05-07-2024 02:24 AM
If I have Site A and Site B:
Site A has a Border switch that is sending prefixes over an eBGP peering, and multiple eBGP peerings for separate VRFs, to the Cisco Routers, and that Cisco Router is connected via dark fiber with the Site B FW (let's say Palo Alto).
What would be the approach to send all Site A prefixes to the Site B FW over BGP with IPsec, while making sure that the FW will receive the VRF prefixes as well? Do we need to create a separate tunnel for each VRF, or can we use one tunnel and send all VRF prefixes to the FW by leaking them into the global routing table of the Cisco router at Site A?
05-07-2024 02:57 AM
Hello!
I would configure MP-BGP, which will enable you to forward multiple VRFs. Take a look at this.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/bgp/mp-bgp
BR
05-07-2024 02:59 AM
You would need one tunnel per VRF; leaking everything into the global routing table for this is not a good solution. An alternative would be to do something like MPLS over GRE, but this is not likely to be supported on your firewall: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l3_vpns/configuration/xe-17/mp-l3-vpns-xe-17-book/mpls-vpn-l3vpn-over-gre.html#concept_61CDDF029C684AD29F6F059568B1EA54
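The one-tunnel-per-VRF approach from the reply above, as an added IOS-XE configuration sketch for the Site A router that is not part of this thread. It assumes VRF-A/VRF-B and Loopback1/Loopback2 already exist and are reachable from the firewall; the firewall WAN address 198.51.100.2, the ASNs 65001/65002, the overlay addressing and the key are placeholders, and the firewall side needs a matching IKEv2 gateway, tunnel interface and BGP peer for each VRF.

```cisco
! Added example, not from the thread. Site A router only; all names,
! addresses, ASNs and the key are placeholders.
! IKEv2/IPsec settings shared by every tunnel to the Site B firewall.
crypto ikev2 proposal IKEV2-PROP
 encryption aes-gcm-256
 prf sha512
 group 19
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
crypto ikev2 keyring KR-SITE-B
 peer SITE-B-FW
  address 198.51.100.2
  pre-shared-key REPLACE-WITH-STRONG-PSK
crypto ikev2 profile IKEV2-PROF
 match identity remote address 198.51.100.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-SITE-B
crypto ipsec transform-set TS-GCM esp-gcm 256
crypto ipsec profile IPSEC-PROF
 set transform-set TS-GCM
 set ikev2-profile IKEV2-PROF
! One sVTI per VRF: the tunnel interface lives in the VRF, while the outer
! IKE/ESP packets stay in the global table (no "tunnel vrf" configured).
! Two VTIs to the same peer need distinct source addresses, so each tunnel
! is sourced from its own loopback.
interface Tunnel1
 vrf forwarding VRF-A
 ip address 10.255.1.1 255.255.255.252
 tunnel source Loopback1
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile IPSEC-PROF
interface Tunnel2
 vrf forwarding VRF-B
 ip address 10.255.2.1 255.255.255.252
 tunnel source Loopback2
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile IPSEC-PROF
! A separate eBGP session inside each VRF over its own tunnel, so the
! firewall receives each VRF's prefixes (and returns its default route)
! without anything being leaked into the global RIB.
router bgp 65001
 address-family ipv4 vrf VRF-A
  neighbor 10.255.1.2 remote-as 65002
  neighbor 10.255.1.2 activate
 exit-address-family
 address-family ipv4 vrf VRF-B
  neighbor 10.255.2.2 remote-as 65002
  neighbor 10.255.2.2 activate
 exit-address-family
```

Verify with `show crypto ikev2 sa`, `show crypto ipsec sa` and `show bgp vpnv4 unicast vrf VRF-A summary` that each VRF has its own SA pair and BGP session rather than a shared one.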
05-07-2024 05:12 AM
Does it need to be the global routing table on the Cisco? How about a FW-VRF on the Cisco that imports all exportable routes and does dynamic routing to the PA?
05-10-2024 12:19 AM
I need to create IPsec tunnels, so I need to understand the approach: whether I need to create separate tunnels for each VRF BGP peering, or whether I can use some kind of universal tunnel between the sites and exchange the VRF prefixes over it.
In my scenario I will receive only a default route from the Site B firewall.
05-07-2024 06:47 AM - edited 05-07-2024 02:08 PM
VPNv4 is the solution if you have multiple VRFs.
Note: the VPNv4 config is in global, not in any VRF.
MHM
05-10-2024 12:18 AM
Does it mean I need to create an IPsec tunnel for each VRF BGP peering between Site A and Site B?
05-13-2024 11:21 PM
Sorry, I was busy.
Can you confirm whether this issue is solved or not?
I want to run a lab for you, but if it is already solved there is no need to do that.
MHM
05-13-2024 11:48 PM
No, not through one tunnel. I assume I will need to do it with multiple tunnels, one for each VRF, between Site A and Site B.
05-13-2024 11:54 PM
I ran a lab and I succeeded in advertising the prefixes between VRFs, but I faced an issue with the label.
My failed lab was:
tunnel in global, and run MPLS in the tunnel
VPNv4 run between the tunnel IPs in global, and do VRF target import/export
Just want to solve the MPLS label.
MHM
05-10-2024 02:18 AM
Hello,
can you post a topology diagram?
05-19-2024 11:31 PM
So basically, between the Borders there is iBGP, between the Borders and the Fusion routers eBGP, between the Fusion routers iBGP, and between the Fusion routers and the Palo Alto eBGP. I have an IPsec tunnel, and BGP over it, between the Fusion routers and the Palo in the global RIB. There are also VRFs stretched from the Borders to the Fusion routers and from the Fusion routers to the Palo; on the Palo side it is one virtual router (i.e. one VRF), and it is getting prefixes per global table and per VRF. So I wonder whether I can export the VRF prefixes on the Fusion router to the global table and from there export them to the Palo Alto through my BGP IPsec peering. Is that the best approach, or do I need to create separate VRF IPsec BGP peerings from the Fusion routers to the Palo for each VRF and send the prefixes separately?