Palo Alto – BGP Load sharing, dual-homed to single ISP

This post details the Palo Alto firewall configuration required when connecting it to multiple routers belonging to a single ISP. It will cover BGP prefix attributes that can be modified to affect path selection. It was inspired by this post on the Palo Alto Livecommunity.

| Prefix          | Connected to |
|-----------------|--------------|
| 30.30.1.0/24    | Palo Alto    |
| 100.100.51.0/24 | ISP01        |
| 100.100.52.0/24 | ISP02        |

Note that, with all BGP path attributes equal, the Palo Alto prefers ISP01 for both of the AS64513 prefixes. Interestingly, this is at odds with Step 10 of Cisco's BGP Best Path Selection Algorithm (prefer the oldest path): even though the peering to ISP02 is older, ISP01 is preferred, so the selection must be based on the lowest neighbour address (Step 13).

We can see that both ISP routers prefer the eBGP path to the 30.30.1.0/24 prefix.

ISP01#sh ip bgp ipv4 unicast
BGP table version is 16, local router ID is 100.100.100.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  30.30.1.0/24     100.100.1.1                            0 64512 ?
 * i                  100.100.2.1              0    100      0 64512 ?
 *>  100.100.51.0/24  0.0.0.0                  0         32768 i
 *>i 100.100.52.0/24  100.100.100.2            0    100      0 i

ISP02#sh ip bgp ipv4 unicast
BGP table version is 13, local router ID is 100.100.100.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 * i 30.30.1.0/24     100.100.1.1              0    100      0 64512 ?
 *>                   100.100.2.1                            0 64512 ?
 *>i 100.100.51.0/24  100.100.100.1            0    100      0 i
 *>  100.100.52.0/24  0.0.0.0                  0         32768 i

Now let's look at influencing the BGP path selection for traffic egressing the Palo Alto so that it prefers the path to the ISP02 router. To do this we create a BGP Import policy that gives prefixes received from PeerGrp02 a higher Local Preference.

Once the Import policy has been committed, check the BGP Local RIB and observe that the preferred next hop for both ISP prefixes (100.100.51.0/24 and 100.100.52.0/24) is now the ISP02 router.

To influence the path taken by routers in AS64513 we use MED; a prefix with a lower MED value is preferred. To set the MED we use two BGP Export rules. The first matches PeerGrp02 and advertises a MED of 0 with all BGP prefixes. The second matches PeerGrp01 and sets a MED of 100.

Once the Export Policies have been committed, check the BGP RIB Out to confirm that the MED values are being advertised to the ISP routers as intended.
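To make the three decisions described above concrete (the all-equal tie on the Palo Alto, the Local Preference raised by the Import policy, and the MED comparison a router inside AS64513 performs), here is a simplified best-path selector written as an added example. It is not code from the original post, nor from Palo Alto or Cisco. The Palo Alto's two eBGP neighbour addresses (100.100.1.2 and 100.100.2.2) are assumed, since the post does not list them; the router IDs 100.100.100.1 and 100.100.100.2 are from the post. Router-ID and cluster-list tie-breaks are deliberately left out so that, with every attribute equal, the lowest neighbour address decides, matching what the post observes on the Palo Alto.

```python
"""Simplified BGP best-path selection applied to the post's topology.

Added example; not code from the original post, Palo Alto or Cisco.
Steps, in order: highest weight, highest local preference, shortest
AS path, lowest origin code, lowest MED (compared only between paths
from the same neighbouring AS), eBGP over iBGP, lowest neighbour address.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP < EGP < incomplete


@dataclass(frozen=True)
class Path:
    prefix: str
    neighbor: str        # BGP peer the path was learned from
    as_path: tuple       # ASNs left to right; as_path[0] is the neighbouring AS
    origin: str = "i"
    med: int = 0
    local_pref: int = 100
    weight: int = 0
    ebgp: bool = True

    @property
    def neighbor_as(self):
        return self.as_path[0] if self.as_path else None


def best_path(paths):
    """Return the winning Path, or None for an empty list."""
    cands = list(paths)
    if not cands:
        return None

    def keep(key, prefer_max):
        nonlocal cands
        target = (max if prefer_max else min)(key(p) for p in cands)
        cands = [p for p in cands if key(p) == target]

    keep(lambda p: p.weight, prefer_max=True)
    keep(lambda p: p.local_pref, prefer_max=True)
    keep(lambda p: len(p.as_path), prefer_max=False)
    keep(lambda p: ORIGIN_RANK[p.origin], prefer_max=False)
    if len({p.neighbor_as for p in cands}) == 1:   # MED only comparable within one AS
        keep(lambda p: p.med, prefer_max=False)
    if any(p.ebgp for p in cands):                 # eBGP beats iBGP
        cands = [p for p in cands if p.ebgp]
    keep(lambda p: IPv4Address(p.neighbor), prefer_max=False)
    return cands[0]


# Assumed addresses of the Palo Alto's eBGP neighbours (not given in the post).
ISP01_NEIGHBOR = "100.100.1.2"
ISP02_NEIGHBOR = "100.100.2.2"


def palo_alto_paths(prefix, peergrp02_local_pref=100):
    """The two eBGP paths the Palo Alto holds for an AS64513 prefix.  Raising
    peergrp02_local_pref models the BGP Import policy applied to PeerGrp02."""
    return [
        Path(prefix, ISP01_NEIGHBOR, (64513,)),
        Path(prefix, ISP02_NEIGHBOR, (64513,), local_pref=peergrp02_local_pref),
    ]


def isp_core_paths(prefix="30.30.1.0/24"):
    """What a router deeper in AS64513 (ISP03 in the post) holds after the two
    Export rules: MED 100 via ISP01 and MED 0 via ISP02, both iBGP, origin '?'."""
    return [
        Path(prefix, "100.100.100.1", (64512,), origin="?", med=100, ebgp=False),
        Path(prefix, "100.100.100.2", (64512,), origin="?", med=0, ebgp=False),
    ]


def egress_neighbor(prefix, peergrp02_local_pref=100):
    """Neighbour the Palo Alto would send traffic for `prefix` towards."""
    return best_path(palo_alto_paths(prefix, peergrp02_local_pref)).neighbor


if __name__ == "__main__":
    for pfx in ("100.100.51.0/24", "100.100.52.0/24"):
        print(pfx, "default ->", egress_neighbor(pfx),
              "| LocPref 200 on PeerGrp02 ->", egress_neighbor(pfx, 200))
    print("ISP03 best path for 30.30.1.0/24 ->", best_path(isp_core_paths()).neighbor)
```

With the defaults both AS64513 prefixes resolve to the ISP01 neighbour purely on the neighbour-address tie-break; giving PeerGrp02 a Local Preference of 200 flips both to ISP02 before any later step is reached, and the ISP03 case shows MED 0 beating MED 100 once the earlier attributes tie.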

Now take a look at the ISP routers:

ISP01#sh ip bgp ipv4 unicast 
BGP table version is 4, local router ID is 100.100.100.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 * i 30.30.1.0/24     100.100.2.1              0    100      0 64512 ?
 *>                   100.100.1.1            100             0 64512 ?
 *>  100.100.51.0/24  0.0.0.0                  0         32768 i
 *>i 100.100.52.0/24  100.100.100.2            0    100      0 i

ISP02#sh ip bgp ipv4 unicast
BGP table version is 4, local router ID is 100.100.100.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  30.30.1.0/24     100.100.2.1              0             0 64512 ?
 * i                  100.100.1.1            100    100      0 64512 ?
 *>i 100.100.51.0/24  100.100.100.1            0    100      0 i
 *>  100.100.52.0/24  0.0.0.0                  0         32768 i

OK, so we can see that the MED value is being advertised between the iBGP peers, but on ISP01 and ISP02 the path via the eBGP peer is still preferred, as per the BGP path selection process. However, if we look at the ISP03 router, we can see that the MED value is having the desired effect: ISP02 is selected as the next hop towards the Palo Alto.

ISP03>sh ip bgp ipv4 unicast 
BGP table version is 5, local router ID is 100.100.100.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 * i 30.30.1.0/24     100.100.100.1          100    100      0 64512 ?
 *>i                  100.100.100.2            0    100      0 64512 ?
 *>i 100.100.51.0/24  100.100.100.1            0    100      0 i
 *>i 100.100.52.0/24  100.100.100.2            0    100      0 i
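The outputs above are easy to misread because the Metric, LocPrf and Weight columns are right-aligned and frequently blank, so a whitespace split gives ambiguous results. As an added example (not code from the original post), the following parser slices the IOS `show ip bgp ipv4 unicast` table by the column positions of its header line and then checks, per prefix, which next hop is best and whether the lowest MED is what carried it. The two sample outputs are transcribed from the post's ISP01 and ISP03 tables taken after the MED Export rules were committed.

```python
"""Parser for the IOS 'show ip bgp ipv4 unicast' table, plus a MED check.

Added example, not code from the original post.  The samples are transcribed
from the post's ISP01 and ISP03 output after the MED Export rules were applied.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class BgpEntry:
    best: bool                 # '>' in the status column
    internal: bool             # 'i' in the status column (learned via iBGP)
    network: str
    next_hop: str
    metric: Optional[int]      # the MED; None when the column is blank
    local_pref: Optional[int]  # None when blank (eBGP-learned routes on IOS)
    weight: int
    as_path: tuple
    origin: str


def parse_show_ip_bgp(text):
    """One BgpEntry per table row.  Column boundaries come from the
    'Network ... Path' header, so blank Metric/LocPrf/Weight cells are
    handled by position rather than by an ambiguous whitespace split."""
    lines = text.splitlines()
    hdr_idx = next(i for i, l in enumerate(lines) if l.lstrip().startswith("Network"))
    c = {n: lines[hdr_idx].index(n)
         for n in ("Network", "Next Hop", "Metric", "LocPrf", "Weight", "Path")}
    entries, last_network = [], None
    for line in lines[hdr_idx + 1:]:
        status = line[:c["Network"]]
        if "*" not in status:          # only valid routes are table rows
            continue
        # A blank Network cell means "same prefix as the row above".
        network = line[c["Network"]:c["Next Hop"]].strip() or last_network
        last_network = network
        metric = line[c["Metric"]:c["LocPrf"]].strip()
        locprf = line[c["LocPrf"]:c["Weight"]].strip()
        weight = line[c["Weight"]:c["Path"]].strip()
        path = line[c["Path"]:].split()
        entries.append(BgpEntry(
            best=">" in status, internal="i" in status, network=network,
            next_hop=line[c["Next Hop"]:c["Metric"]].strip(),
            metric=int(metric) if metric else None,
            local_pref=int(locprf) if locprf else None,
            weight=int(weight) if weight else 0,
            as_path=tuple(int(a) for a in path[:-1]),
            origin=path[-1] if path else "?"))
    return entries


def best_entry(entries, network):
    """The row marked '>' for `network`, or None."""
    return next((e for e in entries if e.network == network and e.best), None)


def med_by_next_hop(entries, network):
    """Map next hop -> MED for every path held for `network`."""
    return {e.next_hop: e.metric for e in entries if e.network == network}


def med_steering_ok(entries, network, wanted_next_hop):
    """True when the best path for `network` uses `wanted_next_hop` and that
    path also carries the lowest MED held, i.e. MED is what steered it."""
    best = best_entry(entries, network)
    meds = [m for m in med_by_next_hop(entries, network).values() if m is not None]
    return best is not None and best.next_hop == wanted_next_hop and best.metric == min(meds)


# Transcribed from the post (ISP01 after the MED Export rules); spacing matters.
ISP01_OUTPUT = """\
ISP01#sh ip bgp ipv4 unicast
BGP table version is 4, local router ID is 100.100.100.1

     Network          Next Hop            Metric LocPrf Weight Path
 * i 30.30.1.0/24     100.100.2.1              0    100      0 64512 ?
 *>                   100.100.1.1            100             0 64512 ?
 *>  100.100.51.0/24  0.0.0.0                  0         32768 i
 *>i 100.100.52.0/24  100.100.100.2            0    100      0 i
"""

# Transcribed from the post (ISP03, two iBGP paths for the Palo Alto prefix).
ISP03_OUTPUT = """\
ISP03>sh ip bgp ipv4 unicast
BGP table version is 5, local router ID is 100.100.100.3

     Network          Next Hop            Metric LocPrf Weight Path
 * i 30.30.1.0/24     100.100.100.1          100    100      0 64512 ?
 *>i                  100.100.100.2            0    100      0 64512 ?
 *>i 100.100.51.0/24  100.100.100.1            0    100      0 i
 *>i 100.100.52.0/24  100.100.100.2            0    100      0 i
"""

if __name__ == "__main__":
    for name, out in (("ISP01", ISP01_OUTPUT), ("ISP03", ISP03_OUTPUT)):
        entries = parse_show_ip_bgp(out)
        print(name, "MEDs for 30.30.1.0/24:", med_by_next_hop(entries, "30.30.1.0/24"),
              "best:", best_entry(entries, "30.30.1.0/24").next_hop)
```

Run against the two samples, the check reports that ISP01 holds MED 100 on its eBGP path and MED 0 on the iBGP path yet still marks the eBGP path best, so `med_steering_ok` is false there, while on ISP03 the best path is the MED 0 path via 100.100.100.2, which is exactly the behaviour the post describes.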
