1460 Views, 10 Helpful, 7 Replies

VLAN across MPLS?

Graham Bell
Level 1

Hi,

Apologies for my first post being a question but I've got an urgent problem to solve before Monday morning. I'll try to keep it as simple as possible without missing out any important information.

We have moved our servers, routers, firewalls etc to a new site. Up to the move our smtp mail, remote access, outlook web access, branch office VPNs etc came in/out via our BTNet connection at our old site. We have a new BTNet connection at the new site and were promised that our current external fixed IP addresses would be transferred to the new connection yesterday when we moved so we would not need to reconfigure our firewalls and change DNS/MX records etc. Unfortunately this hasn't happened and isn't likely to for a while.

The old and new sites are connected via MPLS and the old site BTNet connection is still up and running with the existing IP addresses. I have a 3750 stack connected to the MPLS LAN interface at each end for inter-VLAN routing.

So, my question - is there a way to use those external addresses on our firewall in the new site by somehow tunneling through the MPLS? Although I can route traffic across the MPLS, I'm looking for a layer 2 solution that will allow me to configure our external addresses on the new site firewall even though the BTNet connection that provides those addresses is on a remote site.

Hopefully I've provided enough information to at least explain the situation I'm in - further technical details available on request!

Thanks,

Graham

1 Accepted Solution: paulstone80's second reply below.

7 Replies

paulstone80
Level 3

Hi Graham,

What equipment at the old site are the BTNet IP addresses assigned to?

Is there any NAT in place for the IP addresses?

HTH

Paul

****Please rate useful posts****

Hi Paul,

The addresses are on a WAN port of our Watchguard Firebox which was connected to the BTNet router. This Firebox has been moved to the new site without any reconfiguration (LAN IP addresses have moved to the new site also). We were expecting to be able to connect the WAN port directly to the new site BTNet router for a 'seamless' move.

Currently there is nothing connected to the BTNet router at the old site but I have a 3750 switch there connected to the MPLS which I can configure/connect as necessary.

Yes, NAT is performed on the external IP addresses for some internal services.

Thanks,

Graham

paulstone80
Level 3
(Accepted Solution)

Hi Graham,

As I understand it, you want to connect the BTNet router to the LAN at the old site, and then tunnel this traffic through to the new site, whereby it will go through the WAN interface of the Watchguard firewall.

It is possible to extend vlans using GRE tunnels but it is not supported by Cisco, or you can use L2TPv3 tunnels. I don't think either are supported on the 3750's.

How feasible is it to put the Watchguard back in at the old site?

HTH

Paul


Hi Paul,

Yes, you understand the situation correctly. For me to avoid a very lengthy reconfiguration of a firewall that I've just inherited - without documentation... I need the old site BTNet IP addresses to work when configured on the Watchguard WAN interface.

I could put the Watchguard back in the old site or alternatively we have a spare Watchguard at the old site that I could feasibly transfer the config to. Routing is in place to allow devices on the old site to reach devices on the new site via MPLS, so incoming firewall traffic would reach its destination I guess, but for outgoing traffic, the Watchguard LAN interface on the old site would be on a different subnet to that which the new site devices would expect, so they would need reconfiguring.

The main problem I have is that I am new to this company/network and nobody seems to know how many services are offered in/out of the firewall, hence my original plan to have BT migrate the external addresses from the old site to the new. There are 100+ firewall rules on the Watchguard, any one of which could be for a critical application, but no aliases have been used so it's just a pile of unknown IP addresses to me!

It sounds from what you are saying that my original question around VLAN via MPLS is not practical, what are your thoughts if I can return the Watchguard to the old site?

Thanks,

Graham

paulstone80
Level 3

Hi Graham,

Do you have confirmation that the IP addresses at the old site are going to be transferred to the new site? Has a date been set for the transfer?

If I was in your situation I would look to put the spare watchguard in at the old site. This will maintain the NAT translations for your external services and get you back up and running.

As your environment is working again you have two options based on whether the IP addresses are going to be transferred.

1. Arrange a date and time for the IP transfer to take place. Disable the old Watchguard and enable the new one. I should think that for the IPs to transfer it will be a cut-off of service at the old site rather than a staged migration.

2. If the IPs are not being transferred then you have an environment where you can migrate services from the old BTNet service to the new one in a controlled manner. I would monitor the hit counters on the Watchguard to identify what services are being used.

Start working on creating the new NAT translations on the Watchguard at the new site. For a seamless transition to the new IPs you can arrange with your ISP to lower the TTL of the DNS records to a value of seconds. Do this at least 24hrs before you want to change the IP of the record so that the TTL has time to propagate. When you come to update the IP in DNS you will only lose service for a matter of seconds before the cached record expires on the client and a new record is requested.

It seems like you can get a temporary fix up and running using the spare watchguard. I would be wary of how long the old BTNet service will run for. You need confirmation that BT are not going to switch this off or change the config without your permission otherwise you will have a large problem!

HTH

Paul
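Paul's option 2 is a procedure: find out which rules and external IP/port combinations actually carry traffic, build the matching NAT translations at the new site, then lower the DNS TTLs far enough ahead of the cut-over. The script below is an added example for that procedure; it is not code from this thread, from WatchGuard or from Cisco. The log format it parses is a constructed, generic "allow" line (timestamp, rule name, protocol, source, destination:port), the rule names are hypothetical, and a real WatchGuard log export will differ, so the regular expression is the part to adapt.

```python
"""Triage an inherited firewall ruleset from its allow log and plan DNS cut-over.

Added example (not from the original thread, WatchGuard or Cisco). The log
lines and rule names below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of allow-log lines; not captured from a real firewall.
SAMPLE_LOG = """\
2013-01-19T09:01:12 rule=Inbound-25 proto=tcp src=198.51.100.7 dst=203.0.113.10:25
2013-01-19T09:01:15 rule=Inbound-443 proto=tcp src=198.51.100.9 dst=203.0.113.11:443
2013-01-19T09:02:40 rule=Inbound-25 proto=tcp src=198.51.100.20 dst=203.0.113.10:25
2013-01-19T09:03:05 rule=Inbound-443 proto=tcp src=198.51.100.31 dst=203.0.113.11:443
2013-01-19T09:05:55 rule=Inbound-1723 proto=tcp src=198.51.100.4 dst=203.0.113.12:1723
this line is deliberately malformed and must be skipped
2013-01-19T09:07:00 rule=Inbound-25 proto=tcp src=198.51.100.21 dst=203.0.113.10:25
"""

# Hypothetical rule names as they would appear in the inherited ruleset. The
# difference between this list and what the log shows is the set of rules
# that never fired in the observation window: candidates for not migrating.
ALL_RULES = ["Inbound-25", "Inbound-443", "Inbound-1723", "Inbound-3389", "Inbound-8080"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) rule=(?P<rule>\S+) proto=(?P<proto>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dstip>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield match.groupdict()


def rank_rules(text, all_rules):
    """Return (rules sorted by hit count descending, rules with zero hits)."""
    hits = Counter(entry["rule"] for entry in parse_log(text))
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    unused = [rule for rule in all_rules if rule not in hits]
    return ranked, unused


def services_per_external_ip(text):
    """Map external IP -> {proto/port: number of distinct sources}.

    This is the list of NAT translations that must exist at the new site
    before any DNS record is repointed. Distinct sources are counted so a
    single scanner hammering one port does not look like a busy service.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for entry in parse_log(text):
        seen[entry["dstip"]][f'{entry["proto"]}/{entry["dport"]}'].add(entry["src"])
    return {ip: {svc: len(srcs) for svc, srcs in svcs.items()} for ip, svcs in seen.items()}


def ttl_plan(cutover_iso, old_ttl_seconds, new_ttl_seconds=60, margin_hours=24):
    """Return when the TTL must be lowered for a cut-over at cutover_iso.

    Resolvers that cached the record before the change keep it for the old
    TTL, so the lowering must happen at least old_ttl before the cut-over,
    and never less than the 24-hour margin the reply recommends.
    """
    cutover = datetime.fromisoformat(cutover_iso)
    lead = max(timedelta(hours=margin_hours), timedelta(seconds=old_ttl_seconds))
    return {
        "lower_ttl_by": (cutover - lead).isoformat(),
        "new_ttl_seconds": new_ttl_seconds,
        "max_stale_seconds_after_cutover": new_ttl_seconds,
    }


if __name__ == "__main__":
    ranked, unused = rank_rules(SAMPLE_LOG, ALL_RULES)
    print("rules by hits:", ranked)
    print("rules never hit:", unused)
    print("translations needed:", services_per_external_ip(SAMPLE_LOG))
    print("TTL plan:", ttl_plan("2013-01-28T06:00:00", old_ttl_seconds=2 * 86400))
```

Run it over a few days of log rather than a morning: a rule that is idle over a weekend may still be the only path for a monthly job, so "never hit" means "not hit in the window", not "safe to delete".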

Hi Paul,

Sorry for not getting back to you sooner. Ended up getting snowed under with 101 other things during the move making it impossible to relocate the Firebox back to the original site. Luckily we managed to hammer BT first thing Monday morning and they made the IP change for us within minutes.

Not ideal as we had thousands of emails to come through to us that had backed up over the weekend but at least it made the job easier for me in the long run.

Thanks for your help, much appreciated!

Graham

No worries, at least you got a quick resolution from BT and you're operational again.

HTH


Paul