A Palo Alto Networks firewall can set the DSCP value on the BGP keepalive packets it exchanges with its BGP neighbor. These keepalive packets are initiated by the Palo Alto Networks firewall participating in BGP with other L3 devices.
The IP DSCP value can be selected under the Other Settings section of the Security Profile > Actions tab. The following example shows how Assured Forwarding 12 (001100) for class1 is guaranteed:
A security policy must be configured to match the BGP traffic, and then set the DSCP information in the policy options. The BGP peering is established between 1.1.1.1 and 1.1.1.2 with 1.1.1.2 being the remote peer.
Border Gateway Protocol (BGP) keepalive packets are essential for maintaining the stability of BGP peering sessions. If these packets are delayed or dropped, especially during periods of network congestion, BGP sessions can flap. This leads to:
By marking BGP keepalive packets with an appropriate Differentiated Services Code Point (DSCP) value, network administrators can instruct Quality of Service (QoS) mechanisms on all network devices along the path to prioritize this critical control plane traffic. This helps ensure timely delivery and reduces the likelihood of session failure due to congestion.
While the specific DSCP value can vary based on an organization's QoS policy, common practice for network control traffic, including BGP, is to use high-priority markings.
It's crucial that the DSCP markings applied by the Palo Alto Networks firewall are recognized and honored by downstream devices in the network path for the QoS policy to be effective.
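One way to confirm that the marking survives the path is to inspect the ToS byte of BGP keepalives seen at a downstream capture point. The following Python sketch is an added example, not part of the original article or any Palo Alto Networks tooling. The function names are hypothetical and the sample packets are constructed in code (using the 1.1.1.1 and 1.1.1.2 peers and the AF12 value from above) rather than taken from a real capture.

```python
import struct

AF12 = 0b001100          # DSCP value from the article (Assured Forwarding 12)
BGP_PORT = 179
BGP_KEEPALIVE = 4        # BGP message type 4, fixed 19-byte message (RFC 4271)

def parse_bgp_dscp(pkt: bytes):
    """Return (src, dst, dscp, is_keepalive) for a raw IPv4 packet, or None if not BGP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    dscp = pkt[1] >> 2                      # upper 6 bits of the ToS byte; lower 2 are ECN
    if pkt[9] != 6 or len(pkt) < ihl + 20:  # IP protocol 6 = TCP
        return None
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    if BGP_PORT not in (sport, dport):
        return None
    tcp_len = (pkt[ihl + 12] >> 4) * 4      # TCP data offset, in bytes
    bgp = pkt[ihl + tcp_len:]
    is_keepalive = (len(bgp) >= 19 and bgp[:16] == b"\xff" * 16
                    and struct.unpack_from("!H", bgp, 16)[0] == 19
                    and bgp[18] == BGP_KEEPALIVE)
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    return src, dst, dscp, is_keepalive

def check_marking(pkt: bytes, expected_dscp: int = AF12) -> str:
    info = parse_bgp_dscp(pkt)
    if info is None:
        return "not-bgp"
    _, _, dscp, keepalive = info
    if not keepalive:
        return "bgp-other"
    return "ok" if dscp == expected_dscp else f"remarked:{dscp}"

def build_keepalive(src: str, dst: str, dscp: int) -> bytes:
    """Construct a sample packet (checksums zeroed; constructed test data, not a capture)."""
    bgp = b"\xff" * 16 + struct.pack("!HB", 19, BGP_KEEPALIVE)
    tcp = struct.pack("!HHIIBBHHH", 49152, BGP_PORT, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(tcp) + len(bgp),
                     0, 0, 64, 6, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return ip + tcp + bgp

MARKED = build_keepalive("1.1.1.1", "1.1.1.2", AF12)   # keepalive marked AF12
BLEACHED = build_keepalive("1.1.1.1", "1.1.1.2", 0)    # DSCP reset to 0 by a downstream hop
```

A result of `remarked:0` at the remote side of the path means an intermediate device rewrote the DSCP field, so the QoS policy is not being honored end to end.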