WAN sub-interfaces config; adding mpls

rzabaga01 (Level 1)

My ISP is going to be giving us MPLS capability and told me I need to create sub-interfaces for my WAN.

One is for the regular traffic and the other for MPLS. 

I'm not 100% sure if I have the configuration correct. I'm looking for a second opinion. I'll paste my current interface config below, then the configuration I'm planning to use. Does anything strike you as missing or incorrect? I wasn't sure about the "crypto map vpn" and "rate limit" on both of the sub-interfaces.

CURRENT:

interface FastEthernet0/0
description Public Net
ip address A.B.C.D 255.255.255.252
ip access-group internet-in-027 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
rate-limit output 40000000 7500000 15000000 conform-action transmit exceed-action drop
duplex auto
speed auto
no mop enabled
crypto map VPN

PROPOSED (after our ISP breaks out our service / adds MPLS capability):

interface FastEthernet0/0
description Public Net
no ip address
duplex auto
speed auto
no mop enabled

interface FastEthernet0/0.1
description Public Net.10
encapsulation dot1Q 10
ip address A.B.C.D 255.255.255.252
rate-limit output 40000000 7500000 15000000 conform-action transmit exceed-action drop
ip access-group internet-in-027 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
crypto map VPN
no mop enabled

interface FastEthernet0/0.2
description MPLS Public Net.20
encapsulation dot1Q 20
ip address E.F.G.H 255.255.255.252
rate-limit output 40000000 7500000 15000000 conform-action transmit exceed-action drop
ip access-group internet-in-027 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
crypto map VPN
no mop enabled

THANKS!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Accepted Solution

mlund (Level 7)

Hi

For the crypto map, it depends on whether you are also going to use the new connection for crypto tunnels or not. If not, remove it; if yes, then depending on how it is configured, you can use it as it is or maybe do another crypto map configuration for this interface.

For the rate limit, this will allow for 40M on each subinterface, 80M in total. If the total should remain the same, then move the rate-limit command back to the head interface fa0/0.

For dot1q, the first subinterface will have dot1q tag 10 and the second will have tag 20. The original config does not have dot1q tags, so there is a possibility that fa0/0.1 should be configured with "dot1q 1 native".

/Mikael 
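As an added check (not code from this thread or from Cisco), here is a small Python linter that parses the PROPOSED config above and flags the two points Mikael raises: subinterface rate-limits that add up to more than the physical interface carries, and a crypto map applied on each subinterface. The config sample is constructed from the poster's text with the same placeholder addresses.

```python
import re
from collections import defaultdict

# Constructed sample of the PROPOSED split config (placeholder addresses kept, other lines dropped)
PROPOSED_CONFIG = """
interface FastEthernet0/0
 no ip address
interface FastEthernet0/0.1
 encapsulation dot1Q 10
 ip address A.B.C.D 255.255.255.252
 rate-limit output 40000000 7500000 15000000 conform-action transmit exceed-action drop
 crypto map VPN
interface FastEthernet0/0.2
 encapsulation dot1Q 20
 ip address E.F.G.H 255.255.255.252
 rate-limit output 40000000 7500000 15000000 conform-action transmit exceed-action drop
 crypto map VPN
"""
RATE_RE = re.compile(r"^rate-limit output (\d+)")  # first number is the CAR rate in bps

def parse_interfaces(config):
    """Return {interface name: [its config lines]} from a show-run style dump."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line and current is not None:
            interfaces[current].append(line)
    return interfaces

def check_wan_split(config):
    """Flag subinterface rate-limits with no parent limit, and crypto maps on subinterfaces."""
    ifaces = parse_interfaces(config)
    findings, sub_rate_total = [], defaultdict(int)
    for name, lines in ifaces.items():
        parent, _, sub = name.partition(".")   # "FastEthernet0/0.2" -> parent + "2"
        if not sub:
            continue
        for line in lines:
            m = RATE_RE.match(line)
            if m:
                sub_rate_total[parent] += int(m.group(1))
        if any(line.startswith("crypto map ") for line in lines):
            findings.append(f"{name}: crypto map applied; confirm IPsec is wanted on this subinterface")
    for parent, total in sub_rate_total.items():
        if not any(RATE_RE.match(line) for line in ifaces.get(parent, [])):
            findings.append(f"{parent}: subinterface limits add up to {total // 1_000_000}M; no rate-limit on the physical interface")
    return findings
```

Running `check_wan_split(PROPOSED_CONFIG)` on the sample reports the 80M aggregate and both crypto maps; once the rate-limit is moved to fa0/0 and the subinterface copies removed, the aggregate finding disappears.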


5 Replies


Thanks, I appreciate your reply. I think just the nature of MPLS means it won't be necessary for crypto tunnels anymore, but I understand I could still set that up. I hadn't thought about the rate-limit like that. I know our provider is changing our circuit from plain 20mb internet to a blended service including MPLS and upgrading us to 40mb. I will have to ask my ISP whether that means 40mb on each simultaneously or 40mb TOTAL. If it's 40mb in total, I guess applying the rate-limit to the physical interface is the way to go. I'll have to go look up the "dot1q 1 native" command; I don't think I've ever had to use that. Again, thanks a million for your input!

-Bob

Talking about the native dot1q config, you may not need to worry. This is something the ISP would have told you to go with. The tags you are using are sufficient, I believe, and an ISP will never let a CE device fall under native tagging. This is something they will use for themselves.

Still confirm with them.

Talking about the rate-limit section, it may be 20mb for each, 40mb in total, or 40mb for each, 80mb in total. Probably the first one will be the case. Ask the ISP about the same.

Talking about crypto: you must have been creating the tunnels earlier on your internet link to reach your other office or DC intranet locations, and for that you must have enabled some routing (probably static). As soon as you converge to MPLS + Internet, if you do not remove the crypto config, you may have two paths to reach the same location: the first MPLS and the other IPsec over the internet. Now it also depends which routing you are going to enable on your MPLS link. So I am making you aware to change the routing section as well when you get the MPLS service, not only the interface section. And it will be better to remove the crypto config if you have no plan of keeping it as a backup service in case the MPLS service goes down. :)

Okay, thanks. I asked the ISP and they told me the 40mb will be TOTAL. So I think in that case I would keep my "rate-limit" configured for 40mb on the physical WAN interface. That seems to make the most sense to me. I won't put the rate-limit on the virtual 0/0.1 or 0/0.2.

At this time I'm not utilizing the MPLS service either. We may use it in the future.


Great, then you may have to keep the crypto config in place as it is.
