Solved

MPLS VPN

Posted on 2011-09-22
Last Modified: 2012-05-12
I'm changing over from a Qwest MPLS solution to Windstream MPLS and I'm a bit confused and just looking for some info.  With Qwest my Setup looked like HQLAN -> Cisco 2811 -> Qwest Managed Router -> Qwest -> Qwest Managed Router -> Cisco 1841 -> BranchLAN.

Turnup is about a week or so out and I'm just trying to understand how this is going to work.

This Windstream MPLS is an MPLS VPN solution that I'm not familiar with.  They requested some free IPs to use on my private LANs for equipment.  They just sent me what they're configuring their transport gear for in the HQ location:

interface GigabitEthernet1/1/2.1229
 description 3Mb VPN
 encapsulation dot1Q 1229
 ip vrf forwarding vrf
 ip address 10.0.0.253 255.255.255.0
 service-policy input BestEffort-3Mb
 service-policy output BestEffort-3Mb
exit

What's throwing me off is why they are using a VLAN other than default and if they're using a private address on the interface that I'll be hooking this directly into my switch.  My default gateway is 10.0.0.254 so on my router would I be adding a route to my branch office to go through 10.0.0.253?

To further specify my current setup these are the interfaces on my 2811:
FA0/0 - LAN
FA0/1 - Public IPs/Internet
FA0/0/0 - Current Qwest facing MPLS link

So when we move over to Windstream I won't be using FA0/0/0 anymore?
Question by:ceberts
10 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 36586282

They are trunking VLANs to you so in the future if you want additional services they can extend them to you rapidly. New services would be an additional VLAN on the trunk. They also could provide internet to you via an additional VLAN as well. Are you buying just a L3VPN without internet? They did it to extend additional services to you seamlessly.

harbor235 ;}
0
 

Author Comment

by:ceberts
ID: 36587393
We'll have an IA Voice+Data for internet and phone lines out as well.  But it looks like they have a separate Adtran unit installed for that.  I understand why they'd put my service on a vlan but I thought they should only use the vlan on the provider side and not the customer side.  They marked the port that I assume was going to be plugged into my network as vlan 1229, so effectively I won't be able to communicate with it as we only run on the default vlan (no IP phones just a pure data network).
0
 
LVL 32

Expert Comment

by:harbor235
ID: 36587534


It's all for potential use. What if you wanted another VPN isolated from the other? This would be simple to implement, very flexible and maintains separation all the way to your handoff, no mixing, enhanced security as well.

harbor235 ;}
0
 

Author Comment

by:ceberts
ID: 36587645
I'm pretty sure I understand the provider side.  But what I'm looking for is how I hook up to this on the client side.  My current default gateway is 10.0.0.254, so basically the default route out to the internet will go out the IA, but any traffic out to the branch office will route out through 10.0.0.253 with my current understanding.  However 254 can't talk to 253 if 253 is on vlan 1229 and 254 is on vlan 1.  So unless I'm missing something, either my provider needs to change the port that faces my side to vlan 1 or I change my entire network to vlan 1229?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 36588230

I think I see what you mean but you are leaving out some of the technical details.

What is IA?

Did they provide the GW info? Is there HSRP running? I ask because .253 physical could use .254 VIP. If not, the GW may be .253.

They should be telling you what needs to be done on your side. Do you have a picture showing what they provide and what you provide?

Is this what you have?

        MPLS cloud
            |
CE (transport gear? .253 GigabitEthernet1/1/2.1229)
            |
            |  -10.0.0.0/24
         ur 2811?
            |    -10.x.x.x/24?

Draw what you have?

harbor235 ;}
0

 

Author Comment

by:ceberts
ID: 36588357
The IA is just my T1 that handles our internet and phone lines.  This should be how the network looks I believe.
hqnetwork.png
0
 

Author Comment

by:ceberts
ID: 36588397
And sorry I forgot to address your other questions, they haven't mentioned HSRP.  Nor any gateway info.  I was under the impression that any traffic for my branch office needs to be directed out 253 while any other internet traffic heads out 254 to the T1.
0
 
LVL 32

Accepted Solution

by:
harbor235 earned 500 total points
ID: 36588534

Aah I see now, so what's missing is any internal network, where are the internal devices? I will assume there is another interface off the 2811 and that the Windstream device is managed by them. Are your internal devices on the 10.0.0.0/24 as well? If so you need a default route to .254 with an additional route for your remote site MPLS VPN networks.

For example:

route add default gw 10.0.0.254
route add 10.100.0.0/6 10.0.0.253

If your internal nets are on a separate internal net then a single default route to the internal interface IP off the 2811 will do as long as the 2811 is also aware of remote site MPLS VPN routes. Which means a routing protocol between the Windstream and the 2811 or static routing.

harbor235 ;}

0
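The two points this thread turns on, the more specific branch route winning over the default and the next hop having to sit in the same VLAN as the host, are modelled below as an added example that is not part of the original posts or anyone's actual configuration. The branch prefix `10.1.0.0/24` and the function and table names are hypothetical; the gateway addresses and VLAN numbers come from the thread.

```python
import ipaddress

# Hypothetical branch prefix: the thread never states the real one.
BRANCH_NET = "10.1.0.0/24"
HOST_VLAN = 1  # the asker's LAN runs only on the default VLAN

# A host's routes as described in the accepted answer:
# default via .254, branch office via .253, local subnet on-link.
ROUTES = [
    ("0.0.0.0/0", "10.0.0.254"),
    ("10.0.0.0/24", "on-link"),
    (BRANCH_NET, "10.0.0.253"),
]

def next_hop(dst, routes=ROUTES):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def deliverable(dst, hop_vlans, host_vlan=HOST_VLAN):
    """Return (next_hop, ok); ok means the host shares a VLAN with the
    next hop and can therefore ARP for it."""
    hop = next_hop(dst)
    if hop == "on-link":
        return hop, True
    return hop, hop is not None and hop_vlans.get(hop) == host_vlan

# Handoff as the provider sent it: .253 is on dot1Q subinterface 1229.
AS_SENT = {"10.0.0.254": 1, "10.0.0.253": 1229}
# Handoff if the provider presents .253 on the default VLAN instead.
UNTAGGED = {"10.0.0.254": 1, "10.0.0.253": 1}

if __name__ == "__main__":
    for label, vlans in (("as sent", AS_SENT), ("untagged", UNTAGGED)):
        for dst in ("10.1.0.20", "8.8.8.8", "10.0.0.5"):
            print(label, dst, deliverable(dst, vlans))
```
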
 

Author Comment

by:ceberts
ID: 36588870
The internal devices are all on that 2960 switch and are part of my 10.0.0.0/24 network, I forgot to put the cloud in the image to picture it.  But what you said pretty much confirms what I'm thinking.  I'll verify with them next week before I reconfigure my routers but I just wanted to make sure I was heading into this with as much understanding on my part as possible.  Thanks for your help.
0
 

Author Closing Comment

by:ceberts
ID: 36588891
Just need to talk with provider about VLAN tag on their interface facing my network but other than that I'm pretty clear on how this works.
0
