How to Set the BGP Next Hop to "self" When Reflecting a Route

Created On 09/26/18 13:49 PM - Last Modified 06/09/23 03:20 AM


Resolution


Overview

This document describes how to set the BGP next hop to the router ID of the route reflector when a route is reflected (learned from an iBGP peer and advertised to iBGP route reflector clients).

 

Details

RFC 4456, BGP Route Reflection: An Alternative to Full Mesh Internal BGP (IBGP), advises against modifying the NEXT_HOP, among other attributes, when reflecting a route:

10.  Implementation Considerations

[...]

In addition, when a RR reflects a route, it SHOULD NOT modify the
following path attributes: NEXT_HOP, AS_PATH, LOCAL_PREF, and MED.
Their modification could potentially result in routing loops.


PAN-OS 5.0:

In PAN-OS 5.0, setting the BGP next hop to "self", when reflecting a route, is performed by setting the configuration option "Export Next Hop" to "Use Self" on the "Virtual Router - BGP - Peer Group/Peer" configuration page.

In the screenshot below, the iBGP peer 192.168.200.13 is configured as a route reflector client to the local firewall, 192.168.200.11.

[Screenshot: BGP parameters of the route reflector client]

 

In the screenshot below, "Export Next Hop" is set to "Use Self". This forces the local firewall to set the NEXT_HOP BGP attribute to its own IP address (BGP router ID) for all routes advertised to the members of the BGP peer group. This applies to both reflected and non-reflected (learned from eBGP) routes.

[Screenshot: "Export Next Hop" set to "Use Self"]

 

PAN-OS 6.0 and above:

When "Export Next Hop" is set to "Use Self" on the "Virtual Router - BGP - Peer Group/Peer" configuration page (as in the screenshot above), the option affects only non-reflected routes. Reflected routes (routes learned from other iBGP peers and advertised to BGP route reflector clients) are advertised with their original NEXT_HOP values.

 

In order to modify the BGP NEXT_HOP attribute for the reflected routes, an export rule should be used, as shown below:

[Screenshot: export rule that modifies the NEXT_HOP attribute]

The screenshot above shows an example of an export rule used to modify the NEXT_HOP attribute. In that example, the NEXT_HOP is set to the router ID of the local firewall. The peer group to which this rule applies consists of iBGP route reflector clients. Additionally, this rule is applied only to the prefixes learned from one specific peer, VM-0. This last match condition is not necessary, but it may be good practice to control the prefixes to which the NEXT_HOP change is applied.
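The following added example (not part of the original article and not PAN-OS code) models the NEXT_HOP behaviour described above and lists the prefixes whose advertised next hop changes between PAN-OS 5.0 and 6.0+ when only "Use Self" is configured. The sample routes, the peer names ISP-A and VM-1, the simplified export-rule model and the precedence of a matching rule over the peer-group setting are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str      # NEXT_HOP as received
    from_peer: str     # name of the peer the route was learned from
    ibgp: bool         # True: learned from an iBGP peer, so sending it to a client reflects it

@dataclass(frozen=True)
class ExportRule:      # simplified model: optional "from peer" match, action sets NEXT_HOP
    set_next_hop: str
    match_from_peer: Optional[str] = None   # None matches routes from any peer

def advertised_next_hop(route, local_ip, use_self, panos_major, rule=None):
    """NEXT_HOP sent to a route reflector client, following the article's description."""
    next_hop = route.next_hop
    # "Export Next Hop: Use Self": every route on 5.0, only non-reflected routes on 6.0+.
    if use_self and (panos_major < 6 or not route.ibgp):
        next_hop = local_ip
    # Assumption: a matching export rule overrides the peer-group setting.
    if rule and rule.match_from_peer in (None, route.from_peer):
        next_hop = rule.set_next_hop
    return next_hop

def changed_by_upgrade(routes, local_ip, rule=None):
    """Prefixes whose advertised NEXT_HOP differs between 5.0 and 6.0+ with "Use Self" set."""
    return [r.prefix for r in routes
            if advertised_next_hop(r, local_ip, True, 5, rule)
            != advertised_next_hop(r, local_ip, True, 6, rule)]

LOCAL = "192.168.200.11"   # route reflector address from the article
ROUTES = [                 # constructed sample routes
    Route("10.1.0.0/16", "198.51.100.1", "ISP-A", ibgp=False),
    Route("10.2.0.0/16", "192.168.200.12", "VM-0", ibgp=True),
    Route("10.3.0.0/16", "192.168.200.14", "VM-1", ibgp=True),
]
RULE = ExportRule(set_next_hop=LOCAL, match_from_peer="VM-0")

if __name__ == "__main__":
    print("changed without rule:", changed_by_upgrade(ROUTES, LOCAL))
    print("changed with rule:   ", changed_by_upgrade(ROUTES, LOCAL, RULE))
```

With the rule restricted to VM-0, the prefix learned from VM-1 is still advertised with its original NEXT_HOP on 6.0+, so clients need reachability to that address.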

 

owner: ncackov


