BGP Multiple ISP VR Requirements

Showing results for 
Show  only  | Search instead for 
Did you mean: 

BGP Multiple ISP VR Requirements

L2 Linker

I'm attempting to wrap my head around a very critical piece of setting up BGP between 2 ISP's concerning how many Virtual Routers are required.


I currently have 1 ISP (A) up and running on BGP just fine and my other ISP (B) will be converted to BGP on Monday.  Both will be advertising my public IP space from ARIN.


So my question is, do I put both ISP A's and ISP B's interfaces on the same VR or do they need to be on their own separate VR's?


I'm receiving a few conflicted answers to this question, so I'm looking for real world experience.


Currently I'm still a strong believer in that I need to just add my ISP B as its own Peer Group to my current primary Virtual Router, add ISP B's own subinterface to the Resdistribution Profile along with ISP A's subinterface, configure a new Import Rule for ISP B plus an Export Rule with a Prepend of 2 if I choose to, and finally check ECMP for "load balancing".


All this sounded great until I was told the following from a Palo rep: "Two interfaces ( belonging to same VR ) cannot have IP addresses from the same subnet. x.x.x.x/24"


That threw a wrench into my whole thought process because both ISP's are advertising my /24 from ARIN, but are physically connected with 2 different /30's to each ISP's switch.


@KyleFreise wrote:

I tied each ISP's BGP link into one VR and what I was originally confused about was how to tie our /24 ARIN space in with these links.


In short I didn't realize you can apply the /24 public space to any interface and just advertise it out with the Redistribution Profile.  I was thinking it had to be applied to both external ethernet ports.


Not the case, just tie the /24 to one of the external facing ports as subinterfaces and then I put a simple /32 on the other ISP's subinterface for ping testing.  Not really necessary, but I was playing around.



What happens if the physical interface goes down? Will the sub-interface go down as well?

Yes if the primary interface (say ethernet1/18) goes down, then the subinterface (ethernet1/18.1) will go down as well.


I've yet had that happen on the BGP links as my issues stem from downstream routing issues during maintenance or routing equipment failure down one of the pipes.

This is currently the approach I am using. I was just wondering if there was a better way. Thanks for the reply.

Can you explain a little more how you use a redistribution profile to advertise prefixes with BGP to your ISP? I have BGP running on many PAs and just use standard BGP with export rules and redistribution rules, no subinterfaces in use.

My redistribution profile is using Source Type "connect" and the interfaces are the main untrust facing interfaces as well as their respective sub-interfaces.


The import rule is simply matching and allowing, while the export rule is matching the ARIN space we have.  Then the redistribution profile is referenced within the 'Redist Rules' tab for the BGP configuration.


Again, I'm only redistributing outward facing interfaces (including the subs).

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!