<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic BGP filter route only for /32 prefix in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/bgp-filter-route-only-for-32-prefix/m-p/428282#M94698</link>
    <description>&lt;P&gt;&lt;SPAN&gt;Hi Experts,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;My question is: my Cisco switches advertise host routes to the FW from many VLANs/VRFs together with other network routes. We want the firewall not to accept any routes with subnet mask /32 but to accept anything else. Can you help to see if the firewall can do this kind of route mapping? This can be easily achieved in a Cisco router by prefix-list 0.0.0.0/0 ge 32.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;</description>
    <pubDate>Sun, 22 Aug 2021 08:28:37 GMT</pubDate>
    <dc:creator>rahul.k</dc:creator>
    <dc:date>2021-08-22T08:28:37Z</dc:date>
    <item>
      <title>BGP filter route only for /32 prefix</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/bgp-filter-route-only-for-32-prefix/m-p/428282#M94698</link>
      <description>&lt;P&gt;&lt;SPAN&gt;Hi Experts,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;My question is: my Cisco switches advertise host routes to the FW from many VLANs/VRFs together with other network routes. We want the firewall not to accept any routes with subnet mask /32 but to accept anything else. Can you help to see if the firewall can do this kind of route mapping? This can be easily achieved in a Cisco router by prefix-list 0.0.0.0/0 ge 32.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Sun, 22 Aug 2021 08:28:37 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/bgp-filter-route-only-for-32-prefix/m-p/428282#M94698</guid>
      <dc:creator>rahul.k</dc:creator>
      <dc:date>2021-08-22T08:28:37Z</dc:date>
    </item>
    <item>
      <title>Re: BGP filter route only for /32 prefix</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/bgp-filter-route-only-for-32-prefix/m-p/428586#M94761</link>
      <description>&lt;P&gt;Hi there,&lt;/P&gt;&lt;P&gt;You cannot create an equivalent prefix-list / route-map combination in PAN-OS. Your best option would be to tag the host routes with a particular community string and use an import policy on the firewall to deny those prefixes.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;!
ip prefix-list FOO-OUT seq 10 permit 0.0.0.0/0 ge 32
!
route-map PA01 permit 10
 match ip address prefix-list FOO-OUT
 set community 65000:999
!
route-map PA01 permit 20
 set community 65000:1
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 192.168.100.1 remote-as 65001
 !
 address-family ipv4
  network 100.0.0.1 mask 255.255.255.255
  network 192.168.101.0 mask 255.255.255.252
  neighbor 192.168.100.1 activate
  neighbor 192.168.100.1 send-community
  neighbor 192.168.100.1 route-map PA01 out
 exit-address-family
!&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Now under normal circumstances we can see both prefixes on the Palo, with the different community strings:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;admin@PA-VM&amp;gt; show routing protocol bgp loc-rib-detail

  
VIRTUAL ROUTER: WAN (id 2)
  ==========
  ----------
  Prefix:                        100.0.0.1/32 *
  Nexthop:                       192.168.100.2
  Received from:                 Peer ISP01 (id 1)
  Originator ID:                 0.0.0.0
  AS Path:                       65000
  Origin:                        IGP
  MED:                           0
  Local Preference:              100
  Atomic aggregate:              no
  Aggregator AS:                 0
  Aggregator ID:                 0.0.0.0
  Weight:                        0
  Flap:                          value 0.00, count 0
  Community:                     65000:999 
  ----------
  Prefix:                        192.168.101.0/30 *
  Nexthop:                       192.168.100.2
  Received from:                 Peer ISP01 (id 1)
  Originator ID:                 0.0.0.0
  AS Path:                       65000
  Origin:                        IGP
  MED:                           0
  Local Preference:              100
  Atomic aggregate:              no
  Aggregator AS:                 0
  Aggregator ID:                 0.0.0.0
  Weight:                        0
  Flap:                          value 0.00, count 0
  Community:                     65000:1 &lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So now we create an import policy, two parts, first to drop prefixes with community 65000:999 and the second to allow everything else:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;set network virtual-router WAN protocol bgp policy import rules drop_65000_999 action deny 
set network virtual-router WAN protocol bgp policy import rules drop_65000_999 match community regex 65000.999
set network virtual-router WAN protocol bgp policy import rules drop_65000_999 match route-table unicast
set network virtual-router WAN protocol bgp policy import rules drop_65000_999 used-by ISP
set network virtual-router WAN protocol bgp policy import rules drop_65000_999 enable yes
set network virtual-router WAN protocol bgp policy import rules everything_else action allow update as-path none 
set network virtual-router WAN protocol bgp policy import rules everything_else action allow update community none 
set network virtual-router WAN protocol bgp policy import rules everything_else action allow update extended-community none 
set network virtual-router WAN protocol bgp policy import rules everything_else match route-table unicast
set network virtual-router WAN protocol bgp policy import rules everything_else used-by ISP
set network virtual-router WAN protocol bgp policy import rules everything_else enable yes
&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Commit the config and check the local RIB:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;admin@PA-VM&amp;gt; show routing protocol bgp loc-rib-detail

  
VIRTUAL ROUTER: WAN (id 2)
  ==========
  ----------
  Prefix:                        192.168.101.0/30 *
  Nexthop:                       192.168.100.2
  Received from:                 Peer ISP01 (id 1)
  Originator ID:                 0.0.0.0
  AS Path:                       65000
  Origin:                        IGP
  MED:                           0
  Local Preference:              100
  Atomic aggregate:              no
  Aggregator AS:                 0
  Aggregator ID:                 0.0.0.0
  Weight:                        0
  Flap:                          value 0.00, count 0
  Community:                     65000:1 &lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Hope that helps.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;cheers,&lt;/P&gt;&lt;P&gt;Seb.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 23 Aug 2021 23:09:38 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/bgp-filter-route-only-for-32-prefix/m-p/428586#M94761</guid>
      <dc:creator>SebRupik</dc:creator>
      <dc:date>2021-08-23T23:09:38Z</dc:date>
    </item>
  </channel>
</rss>