I've studied and lab'd out MPLS and MPLS VPNs several times. The situation I'm presented with is a little different from most of the case studies I've seen in my MPLS books. I've attached a diagram for your viewing pleasure which will hopefully help with understanding what I'm asking.
We have an IPsec site to site tunnel from our main HQ router to a Cisco ASA 5510 in the core network in the colo. This allows our HQ office to reach the private subnets in our core without using a Cisco VPN client. The problem we are running into is that this seems to be putting undue strain on the Cisco 2811. I feel like the 2811 should be able to handle it, but doing any kind of upload or download through the tunnel spikes the CPU/interrupts and makes the router CLI basically stop responding until the traffic transfer is stopped or completed. During this time, certain Cisco SCCP phones on our Broadworks platform cycle while the SIP phones on the same platform are OK. We are trying to alleviate the load on the 2811 by setting up a VRF from the HQ network to the private VRF used in the core for private subnet communication. The problem I'm having is that the HQ also has some public traffic that I do not want to include in the VRFs; I would like to have it travel through the P2P circuit we have and access the internet or other public devices through the core public IP Internet routing table.
The flow would be this:
- going to a public address: use the public internet routing table
- going to a private address in 10.x.x.x or 172.x.x.x: use the VRF to the core private network
This is a slightly different setup from most of the VRF VPN examples I've seen. In most of those, the CE device is completely private. This is not the case at our HQ. If anyone has experience dealing with a similar situation I would be grateful for any advice/assistance. Thanks!
You can drop your IPSEC tunnel to the colo environment into a VRF, you just need a way to route traffic in/out of the VRF then.
The easiest way here I think is to add a VLAN sub-interface onto the firewall in your office and add a sub-interface on the 2811 port facing the firewall that is inside the VRF also. The firewall can then be the breakout of the VRF into the HQ LAN.
As per your diagram, the firewall is connected to a switch, which the router is also connected to, is this correct?
Assuming your diagram is correct, you can, on the router, drop the IPSEC tunnel into a VRF, create a sub-interface on the 2811 interface facing the switch which is also in this VRF and tag the traffic from the IPSEC tunnel on its way out to the switch. On the switch, make the port facing the router and the port facing the firewall a trunk as appropriate (correct VLANs etc.) and add a VLAN sub-interface on the firewall to pick up the VLAN containing the IPSEC tunnel traffic.
I'm sorry I should be more clear in my original post. The FW on the diagram just shows the HQ. It is currently just acting as the gateway for our private data. The Tunnel originates on the 2811 and goes to a cisco ASA that isn't shown on the diagram but is reachable through the circuit to the core.
So what I'm trying to accomplish is have the private data behind the HQ FW be able to communicate to the private subnets in the core network without messing up the public data, all while not using the IPsec tunnel.
Well, the only way the private data inside the HQ LAN can talk to the equipment in your colo environment without an IPSEC tunnel (or some other tunnel/encapsulation-style transport method) is if you have a physical connection to there from the HQ LAN. Which I assume you don't, unless you do, and haven't stated so?
The HQ's WAN link is actually a P2P circuit connecting to the core network in the colo. So the connection is there. I'm setting up a GRE tunnel to do this for me for now, as encryption isn't needed on a P2P so GRE should be fine. However, I would really like to also eventually set this up using MPLS VRF VPN. My only hang-up is how to separate the public from private through this. The VRF VPN would be for the private data network at HQ and allow it to communicate via MP-BGP to another router in the core connecting it to the core's private VRF, while allowing the HQ's public traffic to go out the same link but be part of the public routing table and not the VRFs. Is that possible?
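One way to lay out the VRF-lite split that the reply above suggests (tagged sub-interface toward the firewall inside the VRF) and that the GRE question asks about (tunnel payload in the VRF, P2P circuit and public segment in the global table) on the 2811. This is an added example, not config from this thread or any participant; every interface name, VLAN id, RD and address is an assumption.

```cisco
! Added example (not from the thread). All names, VLAN ids and addresses are assumed.
ip vrf PRIVATE
 rd 65000:1
 description HQ private data; an MP-BGP VRF VPN can later reuse this VRF
!
! P2P circuit to the core stays in the global (public) routing table
interface Serial0/0/0
 description P2P circuit to colo core
 ip address 203.0.113.1 255.255.255.252
!
! GRE tunnel to the core router: endpoints are global, payload lands in the VRF
interface Tunnel0
 description GRE to core private VRF (no encryption on the P2P, as discussed)
 ip vrf forwarding PRIVATE
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1476
 ip tcp adjust-mss 1436
 tunnel source Serial0/0/0
 tunnel destination 203.0.113.2
!
! Tagged sub-interface toward the switch/firewall carries the private VLAN in the VRF
interface FastEthernet0/1.10
 description HQ private VLAN 10, firewall is the VRF breakout
 encapsulation dot1Q 10
 ip vrf forwarding PRIVATE
 ip address 10.10.10.1 255.255.255.0
!
! Untagged HQ public segment on the same port stays in the global table
interface FastEthernet0/1
 description HQ public segment
 ip address 198.51.100.1 255.255.255.0
!
! Global table: default toward the core's public routing table over the P2P
ip route 0.0.0.0 0.0.0.0 203.0.113.2
! VRF table: private core ranges (assumed 10/8 and 172.16/12) only via the tunnel
ip route vrf PRIVATE 10.0.0.0 255.0.0.0 Tunnel0
ip route vrf PRIVATE 172.16.0.0 255.240.0.0 Tunnel0
```

`show ip route` and `show ip route vrf PRIVATE` should then show two separate tables, with no private prefix appearing in the global one.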