BGP, Community settings for Prisma

CharlesKoh
L1 Bithead

Hi all,

I have some questions regarding community settings, because we use this in our org to influence route selection.

Based on this document "https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-pris..."

1) Do the communities referred to in it, "65534:X", "65534:Y", "65534:Z", refer to the Prisma mobile user IP pool allocation setting per region?

2) When we click on the BGP status in the network details of the service connections, what does the community number shown there refer to? The X, Y, Z which I mentioned in point 1 above? I have 3 service connections (2 in the US and 1 in the EU, none in Asia). These 3 service connections gave me different community numbers, so which is which region?

3) The document only mentions mobile user IP prefixes. I also use Remote Network (traditional IPsec) into Prisma. I would like to control the return routes, i.e. which service connection is used, based on community. How do we know what community is being set based on the Prisma Access locations? Is there a list published somewhere of the community numbers? If I check the IP prefix of a remote site specifically, I do see a community tag on it. Searching all the BGP IP prefixes will be a big chore; it would be good if the community number tagging were published somewhere.

wprice
L1 Bithead

Hi Charles,

Here are replies inline to your questions:

1) Do the communities referred to in it, "65534:X", "65534:Y", "65534:Z", refer to the Prisma mobile user IP pool allocation setting per region?

The routes are Mobile User pool addresses you have onboarded in certain regions. We will split up those larger pools into /24 blocks and tag them with the Prisma Access AS number / community strings (65534:x). The X/Y/Z is per Service Connection. You can say "regional", yes.

2) When we click on the BGP status in the network details of the service connections, what does the community number shown there refer to? The X, Y, Z which I mentioned in point 1 above? I have 3 service connections (2 in the US and 1 in the EU, none in Asia). These 3 service connections gave me different community numbers, so which is which region?

The community string tag it is using is an ID of the active FW for the original active Service Connection firewall.

3) The document only mentions mobile user IP prefixes. I also use Remote Network (traditional IPsec) into Prisma. I would like to control the return routes, i.e. which service connection is used, based on community. How do we know what community is being set based on the Prisma Access locations? Is there a list published somewhere of the community numbers? If I check the IP prefix of a remote site specifically, I do see a community tag on it. Searching all the BGP IP prefixes will be a big chore; it would be good if the community number tagging were published somewhere.

You can see the IDs in the Panorama Managed Prisma Access GUI page:

Panorama >>> Cloud Services >>> Status >>> Network Details >>> Service Connection >>> Show BGP Status
(Look at the Community field)

The community tags should be mostly static, so once you have mapped them out they should stay consistent unless you re-onboard the SC.

I hope this helps!

Wade

CharlesKoh
L1 Bithead

Hi Wade,

Thanks for replying.

Just a further question on point 3 with regards to Remote Network sites. I do see the community setting based on the BGP status of the remote network. But on my CPE peering with the service connections, when I checked the BGP prefixes advertised by these remote sites, I do not see the community tag on them like what I've seen on the mobile user prefixes.

Is that how it should be?

wprice
L1 Bithead

Hi Charles,

We do not tag the Remote Network prefixes with a community string, because we fully mesh the RNs to each Service Connection. If all you want to do is identify which routes are RNs, you can tag them by advertising them from the branch with a global or regional community string tag, and we will advertise / preserve them to the SC with those community value tags. If you want to identify which regions are which routes, you can advertise specific community tags for specific "regions" or "Geos".

I hope this helps.

Thanks,

Wade
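Mapping the community IDs out once (as Wade suggests) and then sorting what the CPE actually sees into Prisma-tagged mobile user pools, branch-tagged remote network routes and untagged remote network routes, as an added example that is not part of this thread or of Palo Alto Networks' own tooling. The sample prefixes, the 65534:x ID values, the SC names and the 65000:200 regional tag are all constructed placeholders; 65534 is the Prisma Access AS number named in the thread.

```python
import ipaddress
import re

PRISMA_AS = "65534"  # Prisma Access AS number used in the 65534:x community strings
# Constructed sample of prefixes as seen on a CPE peering with the service connections: prefix, then community ("-" = none).
SAMPLE_RIB = """\
10.50.0.0/24      65534:101
10.50.1.0/24      65534:101
10.60.0.0/24      65534:102
192.168.10.0/24   -
192.168.20.0/24   65000:200
"""
# Assumed: IDs mapped out once from Panorama > Cloud Services > Status > Network Details > Service Connection > Show BGP Status.
SC_BY_COMMUNITY = {"65534:101": "SC-US-1", "65534:102": "SC-US-2"}
# Assumed: regional tag a branch sets on its own remote-network prefixes (Prisma preserves it to the SC).
REGION_BY_COMMUNITY = {"65000:200": "RN-APAC"}
LINE_RE = re.compile(r"^(\S+/\d{1,3})\s+(\S+)$")

def parse_rib(text):
    """Parse 'prefix community[,community]' lines into (network, {communities})."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore headers and blank lines
        net = ipaddress.ip_network(m.group(1), strict=True)
        comms = set() if m.group(2) == "-" else set(m.group(2).split(","))
        entries.append((net, comms))
    return entries

def classify(entries):
    """Split prefixes into Prisma-tagged (per SC), branch-tagged RN, and untagged RN."""
    out = {"mobile_user": {}, "remote_network": {}, "untagged": []}
    for net, comms in entries:
        prisma = sorted(c for c in comms if c.startswith(PRISMA_AS + ":"))
        regional = sorted(comms & set(REGION_BY_COMMUNITY))
        if prisma:  # 65534:x identifies the service connection that owns the pool block
            out["mobile_user"][str(net)] = SC_BY_COMMUNITY.get(prisma[0], "unmapped " + prisma[0])
        elif regional:  # tag the branch itself set on the RN route
            out["remote_network"][str(net)] = REGION_BY_COMMUNITY[regional[0]]
        else:  # remote-network prefixes that Prisma itself leaves untagged
            out["untagged"].append(str(net))
    return out

def pools_by_sc(classified):
    """Collapse the /24 blocks back into the onboarded pool per service connection."""
    blocks = {}
    for prefix, sc in classified["mobile_user"].items():
        blocks.setdefault(sc, []).append(ipaddress.ip_network(prefix))
    return {sc: [str(n) for n in ipaddress.collapse_addresses(nets)] for sc, nets in blocks.items()}
```

Any prefix landing in "untagged" is a remote network route that Prisma forwarded without a community, which is the behaviour Charles observed; tagging it at the branch moves it into "remote_network".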
