Cisco BGP neighbor x.x.x.x local-as yyyy feature on Palo Alto


L1 Bithead

Hi,

 

Does Palo Alto support the Cisco BGP neighbor x.x.x.x local-as yyyy feature? Or is there any way to achieve the same (the Palo Alto FW has a local ASN, but it uses another local ASN just for a specific neighbor)?

 

Thanks!

11 REPLIES

Cyber Elite

@banksants 

 

Are you looking for a CLI command like the one below?

 

t network virtual-router NetGear protocol bgp
+ allow-redist-default-route   allow redistribute default route to BGP
+ ecmp-multi-as                Support multiple AS in ECMP
+ enable                       enable
+ enforce-first-as             Enforce First AS for EBGP
+ install-route                Populate BGP learned route to global route table
+ local-as                     local AS number
+ reject-default-route         do not learn default route from BGP
+ router-id                    router id of this BGP instance
> auth-profile                 BGP authentication profiles
> dampening-profile            route flap dampening profiles
> peer-group                   peer group configuration
> policy                       BGP routing policy configuration
> redist-rules                 redistribution rules for export through BGP
> routing-options              routing instance options
  <Enter>                      Finish input

 

Regards

MP

Help the community: Like helpful comments and mark solutions.

Hi MP18,

 

thanks for the message.

 

No, I was looking for feature support, but I have done a workaround as it seems unsupported.

 

Thanks.

 

Banksants

Could you suggest what workaround you did on the Palo Alto firewall to achieve the local-as thing?


L0 Member

Was anyone able to achieve this local-as config through Panorama?

Cyber Elite

EDIT:  This post is wrong.  Please ignore.

 

Hi all,

 

This feature is available with the Advanced Routing Engine, but that is a big change to make.

 

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-networking-admin/advanced-routing/configure-bgp...

 

Thanks,

 

Tom


Cyber Elite

By the way,

 

You should be able to have multiple local ASNs with virtual routers (VRs).  You can then enable BGP between the VRs.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIpCAK

 

I am going to do this with a customer and report back.  EDIT:  This worked great.  The one neighbor that required a different ASN is peered on a new VR.

 

Thanks,

 

Tom


No it's not.  This is not the same as defining your local ASN at the base level of your BGP instance.  The "Local-AS" feature is essentially a way to masquerade your instance ASN as another ASN.  For example, if your instance's ASN is 65100 and you need to peer with someone that is using 65100 for another peering they have, or they require using a non-private ASN, you can use the "Local-AS" feature to alter your ASN specifically for that peering without changing your instance ASN and breaking any other peerings you have.  Palo Alto PAN-OS does not support this feature.
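
Added example, not part of any post in this thread: a Python model of the check behind the local-as behaviour described above. A BGP OPEN carries a "My Autonomous System" field, and a neighbor whose configured remote-as differs answers with a NOTIFICATION, OPEN Message Error / Bad Peer AS (RFC 4271). The ASNs, addresses and function names are constructed for illustration.

```python
import struct

MARKER = b"\xff" * 16                      # 16-byte all-ones header marker
OPEN, NOTIFICATION, KEEPALIVE = 1, 3, 4    # BGP message types
OPEN_MESSAGE_ERROR, BAD_PEER_AS = 2, 2     # NOTIFICATION error code / subcode

def build_open(my_as, router_id, hold_time=90):
    """Encode a minimal OPEN: 2-byte ASN, no optional parameters."""
    ident = bytes(int(octet) for octet in router_id.split("."))
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, ident, 0)
    return MARKER + struct.pack("!HB", 19 + len(body), OPEN) + body

def peer_check_open(message, configured_remote_as):
    """Neighbor side: compare the OPEN's My AS field with its remote-as."""
    length, msg_type = struct.unpack("!HB", message[16:19])
    if message[:16] != MARKER or msg_type != OPEN or length != len(message):
        raise ValueError("not a well-formed OPEN")
    _version, my_as, _hold, _ident, _optlen = struct.unpack("!BHH4sB", message[19:29])
    if my_as != configured_remote_as:
        return (NOTIFICATION, OPEN_MESSAGE_ERROR, BAD_PEER_AS)
    return (KEEPALIVE,)

def as_sent_to(neighbor, instance_as, local_as_overrides):
    """ASN placed in the OPEN sent to one neighbor.

    local_as_overrides models a per-neighbor local-as setting: only the
    listed neighbor sees the alternate ASN, every other peering keeps the
    instance ASN.
    """
    return local_as_overrides.get(neighbor, instance_as)

def session_result(neighbor, instance_as, local_as_overrides, peer_expects):
    """Build our OPEN for this neighbor and return the neighbor's reply."""
    asn = as_sent_to(neighbor, instance_as, local_as_overrides)
    return peer_check_open(build_open(asn, "10.0.0.1"), peer_expects)

# Constructed scenario: instance ASN 65100, one neighbor insists on 64512.
INSTANCE_AS = 65100
SPECIAL, ORDINARY = "192.0.2.1", "198.51.100.1"
NO_OVERRIDE = {}
WITH_LOCAL_AS = {SPECIAL: 64512}

if __name__ == "__main__":
    print("no local-as   :", session_result(SPECIAL, INSTANCE_AS, NO_OVERRIDE, 64512))
    print("with local-as :", session_result(SPECIAL, INSTANCE_AS, WITH_LOCAL_AS, 64512))
    print("other peer    :", session_result(ORDINARY, INSTANCE_AS, WITH_LOCAL_AS, 65100))
    # A separate virtual router whose own instance ASN is 64512 sends the same OPEN.
    print("second VR     :", session_result(SPECIAL, 64512, NO_OVERRIDE, 64512))
```
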

Cyber Elite

Hi @JessePeden ,

 

"Palo Alto PAN-OS does not support this feature."

 

Did you see the URL I posted above?  It should be supported in the Advanced Routing Engine.

 

"No it's not.  This is not the same as defining your local ASN at the base level of your BGP instance."

 

I know what local-as means and what it does.  Creating a new VR with a new BGP ASN will allow you to configure the new peering with the neighbor that requires the different ASN.  All the original neighbors remain on the old VR.  This is an effective workaround.  I just did it with a customer.  You can enable BGP between the VRs to facilitate routing.

 

Thanks,

 

Tom


"Did you see the URL I posted above?  It should be supported in the Advanced Routing Engine."

 

I'm aware of the Advanced Routing Engine and have it enabled on every PA setup I manage right out of the gate.  The feature is not there, and I'm not sure where you're getting the info as it's not mentioned in the article you linked (unless I missed it somehow - maybe you can share the exact line mentioning it).

 

"Creating a new VR with a new BGP ASN will allow you to configure the new peering with the neighbor that requires the different ASN.  All the original neighbors remain on the old VR.  This is an effective workaround.  I just did it with a customer.  You can enable BGP between the VRs to facilitate routing."

 

I'm sure that works fine as a workaround, and I had made no mention of it in my original response - only that of the "local-as" feature being non-existent in PAN-OS (in both the LRE and ARE).  I'm in a situation where I'll either need to look into doing the same thing, though, or do my peering on the Cisco switches instead of the PA units if I can't get BGP working in a separate logical router.

Cyber Elite

Hi @JessePeden ,

 

You are right.  It is not in the URL, and therefore not supported by Palo Alto.  I thought I saw it there but was mistaken.  I will delete that post if I can.

 

Thanks,

 

Tom


Dang.  I was hoping that I was the one that was wrong, truthfully, as there's zero reason (in my book) for Palo Alto not to support that feature.
