How to Influence BGP Routes with Origin and MED Metrics

Created On 09/25/18 19:25 PM - Last Modified 06/05/23 08:57 AM


Resolution


Overview

This document describes the Origin and the MED attributes and how the Palo Alto Networks Firewall uses these attributes to influence BGP route selection.

 

Details

Origin Attribute:

Origin is a transitive mandatory attribute that describes how a route was learned at the origin, that is, at which stage the route was injected into BGP.

A route can have one of these 3 origin values:

  • IGP - Indicates that the route originated on a BGP router. This route type includes any route that originated from the BGP process on a BGP-speaking router. The NLRI (Network Layer Reachability Information) is interior to the originating AS.
  • EGP - Indicates that the route originated from an EGP session. The NLRI is learned via EGP (not E-BGP). Because EGP was a predecessor of BGP, an origin of EGP is rarely seen.
  • Incomplete - Indicates that the NLRI was learned by some means other than BGP, such as redistributing routes into BGP.

 

The order of preference for these routes is: IGP > EGP > Incomplete.

 

The Palo Alto Networks firewall can modify the origin of these routes when advertising them to a neighbor. In the web UI, this is configured at:

Network > Virtual Routers > BGP > Export > (export rule) > Action > Origin


MED (Multi-Exit Discriminator) Attribute:

MED is a non-transitive, non-mandatory attribute used to tell the neighbors in an adjacent AS how they should enter the AS of the Palo Alto Networks firewall. It is generally used to influence inbound routes when there are redundant connections (multiple entry points) from the firewall to the neighbors of the adjacent AS.

 

MED is exchanged only between autonomous systems and is propagated to all routers within the neighboring AS. MED is not passed on to any other autonomous system. When there are redundant BGP connections between the autonomous systems, the neighboring AS routers select the route with the lower advertised MED to send traffic to the Palo Alto Networks firewall.

 

On the Palo Alto Networks firewall, the MED advertised to adjacent peers is configured at:

Network > Virtual Routers > BGP > Export > (export rule) > Action > MED
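
The following is an added example, not Palo Alto Networks code: it parses the ORIGIN and MED path attributes as encoded in a BGP UPDATE (RFC 4271) and picks the preferred route using the two rules described above. It assumes all earlier best-path steps tie and that the routes come from the same neighboring AS; the peer names and attribute bytes are constructed for illustration.

```python
import struct

ORIGIN_NAMES = {0: "IGP", 1: "EGP", 2: "INCOMPLETE"}   # RFC 4271 ORIGIN values
TYPE_ORIGIN, TYPE_MED = 1, 4                             # RFC 4271 attribute type codes
FLAG_OPTIONAL, FLAG_TRANSITIVE, FLAG_EXT_LEN = 0x80, 0x40, 0x10

def parse_origin_med(data: bytes) -> dict:
    """Walk the path-attribute TLVs of an UPDATE and extract ORIGIN and MED."""
    out = {"origin": None, "med": None, "flags": {}}
    i = 0
    while i < len(data):
        hdr = 4 if data[i] & FLAG_EXT_LEN else 3         # flags, type, 1- or 2-byte length
        if i + hdr > len(data):
            raise ValueError("truncated attribute header")
        flags, type_code = data[i], data[i + 1]
        length = struct.unpack_from("!H", data, i + 2)[0] if hdr == 4 else data[i + 2]
        value = data[i + hdr:i + hdr + length]
        if len(value) != length:
            raise ValueError("truncated attribute value")
        if type_code == TYPE_ORIGIN:
            if length != 1 or value[0] not in ORIGIN_NAMES:
                raise ValueError("malformed ORIGIN")
            out["origin"] = value[0]
        elif type_code == TYPE_MED:
            if length != 4:
                raise ValueError("malformed MULTI_EXIT_DISC")
            out["med"] = struct.unpack("!I", value)[0]
        out["flags"][type_code] = flags                  # keep flags to inspect transitivity
        i += hdr + length
    if out["origin"] is None:
        raise ValueError("ORIGIN is mandatory but missing")
    return out

def preference_key(attrs: dict) -> tuple:
    """Lower tuple wins: ORIGIN code (IGP < EGP < INCOMPLETE), then lower MED."""
    med = attrs["med"] if attrs["med"] is not None else 0   # RFC 4271: absent MED counts as 0
    return (attrs["origin"], med)

def best_route(routes: dict) -> str:
    """Return the name of the route preferred on ORIGIN first, then MED."""
    return min(routes, key=lambda name: preference_key(parse_origin_med(routes[name])))

# Constructed sample attribute bytes (not captured traffic); peer names are hypothetical.
SAMPLE_ROUTES = {
    "peer-A": bytes.fromhex("40010100 80040400000032"),  # ORIGIN IGP,        MED 50
    "peer-B": bytes.fromhex("40010100 80040400000064"),  # ORIGIN IGP,        MED 100
    "peer-C": bytes.fromhex("40010102 8004040000000a"),  # ORIGIN INCOMPLETE, MED 10
}
```

With the sample data, peer-C advertises the lowest MED but still loses, because its Incomplete origin is compared before MED is considered.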


owner: kprakash


