internet breakout

Hi,
We want to provide local breakout via the internet at the MPLS site; all the site switches in the LAN environment are connected to the site router via OSPF. We have a Check Point FW for the local breakout. Can someone lay out a config snippet for how it would be done? Appreciate your help.
totaramAsked:
NetExpert Network Solutions Pte LtdTechnical SpecialistCommented:
"We want to provide local breakout via the internet at the MPLS site"

What do you mean?

I haven't understood your question clearly... can you explain a bit more?
0
totaramAuthor Commented:
Sure... the customer does not want to invest in upgrading the MPLS bandwidth; rather, it wants the web/non-critical traffic to get routed via the internet. Of course, we have an internet connection coming into the site.
0
NetExpert Network Solutions Pte LtdTechnical SpecialistCommented:
Got it,

We may need to redesign your network. You need to write policy-based routing on the L3 device to take the routing decision for the destination packets.

Example:

If the destination IP address is in MPLS, then the next hop should be the MPLS router's LAN IP, and for the rest you can forward to the internet router.

General practice of policy-based routing:

1. Write an ACL to match the destination
2. Write a route-map and call the ACL
3. Call the route-map on the incoming interface of the L3 device (which is one hop behind the MPLS router / internet router)

If you can provide your current topology (not exact), then I can redesign it and send it back to you.
0

totaramAuthor Commented:
The current topology is as follows:

MPLS Cloud <---> Site router <--> LAN Switch <--> Checkpoint FW<-->Internet cloud

There can be 2 site routers for some sites, one providing the primary and the other providing the backup.
0
NetExpert Network Solutions Pte LtdTechnical SpecialistCommented:
Great,

You can make the LAN switch the device that takes the routing decision.

Here is a sample config for a Cisco switch (placeholder prefixes and next hops; replace them with your real MPLS-side prefixes and the LAN IPs of the site router and the Check Point):

! Static routes: MPLS-side prefixes via the site router, everything else via the Check Point.
! The prefixes here must be the same ones listed in the ACL below.
ip route 10.0.0.0 255.255.255.0 <site router LAN IP>
ip route 172.16.0.0 255.240.0.0 <site router LAN IP>
ip route 192.168.0.0 255.255.0.0 <site router LAN IP>

ip route 0.0.0.0 0.0.0.0 <Check Point internal IP>

! Extended ACL matching on DESTINATION. A standard ACL (access-list 10 ...) used in a
! route-map matches on the SOURCE address, which is not what a breakout needs.
! Wildcards are the inverted masks of the prefixes above (0.15.255.255 = /12, 0.0.255.255 = /16).
access-list 110 permit ip any 10.0.0.0 0.0.0.255
access-list 110 permit ip any 172.16.0.0 0.15.255.255
access-list 110 permit ip any 192.168.0.0 0.0.255.255

route-map PBR permit 10
 match ip address 110
 set ip next-hop <site router LAN interface IP>

! Apply on the LAN-facing (incoming) interface or SVI. Packets not matched by the
! route-map fall through to normal routing, i.e. the default route to the Check Point.
! On Catalyst 3560/3750-class switches PBR also needs "sdm prefer routing" (reload required).
interface <switch incoming interface>
 ip policy route-map PBR

This could solve your issue
0
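Added example (not from the original poster or the answer above): a small Python simulation of the three-step PBR recipe (ACL, route-map, apply on the incoming interface) and of the sample switch config. It parses IOS-style standard and extended ACL lines, applies the route-map's "match ip address / set ip next-hop" semantics, and falls back to a longest-prefix lookup over the static routes for unmatched packets. The prefixes, the LAN subnet 172.20.5.0/24 (assumed to sit inside the 172.16.0.0/12 supernet that the MPLS side also uses) and the two next-hop addresses are assumptions. It demonstrates the check a practitioner would want before deploying: with a standard ACL the route-map matches on source, so a LAN host's traffic to the internet is also steered into the site router, while the extended destination-based ACL steers only MPLS prefixes there. `covered_prefix` is a helper for sanity-checking wildcard masks (0.0.15.255 on 172.16.0.0 is only a /20, not the /12 the static route uses).

```python
import ipaddress
from dataclasses import dataclass

# Constructed example values (assumptions, not the poster's real network).
SITE_ROUTER = "172.20.5.1"    # assumed LAN IP of the MPLS site router
CHECKPOINT = "172.20.5.254"   # assumed internal IP of the Check Point firewall
ANY = ipaddress.ip_network("0.0.0.0/0")

# Static routes on the LAN switch (destination prefix -> next hop); default to the firewall.
STATIC_ROUTES = [
    ("10.10.0.0/16", SITE_ROUTER),
    ("10.20.0.0/16", SITE_ROUTER),
    ("172.16.0.0/12", SITE_ROUTER),
    ("0.0.0.0/0", CHECKPOINT),
]

# Extended ACL: matches on DESTINATION, which is what a local breakout needs.
EXTENDED_ACL = """
access-list 110 permit ip any 10.10.0.0 0.0.255.255
access-list 110 permit ip any 10.20.0.0 0.0.255.255
access-list 110 permit ip any 172.16.0.0 0.15.255.255
"""

# Standard ACL with the same prefixes: inside a route-map it matches on the SOURCE.
STANDARD_ACL = """
access-list 10 permit 10.10.0.0 0.0.255.255
access-list 10 permit 10.20.0.0 0.0.255.255
access-list 10 permit 172.16.0.0 0.15.255.255
"""


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """An IOS wildcard is the inverted subnet mask: 0.15.255.255 -> 255.240.0.0 (/12)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def covered_prefix(addr: str, wildcard: str) -> str:
    """Sanity check for a wildcard: returns the prefix it actually covers."""
    return str(wildcard_to_network(addr, wildcard))


@dataclass
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network   # ANY for standard ACL entries


def _target(tokens):
    """Parse 'any', 'host A' or 'A WILDCARD'; return (network, tokens consumed)."""
    if tokens[0] == "any":
        return ANY, 1
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), 2
    return wildcard_to_network(tokens[0], tokens[1]), 2


def parse_acl(text: str) -> list:
    """Parse 'access-list N permit ...' lines; deny lines never trigger policy routing."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] != "permit":
            continue
        rest = parts[3:]
        if rest[0] == "ip":                      # extended: ip <src> <dst>
            src, n = _target(rest[1:])
            dst, _ = _target(rest[1 + n:])
        else:                                    # standard: <src> only
            src, _ = _target(rest)
            dst = ANY
        entries.append(AclEntry(src, dst))
    return entries


def pbr_matches(entries, src: str, dst: str) -> bool:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in e.src and d in e.dst for e in entries)


def route_lookup(dst: str) -> str:
    """Longest-prefix match over STATIC_ROUTES (normal forwarding, no PBR)."""
    d = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p, _ in STATIC_ROUTES]
    best = max((n for n in nets if d in n), key=lambda n: n.prefixlen)
    return dict(STATIC_ROUTES)[str(best)]


def forward(entries, src: str, dst: str) -> str:
    """Next hop chosen on an interface with 'ip policy route-map PBR', where the
    route-map is 'permit 10 / match ip address <acl> / set ip next-hop SITE_ROUTER'.
    Packets the route-map does not match fall back to the routing table."""
    if pbr_matches(entries, src, dst):
        return SITE_ROUTER
    return route_lookup(dst)


if __name__ == "__main__":
    lan_host = "172.20.5.10"
    for name, acl in (("standard", STANDARD_ACL), ("extended", EXTENDED_ACL)):
        entries = parse_acl(acl)
        for dst in ("10.10.3.4", "8.8.8.8"):
            print(f"{name:8} {lan_host} -> {dst:9} next hop {forward(entries, lan_host, dst)}")
```

Running it shows the failure mode: with the standard ACL every packet from the LAN host goes to the site router, internet traffic included; with the extended ACL only the MPLS prefixes do and 8.8.8.8 falls through to the default route towards the Check Point.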

totaramAuthor Commented:
Thanks, it looks very nicely laid out. Do we need to make any changes on the Check Point FW, as far as the routing goes? Also, incoming internet traffic will hit the FW first.
0
totaramAuthor Commented:
Also, it looks like we do not need any changes on the site router, only the LAN switch?
0
NetExpert Network Solutions Pte LtdTechnical SpecialistCommented:
No need to change anything on the site router or on the firewalls.

The changes need to be done only on the LAN switches, as this device is going to act as the routing decision maker.

Thanks
0
totaramAuthor Commented:
I guess the only changes that need to happen on FW are opening the web traffic ports like 93 etc.
0
NetExpert Network Solutions Pte LtdTechnical SpecialistCommented:
@totaram,

Yes. Firewall changes are per your requirement. But I would like to note here that no config is needed on the firewall with respect to policy-based routing.

I can summarize a few configs on the firewall:
1. NAT to get internet for your local network, as well as for outside users to access your servers
2. Firewall policies, both inside to outside and vice versa
3. Firewall management

Thanks.
0
Question has a verified solution.
