SDWAN BGP over pre-existing BGP internet.


L1 Bithead

Hi Guys. 

We're deploying SD-WAN for a customer who already has two ISPs connected to their hub and is running BGP ECMP with them, using their public ASN and their own prefixes.

According to the documentation, the SD-WAN plugin requires the same BGP Router ID and ASN when declaring the hub in devices, but it won't allow using the public ASN here.

 

So, my question is: do you need to create another VR in order to run a separate BGP process for the SD-WAN side of things? Or is there a workaround to directly use the public ASN? The closest scenario I could find is this one, https://docs.paloaltonetworks.com/sd-wan/3-0/sd-wan-admin/configure-sd-wan/configure-multi-vr-on-sd-.... The main difference is I wouldn't need a VR2, but I'm struggling to understand what interfaces need to be attached to VR1, and how the traffic needs to be forwarded between VRs. If that's the case, I would need to set up and maintain a lot of static routes there, right?

 

Many Thanks.

8 REPLIES

Cyber Elite

Thanks for the reply. But the problem isn't at the internet side of the firewall. It's on the SD-WAN plugin, and its limitation to only accept private ASNs for its internal BGP routing. On my default virtual router (the one that's similar to the DIA one in the example from my posted link), I'm using the public ASN, because it's not possible to end the AS-Path with a private number. So, to sum it up, the ISP-facing side cannot use a private ASN, and the SD-WAN plugin doesn't accept public ASNs.
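The constraint described in this post comes down to the RFC 6996 private-use ASN ranges and the way ISP edge routers strip private ASNs from an AS path before re-advertising a route. The following is an added example (it is not code from this thread, from PAN-OS, or from the SD-WAN plugin) that checks an ASN against those ranges and models why a prefix whose path ends in a private ASN cannot be attributed to the customer once the ISP removes private ASNs. The ASNs used (64496 as the customer's "public" ASN, 64497 as the ISP, 65000 as the private SD-WAN ASN) are constructed sample values from the RFC 5398 documentation range and the private range, and the plugin's acceptance check is modelled here, not taken from the plugin.

```python
"""
Added example, not from the thread or from Palo Alto Networks: RFC 6996
private-ASN checks and a simplified model of remove-private-AS.
All ASNs below are constructed sample values.
"""
from typing import List, Optional

# RFC 6996 private-use ranges: 2-byte 64512-65534, 4-byte 4200000000-4294967294.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_asn(asn: int) -> bool:
    """True if asn falls inside one of the RFC 6996 private-use ranges."""
    if not 0 <= asn <= 4294967295:
        raise ValueError(f"ASN out of 32-bit range: {asn}")
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def check_sdwan_plugin_asn(asn: int) -> str:
    """Models the constraint the thread reports: the SD-WAN plugin's BGP
    automation only accepts a private ASN. Returns 'ok' or a reason string.
    (Assumption: this mirrors the reported behaviour; it is not plugin code.)"""
    if is_private_asn(asn):
        return "ok"
    return f"AS{asn} is public; the SD-WAN plugin BGP settings only accept a private ASN"


def remove_private_as(path: List[int]) -> List[int]:
    """Simplified remove-private-AS, as an ISP edge router applies it before
    advertising a customer route upstream: every private ASN is dropped.
    Real implementations differ in detail (some strip only leading private
    ASNs); this is the simplest model and is enough to show the problem."""
    return [asn for asn in path if not is_private_asn(asn)]


def origin_as(path: List[int]) -> Optional[int]:
    """Origin AS as seen upstream: the right-most ASN after private ASNs are
    removed, or None if nothing public is left in the path."""
    cleaned = remove_private_as(path)
    return cleaned[-1] if cleaned else None


def advertise_ok(path: List[int], expected_origin: int) -> bool:
    """True if, after the ISP strips private ASNs, the prefix still appears to
    originate from expected_origin. A path that ends in a private ASN fails,
    which is why the ISP-facing VR must run the public ASN."""
    return origin_as(path) == expected_origin


if __name__ == "__main__":
    CUSTOMER_PUBLIC_ASN = 64496   # constructed: documentation-range ASN standing in for the public ASN
    SDWAN_PRIVATE_ASN = 65000     # constructed: RFC 6996 private ASN for the SD-WAN BGP process
    print(check_sdwan_plugin_asn(CUSTOMER_PUBLIC_ASN))   # rejected, as in the thread
    print(check_sdwan_plugin_asn(SDWAN_PRIVATE_ASN))     # ok
    # Prefix originated from the public ASN: survives remove-private-AS.
    print(advertise_ok([CUSTOMER_PUBLIC_ASN], CUSTOMER_PUBLIC_ASN))               # True
    # Prefix originated from the private SD-WAN ASN: nothing public remains.
    print(advertise_ok([SDWAN_PRIVATE_ASN], CUSTOMER_PUBLIC_ASN))                 # False
    # Public ASN in front of a private one: origin still attributed correctly.
    print(advertise_ok([CUSTOMER_PUBLIC_ASN, SDWAN_PRIVATE_ASN], CUSTOMER_PUBLIC_ASN))  # True
```

The last case is the shape a two-VR design produces: the SD-WAN VR speaks BGP with AS65000, the DIA VR prepends the public ASN before the ISP sees the route, and the private ASN is removed at the ISP edge without losing the origin.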

Cyber Elite

Hello,

Sorry, I misread your initial question. I think you might need the two VRs, one internal and one external. However, I do not use the SD-WAN feature.

Regards,

L0 Member

Hello,


I'm encountering a similar scenario.

In an environment with BGP configured (Public AS), is there any way to use this Public AS in the automation of the SD-WAN plugin within the BGP settings?

 

I have the following topology:

[image: topology diagram]

 

When I try to insert the BGP configurations for automated tunnel creation, I receive a failure notification when inputting this information:

[images: screenshots of the failure notification]

 

According to the documentation, it should be possible to use BGP in this context, but it doesn’t specify if there are any issues related to using a Public vs. Private AS.

 

The versions I am using are:
SD-WAN plugin: 3.2.1
VM-50 device: 11.1.2-h3
Panorama: 11.1.2-h3

Update:
The firewall's direct documentation states that Palo Alto's SD-WAN only supports private BGP. 😞

[image: screenshot of the documentation]

https://docs.paloaltonetworks.com/plugins/sd-wan/2-1/panorama-sd-wan-plugin-help/panorama-sd-wan-plu...

However, in my humble opinion, using multi-VR doesn’t solve the scenario, as it’s not possible to add the same device in the SD-WAN automation while needing to use both VRs.

Cyber Elite

Hello,

That is beyond my expertise. I would suggest reaching out to your sales engineer; they can message other sales engineers and might be able to answer it for you. However, if it's preventing you from doing so, there could be a reason why.

 

Regards,

Hi, I couldn't find a solution yet. Using a second VR might fix this problem, but I'm thinking that in the hub I would need to assign 2 interfaces (loopbacks maybe?) in the upstream NAT section of the plugin, then NAT and forward traffic from the internet directed to the assigned IP address. In my case it would require 2 loopbacks, one for each ISP on the default VR. Such a complication; it would be so much easier to allow public ASNs in the plugin....

Hi, haven't tried yet. But I think we might have something here.

 

https://docs.paloaltonetworks.com/sd-wan/3-0/sd-wan-admin/configure-sd-wan/add-sd-wan-devices-to-pan...

 

Step 6 says:

 

Select the Virtual Router Name to use for routing between the SD-WAN hub and branches. By default, an sdwan-default virtual router is created and enables Panorama to automatically push router configurations.

(PAN-OS 10.2.8 and later 10.2 releases, and SD-WAN Plugin 3.0.7 and later 3.0 releases) When multiple virtual router (Enable Multi-VR Support) is enabled, select DIA virtual router for the Virtual Router Name.
 
So, if I'm right, just by ticking that multi-VR support box, it should generate that sdwan-default VR just for exchanging SD-WAN BGP routes over the links.
 
I won't be able to test it in a few days. If you can check it out, please share your findings.
 
Thanks

- Multi-VR will only work on the HUB;
- And if you want to use both, it's not possible. It only allows using one VR in SD-WAN;
- Loopbacks might be an issue on GlobalProtect with SD-WAN.
