Discard Route With BGP Aggregation
10548
Created On 02/10/22 23:18 PM - Last Modified 02/10/22 23:41 PM
Symptom
When BGP aggregation is configured on PAN-OS, a discard route is automatically inserted into the routing table. Other vendors use different terminology, such as "null route", but the concept is essentially the same.
In the following example, the firewall is aggregating 10.10.0.0/16 and advertising it on to its peers:
admin@PA-VM> show routing protocol bgp rib-out | match "aggregate route"
10.10.0.0/16    10.0.0.2        AS118     0.0.0.0    advertised    aggregate route    131
10.10.0.0/16    172.16.202.1    Peer151   0.0.0.0    advertised    aggregate route    131
Consequently a discard route is inserted into the routing table:
admin@PA-VM> show routing route | match discard
10.10.0.0/16    discard    A B    165    0
Environment
- All versions of PANOS
- BGP
- Hardware/VM-Series NGFW
Cause
The discard route is inserted as an efficiency mechanism: it prevents route lookups for, and forwarding via the default route of, destinations inside the aggregate that have no more specific (longer-prefix) match in the routing table. In this illustration, the firewall is learning the prefix 10.10.0.0/24 from one of its BGP peers and, in turn, aggregating that prefix to 10.10.0.0/16, which it then advertises to its peers.
When the firewall receives traffic destined to an IP address within the aggregate range but outside the contributing (more specific) subnet(s), it simply drops the traffic. For example, traffic destined to 10.10.1.25 falls within the aggregate 10.10.0.0/16 but outside the learned subnet 10.10.0.0/24, so it is dropped. The only exception is when the destination matches another, more specific route already present in the routing table, such as a BGP-learned 10.10.0.0/17.
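The longest-prefix-match behavior described above, as an added illustration that is not part of the original article or of PAN-OS itself: a constructed routing table holds a default route toward the upstream, the /24 learned from a BGP peer, and the discard route that the /16 aggregate installs. The next-hop addresses reuse the peer addresses from the rib-out output purely as labels; they are assumptions, as is the whole table layout. The example also goes slightly beyond the article by showing what would happen without the discard route (the destination would follow the default route) and by adding the /17 exception the text mentions.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str   # the literal "discard" models the PAN-OS discard route
    source: str     # constructed label describing where the route came from


def build_table(with_discard: bool = True) -> list[Route]:
    """Constructed routing table mirroring the article's scenario.

    - a static default route toward the upstream peer (assumed next hop 10.0.0.2)
    - 10.10.0.0/24 learned via BGP (assumed next hop 172.16.202.1)
    - the discard route that aggregating to 10.10.0.0/16 installs (optional,
      so the effect of leaving it out can be demonstrated)
    """
    table = [
        Route(ipaddress.ip_network("0.0.0.0/0"), "10.0.0.2", "static default"),
        Route(ipaddress.ip_network("10.10.0.0/24"), "172.16.202.1", "bgp"),
    ]
    if with_discard:
        table.append(
            Route(ipaddress.ip_network("10.10.0.0/16"), "discard", "bgp aggregate")
        )
    return table


def add_route(table: list[Route], prefix: str, next_hop: str, source: str) -> None:
    """Append a route, e.g. the more specific 10.10.0.0/17 the article names as an exception."""
    table.append(Route(ipaddress.ip_network(prefix), next_hop, source))


def lookup(table: list[Route], dst: str) -> Route:
    """Longest-prefix match: among all routes containing dst, the most specific wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def forwarding_decision(table: list[Route], dst: str) -> str:
    """Return 'drop' when the best match is the discard route, else the forwarding next hop."""
    best = lookup(table, dst)
    if best.next_hop == "discard":
        return "drop"
    return f"forward via {best.next_hop}"


if __name__ == "__main__":
    table = build_table()
    for dst in ("10.10.0.5", "10.10.1.25", "192.0.2.1"):
        print(f"{dst:12} -> {forwarding_decision(table, dst)}")

    # Without the discard route, 10.10.1.25 would leak out via the default route.
    print("no discard:", forwarding_decision(build_table(with_discard=False), "10.10.1.25"))

    # A more specific BGP-learned route inside the aggregate takes precedence over discard.
    add_route(table, "10.10.0.0/17", "172.16.202.1", "bgp")
    print("with /17:  ", forwarding_decision(table, "10.10.1.25"))
```

Running the block prints the three decisions for the constructed table (10.10.0.5 forwarded via the /24, 10.10.1.25 dropped by the discard route, 192.0.2.1 forwarded via the default), then shows that removing the discard route sends 10.10.1.25 to the default next hop, and that a later-learned /17 overrides the discard for that destination.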
Resolution
This is expected behavior: a discard route is automatically inserted into the routing table for every BGP aggregate route, and traffic to addresses covered only by the aggregate is dropped rather than forwarded via the default route.
Additional Information
This article assumes the reader is familiar with how to configure BGP/route aggregation.