Does packet filtering apply in case of MPLS? I am trying to join my main domain from a different town; I have a VPN tunnel via MPLS solution. - Paul Njoroge.
Packet filtering might be at play, depending on your network configuration. We'll explore Virtual Routing and Forwarding (VRF), which allows a single router to hold multiple instances of its routing table, so that one router can handle different "virtual" routes into the same network from different points of ingress.
You will need to collect some information. Get the IP address of the system that you are working on. Get the IP address(es) of the target systems that you are trying to connect to for joining the domain or getting information about the domain. Try pinging those systems from the server or workstation that you are trying to join to the domain. If you don't get any reply, ping those same IPs from the router. In this case, use
ping vrf (vrf name)
followed by the IP address of the system with which you are trying to check connectivity.
If your provider is controlling the setup of the VRFs within your MPLS cloud, you will need to check with it to make sure that the remote site is coming into the cloud on the right VRF. The next thing to check is whether the remote site is allowed to contact the system(s) that you need to talk to for joining the domain. See what ports/protocols are allowed to cross the connection on the VRF that you are using. Whether or not ping works, packet filtering configured on the MPLS cloud, or an access list restricting which sites can talk to which systems, may each be part of the problem, and either may only be visible from one end of the network. If you are controlling the VRF setup, check closely to see where the problem is.
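To test the ports/protocols question above from the workstation's side, here is an added example (not part of the original answer) that attempts a TCP connection to each port a domain join typically needs on a domain controller and reports which ones are blocked; the port list and the placeholder address 192.0.2.10 are assumptions, not values from the page.

```python
import socket
import sys
from typing import Dict, List

# Ports an Active Directory domain join typically needs to reach on a
# domain controller (assumed list; the dynamic RPC range above 49151 is
# also needed but cannot be probed with a fixed port).
DOMAIN_JOIN_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB",
    464: "Kerberos password change",
}


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    A refused or timed-out connection both count as unreachable, which is
    what an ACL or packet filter in the path looks like from the client.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_domain_join_ports(host: str, ports=DOMAIN_JOIN_PORTS,
                            timeout: float = 2.0) -> Dict[int, bool]:
    """Probe every port in `ports` on `host`; map port -> reachable."""
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def blocked_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that did not answer, sorted, for comparison against the ACL."""
    return sorted(port for port, ok in results.items() if not ok)


if __name__ == "__main__":
    # Placeholder domain controller address; pass the real one as argv[1].
    dc = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    results = check_domain_join_ports(dc)
    for port, ok in sorted(results.items()):
        state = "open" if ok else "BLOCKED/unreachable"
        print(f"{port:>5} {DOMAIN_JOIN_PORTS[port]:<26} {state}")
    print("blocked:", blocked_ports(results))
```

Run it once from the remote site and once from a host on the domain controller's own subnet; a port that is open locally but blocked remotely points at the VRF access list or a filter in the MPLS cloud rather than at the domain controller itself.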
But the problem might not even be MPLS related - it could be caused by ACL or firewall settings. Try using a spare computer to repeat the domain-join process at different points on the network: on the local network of the domain controller that you need to talk to, on different subnets of the same network where the domain controller resides and, if possible, at a different remote site that has been able to join a new system to the domain in the past.
Along with all the above, it would be a good idea to have a protocol analyser running at each end to see which, if any, of the packets are making it through and what information is or isn't being returned. It might be that you need to make a change on both ends of the network to get things to work. Make sure that the workstation or server that you are trying to join to the domain is not running any type of software firewall that could be causing part of the problem.