I thought I'd write up some basic BGP peering configs between a Palo device and Cisco routers in my lab for reference, starting with default route advertising, and focusing mostly on the Palo side.
Refer to the network topology below:
CS1 and the Palo are peered in ASN 65111 (iBGP) across the 10.1.1.0/29 subnet.
My goal here is to send a default route from the Palo to the CS-1 switch, with no static routes. I'm only dealing with Site 1 for now, and a single virtual router.
On the Palo, you can inject a default route into BGP even though that route is not in the routing table as it normally would be, much like "neighbor x.x.x.x default-originate" in Cisco.
https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000PNt2
You do that under BGP > Redistribution Rules. I set a metric of 10 here.
Now, you can scope the route to a particular neighbor if desired. I only want the default route to go to the core switch neighbor (CS1) on the LAN side. For this, you create an export policy that allows the routes you want (in this case the default) and specify the peer group. Peer groups are how you configure and group your BGP neighbor relationships, akin to BGP neighbor statements in Cisco, e.g. "neighbor 1.1.1.1 remote-as 65111".
There are two peer groups here: one for the LAN side (CS-1) and one for the ISP/WAN routers. I did have to create deny rules for the WAN peers; otherwise they would receive the default route as well, which I don't want.
You can check your outbound routes under BGP > RIB Out. Here you see the 0.0.0.0/0 route advertised to CS1 with a MED of 10, set in the redistribution rule above.
The route as received on the CS1 router from the Palo.
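As an added reference (not the author's configuration, which was done in the GUI), here is the same setup expressed as PAN-OS "set" commands plus the matching Cisco IOS side. Everything beyond what the post states is assumed: the virtual router is named "default", the Palo's LAN address is 10.1.1.1/29 on ethernet1/2, CS1 is 10.1.1.2, the peer groups are called LAN and WAN, and the WAN peer address and ASN are placeholders. Check the command syntax against your own PAN-OS version before committing.

```text
# --- Palo Alto side: PAN-OS configure mode (assumed names/addresses, verify on your version) ---
set network virtual-router default protocol bgp enable yes
set network virtual-router default protocol bgp router-id 10.1.1.1
set network virtual-router default protocol bgp local-as 65111

# LAN peer group: iBGP to CS1 (same ASN 65111)
set network virtual-router default protocol bgp peer-group LAN type ibgp export-nexthop original
set network virtual-router default protocol bgp peer-group LAN peer CS1 peer-as 65111
set network virtual-router default protocol bgp peer-group LAN peer CS1 peer-address ip 10.1.1.2
set network virtual-router default protocol bgp peer-group LAN peer CS1 local-address interface ethernet1/2
set network virtual-router default protocol bgp peer-group LAN peer CS1 local-address ip 10.1.1.1/29
set network virtual-router default protocol bgp peer-group LAN peer CS1 enable yes

# WAN peer group: ISP routers (placeholder ASN/addresses, not from the post)
set network virtual-router default protocol bgp peer-group WAN type ebgp export-nexthop resolve
set network virtual-router default protocol bgp peer-group WAN peer ISP1 peer-as <ISP-ASN>
set network virtual-router default protocol bgp peer-group WAN peer ISP1 peer-address ip <ISP1-PEER-IP>
set network virtual-router default protocol bgp peer-group WAN peer ISP1 local-address interface <WAN-INTERFACE>
set network virtual-router default protocol bgp peer-group WAN peer ISP1 local-address ip <WAN-LOCAL-IP/PREFIX>
set network virtual-router default protocol bgp peer-group WAN peer ISP1 enable yes

# Redistribution rule: originate 0.0.0.0/0 into BGP even though it is not in the RIB
# (the "default-originate" equivalent). The metric becomes the MED CS1 sees.
set network virtual-router default protocol bgp redist-rules 0.0.0.0/0 enable yes
set network virtual-router default protocol bgp redist-rules 0.0.0.0/0 metric 10

# Export policy: allow the default only toward the LAN peer group...
set network virtual-router default protocol bgp policy export rules Default-to-LAN enable yes
set network virtual-router default protocol bgp policy export rules Default-to-LAN used-by LAN
set network virtual-router default protocol bgp policy export rules Default-to-LAN match address-prefix 0.0.0.0/0 exact yes
set network virtual-router default protocol bgp policy export rules Default-to-LAN action allow

# ...and explicitly deny it toward the WAN peer group, so the ISPs never receive it
set network virtual-router default protocol bgp policy export rules No-Default-to-WAN enable yes
set network virtual-router default protocol bgp policy export rules No-Default-to-WAN used-by WAN
set network virtual-router default protocol bgp policy export rules No-Default-to-WAN match address-prefix 0.0.0.0/0 exact yes
set network virtual-router default protocol bgp policy export rules No-Default-to-WAN action deny
commit

# Verification on the Palo (operational mode): peer state, then what is actually sent per peer
show routing protocol bgp peer
show routing protocol bgp rib-out

! --- CS1 side: Cisco IOS ---
router bgp 65111
 bgp router-id 10.1.1.2
 neighbor 10.1.1.1 remote-as 65111
 neighbor 10.1.1.1 description Palo-iBGP
!
! Confirm the default arrived from 10.1.1.1 with MED 10 and was installed
show ip bgp 0.0.0.0/0
show ip route 0.0.0.0 0.0.0.0
```

The point of the second export rule is the same one the post makes: without it, the redistributed default goes to every peer group, including the ISP routers, and advertising a default toward an upstream is exactly the kind of route leak you want policy to rule out. Before trusting the policy, read "show routing protocol bgp rib-out" for each WAN peer and confirm 0.0.0.0/0 is absent there and present only for CS1.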
I hope to have a lot more Palo-based labs in the future. Thanks for reading!