📘 PCNSE BGP Route Selection and Traffic Engineering

1. BGP Route Selection Process in PAN-OS

Palo Alto Networks firewalls follow a specific sequence to select the best BGP route:

1. Next-Hop Reachability: If the next-hop is reachable and it's the only path, select this route.
2. Weight: Prefer the path with the highest weight.
3. Local Preference: If weights are equal, prefer the path with the highest local preference.
4. Originated Routes: Prefer routes originated by the local router.
5. AS Path Length: Prefer the path with the shortest AS path.
6. Origin Type: Prefer routes with the lowest origin type (IGP < EGP < Incomplete).
7. MED: Prefer the path with the lowest Multi-Exit Discriminator (MED).
8. eBGP over iBGP: Prefer external BGP routes over internal ones.
9. IGP Metric to Next Hop: Prefer the path with the lowest IGP metric to the BGP next hop.
10. Router ID: Prefer the path with the lowest BGP router ID.

For a detailed explanation, refer to the Palo Alto Networks Knowledge Base article: What is the BGP Best Path Selection Process?

2. Influencing BGP Route Selection

Administrators can manipulate BGP attributes to influence route selection:

• Weight: Locally significant; higher weight is preferred.
• Local Preference: Higher value is preferred; used to influence outbound traffic.
• AS Path Prepending: Add multiple instances of your AS number to make a path less attractive to others.
• MED: Suggest to external neighbors which path to prefer; lower MED is preferred.
• Route Maps: Apply policies to modify attributes based on match conditions.

3. BGP Communities for Traffic Engineering

BGP communities are tags that can be attached to routes to signal routing preferences to peers:

• Standard Communities: 32-bit values used to group routes for policy decisions.
• Well-Known Communities:
  • no-export : Do not advertise to eBGP peers.
  • no-advertise : Do not advertise to any peer.
  • local-as : Do not advertise outside the local AS.
• Custom Communities: ISPs may define communities to allow customers to influence routing, such as setting local preference or controlling route propagation.

By tagging routes with specific communities, administrators can influence how upstream providers handle their traffic, affecting both inbound and outbound routing decisions.

4. Configuring BGP Communities in PAN-OS

To configure BGP communities in Palo Alto Networks firewalls:

1. Navigate to Network > Virtual Routers and select your virtual router.
2. Under BGP , configure the necessary Import and Export rules.
3. In the Export rule, under the Action tab, set the desired community attributes.
4. To add multiple community attributes to routes being redistributed into BGP from other routing protocols, configure a redistribution profile and specify the communities under the Set Community section.

Note: Multiple community attributes can be added only to routes that are being redistributed into BGP from other routing protocols. For more details, refer to the Knowledge Base article: Add Multiple Community Attribute to BGP routes

5. Filtering BGP Routes Using Communities

To filter BGP routes based on community attributes:

1. Navigate to Network > Routing > Routing Profiles > Filters and select Community Lists .
2. Create a new community list by specifying the name, type (Regular or Extended), and the community values to match.
3. Apply the community list in a route map to permit or deny routes based on the matched communities.

For detailed steps, refer to the documentation: Configure a Filter Community List

6. Additional Resources

• Configure BGP – Palo Alto Networks
• Configure BGP on an Advanced Routing Engine – Palo Alto Networks
• Add Multiple Community Attribute to BGP Routes – Palo Alto Networks Knowledge Base
• Configure a Filter Community List – Palo Alto Networks
• How to Implement BGP and eBGP on Palo Alto Networks – LIVEcommunity
• BGP Communities in Palo Alto Firewall – LIVEcommunity
• BFD for Dynamic Routing Protocols – Palo Alto Networks