I have the following scenario:
There is a direct link from the router to the core switch as well. The router has two sub-interfaces, for Internet and MPLS. To access the Internet the server must go thru the firewall, and to access MPLS the server must go thru the direct link to the router.
Can anyone guide how to accomplish this?
The scenario is not clear to me. When you speak of an Internet server, are you referring to Internet sites (i.e. www.yahoo.com)?
And when you go through MPLS server, are you referring to an intranet ?
I want to access the internet (www) and MPLS from the Server. The only difference would be, to access the Internet, my server must go through the firewall, and to access MPLS it must go through the direct link between the router and the core switch.
It does not make sense to bypass your security devices, however you could accomplish this (depends on platform/IOS of core switch) with Policy-based routing.
Hope that helps
It sounds like you wish to have regular IP traffic go through the firewall and label-switched traffic bypass the firewall. Is this correct?
My requirement is to reach Internet and MPLS which are connected on my router.
My LAN/Server must pass thru Firewall and vice versa.
My LAN/Server must pass thru the direct connection between Router and Core Switch and vice versa.
I have tried it thru PBR and it seems to be working fine.
Is there any other way to do so?
Yes, but it depends on whether you are using any routing protocol or not. You can publish a default route from the firewall and the specific networks across MPLS from your edge router.
You can use PBR or EIGRP, but a routing protocol must be used to specify where the traffic goes.
Traffic on the other end of the MPLS network might be 172.16.0.0/16
You could put in a static route for all traffic on your network to go out the directly connected link on the router.
ip route 172.16.0.0 255.255.0.0
ip route 0.0.0.0 0.0.0.0
These 2 routes tell the traffic where to go.
As a normal configuration of PBR, I have created an extended access-list with source and destination subnets, then match it and set the next-hop to be the interface directly connected to the router.
The rest of the traffic will go to the firewall using the default route. Also, if my direct connection to the Router fails, the next hop will not be reachable and all the traffic will then move through the firewall.
Same configuration I have applied for incoming traffic from MPLS cloud on router as well.
If your ACL has specific subnets in the MPLS cloud you could set up static routes to the MPLS cloud towards the directly connected interface to the router and a default route to the firewall.
I have encountered a problem with this scenario; let me explain this:
Inside n/w: 10.10.10.0 /24
MPLS remote n/w: 172.16.0.0 /16
I have defined below static routes on
172.16.0.0 255.255.0.0 G0/0(i/f directly connected to Router)
0.0.0.0 0.0.0.0 G0/1(i/f connected to FW)
10.10.10.0 255.255.255.0 G0/0 (if connected to Core Switch)
10.0.0.0 255.0.0.0 G0/1 (i/f connected to FW)
In this case my MPLS traffic from the 10.10.10.0 subnet goes out from the directly connected interface to the router and comes back.
But Internet traffic from the 10.10.10.0 subnet goes out using the default route and comes back from the directly connected interface between router and switch using the more specific default route. Hence not able to access the internet.
I am doing NAT on router for internet access. The solution could be doing NAT on Firewall as well but with PBR this solution seems to be working fine.
That is because the route back is more specific directly towards the core switch. Every packet towards 10.10.10.0 /24 will take the directly connected route. On the router you would need to use PBR and source-based routing in your situation, i.e. if the source is the MPLS cloud use Gi0/0, everything else follows the default route towards the firewall. An ACL like "permit ip 172.16.0.0 0.0.255.255 any" could be used to determine the egress interface on the router in a route-map. The route-map would be applied on the internet and MPLS ingress interface(s).
Yes... This is the reason for using PBR. I have only applied PBR on the MPLS ingress interface as below. Also, I have removed the more specific static route for subnet 10.10.10.0/24. Now, even if Gig0/0 goes down, all the traffic (MPLS & Internet) will follow the path towards the Firewall.
access-list 100 permit ip 172.25.243.0 0.0.0.255 10.10.10.0 0.0.0.255
!
route-map MPLS-Traffic permit 10
 match ip address 100
 set interface Gig0/0
!
! entered in interface configuration mode on the MPLS ingress interface
 ip policy route-map MPLS-Traffic
My query was, if I can use any other way out for this kind of situation OR PBR is the only option.
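The asymmetric return path described above (the /24 route back to the core switch winning over the /8 to the firewall) and the PBR fix from the final post can both be checked with a small forwarding simulation. This is an added example written for this thread, not configuration or code from any poster or from Cisco IOS: it models longest-prefix-match over the router's posted static routes, then the route-map behaviour ("set interface" is skipped when the interface is down, so the routing table is used instead). The prefixes are the ones posted in the thread; the internet host 203.0.113.10 and the MPLS host 172.25.243.7 are constructed sample addresses, and router interfaces are written uniformly as Gig0/0 (direct link) and Gig0/1 (firewall).

```python
import ipaddress

# Router static routes as posted in the thread: destination prefix -> egress interface.
ROUTER_STATIC_ROUTES = [
    ("10.10.10.0/24", "Gig0/0"),  # core switch via the direct link (removed in the fix)
    ("10.0.0.0/8", "Gig0/1"),     # everything else inside goes via the firewall
    ("0.0.0.0/0", "Gig0/1"),      # default route towards the firewall
]

# PBR from the final post: access-list 100 (source, destination) and the
# route-map's "set interface Gig0/0".
PBR_ACL_100 = [("172.25.243.0/24", "10.10.10.0/24")]
PBR_SET_INTERFACE = "Gig0/0"


def lookup(routes, dst, down=frozenset()):
    """Longest-prefix match: the most specific usable route wins.
    Routes pointing at a down interface are not candidates."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if iface in down or dst_ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best[1] if best else None


def forward(routes, src, dst, pbr_on_ingress=False, down=frozenset()):
    """Return the egress interface for a packet arriving on the router.
    PBR is evaluated before the routing table, but only on an interface
    where 'ip policy route-map' is applied; if the set interface is down,
    IOS falls through to normal destination-based routing."""
    if pbr_on_ingress and PBR_SET_INTERFACE not in down:
        s = ipaddress.ip_address(src)
        d = ipaddress.ip_address(dst)
        for sp, dp in PBR_ACL_100:
            if s in ipaddress.ip_network(sp) and d in ipaddress.ip_network(dp):
                return PBR_SET_INTERFACE
    return lookup(routes, dst, down)


def before_fix():
    """Return path with the /24 static route in place and no PBR (the broken case):
    the internet reply to 10.10.10.5 bypasses the firewall, so the firewall
    never sees the return half of the session."""
    return {
        "internet_reply": forward(ROUTER_STATIC_ROUTES, "203.0.113.10", "10.10.10.5"),
        "mpls_reply": forward(ROUTER_STATIC_ROUTES, "172.25.243.7", "10.10.10.5"),
    }


def after_fix(down=frozenset()):
    """Return path after removing the /24 route and applying PBR on the MPLS
    ingress interface only. With Gig0/0 down, both replies fall back to the
    firewall, as the final post describes."""
    routes = [r for r in ROUTER_STATIC_ROUTES if r[0] != "10.10.10.0/24"]
    return {
        "internet_reply": forward(routes, "203.0.113.10", "10.10.10.5",
                                  pbr_on_ingress=False, down=down),
        "mpls_reply": forward(routes, "172.25.243.7", "10.10.10.5",
                              pbr_on_ingress=True, down=down),
    }


if __name__ == "__main__":
    print("before:", before_fix())
    print("after: ", after_fix())
    print("after, Gig0/0 down:", after_fix(down={"Gig0/0"}))
```

The point the simulation makes is that destination-based routing alone cannot express "same destination, different path depending on where the packet came from"; only the MPLS ingress interface carries the policy, so internet return traffic is never policy-routed and always takes the firewall path, which keeps both halves of the internet session on the device that inspects it.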