Is it possible to run OSPF between 2 virtual routers on a single Palo Alto device?
Since you need to have an interconnecting interface, I guess you need to have the traffic physically leave the firewall and come back in on another port in the other VR, and then use that interface's subnet as the routing subnet to talk OSPF.
But I was wondering if it is also possible to do this internally, just between the two VRs.
I found a related article for BGP peering using loopback IPs: BGP-Peering-Between-Virtual-Routers
But this does not seem to work with OSPF (ERROR: In virtual-router IPS1-vr, only OSPFv2 passive mode can be supported on interface loopback.1 in area 0.0.0.0).
Does anybody have any experience with this, or any ways around it?
I've done this a few times with both BGP and OSPF, but always with the traffic physically leaving the firewall, as you say.
It's usually been scenarios with multiple vsys, with OSPF/BGP needed between VRs in different vsyses. This has been stable and worked as expected. In a multi-vsys environment I think it makes sense to have the traffic leave the device, as there are some throughput limitations on inter-vsys routing, and you would have one session per vsys for each "session" anyway.
I've never tried exactly the scenario you are describing, though. Not sure I would trust the routing functionality in Palo Alto enough to do that anyway; I have seen some strange bugs related to OSPF in previous releases. But if you manage to get it working, it would be nice to know how :)
I've done it with BGP. I use a physical interface IP (or subinterface IP) on each virtual router and peer between the two. This way the traffic does not leave the firewall.
Interface ethernet1/1 has IP 10.10.10.1/30 in VR1.
Interface ethernet1/2 has IP 10.10.11.1/30 in VR2.
In VR1, set a static route pointing 10.10.11.1/30 to "next vr" VR2. In VR2 do the same with a static route pointing 10.10.10.1/30 to "next vr" VR1.
After that you can configure the BGP peering. Make sure to use iBGP and set "export next hop" to "use self". You'll have to set up import and export rules: export rules in VR1 to set what gets advertised to VR2, and then a matching import rule in VR2 to accept only those exports from VR1, and the other way around to get a two-way route exchange.
Going from zone to zone you're going to need a gateway protocol. I don't think OSPF will work like this.
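The recipe in the answer above, written out as PAN-OS CLI set commands for one direction (VR1 to VR2). This is an added example, not part of the original thread or Palo Alto documentation. The interface addresses come from the answer; the VR names VR1/VR2, the peer-group and rule names, AS 65000, and the advertised prefix 192.168.10.0/24 are assumptions, and the command shapes are reproduced from memory of the PAN-OS set syntax, so check them against the CLI reference for your release before committing.

```text
# Added example (not from the original post). Assumed names: VR1, VR2,
# peer group "to-VR2", rule names, AS 65000, prefix 192.168.10.0/24.

# Peering interfaces, one in each virtual router (addresses from the answer)
set network interface ethernet ethernet1/1 layer3 ip 10.10.10.1/30
set network interface ethernet ethernet1/2 layer3 ip 10.10.11.1/30
set network virtual-router VR1 interface ethernet1/1
set network virtual-router VR2 interface ethernet1/2

# Static routes so each VR can reach the other VR's peering subnet via "next-vr"
# (the answer writes the destination as the /30 host address; the /30 network is used here)
set network virtual-router VR1 routing-table ip static-route to-VR2-peer destination 10.10.11.0/30 nexthop next-vr VR2
set network virtual-router VR2 routing-table ip static-route to-VR1-peer destination 10.10.10.0/30 nexthop next-vr VR1

# iBGP in VR1; export-nexthop use-self rewrites the next hop to 10.10.10.1,
# which VR2 can reach through its next-vr static route
set network virtual-router VR1 protocol bgp enable yes
set network virtual-router VR1 protocol bgp router-id 10.10.10.1
set network virtual-router VR1 protocol bgp local-as 65000
set network virtual-router VR1 protocol bgp peer-group to-VR2 type ibgp export-nexthop use-self
set network virtual-router VR1 protocol bgp peer-group to-VR2 peer VR2 peer-as 65000
set network virtual-router VR1 protocol bgp peer-group to-VR2 peer VR2 local-address interface ethernet1/1 ip 10.10.10.1/30
set network virtual-router VR1 protocol bgp peer-group to-VR2 peer VR2 peer-address ip 10.10.11.1
set network virtual-router VR1 protocol bgp peer-group to-VR2 peer VR2 enable yes

# Export policy in VR1: advertise only 192.168.10.0/24 to the VR2 peer group
set network virtual-router VR1 protocol bgp policy export rules adv-to-VR2 used-by to-VR2
set network virtual-router VR1 protocol bgp policy export rules adv-to-VR2 match address-prefix 192.168.10.0/24 exact yes
set network virtual-router VR1 protocol bgp policy export rules adv-to-VR2 action allow
set network virtual-router VR1 protocol bgp policy export rules adv-to-VR2 enable yes

# Matching import policy in VR2 (peer group "to-VR1" assumed, configured as the mirror of the above):
# accept only that prefix from VR1 so VR1 cannot push other routes into VR2's table
set network virtual-router VR2 protocol bgp policy import rules from-VR1 used-by to-VR1
set network virtual-router VR2 protocol bgp policy import rules from-VR1 match address-prefix 192.168.10.0/24 exact yes
set network virtual-router VR2 protocol bgp policy import rules from-VR1 action allow
set network virtual-router VR2 protocol bgp policy import rules from-VR1 enable yes
```

Two points a practitioner will want to keep in mind. First, the export rule only matches routes that are already in BGP, so a connected or static prefix such as 192.168.10.0/24 also has to be redistributed into BGP in VR1 (through the BGP redistribution rules) before the export rule has anything to advertise. Second, traffic that crosses between the two VRs is still evaluated by the security policy according to the ingress and egress zones, and the paired export/import rules are what keep one VR from learning more of the other's routing table than intended, so treat both as explicit allow lists rather than relying on defaults.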