
Conditional Default route advertisement


L1 Bithead

All - I have 2 systems at two different locations connecting to the same BGP AS and I am accepting an advertised default route.

 

On the LAN side, I have a basic OSPF area0 which has a fiber-optic connection between the two locations configured as a P2P OSPF link.

 

I need access to the internet to fail over dynamically between these sites.  To that end, I attempted to configure the PA systems to "Allow advertise default route" for their OSPF process. This did NOT work even though the learned BGP default route was installed in the routing table.  OSPF did not start originating the default route until I specifically configured an export rule for 0.0.0.0/0.

 

The problem this creates is that when either router loses their BGP connection and the BGP learned default route is no longer in the table, the export rule ensures the firewall that cannot forward to the internet is still advertising a default route via OSPF.  That means that the networks transported through the down PA can't reach the internet unless I manually log in and stop OSPF on PA site A.

 

The LAN routers are Cisco which means I can do static route tracking or EEM scripts or a few other things, but life would be much, much easier if the PA's handled default route advertising from OSPF in the way that Cisco does:  'default-information originate' will advertise a default route via OSPF only if there's one in the route table, 'default-information originate always' will result in the behavior the PA's are showing me now.

 

They won't advertise a default route *unless* an export rule for 0.0.0.0/0 is configured. Remove that rule, and it stops advertising.  Can someone please help me determine if PAN-OS is capable of only advertising a default route if there's one in the Global routing table, or if it's on/off with nothing in between?

 

The connectivity could not be more basic, I'm uploading a paint diagram of the scenario.

 

[Attached image: BGP.png]

 

I actually think I need to redistribute that default route from BGP into OSPF, but when I use the 0.0.0.0/0 "filter" for the redistribution profile, it redistributes everything in the BGP table. I guess I'll try 0.0.0.0/32, but the default route origination documentation is terrible. It doesn't work as documented (In my attempts to set this up, it would NOT send the default route without an export rule, which is NOT outlined in the document).

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkmCAC  <-- Not 100% correct.

3 REPLIES

L1 Bithead

So I just checked the 0.0.0.0/32 idea.

 

I get nothing. 

 

So I either get the whole BGP routing table, or nothing - I can't seem to limit it to the defaults.  I have to believe I'm not getting the syntax, it can't truly be like this. I'm going to manipulate this redistribution profile to inject specific routes into OSPF and see what happens, but I don't understand why an exact match like /32 won't get it done (/31 doesn't seem to work either), but "everybody" (/0) works just fine.

You need to have redistribution to get the default between routing protocols. Are you taking full tables from the ISP? What are the other prefixes?

Cyber Elite

Hi @treysgrun ,

 

Thank you for your excellent summary!  I found this article because I ran into a similar problem.  I was curious if 0/32 would work also, and you saved me that step.

 

The solution is found here -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfnCAC.  The key sentence (4th line from top) is "When you use 'Destination' as one of the filtering/matching criteria in Redistribution Profile, you should read the destination prefix as 'OR LONGER' and not 'EXACT'."

 

Scenario #1 worked for me with the following values:

  1. Deny 0.0.0.0/1 priority 1.
  2. Deny 128.0.0.0/1 priority 1.
  3. Allow 0.0.0.0/0 priority 2.

Only the default prefix is redistributed and all longer prefixes are not.

 

Thanks!

 

Tom
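To see why the 0.0.0.0/32 attempt in the thread matched nothing and why the deny/deny/allow profile in the reply above isolates the default route, here is a small Python model of the "or longer" destination matching the KB article describes. This is an added example, not code from PAN-OS or from anyone in this thread; the priority-ordered, first-match evaluation and the sample BGP prefixes are assumptions made for the illustration.

```python
from ipaddress import ip_network, IPv4Network
from typing import List, Tuple

# A redistribution-profile rule as modelled here: (priority, action, destination)
Rule = Tuple[int, str, str]

def rule_matches(route: IPv4Network, destination: IPv4Network) -> bool:
    """'Destination' in a redistribution profile means 'this prefix OR LONGER',
    so a route matches when it lies within the destination prefix."""
    return route.subnet_of(destination)

def redistribute(route_str: str, rules: List[Rule]) -> bool:
    """Return True if the route would be redistributed.

    Assumed model: rules are evaluated in ascending priority order (lowest
    number first), the first matching rule decides, and a route that matches
    no rule is not redistributed."""
    route = ip_network(route_str)
    for _prio, action, dest in sorted(rules, key=lambda r: r[0]):
        if rule_matches(route, ip_network(dest)):
            return action == "allow"
    return False

# The single-rule profile the original poster tried first: everything matches.
NAIVE_PROFILE: List[Rule] = [(1, "allow", "0.0.0.0/0")]

# The 'exact match' attempt: 0.0.0.0/0 is not within 0.0.0.0/32, so nothing matches.
EXACT_ATTEMPT_PROFILE: List[Rule] = [(1, "allow", "0.0.0.0/32")]

# Scenario #1 from the reply: deny both halves of the address space, then allow the rest.
DEFAULT_ONLY_PROFILE: List[Rule] = [
    (1, "deny", "0.0.0.0/1"),
    (1, "deny", "128.0.0.0/1"),
    (2, "allow", "0.0.0.0/0"),
]

# Constructed sample of a BGP table: the ISP default plus a few other prefixes.
SAMPLE_BGP_ROUTES = ["0.0.0.0/0", "10.20.0.0/16", "192.0.2.0/24", "203.0.113.0/24"]

def redistributed_routes(rules: List[Rule], routes=SAMPLE_BGP_ROUTES) -> List[str]:
    """Routes from the sample table that the given profile would pass into OSPF."""
    return [r for r in routes if redistribute(r, rules)]

if __name__ == "__main__":
    print("0.0.0.0/0 only:       ", redistributed_routes(NAIVE_PROFILE))
    print("0.0.0.0/32 only:      ", redistributed_routes(EXACT_ATTEMPT_PROFILE))
    print("deny /1s, allow /0:   ", redistributed_routes(DEFAULT_ONLY_PROFILE))
```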
