Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1032
Views
0
Helpful
6
Replies

BGP Route Reflector postion

Yangjp715
Level 2
Level 2

‎10-17-2017 01:09 PM - edited ‎03-08-2019 12:24 PM

Hi All,

 

We are planning to put a Palo Alto firewall in datacenter between the edge router ASR and two Nexus 9Ks. the existing BGP route reflector is 2911. i was wondering do i need to configure Firewall as RR or i can use the existing RR 2911?

 

Thanks in advance!diagram.png

 

Eric

Labels:
0 Helpful
6 Replies 6

Julio E. Moisa
VIP
VIP

‎10-17-2017 02:02 PM - edited ‎10-17-2017 02:15 PM

Hi,

You could keep the 2911 as RR but if the ASR will use BGP as well you need to allow the TCP port 179 on the firewall in order to allow the BGP communication between routers. Do you have just a RR as router? it could be a point of failure, you could connect the 2911 with the next Router (right) to be RR as well with different cluster-id. 




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

Yangjp715
Level 2
Level 2
In response to Julio E. Moisa

‎10-18-2017 07:17 AM

Hi Julio,

 

Thanks for the quick reply.

 

I have the following questions:

1. Where is the best position to put RR. Is it must be the second node in IBGP? eBGP <-> eBGP/iBGP <-> iBGP/RR <-> Clients? If so, in our network. The ASR is the first node. N9k must be the RR? Is that correct?

 

2. Right now the FW is connected to two N9Ks. ASR is connected two N9Ks as well. We are planning to let all traffic pass through the FW for security reason. Can i keep the current design to get this requirement?

2017-10-18 08_02_25-Microsoft Visio.png

 

We have two datacenter in the AS 200. Another 2911 is RR as well in the second datacenter.

 

Thanks,

 

Eric

0 Helpful

Yangjp715
Level 2
Level 2
In response to Yangjp715

‎10-18-2017 09:42 AM

Hi all,

Is there anyone who can answer my above questions? Can i configure the FW as RR client?

Thanks in advance,

Eric
0 Helpful

Julio E. Moisa
VIP
VIP
In response to Yangjp715

‎10-18-2017 09:50 AM

Hi

Im not really sure if the FW can be executed as RR and it could overload the device, if it is a perimeter FW, it could be installed between the ASR and the routers over the AS100.

 

 




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

Yangjp715
Level 2
Level 2
In response to Julio E. Moisa

‎10-18-2017 12:59 PM

Hi Julio,

We have two FWs in each datacenter for redundancy. Now we are planning to get all traffic pass through the FW. ASR is the edge router connected to several SP and other sites. Yes, the FW is perimeter FW. Compare to the FW between the ASR and two N9Ks, what is different if the FW is between the ASR and AS 100?

Additionally, where is the best position to put RR, is it the second node in IBGP?

Thanks a lot.
Eric
0 Helpful

Yangjp715
Level 2
Level 2
In response to Yangjp715

‎10-25-2017 08:39 AM

Hi All,

 

Is there anyone who knows the scenario for how to get all traffic pass through the FW based on the above diagram?

 

Thanks in advance!

 

Eric

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card