Link to home
Start Free TrialLog in
Avatar of AMtek
AMtekFlag for United States of America

asked on

Typical CE Cisco router setup with MPLS/direct connection with two sites?

Wanted to see if I'm climbing the wrong tree or not -

Have a new MPLS setup going in place with a direct connection between two sites and both sites having internet - the ISP is providing an Ethernet hand-off with Adtran routers.

I have the task of configuring the CE (customer) router (Cisco) at both locations - with the config I believe it may just be a matter of ACLs and possibly NAT/PAT.

Is there more possibly to it - am I missing anything?
Would anyone know of an example config for Cisco?
Avatar of rauenpc
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of AMtek


Each site is supposed to have it's own separate internet connection from the same provider with a direct link (MPLS) between the sites.

Previously there was a separate ISP for each site and they were connected with an IPSec VPN.

So there is NAT/PAT already on each config for the internal network's routers (Cisco) along with an ACL for the IPSec - just wondering if/how much the configs might change with this setup.
Basically, all the configuration related to internet connectivity should remain the same, except any required changes like public IP, gateway, etc. if the ISP is changing. What will change is that you can remove the VPN configuration (assuming no other vpn configuration is needed for things like client vpn), and you will either run static routing or BGP on the MPLS-connected interface. Internet traffic will use the static default route to get to the outside world, and BGP/static routes will point to the subnets that exist internally between the sites. Just make sure that on the interface that connects to MPLS, don't enable nat otherwise things could get goofy or plainly not work.
Avatar of AMtek


ty, so the ISP installed their own routers, they said I didn't have to do anything with configs except for the external IP and a single static route for internet - they took my info for subnets in both sites and put info in their routers to broadcast.

so my question now is related to NAT/PAT - since the internet/direct link (MPLS) is over the same cable - how would I setup NAT/PAT?
I have several servers with static NAT configured in one site, then an overload statement for each subnet.

again each site has internet, thanks
If you get internet and MPLS on the same physical link, and this is with no logical separation using VLANs/tags, this can still be done, but it is just slightly more complicated... at first. Once you see it working, then it makes total sense.

You will need to make use of an extended ACL for this to work.

The access-list will first deny traffic that you DON'T want to be Nat'd, then it will permit all other traffic to be NAT'd. The example below is very broad. You can certainly reduce the private addresses to just those that exist within your organization.

!Deny NAT anytime the destination is a private IP address (RFC1918)
access-list 101 deny   ip any
access-list 101 deny   ip any
access-list 101 deny   ip any
!Permit the NAT any other time
access-list 101 permit ip any any

!Define the nat rule. Anything denied in ACL 101 will not qualify for NAT and therefore will pass through unaltered. Anything that is permitted by ACL 101 will be translated to the IP that exists on interface fa0/0
ip nat inside source list 101 interface fa0/0 overload

Open in new window

That's the basics of if. If you have multiple nat statements, you may need to apply this ACL to every statement, or, all things depending, you may need to make use of route-maps that call on these ACL's.

If anything, post your scrubbed config and we can help get that hammered out.