With PAN-OS 10.2, Palo Alto Networks has introduced the “Advanced Routing Engine” (ARE) with its “Logical Routers” (LR) rather than the legacy “Virtual Routers” (VR).
The Advanced Routing Engine simplifies operations with a standards-based configuration, which reduces your learning curve since it is similar to that of other router vendors.
The neat thing, as always: You can configure everything through the GUI. Here’s a basic example of how I’m using a prefix list to filter incoming BGP routes:
Lab Notes
- PA-440 with PAN-OS 11.2.0, “Advanced Routing” enabled, AS 64512
- A (fairly old but still working) Cisco 2811 router with IOS 15.1(4)M12a, AS 64513
- transfer networks 2a00:6020:ad0b:8370::/64 respectively 10.0.70.0/30
- eBGP between those two guys
- IPv6 neighbouring for IPv6 routes
- IPv4 neighbouring for IPv4 routes
- four IPv6 networks announced by the Cisco router (I hate their upper case notations)
network 2A00:6020:AD0B:8310::/64 network 2A00:6020:AD0B:8312::/63 network 2A00:6020:AD0B:8320::/64 network 2A00:6020:AD0B:8322::/63
- four IPv4 networks are announced as well
network 10.10.10.0 mask 255.255.255.192 network 10.10.20.0 mask 255.255.255.128 network 10.20.30.0 mask 255.255.255.192 network 10.20.40.0 mask 255.255.255.128
Initial Config
Straightforward, quick and dirty, using the “default” (read-only) BGP Address Family Profile for IPv4 and a similar one for IPv6:
Cisco router config for the sake of completeness. The /63 IPv6 routes are cosmetically done through null routes:
interface FastEthernet0/0 ip address 10.0.70.2 255.255.255.252 duplex auto speed auto ipv6 address 2A00:6020:AD0B:8370::2/64 ipv6 nd ra suppress ! interface FastEthernet0/1 no ip address duplex auto speed auto ! interface FastEthernet0/1.71 encapsulation dot1Q 71 ip address 10.10.10.1 255.255.255.192 ipv6 address 2A00:6020:AD0B:8310::1/64 ! interface FastEthernet0/1.72 encapsulation dot1Q 72 ip address 10.10.20.1 255.255.255.128 ipv6 address 2A00:6020:AD0B:8312::1/64 ! interface FastEthernet0/1.73 encapsulation dot1Q 73 ip address 10.20.30.1 255.255.255.192 ipv6 address 2A00:6020:AD0B:8320::1/64 ! interface FastEthernet0/1.74 encapsulation dot1Q 74 ip address 10.20.40.1 255.255.255.128 ipv6 address 2A00:6020:AD0B:8322::1/64 ! router bgp 64513 bgp router-id 10.0.0.3 bgp log-neighbor-changes no bgp default ipv4-unicast neighbor 10.0.70.1 remote-as 64512 neighbor 2A00:6020:AD0B:8370::1 remote-as 64512 ! address-family ipv4 network 10.10.10.0 mask 255.255.255.192 network 10.10.20.0 mask 255.255.255.128 network 10.20.30.0 mask 255.255.255.192 network 10.20.40.0 mask 255.255.255.128 neighbor 10.0.70.1 activate exit-address-family ! address-family ipv6 network 2A00:6020:AD0B:8310::/64 network 2A00:6020:AD0B:8312::/63 network 2A00:6020:AD0B:8320::/64 network 2A00:6020:AD0B:8322::/63 neighbor 2A00:6020:AD0B:8370::1 activate exit-address-family ! ipv6 route 2A00:6020:AD0B:8312::/63 Null0 ipv6 route 2A00:6020:AD0B:8322::/63 Null0
More Runtime Stats: (Note the BGP -> Routes section in which all IPv6 prefixes are listed twice, one with a next hop of the GUA and another one with the LL IPv6 address of the router, while the final route-/forwarding tables only list the LL ones.)
