Understanding Redistribution Profile Behavior if using Destination Filter

Redistribution profiles are used to redistribute routes learned from one protocol to another protocol. Please use the following articles for help in configuring Route Redistribution on Palo Alto Firewall:

Understanding Route Redistribution and Filtering

OSPF Route Summarization and Suppression on a Palo Alto Networks Firewall

When you use "Destination" as one of the filtering/matching criteria in Redistribution Profile, you should read the destination prefix as 'OR LONGER' and not 'EXACT'.

 

Scenario 1: Redistributing smaller prefix instead of longer prefix in OSPF:

You have the following static routes:

 

You wish to advertise the 10.10.0.0/16 route but not the 10.10.1.0/24, 10.10.2.0/24 and 10.10.3.0/24.

 

If you just create a redistribution profile as under:

 

 

Then you will end up redistributing even 10.10.1.0/24, 10.10.2.0/24, 10.10.3.0/24 as well:

 

admin@PA-200> show routing protocol ospf lsdb
VIRTUAL ROUTER: default (id 1)
  ==========
 VR Area ID         Orig RTR ID     LS ID              LSA Type             Seq Number CheckSum     Age  Size
  1 0.0.0.0         1.1.1.1         1.1.1.1            type-1 (Router)      0x80000003 0x00008B8D   497    36 
  1 0.0.0.0         2.2.2.2         2.2.2.2            type-1 (Router)      0x80000004 0x00004DA2  2302    36 
  1 0.0.0.0         2.2.2.2         10.1.1.12/24       type-2 (Network)     0x80000001 0x0000C746  2302    32 
  1                 1.1.1.1         10.10.0.0/16       type-5 (External)    0x80000001 0x0000D3E5   123       
  1                 1.1.1.1         10.10.1.0/24       type-5 (External)    0x80000003 0x0000C4F1   123       
  1                 1.1.1.1         10.10.2.0/24       type-5 (External)    0x80000003 0x0000B9FB   123       
  1                 1.1.1.1         10.10.3.0/24       type-5 (External)    0x80000003 0x0000AE06   123  

 

Rather use two profiles, the first for not redistributing specific routes and a second for redistributing a larger route. Use it under export rules in OSPF as under: (Notice the priority value in the two profiles)

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Now you will see that the OSPF will only advertise 10.10.0.0/16 network:

 

admin@PA-200> show routing protocol ospf lsdb
admin@PA-200> show routing protocol ospf lsdb
VIRTUAL ROUTER: default (id 1)
  ==========
 VR Area ID         Orig RTR ID     LS ID              LSA Type             Seq Number CheckSum     Age  Size
  1 0.0.0.0         1.1.1.1         1.1.1.1            type-1 (Router)      0x80000004 0x0000898E   252    36 
  1 0.0.0.0         2.2.2.2         2.2.2.2            type-1 (Router)      0x80000005 0x00004BA3   858    36 
  1 0.0.0.0         2.2.2.2         10.1.1.12/24       type-2 (Network)     0x80000002 0x0000C547   858    32 
  1                 1.1.1.1         10.10.0.0/16       type-5 (External)    0x80000002 0x0000D1E6  1312       

 

 Important!  Route Suppression will not work in this case, since the route is being advertised from another protocol to OSPF. Route suppression works when advertising routes learned from one area to another.

 

 

Scenario 2: Redistributing smaller prefix instead of longer prefix in OSPF

 

if you want to do the same as above in BGP, there are two options:

 

1. You can include both these redistribution profiles under BGP > Redist Rules

    

2. Put the subnet which you want to advertise with the “Exact” checkbox selected under BGP > Export

    

End result:

 

admin@PA-200> show routing protocol bgp rib-out
VIRTUAL ROUTER: default (id 1)
   ==========
 Prefix            Nexthop          Peer       Originator       Adv Status  Aggr Status     AS-Path
 10.10.0.0/16      10.1.1.1         Peer1      0.0.0.0          advertised  no aggregation  65000

total routes shown: 1