First time BGP setup VR question

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted
L1 Bithead

First time BGP setup VR question

We are about to implement EBGP for the first time. The EBGP will have two peers. The ISP wants it to be used as a primary/secondary rather than equal split. We currently have two ISPs that will be going away. We are a 24/7 shop so we need a strategy to test EBGP without interfering with existing traffic.

Does it make sense to create a new VR strictly for the BGP connection and then point the Default VR to it when we are ready? 

Highlighted
Cyber Elite

@Charles-SFG,

That's adding some complexity that really wouldn't be needed. You could configure this in a completely separate untrust zone and use PBF to actually verify that the route is functional prior to actually cutting over. 

Highlighted
L1 Bithead

Thank you for your reply.

 

When we switched to PaloAlto several years ago we contracted the installation. PBF never worked so we removed it entirely in preparation for BGP.

 

Would we do the following?

  • add the BGP interface routes to the VR with a high metric so normal traffic will never hit it
  • create a PBF rule with one internal IP (Test System) as the source and egress on one of the new BGP interfaces
  • create a Policy Rule from the Test System to any IP in the BGP zone 

Am I correct in thinking it would do the following?

  • the PBF would force traffic from the Test System to use the route for the BGP interface in the VR
  • the BGP interface is in the BGP zone so
  • it would match the new Polcy Rule because it matched the Test System, BGP zone and destination

Thanks again for your help.

Highlighted
L4 Transporter

Hi @Charles-SFG ,?

 

Can you clarify what is your concern? Did I understand you correctly that you asking how to configure the BGP without actually using the bgp routes and during maintenance window to switch to the BGP routing?

 

Another question - the two peers, are they both external for your firewall? Am I guessing correctly that the two peers are just for resilience and you will receive the same routes from both and you need to advertise same routes to both (but with different metric)?

 

When you are configuring the BGP you can leave the option "Install Routes" unchecked (I believe this is off by default) - As you can see from this document when this option is not checked FW will bring the BGP peering up, it will receive and advertise any routes from peers, but the received routes are not installed in the RIB.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleoCAC

Which effectively allow you to test the BGP peering and what is received from the peers, without affecting the current routing and using the old path.

Depending of your setup it is good idea to create bgp export rule and deny all prefix to be advertised to the peers. I would suggest to configure deny import policy on the peers, so that way you can test the firewall configuration to ensure that correct routes are advertised and still not affecting current traffic, but it is up to you and the ISP.

Highlighted
L1 Bithead

Alexander,

 

Thank you for your response. 

 

“Can you clarify what is your concern? Did I understand you correctly that you asking how to configure the BGP without actually using the bgp routes and during maintenance window to switch to the BGP routing?”

 

My concern is migrating to our new EBGP and new IP space without any downtime. So we need to be able to verify test traffic passes through the BGP before migrating production traffic to it. For inbound traffic both the old IPs and new IPs will need to be accessible while DNS propagates. Some business partners may also have hardcoded or host entries for our IP for their API requests, even though they shouldn’t. I understand that enabling ECMP restarts the router so ECMP will need to be done during a maintenance window.

 

Having never done this before and not finding any documentation that matches what we plan to do makes it harder to plan.

 

“Another question - the two peers, are they both external for your firewall? Am I guessing correctly that the two peers are just for resilience and you will receive the same routes from both and you need to advertise same routes to both (but with different metric)?”

 

Yes, the two peers are to the same ISP via different fiber paths for resilience.

 

“When you are configuring the BGP you can leave the option "Install Routes" unchecked (I believe this is off by default) - As you can see from this document when this option is not checked FW will bring the BGP peering up, it will receive and advertise any routes from peers, but the received routes are not installed in the RIB.” and “Which effectively allow you to test the BGP peering and what is received from the peers, without affecting the current routing and using the old path.”

 

This sounds like a good first step to verify the peers are configured properly. After that we will need to send some test traffic over it. Thanks for the link.


Thank you,

Charles

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!