internet breakout

We want to provide local breakout via internet to the MPLS site; all the site switches in the LAN environment are connected to the site router via OSPF. We have a Check Point FW for the local breakout. Can someone lay out a config snippet for how it would be done? Appreciate your help.

NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
"We want to provide local breakout via internet to the MPLS site"

What do you mean?

I haven't got your question clearly. Can you explain a bit more?
totaram (Author) commented:
Sure... the customer does not want to invest in upgrading the MPLS bandwidth, and rather wants the web/non-critical traffic to get routed via the internet. Of course, we have an internet connection coming into the site.
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
Got it.

We may need to redesign your network. You need to write policy-based routing on the L3 device to take a routing decision for the destination packets.

If the destination IP address is in MPLS, then the next hop should be the MPLS router's LAN IP, and for the rest you can forward to the internet router.

General practice of policy-based routing:

1. Write an ACL to match the destination.
2. Write a route-map and call the ACL.
3. Call the route-map on the incoming interface of the L3 device (which is one hop behind the MPLS router / internet router).

If you can provide your current topology (not exact), then I can redesign and send it back to you.

totaram (Author) commented:
The current topology is as follows:

MPLS Cloud <---> Site router <--> LAN Switch <--> Checkpoint FW<-->Internet cloud

There can be 2 site routers for some sites, one providing the primary and the other providing the backup.
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:

You can make the LAN switch the router that takes the routing decision.

Here is a sample config for a Cisco switch:

! Static routes for the MPLS-side prefixes, pointing at the site router
ip route <mpls prefix 1> <mask> <site router lan interface ip>
ip route <mpls prefix 2> <mask> <site router lan interface ip>
ip route <mpls prefix 3> <mask> <site router lan interface ip>

! Default route: everything else goes to the Check Point (internet)
ip route 0.0.0.0 0.0.0.0 <check point ip>

! Extended ACL so that the DESTINATION is matched (a standard ACL such
! as "access-list 10" would match the source address in a route-map)
access-list 100 permit ip any <mpls prefix 1> <wildcard mask>
access-list 100 permit ip any <mpls prefix 2> <wildcard mask>
access-list 100 permit ip any <mpls prefix 3> <wildcard mask>

! Route-map: traffic to MPLS destinations is handed to the site router;
! unmatched traffic falls through to the routing table (default to FW)
route-map PBR permit 10
 match ip address 100
 set ip next-hop <site router lan interface ip>

! Apply the policy on the interface where LAN traffic enters the switch
int <switch incoming interface>
 ip policy route-map PBR

This could solve your issue.
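A fuller version of the switch-side policy for the two-site-router (primary/backup) case mentioned earlier in the thread, added here as an example rather than the expert's or the poster's own config. All addresses, VLAN numbers and the MPLS prefix are constructed placeholders, and it assumes a Cisco IOS L3 switch with IP SLA and object tracking support.

```cisco
! Added example (not from the thread). Constructed placeholder addressing:
!   MPLS-side prefix            10.0.0.0/8
!   site router A LAN interface 192.168.1.1  (primary)
!   site router B LAN interface 192.168.1.2  (backup)
!   Check Point inside interface 192.168.1.254
!   user VLAN 10 (SVI 192.168.10.1) is where LAN traffic enters the switch
!
! Default route: anything the policy does not match leaves via the firewall.
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
! Extended ACL so the DESTINATION is tested; a standard ACL in a route-map
! matches the source and would push all LAN traffic towards MPLS.
ip access-list extended MPLS-DEST
 permit ip any 10.0.0.0 0.255.255.255
!
! Reachability probes for both site routers. When a probe fails, the tracked
! next hop is withdrawn from the policy instead of traffic being blackholed.
ip sla 1
 icmp-echo 192.168.1.1
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.168.1.2
 frequency 5
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! MPLS destinations: primary router first, backup second. Traffic that
! matches nothing falls through to the routing table (default to the FW).
route-map PBR permit 10
 match ip address MPLS-DEST
 set ip next-hop verify-availability 192.168.1.1 10 track 1
 set ip next-hop verify-availability 192.168.1.2 20 track 2
!
! Apply the policy on the SVI where user traffic enters the switch.
interface Vlan10
 ip policy route-map PBR
```

If the switch already learns the MPLS prefixes from the site routers via OSPF and the only route towards the firewall is the static default, the routing table alone produces the same split; the policy mainly matters when the site routers also advertise a default route. Check the result with "show route-map PBR" and "show track" after applying it.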

totaram (Author) commented:
Thanks, it looks very nicely laid out. Do we need to make any changes on the Check Point FW, as far as the routing goes? Also, incoming internet traffic will hit the FW first.
totaram (Author) commented:
Also, it looks like we don't need any changes on the site router, only the LAN switch?
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
No need to change anything on the site router or on the firewalls.

The changes need to be done only on the LAN switches, as this device is going to act as the routing decision maker.

totaram (Author) commented:
I guess the only changes that need to happen on the FW are opening the web traffic ports like 93 etc.
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:

Yes. Firewall changes are per your requirement. But I would like to note here that no config is needed on the firewall with respect to policy-based routing.

I can summarize a few configs on the firewall: 1. NAT to get internet for your local network, as well as for outside users to access your servers. 2. Firewall policies, both inside to outside and vice versa. 3. Firewall management.
