BGP Multiple ISP VR Requirements

KyleFreise · ‎07-06-2016

I'm attempting to wrap my head around a very critical piece of setting up BGP between 2 ISP's concerning how many Virtual Routers are required.

I currently have 1 ISP (A) up and running on BGP just fine and my other ISP (B) will be converted to BGP on Monday. Both will be advertising my public IP space from ARIN.

So my question is, do I put both ISP A's and ISP B's interfaces on the same VR or do they need to be on their own separate VR's?

I'm receiving a few conflicted answers to this question, so I'm looking for real world experience.

Currently I'm still a strong believer in that I need to just add my ISP B as its own Peer Group to my current primary Virtual Router, add ISP B's own subinterface to the Resdistribution Profile along with ISP A's subinterface, configure a new Import Rule for ISP B plus an Export Rule with a Prepend of 2 if I choose to, and finally check ECMP for "load balancing".

All this sounded great until I was told the following from a Palo rep: "Two interfaces ( belonging to same VR ) cannot have IP addresses from the same subnet. x.x.x.x/24"

That threw a wrench into my whole thought process because both ISP's are advertising my /24 from ARIN, but are physically connected with 2 different /30's to each ISP's switch.

MatthewRaguso · ‎11-02-2016

@KyleFreise wrote:
I tied each ISP's BGP link into one VR and what I was originally confused about was how to tie our /24 ARIN space in with these links.

In short I didn't realize you can apply the /24 public space to any interface and just advertise it out with the Redistribution Profile. I was thinking it had to be applied to both external ethernet ports.

Not the case, just tie the /24 to one of the external facing ports as subinterfaces and then I put a simple /32 on the other ISP's subinterface for ping testing. Not really necessary, but I was playing around.

What happens if the physical interface goes down? Will the sub-interface go down as well?

KyleFreise · ‎11-02-2016

Yes if the primary interface (say ethernet1/18) goes down, then the subinterface (ethernet1/18.1) will go down as well.

I've yet had that happen on the BGP links as my issues stem from downstream routing issues during maintenance or routing equipment failure down one of the pipes.

MatthewRaguso · ‎11-03-2016

This is currently the approach I am using. I was just wondering if there was a better way. Thanks for the reply.

RFalconer · ‎11-04-2016

Can you explain a little more how you use a redistribution profile to advertise prefixes with BGP to your ISP? I have BGP running on many PAs and just use standard BGP with export rules and redistribution rules, no subinterfaces in use.

KyleFreise · ‎11-04-2016

My redistribution profile is using Source Type "connect" and the interfaces are the main untrust facing interfaces as well as their respective sub-interfaces.

The import rule is simply matching and allowing 0.0.0.0/0, while the export rule is matching the ARIN space we have. Then the redistribution profile is referenced within the 'Redist Rules' tab for the BGP configuration.

Again, I'm only redistributing outward facing interfaces (including the subs).

BGP Multiple ISP VR Requirements

BGP Multiple ISP VR Requirements

Show your appreciation!