How to Prefer a BGP Peer for Installing a Received Prefix in the Local Routing Table & Leverage BGP for Route Failover
This document describes how to:
- Configure a Palo Alto Networks Firewall running PAN-OS 5.0.x to establish eBGP peering with two ISPs sending the same prefix.
- Configure the firewall to prefer one ISP for installing the received prefix in the local routing table, keeping the prefix received from the second ISP as a backup, by tuning the BGP 'local preference' attribute.
Refer to the following diagram for the topology. The configuration focus is the 'PAN Firewall (.92)' device. Both ISP routers advertise the prefix 184.108.40.206/24. The 'PAN Firewall (.92)' device is configured to prefer the prefix advertised by ISP1 using the 'Local Preference' attribute. (For simplicity, assume that the firewall's external interface is on the same broadcast domain as the two ISPs' links. Ideally, there would be point-to-point links between the firewall and each ISP.)
Establish eBGP peering from the PAN Firewall (.92) to both ISP routers. Both ISP routers need to be added in separate peer groups since specific import rules will be written for ISP1.
Peer group configuration on 'PAN Firewall (.92)' for ISP1 (.39):
Peer group configuration on 'PAN Firewall (.92)' for ISP2 (.41):
An import rule needs to be added that matches exactly on the prefix 220.127.116.11/24 received from 'ISP1 (.39)' and sets a local preference of '200' on import (the default local preference is 100). BGP prefers the path received with the higher local preference and installs it in the routing table.
Here is the import rule setup:
Once the configuration is committed, inspect the Local RIB of the 'PAN Firewall (.92)' to confirm that the prefix 18.104.22.168/24 is received from both peers. To do so, click Virtual Router > More Runtime Stats > BGP > Local RIB.
The prefix learned via ISP1 has a Local Pref. of 200 and a * flag, indicating that this path is preferred:
To confirm that the routing table has this entry:
For failover testing, bring down the eBGP peering with ISP1; the prefix from ISP2 is now preferred and installed in the routing table:
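The import rule, the Local RIB view and the failover behaviour described above can be reproduced with a small model of the BGP decision process. The following is an added example, not PAN-OS code and not part of the original article: it implements a per-peer import rule (exact-prefix match, set local-preference), a Local RIB that marks the best path with '*', and the routing-table entry that results before and after the ISP1 session is lost. The prefix 203.0.113.0/24 and the neighbor addresses 192.0.2.39 / 192.0.2.41 are constructed sample values (only the host octets .39 and .41 come from the article), and the decision process is simplified to local-preference, AS_PATH length and lowest neighbor address.

```python
"""Model of a per-peer BGP import rule that raises LOCAL_PREF and of the
resulting best-path choice and failover (added example, not PAN-OS code)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

DEFAULT_LOCAL_PREF = 100  # BGP default when no policy sets the attribute


@dataclass(frozen=True)
class Path:
    prefix: str
    peer: str            # peer / peer-group the path was learned from
    neighbor: str        # neighbor address (also the next hop on a shared segment)
    as_path: tuple
    local_pref: int = DEFAULT_LOCAL_PREF


@dataclass(frozen=True)
class ImportRule:
    peer: str            # rule applies only to paths from this peer
    prefix: str          # address prefix to match
    exact: bool          # True: exact match; False: match the prefix or any subnet of it
    set_local_pref: int  # action: local preference to set on import


def apply_import(path: Path, rules) -> Path:
    """Return the path as it appears in the Local RIB after the import policy."""
    net = ip_network(path.prefix)
    for rule in rules:
        if rule.peer != path.peer:
            continue
        target = ip_network(rule.prefix)
        if rule.exact and net != target:
            continue
        if not rule.exact and not net.subnet_of(target):
            continue
        return replace(path, local_pref=rule.set_local_pref)
    return path  # no rule matched: imported unchanged (local pref 100)


def best_path(paths):
    """Simplified BGP decision process: highest LOCAL_PREF wins, then the
    shortest AS_PATH, then the lowest neighbor address as the final tie-break."""
    return max(
        paths,
        key=lambda p: (p.local_pref, -len(p.as_path), -int(ip_address(p.neighbor))),
    )


class LocalRib:
    def __init__(self, rules):
        self.rules = list(rules)
        self.paths = []  # every received path, after import policy

    def receive(self, path: Path):
        self.paths.append(apply_import(path, self.rules))

    def peer_down(self, peer: str):
        """Loss of the eBGP session withdraws everything learned from that peer."""
        self.paths = [p for p in self.paths if p.peer != peer]

    def show(self, prefix: str):
        """Local RIB view: (peer, local pref, '*' on the best path) per candidate."""
        cands = [p for p in self.paths if p.prefix == prefix]
        best = best_path(cands) if cands else None
        return [(p.peer, p.local_pref, "*" if p is best else "") for p in cands]

    def routing_table(self):
        """Prefix -> next hop of the single best path installed in the routing table."""
        table = {}
        for prefix in {p.prefix for p in self.paths}:
            best = best_path([p for p in self.paths if p.prefix == prefix])
            table[prefix] = best.neighbor
        return table


# Constructed sample values (documentation ranges); the article gives only .39 and .41.
PREFIX = "203.0.113.0/24"
ISP1 = Path(PREFIX, "ISP1", "192.0.2.39", as_path=(65001,))
ISP2 = Path(PREFIX, "ISP2", "192.0.2.41", as_path=(65002,))
RULES = [ImportRule(peer="ISP1", prefix=PREFIX, exact=True, set_local_pref=200)]


def demo():
    """Next hop installed for PREFIX with both peers up, then after ISP1 goes down."""
    rib = LocalRib(RULES)
    rib.receive(ISP1)
    rib.receive(ISP2)
    before = rib.routing_table()[PREFIX]
    rib.peer_down("ISP1")
    after = rib.routing_table()[PREFIX]
    return before, after


if __name__ == "__main__":
    rib = LocalRib(RULES)
    rib.receive(ISP1)
    rib.receive(ISP2)
    print("Local RIB:", rib.show(PREFIX))
    print("Before/after ISP1 failure:", demo())
```

Because the rule matches the prefix exactly and only for the ISP1 peer, a more specific prefix from ISP1 (for example a /25) or the same /24 from ISP2 is imported with the default local preference of 100, which is the behaviour the import rule in the article relies on.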