topic VRFs on a Palo Alto - can it displace a Cisco ASR router? in General Topics

VRFs on a Palo Alto - can it displace a Cisco ASR router?

j.bronson — Fri, 22 Aug 2014 23:05:30 GMT

Hello, we recently purchased a pair of PA-3020s to run HA with and replace a pair of ASA's. Think we've mostly got them configured to replace the ASAs with the assistance of the reseller's engineer and so far, so good - everything is working great.

However, we would also like to displace the Cisco ASR that we currently have outside of the ASAs. It's really doing some simple routing so I think it's overkill for what we use it for, plus it's not redundant and we don't have the money to buy a 2nd ASR to make it redundant. We do have two PA-3020s already so if we could configured them to do what we need that would be terrific, so long as they can handle the traffic load to the datacenter.

Our current ASR does have 2 VRFs on it though. Basically we have 2 gigabit metro ethernet connections coming into it active/passive. We have two layer 2 trunks coming into the ASR over the metro ethernet, each one is on a tagged VLAN. One of the trunks is our datacenter traffic and one is our Internet traffic. The party at the other end also has Cisco gear and splits the Datacenter traffic onto the Datacenter MPLS and the Internet traffic onto their Internet infrastructure. Datacenter routes are learned via OSPF. Internet routes for us are static, we just point 0.0.0.0 to their VRF at the other side of the metro ethernet connection.

So we really just need the Palo Alto to put datacenter traffic into one tagged VLAN trunk and internet traffic into another tagged VLAN trunk, straight layer 2.

However, when looking at the "Virtual Router" feature on the PA-3020s it doesn't really seem like a Cisco VRF. My reseller's engineer advised me that the virtual routers in Palo Alto land were more like a routing table. I read some documentation that suggested one should use VSYS instead, which is basically like having 2 separate Palo Alto instances. That seems a lot more complicated.

What would be the Palo Alto way of handling this traffic that would meet our desire to be done with the ASR and it's support costs and lack of redundancy?

Re: VRFs on a Palo Alto - can it displace a Cisco ASR router?

jvalentine — Fri, 22 Aug 2014 23:50:28 GMT

Generally speaking, the "Virtual Router" feature in PAN-OS offers many of the same capabilities and benefits as the Cisco "VRF' functionality.

- http://en.wikipedia.org/wiki/Virtual_routing_and_forwarding

Since PAN-OS does not support MPLS today, it would be more accurate to draw a parallel to "VRF-Lite". In PAN-OS, each virtual router has its own routing table, runs its own routing protocols, and has its own interfaces. You can do this without the added overhead of multiple VSYS. Without VSYS, a single administrator will be able to manage everything. With multiple VSYS, you would have "admin1" who can modify settings in vsys1/vrf1, and then you would logout and then log back in as "admin2" with access to vsys2/vrf2. Yes, it is more complicated. Unless you need administrative separation between the two vrf's, you don't need to use multiple vsys.

As a best-practice, I always recommend WAN routers outside of the firewalls... but I recommend them in an HA configuration as well. Based on what you've described, it does look possible to accomplish your goals using the Virtual Router functionality. Can you post a diagram of how you have things configured currently? That would help us determine whether or not it's feasible.

Re: VRFs on a Palo Alto - can it displace a Cisco ASR router?

j.bronson — Mon, 25 Aug 2014 13:57:55 GMT

I don't know that you really need a diagram as it's pretty simple and I couldn't post it here anyway. But there's not much to it, I can probably depict it pretty accurately in text:

Core Switch (Cisco6509)----------Firewall/Firewall(Active/Passive-ASA5520)----------Router with 2 VRF (ASR1002)------------UpstreamOrg Primary Site

------------UpstreamOrg Other Site (2nd MAN circuit)

With the understanding that the series of dashes are Ethernet circuits. The circuit(s) between the router and the UpstreamOrg is a metro Ethernet provided by XYZ phone company that hands off straight GigE on both ends.

We don't get into MPLS, that's the responsibility of the UpstreamOrg.

As for routing protocols, it's static for the Internet and OSPF for the datacenter traffic. The OSPF routes are learned from the UpstreamOrg, and the next hop for those routes is on VLAN ABCD which is on physical interface X containing subinterface Y (so in Cisco syntax the subinterface is named X.ABCD). The UpstreamOrg gave us a next hop for Internet traffic, so that route is on VLAN DEFG which is also on physical interface X containing subinterface Z (Cisco syntax: X.DEFG). (both subinterfaces are also on physical interface W which is the connection to the backup circuit - that would be W.ABCD and W.DEFG).