My goal here is to have IPS1 peer with the Palo, send it only a default route (or any other more specific route specified)…with a preconfigured metric
Here’s some background on generating default routes: https://community.cisco.com/t5/routing/difference-between-default-originate-and-network-0-0-0-0-in-bgp/td-p/1780201
Referring to the topology below: ISP-1 is peered with the Palo via eBGP – ASN 1 \ ASN 65111
Firstly … on the ISP-1 router, you inject the default into BGP. You can do it like this, at the neighbor statement (under the router bgp 1 process). Note that this route is NOT in the routing table beforehand; it is “artificially” injected:
router bgp 1
 neighbor 1.1.1.10 default-originate
Next, create a prefix list to identify the routes you want to send to the neighbor, and block the rest. Here, I’m permitting the 0.0.0.0 default route and the 5.5.5.5 host route, then denying all prefixes with a length less than or equal to (le) 32…which is everything else.
ip prefix-list DEFAULT-ROUTE seq 5 permit 0.0.0.0/0
ip prefix-list DEFAULT-ROUTE seq 7 permit 5.5.5.5/32
ip prefix-list DEFAULT-ROUTE seq 10 deny 0.0.0.0/0 le 32
Next, create a route-map and reference the prefix-list you just created. I also wanted to set the metric here, presumably for both allowed routes, to 11.
route-map DEFAULT-ONLY permit 5
match ip address prefix-list DEFAULT-ROUTE
set metric 11
Now, you reference the route-map in a neighbor statement (again under the router bgp 1 process) that will filter the outbound routes to this particular neighbor, in this case, the Palo.
router bgp 1
 neighbor 1.1.1.10 route-map DEFAULT-ONLY out
You can use this command to force the updates outbound to the neighbor (Palo) to be re-sent without tearing down the established peering.
clear ip bgp 1.1.1.10 soft out
You can see above, in the Palo’s routes received from the ISP-1 router, that the 5.5.5.5 route WILL have its metric set; the default route, included in the same prefix list, will not. That is because it is a default-originate route and NOT really in the routing table, so it behaves differently: on IOS the default generated by default-originate is injected straight into the update for that neighbor and is not run through the neighbor’s outbound route-map, so the set metric never touches it.
From the perspective of the ISP-1 router (the sending router):
show ip bgp neighbors 1.1.1.10 advertised-routes
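To make the prefix-list and route-map steps above concrete, and to give you a way to audit what the Palo actually received against that policy, here is an added Python model (my example, not configuration from this post or code from IOS). It implements IOS prefix-list matching semantics (sequence order, ge/le bounds, implicit deny), applies the DEFAULT-ONLY route-map to candidate prefixes, and then checks a constructed received-routes table for two things a defender cares about: prefixes that leaked past the filter, and metrics that do not match the policy (which is exactly how the default-originate quirk shows up). The received-routes table, its column layout and the MED values are all constructed for the demonstration.

```python
"""Local model of the ISP-1 outbound BGP policy from this post, used to audit
what the peer received. Added example; the route table below is constructed."""
import ipaddress
import re

# ip prefix-list DEFAULT-ROUTE, in sequence order: (action, prefix, ge, le)
PREFIX_LIST_DEFAULT_ROUTE = [
    ("permit", "0.0.0.0/0", None, None),   # seq 5  : exactly the default
    ("permit", "5.5.5.5/32", None, None),  # seq 7  : exactly the /32
    ("deny",   "0.0.0.0/0", None, 32),     # seq 10 : any length 0..32 = everything
]

ROUTE_MAP_METRIC = 11  # route-map DEFAULT-ONLY permit 5 / set metric 11


def entry_matches(entry, route):
    """IOS prefix-list semantics for one entry: the route must sit inside the
    entry's network and its prefix length must satisfy the ge/le bounds.
    With neither ge nor le, the length must equal the entry's own length."""
    _action, prefix, ge, le = entry
    net = ipaddress.ip_network(prefix)
    rt = ipaddress.ip_network(route)
    if not rt.subnet_of(net):
        return False
    low = ge if ge is not None else net.prefixlen
    if le is not None:
        high = le
    else:
        high = net.max_prefixlen if ge is not None else net.prefixlen
    return low <= rt.prefixlen <= high


def prefix_list_permits(plist, route):
    """First matching entry decides; an unmatched route hits the implicit deny."""
    for entry in plist:
        if entry_matches(entry, route):
            return entry[0] == "permit"
    return False


def apply_route_map(route):
    """route-map DEFAULT-ONLY: sequence 5 matches the prefix list and sets the
    metric; anything else falls through to the route-map's implicit deny.
    Returns the metric the route should carry, or None if it must not be sent."""
    if prefix_list_permits(PREFIX_LIST_DEFAULT_ROUTE, route):
        return ROUTE_MAP_METRIC
    return None


# Constructed stand-in for the Palo's view of routes received from ISP-1
# (prefix, next hop, MED). Values mirror the post's observation: the /32 got
# the metric, the generated default did not.
RECEIVED_FROM_ISP1 = """\
Prefix            NextHop     MED
0.0.0.0/0         1.1.1.1     0
5.5.5.5/32        1.1.1.1     11
"""

LINE_RE = re.compile(r"^(\S+/\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_received(dump):
    """Return {prefix: med} from the constructed table, skipping the header."""
    routes = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m:
            routes[m.group(1)] = int(m.group(3))
    return routes


def audit(dump):
    """Compare what the peer received with the policy. Returns (leaks, mismatches):
    leaks are prefixes the route-map should have dropped; mismatches map a
    prefix to (received MED, MED the policy intended)."""
    received = parse_received(dump)
    leaks = sorted(p for p in received if apply_route_map(p) is None)
    mismatches = {}
    for prefix, med in received.items():
        expected = apply_route_map(prefix)
        if expected is not None and med != expected:
            mismatches[prefix] = (med, expected)
    return leaks, mismatches


if __name__ == "__main__":
    for candidate in ("0.0.0.0/0", "5.5.5.5/32", "10.0.0.0/24"):
        print(candidate, "->", apply_route_map(candidate))
    print(audit(RECEIVED_FROM_ISP1))
```

Running it shows 0.0.0.0/0 and 5.5.5.5/32 permitted with metric 11 and 10.0.0.0/24 dropped by the le 32 catch-all, then an audit with no leaks but one metric mismatch on the default (received 0, policy said 11). Feeding it a table with an unexpected prefix reports that prefix as a leak, which is the check worth running whenever the outbound policy on an ISP-facing router is changed.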
Next time, I’ll dive into how we can further manipulate this default route, making it more or less preferred for traffic headed out of our AS towards the internet.