Show commands on the Palo. Note the show advanced-routing statements rather than the legacy show routing ones.
weberjoh@pa-home> show advanced-routing bgp route
Status codes: R removed, d damped, * valid, r ribFailure, S stale, = multipath,
s suppressed, i internal, > best, h history
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: e egp, i igp, ? incomplete
Logical router: service-provider
BGP table version is 72, local router ID is 10.0.0.102, vrf ID 0
Default local pref 100, local AS 64512
----------------------------------------------------------------------------------
Network Next Hop Metric LocPrf Weight Path
*> 10.10.10.0/26 10.0.70.2 0 100 0 64513 i
*> 10.10.20.0/25 10.0.70.2 0 100 0 64513 i
*> 10.20.30.0/26 10.0.70.2 0 100 0 64513 i
*> 10.20.40.0/25 10.0.70.2 0 100 0 64513 i
----------------------------------------------------------------------------------
Displayed 4 route(s) 4 path(s)
Logical router: service-provider
BGP table version is 18, local router ID is 10.0.0.102, vrf ID 0
Default local pref 100, local AS 64512
----------------------------------------------------------------------------------
Network Next Hop Metric LocPrf Weight Path
*> 2a00:6020:ad0b:8310::/64 2a00:6020:ad0b:8370::2 0 100 0 64513 i
*> 2a00:6020:ad0b:8312::/63 2a00:6020:ad0b:8370::2 0 100 0 64513 i
*> 2a00:6020:ad0b:8320::/64 2a00:6020:ad0b:8370::2 0 100 0 64513 i
*> 2a00:6020:ad0b:8322::/63 2a00:6020:ad0b:8370::2 0 100 0 64513 i
----------------------------------------------------------------------------------
Displayed 4 route(s) 4 path(s)
weberjoh@pa-home>
weberjoh@pa-home>
weberjoh@pa-home> show advanced-routing route type bgp logical-router service-provider
Logical Router: service-provider
==========================
flags: A:active, E:ecmp, Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext 1, O2:ospf ext 2
destination protocol nexthop distance metric flag tag age interface
10.10.10.0/26 bgp 10.0.70.2 20 0 A 02:03:17 ae1.70
10.10.20.0/25 bgp 10.0.70.2 20 0 A 02:03:17 ae1.70
10.20.30.0/26 bgp 10.0.70.2 20 0 A 02:03:17 ae1.70
10.20.40.0/25 bgp 10.0.70.2 20 0 A 02:03:17 ae1.70
2a00:6020:ad0b:8310::/64 bgp fe80::214:69ff:fe9e:1140 20 0 A 02:03:16 ae1.70
2a00:6020:ad0b:8312::/63 bgp fe80::214:69ff:fe9e:1140 20 0 A 01:56:11 ae1.70
2a00:6020:ad0b:8320::/64 bgp fe80::214:69ff:fe9e:1140 20 0 A 01:53:49 ae1.70
2a00:6020:ad0b:8322::/63 bgp fe80::214:69ff:fe9e:1140 20 0 A 01:55:40 ae1.70
total route shown: 8
weberjoh@pa-home>
Route Filtering w/ Prefix Lists
The goal is to filter incoming routes against the following criteria:
- only IPv6 routes out of the 2a00:6020:ad0b:8310::/60 range, only /64 networks
- only IPv4 routes out of the 10.10.0.0/16 range, only /26 networks
That is: per Internet Protocol, only 1 out of the 4 incoming routes should be accepted since the others are either sent with a wrong network size or belong to an incorrect range. These are the configuration steps:
- Routing -> Routing Profiles -> Filters -> Prefix List: for each Internet Protocol, add an appropriate list. The “network/mask” section defines the overall range while the “prefix length” columns define the lower/upper boundaries of the network sizes. Note that the list has an “implicit deny any” at the end.
- Routing -> Routing Profiles -> BGP -> Filtering Profiles: for each IP, add a profile which references the just added prefix list as an inbound network filter.
- Now, for both neighbour/peer statements within the BGP section in the logical router, select these filtering profiles.
