We have an expansive wide-area network (25+ sites) using AT&T MPLS technology. It uses BGP as the routing protocol. We do not control the core of the network, only our endpoints at each WAN site. We have an internet connection behind one of those endpoints, and we are attempting to provision secure access to the internet for each distinct client on our WAN.
For example, Client1 should reach the WAN endpoint (3845 router) where the internet connection is, leave the router on a sub-interface associated with a VLAN dedicated to that particular client, and travel across the VLAN to a dedicated sub-interface on the firewall (a SonicWall).
The VLANs and interfaces needed for this exist and have been tested working within the LAN at the site with the internet connection. The router itself can get out to the internet using ping from each distinct client sub-interface and associated VLAN, as can any devices on the LAN there.
We need some way to both advertise that the 3845 has the default route, which we generally know how to do in a simpler scenario, and then route the traffic based on the source network to the appropriate interface for that source network. In some cases a client will have several sites on the WAN, and others have only one site. The VLAN defined for a client should be able to carry traffic for all of that client's sites.
We initially thought we would be able to use access-lists grouped by client for every source network with route-maps that have the next-hop defined applied to the LAN (Ethernet) side of the 3845 router. For testing purposes, we picked a block of public internet addresses to advertise a route for so we would not be interrupting internet service for the entire WAN, which is currently routing through a connection at another location. We were unable to advertise the route with this method. We defined the network in our BGP router config, but the route never showed up on other WAN endpoint devices.
We started troubleshooting at this point and were able to determine the only way we could get that network to advertise was to have a static route defined for it along with the network statement.
At this point, we tried several different things, including defining a route pointing to each subnet's gateway on the vlan sub-interfaces on the firewall. We didn't expect this would work, but attempted it to narrow our possibilities.
Currently, we can advertise the network and route to all sites, but only those sites that are included in the access-list that is permitted access to the VLAN sub-interface on the same subnet as the specified static route can get to the test subnet on the internet. Clearly the access-list is causing this limitation, but this is what we want. Ultimately, we would like the router to recognize that the source network is part of a group for a particular client, and send "default" traffic out the proper sub-interface and VLAN.
I can provide some config if requested.
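The two mechanisms the post describes, a BGP `network` statement that only advertises when a matching route exists in the routing table, and a source-keyed route-map that steers each client's traffic to its own firewall sub-interface, can be combined as below. This is an added illustration written for this page, not the poster's configuration: the interface names, AS number, VLAN IDs and addresses (RFC 1918 and RFC 5737 documentation ranges) are all constructed, and it is written in generic Cisco IOS syntax for a 3845 rather than from the site's actual config.

```cisco
! Constructed example, not the poster's configuration.
! Assumed layout: MPLS CE link on Serial0/0/0, local LAN on Gi0/1,
! per-client dot1Q sub-interfaces toward the SonicWall on Gi0/0.

! One ACL per client listing all of that client's site prefixes.
! The leading deny keeps traffic for the local site's LAN (assumed
! 10.99.0.0/16) on the normal routing table instead of the firewall.
ip access-list extended CLIENT1-SRC
 deny   ip any 10.99.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 10.2.0.0 0.0.255.255 any
ip access-list extended CLIENT2-SRC
 deny   ip any 10.99.0.0 0.0.255.255
 permit ip 10.50.0.0 0.0.0.255 any
!
! One VLAN sub-interface per client; the SonicWall holds the other
! address of each /30 (.2 and .6 here).
interface GigabitEthernet0/0.101
 description Client1 to firewall
 encapsulation dot1Q 101
 ip address 192.0.2.1 255.255.255.252
interface GigabitEthernet0/0.102
 description Client2 to firewall
 encapsulation dot1Q 102
 ip address 192.0.2.5 255.255.255.252
!
! Source-based steering. A source matched by a client ACL is handed to
! that client's firewall sub-interface. There is deliberately no
! catch-all clause: a source that matches no client falls through to
! the routing table and is discarded by the Null0 route below, so one
! client's sites can never leak out through another client's VLAN.
route-map CLIENT-PBR permit 10
 match ip address CLIENT1-SRC
 set ip next-hop 192.0.2.2
route-map CLIENT-PBR permit 20
 match ip address CLIENT2-SRC
 set ip next-hop 192.0.2.6
!
! Policy routing acts on packets received on an interface, so it goes
! on the link where the remote sites' traffic arrives from the MPLS
! cloud, not on the LAN side.
interface Serial0/0/0
 description AT&T MPLS CE link (assumed)
 ip policy route-map CLIENT-PBR
!
! Pull-up route: BGP only advertises a "network" that is present in
! the routing table. Pointing it at Null0 satisfies that requirement
! without sending anything anywhere; PBR carries the real traffic.
! For the public test block the post describes, the same pattern is
! "ip route <block> <mask> Null0" plus a matching network statement.
ip route 0.0.0.0 0.0.0.0 Null0 254
!
router bgp 65000
 network 0.0.0.0 mask 0.0.0.0
 neighbor 198.51.100.1 remote-as 65001
 neighbor 198.51.100.1 description MPLS PE (assumed)
```

`show route-map CLIENT-PBR` reports the packet and byte counters for each clause, which is the quickest way to confirm a given client's traffic is being steered; `show ip bgp 0.0.0.0` on the 3845 and `show ip route 0.0.0.0` at a remote site confirm the default is actually being received. Because the ACLs are the only thing mapping a source to a firewall interface, adding a new site for an existing client is a one-line change to that client's ACL, and a site that is missing from every ACL is dropped rather than reaching the internet through the wrong client's firewall.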