02-28-2017 03:40 PM - edited 02-28-2017 03:44 PM
I'm working on a VRF-centric DC model that utilizes a PA as the firewall platform between VRFs. One of the snags I'm hitting is that if a route is learned from R1 on an AS (say 65001), and is advertised via eBGP to the PA (AS 65002), the PA won't even attempt to advertise it to R2 (Really R1, in VRF AF - AS 65001). I can work around this by spoofing my AS number to the PA, but I'd rather not add more complexity than necessary.
I understand the behavior is documented below; however, this goes against the RFC, where eBGP uses the AS path as loop prevention. The PA is not in AS 65001, and should not be making this decision on behalf of R1 and R2.
Expected behavior per RFC is that the device receiving the Prefix Advertisement will make the decision.
https://tools.ietf.org/html/rfc4271
"If the AS_PATH attribute of a BGP route contains an AS loop, the BGP route should be excluded from the Phase 2 decision function. AS loop detection is done by scanning the full AS path (as specified in the AS_PATH attribute), and checking that the autonomous system number of the local system does not appear in the AS path. Operations of a BGP speaker that is configured to accept routes with its own autonomous system number in the AS path are outside the scope of this document."
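The receiver-side check in the RFC 4271 passage quoted above, as an added example that is not part of the original post and is not Palo Alto Networks code: it decodes the AS_PATH attribute value, prepends the local AS on eBGP export, and scans for the local AS on receipt. The function names, the 2-byte ASN default and the sample walk through the thread's R1 (AS 65001) -> PA (AS 65002) -> R2 (AS 65001) topology are constructed for illustration.

```python
import struct

AS_SET, AS_SEQUENCE = 1, 2  # path segment type codes from RFC 4271

def parse_as_path(value, asn_size=2):
    """Decode an AS_PATH attribute value into [(segment_type, [asn, ...]), ...]."""
    segments, i = [], 0
    while i < len(value):
        if len(value) - i < 2:
            raise ValueError("truncated segment header")
        seg_type, count = value[i], value[i + 1]
        end = i + 2 + count * asn_size
        if seg_type not in (AS_SET, AS_SEQUENCE) or count == 0 or end > len(value):
            raise ValueError("malformed AS_PATH segment")
        fmt = "!%d%s" % (count, "H" if asn_size == 2 else "I")
        segments.append((seg_type, list(struct.unpack(fmt, value[i + 2:end]))))
        i = end
    return segments

def encode_as_path(segments, asn_size=2):
    """Inverse of parse_as_path: serialise segments back to wire format."""
    out = b""
    for seg_type, asns in segments:
        fmt = "!BB%d%s" % (len(asns), "H" if asn_size == 2 else "I")
        out += struct.pack(fmt, seg_type, len(asns), *asns)
    return out

def export_ebgp(value, local_as, asn_size=2):
    """Prepend local_as the way an eBGP speaker does when advertising to a peer."""
    segments = parse_as_path(value, asn_size)
    if segments and segments[0][0] == AS_SEQUENCE and len(segments[0][1]) < 255:
        segments[0] = (AS_SEQUENCE, [local_as] + segments[0][1])
    else:  # empty path, leading AS_SET, or full segment: start a new AS_SEQUENCE
        segments.insert(0, (AS_SEQUENCE, [local_as]))
    return encode_as_path(segments, asn_size)

def has_as_loop(value, local_as, asn_size=2):
    """The quoted RFC 4271 scan: does local_as appear anywhere in the full path?"""
    return any(local_as in asns for _, asns in parse_as_path(value, asn_size))

def walk_thread_topology():
    """Constructed sample: R1 (AS 65001) -> PA (AS 65002) -> R2 (AS 65001)."""
    from_r1 = export_ebgp(b"", 65001)      # R1 originates and advertises to the PA
    pa_loop = has_as_loop(from_r1, 65002)  # the PA scans for its own AS
    from_pa = export_ebgp(from_r1, 65002)  # path the PA would advertise to R2
    r2_loop = has_as_loop(from_pa, 65001)  # R2 scans for its own AS
    return from_pa.hex(), pa_loop, r2_loop

if __name__ == "__main__":
    print(walk_thread_topology())
```

In the walk, the PA's scan finds no loop, while R2's scan finds 65001 in the path, so under the quoted rule it is R2 that excludes the route unless it is configured to accept its own AS.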
05-07-2024 02:46 AM
Hi,
The behaviour and workaround can be found in the below KB article.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UtVCAU