MPLS and Internet Connectivity on the same pipe

Soldato
Joined
17 Oct 2002
Posts
3,941
Location
West Midlands
Greetings, I've had a sample config from our MPLS provider explaining how Internet and MPLS can be put down the same pipe.

The scenario uses both a Cisco 3825 ISR with a HWIC-4ESW card installed and an ASA 5510.

I've been informed that the link to the MPLS will be an 802.1q trunk carrying both internet traffic and MPLS traffic destined for internal use.

This is the config I've been given.

Code:
bridge irb
!
!
interface GigabitEthernet0/0
 description 
 ip address 10.254.5.70 255.255.255.248
 duplex full
 speed 100
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/1
 description Firewall_Outside_LAN
 bridge-group 1
 duplex full
 speed 100
 traffic-shape rate 10000000 250000 250000 1000
!
interface GigabitEthernet0/0/0
 description To Thus MPLS Primary Interface
!
interface GigabitEthernet0/0/0.10
 description Link to Thus
 encapsulation dot1Q 10
 ip address 10.254.5.0 255.255.255.252
!
interface GigabitEthernet0/0/0.20
 description Link to Internet 
 encapsulation dot1Q 20
 bridge-group 1
 traffic-shape rate 10000000 250000 250000 1000
!
router bgp 64721
 bgp log-neighbor-changes
 neighbor 10.254.5.10 remote-as 2529
 neighbor 10.254.5.10 default-originate
!
bridge 1 protocol ieee


This is also the brief I've been given with the example.

The customer has an existing MPLS connection at their head office.
The Internet circuit will be provided by re-configuring the MPLS circuit as a dot1Q trunk carrying a data VLAN and an Internet VLAN. The Internet VLAN will be bridged across the router and will be terminated on the outside VLAN.

The data VLAN will terminate on the CPE router.
The /29 network between the firewalls and the Thus Inside Edge router is public address space and the firewalls will provide the routing to the Internet for **** ******** ******.

The two switches belong to the customer and they will deal with all aspects of routing between the Inside LAN, the data network and the Internet. The CPE will originate and advertise a default route in BGP so that other sites can access the Internet via the main
Policing will be configured on interfaces G1 and G0/0.20 to limit the Internet traffic to 10Mb.


I understand how traffic will be bridged on the router but can't see how traffic bound for the internet will pass through the firewall and back out of the router. Will I be required to trunk to the firewall or a switch, then back to the router?

Any help would be appreciated.
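As an added check that is not part of the original post or of the provider's config, here is a small Python script that parses the addressing lines of an IOS snippet like the one above and flags two things worth confirming with the provider before cutover: an interface address that is the network address of its mask, and a BGP neighbour that sits on no connected subnet. It assumes the garbled line in the paste reads as 10.254.5.0 with a /30 mask.

```python
"""Sanity-check the addressing in an IOS config snippet (added example).
Flags interface addresses that equal the network/broadcast address of their
mask (IOS rejects these) and BGP neighbours on no connected subnet."""
import ipaddress
import re

# Constructed sample: the addressing lines from the thread's config, with the
# pasted 'ip address 10.254.5.0255.255.255.252' read as 10.254.5.0 mask /30.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.254.5.70 255.255.255.248
!
interface GigabitEthernet0/0/0.10
 encapsulation dot1Q 10
 ip address 10.254.5.0 255.255.255.252
!
router bgp 64721
 neighbor 10.254.5.10 remote-as 2529
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)")
NEIGH_RE = re.compile(r"^\s+neighbor (\S+) remote-as")


def parse(config):
    """Return ({interface name: IPv4Interface}, [neighbour IPv4Address])."""
    ifaces, neighbours, current = {}, [], None
    for line in config.splitlines():
        if m := IFACE_RE.match(line):
            current = m.group(1)
        elif (m := ADDR_RE.match(line)) and current:
            ifaces[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif m := NEIGH_RE.match(line):
            neighbours.append(ipaddress.IPv4Address(m.group(1)))
    return ifaces, neighbours


def check(config):
    """Return a list of findings as strings; an empty list means no problems."""
    ifaces, neighbours = parse(config)
    findings = []
    for name, addr in ifaces.items():
        net = addr.network
        # A /31 has no network/broadcast address, so only test shorter masks.
        if net.prefixlen < 31 and addr.ip in (net.network_address, net.broadcast_address):
            findings.append(f"{name}: {addr.ip} is the network/broadcast address of {net}")
    for n in neighbours:
        # eBGP defaults to directly connected peers (TTL 1), so an off-subnet
        # neighbour needs a route plus ebgp-multihop, or a different address.
        if not any(n in a.network for a in ifaces.values()):
            findings.append(f"bgp neighbor {n} is not on any connected subnet")
    return findings
```

Run `check(SAMPLE_CONFIG)` against the pasted config and it reports both the .0 address on the dot1Q 10 subinterface and the off-subnet BGP neighbour.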
 
The times i've seen this implemented, the firewall had to be hosted at the provider's site. In fact we just decided to not use this method at our place as it would be too much of a headache.
 
Unfortunately we don't have a choice in the matter; we have provisioned for a 10Mb pipe with a 6Mb bearer, 2Mb of which will be allocated for Internet traffic. Spoke sites will route their internet traffic through the hub site.

I've been reassured that this is possible on the hub site using CPE devices.
 
It looks fairly simple: just VLANs to the site, then one gets used for data and one breaks out over the bridge group to another interface; plug that into the PIX and (I assume from the config) the PIX back into a port on the router, then configure routing to send internet traffic to the PIX...

As with all things Cisco, there are several different ways to do everything, but it's completely possible...
 
Cheers for the reply. I've knocked up something resembling how I would envision it being achieved, then got myself confused over how the physical connections would play out.

MPLSNetDesign.jpg



The link between the router and the firewall is probably the most confusing part. As the outside address of the router is a private address, the address space between the router and firewall is, I imagine from what's been said, public address space, in our example a /29 network; then behind the firewall sits the hub site's private address range.
 
You mean a 6Mb pipe on a 10Mb bearer?
 
I think I need a diagram to lay it out clearly (unfortunately I'm at home and don't have visio here).

They could have put the public range on the inside ('trust') interface of the firewall (we do it on managed firewalls but don't generally let customers do it). So essentially the firewall outside IP uses something in their core as its gateway (and it's layer 2 to their core) and your public range hangs off the inside interface of the firewall (and uses that as its gateway). That would work.

I hope that makes some sense, it's been a long day!
 
Any help would be much appreciated; feel free to fiddle with the one above.

http://www.interactiveit.com/downloads/MPLSNetDesign.vsd

The final spec we ironed out with Thus was for a Layer 3 IPVPN, but not having worked too much with MPLS before we didn't take into account the allocation for internet traffic; then the customer decided they would like all spoke sites to go through a firewall at the hub sites. All good fun, and hence the issue.

Regards