
Firepower 6.4 BGP extended community

Heino Human
Level 1

Hi legends, 

 

I have been asked to replace my client's internet-facing Palo Altos with Firepower. I have a couple of 9300 FTDs and a 4600 FMC to achieve this. 

 

The client has a PE attached to their Palo Alto firewall with sub-interfaces, each in its own VRF. The Palos are configured to import the extended communities per interface via hexadecimal values. 

 

I have looked everywhere and can't find any documentation stating that Firepower can support extended communities to import the routes. Has anyone been able to find anything or come across something similar? 

 

On a side note, there are currently two virtual routers on the PANs, one for internet traffic and the other working as a firewall on a stick. I am combining the two to provide a default route and also the firewall-on-a-stick feature. This is to manage rules between different areas. 

 

The only thing I think I can possibly do is utilize the multi-tenancy feature. 

 

I hope this makes sense. Any direction will be greatly appreciated. 

 

 

1 Accepted Solution

Accepted Solutions

Hi guys, 

 

Thank you for the input, though I'm still stuck; maybe this will be clearer. The path is as follows:

 

internet router <-> FTD (CE) <-> PE router <-> MPLS <-> PE router <-> CE routers

 

All CE routers, except the FTDs, are in remote multi-story buildings. 

We will be using the FTD as a CE and FUSION router between zones. 

I have an output below. The firewall is 10.1.1.202 for VRF STAFF and the output below is from the PE router attached. The PE router uses MPBGP as expected over the MPLS to all other PE routers and then remote CE routers. 

 

In our current PAN firewalls, we can import extended communities for each VRF under different interfaces. Cisco FTD does not support extended communities, as mentioned before. I am able to learn routes by matching the extended communities and then setting them as standard communities (not sure if this is actually the correct way). The FTD is learning the routes associated with the extended communities, but traffic from the far CEs can only reach the PE router attached to the FTD. Why is this, and how can I fix it? 

 

EVE_VPE-17-231#sh ip bgp vpnv4 vrf STAFF neighbors 10.1.1.202 adv
BGP table version is 83, local router ID is 10.0.4.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 65000:1005 (default for vrf STAFF)
*> 10.1.1.200/30 0.0.0.0 0 32768 i
*>i 10.1.14.112/30 10.0.4.26 0 100 0 ?
*> 10.5.5.0/24 0.0.0.0 0 32768 i
*>i 10.8.74.0/24 10.0.4.26 0 100 0 65020 i
*> 10.8.176.0/20 0.0.0.0 0 32768 i
*>i 10.15.15.0/24 10.0.4.26 0 100 0 i
*>i 10.18.18.0/24 10.0.4.26 0 100 0 i
*>i 10.20.0.0/24 10.0.4.26 0 100 0 i
*> 10.25.64.0/23 0.0.0.0 0 32768 i
*>i 10.27.0.0/24 10.0.4.26 0 100 0 i
*>i 10.28.0.0/24 10.0.4.26 0 100 0 i
*> 10.99.99.1/32 0.0.0.0 0 32768 i

Total number of prefixes 12
EVE_VPE-17-231#sh ip bgp vpnv4 vrf STAFF 10.8.74.1
BGP routing table entry for 65000:1005:10.8.74.0/24, version 75
Paths: (1 available, best #1, table STAFF)
Multipath: iBGP
Advertised to update-groups:
6
Refresh Epoch 2
65020, imported path from 65000:1026:10.8.74.0/24 (global)
10.0.4.26 (metric 21) from 10.0.0.100 (10.0.0.100)
Origin IGP, metric 0, localpref 100, valid, internal, best
Extended Community: RT:65000:1000 RT:65000:1026 <--these are the extended communities from the import/export maps)--
Originator: 10.0.4.26, Cluster list: 10.0.0.100
Connector Attribute: count=1
type 1 len 12 value 65000:1026:10.0.4.26
mpls labels in/out nolabel/47
rx pathid: 0, tx pathid: 0x0
EVE_VPE-17-231#

 

I hope this makes sense :) 

 

I have gone bald in the past few weeks just from this one project.....

