Does PAN-OS Support Dynamic Routing Protocols OSPF or BGP with IPv6?

Printer Friendly Page

Before PAN-OS 6.0

Dynamic routing protocols with IPv6 is not supported.

 

PAN-OS 6.0 and 6.1

Dynamic routing protocols with IPv6 is supported for OSPFv3, with the following caveats:

  • OSPFv3 will not DHCP and PPPOE.
  • ECMP is not supported.
  • No command to clear OSPF or to clear neighbors as an operational command.
  • Only one instance ID can be configured on an OSPFv3 interface
    Note:  There could be multiple instance IDs on the link.
  • OSPFv3 does not support fast-hellos. The hello-interval is between 1 and 3600 seconds.

PAN-OS 7.0

OSPFv3 provides support for the OSPF routing protocol within an IPv6 network. As such, it provides support for IPv6 addresses and prefixes. It retains most of the structure and functions in OSPFv2 (for IPv4) with some minor changes. The following are some of the additions and changes to OSPFv3:
  • Support for multiple instances per link —With OSPFv3, you can run multiple instances of the OSPF protocol over a single link. This is accomplished by assigning an OSPFv3 instance ID number. An interface that is assigned to an instance ID drops packets that contain a different ID.
  • Protocol Processing Per-link —OSPFv3 operates per-link instead of per-IP-subnet as on OSPFv2.
  • Changes to Addressing —IPv6 addresses are not present in OSPFv3 packets, except for LSA payloads within link state update packets. Neighboring routers are identified by the Router ID.
  • Authentication Changes —OSPFv3 doesn't include any authentication capabilities. Configuring OSPFv3 on a firewall requires an authentication profile that specifies Encapsulating Security Payload (ESP) or IPv6 Authentication Header (AH).The re-keying procedure specified in RFC 4552 is not supported in this release.
  • Support for multiple instances per-link —Each instance corresponds to an instance ID contained in the OSPFv3 packet header.
  • New LSA Types —OSPFv3 supports two new LSA types: Link LSA and Intra Area Prefix LSA.
All additional changes are described in detail in RFC 5340.

 

PAN-OS 7.1

PAN-OS 7.1 does not include any new OSPF or BGP with IPv6.

 

BGP with IPv6 on PAN-OS 7.1 is not supported.

 

owner: rkim

Tags (8)
Comments

When can we except to use bgp with ipv6

Best regards

Jesper

This is the biggest reason we can't yet deploy our Palo Alto as the edge device. Even old Cisco routers support BGP with IPv6!

Why not simply let network deal with routing, and deploy PAN in L2, or better yet, vWire at the edge.  There is no reason to do dynamic routing on a security device.

I was hoping 7.1 introduced bgp with ipv6. Can we except bgp with ipv6 in next release of panos?

@JesperSandberg,

I am not able to confirm any features with any future code until that code is released. I am sorry.


As soon as this feature is added, I will be sure to update this article.

@JesperSandberg

From the Beta-Release Note 8.0:

Multiprotocol BGP

The firewall now supports Multiprotocol BGP (MP-BGP) so that a firewall enabled with BGP can advertise IPv4 multicast routes and IPv6 unicast routes (in addition to the IPv4 unicast routes it already supports) in BGP Update messages. In this way, MP-BGP provides IPv6 connectivity for your BGP networks that use either native IPv6 or dual stack IPv4 and IPv6. For example, in a service provider environment, you can offer IPv6 service to customers. In an enterprise environment, you can use IPv6 service from service providers. You can also separate your unicast and multicast traffic so they take different paths, in case you need multicast traffic to undergo less latency or take fewer hops.

Thank you for quick reply. We want to have dual stack so it sounds perfect

PAN 8.0 available for download.

And release note still mentionne the support of BGP IPv6

So will schedule test on test environment...

 

(& a lot of other new things to test for us )