Vlan – Handling VLAN based MPLS circuits with site specific internet access

mplsvlan

I'm having difficulty wrapping my head around how to set this up and the MPLS vendor is being no help so I figured I would ask here.

I have a 2 node MPLS each site having internet access on the same circuit the MPLS rides in on. These circuits replace dedicated internet access at each site with an IPSEC tunnel between the sites. We want to leave our existing firewalls in place as they provide content filtering and VPN services. I am trying to configure a layer 3 switch (a cisco SG300-10P) at each site to set up this scenario.

The relevant info (ip addresses changed to protect my idiocy)

Site A

Local Lan: 172.18.0.0/16
Existing Firewall (internal): 172.18.0.254
MPLS Gateway to Site B: 172.18.0.1
Internet IP Range 192.77.1.144/28
Carrier Gateway to internet 192.77.1.145

Items 3 and 5 are on a single peice of copper coming from an adtran netvana (Carrier equip I have no access)

Site B

Local Lan: 192.168.2.0/23
Existing Firewall (internal): 192.168.2.1
MPLS Gateway to Site A: 192.168.2.2
Internet IP Range 216.60.1.16/28
Carrier Gateway to internet 216.60.1.16

Items 3 and 5 are on a single peice of copper coming from an adtran 908e (Carrier equip I have no access)

So given the above what I want to do at each site is set up these cisco switches so that:

Port 1 = Carrier Connection
Port 2 = Interal Lan
Port 3 = Firewall

Where the local lan is not exposed to the Internet IP range (ie if some yahoo sets their machine up on a provided internet ip with the carriers gateway it doesn't work) Or put differently from port 1 all traffic in the internet subnet can only exit on port 3 and from port 1 all traffic on the local lan subnet can only exit port 2.

Every attempt I have made so far results in no access between the ports at all or basic dumb swith behavior (any host on any port can get across all of the IP ranges).

First question here so please be kind. 🙂 If you need more information I would be happy to provide it.

Best Answer

Depending on how the service is delivered by the SP will dictate how you can separate the services on your end.

Typical methods are either a port per service or a VLAN tag per service.

If the SP is tagging the traffic you can just set up your switch to trunk to the SP and then separate the traffic into two access ports (one to FW and one to LAN).

If it's a port per service then just create two VLANs with the services in different VLANs for isolation.

Problem Summary

Your problem is that you've got multiple routers on the same subnet:

The Internet gateway at 192.168.1.1
The Windstream MPLS router at 192.168.1.2

This is a faulty design; I completely understand that it "seems like" there is nothing wrong with this, but as you're discovering, this is a hard way to build the network.

Following up on our chat discussion, the exact problem is that SAINTJOSEPH's TCP SYN packets are delivered correctly; however, stateful inspection on your PaloAlto firewall drops SAINTSERVIUS' TCP SYN-ACK response, due to asymmetric routing in your environment. This is illustrated in the two following diagrams.

TCP SYN from SAINTJOSEPH to SAINTSERVIUS:

Your PaloAlto firewall drops the TCP SYN-ACK from SAINTSERVIUS to SAINTJOSEPH:

This tracert makes it very clear that SAINTSERVIUS defaults through 192.168.1.1 (the PaloAlto firewall):

Long Term Solutions

You should only have a single router next-hop for every subnet; however, you currently have two. This results in the drops shown in your wireshark screen capture (which indicates that TCP SYN-ACK packets never reach Windstream's MPLS network).

These are two long-term solutions which we discussed... I'm also including the quick hack we did to validate that the problem is stateful packet drops on the PaloAltos. I am assuming you are using multiple interfaces on the PaloAlto.

Option A: Keep the PaloAlto firewalls inline with your interoffice connections (more maintenance)
Option B: Move the PaloAlto firewalls in front of the internet connections (less maintenance, but also less comfortable)
Option C: Quick Windows static routing hack

Better Design, Option A (MPLS re-addressing required)

This is a another way to lay out the subnet for SAINTSERVIUS (retaining your numbering scheme with /23 subnets, although it's not required...). This option keeps interoffice routing on the PaloAlto firewalls, which feels more familiar to you right now.

This is a long-term solution. You would have to work with Windstream to readdress your infrastructure. This is a lot of work. In my opinion, keeping the firewalls in the middle of your interoffice traffic is less preferable.

Better Design, Option B (MPLS re-addressing required)

This is a another way to lay out the subnet for SAINTSERVIUS (retaining your numbering scheme with /23 subnets, although it's not required...). This option offloads interoffice LAN routing to your PowerConnect switches, and relies on the PaloAlto firewalls to protect against internet threats.

This is a long-term solution. You would have to work with Windstream to readdress your infrastructure. This is a lot of work, but it offers the advantage of not having to deal with firewalls for your interoffice communication.

Suboptimal Workaround, Option C (what you used after our chat)

Open a cmd.exe window and add this route on SAINTSERVIUS as the Administrator:

route ADD 192.168.2.0 MASK 255.255.254.0 192.168.1.2

Closing remarks

I should mention that you are one of the few people who followed through with sufficient details about your question When you started, we didn't have enough details to answer the question. Now, the issues are very clear; thank you for putting the time / effort into documenting the problem well.

Personal note: If you would like an electronic copies of the diagrams as SVG / Inkscape format, please feel free to contact me at my personal email (listed in my user profile).

Site A

Site B

Best Answer

Related Solutions

Vlan – Setting up PIM Sparse mode

Routing – Cannot Load Internal Website over MPLS