Using AS-Path Prepending for BGP to Make Routes Less Preferred

Created On 09/25/18 17:51 PM - Last Modified 06/07/23 17:38 PM




Issue

The Palo Alto Networks firewall is configured to advertise networks/prefixes to a BGP neighbor. The BGP neighbor is also learning the same routes from another router/firewall. The neighbor installs the routes learned from the Palo Alto Networks firewall into its routing table, although the preferred source for these routes is the other router/firewall.

Cause

If no other BGP attributes have been specified, BGP acts as a distance vector protocol and the BGP Best Path Algorithm decides how the best path to an autonomous system (AS) is selected. When two or more routes exist to reach a particular prefix, the default in BGP is to prefer the route with the shortest AS path length. If the shortest AS path to the prefix is learned from the Palo Alto Networks firewall, the BGP neighbor chooses this route over the one learned from the other peer.

Resolution

Use AS path prepending to influence inbound routing into the peer's autonomous system. With AS path prepending, the Palo Alto Networks firewall artificially lengthens the AS path that it advertises to the neighbor, so that the neighbor sees the path as much longer than it actually is.

Configure AS path prepending from the PAN-OS web UI by going to: Network > Virtual Routers > BGP > Export.

Click the “Add” button to bring up a new “Export Rule” window. Under the “General” tab, select the peer group to which the AS path prepending should be applied.

On the “Match” tab, configure the AS number that has to be prepended in the “AS Path Regular Expression” box, and also the prefixes for which the AS path should be prepended. You can also configure the next hop and/or the peer from which the prefix was learned, as well as the other BGP attributes associated with the prefix (Community Regular Expression, Extended Community Regular Expression, and MED).


On the “Action” tab, select “Allow” for the Action. Under the AS Path section, select “Prepend” for Type and enter the number of times that the Palo Alto Networks firewall will prepend its AS number to the prefix before exporting it to the neighbor.


The Palo Alto Networks firewall can also remove the AS number before advertising the prefix, by setting the Type under AS Path to “Remove”. The “Remove and Prepend” type selection removes the specified number of the latest AS numbers added to the prefix and prepends the firewall's AS the same number of times.
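
The effect of the export rule on the neighbor's decision, as an added example (not Palo Alto Networks code): a simplified Python model of the three AS Path action types described above and of a neighbor that compares local preference first and AS path length second. The AS numbers, peer names and function names are constructed for illustration.

```python
from dataclasses import dataclass, field

FIREWALL_AS = 65001  # constructed private AS number standing in for the firewall


def export_as_path(as_path, action, count, local_as=FIREWALL_AS):
    """Apply an export-rule AS Path action as the article describes it.

    as_path lists AS numbers with the most recently added one first.
    """
    if action not in ("prepend", "remove", "remove-and-prepend"):
        raise ValueError(f"unknown action: {action}")
    path = list(as_path)
    if action in ("remove", "remove-and-prepend"):
        path = path[count:]               # drop the latest `count` AS numbers
    if action in ("prepend", "remove-and-prepend"):
        path = [local_as] * count + path  # add the firewall's AS `count` times
    return path


@dataclass
class Route:
    peer: str
    as_path: list = field(default_factory=list)
    local_pref: int = 100


def best_path(routes):
    """Neighbor's choice: higher local preference, then shorter AS path.

    Equal-length paths fall through to later tie-breakers in real BGP;
    this model simply returns the first such route.
    """
    return min(routes, key=lambda r: (-r.local_pref, len(r.as_path)))


def prepends_needed(fw_path, other_path):
    """Smallest prepend count that makes the firewall's path strictly longer."""
    return max(0, len(other_path) - len(fw_path) + 1)


# Constructed sample: the same prefix, originated by AS 65010, seen via two peers.
FW_PATH = [65001, 65010]            # as advertised by the firewall, no export rule
OTHER_PATH = [65002, 65003, 65010]  # as advertised by the other router

if __name__ == "__main__":
    n = prepends_needed(FW_PATH, OTHER_PATH)
    routes = [Route("firewall", export_as_path(FW_PATH, "prepend", n)),
              Route("other-router", OTHER_PATH)]
    print(n, best_path(routes).peer)
```

If the neighbor assigns a higher local preference to routes from the firewall, prepending has no effect, because local preference is compared before AS path length.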

owner: kprakash


