This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

BGP filter route only for /32 prefix

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

BGP filter route only for /32 prefix

rahul.k
L0 Member

‎08-22-2021 01:28 AM

Hi Experts,

 

My question is, my Cisco switches advertise host routes to FW from many VLANs/VRFs together with other network routes, we want the firewall Not to accept the any routes with subnet mask /32 but accept anything else, can you help to see if the firewall can do this kind of route mapping? Which can be easily achieved in Cisco router by prefix-list 0.0.0.0/0 ge 32.

 

Thanks!

0 Likes Likes
1 REPLY 1

SebRupik
L3 Networker

‎08-23-2021 04:09 PM

Hi there,

you cannot create an equivalent prefix-list / route-map combination in PANOS. Your best option would be to tag the host routes with a particular community string and use an import policy on the firewall to deny those prefixes.

 

!
ip prefix-list FOO-OUT seq 10 permit 0.0.0.0/0 ge 32
!
route-map PA01 permit 10
 match ip address prefix-list FOO-OUT
 set community 65000:999
!
route-map PA01 permit 20
 set community 65000:1
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 192.168.100.1 remote-as 65001
 !
 address-family ipv4
  network 100.0.0.1 mask 255.255.255.255
  network 192.168.101.0 mask 255.255.255.252
  neighbor 192.168.100.1 activate
  neighbor 192.168.100.1 send-community
  neighbor 192.168.100.1 route-map PA01 out
 exit-address-family
!

 

Now under normal circumstances we can see both prefixes on the Palo, with the different community strings:

admin@PA-VM> show routing protocol bgp loc-rib-detail

  
VIRTUAL ROUTER: WAN (id 2)
  ==========
  ----------
  Prefix:                        100.0.0.1/32 *
  Nexthop:                       192.168.100.2
  Received from:                 Peer ISP01 (id 1)
  Originator ID:                 0.0.0.0
  AS Path:                       65000
  Origin:                        IGP
  MED:                           0
  Local Preference:              100
  Atomic aggregate:              no
  Aggregator AS:                 0
  Aggregator ID:                 0.0.0.0
  Weight:                        0
  Flap:                          value 0.00, count 0
  Community:                     65000:999 
  ----------
  Prefix:                        192.168.101.0/30 *
  Nexthop:                       192.168.100.2
  Received from:                 Peer ISP01 (id 1)
  Originator ID:                 0.0.0.0
  AS Path:                       65000
  Origin:                        IGP
  MED:                           0
  Local Preference:              100
  Atomic aggregate:              no
  Aggregator AS:                 0
  Aggregator ID:                 0.0.0.0
  Weight:                        0
  Flap:                          value 0.00, count 0
  Community:                     65000:1

 

So now we create an import policy, two parts, first to drop prefixes with community 65000:999 and the second to allow everything else:

set network virtual-router WAN protocol bgp policy import rules drop_65000_999 action deny 
set network virtual-router WAN protocol bgp policy import rules drop_65000_999 match community regex 65000.999
set network virtual-router WAN protocol bgp policy import rules drop_65000_999 match route-table unicast
set network virtual-router WAN protocol bgp policy import rules drop_65000_999 used-by ISP
set network virtual-router WAN protocol bgp policy import rules drop_65000_999 enable yes
set network virtual-router WAN protocol bgp policy import rules everything_else action allow update as-path none 
set network virtual-router WAN protocol bgp policy import rules everything_else action allow update community none 
set network virtual-router WAN protocol bgp policy import rules everything_else action allow update extended-community none 
set network virtual-router WAN protocol bgp policy import rules everything_else match route-table unicast
set network virtual-router WAN protocol bgp policy import rules everything_else used-by ISP
set network virtual-router WAN protocol bgp policy import rules everything_else enable yes

 

Commit the config and check to the local RIB:

admin@PA-VM> show routing protocol bgp loc-rib-detail

  
VIRTUAL ROUTER: WAN (id 2)
  ==========
  ----------
  Prefix:                        192.168.101.0/30 *
  Nexthop:                       192.168.100.2
  Received from:                 Peer ISP01 (id 1)
  Originator ID:                 0.0.0.0
  AS Path:                       65000
  Origin:                        IGP
  MED:                           0
  Local Preference:              100
  Atomic aggregate:              no
  Aggregator AS:                 0
  Aggregator ID:                 0.0.0.0
  Weight:                        0
  Flap:                          value 0.00, count 0
  Community:                     65000:1

 

Hope that helps.

 

cheers,

Seb.

 

 

(1)
  • 3657 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks