How to configure BGP route filtering using Route-map and Prefix-list on the Advanced Routing Engine

Created On 07/22/24 02:33 AM - Last Modified 09/26/25 21:48 PM


Objective


Using the network diagram shown below, the goal is to establish specific routing policies:

  • Ensure the default route (0.0.0.0/0) from both ISPs is installed in the routing table for redundancy.
  • Traffic destined for the 192.168.0.0/16 network must exit through ISP1.
  • Traffic destined for the 10.0.0.0/8 network must exit through ISP2.
  • Filter all routes advertised for the 172.16.0.0/12 network from being installed in the routing table.
  • Configure the NGFW to increase its maximum prefix limit to prevent it from dropping routes. This will resolve the current issue shown in the logs (e.g., "Maximum prefix limit being hit").

routemap1.png

10:57:11 BGP: [MCWSV-FHNYK] %MAXPFX: No. of IPv4 Unicast prefix received from neighbor vm100-2(192.168.1.2) reaches 1, max 7
10:57:11 BGP: [QAZ2C-BZRW5] %MAXPFXEXCEED: No. of IPv4 Unicast prefix received from neighbor vm100-2(192.168.1.2) 8 exceed, limit 7
10:57:11 BGP: [HZN6M-XRM1G] %NOTIFICATION(Hard Reset): sent to neighbor vm100-2 6/1 (Cease/Maximum Number of Prefixes Reached) 7 bytes 00 01


Environment


  • Advanced Routing Engine
  • Logical Router
  • BGP
  • Prefix-list
  • Route-map
  • PAN-OS version
  • Routing table prior to implementation of solution
    • Default Route
are31.png
  • 192.168.0.0/16
are32.png
  • 10.0.0.0/8
are33.png
  • 172.16.0.0/12
are34.png
 


Procedure


I. Configuring Prefix-List

A. Create filters for ISP1:

 

  1. Define the name of the prefix-list filter by going to Network > Routing > Routing Profiles > Filters > Filters Prefix List > Add > Name. In this sample, we'll be using 2_ISP1.

are5a.png

  2. Allow the default route from ISP1 to be installed in BGP's RIB table. As highlighted above, click Add and use the following parameters:
    1. Seq: 10
    2. Action: Permit
    3. Prefix: Network
    4. Network: 0.0.0.0/0

Note: Since we are trying to match just the default route, we don't need to use the Greater Than Or Equal or Less Than Or Equal options.

are6.png

  3. Click OK to save
  4. Allow routes for 192.168.0.0/16 that have a subnet of /24 and its supernetworks. Click Add once again under Filter Prefix List 2_ISP1, and use the following values:
    1. Seq: 20
    2. Action: Permit
    3. Prefix: Network
    4. Network: 192.168.0.0/16
    5. Less Than Or Equal: 24

Note: We don't need to use the Greater Than Or Equal option to prevent networks that are part of 192.168.0.0/16 with a subnet smaller than /24 (that is, a prefix length longer than /24) from being accepted by BGP.

are7.png

  5. Click OK to save
  6. As a result, at this point we should have something like the following:

are8.png

  7. Click OK to save

 

B. Create filters for ISP2

 

  1. Define the name of the prefix-list filter by going to Network > Routing > Routing Profiles > Filters > Filters Prefix List > Add > Name. In this sample, we'll be using 2_ISP2.

are9.png

  2. Allow the default route from ISP2 to be installed in BGP's RIB table. As highlighted above, click Add and use the following parameters:
    1. Seq: 10
    2. Action: Permit
    3. Prefix: Network
    4. Network: 0.0.0.0/0

are10.png

  3. Click OK to save
  4. Allow routes for 10.0.0.0/8 that have a subnet of /16 and its supernetworks. Click Add once again under Filter Prefix List 2_ISP2, and use the following values:
    1. Seq: 20
    2. Action: Permit
    3. Prefix: Network
    4. Network: 10.0.0.0/8
    5. Less Than Or Equal: 16

Note: We don't need to use the Greater Than Or Equal option to prevent networks that are part of 10.0.0.0/8 with a subnet smaller than /16 (that is, a prefix length longer than /16) from being accepted by BGP.

are11.png

  5. Click OK to save
  6. As a result, at this point we should have something like the following:

are12.png

  7. Click OK to save

 

II. Configuring Route-map

 

  1. Define the name of the route-map filter by going to Network > Routing > Routing Profiles > Filters > Filters Route Maps BGP > Add > Name. In this sample, we'll be using My_BGP_Route_Map.

are13.png

  2. Assign the Prefix-list created for ISP1 to the route-map by clicking Add as highlighted above, and use the following parameters:
    1. Entry (tab):
      1. Seq: 10
      2. Action: Permit

are14.png

    2. Match (tab):
      1. Peer: ISP1
      2. Prefix List: 2_ISP1

are15.png

  3. Click OK to save
  4. Assign the Prefix-list created for ISP2 to the route-map by clicking Add as highlighted above (Step II.1), and use the following parameters:
    1. Entry (tab):
      1. Seq: 20
      2. Action: Permit

are17.png

    2. Match (tab):
      1. Peer: ISP2
      2. Prefix List: 2_ISP2

are18.png

  5. Click OK to save
  6. As a result, at this point we should have something like the following:

are19.png

  7. Click OK to save
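
The filtering logic configured in sections I and II, as an added example that is not part of the original article or any vendor code: it evaluates constructed sample routes against the 2_ISP1 and 2_ISP2 prefix lists and My_BGP_Route_Map. It assumes conventional prefix-list semantics (exact match when neither Greater Than Or Equal nor Less Than Or Equal is set, lowest matching sequence wins, implicit deny when nothing matches); the function names and sample routes are hypothetical.

```python
import ipaddress

# Prefix-list entries from sections I.A and I.B: (seq, action, network, ge, le).
PREFIX_LISTS = {
    "2_ISP1": [(10, "permit", "0.0.0.0/0", None, None),
               (20, "permit", "192.168.0.0/16", None, 24)],
    "2_ISP2": [(10, "permit", "0.0.0.0/0", None, None),
               (20, "permit", "10.0.0.0/8", None, 16)],
}
# Route-map entries from section II: (seq, action, peer, prefix-list name).
ROUTE_MAP = [(10, "permit", "ISP1", "2_ISP1"), (20, "permit", "ISP2", "2_ISP2")]


def entry_matches(route, network, ge, le):
    """Assumed conventional semantics: without ge/le only the exact prefix matches."""
    route, net = ipaddress.ip_network(route), ipaddress.ip_network(network)
    if ge is None and le is None:
        return route == net
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else net.max_prefixlen
    return route.subnet_of(net) and low <= route.prefixlen <= high


def prefix_list_action(name, route):
    """Lowest matching sequence number wins; no match is an implicit deny."""
    for _seq, action, network, ge, le in sorted(PREFIX_LISTS[name], key=lambda e: e[0]):
        if entry_matches(route, network, ge, le):
            return action
    return "deny"


def inbound_decision(peer, route):
    """Apply the route-map to a route received from `peer` (hypothetical helper)."""
    for _seq, action, rm_peer, plist in sorted(ROUTE_MAP, key=lambda e: e[0]):
        if rm_peer == peer and prefix_list_action(plist, route) == "permit":
            return action
    return "deny"  # no entry matched, so the route is not installed


# Constructed sample advertisements, not taken from the article's screenshots.
SAMPLES = [("ISP1", "0.0.0.0/0"), ("ISP1", "192.168.10.0/24"),
           ("ISP1", "192.168.10.128/25"), ("ISP1", "10.1.0.0/16"),
           ("ISP1", "172.16.0.0/12"), ("ISP2", "0.0.0.0/0"),
           ("ISP2", "10.1.0.0/16"), ("ISP2", "10.1.1.0/24"),
           ("ISP2", "192.168.10.0/24"), ("ISP2", "172.20.0.0/16")]

if __name__ == "__main__":
    for peer, route in SAMPLES:
        print(f"{peer:5} {route:20} {inbound_decision(peer, route)}")
```

Under these assumptions the 172.16.0.0/12 routes are dropped from both peers without any explicit deny entry, because neither prefix list permits them.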

III. Configuring BGP Filtering Profile

  1. Apply the above Route-map filter to the BGP Filtering Profile by going to Network > Routing > Routing Profiles > BGP > BGP Filtering Profile > Add, and use the following parameters:
    1. Name: My_BGP_Filtering_Profile
    2. Inbound Route Map: My_BGP_Route_Map

are20.png

  2. Click OK to save

IV. Applying the BGP Filtering Profile to the Logical Router

  1. Implement the BGP Filtering Profile by going to Network > Routing > Logical Router > [Logical_Router_Name] > BGP > Peer Group > [Peer_Group_Name] > IPv4 Filtering Profile > My_BGP_Filtering_Profile

are21.png

  2. Click OK twice, then Commit to save

V. Viewing the results from the Routing Table

To verify the routing table, go to Network > Routing > Logical Routers > More Runtime Stats

  1. Default Route (First Objective)

are100.png

  2. 192.168.0.0/16 (Second Objective)

are41.png

  3. 10.0.0.0/8 (Third Objective)

are42.png

  4. 172.16.0.0/12 (Fourth and Fifth Objectives)

are24.png


Additional Information


This Knowledge Base article builds on two previous ones, which are:


