You have the correct idea. If you are new to BGP, it sounds like you need to set up a multihomed ISP edge. 'Kbrazil' put together a really good PDF on the different designs that are possible. Please reference this post:

Your main job in deploying the edge is to correctly route your company's public traffic to and from your ASN:

a) Announce your ASN to the Internet via one or more BGP-peered ISPs. (This is so that external, ingress traffic knows how to reach services that you'll publish on your ASN, that is, your allocated public /24 subnet.)

b) Peer to one or more ISPs and receive BGP tables (routes). (This is so that internal, egress traffic can route to the correct Internet destination via the best AS path.)

So to answer your original post, the BGP edge design you choose will dictate how the interfaces will be configured on the PANs, since there are a bunch of different ways depending on what you're trying to accomplish. The main questions that you need to answer:

a) How many ISPs you want to peer to (via BGP, we assume)

b) Whether you have a single PAN firewall or a pair

c) Active/passive or active/active cluster configuration (if a pair)

d) BGP tables passed to you from each ISP. You will need to collaborate with your ISPs to provide one of the following BGP table options (the same option for all ISPs):

i) Full Internet tables (you'll need to verify your PANs support this, and your BGP speakers (the PANs) cannot flap, unless the ISPs configure hold-down timers (dampening) on your AS announcement to prevent flapping BGP propagation)

ii) Partial tables with a default route (best method)

iii) Default route only

Once you've identified the above questions, post them here and we can define how you'll configure the various public and private networks on the PAN interfaces.

As a summary, your ISPs will each most likely give you a /30 public subnet that you will peer to them via BGP using 'external' interfaces. Then you will place your public AS /24 subnet on your PAN routing table, either with a static route, or locally connected on an interface (or preferably both, using metrics, for stability). Finally, you'll configure BGP to announce your ASN to each peer and implement BGP filter/export lists applied outbound toward each ISP to prevent transient routing between your ISPs (and so will they). You'll also need a metric of some type that will default or load balance internal, egress traffic, for example a filter/import list that applies a higher weight to one of the ISPs' default routes. The rest of your private networks can be configured on 'internal' interfaces, and your publicly published services (www, dns, mail etc.) from those interface(s) (DMZ etc.) can be NAT published to the public AS /24 subnet, which will then require a matching public DNS record to resolve each NAT'd service to the corresponding public IP.
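The two policy pieces the answer above describes (an inbound import list that prefers one ISP's default route, and an outbound export list that announces only your own /24 so you never become transit between the ISPs) can be modelled in a few dozen lines. The following is an added illustration, not code from the original post, from PAN-OS, or from any vendor: it is a toy BGP route selector with loop detection, local-preference import policy, longest-prefix lookup and an originate-only export filter. All ASNs (64512 for the local AS, 64496/64497 for the two ISPs) are private/documentation values and all prefixes and next hops are from documentation ranges; they are constructed for the example.

```python
"""Toy dual-ISP BGP edge: import policy, best-path selection and export policy.

Constructed example. ASNs are private/documentation values and prefixes are
from RFC 5737 / RFC 2544 documentation and benchmarking ranges.
"""
import ipaddress
from dataclasses import dataclass, replace

OUR_ASN = 64512                                       # constructed private ASN
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")   # our public /24 (constructed)
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
EXPORT_PREFIX_LIST = {OUR_PREFIX}                     # the only prefix we ever announce


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple          # AS_PATH as received; as_path[0] is the sending neighbour's ASN
    next_hop: str
    local_pref: int = 100   # BGP default LOCAL_PREF


def import_policy(neighbor_asn, route, preferred_default_asn):
    """Inbound filter for one ISP session. Returns the accepted (possibly
    rewritten) route, or None if the update is rejected."""
    if OUR_ASN in route.as_path:                  # AS-path loop: our own prefix echoed back
        return None
    if route.prefix != DEFAULT and route.prefix.prefixlen > 24:
        return None                               # basic hygiene: drop prefixes longer than /24
    if route.prefix == DEFAULT and neighbor_asn == preferred_default_asn:
        return replace(route, local_pref=200)     # prefer this ISP's default for egress
    return route


def best_path(candidates):
    """Subset of BGP decision process: highest LOCAL_PREF, then shortest AS_PATH."""
    return max(candidates, key=lambda r: (r.local_pref, -len(r.as_path)))


def build_loc_rib(updates, preferred_default_asn):
    """updates: iterable of (neighbor_asn, Route). Returns {prefix: best Route}."""
    adj_rib_in = {}
    for neighbor_asn, route in updates:
        accepted = import_policy(neighbor_asn, route, preferred_default_asn)
        if accepted is not None:
            adj_rib_in.setdefault(accepted.prefix, []).append(accepted)
    # Our own /24 is installed locally (static or connected); empty AS_PATH marks it as originated here.
    adj_rib_in.setdefault(OUR_PREFIX, []).append(Route(OUR_PREFIX, (), "local"))
    return {prefix: best_path(routes) for prefix, routes in adj_rib_in.items()}


def lookup(loc_rib, ip):
    """Longest-prefix match: returns the next hop egress traffic to `ip` will use."""
    addr = ipaddress.ip_address(ip)
    matches = [p for p in loc_rib if addr in p]
    if not matches:
        return None
    return loc_rib[max(matches, key=lambda p: p.prefixlen)].next_hop


def export_policy(loc_rib):
    """Outbound filter toward any ISP: announce only locally originated prefixes
    that are on the export prefix list, with our ASN prepended. Routes learned
    from one ISP are never re-advertised to the other."""
    announced = []
    for route in loc_rib.values():
        if route.as_path == () and route.prefix in EXPORT_PREFIX_LIST:
            announced.append(replace(route, as_path=(OUR_ASN,)))
    return announced


def sample_updates():
    """Constructed updates from two ISPs: partial tables plus a default route each."""
    isp_a, isp_b = 64496, 64497
    partial = ipaddress.ip_network("198.18.0.0/15")
    return [
        (isp_a, Route(DEFAULT, (isp_a,), "192.0.2.1")),            # ISP A default via /30 peering
        (isp_b, Route(DEFAULT, (isp_b,), "198.51.100.1")),         # ISP B default via /30 peering
        (isp_a, Route(partial, (isp_a, 64500), "192.0.2.1")),      # longer AS path via A
        (isp_b, Route(partial, (isp_b,), "198.51.100.1")),         # shorter AS path via B
        (isp_b, Route(OUR_PREFIX, (isp_b, OUR_ASN), "198.51.100.1")),  # our /24 looped back: rejected
    ]


if __name__ == "__main__":
    rib = build_loc_rib(sample_updates(), preferred_default_asn=64496)
    for prefix, route in rib.items():
        print(f"{prefix!s:18} via {route.next_hop:13} lp={route.local_pref} path={route.as_path}")
    print("exported:", [(str(r.prefix), r.as_path) for r in export_policy(rib)])
```

With ISP A set as the preferred default, traffic for a destination only reachable through the default leaves via A, while a destination covered by a partial-table prefix follows the shortest AS path regardless of that preference; the export list hands each ISP exactly one route, the local /24, whatever either ISP sent us.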