Understand aggregate tab in BGP with summary, suppress filter and advertise filter
Created On 12/07/22 15:09 PM - Last Modified 09/19/25 02:18 AM
Objective
- Understand how the "aggregate" tab in BGP works with or without the "summary" option enabled.
- Understand how the "suppress filters" and "advertise filters" work in conjunction with the summary option enabled or disabled.
Environment
- Palo Alto Firewalls
- PAN-OS 9.1, 10.1
- BGP
Procedure
- The "Enable" option on the aggregate tab generates an aggregate route if there are prefixes inside the network; these prefixes are usually called "contributors". With only this option set, the aggregate route is generated, and both the contributors and the aggregate are advertised.
- With the "Summary" option enabled on the aggregate tab, every "contributor" prefix is filtered, so the firewall sends only the aggregate route to the peers.
- With "Advertise Filters" enabled for certain contributor prefixes, the firewall advertises those prefixes to the peer.
- With "Suppress Filters" enabled for certain contributor prefixes, the firewall does not advertise those prefixes to the peer.
Possible combinations of the above features:
- "Enabled" + "Advertise Filters": This combination does not make sense; every contributor and the aggregate are advertised. Without the "Summary" option the behavior is "advertise all", so the advertise filter has no effect.
- "Enabled" + "Summary" + "Suppress Filters": This combination does not make sense; the "Summary" option already works as "suppress all, only advertise the aggregate", so the suppress filter has no effect.
- "Enabled" + "Suppress Filters": This combination filters the advertisement of contributor prefixes. The prefixes listed in "Suppress Filters" are not advertised to the peers; the aggregate and the rest of the contributors are.
- "Enabled" + "Summary" + "Advertise Filters": This combination suppresses all contributor prefixes through the summary and then advertises the specific prefixes listed in "Advertise Filters" in addition to the aggregate prefix.
Additional Information
Below are some examples illustrating the explanations:
- Prefixes installed in the routing table:
PA-VM> show routing route | match 80.
80.0.0.0/8 discard A B 9621 0
80.80.80.0/29 172.160.1.3 10 A S ethernet1/8
80.80.80.1/32 0.0.0.0 10 A S ethernet1/7
80.80.80.2/32 0.0.0.0 10 A S ethernet1/7
- Option "Enabled": Aggregated + contributors advertised in rib-out
PA-VM> show routing protocol bgp rib-out | match 80.
80.0.0.0/8 172.160.1.1 ECMP-peer-1 0.0.0.0 advertised aggregate route 65301
80.80.80.0/29 172.160.1.3 ECMP-peer-1 0.0.0.0 advertised not suppressed 65301
80.80.80.1/32 172.160.1.1 ECMP-peer-1 0.0.0.0 advertised not suppressed 65301
80.80.80.2/32 172.160.1.1 ECMP-peer-1 0.0.0.0 advertised not suppressed 65301
- Option "Enabled" + "Suppress Filters": Suppress prefix 80.80.80.1/32 and 80.80.80.2/32
PA-VM> show routing protocol bgp rib-out | match 80.
80.0.0.0/8 172.160.1.1 ECMP-peer-1 0.0.0.0 advertised aggregate route 65301
80.80.80.0/29 172.160.1.3 ECMP-peer-1 0.0.0.0 advertised not suppressed 65301
- Option "Enabled" + "Summary": Only aggregated advertised
PA-VM> show routing protocol bgp rib-out | match 80.
80.0.0.0/8 172.160.1.1 ECMP-peer-1 0.0.0.0 advertised aggregate route 65301
- Option "Enabled" + "Summary" + "Advertise Filters": Advertise prefixes 80.80.80.1/32, 80.80.80.2/32 and aggregate route
PA-VM> show routing protocol bgp rib-out | match 80.
80.0.0.0/8 172.160.1.1 ECMP-peer-1 0.0.0.0 advertised aggregate route 65301
80.80.80.1/32 172.160.1.1 ECMP-peer-1 0.0.0.0 advertised no aggregation 65301
80.80.80.2/32 172.160.1.1 ECMP-peer-1 0.0.0.0 advertised no aggregation 65301
*The article assumes that export, import, and redistribution profiles are correctly configured.
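The combinations above can be checked against a live rib-out with a small model of the aggregate logic. This is an added example, not PAN-OS code or a Palo Alto tool: the function names are hypothetical and filters are assumed to match prefixes exactly. It computes the prefixes a peer should receive for one aggregate entry, flags the two no-effect combinations, and reports any more-specific prefix that is advertised beyond what the configuration intends.

```python
import ipaddress

def expected_rib_out(aggregate, routes, summary=False, suppress=(), advertise=()):
    """Return (prefixes, warnings) for one IPv4 aggregate entry with "Enable" checked.
    Assumption of this model: filters match contributor prefixes exactly."""
    agg = ipaddress.ip_network(aggregate)
    # Contributors: routes that are more specific than, and inside, the aggregate.
    contributors = [n for n in map(ipaddress.ip_network, routes)
                    if n != agg and n.subnet_of(agg)]
    if not contributors:
        return [], ["no contributors: aggregate route is not generated"]
    suppress = {ipaddress.ip_network(p) for p in suppress}
    advertise = {ipaddress.ip_network(p) for p in advertise}
    warnings = []
    if summary:
        # Summary suppresses every contributor; Advertise Filters re-admit some.
        kept = [c for c in contributors if c in advertise]
        if suppress:
            warnings.append("Suppress Filters has no effect when Summary is enabled")
    else:
        # Without Summary everything is advertised; Suppress Filters remove some.
        kept = [c for c in contributors if c not in suppress]
        if advertise:
            warnings.append("Advertise Filters has no effect without Summary")
    return [str(agg)] + [str(c) for c in sorted(kept)], warnings

def rib_out_prefixes(cli_text):
    """Extract the first-column prefix from 'show routing protocol bgp rib-out' lines."""
    found = []
    for line in cli_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            found.append(str(ipaddress.ip_network(fields[0])))
        except ValueError:
            continue  # prompt line or anything that is not a prefix
    return found

def drift(expected, observed):
    """(prefixes advertised beyond policy, prefixes missing from the rib-out)."""
    return sorted(set(observed) - set(expected)), sorted(set(expected) - set(observed))

# Routes and rib-out lines below are copied from the article's examples.
ROUTES = ["80.0.0.0/8", "80.80.80.0/29", "80.80.80.1/32", "80.80.80.2/32"]
SPECIFICS = ["80.80.80.1/32", "80.80.80.2/32"]
OBSERVED = """PA-VM> show routing protocol bgp rib-out | match 80.
80.0.0.0/8 172.160.1.1 ECMP-peer-1 0.0.0.0 advertised aggregate route 65301
80.80.80.0/29 172.160.1.3 ECMP-peer-1 0.0.0.0 advertised not suppressed 65301"""

if __name__ == "__main__":
    want, notes = expected_rib_out("80.0.0.0/8", ROUTES, suppress=SPECIFICS)
    print(want, notes, drift(want, rib_out_prefixes(OBSERVED)))
```

A non-empty first element from `drift` means internal more-specific prefixes are reaching the peer that the aggregate configuration was meant to hide.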