10-25-2018 06:51 AM
I'm currently using RIP in a single virtual router. I'm adding BGP for a Microsoft Express Route circuit. I have a consultant to assist in the BGP setup. He says the BGP needs to be in a separate virtual router. Is there a reason for this that anyone knows? His answer is Palo Alto requires it. ???
PA3020.
TIA,
Greg
10-25-2018 11:53 AM
Hello,
A separate VR is not required to my knowledge.
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking/bgp
Regards,
10-25-2018 09:59 PM
No, VR is not required for BGP.
10-26-2018 12:57 PM - edited 10-26-2018 12:57 PM
BGP runs fine with one virtual router.
What is the consultant's claim? That BGP in general needs a separate VR, or because you have RIP already?
10-27-2018 04:48 PM
VRs are needed when you need to isolate groups of routes that you don't want to propagate everywhere on the network. I suspect we are missing some element of your topology and routing requirements that make putting the Azure Express Routes in an isolated instance.
What is the topology and what segments need to communicate with Azure across this connection?
10-29-2018 07:41 AM
My topology is pretty simple. Core L3 switch with a half dozen vlans.
There is no requirement for isolation.
In fact I'm trying to figure out how this could work.
Part of what we are doing is connecting to the MS public PAS services such as Data Warehouse.
Using route filters we only get routing to the East Central region public addresses via the BGP session with Azure.
Since the BGP router has those routes, how would a workstation connected to the other VR know how to get to the Data Warehouse in East Central using the Express Route circuit?
There is no requirement for a separate VR other than consultant speak saying that's the way to do it.
11-01-2018 03:02 AM
It sounds like the VR is not a requirement for you then. These would typically be used in your setup if you had only a segment of your network that would access the express route path. This is usually a Data Center area of the network, while the rest of the network should not see the routes or have access.
Importing the routes to a separate VR then makes it easy to control their redistribution on your company network to only those areas that need the access and nowhere else.
From your description it seems like this is not the case for your company.
11-01-2018 06:38 AM
You do not need a separate VR unless you are learning routes in BGP that overlap with routes in your existing network. If that is the case, you will have to worry about more than just a separate VR.
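Added example, not part of the thread or of any Palo Alto tooling: one way to test the overlap condition raised in the reply above before merging BGP-learned routes into the existing virtual router. The function name and all prefixes are constructed for illustration; in practice the two lists would come from the firewall's route table and the prefixes advertised by the BGP peer.

```python
import ipaddress

def find_overlaps(local_routes, bgp_routes):
    """Return (bgp_prefix, local_prefix, relation) for every overlapping pair.

    relation is one of:
      "exact"         - the same prefix exists on both sides
      "more-specific" - the BGP prefix sits inside a local prefix and would
                        win longest-prefix match for that part of the range
      "covering"      - the BGP prefix is a supernet of a local prefix
    """
    local = [ipaddress.ip_network(p) for p in local_routes]
    findings = []
    for raw in bgp_routes:
        learned = ipaddress.ip_network(raw)
        for net in local:
            # Skip mixed IPv4/IPv6 pairs and prefixes that do not intersect.
            if learned.version != net.version or not learned.overlaps(net):
                continue
            if learned == net:
                relation = "exact"
            elif learned.subnet_of(net):
                relation = "more-specific"
            else:
                # Two overlapping, unequal prefixes: one contains the other.
                relation = "covering"
            findings.append((str(learned), str(net), relation))
    return findings

# Constructed sample data (hypothetical, not taken from the thread).
LOCAL_ROUTES = ["10.10.0.0/16", "10.20.30.0/24", "192.168.50.0/24"]
BGP_LEARNED = [
    "203.0.113.0/24",    # public range, no overlap
    "198.51.100.0/25",   # public range, no overlap
    "10.10.8.0/22",      # inside a local /16
    "10.20.0.0/16",      # supernet of a local /24
    "192.168.50.0/24",   # identical to a local prefix
]

if __name__ == "__main__":
    for learned, net, relation in find_overlaps(LOCAL_ROUTES, BGP_LEARNED):
        print(f"BGP {learned} overlaps local {net}: {relation}")
```

An empty result means the learned prefixes can share a routing table with the existing routes without shadowing any of them.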
11-06-2018 09:46 AM
Thanks everyone.
There was no reason to have a separate VR.
We went live with the Expressroute circuit last week.