Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member


I have a question about MPLS. We currently have 3 sites internationally, with the main site in NY. Both sites are connected to NY with a private line (a T1 and a Layer 2 Ethernet connection). All three sites have their own internet connection, so there is a firewall on each site for internet. In NY we have two internet providers and we run BGP between the two, both behind the same firewall.

We want to upgrade the T1 link to something higher, and our provider is proposing MPLS to replace the T1 link and one of our internet connections in NY (and possibly the other site)...maybe eventually will add the third site to the MPLS network. My question is...since MPLS is a single link, how would I manage network traffic between sites (considering the handoff would be behind the firewalls)? It would be easy if we just had the MPLS handoff plug into one of our routers directly into our network, but if it's behind a firewall we'll have all sorts of NAT issues between sites....and since this provides a connection to the internet also, we would probably want to keep it behind the firewall.

How do you guys generally handle MPLS deployments and how would you design it in this case?

New Member


Can anyone give me some input on this please?

Hall of Fame Super Silver



once you have all three sites connected to the MPLS cloud you can give up the internet connections at the remote sites and you can have internet access through the NY firewall.

If you have address overlapping at your sites you need to keep your firewalls or to configure NAT on routers at remote sites.

MPLS a single link ? What do you mean ?

hope to help


New Member


Well we would want to keep the connections at the remote sites (they're very remote...Hong Kong and London:) ).

What I mean by MPLS being a single link is I get one hand off at NY (and the remote sites), and through that connection I would access both remote sites and the internet, since the internet would go through the MPLS cloud.

Since the internet is going through that MPLS cloud I need to keep it behind the firewall, which means all the remote sites would access NY through that firewall, which means I'd have to do all kinds of natting and ACL's so the remote sites could access our servers in NY (and vice versa).

How would I design it so that I could access the remote sites without going through the firewalls and still go through the firewall for the internet?

CreatePlease to create content