537 Views, 2 Helpful, 11 Replies

BGP advertisement with Neighbour as Palo Alto firewall

Yuvi1983
Level 1

Hi Community,

I have the following situation on an ASR1001.

I created the following BGP configuration; the neighbour is a Checkpoint firewall.

ip vrf 250

interface Port-channel1.250
encapsulation dot1Q 250
ip vrf forwarding 250
ip address 169.254.0.11 255.255.255.248
end


router bgp 65133
bgp router-id 10.254.0.2
bgp log-neighbor-changes

address-family ipv4 vrf 250
redistribute connected
neighbor 169.254.0.9 remote-as 397013
neighbor 169.254.0.9 local-as 4200000004 no-prepend
neighbor 169.254.0.9 description firewall
neighbor 169.254.0.9 activate
neighbor 169.254.0.9 soft-reconfiguration inbound
neighbor 169.254.0.9 route-map asr1001 out
exit-address-family


BGP Established
ASR1001# show bgp vpnv4 unicast vrf 250 summary
BGP router identifier 10.254.0.2, local AS number 65133
BGP table version is 34, main routing table version 34
7 network entries using 1792 bytes of memory
7 path entries using 840 bytes of memory
3/3 BGP path/bestpath attribute entries using 768 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
1 BGP community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 3448 total bytes of memory
BGP activity 371/336 prefixes, 458/423 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
169.254.0.9 4 397013 9020 8555 34 0 0 2d17h 4
core1-rt-and#


What configuration is required to advertise the existing SVI to the firewall, please?

The ASR1001 currently has SVIs on it.

Ex.
interface Port-channel1.184
encapsulation dot1Q 184
ip address 192.168.0.3 255.255.255.0
standby 1 ip 192.168.0.1
ip ospf 1 area 0
end


2 Accepted Solutions

seq 5 permit 192.168.0.22/32 <<- same for this prefix; check its mask

MHM


11 Replies

https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/216541-vrf-configuration-examples-on-ios-xe.html

Check this 

VRF leaking from global to VRF.

Also, the VRF you configured needs an RD.

MHM

router bgp 65133

redistribute connected <<- since the SVI is in global, we redistribute it into global BGP, and BGP will import these prefixes into vrf 250

address-family ipv4 vrf 250
redistribute connected route-map VRF-Global-to-VRF-250 <<- no need for this; we use an import map for global to VRF

 

You will face another issue, which is reachability from the SVI to any prefix learned from vrf 250. This is solved by:

ip route vrf <vrf-name> x.x.x.x <mask> <next-hop> global

Try the above and check.

MHM

Thank you so much,

The situation is improving.

Added the following config 

ip vrf 250
rd 200:25
!
!
interface TenGigabitEthernet0/0/0
no ip address
cdp enable
!
interface TenGigabitEthernet0/0/0.250
encapsulation dot1Q 250
ip vrf forwarding 250
ip address 169.254.0.10 255.255.255.248
!
interface TenGigabitEthernet0/0/0.500
encapsulation dot1Q 500
ip vrf forwarding 250
ip address 10.50.120.2 255.255.255.0
standby 1 ip 10.50.120.1
standby 1 priority 105
!
router bgp 394566
!
address-family ipv4 vrf 250
redistribute connected
neighbor 169.254.0.9 remote-as 397013
neighbor 169.254.0.9 local-as 4200000001 no-prepend
neighbor 169.254.0.9 description firewall
neighbor 169.254.0.9 activate
neighbor 169.254.0.9 soft-reconfiguration inbound
exit-address-family
!
ip route vrf 250 10.53.120.0 255.255.255.0 169.254.0.9 global
end

ASR1001#$nv4 unicast vrf 250 neighbors 169.254.0.9 advertised-routes
BGP table version is 44, local router ID is 10.254.0.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 200:25 (default for vrf 250)
*> 10.50.120.0/24 0.0.0.0 0 32768 ?
*> 169.254.0.8/29 0.0.0.0 0 32768 ?

Total number of prefixes 2

-----------------------------------------------------------------------------------------------

I am facing another problem now, with communication between SVIs on the same router:

SVI with vrf 250 directly connected on the ASR1001

SVI without VRF directly connected on the same ASR1001

Any suggestions, please, on how I can make them communicate with each other?

Both are directly connected SVIs.

What will be the import config under the VRF and BGP config, please?


I made this lab for you. Please review it; you are free to ask any questions.

hostname Switch

!

ip vrf 250
rd 1:250
import ipv4 unicast map Glo-to-vrf <<- this filters which prefixes will be imported from global
!
interface Ethernet0/0
no switchport
ip vrf forwarding 250 <<- this is used to connect the SW to the FW
ip address 100.0.0.3 255.255.255.0
duplex auto
!
interface Ethernet0/1
switchport access vlan 10
duplex auto
!
interface Ethernet0/2
switchport access vlan 20
duplex auto
!
interface Ethernet0/3
duplex auto
!
interface Vlan10
ip address 10.0.0.3 255.255.255.0
!
interface Vlan20
ip address 20.0.0.3 255.255.255.0
!
router bgp 300
bgp log-neighbor-changes
redistribute connected <<- this redistributes the connected VLAN10 and VLAN20, which are then filtered by the import map
!
address-family ipv4 vrf 250
neighbor 100.0.0.4 remote-as 400
neighbor 100.0.0.4 activate
exit-address-family
!
!
no ip http server
!
ip route 0.0.0.0 0.0.0.0 Ethernet0/0 <<- this lets VLAN10 reach net 50.0.0.0/24
!
!
ip prefix-list 10.0.0.0 seq 5 permit 10.0.0.0/24
!
route-map Glo-to-vrf permit 10
match ip address prefix-list 10.0.0.0
!

Thank you so much for helping, 

Scenario 1: Import VLAN 10 & 20 into vrf 250 (Glo-to-vrf 250)

----------------------------------------------------------------------------------------------------------

The reason being: I have many existing production SVIs similar to VLAN 10 & 20 on the ASR1001, and I would like to import them all into vrf 250.

What I have done is the following:

ip vrf 250
rd 200:25
import ipv4 unicast map VRF-Global-to-VRF-250

asr1001#sh route-map VRF-Global-to-VRF-250
route-map VRF-Global-to-VRF-250, permit, sequence 10
Match clauses:
ip address prefix-lists: VRF-Global
Set clauses:
Policy routing matches: 0 packets, 0 bytes
asr1001#

asr1001#sh ip prefix-list VRF-Global
ip prefix-list VRF-Global: 1 entries
seq 5 permit 192.168.0.0/24

asr1001# sh ip ro vrf 250

192.168.0.0/24 IS NOT SEEN


Under BGP, only "redistribute connected" is needed, and then you will see it:

router bgp 300
bgp log-neighbor-changes
redistribute connected <<- this redistributes the connected VLAN10 and VLAN20, which are then filtered by the import map

ip vrf 250
rd 200:25
import ipv4 unicast map VRF-Global-to-VRF-250


interface TenGigabitEthernet0/0/0.250 ( used for bgp with firewall)
description firewall
encapsulation dot1Q 250
ip vrf forwarding 250
ip address 169.254.0.10 255.255.255.248

interface TenGigabitEthernet0/0/0.500 ( directly connected in vrf global)
description directly connected in Global vrf
encapsulation dot1Q 500
ip address 10.50.120.2 255.255.255.0
standby 1 ip 10.50.120.1
standby 1 priority 105


router bgp 394566
bgp log-neighbor-changes
address-family ipv4
redistribute connected -------------------> Redistribute connected

address-family ipv4 vrf 250
neighbor 169.254.0.9 remote-as 397013
neighbor 169.254.0.9 local-as 4200000001 no-prepend
neighbor 169.254.0.9 description paedgefw
neighbor 169.254.0.9 activate
neighbor 169.254.0.9 soft-reconfiguration inbound
exit-address-family

asr1001#sh route-map VRF-Global-to-VRF-250
route-map VRF-Global-to-VRF-250, permit, sequence 10
Match clauses:
ip address prefix-lists: VRF-Global
Set clauses:
Policy routing matches: 0 packets, 0 bytes
asr1001#sh ip prefix-list VRF-Global
ip prefix-list VRF-Global: 2 entries
seq 5 permit 192.168.0.22/32
seq 10 permit 10.50.120.0/22
asr1001#

asr1001#sh ip ro vrf 250 | i 10.50
! 10.50.120.0 NOT FOUND

Please validate my VRF config once...

seq 10 permit 10.50.120.0/22 <<- this needs to be /24, not /22

MHM

Lovely, thank you so much.

I see it now. Any reason it did not work with /22, please? It covers 10.50.120.0 to 10.50.123.0.

 

core2-rt-and#sh ip ro vrf 250

B        10.50.120.0/24 is directly connected, 00:00:40, TenGigabitEthernet0/0/0.500
L        10.50.120.2/32 is directly connected, TenGigabitEthernet0/0/0.500

seq 5 permit 192.168.0.22/32 <<- same for this prefix; check its mask

MHM
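Editor's note on the last two answers: the reason `seq 10 permit 10.50.120.0/22` never imported the connected 10.50.120.0/24 is that a prefix-list entry without `ge`/`le` matches only a route with exactly that prefix and exactly that length; `/22` does not act as a range covering its /24 subnets. Because the import map is the only filter between the global table and the firewall-facing VRF, the entries should stay as tight as the prefixes that are actually meant to cross. The following Python script is an added example, not code from the thread or from Cisco; it reimplements the IOS prefix-list matching rules and checks the thread's broken and corrected lists against constructed connected routes. It assumes IPv4 only and that the connected route behind the 192.168.0.3/24 SVI shown in the question is 192.168.0.0/24.

```python
"""Cisco-style `ip prefix-list` matching, as an added example (not from the thread).

Rules implemented (IOS semantics):
  * the route's first N bits must equal the entry's prefix A/N;
  * with no ge/le, the route length must be exactly N;
  * `ge X` alone allows lengths X..32, `le Y` alone allows N..Y, both allow X..Y;
  * the first matching sequence wins, and an implicit deny ends every list.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_ENTRY_RE = re.compile(
    r"^(?:ip prefix-list\s+\S+\s+)?seq\s+(?P<seq>\d+)\s+"
    r"(?P<action>permit|deny)\s+(?P<prefix>\S+)"
    r"(?:\s+ge\s+(?P<ge>\d+))?(?:\s+le\s+(?P<le>\d+))?\s*$"
)


@dataclass(frozen=True)
class PrefixListEntry:
    seq: int
    action: str
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def length_range(self) -> Tuple[int, int]:
        """Allowed route lengths: exact length unless ge/le widen it."""
        n = self.prefix.prefixlen
        lo = self.ge if self.ge is not None else n
        hi = self.le if self.le is not None else (32 if self.ge is not None else n)
        return lo, hi

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        if not route.subnet_of(self.prefix):   # first N bits must agree
            return False
        lo, hi = self.length_range()
        return lo <= route.prefixlen <= hi


def parse_prefix_list(text: str) -> List[PrefixListEntry]:
    """Parse `seq N permit|deny A/L [ge X] [le Y]` lines; other lines (e.g. the
    `ip prefix-list NAME: K entries` header of show output) are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if not m:
            continue
        prefix = ipaddress.IPv4Network(m["prefix"], strict=True)
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        lo, hi = PrefixListEntry(0, "permit", prefix, ge, le).length_range()
        if not (prefix.prefixlen <= lo <= hi <= 32):   # IOS rejects these too
            raise ValueError(f"bad ge/le range on seq {m['seq']}: {line.strip()}")
        entries.append(PrefixListEntry(int(m["seq"]), m["action"], prefix, ge, le))
    return sorted(entries, key=lambda e: e.seq)


def evaluate(entries: List[PrefixListEntry], route: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching seq); (\"deny\", None) means the implicit deny."""
    net = ipaddress.IPv4Network(route, strict=False)
    for e in entries:
        if e.matches(net):
            return e.action, e.seq
    return "deny", None


def imported_routes(prefix_list_text: str, connected: List[str]) -> List[str]:
    """Which connected routes an import map using this prefix list would let into the VRF."""
    entries = parse_prefix_list(prefix_list_text)
    return [r for r in connected if evaluate(entries, r)[0] == "permit"]


# Constructed from the `show ip prefix-list VRF-Global` output posted in the thread.
BROKEN_LIST = """
ip prefix-list VRF-Global: 2 entries
seq 5 permit 192.168.0.22/32
seq 10 permit 10.50.120.0/22
"""

# Corrected per the accepted answers: exact lengths that equal the connected routes.
FIXED_LIST = """
seq 5 permit 192.168.0.0/24
seq 10 permit 10.50.120.0/24
"""

# Constructed connected routes for the two global SVIs in the thread (assumption:
# the 192.168.0.3/24 SVI contributes 192.168.0.0/24).
CONNECTED = ["192.168.0.0/24", "10.50.120.0/24"]

if __name__ == "__main__":
    for label, plist in (("broken", BROKEN_LIST), ("fixed", FIXED_LIST)):
        print(f"{label}: imports {imported_routes(plist, CONNECTED)}")
```

Running it shows the broken list importing nothing and the fixed list importing both /24s. If the intent really is "everything under 10.50.120.0/22", the IOS way to say so is `seq 10 permit 10.50.120.0/22 le 24`, which the script also accepts; note that `le 32` would additionally admit the /32 host routes, so widen the range only as far as the prefixes that should actually cross the VRF boundary.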

Resolved