Cisco Support Community

New Member

Solution required

Hi

I have the following scenario:

Router<->Firewall<->Core Switch<->Server

|_____________________|

There is a direct link from the router to the core switch as well. The router has two sub-interfaces: Internet and MPLS. To access the Internet the server must go through the firewall, and to access MPLS the server must go through the direct link to the router.

Can anyone guide me on how to accomplish this?

Regards

BSN

13 REPLIES
New Member

Re: Solution required

Hi BSN,

The scenario is not clear to me. When you speak of the Internet server, are you referring to Internet sites (i.e. www.yahoo.com)?

And when you go through the MPLS server, are you referring to an intranet?

Please clarify.

Thanks,

K0rg

New Member

Re: Solution required

Hi K0rg

I want to access the Internet (www) and MPLS from the server. The only difference is that, to access the Internet, my server must go through the firewall, and to access MPLS it must go through the direct link between the router and the core switch.

Rgds/bsn

Re: Solution required

It does not make sense to bypass your security devices; however, you could accomplish this (depending on the platform/IOS of the core switch) with policy-based routing.

http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml

Hope that helps

New Member

Re: Solution required

It sounds like you wish to have regular IP traffic go through the firewall and label-switched traffic bypass the firewall. Is this correct?

New Member

Re: Solution required

Hi

My requirement is to reach Internet and MPLS which are connected on my router.

For Internet:

My LAN/server must pass through the firewall, and vice versa.

For MPLS:

My LAN/server must pass through the direct connection between the router and the core switch, and vice versa.

I have tried it through PBR and it seems to be working fine.

Is there any other way to do so?

Rgds/bsn

Re: Solution required

Depending on your IP scheme, you could use your IGP to bypass the firewall.

New Member

Re: Solution required

Yes, but it depends on whether you are using any routing protocol or not. You can publish a default route from the firewall and the specific networks across MPLS from your edge router.

Silver

Re: Solution required

You can use PBR or EIGRP, but a routing protocol must be used to specify where the traffic goes.

For instance:

Traffic on the other end of the MPLS network might be 172.16.0.0/16.

You could put in a static route for all traffic on your network to go out the directly connected link on the router.

ip route 172.16.0.0 255.255.0.0

ip route 0.0.0.0 0.0.0.0

These 2 routes tell the traffic where to go.

New Member

Re: Solution required

As a normal configuration of PBR, I have created an extended access-list with source and destination subnets, then matched it and set the next hop to be the interface directly connected to the router.

The rest of the traffic will go to the firewall using the default route. Also, if my direct connection to the router fails, the next hop will not be reachable and all the traffic will then move through the firewall.

I have applied the same configuration for incoming traffic from the MPLS cloud on the router as well.

Regards

bsn

New Member

Re: Solution required

If your ACL has specific subnets in the MPLS cloud, you could set up static routes to the MPLS cloud towards the interface directly connected to the router, and a default route to the firewall.

New Member

Re: Solution required

I have encountered a problem with this scenario; let me explain this:

Inside n/w: 10.10.10.0 /24

MPLS remote n/w: 172.16.0.0 /16

I have defined the static routes below on:

Core Switch:

172.16.0.0 255.255.0.0 G0/0(i/f directly connected to Router)

0.0.0.0 0.0.0.0 G0/1(i/f connected to FW)

Router:

10.10.10.0 255.255.255.0 G0/0 (i/f connected to Core Switch)

10.0.0.0 255.0.0.0 G0/1 (i/f connected to FW)

In this case my MPLS traffic from the 10.10.10.0 subnet goes out from the interface directly connected to the router and comes back.

But Internet traffic from the 10.10.10.0 subnet goes out using the default route and comes back from the directly connected interface between the router and the switch using the more specific default route. Hence I am not able to access the Internet.

I am doing NAT on the router for Internet access. The solution could be doing NAT on the firewall as well, but with PBR this solution seems to be working fine.

Regards

BSN

New Member

Re: Solution required

That is because the route back is more specific, directly towards the core switch. Every packet towards 10.10.10.0/24 will take the directly connected route. On the router you would need to use PBR and source-based routing in your situation, i.e. if the source is the MPLS cloud use Gi0/0, and everything else follows the default route towards the firewall. An ACL like "permit ip 172.16.0.0 0.0.255.255 any" could be used to determine the egress interface on the router in a route-map. The route-map would be applied on the Internet and MPLS ingress interface(s).

New Member

Re: Solution required

Yes... This is the reason for using PBR. I have only applied PBR on the MPLS ingress interface, as below. Also, I have removed the more specific static route for subnet 10.10.10.0/24. Now, even if Gig0/0 goes down, all the traffic (MPLS & Internet) will follow the path towards the firewall.

!
interface GigabitEthernet0/2
 ip policy route-map MPLS-Traffic
!
access-list 100 permit ip 172.25.243.0 0.0.0.255 10.10.10.0 0.0.0.255
!
route-map MPLS-Traffic permit 10
 match ip address 100
 set interface Gig0/0
!

My query was whether there is any other way out for this kind of situation, or whether PBR is the only option.

Regards

BSN
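To show why the first pair of static routes sent Internet replies around the firewall, and why PBR on the MPLS ingress interface (with the /24 removed) fixes it, here is a small added Python model of the router's forwarding decision; it is not from the thread or any Cisco tool. It uses the routes and access-list posted above; the Internet sub-interface name Gi0/3.100 and the reply source addresses are assumptions.

```python
import ipaddress

# Constructed model of the router in this thread: Gi0/0 to the core switch,
# Gi0/1 to the firewall, Gi0/2 MPLS ingress. The Internet sub-interface name
# (Gi0/3.100) and the replying hosts' addresses are assumptions.
ROUTES_FIRST_ATTEMPT = [            # the two static routes from the earlier post
    ("10.10.10.0/24", "Gi0/0"),     # /24 straight to the core switch
    ("10.0.0.0/8", "Gi0/1"),        # /8 towards the firewall
]
ROUTES_FIXED = [("10.0.0.0/8", "Gi0/1")]   # specific /24 removed
# access-list 100 permit ip 172.25.243.0 0.0.0.255 10.10.10.0 0.0.0.255
ACL_100 = [("172.25.243.0/24", "10.10.10.0/24")]
# interface Gi0/2: ip policy route-map MPLS-Traffic -> set interface Gig0/0
PBR_FIXED = {"Gi0/2": (ACL_100, "Gi0/0")}

def lookup(routes, dst, down=frozenset()):
    """Longest-prefix match; statics via a down interface are withdrawn."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if iface in down or ipaddress.ip_address(dst) not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best[1] if best else None

def acl_permits(acl, src, dst):
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(s)
               and ipaddress.ip_address(dst) in ipaddress.ip_network(d)
               for s, d in acl)

def forward(routes, pbr, ingress, src, dst, down=frozenset()):
    """PBR on the ingress interface wins; 'set interface' to a down
    interface falls through to the routing table, as on IOS."""
    if ingress in pbr:
        acl, iface = pbr[ingress]
        if iface not in down and acl_permits(acl, src, dst):
            return iface
    return lookup(routes, dst, down)

def reply_paths(routes, pbr, down=frozenset()):
    """Egress for an MPLS reply and an (un-NATed) Internet reply to 10.10.10.5."""
    return {
        "mpls_reply": forward(routes, pbr, "Gi0/2", "172.25.243.10", "10.10.10.5", down),
        "internet_reply": forward(routes, pbr, "Gi0/3.100", "203.0.113.9", "10.10.10.5", down),
    }

if __name__ == "__main__":
    print("static routes only :", reply_paths(ROUTES_FIRST_ATTEMPT, {}))
    print("PBR, /24 removed   :", reply_paths(ROUTES_FIXED, PBR_FIXED))
    print("same, Gi0/0 down   :", reply_paths(ROUTES_FIXED, PBR_FIXED, {"Gi0/0"}))
```

With the first attempt both replies leave via Gi0/0, so the firewall never sees the return half of the Internet flow; with PBR and the /24 removed only the MPLS reply takes Gi0/0, and when Gi0/0 is down everything falls back to the firewall path.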
