The guest vlan is 192.168.99.0 and the Internet connection is at the main location (Bryan).  Sorry for the drawing... I created it for myself just for a reference.   The second location is Madison, where I am trying to get the Guest Vlan to work.  The main switch in the Bryan location has a direct connection to the firewall for the Guest Vlan.

Okay..I'm a little confused about the config that you posted. I see the 192.168.99.0/24 subnet, but are you trying to bridge across the wan? If so, it's not necessary. It looks like you have only static routes, so all you should need to do is get rid of the bridging configuration and treat it like another subnet. You'll have a static route pointing from your Bryan router to 192.168.99.0/24 going to the next hop out of the MLP interface. Then on your firewall, you'd have a route from 192.168.99.0/24 going to the Bryan router. (I'm assuming 10.10.10.251 is the address for your FW).

HTH,
John

*** Please rate all useful posts ***

I was told by someone on another post that I would need to use IRB.  Yes, all I am trying to do is get the Guest access to work in our second location.  Yes, the 10.10.10.251 and the 192.168.99.1 are both on my firewall.  I already have an Internal wireless network in Madison that uses the 10.10.141.0/24 subnet, but it uses a DHCP server on my 10.10.10.0/24 network.  So you are saying I would need on my Bryan router: ip route 192.168.99.0 255.255.255.0 Multilink1 and the firewall would be: ip route 192.168.99.0 255.255.255.0 10.10.10.100?  If I do this, will this cause any problems with my Guest access in the Bryan location?

Can you provide a much more detailed diagram along with subnets? I'm seeing FR circuits, MLP, bridging, etc. I'd be able to give you a better solution if you could provide that. Do you have a firewall at each location, and are the locations connected via mpls? Are you only concerned about routing over MLP interfaces and I can safely ignore FR?

HTH,
John

*** Please rate all useful posts ***

Here is a more detailed network drawing.  The FR circuits are no longer in use.  The last tech never removed the config data.  I only have one firewall at the Bryan location, which is where the Internet connection is. Let me know if you have any problems reading the drawing.

From this diagram, it looks like Madison gets internet access from Bryan, is that correct? Also, do you have guest access at the Bryan location that is also using 192.168.99.0/24? If so, that could be the reason you may need to bridge if you wanted both sites to use the same subnet. I'll have to lab that up though. Otherwise, if your 192.168.99.0/24 is only at the Madison side, then you don't need to bridge across....

HTH,
John

*** Please rate all useful posts ***

Yes, Madison gets Internet access from Bryan and yes, the Bryan location is also using the 192.168.99.0/24. 

Thanks.

Ah, that makes more sense as to why you'd need to bridge it. Let me lab this up today and see what I can come up with for you..

HTH,
John

*** Please rate all useful posts ***

In all honesty, it would be easier if you were able to change the Madison subnet to something else so you wouldn't have to worry about bridging across. The problem that I'm running into is that in order to bridge, your serial interfaces (that lead to your MPLS cloud) and the vlan interface that is associated to this guest network need to be part of the bridge group in order to pass the traffic across the link. In other words, your vlan 99 subinterface and the serial interface need to both be associated to the same bridge group, but from my tests it is going to kill your wan interface.

I'm still playing around with some scenarios, but for now I'd suggest changing your Madison guest subnet to something other than 192.168.99.0/24 and then you can route to it instead.

HTH,
John

*** Please rate all useful posts ***

Yes, I found that out the other week... luckily I just rebooted the router so the old config came up. 

I thought about using a different vlan but I wasn't sure how to have it get the DHCP address from the firewall... any suggestions with that?

Sure thing...Is your firewall hosting the pool and is it the one at Bryan location?

Here's the Madison "old" config:

interface FastEthernet0/0.99

encapsulation dot1Q 99

ip helper-address 10.10.10.251

ip helper-address 192.168.99.1

no snmp trap link-status

bridge-group 99

If you wanted to create vlan 199, you could change it to:

interface FastEthernet0/0.199

encapsulation dot1Q 199

ip address 192.168.199.1 255.255.255.0

ip helper-address 10.10.10.251

ip helper-address 192.168.99.1

no snmp trap link-status

The addresses can stay the same for your helper address. On the firewall/router/DHCP scope, you'd create another pool that matches 192.168.199.0/24 subnet and set the default-gateway (Madison router/firewall for your Madison users) and dns servers. You should be good to go after that. Then you'd set up all of your routes on the Bryan side for 192.168.199.0/24 to point to MPLS interface.

HTH,
John

*** Please rate all useful posts ***

Yes.

Thanks.

Sorry..I edited my last reply with some suggestions...

HTH,
John

*** Please rate all useful posts ***