Gateways are pushed down by OSPF. You would most likely be pushing the local VLAN GW with DHCP. OSPF would take care of it from there. Does that make sense?
So your SVIs run on layer 3 interfaces/sub-interfaces on the Palos. I would be running mine on a pair of Cat9ks one layer southbound.
You can either span the vlan all the way through to the PAN subinterfaces or route between the PAN & the 9Ks. I prefer routing between the two and like I mentioned before, breaking up my security zones using VRF and redistributing your default gateway(s) with a dynamic routing protocol. You can do VRF on the 9Ks all day long.
That depends on your design and preferences. You can create a 0.0.0.0/0 static route on the PAN and redistribute from there. If you are running internet facing routers, you can redistribute from there back into the PAN. Or, you can have your ISP redistribute the default into your internet facing routers and back down through. It's really up to you.
I think focusing on the Core Switch Layer (nexus/cat9k) that has multiple VRFs that egress Layer 3 routed ports on the Core to the Core Palo FW. In order for the Palo to come back down to a different VRF the Palo needs to know about thise VRF networks in the global route table. So right now im just using static to do this but BGP could help route leak and make it easier and cleaner. Now are you saying you have ONE vRouter per vrf and then vrouters can talk to each other?
Yes but then you need to get all your Routing layer subnets per vrf back into the global route table so the palo can route back down to a different vrf
Maybe I'm misunderstanding what you mean by "global route table". For example: Let's say you have a single PAN vRouter and all of it's attached interfaces (ie - VRFs on the 9K) all in an OSPF area 0. Then each VRF will have routes for every other VRF. But, they must be allowed through by your FW rules in the PAN. Perhaps I'm missing a piece of this equation?
So I have this setup and it appears to be "working" but I seem to be having some issues with ECMP and sessions. When I run a packet capture I am seeing tcp out of order messages.
My core 9500s (not stacked or using VSS) are dual connected to each Palo Alto in active/active. I have HA session owner to first packet and session setup to first packet as well.
I am seeing lots of "unknowns" "n/a" "aged-out" in my traffic logs. The core 9500s are running /30 layer 3 links to each palo. OSPF is used to advertise loopbacks into the route table and the 9500s and palos are using iBGP for the main routing protocol. I am seeing multiple-paths from the core 9500s and the palos. The 9500s are running HSRP. So OSPF is doing ecmp to loopbacks from 9500s to palos, palos doing ecmp to each 9500.
What should my ecmp settings be? Should my ha session options be different than they are?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!