11-22-2013 01:47 PM - edited 03-04-2019 09:39 PM
Hello
I have an AVPN cloud
My current sites have their own external IP subnet and a centralized internet connection.
I am integrating several new sites onto my AVPN cloud.
The new sites have their own external IP subnet and a different centralized internet connection.
Since we are all on 1 AVPN cloud, how do I force the new sites to use their centralized internet connection and not mine?
ip route 0.0.0.0 0.0.0.0 (WAN ip address of AVPN router that is located at site of their centralized internet connection)?
I would somehow need to direct it through the LAN side of the AVPN router so it could then be directed out their default gateway firewall?
12-01-2013 02:46 PM
Hi Steve,
I can imagine several possible reasons.
I'd need to know more details of your case:
IP addresses used for your BGP peering, GRE tunnels, sh ip bgp ... output for that subnet which is taking incorrect path, etc.
One crucial question though:
When your GRE tunnel is Up, is your BGP peering still Up on both sites?
Are you still receiving BGP prefixes?
Best regards,
Milan
12-02-2013 01:28 AM
Hi Steve,
a) when your Site 3 is using the tunnel to reach the Internet through Site 5, how does the router on Site 5 forward the traffic returning from the Internet?
Is there a static route for Site 3 subnets configured with the Tunnel as next-hop?
Or is it just using the prefix received via BGP, with asymmetric routing used then, though?
b) I suppose each site is using a different AS number?
c) Can you check on Site 1 by
sh ip bgp nei ... avd
if the router is advertising the LAN subnets correctly to the backbone?
Best regards,
Milan
11-22-2013 02:28 PM
I assume it will be some sort of policy based routing.
Currently we get our default route through BGP.
11-22-2013 03:01 PM
Essentially, new sites want to cross our mutual AVPN and go out their own internet.
11-24-2013 09:02 AM
Steve
When you say AVPN are you referring to a VPN network, i.e. site to site VPNs from external sites?
It's not clear how the topology is set up. Do VPNs terminate on the router? If so, where is the firewall they are meant to use in relation to the router, and which interfaces are used for the traffic, i.e.
remote site VPN -> WAN interface of router -> ???
Are the clients from remote sites then meant to go through their own firewall and be NATed before going out?
The way you have described it is that all VPNs terminate on one router and then you want a subset of those VPNs to go via a different firewall, but I may have misunderstood.
Jon
11-25-2013 12:17 AM
Hi,
are you talking about the AT&T AVPN MPLS service here?
If yes, then you need to make some agreement with them on how to ensure that some sites prefer the default route advertised from one of your sites while other sites use the default route advertised from another site.
They could play with communities or route targets, but the configuration would need to be changed on their PE routers.
Another possibility would be creating tunnels from the sites to your Internet gateways, but quite complicated I'm afraid.
And from a security point of view:
Why not use proxy connections only to connect to the Internet?
Then you could simply configure per site (or even per user) which proxy to use.
Best regards,
Milan
11-25-2013 06:02 AM
Jon and Milan
Thank you for your responses
You are correct in that we need to make an agreement with AT&T on how to differentiate traffic from various sites. Attached is a topology. The devices in red are the sites that need to be segmented, grouped off on their own.
I think the answer may be in BGP communities. Do you have any experience with this?
Yes,
we have done some prefix filtering based on communities in our network with AT&T and it worked fine.
But generally, I definitely prefer using proxies for Internet access.
Best regards,
Milan
11-25-2013 06:50 AM
Milan
Thank you for the response
Can you add more detail of how the proxy would work with this scenario?
11-25-2013 07:18 AM
Hi Steve,
many applications are proxy-capable nowadays (http, https browsing, ftp, etc.).
I.e., you can just configure on the client device which proxy (IP address and TCP port) to use to access the Internet.
And then you can have an Internet proxy device in each of your DCs and you can just choose which proxy to use by the client settings.
You don't need any default route in an ideal case: your clients are connecting to the proxies only.
And the proxies are connecting to the Internet then.
There are some applications not capable of using proxies sometimes.
In that case, they don't need to connect to the whole Internet though, just to a specific small subnet or even a host.
You could then advertise those small public destination prefixes from particular DCs to your network and make the applications choose the proper Internet gateway this way.
Best regards,
Milan
11-25-2013 12:33 PM
All
GRE TUNNEL examples using statics to advertise the default route: It looks as though the interim solution will be to create a GRE tunnel from (4) of the new sites to the (5th) new site that has the internet link, advertising the 0.0.0.0 across the tunnel. Anyone have experience in building that config?
The next step in the longer term solution is to create a separate AVPN for the (5) new sites and use a service called UNILINK which allows access between AVPN tunnels for specific sites.
These (2) interim solutions will give way to the final solution, which is to integrate ALL sites onto the same AVPN network. The reason for the delay is for security implementations.
11-28-2013 01:43 AM
Hi,
yes, I can go the way with GRE tunnels, I think.
For a small number of sites.
You just need to be careful and avoid the default route received via a tunnel from being advertised back to the backbone.
And there might be some issues with MTU through the tunnels in theory. But current IOS should not suffer from that anymore.
Best regards,
Milan
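A sketch of the interim design Milan describes, added here as an example and not configuration posted by anyone in this thread: one of the four new sites as the spoke, the fifth site (with the internet link) as the hub, a static default via the GRE tunnel, and an outbound prefix-list so 0.0.0.0/0 can never leak back to the AVPN backbone. All addresses, AS numbers, interface names and MTU values are assumed placeholders.

```cisco
! --- Spoke router (one of the four new sites; all values assumed) ---
interface Tunnel0
 description GRE to Site 5 internet gateway
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400                 ! leave room for the 24-byte GRE/IP overhead
 ip tcp adjust-mss 1360      ! keep TCP from relying on PMTUD across the tunnel
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.5
!
! Static default (AD 1) wins over the default learned from AT&T via eBGP (AD 20),
! while LAN-to-LAN traffic still follows the more specific BGP prefixes from the AVPN.
ip route 0.0.0.0 0.0.0.0 Tunnel0
!
! The tunnel endpoint must stay reachable via the WAN, not via the tunnel itself;
! otherwise IOS shuts Tunnel0 for recursive routing as soon as the default comes up.
ip route 192.0.2.5 255.255.255.255 GigabitEthernet0/0 192.0.2.1
!
! Belt and braces for Milan's caveat: never advertise 0.0.0.0/0 to the PE.
ip prefix-list NO-DEFAULT seq 5 deny 0.0.0.0/0
ip prefix-list NO-DEFAULT seq 10 permit 0.0.0.0/0 le 32
!
router bgp 65003
 network 10.3.0.0 mask 255.255.0.0
 neighbor 192.0.2.1 remote-as 65000          ! AT&T PE, placeholder AS
 neighbor 192.0.2.1 prefix-list NO-DEFAULT out
!
! --- Site 5 hub router (all values assumed) ---
interface Tunnel0
 description GRE from Site 3
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.3
!
! Return path for the spoke LAN goes back through the tunnel (symmetric with
! the outbound path); not redistributed, so the backbone still carries the
! spoke's own BGP prefix for site-to-site traffic.
ip route 10.3.0.0 255.255.0.0 Tunnel0
```

After applying this, `sh ip bgp nei 192.0.2.1 advertised-routes` on the spoke should show the LAN prefix but never 0.0.0.0/0, and `show ip bgp` should still list the other sites' LAN prefixes via the PE neighbor; if those disappear once Tunnel0 comes up, the tunnel endpoint or the BGP peer address is being resolved through the tunnel default.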
12-01-2013 02:18 PM
Milan
Thank you for the reply
I implemented the GRE tunnel in the (5) sites required. Now I am having BGP issues with several of those sites. When I traceroute from site_1 to LAN subnet being advertised via BGP on site_2, the GRE default route is taken instead of crossing the AVPN. The GRE tunnel appears to be blocking the BGP updates.
Any experience with this problem?
Any guidance/solution to help resolve this issue?