How to filter routes being exported to BGP neighbor?
49009
Created On 10/02/19 03:11 AM - Last Modified 03/25/24 15:30 PM
Objective
- Limit which BGP routes are advertised to a downstream peer while keeping all of the routes in the local routing table.
- In the example below, Firewall FW holds routes for 180.10.x.x and 190.10.x.x and would normally advertise both to neighbor R3. The export filter configured on Firewall FW allows only the 180.10.x.x routes to be advertised to R3.
- The local route table of Firewall FW is not affected: both the 180.10.x.x and the 190.10.x.x routes remain in it. An export filter changes only what is sent to the peer, not what the firewall itself uses for forwarding.
Environment
- PAN-OS 7.1, 8.0, 8.1 and 9.0.
- Any Palo Alto Firewall.
- BGP configured.
Procedure
- From the WebGUI of Firewall FW, select Network > Virtual Routers and open the virtual router in which BGP is configured (Default in this example; substitute the name of your own virtual router).
- Select BGP > Export and click Add to create Export rule.
- In the General tab, type a name for the rule and make sure Enable is checked. Under Used By, click Add and select the BGP peer group whose neighbors should receive the filtered routes. In this example the export filter is applied to the peer group PEER-IBGP, whose member is R3.
- Click the Match tab and, under Address Prefix, add the prefix that should still be advertised. In this example 180.10.0.0/16 is added so that only 180.10.x.x routes are sent.
- Click the Action tab, select Allow under Action, and click OK.
- Click OK and Commit the configuration. Only 180.10.x.x routes are now advertised to PEER-IBGP. The 190.10.x.x routes match no export rule for that peer group and are no longer advertised, so no explicit Deny rule is needed for them.
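The same export rule expressed in the PAN-OS CLI, followed by the operational commands used to verify it. This is an added example and is not part of the original article; the virtual router name (default), the peer group name (PEER-IBGP, the group containing R3) and the rule name (EXPORT-TO-R3) are assumptions taken from the example above, and the keyword tree should be confirmed with ? completion on the PAN-OS version in use before it is applied.

```text
# Added example, not from the original article. Assumed names: virtual router
# "default", peer group "PEER-IBGP" (contains R3), rule name "EXPORT-TO-R3".
# Confirm each keyword with "?" completion on your PAN-OS version.

configure

# General tab: rule name, Enable, and the peer group it is used by
set network virtual-router default protocol bgp policy export rules EXPORT-TO-R3 enable yes
set network virtual-router default protocol bgp policy export rules EXPORT-TO-R3 used-by PEER-IBGP

# Match tab: Address Prefix 180.10.0.0/16. "exact no" corresponds to the Exact
# checkbox being cleared in the GUI; with "exact yes" only a route for exactly
# 180.10.0.0/16 would match the rule.
set network virtual-router default protocol bgp policy export rules EXPORT-TO-R3 match address-prefix 180.10.0.0/16 exact no

# Action tab: Allow
set network virtual-router default protocol bgp policy export rules EXPORT-TO-R3 action allow

commit
exit

# Verification (operational mode).
# What Firewall FW now advertises to its peers: only 180.10.x.x should appear.
show routing protocol bgp rib-out

# What Firewall FW still holds locally: both 180.10.x.x and 190.10.x.x remain.
show routing route type bgp
```

Before committing, it is worth diffing the candidate configuration (show config candidate, or the GUI's Commit > Preview Changes) against the running one, since a typo in the prefix or the peer group name silently results in the firewall advertising either nothing or everything to that group. After the commit, the rib-out output is the authoritative check on the firewall side; the Local RIB and route table on R3 confirm that the peer actually received only the allowed prefixes.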
Additional Information
To verify, check the RIB Out on Firewall FW in the GUI: Network > Virtual Routers > Default > More Runtime Stats > BGP > RIB Out. Only 180.10.x.x routes appear in the local RIB Out.
Similarly, the Local RIB of the peer router (PEER-IBGP / R3) displays only the 180.10.x.x networks.
The route table of the peer router (PEER-IBGP / R3) contains only the 180.10.x.x networks.
For comparison, this is the RIB Out table on Firewall FW before the filter was configured; it shows both the 180.10.x.x and the 190.10.x.x networks.