Overview
This document describes how to configure the BGP NEXT_HOP attribute so that it is set to the router ID of the route reflector when a route is reflected (that is, learned from an iBGP peer and advertised to iBGP route reflector clients).
Details
RFC 4456, BGP Route Reflection: An Alternative to Full Mesh Internal BGP (IBGP), advises against modifying the NEXT_HOP, among other attributes, when reflecting a route:
10. Implementation Considerations
[...]
In addition, when a RR reflects a route, it SHOULD NOT modify the
following path attributes: NEXT_HOP, AS_PATH, LOCAL_PREF, and MED.
Their modification could potentially result in routing loops.
PAN-OS 5.0:
In PAN-OS 5.0, setting the BGP next hop to "self", when reflecting a route, is performed by setting the configuration option "Export Next Hop" to "Use Self" on the "Virtual Router - BGP - Peer Group/Peer" configuration page.
In the screenshot below, the iBGP peer 192.168.200.13 is configured as a route reflector client of the local firewall, 192.168.200.11.
BGP parameters of the route reflector client
In the screenshot below, "Export Next Hop" is set to "Use Self". This forces the local firewall to set the NEXT_HOP BGP attribute to its own IP address (BGP router ID) for all routes advertised to the members of the BGP peer group. In PAN-OS 5.0 this applies to both reflected routes and non-reflected routes (routes learned from eBGP).
PAN-OS 6.0 and above:
In PAN-OS 6.0 and above, setting "Export Next Hop" to "Use Self" on the "Virtual Router - BGP - Peer Group/Peer" configuration page (as in the screenshot above) affects only the non-reflected routes. Reflected routes (routes learned from other iBGP peers and advertised to BGP route reflector clients) are advertised with their original NEXT_HOP attribute value, in line with the RFC 4456 recommendation quoted above.
To modify the BGP NEXT_HOP attribute of the reflected routes, an export rule must be used, as shown below:
In the screenshot above, an example of an export rule that modifies the NEXT_HOP attribute is shown. In that example, the NEXT_HOP is set to the router ID of the local firewall. The peer group to which this rule applies consists of iBGP route reflector clients. Additionally, the rule matches only prefixes learned from one specific peer, VM-0. This last condition is not required, but it is good practice to limit the prefixes to which the NEXT_HOP change is applied, since the change overrides the RFC 4456 guidance and widening its scope widens the potential for routing loops.
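The following is an added example, not part of the original article and not PAN-OS code. It models, in Python, the NEXT_HOP selection behaviour the article describes, so that the difference between the PAN-OS 5.0 and 6.0+ handling of "Use Self" and the effect of an export rule can be checked against sample routes. The peer names (VM-0, VM-1), the peer group name, the route prefixes and next hops are constructed for the example; the assumption that an export rule takes precedence over the peer group "Export Next Hop" setting and that rules are evaluated first-match is also an assumption of this model, not a statement from the article.

```python
from dataclasses import dataclass
from typing import List, Optional

# Addresses taken from the article: the local firewall acting as route reflector
# and its route reflector client.
ROUTER_ID = "192.168.200.11"
RR_CLIENT = "192.168.200.13"


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str        # NEXT_HOP attribute as received
    learned_from: str    # name of the peer that advertised the route
    learned_via: str     # "ibgp" (reflected when re-advertised) or "ebgp"


@dataclass(frozen=True)
class ExportRule:
    used_by: str                 # peer group the rule is attached to
    from_peer: Optional[str]     # restrict to routes learned from this peer; None = any peer
    set_next_hop: str            # value written into NEXT_HOP on export


def export_next_hop(route: Route, peer_group: str, export_next_hop: str,
                    panos_major: int, rules: List[ExportRule]) -> str:
    """Return the NEXT_HOP that would be advertised to `peer_group`.

    export_next_hop: "original" or "use-self" (the peer group setting).
    panos_major:     5 for PAN-OS 5.0 behaviour, 6 or above for PAN-OS 6.0+.
    rules:           export rules, evaluated first-match (assumption of this model).
    """
    reflected = route.learned_via == "ibgp"
    next_hop = route.next_hop

    if export_next_hop == "use-self":
        # PAN-OS 5.0: "Use Self" rewrites NEXT_HOP on every exported route.
        # PAN-OS 6.0+: "Use Self" leaves reflected routes untouched (RFC 4456).
        if panos_major < 6 or not reflected:
            next_hop = ROUTER_ID

    # An export rule attached to this peer group overrides the setting above
    # (assumption). The optional from-peer match narrows which routes it touches.
    for rule in rules:
        if rule.used_by != peer_group:
            continue
        if rule.from_peer is not None and rule.from_peer != route.learned_from:
            continue
        next_hop = rule.set_next_hop
        break
    return next_hop


# Constructed sample routes: one reflected from iBGP peer VM-0, one reflected
# from another iBGP peer VM-1, and one learned from an eBGP peer.
REFLECTED_FROM_VM0 = Route("10.10.0.0/24", "10.0.0.1", "VM-0", "ibgp")
REFLECTED_FROM_VM1 = Route("10.20.0.0/24", "10.0.0.2", "VM-1", "ibgp")
FROM_EBGP = Route("203.0.113.0/24", "198.51.100.1", "ISP", "ebgp")

# Export rule matching the article's example: applies to the peer group of
# route reflector clients, only for prefixes learned from VM-0, and sets
# NEXT_HOP to the local router ID.
RR_CLIENT_GROUP = "rr-clients"
NEXT_HOP_SELF_FOR_VM0 = ExportRule(RR_CLIENT_GROUP, "VM-0", ROUTER_ID)


def compare_versions() -> dict:
    """Advertised NEXT_HOP for each sample route under the three configurations."""
    return {
        "5.0 use-self": [export_next_hop(r, RR_CLIENT_GROUP, "use-self", 5, [])
                         for r in (REFLECTED_FROM_VM0, REFLECTED_FROM_VM1, FROM_EBGP)],
        "6.0 use-self": [export_next_hop(r, RR_CLIENT_GROUP, "use-self", 6, [])
                         for r in (REFLECTED_FROM_VM0, REFLECTED_FROM_VM1, FROM_EBGP)],
        "6.0 use-self + export rule": [
            export_next_hop(r, RR_CLIENT_GROUP, "use-self", 6, [NEXT_HOP_SELF_FOR_VM0])
            for r in (REFLECTED_FROM_VM0, REFLECTED_FROM_VM1, FROM_EBGP)],
    }


if __name__ == "__main__":
    for config, hops in compare_versions().items():
        print(f"{config:28s} -> advertised to {RR_CLIENT}: {hops}")
```

Running the script prints, per configuration, the NEXT_HOP that the client 192.168.200.13 would receive for each of the three sample routes: on 5.0 all three carry the router ID; on 6.0+ with only "Use Self", the two reflected routes keep 10.0.0.1 and 10.0.0.2; with the export rule added, only the route learned from VM-0 is rewritten, which is the scoping the article recommends.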
owner: ncackov