maybe we could use an L3 switch to merge switch and router functionalities to have fewer devices.
I confirm that there is no need of a firewall towards MPLS.
There is no need of a firewall between branch offices as explained (traffic is already filtered before entering the VPN on the firewalls).
The GRE solution sounds great. I'm not an expert in the Cisco environment, but more in the Checkpoint one, so do you have an example of a configuration for this implementation?
Thank you very much for your time and your help on my project, I really appreciate it.
And sorry for my English, which is not perfect at all.
Best regards,
01-20-2014 10:11 PM
Hello.
A couple more questions:
Sorry, I didn't understand you point here: "In fact, the main office is running with a full redundant DRP site, but we don't want for the moment to install the redundant MPLS link/router/switch on the DRP site."
PS: it's not a problem to provide you a sample configuration, but let's finish with the design first.
01-21-2014 04:08 AM
Hello,
In fact, in our branch office, we have a primary site and a secondary site (considered as DRP). The whole infrastructure is based on extended vlans and a cluster of Checkpoint firewalls (active-standby). But in the project, we want to install the MPLS link only on the main site. That is the reason why I've only shown the active site on my drawing, as the secondary site is not necessary. But in the future, we will certainly add an MPLS link to this site with a second router.
Once again, thank you very much for your help.
Best regards,
Damien
01-21-2014 04:41 AM
Hello.
I guess you need to provide a diagram including geographical locations and the current routing schema, so our new design won't break anything.
About routers: if you run around 100M or more, then I would recommend purchasing a 2951 or even 3925/3945 for the Office and an 892 (up to 10M) or 1941 (up to 40-50M) for the branch.
After you provide the diagram with a description (so we could understand how the DRP affects the design) - let's discuss dynamic routing.
PS: ask MPLS provider if they have an option for dynamic routing protocol (BGP/OSPF).
01-21-2014 07:51 AM
Hello,
I've made two drawings about the current situation and what we would have (depending of what you'll say).
The current situation:
What we could expect:
Our provider doesn't want to use a dynamic routing protocol due to the fact that they have to pass through a different provider in Singapore. Their MPLS is not available all around the world, so they have to use the networks of local providers.
I hope these drawings are complete as you expected.
Thank you very much again.
Best regards,
Damien
01-21-2014 11:55 AM
Hello.
Could you please clarify: what is the process for switchover from primary to secondary DRP?
As the MPLS ISP has no dynamic routing protocol, you need to build a GRE tunnel over MPLS.
01-22-2014 12:22 AM
Hello,
The switchover procedure for the DRP could be at different levels. For example, if the main firewall fails, all traffic will pass through the firewall of the DR site. And it's the same for the switch (but depending on the case, we could completely switch over all the production to the DR site for performance reasons). But if the whole main site is down, all the production is switched over to the DR site, but we lose the MPLS link then. I notice that I've forgotten to draw the router on the DR site, as we need redundancy at this level at least. This way, in case of failover to the DR site, the router on the DR site will become the active one (HSRP?) and will decide to route the VPN through Internet, as this site will have no MPLS link (in the first step, which is where we want to go now).
A GRE tunnel seems to be the configuration to have, but how can we manage the automatic routing over MPLS or Internet depending on their reachability?
Thank you again.
Regards,
Damien
01-22-2014 08:46 AM
Hello.
DRP design looks good.
But anyway I would suggest to install "WAN routing" block before firewall.
Routers could run HSRP to provide first-hop redundancy.
I'm adding GRE over MPLS, as you have a problem establishing dynamic routing with the ISP.
Do you have any concerns about the diagram (it shows primarily L3 links)?
01-22-2014 11:56 PM
Hello,
What do you mean by "WAN routing blocks"? You mean that we'll need extra routers to make this solution work?
On your drawing, the CE ISP Managed router for Internet in the Branch Office is missing. But anyway, it sounds great like this.
Best regards,
Damien
01-23-2014 01:34 AM
Hello.
I called it after function.
All your routers are labelled "router to buy", so I guessed you have the budget and willingness to buy.
I've already said that I'm not sure if we should highlight CE routers on the diagram; it's a matter of discussion.
Actually, if you manage the MPLS CE yourself, then we could reuse the router (if it's capable).
PS: for office you could place one router in primary location and another one in DRP.
01-23-2014 01:42 AM
Hi,
Unfortunately, we don't have a huge budget for that, so the less we buy, the happier our customer will be :-)
Therefore, what do you propose regarding the final design? GRE tunnels with an IP SLA track?
Thank you.
Best regards,
Damien
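As an added illustration of the design discussed in this thread (GRE tunnels over both MPLS and Internet, dynamic routing across them, IP SLA tracking, HSRP toward the firewall), here is a sample branch WAN-router configuration. It is not a configuration posted by anyone in the thread nor taken from Cisco documentation; all addresses (RFC 5737 documentation ranges), interface and sub-interface numbers, the VLAN-to-sub-interface mapping, the EIGRP AS number and the SLA/track object numbers are assumptions. Because the inner private addresses ride inside GRE, whose outer header uses the public addresses on the Internet path, the router itself does not need to NAT the site-to-site traffic on either path; per the thread, encryption of the GRE traffic is left to the Checkpoint firewalls.

```cisco
! Added example configuration for a branch WAN router (constructed, not from the thread)
! Underlay: MPLS on vlan 500, Internet on vlan 200, transition LAN to firewall on vlan 400
!
interface GigabitEthernet0/0.500
 description MPLS underlay (vlan 500) - CE next hop 10.50.0.1 (assumed)
 encapsulation dot1Q 500
 ip address 10.50.0.2 255.255.255.252
!
interface GigabitEthernet0/0.200
 description Internet underlay (vlan 200) - ISP next hop 203.0.113.1 (assumed)
 encapsulation dot1Q 200
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1.400
 description Transition LAN (vlan 400) toward the firewall cluster
 encapsulation dot1Q 400
 ip address 192.168.40.2 255.255.255.0
 standby 1 ip 192.168.40.1
 standby 1 priority 110
 standby 1 preempt
!
! Probe the MPLS CE next hop every 5 s; track 10 goes down when the probe fails
ip sla 10
 icmp-echo 10.50.0.1 source-interface GigabitEthernet0/0.500
 frequency 5
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
!
! Underlay routes. The route to the office router's MPLS-side address is tied to
! track 10, and a floating route to Null0 ensures that, when it is withdrawn, the
! private MPLS destination is dropped rather than leaking toward the Internet
! via the default route.
ip route 10.50.1.0 255.255.255.252 10.50.0.1 track 10
ip route 10.50.1.0 255.255.255.252 Null0 250
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! GRE over MPLS (primary). Keepalives bring the tunnel line protocol down when
! the far end stops answering, so routing protocol neighbours drop quickly.
interface Tunnel1
 description GRE over MPLS to office WAN router
 ip address 172.16.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source GigabitEthernet0/0.500
 tunnel destination 10.50.1.2
!
! GRE over Internet (backup). Raising the interface delay above Tunnel1's makes
! EIGRP prefer the MPLS tunnel while both are up; traffic moves to Tunnel2 only
! when Tunnel1 loses its neighbour or goes down.
interface Tunnel2
 description GRE over Internet to office WAN router (public peer 198.51.100.2, assumed)
 ip address 172.16.2.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 delay 100000
 tunnel source GigabitEthernet0/0.200
 tunnel destination 198.51.100.2
!
! Dynamic routing across both tunnels; only the tunnel interfaces form adjacencies
router eigrp 100
 network 172.16.1.0 0.0.0.3
 network 172.16.2.0 0.0.0.3
 network 192.168.40.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
```

The office WAN router gets the mirror configuration (tunnel sources and destinations swapped, its own addresses on the /30s and the same EIGRP AS). To verify failover, watch `show track 10`, `show ip route` and `show ip eigrp neighbors` while the MPLS link is disconnected: the tracked static route should disappear, Tunnel1's line protocol should go down after the keepalive retries, and the office prefixes should be re-learned via Tunnel2.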