Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Cisco Employee

Info on applicability of a Scenario

Hi,

my customer is asking the feasibility of a network design, and if so, the possible configuration.

The scenario is reported in the picture below.

The customer is trying to build the service with a configuration on the router that can guarantee:

-Configuration on the same WAN interface (that is a ADSL/VDSL interface) of two subinterfaces (called VLAN ambito Internet and VLAN ambito MPLS)

-The two VLAN need ot be connected, so routing must be enabled between them, but as you can see from the picture the 2 VLAN need to be routed via and external firewall connected to the LAN. Here it is not specified if the LAN ports are embeddedon the router (so L2 ports) or they is an external switch connected to the router via a L3 port.

Could you please help me on this request?

Thanks

V

Screen Shot 2013-09-18 at 15.37.42.png

5 REPLIES
Silver

Info on applicability of a Scenario

Not sure if I am understanding the scenario completely but I think you are saying that traffic moving between the two WAN interfaces needs to traverse the firewall on the LAN. If so you could implement VRFs and separate the traffic this way. You would have two VRFs, one for MPLS and one for Internet. The LAN interfaces would be dot1q tagged with two different VLANs corresponding to the firewall interfaces.

Cisco Employee

Info on applicability of a Scenario

Hi Thanks,

right, the traffic moving between the two subinterfaces needs to traverse the firewall on the LAN.

I am not so expert n this kind of configuration, so i have some doubts:

-Are there any particular information that i need to consider? Isuppose that VRF MPLS ad VRF Internet need NAT in order to be routed, right?

-Any constraints on the VLAN on the LAN interface ?

Thanks

V

Silver

Info on applicability of a Scenario

No, you would not necessarily need to NAT. The idea behind VRFs is that you have two (or more) separate routing tables on your router and you assign interfaces (or subinterfaces) to the relevant VRFs. It might looking something like this:

ip vrf MPLS_VRF

ip vrf Internet_VRF

interface G0/0

description MPLS WAN

ip vrf forwarding MPLS_VRF

interface G0/1

description MPLS LAN

ip vrf forwarding MPLS_VRF

interface G0/2

description Internet WAN

ip vrf forwarding Internet_VRF

interface G0/3

description Internet LAN

ip vrf forwarding Internet_VRF

You would then have two routing tables (show ip route vrf ) and traffic can not traverse from one to the other. You would then set up routing to route everything via the firewall interfaces on the LAN.

The above example uses 4 separate physical ports though you can just use dot1q subinterfaces e.g:

interface G0/0.1

description MPLS WAN

ip vrf forwarding MPLS_VRF

Cisco Employee

Info on applicability of a Scenario

Ok Thanks,

it is clear, probably i will need NAT for private IP address.

Regarding the routing, in my undertsanding the routing table for the VRFs will remain separate, so i will need a configuration to let VRF access to Global routing table.

Silver

Info on applicability of a Scenario

You can do route leaking to do this.

Or alternatively you could just create one VRF and segregate traffic between that one VRF and the global routing table.

125
Views
4
Helpful
5
Replies
CreatePlease to create content