Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
09-23-2020 02:50 PM
We are about to implement EBGP for the first time. The EBGP will have two peers. The ISP wants it to be used as a primary/secondary rather than equal split. We currently have two ISPs that will be going away. We are a 24/7 shop so we need a strategy to test EBGP without interfering with existing traffic.
Does it make sense to create a new VR strictly for the BGP connection and then point the Default VR to it when we are ready?
09-23-2020 06:55 PM
That's adding some complexity that really wouldn't be needed. You could configure this in a completely separate untrust zone and use PBF to actually verify that the route is functional prior to actually cutting over.
09-24-2020 11:01 AM
Thank you for your reply.
When we switched to PaloAlto several years ago we contracted the installation. PBF never worked so we removed it entirely in preparation for BGP.
Would we do the following?
Am I correct in thinking it would do the following?
Thanks again for your help.
09-24-2020 02:45 PM
Hi @Charles-SFG ,?
Can you clarify what is your concern? Did I understand you correctly that you asking how to configure the BGP without actually using the bgp routes and during maintenance window to switch to the BGP routing?
Another question - the two peers, are they both external for your firewall? Am I guessing correctly that the two peers are just for resilience and you will receive the same routes from both and you need to advertise same routes to both (but with different metric)?
When you are configuring the BGP you can leave the option "Install Routes" unchecked (I believe this is off by default) - As you can see from this document when this option is not checked FW will bring the BGP peering up, it will receive and advertise any routes from peers, but the received routes are not installed in the RIB.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleoCAC
Which effectively allow you to test the BGP peering and what is received from the peers, without affecting the current routing and using the old path.
Depending of your setup it is good idea to create bgp export rule and deny all prefix to be advertised to the peers. I would suggest to configure deny import policy on the peers, so that way you can test the firewall configuration to ensure that correct routes are advertised and still not affecting current traffic, but it is up to you and the ISP.
09-25-2020 06:58 AM
Alexander,
Thank you for your response.
“Can you clarify what is your concern? Did I understand you correctly that you asking how to configure the BGP without actually using the bgp routes and during maintenance window to switch to the BGP routing?”
My concern is migrating to our new EBGP and new IP space without any downtime. So we need to be able to verify test traffic passes through the BGP before migrating production traffic to it. For inbound traffic both the old IPs and new IPs will need to be accessible while DNS propagates. Some business partners may also have hardcoded or host entries for our IP for their API requests, even though they shouldn’t. I understand that enabling ECMP restarts the router so ECMP will need to be done during a maintenance window.
Having never done this before and not finding any documentation that matches what we plan to do makes it harder to plan.
“Another question - the two peers, are they both external for your firewall? Am I guessing correctly that the two peers are just for resilience and you will receive the same routes from both and you need to advertise same routes to both (but with different metric)?”
Yes, the two peers are to the same ISP via different fiber paths for resilience.
“When you are configuring the BGP you can leave the option "Install Routes" unchecked (I believe this is off by default) - As you can see from this document when this option is not checked FW will bring the BGP peering up, it will receive and advertise any routes from peers, but the received routes are not installed in the RIB.” and “Which effectively allow you to test the BGP peering and what is received from the peers, without affecting the current routing and using the old path.”
This sounds like a good first step to verify the peers are configured properly. After that we will need to send some test traffic over it. Thanks for the link.
Thank you,
Charles
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
