BGP Reflector Route on a Palo Alto Networks Firewall

Environment

• Palo Alto Firewalls

• Supported PAN-OS

• BGP Route Reflector

Resolution

Overview

The Palo Alto Networks implementation of the RR (Route Reflector) for iBGP is based on RFC 2796/4456. The later one superseded RFC 2796.

• http://www.ietf.org/rfc/rfc2796.txt

• http://tools.ietf.org/html/rfc4456

Details

The Reflector Route types are configured in the web UI to define what the “peer” iBGP router is in relationship to the local router. The supported peer types are:

• Non-Client

  • iBGP peer must be fully meshed. When the Route Reflector sees a route from the Non-Client, it must reflect to all clients.

• Client

  • iBGP peer is only connected to the Route Reflector (not fully meshed).

  • A route seen from this client type is reflected to all the Non-Client peers and also the Client peers.

• Meshed-Client

  • iBGP peer is a reflector client and it is fully meshed with all other reflector clients.

  • Routes received from a meshed client are reflected to all neighbors except for other meshed-client iBGP peers.

A fundamental point in Route Reflector is the loop avoidance. In RR there are 2 attribute for this:

• Originator-ID

• Cluster ID

Ensure that both are configured in the BGP tab on the web UI. The Router ID field is for Originator-ID and Reflector Cluster ID is for the Cluster ID:

If the firewall is acting as the Route Reflector, make sure that the peers are defined properly by navigating to Network > Virtual-Routers. Then, click open the intended Virtual Router and go to BGP >Peer Group > Peer > Reflector Client :