
Basic routing question web traffic back to Head Office Internet Breakout over MPLS



Forgive me for this rather basic question but I am new to Cisco and currently getting to grips with a new MPLS configuration.


I have the following configuration 


Head office


head office firewall LAN -

head office firewall

Cisco ISR 4431

Cisco ISR 4431 (interface into MPLS customer edge "CE")

MPLS Provider Edge router

BGP enabled into MPLS


Branch network


Cisco 877VA router


I am in a position where devices on the branch network for example can access resources on the network (DNS/SMB etc.), but I would now like to allow devices on the network to use head office internet breakout.


I have a static route configured on the branch router <MPLS PE> and when I ping, I get a "Destination host unreachable" from the MPLS PE router. The network is advertised into the MPLS via BGP.


What routes do I need to add to allow internet breakout via Head office? Is there something additional needed for this to work?

Joseph W. Doherty
Hall of Fame Expert

From a routing perspective, generally all inside networks use a default network to get to the device that sends the traffic out to the Internet. Conversely, that device needs to "know" all internal networks (and routing needs to get outside traffic to those networks).

As you also mention a FW, that device needs to allow and translate (if using private IPs, usually the norm for IPv4) internal networks to pass through it (both ways).

Deepak Kumar
VIP Advocate


I am not sure what the issue is, but here are some general tricks:


1. Check the Branch Office router's routing table. Are you getting the "Default Route" which is advertised by you?

2. Run a tracert command and check whether you are reaching your Head office MPLS router.

4. Is there a default route/Policy Route which will route the unknown destination traffic from the branch office to the HQ firewall?

5. Did you check all NATing/Routing/Firewall rules on the firewall which will allow traffic from the Branch office subnet and route to the Internet and vice versa?



Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Thanks, managed to get this working.

We weren't advertising the routes into BGP so the branch networks at the other side were unsure where to route "unknown" traffic.

Every day is a school day :-)


Happy to know. Don't forget to vote for a helpful answer.
