
New implementation

vipinrajrc
Level 3

Hi Experts,

I need to implement the following scenario in one of my clients.

I am having so much regarding this please help

My needs are

1) Configure the attached scenario

2) Internet must be up and running

3) Make the servers publicly available (NAT)

4) Make a good security

5) Do the failover mechanism

6) Create IPVPN to other 5 sites.

-------------------------------------------------------------------------

From the figure it is clear that there are two ISP connections. The ISP connections terminate only at the 2851 router.

Please suggest if the following are right or not?

I)   So for the internet connection I need to configure

a) Default route in the 2851 router

b) Default route from the ASA5510 to the router's interface that is connected to the ASA

c) PAT from the ASA's inside private addresses to the ASA's outside private address

d) Then another PAT from the ASA's outside interface to the router's WAN interface.

Do I need to configure anything to make the internet UP for the internal network?

II)  Static NAT of servers inside the ASA's inside interface

a) Since the servers are two hops away from the router's WAN interface, is it possible to do a static NAT from the ASA itself?

b) Or do I need to configure NAT in the router? If so, how can I configure that?

III) Failover mechanism

  a) Is RTR configuration enough for this ISP switching? Or do I need to configure BGP or something? Please advise, I have no idea about this.

IV) IPVPN to multiple sites

  a) The ISP's website shows that IPVPN is related to MPLS, so do I need to configure anything from our side? Or will the ISP do this?

Initially I thought it was similar to site-to-site VPN.

Also, for failover of the WAN interface, do I need to create NAT and a default route for each interface?

Please provide your suggestions; also find the attachment.

Thanks and regards

Vipin

Thanks and Regards, Vipin

Hi Varma,

I have one doubt.

What will be the requirement of MPLS IPVPN from branch office side?

Do they have the same series router? Right now I am not sure about the device in branch offices.

Could you tell me whether I need to purchase any new router? Or is a router which is capable of cryptographic services enough?

Thanks

Vipin


Hi Vipin

For MPLS VPN services, the CE routers (branch office routers) can be any ISR routers (2811, 2821, 2851, etc.) capable of running either Static, OSPF, EIGRP, or BGP as the PE-CE routing protocol.

From my understanding, no new router is needed; if the current routers fall into the above category, they will be capable enough.

Hope this helps to answer your query.

Regards

Varma

Hi Varma,

So after the IPVPN configuration, will the branch routers be able to communicate with each other?

Or just branch to main office?

Thanks

Vipin


Hi Vipin

MPLS-VPN services are by default configured by the ISP for full-mesh any-to-any communication, i.e. Branch-Branch, Branch-Hub. But we can always ask the ISP for a more customized solution per our business needs and go for a Partial Mesh or Hub-Spoke model.

So when you are placing an order with the ISP, please explicitly clarify to them the required topology model to be used for your MPLS VPN services.

Hope this helps to answer your query.

Regards

Varma

Hi Varma,

The only thing we need to configure IPVPN is an ISR router and the same ISP connection, right?

Is there any limitation in IPVPN?

I need to prepare a document regarding this. That is why I keep asking.

Thanks

Vipin


Hi Vipin

Yes, for an MPLS-VPN service, from the CE perspective we need a supporting CE router and MPLS-VPN service from the same ISP, as we have discussed above.

MPLS VPNs are the most flexible and scalable service offering for connecting different locations of a customer, with the only limitation sometimes being troubleshooting issues in coordination with the ISP.

Please feel free to ask questions and I will try to help you from my best understanding.

Regards

Varma

Hi Vipin,

If you allow me, I would rephrase the question as "What are the design considerations of MPLS-VPN?"

From the customer's point of view it's very simple.

You need to look at a few things.

1. Hardware: supporting routers/L3 switches with the latest IOS and no bugs, etc.

2. Bandwidth considerations: how much bandwidth does each site require?

3. QoS: do you need any quality of service etc. with your ISP for this MPLS VPN?

4. What routing policies does the ISP support? I mean if you want high-availability-based routing etc., primary/backup etc.

These are some of the things that you need to keep in mind. As such, there is no limitation for an MPLS VPN.

But there are considerations. The only major consideration that I have come across is having MPLS VPN across different countries. I supported a customer who had MPLS VPNs in different countries doing Inter-AS MPLS etc. with QoS and all, so the ISPs need to sort of work together to make sure everything is good. But, as I mentioned earlier, if they are in the same ISP then it's easy to administer.

HTH

Kishore

Good Summary Kishore

Thanks heaps V. Appreciate that
