How to Prefer a BGP Peer for Installing a Received Prefix in the Local Routing Table & Leverage BGP for Route Failover

Overview

This document describes how to:

  1. Configure a Palo Alto Networks Firewall running PAN-OS 5.0.x to establish eBGP peering with two ISPs sending the same prefix.

  2. Configure the firewall to prefer one ISP for installing the received prefix in the local routing table and having the prefix received from the second ISP as backup by tuning the BGP attribute 'local preference'.

Details

Please refer to the following diagram for the topology. The configuration focus is on the 'PAN Firewall (.92)' device. Both ISP routers advertise the prefix 40.40.40.0/24. The 'PAN Firewall (.92)' will be configured to prefer the prefix advertised by ISP1 using the 'Local Preference' attribute. (For simplicity, assume that the PAN firewall's external interface is on the same broadcast domain as both ISP links. Ideally, there would be point-to-point links between the PAN firewall and each ISP.)

[Figure: network topology diagram]

Steps

  1. Establish eBGP peering from the PAN Firewall (.92) to both ISP routers. The two ISP routers need to be placed in separate peer groups, since specific import rules will be written for ISP1 only.

Peer group configuration on 'PAN Firewall (.92)' for ISP1 (.39):

[Screenshot: peer group configuration for ISP1 (.39)]

Peer group configuration on 'PAN Firewall (.92)' for ISP2 (.41):

[Screenshot: peer group configuration for ISP2 (.41)]

  2. Add an import rule that matches (exact match) on the prefix 40.40.40.0/24 received from 'ISP1 (.39)' and sets the local preference to '200' on import (the default local preference is 100). BGP prefers the prefix received with the higher local preference and inserts it into the routing table.

Here is the import rule setup:

[Screenshots: import rule configuration (match criteria and local preference action)]

Verification

Once the configuration is committed, inspect the local RIB of the 'PAN Firewall (.92)' to confirm that the prefix 40.40.40.0/24 is being received from both peers. To do so, click Virtual Router > More Runtime Stats > BGP > Local RIB.

The prefix learned via ISP1 has a Local Pref. of 200 and a * flag, indicating that this path is preferred:

[Screenshot: Local RIB showing 40.40.40.0/24 from both peers, ISP1 entry with Local Pref. 200 and * flag]

To confirm that the routing table has this entry:

[Screenshot: routing table entry for 40.40.40.0/24 via ISP1]

For failover testing, bring down the eBGP peering with ISP1; the prefix from ISP2 is then preferred and installed in the routing table:

[Screenshot: routing table entry for 40.40.40.0/24 via ISP2 after ISP1 peering is down]
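The import-rule and failover behaviour above, as an added Python model that is not Palo Alto Networks code: an exact-match import rule raises local preference on the ISP1 path, the Local RIB picks the highest local preference (shorter AS path only as tie-breaker), and withdrawing ISP1's paths lets ISP2's copy take over. Peer labels and AS paths are constructed for the example; ISP1 is given the longer AS path to show that local preference overrides it.

```python
# Added example: a small Python model of the selection described above.
# Not Palo Alto Networks code; peer names and AS paths are constructed.
from dataclasses import dataclass

DEFAULT_LOCAL_PREF = 100  # PAN-OS default local preference, as stated above
PREFIX = "40.40.40.0/24"

@dataclass(frozen=True)
class Path:
    prefix: str
    peer: str
    local_pref: int = DEFAULT_LOCAL_PREF
    as_path: tuple = ()

@dataclass(frozen=True)
class ImportRule:
    # Exact-match a prefix from one peer and set its local preference on import.
    peer: str
    prefix: str
    set_local_pref: int
    def apply(self, path):
        # Exact match only: 40.40.40.0/25 from the same peer would not match.
        if path.peer == self.peer and path.prefix == self.prefix:
            return Path(path.prefix, path.peer, self.set_local_pref, path.as_path)
        return path

class LocalRib:
    def __init__(self, rules):
        self.rules = list(rules)
        self.paths = {}  # (prefix, peer) -> Path, after import rules
    def receive(self, path):
        for rule in self.rules:
            path = rule.apply(path)
        self.paths[(path.prefix, path.peer)] = path
    def peer_down(self, peer):
        # Losing the eBGP session withdraws every path learned from that peer.
        self.paths = {k: p for k, p in self.paths.items() if k[1] != peer}
    def best(self, prefix):
        # Highest local preference wins; shorter AS path is the next BGP tie-breaker.
        cands = [p for (pfx, _), p in self.paths.items() if pfx == prefix]
        return max(cands, key=lambda p: (p.local_pref, -len(p.as_path)), default=None)

def failover_demo():
    # Returns (preferred peer with both sessions up, preferred peer after ISP1 drops).
    rib = LocalRib([ImportRule("ISP1 (.39)", PREFIX, 200)])
    rib.receive(Path(PREFIX, "ISP1 (.39)", as_path=(65001, 65010)))  # constructed
    rib.receive(Path(PREFIX, "ISP2 (.41)", as_path=(65002,)))  # constructed, shorter
    before = rib.best(PREFIX).peer
    rib.peer_down("ISP1 (.39)")
    return before, rib.best(PREFIX).peer
```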