10-17-2017 01:09 PM - edited 03-08-2019 12:24 PM
Hi All,
We are planning to put a Palo Alto firewall in the datacenter between the edge router (ASR) and two Nexus 9Ks. The existing BGP route reflector is a 2911. I was wondering: do I need to configure the firewall as the RR, or can I use the existing RR (the 2911)?
Thanks in advance!
Eric
10-17-2017 02:02 PM - edited 10-17-2017 02:15 PM
Hi,
You could keep the 2911 as RR, but if the ASR will use BGP as well you need to allow TCP port 179 on the firewall in order to allow the BGP communication between the routers. Do you have just one router as RR? It could be a point of failure; you could configure the 2911 together with the next router (on the right) to be RR as well, with a different cluster-id.
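To make the two points in the reply above concrete (keep the 2911 as RR, add a second RR with a different cluster-id, and let TCP/179 through the firewall), here is an added IOS-style configuration sketch. It is not from the thread or from Cisco documentation; the AS number 200 comes from the thread, while the loopback addresses, cluster-ids, peer-group name and the choice of the second N9K as the second RR are assumptions made for the example.

```cisco
! Assumed addressing (not from the thread):
!   10.0.0.1  ASR Loopback0        10.0.0.11 N9K-1 Loopback0
!   10.0.0.12 N9K-2 Loopback0      10.0.0.2  2911 (RR1) Loopback0
!   10.0.0.3  second RR (RR2) Loopback0
!
! ---- RR1: the existing 2911, AS 200 ----
router bgp 200
 bgp router-id 10.0.0.2
 ! distinct cluster-id per reflector, as suggested above
 bgp cluster-id 10.0.0.2
 neighbor RR-CLIENTS peer-group
 neighbor RR-CLIENTS remote-as 200
 neighbor RR-CLIENTS update-source Loopback0
 neighbor RR-CLIENTS route-reflector-client
 ! the ASR and both N9Ks are clients
 neighbor 10.0.0.1 peer-group RR-CLIENTS
 neighbor 10.0.0.11 peer-group RR-CLIENTS
 neighbor 10.0.0.12 peer-group RR-CLIENTS
 ! RR2 is an ordinary (non-client) iBGP peer so each RR
 ! reflects the clients' routes to the other
 neighbor 10.0.0.3 remote-as 200
 neighbor 10.0.0.3 update-source Loopback0

! ---- RR2: the second reflector, same AS, different cluster-id ----
router bgp 200
 bgp router-id 10.0.0.3
 bgp cluster-id 10.0.0.3
 neighbor RR-CLIENTS peer-group
 neighbor RR-CLIENTS remote-as 200
 neighbor RR-CLIENTS update-source Loopback0
 neighbor RR-CLIENTS route-reflector-client
 neighbor 10.0.0.1 peer-group RR-CLIENTS
 neighbor 10.0.0.11 peer-group RR-CLIENTS
 neighbor 10.0.0.12 peer-group RR-CLIENTS
 neighbor 10.0.0.2 remote-as 200
 neighbor 10.0.0.2 update-source Loopback0

! ---- Each client (ASR, N9K-1, N9K-2) peers with BOTH reflectors ----
! (shown for the ASR; N9Ks use NX-OS syntax but the same idea)
router bgp 200
 bgp router-id 10.0.0.1
 neighbor 10.0.0.2 remote-as 200
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.0.3 remote-as 200
 neighbor 10.0.0.3 update-source Loopback0
```

Two checks before trusting this: first, every loopback-to-loopback iBGP session that crosses the firewall needs a security policy permitting TCP/179 in the direction the session is opened (on PAN-OS the application is identified as "bgp"; on an IOS ACL, `permit tcp host <src-loopback> host <dst-loopback> eq 179` plus the reverse), and if the firewall itself is to speak BGP it also needs a policy allowing BGP to and from its own interface addresses. Second, verify with `show ip bgp summary` on each RR that all three clients and the other RR are in state Established, and with `show ip bgp <prefix>` on a client that a route originated by one client arrives with the reflector's cluster-id in the cluster list rather than being dropped.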
10-18-2017 07:17 AM
Hi Julio,
Thanks for the quick reply.
I have the following questions:
1. Where is the best position to put the RR? Must it be the second node in iBGP, i.e. eBGP <-> eBGP/iBGP <-> iBGP/RR <-> clients? If so, in our network the ASR is the first node, so the N9K must be the RR? Is that correct?
2. Right now the FW is connected to the two N9Ks. The ASR is connected to the two N9Ks as well. We are planning to let all traffic pass through the FW for security reasons. Can I keep the current design and still meet this requirement?
We have two datacenters in AS 200. Another 2911 is the RR in the second datacenter.
Thanks,
Eric
10-18-2017 09:42 AM
10-18-2017 09:50 AM
Hi
I'm not really sure if the FW can act as RR, and it could overload the device. If it is a perimeter FW, it could be installed between the ASR and the routers over AS100.
10-18-2017 12:59 PM
10-25-2017 08:39 AM
Hi All,
Does anyone know how to get all traffic to pass through the FW based on the above diagram?
Thanks in advance!
Eric