BGP "Router ID" and multiple peers


L3 Networker

What exactly is the "Router ID" field used for in the BGP tab of Virtual Router configuration?

I ask because I'm planning on announcing a /24 to two different ISPs/peers, and each ISP has its own /30 for the transit segment.  So, if I make the router ID the IP address for one segment, it is incorrect for the other segment... or does "Router ID" not actually get used for anything and it's just an identifier?  The documentation / help file says "Enter the IP address to assign to the virtual router," does this mean I need to use a separate VR for each BGP peer?

If so, how do I get my traffic to fail over from one VR to the other?  I currently have all of my interfaces attached to a single VR using a default route to ISP A.  I'm running a BGP session with them to receive routes for an MPLS network, but not announcing anything to them yet.  I now have a publicly routable /24 from ISP B, as well as a public ASN, but I need to announce that /24 to both providers and (ideally) unevenly weight the two connections, as ISP B is a 50Mb link while ISP A is only 25Mb.

I have seen the document that explains setting up BGP with two ISPs, but it is a bit confusing since it was written for 4.0 and I am on 4.1.  Also, it assumes that I want to take the /24 and apply it to an internal interface on the PAN, which I do not.  I want any / all addresses in the /24 to be proxy ARPed by the PAN and I will NAT (1:1 or otherwise) to internal hosts.  This is simply because I don't want to have to put together another switch or VLAN and public IPs on my internal systems - it's easier to just run it all through the PAN.

(I do have an active/passive pair of PANs but that is already functional, the only thing I'm having trouble with is the BGP portion.  The HA pair has appropriate interfaces to each ISP for failover to function correctly.)


L5 Sessionator

Hello,

The router ID is used just as an identifier. For example, in the output below you can see that the router IDs are 192.168.1.1 and 192.168.1.2 respectively. However, the PANFW establishes BGP connectivity with peers 10.10.10.4 (local address 10.10.10.1) and 192.168.1.3 (local address 192.168.1.1) on VR1. Similarly, on VR2 the router ID is 192.168.1.2, and it establishes BGP connectivity with peers 10.10.10.3 (local address 10.10.10.2) and 192.168.1.4 (local address 192.168.1.2).

admin@46-PA-4020> show routing protocol bgp summary

  ==========
  router id:                     192.168.1.1
  virtual router:                vr1
  reject default route:          reject
  redist default route:          block
  Install BGP routes:            no
  Graceful Restart:              supported
  AS size:                       2
  Local AS:                      65000
  Local member AS:               0
  Cluster id:                    0.0.0.0
  Default local preference:      100
  Always compare MED:            no
  Aggregate regardless MED:      yes
  Deterministic MED processing:  yes
  Accept ORF:                    no
  Accept CISCO style prefix:     yes
  rib-out entries:               current 0, peak 0
    peer peer1.4.1:              AS 65002, Established, IP 10.10.10.4
      IPv4/unicast pfx:          Accepted pfx: 0, Advertised pfx: 0
    peer peer1.3.1:              AS 65001, Established, IP 192.168.1.3
      IPv4/unicast pfx:          Accepted pfx: 0, Advertised pfx: 0
  ==========
  router id:                     192.168.1.2
  virtual router:                vr2
  reject default route:          reject
  redist default route:          block
  Install BGP routes:            no
  Graceful Restart:              supported
  AS size:                       2
  Local AS:                      65008
  Local member AS:               0
  Cluster id:                    0.0.0.0
  Default local preference:      100
  Always compare MED:            no
  Aggregate regardless MED:      yes
  Deterministic MED processing:  yes
  Accept ORF:                    no
  Accept CISCO style prefix:     yes
  rib-out entries:               current 0, peak 0
    peer peer1.3.1-vr2:          AS 65001, Established, IP 10.10.10.3
      IPv4/unicast pfx:          Accepted pfx: 0, Advertised pfx: 0
    peer peer1.4.1-vr2:          AS 65002, Established, IP 192.168.1.4
      IPv4/unicast pfx:          Accepted pfx: 0, Advertised pfx: 0

Hope that helps,

BR,

Karthik RP

L5 Sessionator

To be more specific:

admin@46-PA-4020> show routing protocol bgp peer

  ==========
  Peer:                          peer1.4.1 (id 2)
  virtual router:                vr1
  Peer router id:                192.168.1.4
  Remote AS:                     65002
  Peer group:                    peer1.4 (id 2)
  Peer status:                   Established, for 2946 seconds
  Password set:                  no
  Passive:                       no
  Multi-hop TTL:                 2
  Remote Address:                10.10.10.4:57911
  Local Address:                 10.10.10.1:179
  (R) reflector client:          not-client
  same confederation:            no
  send aggr confed as-path:      yes
  peering type:                  Unspecified
  Connect-Retry interval:        120
  Open Delay:                    0
  Idle Hold:                     15
  Prefix limit:                  5000
  Holdtime:                      90 (config 90)
  Keep-Alive interval:           30 (config 30)
  Update messages:               in        1, out        1
  Total messages:                in      115, out      115
  Last update age:               3
  Last error:
  Flap counts:                   1, established 1 times
  (R) ORF entries:               0
  Nexthop set to self:           no
  use 3rd party as next-hop:     yes
  override nexthop to peer:      no
  ----------
  remove private AS number:      yes
  ----------
  Capability:                    Multiprotocol Extensions(1)  value: 00010001
  Capability:                    Route Refresh(2)
  Capability:                    Graceful Restart(64)  value: 007800010100
  Capability:                    Route Refresh (Cisco)(128)
  ----------
  Prefix counter for:            IPv4 / unicast
  Incoming Prefix:               Accepted 0, Rejected 0, Total 0
  Outgoing Prefix:               0
  Advertised Prefix:             0
  ==========
  Peer:                          peer1.3.1 (id 1)
  virtual router:                vr1
  Peer router id:                192.168.1.3
  Remote AS:                     65001
  Peer group:                    peer1.3 (id 1)
  Peer status:                   Established, for 3657 seconds
  Password set:                  no
  Passive:                       no
  Multi-hop TTL:                 2
  Remote Address:                192.168.1.3:34865
  Local Address:                 192.168.1.1:179
  (R) reflector client:          not-client
  same confederation:            no
  send aggr confed as-path:      yes
  peering type:                  Unspecified
  Connect-Retry interval:        120
  Open Delay:                    0
  Idle Hold:                     15
  Prefix limit:                  5000
  Holdtime:                      90 (config 90)
  Keep-Alive interval:           30 (config 30)
  Update messages:               in        1, out        1
  Total messages:                in      143, out      143
  Last update age:               27
  Last error:
  Flap counts:                   1, established 1 times
  (R) ORF entries:               0
  Nexthop set to self:           no
  use 3rd party as next-hop:     yes
  override nexthop to peer:      no
  ----------
  remove private AS number:      yes
  ----------
  Capability:                    Multiprotocol Extensions(1)  value: 00010001
  Capability:                    Route Refresh(2)
  Capability:                    Graceful Restart(64)  value: 007800010100
  Capability:                    Route Refresh (Cisco)(128)
  ----------
  Prefix counter for:            IPv4 / unicast
  Incoming Prefix:               Accepted 0, Rejected 0, Total 0
  Outgoing Prefix:               0
  Advertised Prefix:             0
  ==========
  Peer:                          peer1.3.1-vr2 (id 1)
  virtual router:                vr2
  Peer router id:                192.168.1.3
  Remote AS:                     65001
  Peer group:                    peer1.3-vr2 (id 3)
  Peer status:                   Established, for 2191 seconds
  Password set:                  no
  Passive:                       no
  Multi-hop TTL:                 2
  Remote Address:                10.10.10.3:179
  Local Address:                 10.10.10.2:42688
  (R) reflector client:          not-client
  same confederation:            no
  send aggr confed as-path:      yes
  peering type:                  Unspecified
  Connect-Retry interval:        120
  Open Delay:                    0
  Idle Hold:                     15
  Prefix limit:                  5000
  Holdtime:                      90 (config 90)
  Keep-Alive interval:           30 (config 30)
  Update messages:               in        1, out        1
  Total messages:                in       87, out       87
  Last update age:               25
  Last error:
  Flap counts:                   0, established 1 times
  (R) ORF entries:               0
  Nexthop set to self:           no
  use 3rd party as next-hop:     yes
  override nexthop to peer:      no
  ----------
  remove private AS number:      yes
  ----------
  Capability:                    Multiprotocol Extensions(1)  value: 00010001
  Capability:                    Route Refresh(2)
  Capability:                    Graceful Restart(64)  value: 007800010100
  Capability:                    Route Refresh (Cisco)(128)
  ----------
  Prefix counter for:            IPv4 / unicast
  Incoming Prefix:               Accepted 0, Rejected 0, Total 0
  Outgoing Prefix:               0
  Advertised Prefix:             0
  ==========
  Peer:                          peer1.4.1-vr2 (id 2)
  virtual router:                vr2
  Peer router id:                192.168.1.4
  Remote AS:                     65002
  Peer group:                    peer1.3-vr2 (id 3)
  Peer status:                   Established, for 2188 seconds
  Password set:                  no
  Passive:                       no
  Multi-hop TTL:                 2
  Remote Address:                192.168.1.4:179
  Local Address:                 192.168.1.2:40043
  (R) reflector client:          not-client
  same confederation:            no
  send aggr confed as-path:      yes
  peering type:                  Unspecified
  Connect-Retry interval:        120
  Open Delay:                    0
  Idle Hold:                     15
  Prefix limit:                  5000
  Holdtime:                      90 (config 90)
  Keep-Alive interval:           30 (config 30)
  Update messages:               in        1, out        1
  Total messages:                in       86, out       88
  Last update age:               7
  Last error:
  Flap counts:                   0, established 1 times
  (R) ORF entries:               0
  Nexthop set to self:           no
  use 3rd party as next-hop:     yes
  override nexthop to peer:      no
  ----------
  remove private AS number:      yes
  ----------
  Capability:                    Multiprotocol Extensions(1)  value: 00010001
  Capability:                    Route Refresh(2)
  Capability:                    Graceful Restart(64)  value: 007800010100
  Capability:                    Route Refresh (Cisco)(128)
  ----------
  Prefix counter for:            IPv4 / unicast
  Incoming Prefix:               Accepted 0, Rejected 0, Total 0
  Outgoing Prefix:               0
  Advertised Prefix:             0
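The two outputs above are the things you end up eyeballing by hand whenever a session misbehaves. As an added example (my own code, not Palo Alto's and not from either poster), here is a small parser for output in the layout of `show routing protocol bgp peer` that flags the checks a defender cares about: a peer that is not Established, a session without a TCP MD5 password (the `Password set: no` lines above), recorded flaps, and a remote AS that differs from what you configured for that peer. The sample output is constructed to match the format shown (the second peer is deliberately stuck in the BGP `Active` state), and the expected-AS table is an assumption you would fill in from your own peering agreements.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of `show routing protocol bgp peer`.
# Names, addresses, AS numbers and counters are made up for this example.
SAMPLE_PEER_OUTPUT = """\
  ==========
  Peer:                          peer1.4.1 (id 2)
  virtual router:                vr1
  Peer router id:                192.168.1.4
  Remote AS:                     65002
  Peer group:                    peer1.4 (id 2)
  Peer status:                   Established, for 2946 seconds
  Password set:                  no
  Passive:                       no
  Multi-hop TTL:                 2
  Remote Address:                10.10.10.4:57911
  Local Address:                 10.10.10.1:179
  Prefix limit:                  5000
  Last error:
  Flap counts:                   1, established 1 times
  ----------
  Capability:                    Route Refresh(2)
  ==========
  Peer:                          isp-b (id 3)
  virtual router:                vr1
  Peer router id:                198.51.100.254
  Remote AS:                     64500
  Peer group:                    upstream (id 3)
  Peer status:                   Active
  Password set:                  yes
  Passive:                       no
  Multi-hop TTL:                 1
  Remote Address:                198.51.100.1:179
  Local Address:                 198.51.100.2:179
  Prefix limit:                  5000
  Last error:
  Flap counts:                   4, established 3 times
"""

# 'key: value' with the first colon as the split point, so values such as
# '10.10.10.4:57911' (address:port) survive intact.
KEY_VALUE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_peers(text: str) -> List[Dict[str, str]]:
    """Split the output on the '==========' separators and turn each
    'key: value' line of a peer block into a dict entry (keys lower-cased).
    '----------' rule lines contain no colon and are skipped."""
    peers: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if line.strip().startswith("=========="):
            if current:
                peers.append(current)
            current = {}
            continue
        if current is None:
            continue
        m = KEY_VALUE.match(line)
        if m:
            current[m.group(1).strip().lower()] = m.group(2)
    if current:
        peers.append(current)
    return peers


@dataclass
class Finding:
    peer: str
    severity: str
    message: str


def audit_peers(peers: List[Dict[str, str]],
                expected_as: Optional[Dict[str, int]] = None) -> List[Finding]:
    """Operational and hardening findings per parsed peer. expected_as maps a
    peer name to the AS you configured it for (assumed input, not from PAN-OS)."""
    findings: List[Finding] = []
    for p in peers:
        name = p.get("peer", "?").split(" (")[0]
        status = p.get("peer status", "")
        if not status.startswith("Established"):
            findings.append(Finding(name, "high",
                f"session not Established (state: {status or 'unknown'})"))
        if p.get("password set", "").lower() != "yes":
            findings.append(Finding(name, "medium",
                "session has no TCP MD5 password (RFC 2385); agree one with the peer"))
        flap_match = re.match(r"(\d+)", p.get("flap counts", "0"))
        flaps = int(flap_match.group(1)) if flap_match else 0
        if flaps > 0:
            findings.append(Finding(name, "low", f"{flaps} flap(s) recorded"))
        if expected_as is not None and name in expected_as:
            remote = int(p.get("remote as", "0"))
            if remote != expected_as[name]:
                findings.append(Finding(name, "high",
                    f"remote AS {remote} differs from expected AS {expected_as[name]}"))
    return findings


if __name__ == "__main__":
    for f in audit_peers(parse_peers(SAMPLE_PEER_OUTPUT),
                         {"peer1.4.1": 65002, "isp-b": 64500}):
        print(f"[{f.severity:6}] {f.peer}: {f.message}")
```

Feed it the real output captured from the CLI (or an API call that returns the same text) and run it from cron; anything rated high is what you would want paged on, while the missing-password finding is a one-time hardening item to raise with each ISP.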

OK, that makes sense.  The peers won't really care if the "Router ID" doesn't actually match the interface that is connected to them.  This also explains why the "peer router ID" I'm getting from ISP B doesn't fall inside the /30 that is being used to exchange routes.

This means I should be able to establish a connection with both peers via the same VR once I get my existing setup with ISP A changed to use my public ASN.  (We were using private ASNs for them to hand me MPLS routes prior to me obtaining a public ASN.)

How can I go about weighting the two routes for load-balancing (so more traffic travels via the larger connection), rather than just failover?  I understand that in some cases I can't affect the paths because the ISPs may re-write them when they leave their border, but I'd at least like to try to set it up "correctly."  I apologize for my inexperience here; this is my first real foray into BGP, and while I have the O'Reilly BGP book, it is written with Cisco in mind and PAN behavior seems somewhat different.

L5 Sessionator

You can use just one VR, even if you are multihomed with ISP 1 and ISP 2. All you need is to influence the routes using the BGP attributes (local preference, the AS hops, or origin). I would prefer local preference as the primary factor for influencing the outbound routes. You can continue using the /24 addresses on the external interfaces, and since they are assigned to you by your ISPs (hence being advertised too), users have a route to reach any IP address on this /24 subnet.  You can write destination NAT rules for any IP address that falls within the /24 range and the firewall will proxy ARP for these IP addresses.

Please let me know if you have any questions.

For design considerations, you can also talk to your Sales Engineer or get in touch with the Dev Centre team.

BR,

Karthik

So I can keep the /24 on the PAN and NAT for it...  but what if I need to assign one of those addresses directly to a server ("outside" the firewall)?

Here's a basic diagram of the setup (it omits the second ISP and a bunch of other irrelevant stuff) - is what I want to do in the lower right corner going to work?

[Attached image: PAN-WAN BGP question.png]

I am afraid this will not work.

The loopback IP address on the PANFW has to be a /32 IP address, and cannot have a /24 subnet. With that being said, even if the server 203.0.113.5/24 connects on an access port on the switch, and if the segment "VLAN 2000 - Internet" is a trunk port carrying VLAN-tagged traffic for VLAN 2000, you should have a layer 2 port on the firewall configured as an access port for VLAN 2000, from where the server can reach any of the hosts behind this port that lie in the /24 range.

I would rather move the server behind the firewall, reachable on the vlan 2000 access port, and configure a vlan interface for the vlan 2000 (203.0.113.1/24), to serve as the gateway for the hosts on vlan 2000. I can then advertise the whole /24 address.

An advantage of this setup is that you can protect your server against any form of attack by using a zone protection profile on the firewall. Otherwise the server is left exposed and can be subjected to attacks from the internet (that the switch may not block).

BR,

Karthik RP

The "server" here is actually a SIP gateway device from our VoIP provider, it is locked down and only accepts traffic from their IP block so security isn't much of a concern here.  I'm trying to keep it "outside" the PAN because I don't want any added delay in the traffic due to filtering/etc. 

If I add 203.0.113.1/24 as a secondary address on the vlan 2000 L3 port, that should work though, correct?  I can put the SIP gateway in the same VLAN, assign it 203.0.113.5/24 and have it use the PAN 203.0.113.1 as default GW, which should then route it through the routing table and out to 198.53.100.1 (the ISP) and from there the internet?

If the packet is entering and leaving the same interface and same security zone, then the firewall rules don't act on it and it should pass through as quick as a normal router would, right?

I realize that I will then have two subnets on the same VLAN but since both subnets are public and "outside" I don't really care...

My option works (just tested it).  You are correct that the loopback only takes a /32, I forgot about that.

I put .1/24 as a secondary IP on the same VLAN 2000 L3 subinterface.  I was then able to put another device on the same VLAN, use .1 as the gateway, assign an IP, and pass traffic without issue.

Glad that it works! If I have been able to answer your queries, you can mark my answer as a correct answer for the benefit of other people asking the same question in future.

BR,

Karthik

Rather than opening another discussion just for this...

What exactly does the "soft reset with stored info" option do on the Peer Group config screen?

The manual and help page are both less than helpful: "Select the check box to perform a soft reset of the firewall after updating the peer settings."

What exactly is a "soft reset of the firewall" in this context?  Does this mean that a change to the peer config would flush firewall states?  Or does it enable the PAN to handle Cisco-style BGP "soft resets" when the config has been changed, rather than dropping and restarting the BGP session?  (Or does a PA device *already* use soft-resets by default?  From what I've seen it looks like a config commit creates a new BGP session / causes a flap...)

Also, it seems like absent any filters for Import or Export, PanOS (at least 4.1.x) is "default permit," correct?  I was kind of surprised by this behavior because typically firewalls are "default deny" at least in terms of security rules.  OTOH, it does appear that on Cisco IOS at least, BGP is also default permit (filters have to be setup or else it takes everything), so I guess following Cisco behavior makes some amount of sense.  Again, I'm relatively new to BGP here. 

We do an "outbound soft reset", where an outbound soft reset is used to send a new set of updates to a neighbor without flapping the existing BGP session. And unless an export or import filter is specified, we advertise and learn all the routes respectively.

BR,

Karthik

Another BGP/traffic question...

ISP A = 50 mbps, national ISP

ISP B = 25 mbps, local provider with peering to many other ISPs, no direct peering to ISP A as far as I'm aware

Once I have both paths active, how do I specify which link to use for outbound traffic from my announced subnet?  ISP A is giving me no inbound routes while ISP B is only giving me directly connected subnets that it is already routing back to my PAN anyway (I have two /28s and a few /30s that I'm going to get rid of once I migrate everything to this /24).  I can obviously set the default route to one side or the other, but I'd like to use both links ideally, and I'd prefer if traffic "sticks" to the link that it came in on in most cases.

I understand that I can prepend my AS on export statements to affect how inbound traffic comes to me...  but how do I load balance the outbound traffic?  Does this require policy-based routing, and can that take into account the load on a circuit?  (I only have a single PBR that is being used for a special VPN for certain LOB traffic.)

From BGP's standpoint, using local preference is the best way to influence outbound routing. However, it is impossible to configure local preference for all the routes on the internet. But if you have specific networks for which you want to use one ISP over the other (for instance, networks for which latency is a business-critical parameter), you can use local preference to reach those networks via ISP A.

Otherwise we don't load balance all outbound traffic, but we can configure policy-based forwarding for specific source subnet(s) to prefer one of the ISPs over the other. Plus, PBFs on PANFWs do not operate based on the load of a circuit; rather they work depending upon the matching source subnet(s) and the destination address(es).

You can use ECMP Multiple AS Support, which is equivalent to the "bgp multi AS path relax" command in Cisco.

Regards

Sudhakar Ganapareddy
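The last few replies describe three levers without showing how they interact: local preference for outbound selection, AS-path prepending on export for inbound, and ECMP with multiple-AS (multipath-relax) support. As an added example that is not from the thread or from PAN-OS, the following reduced BGP decision process (local preference, then AS-path length, then origin, then MED) plays those levers through with constructed values: an assumed AS 65000 for the OP, placeholder upstream ASNs 64500 and 64501, and documentation prefixes as destinations. It also shows where the "Router ID" from the first question actually matters in real BGP: only as a late tie-breaker once every attribute is equal.

```python
from dataclasses import dataclass, replace
from typing import Iterable, List, Set, Tuple

# Constructed values: the OP's ASN and both upstreams are placeholders.
OWN_AS = 65000
ISP_A = "ISP-A"   # assumed upstream AS 64500 (e.g. next hop 198.51.100.1)
ISP_B = "ISP-B"   # assumed upstream AS 64501 (e.g. next hop 198.51.100.5)


@dataclass(frozen=True)
class Path:
    prefix: str
    learned_from: str          # which upstream session delivered the route
    as_path: Tuple[int, ...]
    local_pref: int = 100      # 'Default local preference: 100' in the thread's output
    origin: int = 0            # 0=IGP, 1=EGP, 2=INCOMPLETE; lower wins
    med: int = 0               # lower wins (real BGP only compares MED within one neighbour AS)


def rank_key(p: Path):
    """Reduced decision process: higher local pref, then shorter AS path,
    then lower origin, then lower MED. Earlier tuple slots beat later ones."""
    return (-p.local_pref, len(p.as_path), p.origin, p.med)


def select(paths: Iterable[Path], multipath: bool = False,
           multipath_relax: bool = False) -> List[Path]:
    """Pick the best path(s). Without multipath a full tie goes to list order
    here; real BGP continues with tie-breakers such as the lowest router ID,
    which is the only routing role the 'Router ID' field plays. With multipath,
    equal-ranked paths are added only if their AS path is identical, unless
    multipath_relax accepts any AS path of the same length (the behaviour the
    last reply compares PAN-OS 'ECMP Multiple AS Support' to)."""
    paths = list(paths)
    best = min(paths, key=rank_key)
    if not multipath:
        return [best]
    chosen = [best]
    for p in paths:
        if p is best or rank_key(p) != rank_key(best):
            continue
        if p.as_path == best.as_path or multipath_relax:
            chosen.append(p)
    return chosen


def set_local_pref(paths: Iterable[Path], learned_from: str,
                   prefixes: Set[str], value: int) -> List[Path]:
    """Import policy: raise local preference on routes from one upstream for
    chosen prefixes (the 'latency-critical networks via ISP A' case above)."""
    return [replace(p, local_pref=value)
            if p.learned_from == learned_from and p.prefix in prefixes else p
            for p in paths]


def advertised_path(prefix: str, upstream_as: int, prepend: int = 0) -> Path:
    """Your prefix as a remote AS sees it behind one upstream: the upstream's
    AS, then your AS once plus 'prepend' extra copies. Export-side prepending
    therefore only shapes inbound traffic, never your own outbound choice."""
    return Path(prefix, f"via-AS{upstream_as}",
                (upstream_as,) + (OWN_AS,) * (1 + prepend))


def outbound_demo() -> Tuple[str, str]:
    """Same destination from both ISPs: AS-path length decides by default,
    a higher local preference on ISP B's copy overrides it."""
    routes = [Path("192.0.2.0/24", ISP_A, (64500, 65010)),
              Path("192.0.2.0/24", ISP_B, (64501, 65020, 65010))]
    by_default = select(routes)[0].learned_from
    with_policy = select(set_local_pref(routes, ISP_B, {"192.0.2.0/24"}, 200))[0].learned_from
    return by_default, with_policy


def ecmp_demo() -> Tuple[int, int, int]:
    """Equal-length but different AS paths: one path without multipath, still
    one with plain multipath, two once multiple-AS (relax) is enabled."""
    routes = [Path("172.16.0.0/12", ISP_A, (64500, 65030)),
              Path("172.16.0.0/12", ISP_B, (64501, 65030))]
    return (len(select(routes)),
            len(select(routes, multipath=True)),
            len(select(routes, multipath=True, multipath_relax=True)))


def inbound_demo() -> str:
    """Prepend twice toward AS 64500 and not at all toward AS 64501; a remote
    AS hearing both copies prefers the shorter path via 64501."""
    seen_remotely = [advertised_path("203.0.113.0/24", 64500, prepend=2),
                     advertised_path("203.0.113.0/24", 64501)]
    return select(seen_remotely)[0].learned_from


if __name__ == "__main__":
    print("outbound (default, with local-pref policy):", outbound_demo())
    print("ECMP paths (single, multipath, multipath-relax):", ecmp_demo())
    print("inbound path chosen by a remote AS:", inbound_demo())
```

The model deliberately stops at MED; it is enough to see why local preference is the right outbound lever (it sits above every path-length trick an ISP can play), why prepending cannot move outbound traffic, and why two equal-length paths through different upstreams only share load once the multiple-AS ECMP option is turned on.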
