Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3015
Views
0
Helpful
4
Replies

Inter-LAN and Internet on same MPLS connection - Config Help Needed!

Go to solution
IcebergTitanic
Level 1
Level 1

‎09-01-2011 03:29 PM - edited ‎03-04-2019 01:28 PM

Hi Folks -

Our client is getting an MPLS set up. Normally we have had clients use MPLS for their Site-to-Site connections, and then have a distinct internet connection. So you would go Internet through an ASA, while inter-LAN goes through a L3 switch, which is connected to the MPLS. No worries.

However, this client is going to use the MPLS connection for both internet and inter-LAN connections, including VOIP traffic.

From our discussions with the ISP, it sounds like they expect us to do an 802.1Q trunk line to their MPLS router.

The client has static external IP addresses that need to be available for such things as inbound email to an exchange server, etc. They don't want to lose the security of the firewall on the internet connection.

How is this best configured? Our current plan is to use the L3 switch as the primary router for traffic, with a trunk to the MPLS router. It would route traffic for the other sites' LANs through an intermediate VLAN to the router.

Internet traffic would go from the L3 switch to the inside interface of the ASA on the data VLAN, then back into the switch on a different port connected to the outside interface on the ASA. The trunk would carry this VLAN as native, and send it to the MPLS router.

Does that sound right? Is there another way to do this? Is there a *better* way to do this? How does the exterior static IP work with this setup? Will it still work?

*Note:  The ASA has a base license, so we cannot do the trunking commands on the ASA itself.

Thanks in advance!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
rais
Level 7
Level 7

‎09-02-2011 06:37 AM

The L3 switch can do a .1Q with the PE router. This L3 can connect to the outside of the ASA on one vlan and to the inside of the ASA on another vlan. ASA need not see vlan tags.

ISP can place inter-LAN sub-interface in a vrf and leave internet traffic sub-interface in the default RT.

Thanks.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
rais
Level 7
Level 7

‎09-02-2011 06:37 AM

The L3 switch can do a .1Q with the PE router. This L3 can connect to the outside of the ASA on one vlan and to the inside of the ASA on another vlan. ASA need not see vlan tags.

ISP can place inter-LAN sub-interface in a vrf and leave internet traffic sub-interface in the default RT.

Thanks.

0 Helpful

Go to solution
IcebergTitanic
Level 1
Level 1
In response to rais

‎09-02-2011 07:59 AM

Ok, so that sounds pretty much like what we had envisioned, based on the description given us by the ISP. Thanks!

0 Helpful

Go to solution
IcebergTitanic
Level 1
Level 1

‎09-21-2011 01:40 PM

We ended up having the ISP give us distinct separate connections for L2L and Internet. Then we used a L3 switch for inter-VLAN communications, including the L2L stuff. The ASA handles internet in and outbound.

Turns out the ISP didn't give us the "normal" setup where you get the two separated connections until we asked for it! BAH!

0 Helpful

Go to solution
amit bhatnagar
Level 1
Level 1
In response to IcebergTitanic

‎01-29-2012 03:57 AM

Hello Similar query I have

I have a HUB lcation where all of my servers are there are no users and all servers are accessed over internet or MPLS .I am planning to have a 3750 Stack having various vlans exampls servers vlan ,  internet vlan , mpls vlan , client vlan but there GW will be Firewall .

One  question here how do you advice on this architecture I was worried from  secuirty Point as Internet and server traffic will be on one switch  even in different vlan .

Any thoughts please

0 Helpful
Customers Also Viewed These Support Documents