How to configure BGP Graceful Shutdown using gshut community
Created On 07/02/20 23:10 PM - Last Modified 10/02/24 21:35 PM
Objective
- BGP packets/traffic can be blackholed during a maintenance window when a peer is being reloaded.
- The scale of outage could be disruptive depending on the number of BGP routes/prefixes being advertised.
- This article explains how to configure a Palo Alto Networks firewall to act on the well-known "gshut" community so that a neighbor can be shut down gracefully.
Environment
- Palo Alto Firewalls
- Supported PAN-OS
- BGP
- Well-known gshut community
Procedure
The firewall can accept gshut community values from BGP speakers; it can then be configured to reconverge when it receives the well-known community.
- Verify that the BGP peer is sending the "GSHUT" community.
- In the example below the firewall is peering with a router named "BGP_AS100".
- This peer "BGP_AS100" is sending the GSHUT community (65535:0) to the firewall, signaling that it is shutting down:
admin@PA-VM> show routing protocol bgp loc-rib-detail
VIRTUAL ROUTER: default (id 1)
==========
Prefix: 10.10.10.0/24 * <<====
Nexthop: 192.168.122.168
Received from: Peer BGP_AS100 (id 5)
Originator ID: 0.0.0.0
AS Path: 100
Origin: IGP
MED: 0
Local Preference: 100
Atomic aggregate: no
Aggregator AS: 0
Aggregator ID: 0.0.0.0
Weight: 0
Flap: value 0.00, count 0
Community: 65535:0 <<====
----------
Prefix: 10.10.10.0/24
Nexthop: 192.168.122.103
Originator ID: 0.0.0.0
AS Path: 200,100
Origin: IGP
MED: 0
Local Preference: 100
Atomic aggregate: no
Aggregator AS: 0
Aggregator ID: 0.0.0.0
Weight: 0
Flap: value 0.00, count 0
total routes shown: 2
- Configure the firewall to set its local preference to zero for prefixes it receives with this community:
GUI: Network > Virtual Routers > BGP > Import > Add: create an import rule that matches community 65535:0 and sets Local Preference to 0.
- Commit the configuration change. BGP should reconverge:
admin@PA-VM> show routing protocol bgp loc-rib-detail
VIRTUAL ROUTER: default (id 1)
==========
----------
Prefix: 10.10.10.0/24
Nexthop: 192.168.122.168
Received from: Peer BGP_AS100 (id 5)
Originator ID: 0.0.0.0
AS Path: 100
Origin: N/A
MED: 0
Local Preference: 0
Atomic aggregate: no
Aggregator AS: 0
Aggregator ID: 0.0.0.0
Weight: 0
Flap: value 0.00, count 0
Community: 65535:0
----------
Prefix: 10.10.10.0/24 * <<====
Nexthop: 192.168.122.103
Originator ID: 0.0.0.0
AS Path: 200,100
Origin: IGP
MED: 0
Local Preference: 100
Atomic aggregate: no
Aggregator AS: 0
Aggregator ID: 0.0.0.0
Weight: 0
Flap: value 0.00, count 0
total routes shown: 2
- After reconvergence, the peer device "BGP_AS100" may be shut down for maintenance without disruption to the BGP environment.
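The behaviour of the import rule, as an added example that is not part of this article or of PAN-OS: it parses loc-rib-detail entries modelled on the output above, applies the "community 65535:0 => Local Preference 0" rule, and re-runs the first steps of BGP best-path selection to show why the GSHUT path stops being preferred. The input, helper names and the three-step selector are constructed assumptions for illustration.

```python
"""Added example (not from the PAN-OS article): gshut import rule and reconvergence."""
import re

GSHUT = "65535:0"  # well-known GRACEFUL_SHUTDOWN community value

# Constructed input modelled on the firewall's loc-rib-detail output above.
LOC_RIB = """\
Prefix: 10.10.10.0/24
Nexthop: 192.168.122.168
Received from: Peer BGP_AS100 (id 5)
AS Path: 100
Origin: IGP
Local Preference: 100
Community: 65535:0
----------
Prefix: 10.10.10.0/24
Nexthop: 192.168.122.103
AS Path: 200,100
Origin: IGP
Local Preference: 100
"""

def parse_loc_rib(text):
    """Split the output on '----------' separators and read 'Key: value' lines."""
    routes = []
    for block in text.split("----------"):
        fields = dict(re.findall(r"^([^:\n]+):\s*(.*)$", block, re.M))
        if "Prefix" not in fields:
            continue
        routes.append({
            "prefix": fields["Prefix"].split()[0],   # drop any '* <<====' marker
            "nexthop": fields["Nexthop"],
            "as_path": [int(a) for a in fields["AS Path"].split(",") if a],
            "origin": fields["Origin"],
            "local_pref": int(fields["Local Preference"]),
            "communities": set(fields.get("Community", "").split()),
        })
    return routes

def apply_gshut_import(routes):
    """The article's import rule: any path carrying 65535:0 gets Local Preference 0."""
    return [dict(r, local_pref=0) if GSHUT in r["communities"] else dict(r) for r in routes]

# Lower is better; 'N/A' (seen in the post-reconvergence output) ranks worst.
ORIGIN_RANK = {"IGP": 0, "EGP": 1, "Incomplete": 2}

def best_path(routes):
    """First three decision steps: highest LOCAL_PREF, shortest AS_PATH, lowest ORIGIN."""
    return max(routes, key=lambda r: (r["local_pref"], -len(r["as_path"]),
                                      -ORIGIN_RANK.get(r["origin"], 3)))
```

Before the rule the direct path via 192.168.122.168 wins on AS path length; after the rule its Local Preference of 0 loses to the path via 192.168.122.103, matching the second loc-rib-detail output.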
Additional Information
- In the event of a shutdown or reload on the firewall during a maintenance window, the firewall can also be configured to send this community value to its peers using an export rule.
- PAN-OS displays the gshut community in numeric notation (65535:0), while other vendors may display it by name. For example, the output on Cisco IOS:
Router#show bgp 10.10.10.10
BGP routing table entry for 10.10.10.0/24, version 2
Paths: (2 available, best #2, table default)
Advertised to update-groups:
5
Refresh Epoch 1
300 100
192.168.122.175 from 192.168.122.175 (1.1.1.1)
Origin IGP, localpref 100, valid, external
Community: gshut <<====
rx pathid: 0, tx pathid: 0
Refresh Epoch 1
100
192.168.122.168 from 192.168.122.168 (2.2.2.2)
Origin IGP, metric 0, localpref 100, valid, external, best
Community: gshut <<====
rx pathid: 0, tx pathid: 0x0