Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
250
Views
15
Helpful
4
Replies
martin.daley@eventura.com
Beginner
Beginner
‎04-03-2019 04:03 AM
‎04-03-2019 04:03 AM

Basic routing question web traffic back to Head Office Internet Breakout over MPLS

HI,

 

Forgive me for this rather basic question but I am new to Cisco and currently getting to grips with a new MPLS configuration.

 

I have the following configuration 

 

Head office

--------------

head office firewall LAN - 192.168.11.0

head office firewall 10.1.0.2

Cisco ISR 4431 10.1.0.1

Cisco ISR 4431 (interface into MPLS customer edge "CE") 192.168.200.1

MPLS Provider Edge router 192.168.200.2

BGP enabled into MPLS

 

Branch network

-------------------

Cisco 877VA router 10.1.56.254

 

I am in a position where devices on the branch network 10.1.56.2 for example can access resources on the 192.168.11.0/24 network (DNS/SMB etc)  but I would now like to route allow devices on the 10.1.56.0/24 network to use head office internet breakout.

 

I have a static route configured on the branch router 0.0.0.0 0.0.0.0 <MPLS PE> and when I ping google.co.uk, I get a "Destination host unreachable" from the MPLS PE router. The 192.168.11.0 network is advertised into the MPLS via BGP

 

What routes do I need to add to allow internet breakout via Head office? Is there something additional needed for this to work?

Labels:
0 Helpful
4 REPLIES 4
Joseph W. Doherty
Hall of Fame Expert Hall of Fame Expert
Hall of Fame Expert
‎04-03-2019 05:07 AM
‎04-03-2019 05:07 AM

From a routing perspective, generally all inside networks use a default network to get to the device that sends the traffic out to the Internet. Conversely, that device needs to "know" all internal networks (and routing needs to get outside traffic to those networks).

As you also mention a FW. That device needs to allow and translate (if using private IPs, usually the norm for IPv4) internal networks to pass through it (both ways).
Deepak Kumar
VIP Advocate VIP Advocate
VIP Advocate
‎04-03-2019 06:25 AM
‎04-03-2019 06:25 AM

Hi,

I am not sure what is the issue but here are general tricks:

 

1. Check the Branch Office router's routing table. Are you getting "Default Route" which is advertised by you?

2. Run a tracert command and check are you reaching to your Head office MPLS router?

4. Is there a default route/Policy Route which will route the unknown destination traffic from the branch office to HQ firewall?

5. Did you check all Nanting/Routing/Firewall rules on the firewall which will allow traffic from the Branch office subnet and route to the Internet and vice versa?

  

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
martin.daley@eventura.com
Beginner
Beginner
In response to Deepak Kumar
‎04-03-2019 09:01 AM
‎04-03-2019 09:01 AM

thanks, managed to get this working.

We weren't advertising the routes into bgp so the branch networks at the other side were unsure where to route "unknown" traffic.

Every day is a school day :-)

0 Helpful
Deepak Kumar
VIP Advocate VIP Advocate
VIP Advocate
In response to martin.daley@eventura.com
‎04-03-2019 10:02 AM
‎04-03-2019 10:02 AM

Hi,

Happy to know. DOn't forget to vote a helpful answer.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
Latest Contents
**New Episode** Cisco Champion Radio: S8|E16 Cisco Smart Bui...
Created by aalesna on 04-19-2021 07:21 PM
0
0
0
0
New Cisco Champion Radio release on Cisco Smart Building SolutionsListen: https://smarturl.it/CCRS8E16Follow us: https://twitter.com/CiscoChampion Now more than ever, sustainable and flexible building designs are at the forefront of every develo... view more
Configuring MACsec Switch to Host with ISE
Created by Timothy Glen on 04-19-2021 12:43 PM
0
5
0
5
DRAFT -- THIS DOCUMENT IS STILL IN DRAFT FORM Summary MACsec is IEEE standard 802.1AE. It was developed by the IEEE to compliment the 802.1X-2004 standard. MACsec was developed to allow authorized systems to connect and then encrypt data that is transmitt... view more
SD-WAN Overview & Advanced Deployment Lab | Part.1
Created by Mohamed Alhenawy on 04-16-2021 12:13 AM
1
15
1
15
Today I'm going to talk about SD-wan including SD-WAN advanced lab ,, first thing let's take a small brief about the SD_WAN.  What is SD-WAN?   SD-WAN is Software define wide area network and SD-WAN is key part of the technology o... view more
Cisco Meraki IoT specialist will introduce you to new and in...
Created by sullskog on 04-15-2021 01:09 AM
0
0
0
0
Leopold Fisher, Cisco Meraki IoT specialist, will introduce you to new and innovative additions to the Meraki portfolio coming in April 2021.         Meraki Vision Session MV smart camera range is getting big... view more
Dynamic Routing Protocols with IPv6: Configuration, Verifica...
Created by ciscomoderator on 04-13-2021 02:39 PM
0
5
0
5
Ask questions from Wednesday, April 14 to Tuesday, April 27, 2021. To participate in this event, please use the  button to ask your questions Dynamic Routing Protocols & IPv6 Have any questions on dynamic routing protocols with IPv6? In this eve... view more
Content for Community-Ad