In this post, I want to go over a typical dual-ISP topology with default routes learned via BGP, using a Palo Alto gateway as the edge device.
Referencing the topology below, we have our 2 ISPs. Each ISP will send our firewall a default route via an eBGP peering. ISP1 will be our preferred path out, so we want to make this route more attractive.
We can do this with Local Preference.
Remember the BGP path-selection hierarchy. Weight is a Cisco-only criterion (mostly; Palo does support it), but Local Preference is more suitable here.
The first thing I want to do is disable the injected default route I had set up on the Palo and exported to CS1, as there will be no need for it now. I'll just go to Default Router - BGP - Redist Rules and disable the rule.
We will configure the ISP 1 and 2 routers to export their default routes to the Palo, then create import policies on the Palo to change the local preference on those routes. The route with the higher preference will be used as the egress route.
ISP1-1 pertinent config lines:
Default-originate injects the default route for that specific neighbor (the Palo). Routes are scoped with a prefix list, which is referenced in a route-map; the route-map is used in the neighbor statement and applied to outbound routes. I also added the 5.5.5.5 route and applied a metric of 11 to it, just to illustrate how that is done.
router bgp 1
bgp log-neighbor-changes
redistribute connected
redistribute static
neighbor 1.1.1.2 remote-as 5
neighbor 1.1.1.2 soft-reconfiguration inbound
neighbor 1.1.1.10 remote-as 65111
neighbor 1.1.1.10 description "ISP1-to-Palo-send default only-5.x route w metric of 11"
neighbor 1.1.1.10 default-originate
neighbor 1.1.1.10 route-map DEFAULT-ONLY out
!
ip prefix-list DEFAULT-ROUTE seq 5 permit 0.0.0.0/0
ip prefix-list DEFAULT-ROUTE seq 7 permit 5.5.5.5/32
ip prefix-list DEFAULT-ROUTE seq 10 deny 0.0.0.0/0 le 32
!
route-map DEFAULT-ONLY permit 5
match ip address prefix-list DEFAULT-ROUTE
set metric 11
ISP1-2 pertinent config lines:
Same config here, just a different specific route:
router bgp 11
bgp log-neighbor-changes
redistribute connected
redistribute static
neighbor 11.11.11.2 remote-as 55
neighbor 11.11.11.2 soft-reconfiguration inbound
neighbor 11.11.11.10 remote-as 65111
neighbor 11.11.11.10 description "ISP1-to-Palo-send default only-55.x route w metric of 11"
neighbor 11.11.11.10 default-originate
neighbor 11.11.11.10 route-map DEFAULT-ONLY out
!
ip prefix-list DEFAULT-ROUTE seq 5 permit 0.0.0.0/0
ip prefix-list DEFAULT-ROUTE seq 7 permit 55.55.55.55/32
ip prefix-list DEFAULT-ROUTE seq 10 deny 0.0.0.0/0 le 32
!
route-map DEFAULT-ONLY permit 5
match ip address prefix-list DEFAULT-ROUTE
set metric 11
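To make the filtering in both ISP router configs above concrete, here is an added Python model of IOS prefix-list and route-map evaluation. It is not code from the post or from Cisco; the ISP1-1 BGP table contents (the link prefix 1.1.1.8/29 and an internal 10.1.0.0/16) are constructed for the demonstration. It goes a little beyond the post's entries by implementing the general ge/le length-range semantics, which is what makes `deny 0.0.0.0/0 le 32` a catch-all while the bare `permit 0.0.0.0/0` matches only the default route itself.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixListEntry:
    seq: int
    action: str            # "permit" or "deny"
    prefix: str            # network in CIDR form, e.g. "0.0.0.0/0"
    ge: Optional[int] = None
    le: Optional[int] = None


def entry_matches(entry: PrefixListEntry, route: str) -> bool:
    """IOS prefix-list semantics: the route must lie inside entry.prefix, and its
    mask length must equal the entry's length unless ge/le widen the range."""
    net = ipaddress.ip_network(entry.prefix, strict=False)
    rt = ipaddress.ip_network(route, strict=False)
    if not rt.subnet_of(net):
        return False
    low = entry.ge if entry.ge is not None else net.prefixlen
    if entry.le is not None:
        high = entry.le
    elif entry.ge is not None:
        high = net.max_prefixlen          # bare "ge N" means N..32
    else:
        high = net.prefixlen              # no ge/le: exact length only
    return low <= rt.prefixlen <= high


def prefix_list_permits(entries: List[PrefixListEntry], route: str) -> bool:
    # Entries are evaluated in sequence order; the first match decides, and a
    # route that matches nothing hits the implicit deny at the end of the list.
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry_matches(entry, route):
            return entry.action == "permit"
    return False


# The DEFAULT-ROUTE prefix list from the ISP1-1 config in the post.
ISP1_1_DEFAULT_ROUTE = [
    PrefixListEntry(5, "permit", "0.0.0.0/0"),
    PrefixListEntry(7, "permit", "5.5.5.5/32"),
    PrefixListEntry(10, "deny", "0.0.0.0/0", le=32),   # explicit catch-all deny
]


def route_map_default_only(entries: List[PrefixListEntry], route: str) -> Optional[Tuple[str, int]]:
    # route-map DEFAULT-ONLY permit 5: match the prefix list, set metric 11.
    # A route that matches no permit clause is dropped (implicit deny).
    if prefix_list_permits(entries, route):
        return (route, 11)
    return None


def advertised_to_neighbor(entries: List[PrefixListEntry], bgp_table: List[str]) -> List[Tuple[str, int]]:
    """What the outbound route-map lets through to the Palo, as (prefix, metric) pairs."""
    out = []
    for route in bgp_table:
        result = route_map_default_only(entries, route)
        if result is not None:
            out.append(result)
    return out


# Constructed ISP1-1 BGP table: the default, its specific /32, the peering link and an internal prefix.
ISP1_1_BGP_TABLE = ["0.0.0.0/0", "5.5.5.5/32", "1.1.1.8/29", "10.1.0.0/16"]

if __name__ == "__main__":
    for prefix, metric in advertised_to_neighbor(ISP1_1_DEFAULT_ROUTE, ISP1_1_BGP_TABLE):
        print(f"advertise {prefix} metric {metric}")
```

Only the default and the 5.5.5.5/32 host route survive the outbound policy; the link and internal prefixes fall through to the deny. Dropping the explicit seq 10 entry changes nothing, because the implicit deny at the end of every prefix list does the same job.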
You can check what routes are being advertised to a specific neighbor with the command below:
Here are the peer groups (neighbor statements, in effect) on the Palo side: one group for each ISP router and one for the LAN core switch.
Next, we create an Import policy on the Palo for each ISP router. Each router will have an import rule for its respective default route and specific route (5.x \ 55.x), with a deny at the end. ISP1 will have its Local Preference changed to 200, making this the preferred path.
We also want an Export policy for the 0.0.0.0 default route sent to CS1. Since this route is learned from an eBGP speaker (the ISP routers to the Palo) and then sent on to an iBGP speaker (Palo to CS1), it was retaining the next-hop address of 1.1.1.9 \ 11.11.11.9, the ISP interfaces where the route was originated, and passing that on to CS1. CS1 has no idea how to get to those networks! Here you need to enable Use Self on the LAN-PEERS peer group. This is the equivalent of the next-hop-self directive in a neighbor statement on Cisco IOS.
Here is the Import policy for the default route learned from ISP1-1, setting the Local Pref to 200.
Similarly, we set the Local Pref for ISP1-2 to 150.
Here, in the local BGP RIB on the Palo, you can see the imported route from ISP1 with the new local pref of 200.
And the local RIB Out: only the default route from ISP1 is exported by the Palo to CS1, now with the correct next hop and a local pref of 200.
Palo routing table
And here's the default route in CS1's BGP table.
Now let's test our design and fail the primary ISP1 link.
Our peering with ISP-1 is down!
And the Palo has now installed the default route pointing to ISP2.
BGP Table
And finally, the exported routes (RIB Out) to CS1, with a local pref of 150.
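The import policies, the Use Self rewrite on export to CS1, and the failover just shown are tied together in the following added Python model of the Palo's BGP decision. This is not the firewall's code or the post's configuration; it is an illustration of the path-selection logic the design relies on. The Adj-RIB-In entries are constructed from the addressing in the post (ISP next hops 1.1.1.9 and 11.11.11.9, the 5.x and 55.x specifics), the Palo's address facing CS1 is an assumed placeholder, and the leaked 10.0.0.0/8 prefix is constructed only to show the deny at the end of the import rules doing its job.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class BgpPath:
    prefix: str
    next_hop: str
    peer: str                    # Palo peer-group name the path was learned from
    as_path: Tuple[int, ...]
    local_pref: int = 100        # default LOCAL_PREF before any import policy runs
    med: int = 0


# Import rules modelled on the post: each ISP peer may hand us its default
# route plus its one specific route; ISP1-1 paths get LP 200, ISP1-2 paths
# get LP 150, and anything else hits the deny at the end of the policy.
IMPORT_RULES = {
    "ISP1-1": ({"0.0.0.0/0", "5.5.5.5/32"}, 200),
    "ISP1-2": ({"0.0.0.0/0", "55.55.55.55/32"}, 150),
}

PALO_LAN_IP = "192.0.2.1"   # assumed placeholder for the Palo's address facing CS1


def apply_import_policy(path: BgpPath) -> Optional[BgpPath]:
    rule = IMPORT_RULES.get(path.peer)
    if rule is None or path.prefix not in rule[0]:
        return None                      # final deny: the route never enters the Loc-RIB
    return replace(path, local_pref=rule[1])


def best_path(paths: List[BgpPath]) -> BgpPath:
    # The slice of BGP best-path selection this design depends on:
    # highest LOCAL_PREF wins, then shortest AS_PATH, then lowest MED.
    return max(paths, key=lambda p: (p.local_pref, -len(p.as_path), -p.med))


def compute_loc_rib(adj_rib_in: List[BgpPath]) -> Dict[str, BgpPath]:
    """Run every received path through the import policy, then pick one best path per prefix."""
    accepted: Dict[str, List[BgpPath]] = {}
    for path in adj_rib_in:
        imported = apply_import_policy(path)
        if imported is not None:
            accepted.setdefault(imported.prefix, []).append(imported)
    return {prefix: best_path(paths) for prefix, paths in accepted.items()}


def rib_out_to_cs1(loc_rib: Dict[str, BgpPath], self_ip: str) -> Dict[str, BgpPath]:
    # Export policy: only the default route goes to CS1, and because CS1 is an
    # iBGP peer the eBGP-learned next hop is rewritten to our own address
    # (the "Use Self" setting on the LAN-PEERS group / next-hop-self on IOS).
    out: Dict[str, BgpPath] = {}
    for prefix, path in loc_rib.items():
        if prefix == "0.0.0.0/0":
            out[prefix] = replace(path, next_hop=self_ip)
    return out


def drop_peer(adj_rib_in: List[BgpPath], down_peer: str) -> List[BgpPath]:
    """Simulate the peering to one ISP going down: all its paths are withdrawn."""
    return [p for p in adj_rib_in if p.peer != down_peer]


# Constructed Adj-RIB-In using the post's addressing; ISP1-1 is AS 1, ISP1-2 is AS 11.
ADJ_RIB_IN = [
    BgpPath("0.0.0.0/0", "1.1.1.9", "ISP1-1", (1,)),
    BgpPath("5.5.5.5/32", "1.1.1.9", "ISP1-1", (1,), med=11),
    BgpPath("0.0.0.0/0", "11.11.11.9", "ISP1-2", (11,)),
    BgpPath("55.55.55.55/32", "11.11.11.9", "ISP1-2", (11,), med=11),
    BgpPath("10.0.0.0/8", "11.11.11.9", "ISP1-2", (11, 65000)),   # constructed leak, must be denied
]

if __name__ == "__main__":
    steady = compute_loc_rib(ADJ_RIB_IN)
    print("steady state default:", steady["0.0.0.0/0"])
    print("to CS1:", rib_out_to_cs1(steady, PALO_LAN_IP))
    failed = compute_loc_rib(drop_peer(ADJ_RIB_IN, "ISP1-1"))
    print("after ISP1-1 failure:", failed["0.0.0.0/0"])
    print("to CS1:", rib_out_to_cs1(failed, PALO_LAN_IP))
```

In steady state the default via 1.1.1.9 wins on LOCAL_PREF 200 and reaches CS1 with the Palo's own address as next hop; withdraw ISP1-1 and the LP 150 default via 11.11.11.9 takes over with no configuration change, which is exactly the behaviour the screenshots above walk through. The leaked 10.0.0.0/8 never makes it into the Loc-RIB, which is the point of ending each import policy with a deny.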
As a side note, make sure your destination interfaces are specified in your NAT/PAT rules; otherwise nothing past the topmost rule will be evaluated or used, since the traffic matches the same source and destination zones for both rules.
Hope this basic Palo Alto BGP config walk-through was helpful. Thanks for reading my blog!