Inter-LAN and Internet on same MPLS connection - Config Help Needed!

IcebergTitanic
Level 1

Hi Folks -

Our client is getting an MPLS set up. Normally we have had clients use MPLS for their Site-to-Site connections, and then have a distinct internet connection. So you would go Internet through an ASA, while inter-LAN goes through a L3 switch, which is connected to the MPLS. No worries.

However, this client is going to use the MPLS connection for both internet and inter-LAN connections, including VOIP traffic.

From our discussions with the ISP, it sounds like they expect us to do an 802.1Q trunk line to their MPLS router.

The client has static external IP addresses that need to be available for such things as inbound email to an exchange server, etc. They don't want to lose the security of the firewall on the internet connection.

How is this best configured? Our current plan is to use the L3 switch as the primary router for traffic, with a trunk to the MPLS router. It would route traffic for the other sites' LANs through an intermediate VLAN to the router.

Internet traffic would go from the L3 switch to the inside interface of the ASA on the data VLAN, then back into the switch on a different port connected to the outside interface on the ASA. The trunk would carry this VLAN as native, and send it to the MPLS router.

Does that sound right? Is there another way to do this? Is there a *better* way to do this? How does the exterior static IP work with this setup? Will it still work?

*Note: The ASA has a base license, so we cannot do the trunking commands on the ASA itself.

Thanks in advance!

Accepted Solution

rais
Level 7

The L3 switch can do a .1Q with the PE router. This L3 can connect to the outside of the ASA on one VLAN and to the inside of the ASA on another VLAN. The ASA need not see VLAN tags.

The ISP can place the inter-LAN sub-interface in a VRF and leave the internet traffic sub-interface in the default RT.

Thanks.


4 Replies

Ok, so that sounds pretty much like what we had envisioned, based on the description given us by the ISP. Thanks!

IcebergTitanic
Level 1

We ended up having the ISP give us distinct separate connections for L2L and Internet. Then we used a L3 switch for inter-VLAN communications, including the L2L stuff. The ASA handles internet in and outbound.

Turns out the ISP didn't give us the "normal" setup where you get the two separated connections until we asked for it! BAH!

Hello, I have a similar query.

I have a HUB location where all of my servers are; there are no users, and all servers are accessed over the internet or MPLS. I am planning to have a 3750 stack with various VLANs, for example a servers VLAN, an internet VLAN, an MPLS VLAN and a client VLAN, but their GW will be the firewall.

One question here: how do you advise on this architecture? I was worried from a security point of view, as internet and server traffic will be on one switch, even if in different VLANs.

Any thoughts please
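As an added example (not from the thread or from any poster), a small audit over a constructed IOS-style switch config for the design rais describes: it checks that the VLAN carrying internet traffic between the PE and the ASA outside interface has no SVI on the L3 switch and is present only on the PE trunk and the ASA-outside port, which is the property that makes "internet and server traffic on one switch" in the last post acceptable. Interface names, addresses, VLAN numbers and the config text are assumptions.

```python
import re
# Constructed IOS-style config for the accepted answer's design (not from the thread).
# VLAN 10 = inside data, VLAN 20 = inter-LAN transit to the ISP VRF, VLAN 99 =
# internet transit between ASA outside and the PE default table (Layer 2 only).
GOOD_CONFIG = """\
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 20,99
interface GigabitEthernet1/0/2
 switchport access vlan 10
interface GigabitEthernet1/0/3
 switchport access vlan 99
"""

def parse_interfaces(config):
    """Map each interface name to its indented config lines."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
    return stanzas

def vlans_on_port(lines):
    """VLANs a port carries; None means a trunk with no allowed list (every VLAN)."""
    vlans, trunk, pruned = set(), False, False
    for l in lines:
        trunk |= l == "switchport mode trunk"
        if m := re.match(r"switchport access vlan (\d+)", l):
            vlans.add(int(m.group(1)))
        if m := re.match(r"switchport trunk allowed vlan (\S+)", l):
            pruned = True
            for part in m.group(1).split(","):
                lo, _, hi = part.partition("-")
                vlans.update(range(int(lo), int(hi or lo) + 1))
    return None if trunk and not pruned else vlans

def audit(config, outside_vlan, allowed_ports):
    """Findings that would let internet traffic get around the ASA inside the switch."""
    stanzas, findings = parse_interfaces(config), []
    if any(l.startswith("ip address") for l in stanzas.get(f"Vlan{outside_vlan}", [])):
        findings.append(f"Vlan{outside_vlan} has an IP address: the switch can route around the ASA")
    for name, lines in stanzas.items():
        carried = set() if name.startswith("Vlan") else vlans_on_port(lines)
        if (carried is None or outside_vlan in carried) and name not in allowed_ports:
            findings.append(f"{name} carries outside VLAN {outside_vlan}")
    return findings
```

A trunk native VLAN statement is not parsed, so add that check if the outside VLAN is carried untagged as the original poster planned.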