paloaltonetworks:configuration:dynamic_routing_example

Differences

This shows you the differences between two versions of the page.

Previous revision: paloaltonetworks:configuration:dynamic_routing_example [2020/07/14 23:34] bstafford
Current revision: paloaltonetworks:configuration:dynamic_routing_example [2022/11/23 12:49] (current) – external edit 127.0.0.1
Line 47: Line 47:
  
 ==== BGP Export Rules ==== ==== BGP Export Rules ====
-Now we have to configure eBGP export rules for the external firewalls in DC1. +Now we have to configure eBGP export rules for the external firewalls in DC1 to the MPLS routers in DC1. 
-We have an export rule for the primary external firewall to the primary MPLS router that exports 10.10.0.0/16 exactly (match criteria). Under the action tab, we set the community type to "Append" and Append field to "<dc1_external_fw_as>:1"+  We have an export rule for the primary external firewall to the primary MPLS router that exports 10.10.0.0/16 exactly (match criteria). Under the action tab, we set the community type to "Append" and Append field to "<dc1_external_fw_as>:1"
-We have (the same) export rule for the primary external firewall to the secondary MPLS router that exports 10.10.0.0/16 exactly (match criteria). Under the action tab, we set the community type to "Append" and Append field to "<dc1_external_fw_as>:1"+  We have (the same) export rule for the primary external firewall to the secondary MPLS router that exports 10.10.0.0/16 exactly (match criteria). Under the action tab, we set the community type to "Append" and Append field to "<dc1_external_fw_as>:1"
-We have an export rule for the primary external firewall to the primary MPLS router that exports 10.20.0.0/16 exactly (match criteria). Under the action tab, we set the community type to "Append" and Append field to "<dc1_external_fw_as>:2"+  We have an export rule for the primary external firewall to the primary MPLS router that exports 10.20.0.0/16 exactly (match criteria). Under the action tab, we set the community type to "Append" and Append field to "<dc1_external_fw_as>:2"
-We have (the same) export rule for the primary external firewall to the secondary MPLS router that exports 10.20.0.0/16 exactly (match criteria). Under the action tab, we set the community type to "Append" and Append field to "<dc1_external_fw_as>:2"+  We have (the same) export rule for the primary external firewall to the secondary MPLS router that exports 10.20.0.0/16 exactly (match criteria). Under the action tab, we set the community type to "Append" and Append field to "<dc1_external_fw_as>:2"
--> Notice how the firewalls in DC1 are exporting the routes of DC2 but with ":2" on the append field. This means that the end user will prefer the DC2 firewalls when accessing DC2 unless access through BGP to the external firewalls is lost. We rely on the BGP routers using the :1 or :2 append fields to control how it then relays routing preferences to the end user. +  * We could probably merge rules 1 and 2 together and merge rules 3 and 4 together. 
--> We do the same in DC2 except that they export 10.20.0.0/16 with a :1 and 10.10.0.0/16 with a :2.+  * Notice how the firewalls in DC1 are exporting the routes of DC2 but with ":2" on the append field. This means that the end user will prefer the DC2 firewalls when accessing DC2 unless access through BGP to the external firewalls is lost. We rely on the MPLS routers using the :1 or :2 append fields to control how it then relays routing preferences to the end user. Specifically, if the MPLS routers redistribute these eBGP routes into OSPF, OSPF should prefer the :1 routes
 +  We do the same in DC2 except that they export 10.20.0.0/16 with a :1 and 10.10.0.0/16 with a :2.
  
 ==== BGP Redistribution Rules ==== ==== BGP Redistribution Rules ====
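Review bot: the added lines under ==== BGP Export Rules ==== mix two list styles: the four "We have ... export rule" items and the "We do the same in DC2" item start with two spaces and no `*`, while "We could probably merge rules 1 and 2" and "Notice how the firewalls in DC1" start with `  * `; in DokuWiki a line indented by two spaces without a bullet marker renders as a preformatted block rather than a list item, so all six should use `  * `. The new closing sentence "Specifically, if the MPLS routers redistribute these eBGP routes into OSPF, OSPF should prefer the :1 routes" has no full stop and leaves the mechanism implicit: a BGP community is not carried into OSPF, so the preference only holds if the MPLS routers' redistribution policy matches on `<dc1_external_fw_as>:1` versus `:2` and assigns the `:1` routes a lower OSPF metric, and that dependency is worth stating. The "merge rules 1 and 2 together" remark holds only if the merged export rule is applied to both the primary and the secondary MPLS router peers, since the visible pairs of rules differ only in their peer.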
Line 59: Line 60:
  
 ===== External Firewalls - OSPF ===== ===== External Firewalls - OSPF =====
-For the external firewalls, we now configure OSPF. The DC1 external firewalls need to be configured as area 0.0.0.1, DC2 firewalls need to be configured as area 0.0.0.2. This is because the internal firewalls summarise routes and that can only happen between different areas. If it were not for the route summaries, we could put both sets of external firewalls into area 0.0.0.0 and then let the MPLS routers summarise routes. While this example doesn't really cover it, imagine that the core switches are exchanging a load of smaller subnets that can be summarised by 10.10.0.0/16 and 10.20.0.0/16.+For the external firewalls, we now configure OSPF.
  
-You will need to create a redistribution profile for BGP routes and one for static routes like we did for OSPF. We then create two export rules on each external firewall: one for BGP and one for Connected (connected is needed if the internal firewalls and dc networks need to know about the network links between the MPLS routers and the external firewalls - may not be the case but you never know - e.g. for ping/traceroute from dc to MPLS router). Set the path type as ext-2 and the metric to 41 (in this example, I picked 41 out of thin air, make your own up). It is important that the metric used is the same on both the primary and the secondary firewalls. What is important here is the area configuration. Under area 0.0.0.1, set the interace to be the external firewall's "internal" interface. In OSPF, set the interface metric to 10 and the priority to 1. This last bit is very important. For the primary external firewall, the priority should be 1. The secondary firewall should have the priority set to 2. It is this priority that will tell the internal firewalls to prefer the external primary and use the external secondary as a failover option. The metric (10) should be the same on both the external primary and the external secondary.+The DC1 external firewalls need to be configured as area 0.0.0.1. The DC2 firewalls need to be configured as area 0.0.0.2. This is because the internal firewalls summarise routes from the core network when announcing them to the external firewalls and that can only happen between different areas. If it were not for the route summaries, we could put both sets of external firewalls into area 0.0.0.0 and then let the MPLS routers summarise routes. While this example doesn't really cover it, imagine that the core switches are exchanging a load of smaller subnets that can be summarised by 10.10.0.0/16 and 10.20.0.0/16. 
 + 
 +You will need to create a redistribution profile for BGP routes and one for static routes like we did for OSPF earlier. We then create two export rules on each external firewall: one for BGP and one for Connected (connected is needed if the internal firewalls and dc networks need to know about the network links between the MPLS routers and the external firewalls - may not be the case but you never know - e.g. for ping/traceroute from dc to MPLS router). Set the path type as ext-2 and the metric to 41 (in this example, I picked 41 out of thin air, make your own up). It is important that the metric used is the same on both the primary and the secondary firewalls. What is important here is the area configuration. Under area 0.0.0.1, set the interace to be the external firewall's "internal" interface. In OSPF, set the interface metric to 10 and the priority to 1. This last bit is very important. For the primary external firewall, the priority should be 1. The secondary firewall should have the priority set to 2. It is this priority that will tell the internal firewalls to prefer the external primary and use the external secondary as a failover option. The metric (10) should be the same on both the external primary and the external secondary.
  
  
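Review bot: the typo "interace" in "set the interace to be the external firewall's "internal" interface" is carried over unchanged into the new revision and should read "interface". Splitting off "For the external firewalls, we now configure OSPF." and the area paragraph is an improvement, but the remaining paragraph still runs redistribution profiles, export rules, path type and metric, and interface priority together, and the sentence "What is important here is the area configuration." now sits after the metric advice rather than introducing the area-specific steps; breaking the paragraph there would match the new structure. One caveat a reader should verify: OSPF interface priority governs DR/BDR election on the segment, with the higher value winning, not which neighbour's routes are preferred, so "priority 1" on the primary and "priority 2" on the secondary will not on its own make the internal firewalls prefer the external primary; with the interface metric fixed at 10 on both and the ext-2 metric at 41 on both, the text should say where the primary/secondary preference actually comes from.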
paloaltonetworks/configuration/dynamic_routing_example.1594769697.txt.gz · Last modified: (external edit)