Help needed in sharing internet connection on MPLS network

mjaved_khan
Level 1

Hi, we have our head office Cisco router configured with a 12 Mbps leased line and a 12 Mbps MPLS link terminated on the same router. We have four branch offices connected through MPLS to the head office and to each other. We want to share the internet connection at our head office with the branch offices. Can somebody please help with this configuration, as we have only basic Cisco knowledge? Below are our head office configuration and one of our branch office configurations. The MPLS link is established and we can ping each other's local LAN interfaces.

Head Office Cisco router:

interface GigabitEthernet0/0.312
 description "IP-VPN-12 Mbps"
 encapsulation dot1Q 312
 ip address 192.168.149.30 255.255.255.252
!
interface GigabitEthernet0/0.340
 description "DIA-12 Mbps"
 encapsulation dot1Q 340
 ip address 37.216.210.14 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 description "LAN"
 ip address 200.10.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
router bgp 65000
 bgp log-neighbor-changes
 network 200.10.0.0
 neighbor 192.168.149.29 remote-as 35819
 neighbor 192.168.149.29 password 12345678
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list natlist interface GigabitEthernet0/0.340 overload
ip route 0.0.0.0 0.0.0.0 37.216.210.13 
!
ip access-list extended natlist
 permit ip 200.10.0.0 0.0.0.255 any
 permit ip 200.20.0.0 0.0.0.255 any
 permit ip 200.30.0.0 0.0.0.255 any
 permit ip 200.40.0.0 0.0.0.255 any
 permit ip 200.50.0.0 0.0.0.255 any

Branch Office Cisco Router:

interface FastEthernet8
 description "LAN CONNECTION"
 ip address 200.50.0.254 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description "WAN LINK"
 ip address 192.168.150.50 255.255.255.252
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!
interface GMPLS0
 no ip address
 no fair-queue
 no keepalive
!
router bgp 65000
 bgp log-neighbor-changes
 network 200.50.0.0
 neighbor 192.168.150.49 remote-as 35819
 neighbor 192.168.150.49 password 12345678
!
ip forward-protocol nd
!
!
no ip http server
ip http access-class 23
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.150.49
!
!

Thanks

14 Replies

Bilal Nawaz
VIP Alumni

I am assuming this is MPLS VPN that the service provider is providing you. On your branch routers you have just a single static route pointing to the default gateway, which is probably the PE router 192.168.150.49, and similarly at your head office.

You also peer with them using BGP from the head office and the branch offices. I wonder whether, if you advertise a default route into BGP towards the PE from the head office, this will propagate to all your branch offices, directing traffic towards the head office. In this case you could possibly look at setting default-originate towards 192.168.149.29. This will advertise the default route and it will get propagated to the PE VRFs that carry your routing function for you within the MPLS cloud.

Let us know if we should explain more.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Bilal, thanks for your swift response. Yes, it is MPLS VPN and all your assumptions are correct. Shall I run the command below under BGP on the head office router to propagate the default route to our MPLS network?

neighbor 192.168.149.29 default-originate

Thanks

Yes, that should do it. Please remember this will propagate the default route to the rest of your MPLS VPN sites even if you don't actually have a default route. If your HQ is the only exit point then it should be fine.

The main thing is to get the PE routers to see the default.

Hope it helps.

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Bilal, I have already advertised the default route under BGP with the above command on the head office router. Now internet traffic is reaching the head office router but it is not going out. Below is the result from the branch office.


Router#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.150.49 [AS 35819] 4 msec 24 msec 28 msec
  2 192.168.149.29 [AS 35819] 32 msec 32 msec 32 msec
  3 192.168.149.30 [AS 35819] 32 msec 32 msec 36 msec
  4  *  *  *
  5  *  *  *
  6  *  *  *
  7  *  *  *
  8  *  *  *

Ah, so that's good news for a start... hop no. 3 is the head office router. I wonder whether your ping from your branch office is being sourced from its "WAN" link and not the LAN.

On your head office router you have NAT, but you are missing a command under an interface. Remember the traffic from the MPLS sites will be coming in on this interface, so this is like our inside interface too:

interface GigabitEthernet0/0.312
 ip nat inside

Please remember, everything in your NAT ACL (natlist) will be NAT'd, and not necessarily the MPLS WAN IPs. You have all the 200.x addresses there, so only those will be NAT'd. But if you want you could add the 192.x addresses to the ACL.

Hope it helps, and let us know your results.

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
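The interface-role rule in the reply above (inside-source NAT only fires for a packet that enters an `ip nat inside` interface, leaves an `ip nat outside` interface, and has a source permitted by the NAT ACL) as a small Python model. This is an added example, not code from the thread or from Cisco: it parses the head-office configuration posted at the top of the thread (interface names, addresses and the natlist ACL are the thread's; the trimmed config text, the appended fix stanza and the sample packets are constructed here) and answers, for a given ingress interface, egress interface and source address, whether translation would happen, before and after the missing `ip nat inside` line is added.

```python
import ipaddress

# Constructed sample: the first head-office configuration from the thread, reduced
# to the lines the NAT decision depends on. Gi0/0.312 (the MPLS link) carries no
# 'ip nat inside' statement, exactly as in the original post.
HQ_CONFIG = """\
interface GigabitEthernet0/0.312
 ip address 192.168.149.30 255.255.255.252
!
interface GigabitEthernet0/0.340
 ip address 37.216.210.14 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 200.10.0.254 255.255.255.0
 ip nat inside
!
ip nat inside source list natlist interface GigabitEthernet0/0.340 overload
!
ip access-list extended natlist
 permit ip 200.10.0.0 0.0.0.255 any
 permit ip 200.20.0.0 0.0.0.255 any
 permit ip 200.30.0.0 0.0.0.255 any
 permit ip 200.40.0.0 0.0.0.255 any
 permit ip 200.50.0.0 0.0.0.255 any
"""

# The one-line fix from the accepted answer, appended as a second stanza for the
# same interface (IOS merges repeated interface stanzas in the same way).
FIX = "interface GigabitEthernet0/0.312\n ip nat inside\n"


def parse_source(tokens):
    """Turn the source part of an ACE ('any', 'host A', or 'A WILDCARD') into a network."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    if tokens[1] == "0.0.0.0":                 # wildcard 0.0.0.0 means a single host
        return ipaddress.ip_network(tokens[0] + "/32")
    # ipaddress accepts an IOS wildcard (host mask) in place of a prefix length.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)


def parse_config(text):
    """Return ({interface: 'inside'|'outside'|None}, {acl: [(action, source network)]})."""
    nat_roles, acls, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        parts = line.split()
        if not raw.startswith(" "):            # top-level command opens or closes a section
            if parts[0] == "interface":
                section = ("interface", parts[1])
                nat_roles.setdefault(parts[1], None)
            elif parts[:2] == ["ip", "access-list"]:
                section = ("acl", parts[3])
                acls.setdefault(parts[3], [])
            else:
                section = None
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "interface" and parts[:2] == ["ip", "nat"]:
            nat_roles[name] = parts[2]         # 'inside' or 'outside'
        elif kind == "acl" and parts[0] in ("permit", "deny"):
            acls[name].append((parts[0], parse_source(parts[2:])))
    return nat_roles, acls


def interfaces_without_nat_role(nat_roles):
    """The check to run first: interfaces on which inside-source NAT can never trigger."""
    return sorted(name for name, role in nat_roles.items() if role is None)


def nat_translates(nat_roles, acls, acl_name, ingress, egress, src_ip):
    """Model of IOS inside-source NAT. The destination is ignored because every
    entry in natlist ends in 'any'; the ACL ends with an implicit deny."""
    if nat_roles.get(ingress) != "inside" or nat_roles.get(egress) != "outside":
        return False
    src = ipaddress.ip_address(src_ip)
    for action, network in acls.get(acl_name, []):
        if src in network:
            return action == "permit"
    return False


MPLS, DIA, LAN = "GigabitEthernet0/0.312", "GigabitEthernet0/0.340", "GigabitEthernet0/1"


def branch_to_internet_translated(config_text, src_ip="200.50.0.10"):
    """Is a packet arriving over MPLS and leaving on the DIA link NAT'd under this config?"""
    roles, acls = parse_config(config_text)
    return nat_translates(roles, acls, "natlist", MPLS, DIA, src_ip)


if __name__ == "__main__":
    roles, _ = parse_config(HQ_CONFIG)
    print("no NAT role:", interfaces_without_nat_role(roles))                        # ['GigabitEthernet0/0.312']
    print("branch host, before fix:", branch_to_internet_translated(HQ_CONFIG))        # False
    print("branch host, after fix:", branch_to_internet_translated(HQ_CONFIG + FIX))   # True
    # A ping sourced from the branch WAN address is still outside natlist (constructed source).
    print("branch WAN source:", branch_to_internet_translated(HQ_CONFIG + FIX, "192.168.150.50"))  # False
```

The last case is the caveat in the reply: once Gi0/0.312 is marked inside, a branch LAN host is translated, but a ping sourced from the branch router's 192.168.150.50 WAN address is not, because natlist only permits the 200.x networks.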

Thanks, I am able to access the internet in my branch office now. I am really thankful for all your efforts.

Bilal, I wish you could help me again. We have installed a firewall at the head office behind the router to share internet with the branch offices that are connected over MPLS. We have configured the firewall with a static default route to the router. I have disabled NAT on the router interfaces at the head office. I can access the internet from the head office but not from the branch offices. The MPLS network is established through the firewall, as I can access the branch office network from behind the firewall at the head office. Below is the configuration for the head office and branch office routers:

Head Office Cisco router:

interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.312
 description "IP-VPN-12 Mbps"
 encapsulation dot1Q 312
 ip address 192.168.149.30 255.255.255.252
!
interface GigabitEthernet0/0.340
 description "DIA-12 Mbps"
 encapsulation dot1Q 340
 ip address 37.216.210.14 255.255.255.240
!
interface GigabitEthernet0/1
 description "LAN"
 ip address 37.216.214.113 255.255.255.252 secondary
 ip address 10.10.10.253 255.255.255.0
 duplex auto
 speed auto
!
router bgp 65000
 bgp log-neighbor-changes
 network 10.10.10.0
 network 10.249.11.0
 network 192.168.10.0
 network 200.10.0.0
 redistribute connected
 redistribute static
 neighbor 192.168.149.29 remote-as 35819
 neighbor 192.168.149.29 password 12345678
 neighbor 192.168.149.29 default-originate
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 37.216.208.13
ip route 0.0.0.0 0.0.0.0 10.10.10.254 2
ip route 200.10.0.0 255.255.255.0 10.10.10.254
!

Branch Office Router:

!
interface FastEthernet8
 description "LAN CONNECTION"
 ip address 10.249.18.254 255.255.255.0 secondary
 ip address 200.50.0.254 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description "WAN LINK"
 ip address 192.168.150.50 255.255.255.252
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!
interface GMPLS0
 no ip address
 no fair-queue
 no keepalive
!
router bgp 65000
 bgp log-neighbor-changes
 network 10.249.18.0
 network 200.50.0.0
 redistribute connected
 redistribute static
 neighbor 192.168.150.49 remote-as 35819
 neighbor 192.168.150.49 password 12345678
!
ip forward-protocol nd
!
!
no ip http server
ip http access-class 23
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.150.49
!
!

Firewall LAN IP is 10.10.10.254

It is a bit more tricky now. How will you advertise the default route to the MPLS provider routers (PEs)? Can your firewall do BGP? [Before, we did BGP default-originate.]

Or maybe at HQ you can ask to do OSPF or something instead? It depends on what your firewall supports. You have it in packet/routing mode rather than transparent/inline mode, so it is difficult.

Correct me if I'm wrong please, you have like this:

Branch --- MPLS --- HQ Firewall --- HQ Router --- Internet

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Thanks for your reply. We are using a SonicWall firewall at the head office and yes, it can do BGP. Using OSPF would be complicated.

We have this network:

Branch --- MPLS ---Internet --- HQ Router--- HQ Firewall 

Our head office router has both MPLS and internet terminated on it, and we have connected its LAN port to our firewall.

So everything is still the same? Normally you are meant to have it like this:

Branch --- MPLS --- HQ Router --- HQ FW --- Internet

Since you already have default-originate on your HQ router, from your branch office, is it still getting as far as HQ? You need to tell me where your internet is now connected: is it still on your router or has it moved to the firewall?

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Yes, everything is still the same, except that I disabled NAT on the router since we installed the firewall; it was because of this NAT that the internet was working at the branch offices, which you asked me to do in your earlier post. Now, after disabling NAT, internet traffic is reaching the HQ router but not going to the firewall for internet access. I have disabled NAT on the HQ router's MPLS interface. Below is the traceroute result from the branch office. 192.168.149.30 is the HQ router and 192.168.149.29 is the ISP router.

Router#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.150.49 24 msec 4 msec 4 msec
  2 192.168.149.29 [AS 35819] 32 msec 32 msec 32 msec
  3 192.168.149.30 [AS 35819] 32 msec 32 msec 36 msec
  4  *  *  *
  5  *  *  *
  6  *  *  *
  7  *  *  *
  8  *  *  *
  9  *  *  *
 10  *  *  *
 11  *  *  *

The internet is terminated on the router; on the router's LAN interface we assigned the IP address 10.10.10.253 and connected it to the firewall LAN port, which has IP address 10.10.10.254.

So you want internet traffic to reach the HQ router from the branch, and then go through the firewall? But the internet connection is already on the HQ router...

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

The HQ router is connected to the firewall to provide internet access to all users at HO and the branch offices, in order to restrict access to the internet. The internet connection is terminated on the HQ router, but NAT is disabled because of the firewall, so we can't access the internet with private local IPs unless we use a public IP.

Yes, we want internet traffic for the branch offices to go through the firewall. Internet at HO is OK as it is going through the firewall, but we need the same for the branch offices.

It is not easily possible. You should terminate the internet connection on the HQ firewall, not the router.

I don't understand why you added these static routes? They do not achieve anything apart from a default route to the firewall:

ip route 0.0.0.0 0.0.0.0 37.216.208.13
ip route 0.0.0.0 0.0.0.0 10.10.10.254 2
ip route 200.10.0.0 255.255.255.0 10.10.10.254

If the firewall has a default route to the router as well, then there is a routing loop: they will send default traffic to each other.

It should be like this.

Branch >> MPLS >> HQ Router >> HQ FW >> INTERNET

The positioning of the firewall at the moment is inappropriate; it should be directly connected to the internet.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
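The two routing problems in this last exchange, worked through with a small forwarding model. This is an added example, not code from the thread or from Cisco. The router's table is built from the three static routes and the connected networks in the second head-office configuration; the firewall's table is an assumption built from the thread's statements that its LAN address is 10.10.10.254, that it has a static default route to the router, and that the HQ LAN (200.10.0.0/24) sits behind it. The model uses longest-prefix match with administrative distance as the tiebreaker, which is how IOS chooses between the two 0.0.0.0/0 entries, and walks a packet between the two devices until it is delivered, leaves the modelled network, or revisits a device.

```python
import ipaddress

# Constructed routing tables. Each entry is (prefix, next hop, administrative
# distance); the next hop "connected" marks a directly attached network.
ROUTER_ROUTES = [
    ("0.0.0.0/0", "37.216.208.13", 1),      # primary default towards the ISP
    ("0.0.0.0/0", "10.10.10.254", 2),       # floating default towards the firewall
    ("200.10.0.0/24", "10.10.10.254", 1),   # HQ LAN reached via the firewall
    ("10.10.10.0/24", "connected", 0),      # router-firewall link
    ("192.168.149.28/30", "connected", 0),  # MPLS link
]
FIREWALL_ROUTES = [                         # assumed, from the thread's description
    ("0.0.0.0/0", "10.10.10.253", 1),       # default back to the router
    ("10.10.10.0/24", "connected", 0),
    ("200.10.0.0/24", "connected", 0),      # assumed: HQ LAN behind the firewall
]
TABLES = {"router": ROUTER_ROUTES, "firewall": FIREWALL_ROUTES}
# Which modelled device owns a next-hop address (assumed adjacency on 10.10.10.0/24).
DEVICE_AT = {"10.10.10.253": "router", "10.10.10.254": "firewall"}


def lookup(routes, dst, withdrawn=()):
    """Longest-prefix match, ties broken by lowest administrative distance.
    Routes whose next hop is listed in `withdrawn` are treated as absent, which
    is what happens to a static route when its next hop becomes unreachable.
    Returns the next hop, "connected", or None when nothing matches."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, ad in routes:
        if next_hop in withdrawn:
            continue
        net = ipaddress.ip_network(prefix)
        if dst_ip in net:
            key = (net.prefixlen, -ad)      # longer prefix wins, then lower AD
            if best is None or key > best[0]:
                best = (key, next_hop)
    return None if best is None else best[1]


def trace(start, dst, withdrawn=(), max_hops=8):
    """Follow a packet to `dst` across the modelled devices, starting at `start`.
    The path ends with 'delivered', 'exit:<next hop>' (left the model, e.g.
    towards the ISP), 'no-route', or 'loop' when a device is visited twice."""
    device, path = start, [start]
    for _ in range(max_hops):
        next_hop = lookup(TABLES[device], dst, withdrawn)
        if next_hop is None:
            return path + ["no-route"]
        if next_hop == "connected":
            return path + ["delivered"]
        nxt = DEVICE_AT.get(next_hop)
        if nxt is None:
            return path + [f"exit:{next_hop}"]
        if nxt in path:
            return path + [nxt, "loop"]
        path.append(nxt)
        device = nxt
    return path + ["ttl-exceeded"]


if __name__ == "__main__":
    # Branch traffic arriving over MPLS is sent straight to the ISP and never sees
    # the firewall: the AD 2 floating default is idle while the AD 1 default exists.
    print(trace("router", "8.8.8.8"))                                   # ['router', 'exit:37.216.208.13']
    # HQ LAN traffic from behind the firewall takes the same exit.
    print(trace("firewall", "8.8.8.8"))                                 # ['firewall', 'router', 'exit:37.216.208.13']
    # If the ISP next hop goes away, the floating default and the firewall's
    # default point at each other and the packet bounces until its TTL expires.
    print(trace("firewall", "8.8.8.8", withdrawn=("37.216.208.13",)))  # ['firewall', 'router', 'firewall', 'loop']
    # Traffic for the HQ LAN still reaches the firewall via the specific /24.
    print(trace("router", "200.10.0.5"))                                # ['router', 'firewall', 'delivered']
```

The first trace is the symptom in the thread: with NAT removed, branch traffic is forwarded to the ISP with a private source address and the firewall is never consulted. The third trace is the loop the reply warns about; it only becomes active once the primary default is withdrawn, which is why a floating default that points back at a device whose own default points at you is a failure waiting for a link outage rather than an immediate outage.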