paloaltonetworks:configuration:dynamic_routing_example

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
Revision 2022/11/23 12:49 (current, external edit from 127.0.0.1); previous revision 2020/07/14 22:57 by bstafford.
====== Dynamic Routing Example ======
This page describes how to configure dynamic routing between an end user and two data centres. The scenario involves going through a pair of external firewalls and then a pair of internal firewalls at each location. In practice, I would suggest that merging the external firewalls into the internal firewalls and then making the two firewalls in each data centre an active/passive HA pair would drastically simplify what can be seen as an over-complicated design. Still, it is a good learning opportunity for dynamic routing.

In this scenario we have no visibility of, or control over, the MPLS routers, and we rely on the MPLS provider to configure them so that they import and export routes with the right metrics, priorities, AS paths, AS path prepending and so on. Anything this design relies on the provider doing (prepending, honouring communities) should be verified from your own side with ''show routing protocol bgp peer'' and ''show routing route type bgp'' rather than assumed.
  
===== Scenario Overview =====
===== External Firewalls - BGP =====
We establish an eBGP relationship from both the primary and the secondary external firewall to both the primary and the secondary MPLS router. The two MPLS routers in a data centre share an AS number, which is different from the AS number shared by the two external firewalls in that data centre. The MPLS routers in DC1 use a different AS from the MPLS routers in DC2, and the external firewalls in DC1 use a different AS from the external firewalls in DC2.
==== Peering ====
Each external firewall peers with both of the MPLS routers, with the following settings in the Peer Group (one peer per peer group, i.e. each external firewall has two peer groups with one peer in each):
  * Aggregated Confed AS Path ''enabled''
  * Soft Reset With Stored Info ''disabled''
  * Type ''EBGP''
  * Import Next Hop ''Use Peer''
  * Export Next Hop ''Use Self''
  * Remove Private AS ''enabled''
==== BGP Import Rules ====
Each external firewall needs two import rules, one for each MPLS router. It may be possible to merge them into a single import rule that is used by both peer groups. I specified an import filter of ''0.0.0.0/0'' with the exact-match option not enabled, so that it matches every prefix and we import everything from the MPLS routers. Note that this requires us to put a lot of trust in the administrators of the MPLS routers. You may want to add filtering to prevent the MPLS administrators from advertising any old route into the data centre networks: at a minimum, reject your own data centre prefixes (''10.10.0.0/16'' and ''10.20.0.0/16'') coming back from the provider, and reject prefixes more specific than you expect, since a more specific route wins regardless of AS path.
  
We rely on the MPLS router adding AS path prepending from the secondary router in each data centre. More specifically, both MPLS routers in DC1 and both MPLS routers in DC2 advertise 10.30.0.0/16 to the external firewalls. However, in both data centres the route from the primary MPLS router to the primary external firewall is advertised with the AS path prepended once, from the primary MPLS router to the secondary external firewall it is prepended twice, from the secondary MPLS router to the primary external firewall it is prepended three times, and from the secondary MPLS router to the secondary external firewall it is prepended four times. Each external firewall therefore prefers its primary MPLS router and only falls back to the secondary MPLS router when the primary peering is lost. The intent is that the internal firewalls always prefer the primary external firewall unless it loses access to both MPLS routers (or goes offline). Bear in mind that the prepends only influence the BGP best-path choice on the external firewalls themselves; the internal firewalls never see the AS path, so the preference between the two external firewalls has to be expressed in what they redistribute into OSPF (see the OSPF section below). Do the same for the external firewalls in DC2.
  
This also means that the internal network in DC1 will route to the internal firewalls in DC1 for 10.30.0.0/16 unless the route through DC1 is broken. Then it will route over to the internal network in DC2 and reach 10.30.0.0/16 through the DC2 firewalls.

Likewise, the internal network in DC2 will route to the internal firewalls in DC2 for 10.30.0.0/16 unless the route through DC2 is broken. Then it will route over to the internal network in DC1 and reach 10.30.0.0/16 through the DC1 firewalls.

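As an added example, not part of the original page, the following Python models the import side of this design: an import filter that is stricter than accepting ''0.0.0.0/0'', and the best-path choice each external firewall makes across the four prepended advertisements, including what happens when the primary MPLS peer goes down. The AS numbers, peer names and the allowed prefix list are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

MPLS_AS = 65100       # assumed AS shared by the two MPLS routers in this DC
END_USER_AS = 65200   # assumed AS of the end-user site behind the MPLS cloud


@dataclass(frozen=True)
class Advert:
    prefix: str      # advertised network, e.g. "10.30.0.0/16"
    peer: str        # which MPLS router sent it
    as_path: tuple   # AS path as received; as_path[0] is the neighbour's AS


def prepend(path, times):
    """What the MPLS router does before advertising to us: repeat its own
    AS (the first hop) `times` extra times so the path looks longer."""
    return (path[0],) * times + tuple(path)


BASE_PATH = (MPLS_AS, END_USER_AS)

# What each external firewall hears for the end-user prefix, per the page:
# primary MPLS -> primary firewall prepended once, primary MPLS -> secondary
# firewall twice, secondary MPLS -> primary firewall three times, and
# secondary MPLS -> secondary firewall four times (constructed sample input).
RECEIVED = {
    "ext-primary": [
        Advert("10.30.0.0/16", "mpls-primary", prepend(BASE_PATH, 1)),
        Advert("10.30.0.0/16", "mpls-secondary", prepend(BASE_PATH, 3)),
    ],
    "ext-secondary": [
        Advert("10.30.0.0/16", "mpls-primary", prepend(BASE_PATH, 2)),
        Advert("10.30.0.0/16", "mpls-secondary", prepend(BASE_PATH, 4)),
    ],
}

# A stricter import filter than the page's 0.0.0.0/0 "accept everything":
# only prefixes inside what the provider is expected to carry, nothing more
# specific than /24, and never anything covering our own DC prefixes.
ALLOWED = [ipaddress.ip_network("10.30.0.0/16")]   # assumed provider range
OWN = [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("10.20.0.0/16")]
MAX_PREFIXLEN = 24


def import_ok(prefix):
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > MAX_PREFIXLEN:
        return False                     # too specific: would hijack hosts
    if any(net.subnet_of(own) or own.subnet_of(net) for own in OWN):
        return False                     # our own space, or a route that covers it
    return any(net.subnet_of(allowed) for allowed in ALLOWED)


def best_path(adverts, down_peers=()):
    """BGP best-path reduced to the attribute this design uses: the shortest
    AS path wins. Adverts from peers in `down_peers` count as withdrawn, and
    anything failing the import filter never reaches selection."""
    live = [a for a in adverts
            if a.peer not in down_peers and import_ok(a.prefix)]
    if not live:
        return None
    return min(live, key=lambda a: (len(a.as_path), a.peer))


def chosen_peer(firewall, down_peers=()):
    """Name of the MPLS router a given external firewall routes via."""
    best = best_path(RECEIVED[firewall], down_peers)
    return best.peer if best else None


if __name__ == "__main__":
    for fw in RECEIVED:
        print(fw, "normal:", chosen_peer(fw),
              "| primary MPLS down:", chosen_peer(fw, ("mpls-primary",)),
              "| both down:", chosen_peer(fw, ("mpls-primary", "mpls-secondary")))
    for p in ("10.30.0.0/16", "10.30.5.0/24", "10.30.5.1/32", "10.10.0.0/16", "0.0.0.0/0"):
        print(p, "accepted" if import_ok(p) else "rejected")
```

The filter rejects a default route from the provider as well, because ''0.0.0.0/0'' covers the data centre's own prefixes; whether you want that depends on whether the MPLS cloud is your only path out, so treat the allow list as a starting point rather than a recommendation.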
==== BGP Export Rules ====
Now we have to configure eBGP export rules for the external firewalls in DC1 to the MPLS routers in DC1.
  - We have an export rule for the primary external firewall to the primary MPLS router that exports 10.10.0.0/16 exactly (match criteria). Under the action tab, we set the community type to "Append" and the Append field to "<dc1_external_fw_as>:1".
  - We have (the same) export rule for the primary external firewall to the secondary MPLS router that exports 10.10.0.0/16 exactly (match criteria). Under the action tab, we set the community type to "Append" and the Append field to "<dc1_external_fw_as>:1".
  - We have an export rule for the primary external firewall to the primary MPLS router that exports 10.20.0.0/16 exactly (match criteria). Under the action tab, we set the community type to "Append" and the Append field to "<dc1_external_fw_as>:2".
  - We have (the same) export rule for the primary external firewall to the secondary MPLS router that exports 10.20.0.0/16 exactly (match criteria). Under the action tab, we set the community type to "Append" and the Append field to "<dc1_external_fw_as>:2".
  * We could probably merge rules 1 and 2 together and merge rules 3 and 4 together.
  * Notice how the firewalls in DC1 are exporting the routes of DC2 but with ":2" in the Append field. This means that the end user will prefer the DC2 firewalls when accessing DC2 unless BGP reachability to the DC2 external firewalls is lost. We rely on the MPLS routers using the :1 or :2 community to control how they relay routing preferences to the end user. Specifically, if the MPLS routers redistribute these eBGP routes into OSPF, the :1 routes should be preferred. A BGP community is not carried into OSPF and does nothing on its own, so the provider has to translate it into a local preference (or an OSPF metric when redistributing); agree that mapping with them explicitly.
  * We do the same in DC2 except that they export 10.20.0.0/16 with a :1 and 10.10.0.0/16 with a :2.
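Added example, not from the original page: the export rules above expressed as data, plus the provider-side mapping from community to preference that this design depends on, so you can see which DC the end user is routed towards for each prefix and what happens when one DC's eBGP sessions disappear. The AS numbers and the preference values (:1 gets 200, :2 gets 100) are assumptions; the actual mechanism the provider uses is theirs to choose.

```python
DC1_AS = 65001   # assumed AS of the DC1 external firewalls
DC2_AS = 65002   # assumed AS of the DC2 external firewalls

# Exporting DC -> (prefix, community appended by that DC's export rules),
# exactly as the four rules above plus their DC2 mirror image.
EXPORT_RULES = {
    "DC1": [("10.10.0.0/16", f"{DC1_AS}:1"), ("10.20.0.0/16", f"{DC1_AS}:2")],
    "DC2": [("10.20.0.0/16", f"{DC2_AS}:1"), ("10.10.0.0/16", f"{DC2_AS}:2")],
}

# Provider-side policy (assumed values): the ':1' tag marks the DC that
# owns the prefix and gets the higher preference.
COMMUNITY_PREF = {1: 200, 2: 100}


def community_pref(community):
    """Map 'AS:n' to a local preference; unknown tags get the lowest value."""
    tag = int(community.split(":", 1)[1])
    return COMMUNITY_PREF.get(tag, 0)


def provider_best(prefix, withdrawn=()):
    """Which DC the provider (and therefore the end user) sends `prefix`
    towards. Highest preference wins; a DC listed in `withdrawn` has lost
    its eBGP sessions and contributes no routes."""
    candidates = [(community_pref(comm), dc)
                  for dc, rules in EXPORT_RULES.items() if dc not in withdrawn
                  for p, comm in rules if p == prefix]
    if not candidates:
        return None
    return max(candidates)[1]


def policy_problems():
    """Sanity check on the rule set: every exported prefix must be tagged
    ':1' by exactly one DC, otherwise the provider has no clear owner.
    Returns {prefix: [owning DCs]} for the offenders; {} means consistent."""
    owners = {}
    for dc, rules in EXPORT_RULES.items():
        for p, comm in rules:
            if comm.endswith(":1"):
                owners.setdefault(p, []).append(dc)
    exported = {p for rules in EXPORT_RULES.values() for p, _ in rules}
    return {p: owners.get(p, []) for p in exported if len(owners.get(p, [])) != 1}


if __name__ == "__main__":
    print("policy problems:", policy_problems())
    for prefix in ("10.10.0.0/16", "10.20.0.0/16"):
        print(prefix, "->", provider_best(prefix),
              "| DC1 down:", provider_best(prefix, ("DC1",)),
              "| DC2 down:", provider_best(prefix, ("DC2",)))
```

Running ''policy_problems()'' against a copy of the rule set is a cheap way to catch the classic mistake of tagging a prefix :1 from both data centres after a copy-and-paste between DC1 and DC2.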

==== BGP Redistribution Rules ====
We also have to create a redistribution profile on each external firewall to allow OSPF routes to be redistributed into BGP. Just create the redistribution profile and tick OSPF as the source type. Priority doesn't really matter here, as that is for another scenario. Ensure you select the "Redist" radio button. Under the BGP configuration, add the profile to the list of redistribution rules and enable it. Set Origin can be ''incomplete'' and nothing else needs to be specified.
  
===== External Firewalls - OSPF =====
For the external firewalls, we now configure OSPF.

The DC1 external firewalls need to be configured in area 0.0.0.1 and the DC2 external firewalls in area 0.0.0.2. This is because the internal firewalls summarise routes from the core network when announcing them to the external firewalls, and OSPF summarisation can only happen at an area border. If it were not for the route summaries, we could put both sets of external firewalls into area 0.0.0.0 and let the MPLS routers summarise routes. While this example doesn't really cover it, imagine that the core switches are exchanging a load of smaller subnets that can be summarised by 10.10.0.0/16 and 10.20.0.0/16.
  
You will need to create a redistribution profile for BGP routes and one for connected routes, like we did for OSPF earlier. We then create two export rules on each external firewall: one for BGP and one for Connected (Connected is needed if the internal firewalls and DC networks need to know about the network links between the MPLS routers and the external firewalls; that may not be the case, but you never know, e.g. for ping/traceroute from the DC to an MPLS router). Set the path type to ext-2 and the metric to 41 (in this example I picked 41 out of thin air; make your own up). In this design the same metric is used on both the primary and the secondary firewall. What is important here is the area configuration.

Under area 0.0.0.1, set the interface to be the external firewall's "internal" interface. In OSPF, set the interface metric to 10 on both the external primary and the external secondary, the priority to 1 on the primary external firewall and to 2 on the secondary. This priority is not what makes the internal firewalls prefer the external primary: OSPF router priority only decides DR/BDR election on the segment and has no effect on route selection. With identical ext-2 metrics and identical interface costs, the internal firewalls see two equal-cost routes for 10.30.0.0/16, and which one is installed comes down to whether ECMP is enabled and to tie-breaking, not to the priority value. If the internal firewalls must strictly prefer the primary external firewall and use the secondary only as a failover, give the secondary external firewall a higher ext-2 metric in its export rules (or a higher interface cost); failover still happens automatically when the primary's route disappears. Verify the result on an internal firewall with ''show routing protocol ospf neighbor'' and ''show routing route type ospf''.
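Added example, not from the original page: how an internal firewall compares the two ext-2 routes it receives for 10.30.0.0/16, following the type-2 external comparison in RFC 2328 section 16.4 (lowest type-2 metric first, then lowest cost to the advertising ASBR). The interface priority is carried along only to make the point that it never enters the comparison. The cost values other than the page's 41 and 10 are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class E2Route:
    prefix: str
    asbr: str          # which external firewall redistributed it
    e2_metric: int     # metric from the OSPF export rule (41 on this page)
    cost_to_asbr: int  # OSPF cost from the internal firewall to that ASBR
    priority: int      # the ASBR's interface priority; deliberately unused


def select_e2(routes):
    """RFC 2328 section 16.4 for type-2 externals: lowest type-2 metric,
    then lowest cost to the ASBR. Returns every route that ties for best,
    so a list longer than one means equal-cost candidates."""
    if not routes:
        return []
    key = lambda r: (r.e2_metric, r.cost_to_asbr)
    best = min(key(r) for r in routes)
    return [r for r in routes if key(r) == best]


def winner(routes, down=()):
    """Name of the preferred ASBR once routes from ASBRs in `down` are gone,
    'tie' when OSPF cannot separate the candidates, None when nothing is left."""
    best = select_e2([r for r in routes if r.asbr not in down])
    if not best:
        return None
    return best[0].asbr if len(best) == 1 else "tie"


# Constructed sample input. As configured on this page: both external
# firewalls export with ext-2 metric 41 and sit behind an interface cost of 10;
# only the priority differs.
AS_ON_PAGE = [
    E2Route("10.30.0.0/16", "ext-primary", 41, 10, priority=1),
    E2Route("10.30.0.0/16", "ext-secondary", 41, 10, priority=2),
]

# Strict primary/secondary preference: the secondary carries a worse ext-2
# metric (51 is an assumed value), priorities unchanged.
STRICT = [
    E2Route("10.30.0.0/16", "ext-primary", 41, 10, priority=1),
    E2Route("10.30.0.0/16", "ext-secondary", 51, 10, priority=2),
]

if __name__ == "__main__":
    for name, routes in (("as on page", AS_ON_PAGE), ("strict", STRICT)):
        print(name, "->", winner(routes),
              "| primary down:", winner(routes, ("ext-primary",)),
              "| both down:", winner(routes, ("ext-primary", "ext-secondary")))
```

The two route sets differ only in the secondary's ext-2 metric, yet the first yields a tie and the second a clean primary/secondary ordering with the same failover behaviour; changing the priority values has no effect on either result.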
  
  