BGP over IPsec between Cisco and Palo Alto (Multiple VRF's)

Kamran Mustafayev · ‎05-07-2024

If I have Site A and Site B:

Site A has Border switch that sending prefixes over eBGP peering and multiple eBGP peerings for separate VRFs to the Cisco Routers and that Cisco Router connected via dark fiber with Site B FW (lets say palo alto)

What will be the approach to send all site A prefixes to Site B FW over the BGP with IPsec and making sure that FW will receive VRF prefixes as well, do we need to create a separate Tunnel for each VRF or we can use one Tunnel and send all VRF prefixes to FW by leaking them into the global routing table of Cisco route at site A ?

DanielP211 · ‎05-07-2024

Hello!

I would configure MP-BGP which will enable you to forward multiple VRFs. Take a look into this.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/bgp/mp-bgp

BR

****Kindly rate all useful posts*****

Torbjørn · ‎05-07-2024

You would need one tunnel per VRF, leaking everything into global routing for this is not a good solution. An alternative would be to do something like MPLS over GRE but this is not likely to be supported on your firewall: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l3_vpns/configuration/xe-17/mp-l3-vpns-xe-17-book/mpls-vpn-l3vpn-over-gre.html#concept_61CDDF029C684AD29F6F059568B1EA54

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

rais · ‎05-07-2024

Does it need be global routing table on the Cisco? How about a FW-VRF on the Cisco that imports all exportable routes and does dynamic routing to PA?

Kamran Mustafayev · ‎05-10-2024

I need to create an IPsec tunnels, so I need to understand the approach if I need to create a separate tunnels for each VRF BGP peering or I can use some kind of universal tunnel between sites and exchange that VRF prefixes over it

In my scenario I will receive only default route from site B Firewall

MHM Cisco World · ‎05-07-2024

VPNv4 is solution if you multi VRF

note:- VPNv4 config in global not in any VRF

MHM

Kamran Mustafayev · ‎05-10-2024

Does it mean I need create an IPsec tunnel for each VRF BGP peering between Site A and Site B ?

MHM Cisco World · ‎05-13-2024

Sorry I was busy'

Can you confirm if this issue solve or not?

I want to run lab for you but if it already solved so no need to do that.

MHM

Kamran Mustafayev · ‎05-13-2024

No, not through the one Tunnel, I assume I will need to do it with multiple Tunnels for each VRF between Site A and Site B

MHM Cisco World · ‎05-13-2024

I run lab and I success advertise the prefix between vrf but I face issue in label.

My failed lab was

tunnel in global and run mpls in tunnel

VPNv4 run between tunnel IP in global' and do vrf target import/export'

Just want to solve mpls label.

MHM

paul driver · ‎05-10-2024

Hello
can you post a topology diagram

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Kamran Mustafayev · ‎05-19-2024

So basically between Borders there is iBGP, between Borders and Fusion eBGP, between Fusion's iBGP, between Fusion routers and Palo Alto - eBGP, I have tunnel IPsec and BGP over it between Fusion routers and Palo in Global RIB, there is also VRF's stretched from Borders to Fusion and from Fusion routers to Palo, on Palo side its one Virtual router (i.e on VRF) and its getting prefixes per global table and per VRF, so I wonder I can export VRF prefixes on Fusion router to Global table and from there export it to Palo Alto through my BGP IPsec peering, is it best approach or I need to create separate VRF IPsec BGP peerings from Fusion routers to Palo for each VRF and send prefixes separately ?