02-19-2013 01:41 PM - edited 03-04-2019 07:04 PM
I have a "core" router at my main site (Hub spoke configuration).
My remote sites connect back to the core router over VPN. I'm using a 2921 router as my "core".
I have Metro Area Ethernet connecting most of my sites; the remainder are coming in via MPLS.
On one Ethernet interface, I receive Metro Ethernet, the MPLS network, and Internet, all via a trunked port. So in order for the Internet to work, I'm setting a default route out the Internet.
The problem is that as the users come in from either the metro ethernet or MPLS, any Internet traffic wants to go directly out the default gateway, which will not work.
I need to have the traffic that comes in (yes, definable through an access list) automatically forwarded to the firewall (set new next hop), and then off the back end of the firewall I can put that VLAN back into the router and out the Internet connection.
Would I be best to define the Internet traffic and shape that, or define my private routed IPs and shape those?
Or should I be looking at something completely different?
02-19-2013 02:22 PM
Hi Joe
It would be easier if you would attach a picture to show the topology.
But if I have correctly understood what you would like to accomplish, I could sum it up like this:
All traffic which arrives through both subinterfaces (metro + MPLS) should go through the router to the firewall, and from the firewall back to the router and to the Internet.
PBR is one possibility (I am not sure if it is the right one), but it will be complicated.
I would suggest you create a VRF on the router for VPN traffic; Internet access will stay in the global table. That way you separate Internet traffic from the traffic which needs to go to the firewall first.
In practice it will look like this -> http://www.ulozisko.sk/obrazky/592071/example.png
configuration:
! Define the VRF that will hold the VPN-facing interfaces
ip vrf local-vrf
 rd 1:1
!
! Metro and MPLS subinterfaces, plus the link to the firewall, go into the VRF
int Fa0/0.20
 ip vrf forwarding local-vrf
int Fa0/0.30
 ip vrf forwarding local-vrf
int Fa0/2
 ip vrf forwarding local-vrf
!
! Global table: default route toward the Internet handoff (Fa0/0.10 stays in the global table)
ip route 0.0.0.0 0.0.0.0 Fa0/0.10 name DEFAULT_TO_INTERNET
! VRF table: default route toward the firewall
ip route vrf local-vrf 0.0.0.0 0.0.0.0 Fa0/2 name DEFAULT_TO_FW
Best Regards
Please rate helpful posts
02-19-2013 03:23 PM
Your picture looks spot on.
I'm not familiar with vrf, so I may need to do some reading.
Thanks very much for the tip. I'll score when I can understand what I'm doing.
02-19-2013 11:51 PM
Actually, in your case, it is called vrf-lite.
VRFs are usually used with MPLS to separate customers' routing tables on PEs. Basically it means that one router can be logically divided into multiple routers.
VRF-lite is used without MPLS when you need to completely separate traffic (ACLs or PBR can be used in some cases, but creating and maintaining the configuration would be very difficult).
If we implement VRF-lite in your topology, the physical topology would look like the one in the included picture, but the logical topology is different.
Traffic flow from VPN to Internet will look like this:
VPN <---> CORE_1 <---> FW <---> CORE_2 <---> Internet
Where CORE_1 and CORE_2 are two different routers.
Interfaces Fa0/0.20, Fa0/0.30 and Fa0/2 belong to router CORE_1 and interfaces Fa0/0.10 and Fa0/1 belong to router CORE_2.
In my previous post I mentioned two default routes, but they only take care of traffic headed to the Internet; you must also configure static routes to the VPNs (if you do not run any IGP with the spokes),
for example:
! Spoke prefixes reachable via the Metro subinterface, inside the VRF
ip route vrf local-vrf 10.0.0.0 255.0.0.0 Fa0/0.20
! Spoke prefixes reachable via the MPLS subinterface, inside the VRF
ip route vrf local-vrf 172.16.0.0 255.240.0.0 Fa0/0.30
Here are some links about vrf-lite:
http://packetlife.net/blog/2009/apr/30/intro-vrf-lite/
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/vrf.pdf
Best Regards
Please rate helpful posts
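The following is an added, complete VRF-lite configuration for the topology discussed in this thread; it is example code, not the configuration from the posts above. Interface names and the VRF name match the thread. Every IP address, VLAN ID and subnet mask is an assumption chosen for illustration, as is the placement of the firewall's inside interface on Fa0/2 and its outside interface on Fa0/1. It also differs from the snippets above in one deliberate way: the static routes point at next-hop addresses rather than at interfaces only, because on a multi-access Ethernet segment an interface-only route makes the router ARP for every destination and depend on the neighbor's proxy ARP.

```cisco
! Added example, not from the original posts. All addresses/VLANs are assumed.
!
! Logical picture (one physical 2921, two logical routers):
!   CORE_1 = vrf local-vrf : Fa0/0.20 (Metro), Fa0/0.30 (MPLS), Fa0/2 (to FW inside)
!   CORE_2 = global table  : Fa0/0.10 (Internet), Fa0/1 (from FW outside)
!
ip vrf local-vrf
 rd 1:1
!
interface FastEthernet0/0
 description Trunk carrying Internet (VLAN 10), Metro (VLAN 20) and MPLS (VLAN 30)
 no ip address
!
interface FastEthernet0/0.10
 description Internet handoff - stays in the global routing table
 encapsulation dot1Q 10
 ip address 203.0.113.2 255.255.255.252
!
interface FastEthernet0/0.20
 description Metro Ethernet spokes (assumed VLAN 20)
 encapsulation dot1Q 20
 ip vrf forwarding local-vrf
 ip address 10.255.20.1 255.255.255.0
!
interface FastEthernet0/0.30
 description MPLS spokes (assumed VLAN 30)
 encapsulation dot1Q 30
 ip vrf forwarding local-vrf
 ip address 10.255.30.1 255.255.255.0
!
interface FastEthernet0/2
 description To firewall INSIDE interface (VRF side)
 ip vrf forwarding local-vrf
 ip address 192.168.100.1 255.255.255.0
!
interface FastEthernet0/1
 description From firewall OUTSIDE interface (global side)
 ip address 192.168.200.1 255.255.255.0
!
! --- Global table (CORE_2) ---
! Default toward the ISP, using a next-hop address (assumed 203.0.113.1)
ip route 0.0.0.0 0.0.0.0 203.0.113.1 name DEFAULT_TO_INTERNET
! Return path to the spoke prefixes goes back through the firewall OUTSIDE
! interface (assumed 192.168.200.2), never directly into the VRF subinterfaces.
! Only needed if the firewall does not NAT the spokes to its outside address.
ip route 10.0.0.0 255.0.0.0 192.168.200.2 name SPOKES_VIA_FW
ip route 172.16.0.0 255.240.0.0 192.168.200.2 name SPOKES_VIA_FW
!
! --- VRF table (CORE_1) ---
! Anything not known in the VRF goes to the firewall INSIDE interface (assumed 192.168.100.2)
ip route vrf local-vrf 0.0.0.0 0.0.0.0 192.168.100.2 name DEFAULT_TO_FW
! Spoke prefixes behind the Metro and MPLS handoffs (assumed next hops);
! replace with an IGP running with the spokes if one exists
ip route vrf local-vrf 10.0.0.0 255.0.0.0 10.255.20.2 name METRO_SPOKES
ip route vrf local-vrf 172.16.0.0 255.240.0.0 10.255.30.2 name MPLS_SPOKES
!
! --- Verification (exec mode) ---
! show ip route vrf local-vrf        : only DEFAULT_TO_FW and the spoke routes should appear
! show ip route                      : no route may point at Fa0/0.20, Fa0/0.30 or Fa0/2
! ping vrf local-vrf 192.168.100.2   : firewall inside reachable from the VRF
! traceroute vrf local-vrf 198.51.100.1 : first hop must be 192.168.100.2, not 203.0.113.1
```

The security point of the two tables is that the firewall becomes the only path between the spoke VRF and the Internet: a spoke packet in local-vrf cannot match the global default route, and an Internet reply in the global table cannot reach Fa0/0.20 or Fa0/0.30 except via the firewall's outside interface. The check in "show ip route" matters for exactly that reason; a stray global static route pointing at a VRF subinterface, or an interface accidentally left without "ip vrf forwarding", silently reopens the bypass the thread is trying to close. If the spoke VPNs terminate on the hub as tunnel interfaces rather than on the subinterfaces directly, the tunnel interface is what carries "ip vrf forwarding local-vrf" for the inner traffic, with "tunnel vrf" naming the VRF the tunnel endpoints are reached through.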
02-20-2013 08:19 AM
Thanks again. I have the Cisco VRF-lite PDF I'm reading and hope to have it figured out to implement tonight.
02-20-2013 11:52 AM
I'm starting to understand this, but my concern is that an interface that is used by the VPN is used by other services as well, so I'm concerned about isolating it.
Can I just use the VRF to isolate the Internet traffic, and let the rest be as is?
02-20-2013 01:45 PM
What do you mean by "used by other services"?
The VRF-lite configuration is local to just that one router.
You can put the VPN interfaces into one VRF and the interface toward the Internet into another VRF. You can also put the VPN interfaces into a VRF and leave the interface toward the Internet in the global table, or vice versa, so you have three possibilities; the choice is yours.
But you have to separate the traffic if you want to accomplish the traffic flow shown in the picture.
Best Regards
Please rate helpful posts
02-20-2013 08:02 PM
Thanks so much for your help. This took a big weight off my shoulders.
02-20-2013 10:55 PM
Glad to help you.
Best Regards
Please rate helpful posts