Network segmentation via routers VRFs to Palos VRs and OSPF


L0 Member

Hello everyone, and thank you for your answers. I would like to implement segmentation in the data center. We will create VRFs on a Cisco Nexus core switch, and each VRF will have its own OSPF process to peer with a Palo Alto firewall; all VRF traffic needs to go through the Palos for policy and routing. The question is:


- Should we create multiple virtual routers in the Palos so that each can peer with one of the "Cisco VRF OSPF" processes, or is a single virtual router in the Palo OK to peer with all of the VRF OSPF peers? The networks need to reach each other through the Palos, and all networks also need to reach the internet via an upstream router.


Cyber Elite

@BBravo,

This is really more of a design question, and comes down to what you and anyone else working on the firewall are most comfortable with. Some like to stick different 'networks' in their own VR, while others will simply utilize one.

Personally, it sounds like you are simply utilizing VRFs to force the traffic through the firewall for inspection, and that these networks aren't really 'separate' but rather different logical zones in your network. In that case, I would keep the configuration simple: only utilize a single VR and separate the VRFs by dropping them into their own zones. This simplifies management a bit.

Thank you! You are correct in assuming the only goal is to push VRF traffic through the firewall for inspection; we don't need to worry about securing separate routing tables, hence I thought multiple VRs would only add complexity.

Wondering if anyone has seen any issues with OSPF redistribution between multiple VRs.

Did you ever manage to get OSPF running over multiple VRFs? We're just setting up a new PA firewall and I can't get the PA to talk to the Nexus switches over OSPF. OSPF works fine when the PA talks to our other router at a different site, just not with the VRFs.


I have a support ticket in too, so hopefully it's an easy fix.

Cyber Elite

Hello,

Why not just anchor the VLAN at the PAN on a specific zone, or on an IP subnet carved out of a zone? Personally I like to keep things simple, and this should solve the same issue.


Regards,

We didn't want to do a re-do of the existing core so we left as is.


But we did end up getting OSPF working between the PAN firewall and our Cisco Nexus switches running separate VRFs. We just needed to have separate virtual routers for the different VRFs.

And it works as it should.
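A worked configuration for the design the last post describes (one Palo Alto virtual router per Nexus VRF, each with its own OSPF adjacency, with inter-tenant and internet traffic handed between virtual routers by next-vr static routes) is added below as an illustration; it is not taken from any poster's configuration. The VRF and zone names, VLAN IDs, interface names, router IDs, transit /30s, tenant prefixes (10.10.0.0/16, 10.20.0.0/16) and the upstream-router address 203.0.113.1 are all assumed, as is an 802.1Q trunk between Nexus Ethernet1/1 and firewall ethernet1/1. The PAN-OS lines use the set-format CLI; the redist-profile and export-rules keywords are written from memory and should be checked against the running PAN-OS release.

```text
! ---- Cisco Nexus (NX-OS): one VRF and one OSPF process per tenant (assumed names) ----
feature ospf
feature interface-vlan

vrf context TENANT-A
vrf context TENANT-B

router ospf TENANT-A
  vrf TENANT-A
    router-id 10.255.0.1
router ospf TENANT-B
  vrf TENANT-B
    router-id 10.255.0.2

! One transit SVI per VRF toward the firewall. 'vrf member' goes before
! 'ip address': changing the VRF of an interface clears its L3 config.
interface Vlan101
  no shutdown
  vrf member TENANT-A
  ip address 10.101.0.1/30
  ip router ospf TENANT-A area 0.0.0.0
interface Vlan102
  no shutdown
  vrf member TENANT-B
  ip address 10.102.0.1/30
  ip router ospf TENANT-B area 0.0.0.0

! Trunk carrying both transit VLANs to the firewall
interface Ethernet1/1
  switchport mode trunk
  switchport trunk allowed vlan 101-102

# ---- Palo Alto (PAN-OS set CLI): one subinterface, zone and virtual router per VRF ----
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.101 tag 101
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.101 ip 10.101.0.2/30
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.102 tag 102
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.102 ip 10.102.0.2/30
set network interface ethernet ethernet1/2 layer3 ip 203.0.113.2/30
set zone TENANT-A network layer3 ethernet1/1.101
set zone TENANT-B network layer3 ethernet1/1.102
set zone UNTRUST network layer3 ethernet1/2

# Tenant VR-A: OSPF adjacency with Nexus VRF TENANT-A on the VLAN 101 subinterface
set network virtual-router VR-A interface ethernet1/1.101
set network virtual-router VR-A protocol ospf enable yes
set network virtual-router VR-A protocol ospf router-id 10.101.0.2
set network virtual-router VR-A protocol ospf area 0.0.0.0 type normal
set network virtual-router VR-A protocol ospf area 0.0.0.0 interface ethernet1/1.101 enable yes
set network virtual-router VR-A protocol ospf area 0.0.0.0 interface ethernet1/1.101 passive no
# Tenant VR-B: same pattern on VLAN 102
set network virtual-router VR-B interface ethernet1/1.102
set network virtual-router VR-B protocol ospf enable yes
set network virtual-router VR-B protocol ospf router-id 10.102.0.2
set network virtual-router VR-B protocol ospf area 0.0.0.0 type normal
set network virtual-router VR-B protocol ospf area 0.0.0.0 interface ethernet1/1.102 enable yes
set network virtual-router VR-B protocol ospf area 0.0.0.0 interface ethernet1/1.102 passive no

# Internet VR: default route to the upstream router, plus return routes to each tenant VR
set network virtual-router VR-UNTRUST interface ethernet1/2
set network virtual-router VR-UNTRUST routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 203.0.113.1
set network virtual-router VR-UNTRUST routing-table ip static-route to-A destination 10.10.0.0/16 nexthop next-vr VR-A
set network virtual-router VR-UNTRUST routing-table ip static-route to-B destination 10.20.0.0/16 nexthop next-vr VR-B

# Tenant VRs: default toward VR-UNTRUST, other tenant's prefix toward its VR (both traverse policy)
set network virtual-router VR-A routing-table ip static-route default destination 0.0.0.0/0 nexthop next-vr VR-UNTRUST
set network virtual-router VR-A routing-table ip static-route to-B destination 10.20.0.0/16 nexthop next-vr VR-B
set network virtual-router VR-B routing-table ip static-route default destination 0.0.0.0/0 nexthop next-vr VR-UNTRUST
set network virtual-router VR-B routing-table ip static-route to-A destination 10.10.0.0/16 nexthop next-vr VR-A

# Advertise the static default into each tenant OSPF process as an external route,
# so the Nexus VRFs send internet traffic to the firewall
set network virtual-router VR-A protocol redist-profile DEFAULT-OUT priority 10
set network virtual-router VR-A protocol redist-profile DEFAULT-OUT action redist
set network virtual-router VR-A protocol redist-profile DEFAULT-OUT filter type static
set network virtual-router VR-A protocol redist-profile DEFAULT-OUT filter destination 0.0.0.0/0
set network virtual-router VR-A protocol ospf export-rules DEFAULT-OUT new-path-type ext-2
set network virtual-router VR-B protocol redist-profile DEFAULT-OUT priority 10
set network virtual-router VR-B protocol redist-profile DEFAULT-OUT action redist
set network virtual-router VR-B protocol redist-profile DEFAULT-OUT filter type static
set network virtual-router VR-B protocol redist-profile DEFAULT-OUT filter destination 0.0.0.0/0
set network virtual-router VR-B protocol ospf export-rules DEFAULT-OUT new-path-type ext-2
```

To check the adjacencies, use `show ip ospf neighbors vrf TENANT-A` on the Nexus and `show routing protocol ospf neighbor` on the firewall; an adjacency stuck in INIT or EXSTART usually means the firewall subinterface is in the wrong virtual router, the VLAN tag does not match the SVI, or the Nexus SVI was addressed before being placed in its VRF. The earlier reply's single-VR design differs only in that both subinterfaces and both OSPF areas go into one virtual router and the next-vr routes are dropped: with one VR the tenant prefixes are then advertised into every attached OSPF process by the firewall's single OSPF instance, which is fine when the VRFs exist only to steer traffic through the firewall, but it is route leakage if the VRFs are meant to stay routing-isolated, and that is the trade-off between the two approaches.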
