Does BGP need to be on a separate virtual router?


L2 Linker

I'm currently using RIP in a single virtual router. I'm adding BGP for a Microsoft Express Route circuit. I have a consultant to assist in the BGP setup. He says the BGP needs to be in a separate virtual router. Is there a reason for this that anyone knows? His answer is PaloAlto requires it. ???

PA3020.

 

TIA,

 

Greg

1 accepted solution

Accepted Solutions

It sounds like the VR is not a requirement for you then. These would typically be used in your setup if you had only a segment of your network that would access the express route path. This is usually a Data Center area of the network, while the rest of the network should not see the routes or have access.

 

Importing the routes to a separate VR then makes it easy to control their redistribution on your company network to only those areas that need the access and nowhere else.

 

From your description it seems like this is not the case for your company.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center


8 REPLIES

Cyber Elite

Hello,

A separate VR is not required to my knowledge.

 

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking/bgp

 

Regards,

Cyber Elite

No, VR is not required for BGP.

MP


BGP runs fine with one virtual router.

What is the consultant's claim? That BGP in general needs a separate VR, or because you have RIP already?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L7 Applicator

VRs are needed when you need to isolate groups of routes that you don't want to propagate everywhere on the network. I suspect we are missing some element of your topology and routing requirements that make putting the Azure Express Routes in an isolated instance.

 

What is the topology and what segments need to communicate with Azure across this connection?

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

My topology is pretty simple.  Core L3 switch with a half dozen vlans.

There is no requirement for isolation.

In fact I'm trying to figure out how this could work.

Part of what we are doing is connecting to the MS public PAS services such as Data Warehouse.

Using route filters we only get routing to the East Central region public addresses via the BGP session with Azure.

Since the BGP router has those routes, how would a workstation connected to the other VR know how to get to the Data Warehouse in East Central using the Express Route circuit?

 

There is no requirement for a separate VR other than consultant speak saying that's the way to do it.


L2 Linker

You do not need a separate VR unless you are learning routes in BGP that overlap with routes in your existing network. If that is the case, you will have to worry about more than just a separate VR.
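The overlap condition raised in the reply above can be checked before BGP is enabled in the existing virtual router. The following is an added example, not part of the original thread and not Palo Alto code; the prefix lists are constructed sample data and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (not from the thread): prefixes already carried in the
# existing virtual router, and prefixes expected from the ExpressRoute BGP peer.
INTERNAL = ["10.10.0.0/16", "10.20.30.0/24", "192.168.50.0/24"]
LEARNED = ["203.0.113.0/24", "10.20.0.0/16", "10.10.4.0/22", "192.168.50.0/24"]


def classify_overlaps(internal, learned):
    """Return (learned, internal, relation) for every overlapping pair.

    relation is 'exact' (same prefix, route preference decides),
    'more-specific' (learned sits inside internal and wins longest-prefix
    match for that range) or 'covering' (learned contains internal).
    """
    int_nets = [ipaddress.ip_network(p) for p in internal]
    findings = []
    for prefix in learned:
        net = ipaddress.ip_network(prefix)
        for existing in int_nets:
            # Never compare IPv4 with IPv6; skip pairs that do not overlap.
            if net.version != existing.version or not net.overlaps(existing):
                continue
            if net == existing:
                relation = "exact"
            elif net.subnet_of(existing):
                relation = "more-specific"
            else:
                relation = "covering"
            findings.append((str(net), str(existing), relation))
    return findings


def safe_to_share_table(internal, learned):
    """True when no learned prefix overlaps an internal one."""
    return not classify_overlaps(internal, learned)


if __name__ == "__main__":
    for learned, existing, relation in classify_overlaps(INTERNAL, LEARNED):
        print(f"{learned:18} vs {existing:18} {relation}")
    print("single VR is clean:", safe_to_share_table(INTERNAL, LEARNED))
```

An empty result means the learned prefixes can sit in the same routing table without shadowing internal routes; any 'more-specific' or 'exact' finding is a prefix that would need an import filter or renumbering first.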

L2 Linker

Thanks everyone.

There was no reason to have a separate VR.

We went live with the Expressroute circuit last week.
