Sunday, November 24, 2019

Is there a reason to use multiple VRs/VRFs on my Palo Alto edge firewalls, given our network design?

I'm in the final stages of cleaning up a mess I inherited about a year and a half ago, and I'm wondering if there's still any reason for me to be maintaining two different VRs on my PA-3020 edge firewall.

Background: ~300 users, mostly in one site, Palo Alto firewalls, Cisco switches, Meraki WAPs, Windows desktop/servers. Two internet connections, no BGP peering with the ISPs.

Here's a quick shot of our network from an L3 perspective.

My understanding is that when my predecessor put these firewalls in on PAN-OS 7.0, using dual VRFs combined with Policy-Based Forwarding was the recommended method of accomplishing internet connection failover. However with PAN-OS 8.0 we got link state monitoring, and I've since transitioned us to that for our ISP failover.

So given that I'm not doing the PBR/VR method of ISP failover, is there any reason to continue dealing with two VRs? Can I just move all of the interfaces over to VR-ISP1 to make everything simpler and allow OSPF to deal with everything in my network? (you can't form neighbor relationships between VRs, so there's an ugly mix of static routes holding them together for now)
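As an added illustration (not part of the original post, and not a configuration taken from the poster's firewall), here is roughly what the single-VR layout being asked about looks like in PAN-OS set-command syntax: both ISP uplinks and the inside interface in one virtual router, two default routes distinguished by metric and each guarded by static-route path monitoring, and OSPF enabled on the inside interface so the core switches peer with the firewall directly instead of through static glue routes. Interface names, the VR name VR-ISP1, the router ID and all addresses (RFC 5737 documentation ranges) are constructed for the example, and the exact keywords should be checked against the PAN-OS release actually in use, since the CLI has shifted between versions.

```text
# Constructed example: one virtual router owns every L3 interface.
# ethernet1/1 = ISP1 uplink, ethernet1/2 = ISP2 uplink, ethernet1/3 = inside (assumed names)
set network virtual-router VR-ISP1 interface [ ethernet1/1 ethernet1/2 ethernet1/3 ]

# Primary default route via ISP1, lower metric wins while its probes succeed.
set network virtual-router VR-ISP1 routing-table ip static-route ISP1-default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1 metric 10
set network virtual-router VR-ISP1 routing-table ip static-route ISP1-default path-monitor enable yes failure-condition any hold-time 2
# Probe targets are placeholders; they must be reachable only through ISP1's next hop
# or the probe proves nothing about that link.
set network virtual-router VR-ISP1 routing-table ip static-route ISP1-default path-monitor monitor-destinations ISP1-probe enable yes source 203.0.113.2/32 destination 203.0.113.1 interval 3 count 5

# Backup default route via ISP2, higher metric, also monitored so it is withdrawn if ISP2 dies.
set network virtual-router VR-ISP1 routing-table ip static-route ISP2-default destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1 metric 20
set network virtual-router VR-ISP1 routing-table ip static-route ISP2-default path-monitor enable yes failure-condition any hold-time 2
set network virtual-router VR-ISP1 routing-table ip static-route ISP2-default path-monitor monitor-destinations ISP2-probe enable yes source 198.51.100.2/32 destination 198.51.100.1 interval 3 count 5

# OSPF on the inside interface only; the ISP-facing interfaces stay out of the area.
set network virtual-router VR-ISP1 protocol ospf enable yes
set network virtual-router VR-ISP1 protocol ospf router-id 10.0.0.1
set network virtual-router VR-ISP1 protocol ospf area 0.0.0.0 type normal
set network virtual-router VR-ISP1 protocol ospf area 0.0.0.0 interface ethernet1/3 enable yes passive no

# Checks after commit: which default is active, what path monitoring sees, and what the FIB picks.
# show routing route type static
# show routing path-monitor
# test routing fib-lookup virtual-router VR-ISP1 ip 192.0.2.10
```

Two caveats worth keeping in mind before collapsing the VRs. First, with both defaults in one VR the firewall only ever uses the lower-metric route for new outbound sessions, so anything that must egress ISP2 while ISP1 is up (for example an inbound service NATed to an ISP2 public address that has to reply out the same link) still needs a PBF rule with symmetric return; path monitoring replaces the PBF-based failover, not per-ISP egress selection. Second, pushing the firewall's default into OSPF for the core switches needs a redistribution profile and an OSPF export rule in the same VR, which is deliberately left out above because the right profile depends on what the switches already expect to learn.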


