topic BGP routing question. in General Topics

BGP routing question.

inderjit21 — Tue, 28 Feb 2017 07:26:57 GMT

I have multiple sites (50+ tunnels) doing ebgp with palo alto(VM-100). So PA is learning smaller subnets from all sites which are known to each other by bgp.

Additionally connected aws doing ebgp which is all good. But number of bgp routes advertised to aws goes above 100 bgp drops( aws can’t accept more than 100 routes).

aws can’t accept default route as they don’t want to come to fw for everything, few things needs to take different route.

I have tried export tab using option to be used by aws only but still (10.48.0.0/12) routes goes above 100. I have tried summarizing routes but then PA will advertise summaries to all the bgp peers which will break routing.

In theory I should be able to summarize 10.48.0.0/12 and send summary to only aws and not to any other peer

Re: BGP routing question.

Tyler_C — Wed, 01 Mar 2017 19:13:10 GMT

Use the BGP Aggregate Address functionality.

Under your Virtual-Router > BGP > Aggregate > Create an aggregate prefix and set as Summary.

Under Export, create a deny rule at the top of the list, and apply it to all peer groups except AWS (Make sure AWS is set up as its own Peer group) match against the prefix that you specified as an aggregate (check exact match).

Create another export rule at the bottom of the list (assuming you don't have any other deny rules), that is applied to your AWS peer group, with a match object of the aggregate prefix, and action allow.

Edit: In case it wasn't clear, you don't want any other export policies to match your AWS peer group. Configure your export policies as such that the only rule that matches AWS is the allow rule for the aggregate prefix.