Hello everyone and thank you for your answers, I would like to implement segmentation in the data center, we will create VRFs in a Cisco Nexus Core switch and each VRF will have its own OSPF process to peer with a Palo Alto Firewall, all VRF traffic needs to go through the Palos for policy and routing, the question is:
-Should we create multiple virtual routers in the Palos so each can peer with each of the “cisco VRF OSPF” processes? Or a single virtual router in the Palo is ok to peer with all of the VRF OSPF peers? networks need to reach each other through Palos and also all networks need to reach the internet from an upstream router.
This is really more of a design question and what you and any others working on the firewall are most comfortable with. Some like to stick different 'networks' in their own VR while others with simply utilize one.
Personally it sounds like you are simply utilizing VRFs to force the traffic through the firewall for inspection, and that theese networks aren't really 'seperate' but rather different logical zones in your network. In that case, I would keep the configuration simple and only utilize a single VR and simply seperate the VRFs by dropping them into their own zone. This simplifies management a bit.
Thank you! you are correct assuming only goal is to push VRF traffic through the firewall for inspection, we dont need to worry about securing separate routing tables hence I thought multiple VRs would only add complexity.
Wondering if anyone has seen any issues with OSPF redist, between multiple VRs.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!