Help with MPLS routing

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
We have a client that is bringing an MPLS router into our network. Right now they connect to our site using a tunnel between our two firewalls. I have a policy in place that locks them down to 4 specific servers (the servers have a gateway of 10.199.1.1 w/ a subnet of /24). Keep that in mind. Now, the vendor configured the MPLS router w/ a gateway of 10.199.1.250. If I plug the router into our switch, I should be able to ping the MPLS router, no? So says the vendor.

Now, let's assume that's how it works. How the heck do I pass traffic from the 4 servers through the MPLS router? I'll have to kill the existing tunnel, but the VLAN's gateway is 10.199.1.1 so that's what the servers are defaulted to. If traffic goes through the MPLS, how can I access those 4 boxes from my internal LAN then?
 

Cooky

Golden Member
Apr 2, 2002
1,408
0
76
Are you trying to connect to your client through MPLS, or simply through that new "MPLS router"?
In an extranet MPLS scenario, you shouldn't need a new router.
The carrier simply advertises the correct route target and route distinguisher into the MPLS network.

Without knowing all the specifics and details, it looks like you can do a policy based routing on the L3 device that handles routing for the 10.199.1.0/24 subnet, and route traffic from the 4 servers to the client.
 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
In our current LAN we use 192.168.10.0 and 192.168.1.0 (both /24). Our clients sit on the 10.199.x.x network w/ gateway of 10.199.1.1.
We're able to get to the 10.199.x.x network from any of our nodes from the two networks listed above.

This particular client comes in through a tunnel we established using routers on both ends. A new router was installed for the MPLS network.
Right now it's just sitting there until we figure out why they can't ping the MPLS router from their end. I hooked up my laptop to the MPLS router
w/ a gateway of 10.199.1.250 and I was able to ping their network and the gateway just fine. The question I have is, if I plug the router into
my switch, how the heck do I route traffic from the 4 servers through the MPLS? I will need to disconnect the tunnel so they can only come in through the MPLS.
Would I just modify the servers' default gw to point to 10.199.1.250? But what about us having access to the box from our network?
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
You wouldn't.

Set up a static route on the current gateway for the servers (this will preserve your clients' ability to access the servers) for the far-end network pointing to the new router.

In Cisco IOS world, assuming the far end network is 172.16.0.0/24, something like this:

ip route 172.16.0.0 255.255.255.0 10.199.1.250

This, entered into your current 10.199.1.1 router, will direct any traffic destined for the remote network through the MPLS network. No change needed to the default gateway of the servers (any change here would not allow your nodes access to those servers, as there would be no route back).
 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
Originally posted by: drebo
You wouldn't.

Set up a static route on the current gateway for the servers (this will preserve your clients' ability to access the servers) for the far-end network pointing to the new router.

In Cisco IOS world, assuming the far end network is 172.16.0.0/24, something like this:

ip route 172.16.0.0 255.255.255.0 10.199.1.250

This, entered into your current 10.199.1.1 router, will direct any traffic destined for the remote network through the MPLS network. No change needed to the default gateway of the servers (any change here would not allow your nodes access to those servers, as there would be no route back).

So I have to add a route on the 4 servers to their network?
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
No, that's not what I said, although that would probably work.

You have to add a route on the gateway of the four servers to their network.

Either way, though, the servers need to know how to get back to their network, and that requires a route of some kind.
 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
Originally posted by: drebo
No, that's not what I said, although that would probably work.

You have to add a route on the gateway of the four servers to their network.

Either way, though, the servers need to know how to get back to their network, and that requires a route of some kind.

I understand but when you say "add a route on the gateway," I thought I had to do it on the server level. I take it I will need to look on my firewall/router then?
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
It might help if you told us what kind of router you have and what connections/subnets are currently connected to it.
 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
Sonicwall on their end and Juniper on our end - currently we have a PTP Tunnel between the two sites.
There's a policy in place that only allows them to connect to the 10.199.1.0/24 subnet from their end.
We're able to connect to this subnet since it's on our internal LAN (our LAN is 192.168.1.x/24).

Their vendor assigned the MPLS router as 10.199.1.250, and my gw for their 4 servers is assigned to 10.199.1.1.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
How do you direct traffic from 192.168.1.0/24 to 10.199.1.0/24? Do you have VLANs on your switch that trunk to the Juniper? Or are you doing something stupid like proxy arp?

Also, stop talking about the point to point tunnel. It doesn't matter anymore. All that matters is their traffic comes in on a router with an IP address of 10.199.1.250. What you need to resolve is how to direct traffic from your servers in two directions at once.

Which device has the IP address of 10.199.1.1? Is that your Juniper? Does your Juniper have multiple interfaces? Does the Juniper device also have an interface on the 192.168.1.0/24 network?

If the answer to all three of those questions is "Yes", then all you need to do is put a static route on the Juniper directing traffic to the foreign network to the gateway at 10.199.1.250. If the answer to any of those questions is "No", then you need to be more specific about what equipment you have and what your network diagram is, and you'll probably want to re-evaluate your setup, because it doesn't sound like a good one.

Someone correct me if I'm wrong, but I've always held to the notion that running multiple layer 3 subnets over the same layer 2 broadcast domain is a bad idea.
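An added worked example (not from anyone in this thread) that simulates the forwarding decisions drebo describes in his static-route post and in his "two directions at once" post above. It models the existing 10.199.1.1 gateway with the suggested `ip route 172.16.0.0 255.255.255.0 10.199.1.250` applied, and traces three flows: the servers reaching the far-end network through the MPLS router, the internal LAN reaching the servers, and the servers' replies back to the LAN. It also shows the failure mode drebo warns about: if the servers' default gateway is moved to 10.199.1.250, the reply to an internal LAN host is dropped because the MPLS router has no route back. Assumptions (all constructed for the illustration): the far-end network is 172.16.0.0/24 as in drebo's example, the server address 10.199.1.10, the LAN host 192.168.1.20, the provider-side next hop 192.0.2.1, and the MPLS router's routing table, which is assumed to know only its own LAN and the far end.

```python
import ipaddress


class Router:
    """Minimal longest-prefix-match forwarder (constructed for illustration)."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # list of (network, next_hop); next_hop None = directly connected

    def connected(self, network):
        self.routes.append((ipaddress.ip_network(network), None))

    def static(self, network, next_hop):
        self.routes.append((ipaddress.ip_network(network), ipaddress.ip_address(next_hop)))

    def lookup(self, dst):
        """Return the most specific matching (network, next_hop), or None if no route."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def forward(router, dst):
    """Single-hop decision: ('connected', net) / ('via', next_hop) / ('drop', None)."""
    hit = router.lookup(dst)
    if hit is None:
        return ("drop", None)
    net, nh = hit
    return ("connected", str(net)) if nh is None else ("via", str(nh))


# The existing gateway at 10.199.1.1 (the Juniper in the thread), with interfaces on
# the three LAN subnets from the thread plus drebo's suggested static route.
gw = Router("gateway-10.199.1.1")
gw.connected("10.199.1.0/24")
gw.connected("192.168.1.0/24")
gw.connected("192.168.10.0/24")
gw.static("172.16.0.0/24", "10.199.1.250")  # ip route 172.16.0.0 255.255.255.0 10.199.1.250

# The vendor's MPLS router at 10.199.1.250. Assumed to know only its own LAN and the
# far-end network; 192.0.2.1 is a constructed placeholder for the provider next hop.
mpls = Router("mpls-10.199.1.250")
mpls.connected("10.199.1.0/24")
mpls.static("172.16.0.0/24", "192.0.2.1")

DEVICES = {"10.199.1.1": gw, "10.199.1.250": mpls}


def make_server(default_gw):
    """One of the four servers (constructed address 10.199.1.10) with a chosen default gateway."""
    host = Router("server-10.199.1.10")
    host.connected("10.199.1.0/24")
    host.static("0.0.0.0/0", default_gw)
    return host


def make_lan_host():
    """An internal LAN node (constructed address 192.168.1.20) defaulting to 10.199.1.1."""
    host = Router("lan-192.168.1.20")
    host.connected("192.168.1.0/24")
    host.static("0.0.0.0/0", "10.199.1.1")
    return host


def trace(host, dst, max_hops=4):
    """Follow the packet hop by hop; returns [(device, action, argument), ...]."""
    path = []
    device = host
    for _ in range(max_hops):
        action, arg = forward(device, dst)
        path.append((device.name, action, arg))
        if action != "via" or arg not in DEVICES:
            break  # delivered, dropped, or handed off to the provider
        device = DEVICES[arg]
    return path


def servers_to_far_end():
    """Server -> far-end host: default gw 10.199.1.1 hands it to the MPLS router."""
    return trace(make_server("10.199.1.1"), "172.16.0.5")


def lan_to_servers():
    """Internal LAN -> server: the gateway delivers it on its connected 10.199.1.0/24."""
    return trace(make_lan_host(), "10.199.1.10")


def servers_reply_to_lan(default_gw):
    """Server -> internal LAN host, with the server's default gateway as given."""
    return trace(make_server(default_gw), "192.168.1.20")


if __name__ == "__main__":
    print("servers -> far end:", servers_to_far_end())
    print("LAN -> servers:", lan_to_servers())
    print("reply via 10.199.1.1:", servers_reply_to_lan("10.199.1.1"))
    print("reply via 10.199.1.250:", servers_reply_to_lan("10.199.1.250"))
```

Running it shows why the route belongs on the gateway rather than on the servers' default gateway setting: with 10.199.1.1 as default, the server's reply to 192.168.1.20 is delivered on the gateway's connected interface, while with 10.199.1.250 as default the MPLS router has no matching route and the trace ends in a drop.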