topic Re: OSPF between virtual routers in General Topics

OSPF between virtual routers

mr.linus — Thu, 20 Aug 2015 09:35:07 GMT

Hey all,

Is it possible to run OSPF between 2 virtual routers on a single PaloAlto device?

Since you need to have an interconnecting interface, I guess you need to have the traffic physically leave the firewall and come back in on another port in the other vr; and then use that interface as routing subnet to talk OSPF.

But I was wondering of it is also possible to do this internally? Just between the two VRs.

I found a related article for BGP pering using loopback Ips: BGP-Peering-Between-Virtual-Routers
But this does not seems to work with OSPF (ERROR: In virtual-router IPS1-vr, only OSPFv2 passive mode can be supported on interface loopback.1 in area 0.0.0.0).

Anybody have any experience with this, or any ways around this?

Kind regards

Re: OSPF between virtual routers

torm — Thu, 20 Aug 2015 10:12:12 GMT

Hi,

I've done this a few time with both BGP and OSPF, but always with having the traffic physically leaving the firewall like you say.

It's usually been scenarios with multiple vsys, with OSPF/BGP needed between VRs in different vsys's. This has been stable and worked as expected. With a multi-vsys environment, I think it makes sense to have the traffic leave the device, as there are some throughput limitations on inter-vsys routing, and you would have one session pr vsys for each "session" anyway.

Never tried exactly the same scenario as you are describing though. Not sure if I would trust the routing functionally in Palo Alto enough to do that anyway. Have seen some strange bugs related to ospf in previous releases. But if you manage to get it working, it would be nice to know how 🙂

- Tor

Re: OSPF between virtual routers

howardtopher — Fri, 21 Aug 2015 20:31:33 GMT

I've done it with BGP. I use a physical interface IP (or subinterface IP) on each virtual router and peer between the two. This way the traffic does not leave the firewall.

For example:

interface e 1/1 has IP 10.10.10.1/30 in VR1

interface e 1/2 has IP 10.10.11.1/30 in VR2

In VR1, set a static route pointing 10.10.11.1/30 to "next vr" VR2. In VR2 do the same with a static route pointing 10.10.10.1/30 to "next vr" VR1.

After that you can configure the BGP peering. Make sure to use iBGP and the "export next hop" as "use self". You'll have to set import and export rules up. Export rules in VR1 to set what gets advertised to VR2, and then a matching import rule in VR2 to accept only those exports from VR1. And the other way around to get a two-way route exchange.

Going from zone to zone you're going to need a gateway protocol. I don't think OSPF will work like this.