From now on, the routing table only lists the correct/wanted routes:
So does the CLI, of course:
weberjoh@pa-home> show advanced-routing bgp route
Status codes: R removed, d damped, * valid, r ribFailure, S stale, = multipath,
s suppressed, i internal, > best, h history
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: e egp, i igp, ? incomplete
Logical router: service-provider
BGP table version is 77, local router ID is 10.0.0.102, vrf ID 0
Default local pref 100, local AS 64512
----------------------------------------------------------------------------------
Network Next Hop Metric LocPrf Weight Path
*> 10.10.10.0/26 10.0.70.2 0 100 0 64513 i
----------------------------------------------------------------------------------
Displayed 1 route(s) 1 path(s)
Logical router: service-provider
BGP table version is 23, local router ID is 10.0.0.102, vrf ID 0
Default local pref 100, local AS 64512
----------------------------------------------------------------------------------
Network Next Hop Metric LocPrf Weight Path
*> 2a00:6020:ad0b:8310::/64 2a00:6020:ad0b:8370::2 0 100 0 64513 i
----------------------------------------------------------------------------------
Displayed 1 route(s) 1 path(s)
weberjoh@pa-home>
weberjoh@pa-home>
weberjoh@pa-home> show advanced-routing route type bgp logical-router service-provider
Logical Router: service-provider
==========================
flags: A:active, E:ecmp, Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext 1, O2:ospf ext 2
destination protocol nexthop distance metric flag tag age interface
10.10.10.0/26 bgp 10.0.70.2 20 0 A 00:21:56 ae1.70
2a00:6020:ad0b:8310::/64 bgp fe80::214:69ff:fe9e:1140 20 0 A 00:21:56 ae1.70
total route shown: 2
weberjoh@pa-home>While the following command reveals that all routes are still sent by the BGP peer and received by the Palo:
weberjoh@pa-home> show advanced-routing bgp loc-rib-detail Logical Router: service-provider ============== Prefix: 10.10.10.0/26 Nexthop: 10.0.70.2 Received From: R3-v4 Originator ID: 0.0.0.0 AS Path: 64513 Origin: i MED: 0 Local Preference: 100 Atomic Aggregate: False Aggregator AS: 0 Aggregator ID: 0.0.0.0 Weight: 0 Flap: False Community: none Large Community: none Extended Community: none Best Path: True ---------- Prefix: 10.10.20.0/25 Nexthop: 10.0.70.2 Received From: R3-v4 Originator ID: 0.0.0.0 AS Path: 64513 Origin: i MED: 0 Local Preference: 100 Atomic Aggregate: False Aggregator AS: 0 Aggregator ID: 0.0.0.0 Weight: 0 Flap: False Community: none Large Community: none Extended Community: none Best Path: False ---------- Prefix: 10.20.30.0/26 Nexthop: 10.0.70.2 Received From: R3-v4 Originator ID: 0.0.0.0 AS Path: 64513 Origin: i MED: 0 Local Preference: 100 Atomic Aggregate: False Aggregator AS: 0 Aggregator ID: 0.0.0.0 Weight: 0 Flap: False Community: none Large Community: none Extended Community: none Best Path: False ---------- Prefix: 10.20.40.0/25 Nexthop: 10.0.70.2 Received From: R3-v4 Originator ID: 0.0.0.0 AS Path: 64513 Origin: i MED: 0 Local Preference: 100 Atomic Aggregate: False Aggregator AS: 0 Aggregator ID: 0.0.0.0 Weight: 0 Flap: False Community: none Large Community: none Extended Community: none Best Path: False ---------- Prefix: 2a00:6020:ad0b:8310::/64 Nexthop: 2a00:6020:ad0b:8370::2 Received From: R3-v6 Originator ID: 0.0.0.0 AS Path: 64513 Origin: i MED: 0 Local Preference: 100 Atomic Aggregate: False Aggregator AS: 0 Aggregator ID: 0.0.0.0 Weight: 0 Flap: False Community: none Large Community: none Extended Community: none Best Path: True ---------- Prefix: 2a00:6020:ad0b:8312::/63 Nexthop: 2a00:6020:ad0b:8370::2 Received From: R3-v6 Originator ID: 0.0.0.0 AS Path: 64513 Origin: i MED: 0 Local Preference: 100 Atomic Aggregate: False Aggregator AS: 0 Aggregator ID: 0.0.0.0 Weight: 0 Flap: False Community: none Large Community: none Extended Community: none Best Path: False ---------- Prefix: 2a00:6020:ad0b:8320::/64 Nexthop: 2a00:6020:ad0b:8370::2 Received From: R3-v6 Originator ID: 0.0.0.0 AS Path: 64513 Origin: i MED: 0 Local Preference: 100 Atomic Aggregate: False Aggregator AS: 0 Aggregator ID: 0.0.0.0 Weight: 0 Flap: False Community: none Large Community: none Extended Community: none Best Path: False ---------- Prefix: 2a00:6020:ad0b:8322::/63 Nexthop: 2a00:6020:ad0b:8370::2 Received From: R3-v6 Originator ID: 0.0.0.0 AS Path: 64513 Origin: i MED: 0 Local Preference: 100 Atomic Aggregate: False Aggregator AS: 0 Aggregator ID: 0.0.0.0 Weight: 0 Flap: False Community: none Large Community: none Extended Community: none Best Path: False ---------- total route shown: 8 weberjoh@pa-home>
Q.E.D. ✅
Soli Deo Gloria!
Photo by Jakub Kapusnak on Unsplash.