09-18-2024 10:28 AM
Hi Guys.
We're deploying SDWAN for a customer who already has two ISPs connected at his hub, talking BGP ECMP with them using his public ASN and his own prefixes.
According to the documentation, the SDWAN plugin requires the same BGP Router ID and ASN when declaring the hub in devices, but it won't allow using the public ASN here.
So, my question is, do you need to create another VR in order to run a separate BGP process for the SDWAN side of things? Or is there a workaround to directly use the public ASN? The closest scenario I could find is this one, https://docs.paloaltonetworks.com/sd-wan/3-0/sd-wan-admin/configure-sd-wan/configure-multi-vr-on-sd-.... The main difference is I wouldn't need a VR2, but I'm struggling to understand what interfaces need to be attached to VR1, and how the traffic needs to be forwarded between VRs. If that's the case, I would need to set up and maintain a lot of static routes there, right?
Many Thanks.
09-18-2024 11:21 AM
Hello,
You shouldn't need two VR's.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLL8CAO
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClElCAK
Regards,
09-18-2024 11:26 AM
Thanks for the reply. But the problem isn't at the internet side of the firewall. It's on the SDWAN plugin, and its limitation to only accept private ASNs for its internal BGP routing. On my default virtual router (the one that's similar to the DIA one in the example from my posted link), I'm using the public ASN, because it's not possible to end the AS-Path with a private number. So, to sum it up, the ISP-facing side cannot use a private ASN, and the SDWAN plugin doesn't accept public ASNs.
09-18-2024 11:32 AM
Hello,
Sorry, I misread your initial question. I think you might need the two VRs, one internal and one external. However, I do not use the SDWAN feature.
Regards,
09-23-2024 11:49 AM - edited 09-23-2024 12:15 PM
Hello,
I'm encountering a similar scenario.
In an environment with BGP configured (Public AS), is there any way to use this Public AS in the automation of the SD-WAN plugin within the BGP settings?
I have the following topology:
When I try to insert the BGP configurations for automated tunnel creation, I receive a failure notification when inputting this information:
According to the documentation, it should be possible to use BGP in this context, but it doesn’t specify if there are any issues related to using a Public vs. Private AS.
The versions I am using are:
SD-WAN plugin: 3.2.1
VM-50 device: 11.1.2-h3
Panorama: 11.1.2-h3
Update:
The firewall's direct documentation states that Palo Alto's SD-WAN only supports private BGP. 😞
https://docs.paloaltonetworks.com/plugins/sd-wan/2-1/panorama-sd-wan-plugin-help/panorama-sd-wan-plu...
However, in my humble opinion, using multi-VR doesn’t solve the scenario, as it’s not possible to add the same device in the SD-WAN automation while needing to use both VRs.
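The thread above turns on which ASNs count as "private". As an added example (not code from this thread or from Palo Alto), the following Python classifies an ASN against the RFC 6996 private ranges (64512-65534 and 4200000000-4294967294) and the RFC 7300/7607/6793 reserved values, accepts both asplain and asdot notation, and reports whether a plugin that accepts only private ASNs would take it. The "private-only" acceptance rule is taken from the documentation statement quoted in this post; the function and range names are this example's own.

```python
# Added example, not from the LIVEcommunity thread or Palo Alto's software.
# Classifies a BGP ASN as private / public / reserved per the IANA registries
# and mirrors the "private ASN only" constraint the SD-WAN plugin enforces.

PRIVATE_2BYTE = (64512, 65534)             # RFC 6996, 16-bit private range
PRIVATE_4BYTE = (4200000000, 4294967294)   # RFC 6996, 32-bit private range
RESERVED = {
    0,            # RFC 7607: AS 0 must not be used
    23456,        # RFC 6793: AS_TRANS placeholder for 4-byte ASN transition
    65535,        # RFC 7300: last 16-bit ASN, reserved
    4294967295,   # RFC 7300: last 32-bit ASN, reserved
}


def parse_asn(text):
    """Parse an ASN written in asplain ('65001') or asdot ('1.10') form.

    Returns the 32-bit integer value. Raises ValueError for malformed input.
    """
    text = text.strip()
    if "." in text:
        hi_str, lo_str = text.split(".", 1)
        hi, lo = int(hi_str), int(lo_str)
        if not (0 <= hi <= 65535 and 0 <= lo <= 65535):
            raise ValueError(f"asdot component out of range: {text!r}")
        return hi * 65536 + lo
    asn = int(text)
    if not 0 <= asn <= 4294967295:
        raise ValueError(f"ASN out of 32-bit range: {text!r}")
    return asn


def classify_asn(asn):
    """Return 'reserved', 'private' or 'public' for an integer ASN."""
    if asn in RESERVED:
        return "reserved"
    if PRIVATE_2BYTE[0] <= asn <= PRIVATE_2BYTE[1]:
        return "private"
    if PRIVATE_4BYTE[0] <= asn <= PRIVATE_4BYTE[1]:
        return "private"
    return "public"


def check_sdwan_asn(text):
    """Decide whether a private-only BGP feature would accept this ASN.

    Returns (accepted, reason). The private-only rule is the constraint the
    thread quotes from the SD-WAN plugin documentation; it is assumed here
    rather than read from any device.
    """
    try:
        asn = parse_asn(text)
    except ValueError as exc:
        return False, f"unparseable ASN: {exc}"
    kind = classify_asn(asn)
    if kind == "private":
        return True, f"AS{asn} is private (RFC 6996), accepted"
    return False, f"AS{asn} is {kind}, rejected by a private-only BGP feature"


if __name__ == "__main__":
    # Constructed sample inputs: a typical private hub ASN, a public ASN in
    # asdot form, a 4-byte private ASN, and a reserved value.
    for candidate in ["65001", "1.10", "4200000000", "65535", "notanasn"]:
        print(candidate, "->", check_sdwan_asn(candidate))
```

The practical reading for the scenario in this thread: the ISP-facing BGP session keeps the public ASN, and any ASN you hand to a private-only feature has to fall in one of the two RFC 6996 ranges, which is exactly the mismatch the original poster describes.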
09-23-2024 12:40 PM
Hello,
That is beyond my expertise. I would suggest reaching out to your sales engineer; they can message other sales engineers and might be able to answer it for you. However, if it's preventing you from doing so, there could be a reason why.
Regards,
09-24-2024 09:26 AM
Hi, I couldn't find a solution yet. Using a second VR might fix this problem, but I'm thinking that in the hub, I would need to assign 2 interfaces (loopbacks maybe?) in the upstream NAT section of the plugin, then NAT and forward traffic from the internet directed to the assigned IP address. In my case it would require 2 loopbacks, one for each ISP on the default VR. Such a complication; it would be so much easier to allow public ASNs in the plugin....
09-25-2024 11:00 AM
Hi, haven't tried yet. But I think we might have something here.
In step 6, it says:
Select the Virtual Router Name to use for routing between the SD-WAN hub and branches. By default, an sdwan-default virtual router is created and enables Panorama to automatically push router configurations.
10-04-2024 07:10 AM
- Multi-VR will only work on the HUB;
- And if you want to use both, it's not possible. SD-WAN only allows using one VR;
- Loopbacks might be an issue on GlobalProtect with SD-WAN.
In