BGP filter route only for /32 prefix


L0 Member

Hi Experts,

My question is: my Cisco switches advertise host routes to the FW from many VLANs/VRFs together with other network routes. We want the firewall not to accept any routes with subnet mask /32 but to accept everything else. Can you help to see if the firewall can do this kind of route mapping? This can be easily achieved on a Cisco router with prefix-list 0.0.0.0/0 ge 32.

Thanks!


L3 Networker

Hi there,

you cannot create an equivalent prefix-list / route-map combination in PAN-OS. Your best option would be to tag the host routes with a particular community string and use an import policy on the firewall to deny those prefixes.

!
! Export side (Cisco): the prefix-list matches any prefix with mask length 32 or longer
ip prefix-list FOO-OUT seq 10 permit 0.0.0.0/0 ge 32
!
! Host routes get community 65000:999 ...
route-map PA01 permit 10
 match ip address prefix-list FOO-OUT
 set community 65000:999
!
! ... everything else gets 65000:1
route-map PA01 permit 20
 set community 65000:1
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 192.168.100.1 remote-as 65001
 !
 address-family ipv4
  network 100.0.0.1 mask 255.255.255.255
  network 192.168.101.0 mask 255.255.255.252
  neighbor 192.168.100.1 activate
  ! send-community is required, otherwise the tags never reach the firewall
  neighbor 192.168.100.1 send-community
  neighbor 192.168.100.1 route-map PA01 out
 exit-address-family
!

Now under normal circumstances we can see both prefixes on the Palo, with the different community strings:

admin@PA-VM> show routing protocol bgp loc-rib-detail

VIRTUAL ROUTER: WAN (id 2)
  ==========
  ----------
  Prefix:                        100.0.0.1/32 *
  Nexthop:                       192.168.100.2
  Received from:                 Peer ISP01 (id 1)
  Originator ID:                 0.0.0.0
  AS Path:                       65000
  Origin:                        IGP
  MED:                           0
  Local Preference:              100
  Atomic aggregate:              no
  Aggregator AS:                 0
  Aggregator ID:                 0.0.0.0
  Weight:                        0
  Flap:                          value 0.00, count 0
  Community:                     65000:999 
  ----------
  Prefix:                        192.168.101.0/30 *
  Nexthop:                       192.168.100.2
  Received from:                 Peer ISP01 (id 1)
  Originator ID:                 0.0.0.0
  AS Path:                       65000
  Origin:                        IGP
  MED:                           0
  Local Preference:              100
  Atomic aggregate:              no
  Aggregator AS:                 0
  Aggregator ID:                 0.0.0.0
  Weight:                        0
  Flap:                          value 0.00, count 0
  Community:                     65000:1 

So now we create an import policy in two parts: the first drops prefixes carrying community 65000:999, and the second allows everything else:

set network virtual-router WAN protocol bgp policy import rules drop_65000_999 action deny 
set network virtual-router WAN protocol bgp policy import rules drop_65000_999 match community regex 65000.999
set network virtual-router WAN protocol bgp policy import rules drop_65000_999 match route-table unicast
set network virtual-router WAN protocol bgp policy import rules drop_65000_999 used-by ISP
set network virtual-router WAN protocol bgp policy import rules drop_65000_999 enable yes
set network virtual-router WAN protocol bgp policy import rules everything_else action allow update as-path none 
set network virtual-router WAN protocol bgp policy import rules everything_else action allow update community none 
set network virtual-router WAN protocol bgp policy import rules everything_else action allow update extended-community none 
set network virtual-router WAN protocol bgp policy import rules everything_else match route-table unicast
set network virtual-router WAN protocol bgp policy import rules everything_else used-by ISP
set network virtual-router WAN protocol bgp policy import rules everything_else enable yes

Commit the config and check the local RIB:

admin@PA-VM> show routing protocol bgp loc-rib-detail

VIRTUAL ROUTER: WAN (id 2)
  ==========
  ----------
  Prefix:                        192.168.101.0/30 *
  Nexthop:                       192.168.100.2
  Received from:                 Peer ISP01 (id 1)
  Originator ID:                 0.0.0.0
  AS Path:                       65000
  Origin:                        IGP
  MED:                           0
  Local Preference:              100
  Atomic aggregate:              no
  Aggregator AS:                 0
  Aggregator ID:                 0.0.0.0
  Weight:                        0
  Flap:                          value 0.00, count 0
  Community:                     65000:1 

Hope that helps.

cheers,

Seb.
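As a defender's check on the approach Seb describes (added here; not code from the thread or from Palo Alto Networks): a Python model of both halves, the Cisco route-map tagging by prefix length and the ordered PAN-OS import rules, plus a parser for the loc-rib-detail output so the post-commit state can be checked for any surviving /32. First-match rule ordering and a regex-search semantics for the community match are assumptions of the model, not documented PAN-OS behaviour; the sample RIB text is constructed.

```python
import ipaddress
import re
# Constructed sample in the layout of "show routing protocol bgp loc-rib-detail", trimmed
# to the fields this check reads (constructed here, not output from the thread's firewall).
SAMPLE_RIB = """\
VIRTUAL ROUTER: WAN (id 2)
  ----------
  Prefix:                        100.0.0.1/32 *
  Community:                     65000:999
  ----------
  Prefix:                        192.168.101.0/30 *
  Community:                     65000:1
"""

# Ordered PAN-OS import rules as posted: (name, action, community regex or None = any).
IMPORT_RULES = [("drop_65000_999", "deny", "65000.999"), ("everything_else", "allow", None)]

def parse_loc_rib(text):
    """Turn loc-rib-detail output into [{'prefix': ..., 'community': ...}, ...]."""
    routes, cur = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, val = (s.strip() for s in line.split(":", 1))
        if key == "Prefix":
            cur = {"prefix": val.rstrip(" *"), "community": ""}
            routes.append(cur)
        elif key == "Community" and cur is not None:
            cur["community"] = val
    return routes

def cisco_export_community(prefix):
    """Mirror route-map PA01: prefix-list 0.0.0.0/0 ge 32 only matches /32 host routes."""
    plen = ipaddress.ip_network(prefix, strict=False).prefixlen
    return "65000:999" if plen >= 32 else "65000:1"

def apply_import(routes, rules=IMPORT_RULES):
    """First-match evaluation (assumed model of PAN-OS import ordering); unanchored regex."""
    accepted = []
    for r in routes:
        for _name, action, regex in rules:
            if regex is None or re.search(regex, r["community"]):
                if action == "allow":
                    accepted.append(r["prefix"])
                break
    return accepted

def host_routes_present(text):
    """Post-commit check: any /32 left in the loc-rib means the deny rule did not take."""
    return [r["prefix"] for r in parse_loc_rib(text) if r["prefix"].endswith("/32")]
```

Because the posted regex 65000.999 is unanchored and the dot is a wildcard, the model also drops a community such as 165000:9991; anchoring the pattern is worth considering if the peer can send other community values.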
