Thanks Val.  We agree with you.  However, the client wants to move BGP off the existing ISP routers. That's the scope. The customer owns /24 and needs to advertise.

Once again, what is BGP for? What exactly do you advertise and to whom? Maybe, a bit mode details about your specific use case would help to start here.

We're the PS team.  Client wants to retrofit the the CP HA pair into the current topology and remove the existing ISP routers. Currently, there are two routers doing BGP to dual-homed ISPs. The customer is advertising /24 network to the Internet via two separate ISPs. BGP is used to advertise the /24 space.

So they are advertising their own networks to ISP. From where I stand, they/you can put the same advertisement on the FW. What does it have to do with the S2S VPN? I assume VPN domains are on private segments, right? Also, VPN GW IP address is most probably fixed to one of FW external interfaces. Should not be a problem, although you do not give me too much to work with here 🙂

Currently, the firewall is behind the BGP routers in the /24 range. The firewall has only one external interface. The ISP redundancy is done by the routers via BGP. The S2S VPN peer has that single IP to peer with, but with redundant path.The challenge is that once we remove the routers and terminate the ISPs directly to the firewall, we'll lose /24 interface IP, and have two separate IP addresses instead.

The question is whether ISP redundancy and BGP config are compatible. My understanding is ISP redundancy overrides the routing table, so BGP routing may be ignored. Since we have redundant paths for S2S VPN today, the client would want to continue to have VPN redundancy after the topology change, but I'm not sure how that works with BGP. Sorry, I don't have more information than that (not my existing client). I don't want to promise something I can't deliver if you know what I mean.

Maybe someone more familiar with BGP than myself can confirm this, but I dont believe ISP redundancy would override the routing table, but its possible Im wrong. Are you saying that BGP routes would have to change after the topology change as that /24 subnet would be "broken down" into 2 say /25 subnets (just an example)?

@Heather_Lewis as @the_rock said, should not be a problem to run BGP for announcing customer's segments to internet. Redundant VPN should also not be a problem, and you do not need BGP for that, MEP config would do. 

ISP redundancy in LS mode would be an alternative, but with dynamic routing you do not need that either, I think. 

All in all, this sounds doable, but the final design requires much more detailed use case.