topic Re: Solution required in Routing and SD-WAN

Solution required

bsn1980in — Mon, 04 Mar 2019 06:23:05 GMT

I have following scenario

Router<->Firewall<->Core Switch<->Server

|_____________________|

There is a direct link from router to core swich as well. Router have two sub-interfaces for; Internet and MPLS. To access internet Server must go thru firewall and to access MPLS server must go thru direct link to router.

Can anyone guide how to accomplish this.

Regards

BSN

Re: Solution required

joseph.derrick — Tue, 17 Jun 2008 13:27:34 GMT

Hi BSN,

The scenario is not clear with me. When you speak of Internet server, are you referring to Internet sites (ie www.yahoo.com) ?

And when you go through MPLS server, are you referring to an intranet ?

Please clarify.

Thanks,

K0rg

Re: Solution required

Collin Clark — Tue, 17 Jun 2008 13:36:57 GMT

It does not make sense to bypass your security devices, however you could accomplish this (depends on platform/IOS of core switch) with Policy-based routing.

http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml

Hope that helps

Re: Solution required

patrickvanham — Tue, 17 Jun 2008 13:48:47 GMT

It sounds like you wish to have regular IP traffic go through the firewall and label-switched traffic bypass the firewall. Is this correct?

Re: Solution required

bsn1980in — Tue, 17 Jun 2008 13:49:01 GMT

Hi K0rg

I want to access internet(www) and MPLS from Server. Only difference would be, to access Internet, my server must go through firewall and to access MPLS it must go through the direct link between router and core switch.

Rgds/bsn

Re: Solution required

bsn1980in — Wed, 18 Jun 2008 03:46:38 GMT

My requirement is to reach Internet and MPLS which are connected on my router.

For Internet:

My LAN/Server must pass thru Firewall and vice versa.

For MPLS:

My LAN/Server must pass thru the direct connection between Router and Core Switch and vice versa.

I have tried it thru PBR and it seems to be working fine.

Is there any other way to do so??

Rgds/bsn

Re: Solution required

Collin Clark — Wed, 18 Jun 2008 12:19:02 GMT

Depending on your IP scheme, you could use your IGP to bypass the firewall.

Re: Solution required

arunsing — Wed, 18 Jun 2008 12:38:16 GMT

Yes but depends if you are using any routing protocol or not. You can publish a default route from the firewall and the specific networks accross mpls from your edge router.

Re: Solution required

Rick Morris — Wed, 18 Jun 2008 17:01:17 GMT

you can use PBR, EIGRP but it must be a routing protocol used to specify where the traffic goes.

For instance.

Traffic on the other end of the MPLS network might be 172.16.0.0/16

You could put in a static route for all traffic on your network to go out the directly connected link on the router.

ip route 172.16.0.0 255.255.0.0

ip route 0.0.0.0 0.0.0.0

These 2 routes tell the traffic where to go.

Re: Solution required

bsn1980in — Fri, 20 Jun 2008 07:38:16 GMT

As a normal configuration of PBR, I have created an extended access-list with source and desination subnets, then match it and set next-hop to be the interface directly connected to router.

Rest of the traffice will go to firewall using default route. Also if my direct connection to Router fails, the next hop will not be reachable and all the traffic will then move through firewall.

Same configuration I have applied for incoming traffic from MPLS cloud on router as well.

Regards

bsn

Re: Solution required

patrickvanham — Fri, 20 Jun 2008 09:02:00 GMT

If your ACL has specific subnets in the MPLS cloud you could set up static routes to the MPLS cloud towards the directly connected interface to the router and a default route to the firewall.

Re: Solution required

bsn1980in — Fri, 20 Jun 2008 13:04:59 GMT

I have encountered a problem with this scenario; let me explain this:

Inside n/w: 10.10.10.0 /24

MPLS remote n/w: 172.16.0.0 /16

I have defined below static routes on

Core Switch:

172.16.0.0 255.255.0.0 G0/0(i/f directly connected to Router)

0.0.0.0 0.0.0.0 G0/1(i/f connected to FW)

Router:

10.10.10.0 255.255.255.0 G0/0 (if connected to Core Switch)

10.0.0.0 255.0.0.0 G0/1 (i/f connected to FW)

In this case my MPMS traffic from 10.10.10.0 subnet goes out from directly connected interface to router and comes back.

But Internet traffic from 10.10.10.0 subnet goes out using default route and comes back from the directly connected interface between router and switch using more sepcific default route. Hence not able to access internet.

I am doing NAT on router for internet access. The solution could be doing NAT on Firewall as well but with PBR this solution seems to be working fine.

Regards

BSN

Re: Solution required

patrickvanham — Fri, 20 Jun 2008 13:17:55 GMT

That is because the route back is more specific directly towards the core switch. every packet towards 10.10.10.0 /24 will take the directly connected route. On the router you would need to use PBR and source-based routing in your situation i.e. if the source is the MPLS cloud use Gi0/0, everything else follow default route towards firewall. An ACL like "permit ip 172.16.0.0 0.0.255.255 any" could be used to determine egress interface on the router in a route-map. The route-map would be apllied in the internet and MPLS ingress interface(s)

Re: Solution required

bsn1980in — Fri, 20 Jun 2008 13:31:06 GMT

Yes...This the reason of using PBR. I have only applied PBR on MPLS ingress interface as below. Also, I have removed the more specific static route for subnet 10.10.10.0/24. Now, even if Gig0/0 goes down, all the traffic (MPLS & Internet) will follow path towards Firewall.

interface GigabitEthernet0/2

ip policy route-map MPLS-Traffic

access-list 100 permit ip 172.25.243.0 0.0.0.255 10.10.10.0 0.0.0.255

route-map MPLS-Traffic permit 10

match ip address 100

set interface Gig0/0

My query was, if I can use any other way out for this kind of situation OR PBR is the only option.

Regards

BSN