Essentially, new sites want to cross our mutual AVPN and go out their own internet.

Jon and Milan

Thank you for your responses

You are correct in that we need to make an agreement with AT&T on how to differentiate traffic from various sites. Attached is a topology. The devices in red are the sites that need to be segmented, grouped off on their own.

I think the answer may be in BGP communities. Do you have any experience with this?

Yes, 

we have done some prefix filtering based on communities in our network with AT&T and it worked fine.

But generally, I definitely prefer using proxies for an Internet access.

Best regards,

Milan

Milan

Thank you for the response

Can you add more detail of how the proxy would work with this scenario

Hi Steve,

many applications are proxy-capable nowadays (http, https browsing, ftp, etc.).

I.e., you can just configure on the client device which proxy (IP address and  tcp port) to use to to access the Internet.

And then you can have an Internet proxy device in each of  your DCs and you can just choose which proxy to use by the client settings.

You don't need any default route in an ideal case - your clients are connectiong to the proxies only.

And the proxies are connecting to the Internet then.

There are some applications not capable to use proxies sometimes.

In that case, they don't need to connect to the whole Internet though, just to a specific small subnet or even a host.

You could then advertise those small public destination prefixes from particular DCs to your network and make the applications to choose the proper Internet gateway this way.

Best regards,

Milan

All

GRE TUNNEL examples using statics to advertise the default route: It looks as though the interim solution will be to create a GRE tunnel from  (4) of the new sites to the (5th) new site that has the internet link advertising the 0.0.0.0 across the tunnel. anyone have experience in building that config?

The next step in the longer term solution is to create a separate AVPN for the (5) new sites ad use a service called UNILINK which allows access between AVPN tunnels for specific sites.

These (2) interim soltuins will give way to the final solution which is to integrate ALL sites onto the same AVPN network. The reason for delay is for security implementations.

Hi,

yes, I can go the way with GRE tunnels, I think..

For a small number of sites.

You just need to be careful and avoid the default route received via a tunnel from being advertised back to the backbone.

And  there might be some issues with MTU through the tunnesl in theory. But current IOS should not suffer with that anymore.

Best regards,

Milan

Milan

Thank you for the reply

I implemented the GRE tunnel in the (5) sites required. Now I am having BGP issues with several of those sites. When I traceroute from site_1 to LAN subnet being advertised via BGP on site_2, the GRE default route is taken instead of crossing the AVPN. The GRE tunnel appears to be blocking the BGP updates.

Any experience with this problem?

Any guidance/solution to help resolve this issue?