BGP Multiple ISP VR Requirements

L2 Linker


I'm attempting to wrap my head around a very critical piece of setting up BGP between 2 ISPs concerning how many Virtual Routers are required.

 

I currently have 1 ISP (A) up and running on BGP just fine and my other ISP (B) will be converted to BGP on Monday.  Both will be advertising my public IP space from ARIN.

 

So my question is, do I put both ISP A's and ISP B's interfaces on the same VR or do they need to be on their own separate VRs?

 

I'm receiving a few conflicted answers to this question, so I'm looking for real world experience.

 

Currently I'm still a strong believer in that I need to just add my ISP B as its own Peer Group to my current primary Virtual Router, add ISP B's own subinterface to the Redistribution Profile along with ISP A's subinterface, configure a new Import Rule for ISP B plus an Export Rule with a Prepend of 2 if I choose to, and finally check ECMP for "load balancing".

 

All this sounded great until I was told the following from a Palo rep: "Two interfaces ( belonging to same VR ) cannot have IP addresses from the same subnet. x.x.x.x/24"

 

That threw a wrench into my whole thought process because both ISPs are advertising my /24 from ARIN, but are physically connected with 2 different /30s to each ISP's switch.

L5 Sessionator

You can have one VR. Prefer one BGP peer, and if that BGP peer goes down then it will automatically start using the second ISP.

 

Check this KB

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Prefer-a-BGP-Peer-for-Installing-...

L2 Linker

My import rules are default routes (0.0.0.0/0) so wouldn't ECMP be a better model for load balancing?

 

I do agree now though that a single VR is all that is required.

L7 Applicator

If you want to load balance then your options are to use ECMP (if you have PanOS 7 where this feature was introduced) or configure policy based routing.  With policy based routing you choose what types of traffic by source or other criteria to forward to which ISP.

 

ECMP

ECMP Load-Balancing Algorithms

Configure ECMP on a Virtual Router

Enable ECMP for Multiple BGP Autonomous Systems

 

Policy Based Routing

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L2 Linker

I tied each ISP's BGP link into one VR and what I was originally confused about was how to tie our /24 ARIN space in with these links.

 

In short I didn't realize you can apply the /24 public space to any interface and just advertise it out with the Redistribution Profile.  I was thinking it had to be applied to both external ethernet ports.

 

Not the case, just tie the /24 to one of the external facing ports as subinterfaces and then I put a simple /32 on the other ISP's subinterface for ping testing.  Not really necessary, but I was playing around.

L1 Bithead


@KyleFreise wrote:

I tied each ISP's BGP link into one VR and what I was originally confused about was how to tie our /24 ARIN space in with these links.

 

In short I didn't realize you can apply the /24 public space to any interface and just advertise it out with the Redistribution Profile.  I was thinking it had to be applied to both external ethernet ports.

 

Not the case, just tie the /24 to one of the external facing ports as subinterfaces and then I put a simple /32 on the other ISP's subinterface for ping testing.  Not really necessary, but I was playing around.


 

 

What happens if the physical interface goes down? Will the sub-interface go down as well?

L2 Linker

Yes, if the primary interface (say ethernet1/18) goes down, then the subinterface (ethernet1/18.1) will go down as well.

 

I've yet to have that happen on the BGP links, as my issues stem from downstream routing issues during maintenance or routing equipment failure down one of the pipes.

L1 Bithead

This is currently the approach I am using. I was just wondering if there was a better way. Thanks for the reply.

L3 Networker

Can you explain a little more how you use a redistribution profile to advertise prefixes with BGP to your ISP? I have BGP running on many PAs and just use standard BGP with export rules and redistribution rules, no subinterfaces in use.

L2 Linker

My redistribution profile is using Source Type "connect" and the interfaces are the main untrust facing interfaces as well as their respective sub-interfaces.

 

The import rule is simply matching and allowing 0.0.0.0/0, while the export rule is matching the ARIN space we have.  Then the redistribution profile is referenced within the 'Redist Rules' tab for the BGP configuration.

 

Again, I'm only redistributing outward facing interfaces (including the subs).
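
As an added example (not part of the thread and not PAN-OS configuration), the import and export rules described in the posts above can be modelled in Python to check that only the owned /24 is announced to each ISP and that routes learned from one ISP are never re-advertised to the other. The prefix 203.0.113.0/24, the AS numbers and the helper names are constructed placeholders; the prepend of 2 on ISP B follows the first post, modelled here as two extra copies of the local AS.

```python
import ipaddress

# Constructed values: documentation prefix and documentation/private-use ASNs.
LOCAL_AS = 64512
OWN_PREFIX = ipaddress.ip_network("203.0.113.0/24")   # stands in for the ARIN /24
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
PEERS = {"ISP-A": {"asn": 64496, "prepend": 0},
         "ISP-B": {"asn": 64511, "prepend": 2}}

def import_filter(received):
    """Import rule: accept only an exact 0.0.0.0/0 from a peer."""
    return [r for r in received
            if ipaddress.ip_network(r["prefix"]) == DEFAULT]

def export_filter(candidates, peer):
    """Export rule: advertise only the exact own prefix, locally originated."""
    out = []
    for r in candidates:
        net = ipaddress.ip_network(r["prefix"])
        if net != OWN_PREFIX or r["as_path"]:
            continue  # not our /24, or learned from a neighbour: never re-advertise
        path = [LOCAL_AS] * (1 + PEERS[peer]["prepend"])
        out.append({"prefix": str(net), "as_path": path})
    return out

def find_leaks(advertised):
    """Flag any advertisement whose AS path carries an upstream's AS (transit leak)."""
    upstream = {p["asn"] for p in PEERS.values()}
    return [r for r in advertised if upstream & set(r["as_path"])]

def simulate():
    # Constructed received routes: each ISP sends a default, ISP A also sends a /24.
    received = {
        "ISP-A": [{"prefix": "0.0.0.0/0", "as_path": [64496]},
                  {"prefix": "198.51.100.0/24", "as_path": [64496, 64500]}],
        "ISP-B": [{"prefix": "0.0.0.0/0", "as_path": [64511]}],
    }
    rib = [dict(r, peer=p) for p, rs in received.items() for r in import_filter(rs)]
    # Export candidates: the connected /24 (empty AS path) plus everything learned.
    candidates = [{"prefix": "203.0.113.0/24", "as_path": []}]
    candidates += [r for rs in received.values() for r in rs]
    adverts = {p: export_filter(candidates, p) for p in PEERS}
    return rib, adverts

if __name__ == "__main__":
    rib, adverts = simulate()
    print("accepted:", rib)
    print("advertised:", adverts)
    print("leaks:", find_leaks(adverts["ISP-A"] + adverts["ISP-B"]))
```

The two accepted default routes, one per ISP, are the equal-cost candidates that the ECMP discussion earlier in the thread refers to.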
