How to Prefer a BGP Peer for Installing a Received Prefix in the Local Routing Table & Leverage BGP for Route Failover

Created On 09/25/18 17:52 PM - Last Modified 06/13/23 04:52 AM


Resolution


Overview

This document describes how to:

  1. Configure a Palo Alto Networks Firewall running PAN-OS 5.0.x to establish eBGP peering with two ISPs sending the same prefix.
  2. Configure the firewall to prefer one ISP when installing the received prefix in the local routing table, keeping the prefix received from the second ISP as backup, by tuning the BGP attribute 'local preference'.

Details

Please refer to the following diagram for the topology. The configuration focuses on the 'PAN Firewall (.92)' device. Both ISP routers advertise the prefix 40.40.40.0/24. The 'PAN Firewall (.92)' device is configured to prefer the prefix advertised by ISP1 using the 'Local Preference' attribute. (For simplicity, assume that the PAN firewall's external interface is on the same broadcast domain as both ISPs' links. Ideally, there would be point-to-point links between the PAN firewall and each ISP.)

topology.PNG

Steps

  1. Establish eBGP peering from the PAN Firewall (.92) to both ISP routers. Both ISP routers need to be added in separate peer groups since specific import rules will be written for ISP1.

    Peer group configuration on 'PAN Firewall (.92)' for ISP1 (.39):

    peer39.PNG

    Peer group configuration on 'PAN Firewall (.92)' for ISP2 (.41):

    peer41.PNG

  2. Add an import rule that matches (exact) on the prefix 40.40.40.0/24 received from 'ISP1 (.39)' and sets a local preference of '200' on import (the default local preference is 100). BGP prefers the path received with the higher local preference and installs it in the routing table.

    Here is the import rule setup:

    import_1.PNG

    import_2.PNG

    import_3.PNG

Verification

Once the configuration is committed, inspect the local RIB table of the 'PAN firewall (.92)' to confirm that the prefix 40.40.40.0/24 is being received from both peers. To do so, click Virtual Router > More Runtime Stats > BGP > Local RIB.

The prefix learned via ISP1 has a Local Pref. of 200 and a * flag indicating that this peer is preferred:

local_rib.PNG

To confirm that the routing table has this entry:

routing_table.PNG

To test failover, bring down the eBGP peering with ISP1. The prefix from ISP2 is then preferred and installed in the routing table:

failover.PNG
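
The selection and failover behaviour verified above can be modelled offline to sanity-check an import policy before committing it. This is an added example, not Palo Alto Networks code or PAN-OS output: the peer addresses, AS numbers and function names are constructed, and only the local-preference and AS-path-length steps of standard BGP best-path selection are modelled.

```python
import ipaddress
from dataclasses import dataclass, replace

DEFAULT_LOCAL_PREF = 100                      # default stated in the article
ISP1, ISP2 = "192.0.2.39", "192.0.2.41"       # constructed peer addresses (.39 / .41)

@dataclass(frozen=True)
class Path:
    prefix: str
    peer: str
    as_path: tuple
    local_pref: int = DEFAULT_LOCAL_PREF

# Step 2 import rule: exact match on 40.40.40.0/24 from ISP1, set local preference 200.
IMPORT_RULES = [{"peer": ISP1, "prefix": "40.40.40.0/24", "exact": True, "local_pref": 200}]

# Constructed updates; AS numbers are documentation values. ISP1's AS path is longer
# on purpose, to show that local preference is compared before AS-path length.
UPDATES = [
    Path("40.40.40.0/24", ISP1, (64496, 64499, 64500)),
    Path("40.40.40.0/24", ISP2, (64497, 64500)),
]

def apply_import(path, rules=IMPORT_RULES):
    """Return the path as it enters the local RIB after import rules."""
    net = ipaddress.ip_network(path.prefix)
    for rule in rules:
        rule_net = ipaddress.ip_network(rule["prefix"])
        hit = net == rule_net if rule["exact"] else net.subnet_of(rule_net)
        if path.peer == rule["peer"] and hit:
            return replace(path, local_pref=rule["local_pref"])
    return path

def best_path(prefix, updates, established):
    """Pick the path to install: highest local pref, then shortest AS path.
    Later BGP tie-breakers are omitted. Paths from peers that are down are dropped."""
    rib = [apply_import(p) for p in updates
           if p.prefix == prefix and p.peer in established]
    return max(rib, key=lambda p: (p.local_pref, -len(p.as_path)), default=None)

if __name__ == "__main__":
    print("both peers up :", best_path("40.40.40.0/24", UPDATES, {ISP1, ISP2}))
    print("ISP1 peer down:", best_path("40.40.40.0/24", UPDATES, {ISP2}))
    # Exact match: a more-specific /25 from ISP1 keeps the default local preference.
    print("/25 from ISP1 :", apply_import(Path("40.40.40.0/25", ISP1, (64496,))))
```

Because the rule is an exact match, a more-specific prefix from ISP1 does not receive local preference 200, which is worth checking when a policy is meant to cover a whole range.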

owner: achitwadgi