 

Thank you

 


Cristian Matei
VIP Alumni

Hi,

 

   I guess you speak about BGP Large Communities (96-bit) defined in RFC 8092, which Palo Alto does not support either, as far as I know. Palo Alto does support extended communities (64-bit) defined in RFC 4360; however, most of these are used for VPNv4/VPNv6 prefixes.

  FTD supports communities, from the GUI, unfortunately only in a simple decimal format. Make use of Smart CLI and/or FlexConfig, and you will be able to specify standard communities in the format AS:value.

   What is the exact reason you need/have to use large communities as opposed to regular communities? This is mainly a commodity, not a technical reason.

 

Regards,

Cristian Matei.

Hi Cristian, 

 

Thank you for your message and reply. 

 

You are correct, PAN-OS only supports BGP filtering using extended communities with hexadecimal values. 

 

I'm trying to complete something similar, as the firewalls will be attached to the VPNv4 PE for the CAMPUS network with multiple VRFs. This is where my question is: can the FTD do route filtering/import via extended communities using AS:NN?

 

I will have a look around FlexConfig and Smart CLI. Documentation around Firepower is very slim, even worse for training material. 

I have not worked on Firepower before, but been asked to replace the PANs in a very short period as they go out of support soon. 

 

Thank you for the help. 

 

Regards, 

Heino 

Hi,

  

   AS:NN does not necessarily mean extended-communities. You can configure community-lists and filter based on that, or set communities to prefixes. From GUI, you can only configure the community in the format of a number, like XXX. Try via FlexConfig or smartCLI to set it as AS:NN.

 

Regards,

Cristian Matei.

Hi Cristian, 

 

I spent all weekend, though I could not find any documentation around Smart CLI and FlexConfig that covers BGP. 

 

I was able, though, to convert the route target to decimal values, though now I'm learning all routes from all VRFs. How would I filter so that I only learn routes for each VRF on its respective RT export? 

 

Say I have a router exporting RT 65000:1000, decimal value of 4259841000 and I want to filter routes coming into the firewall to only import those routes that are tagged, and nothing else. 

 

As an example, I have a second VRF on a router with an export of RT 65000:4000, decimal value of 4259844000, but now I can see all these routes on the router. 

 

I hope this makes sense :) 

 

Thank you!

Heino 

Flexconfig documentation is a bit sparse.

However what you basically need to do is figure out the cli in the LINA (ASA) section as if you were doing it on ASA. Then enter it in your Flexconfig elements in FMC which you then apply on FTD. The BGP bits are then parsed by the LINA code.

Here's a guide to configuring BGP communities on ASA:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/general/asa-97-general-config/route-bgp.html#ID-2100-00000233

Hi,

 

    I don't think FTD supports extended communities at this point; usually you get this kind of support on VRF-aware IOSes. Your best option would be to tag the routes egress towards the FTD with regular standard communities, as these are supported. Look in the configuration guide, BGP section.

 

Regards,

Cristian Matei.

Hi Cristian and Marvin, 

 

Thank you for your input. 

 

I was able to set it up to import the communities using decimal values for different VRFs. This is a lot closer than where I have been so far. Now I'm learning routes from all of the network on the firewall, yea!!! I did this using route maps pointing to the standard communities. These are then imported into BGP. 

 

I have set up the firewall to generate a default route for each VRF, so all traffic that doesn't have a more specific route to any DC services or any other campus subnet will go straight to the internet firewall. 

 

On the firewall, I also created a static default route out to the HSRP address of our internet routers. PAT has been done for outbound traffic to the internet. 

 

The only issue now is that even though the firewall is learning these routes and knows the next hop to get there, connectivity fails.

 

I have attached a screenshot of a lab I'm using to build this setup before deploying it. 

Red is the primary FTD.

Blue is the connected VPNv4 router. From here inter-VRF testing works great: ping, telnet, etc. Testing out to an 'internet' router is great, with telnet, ping, ssh and http tested successfully so far. I enabled all these services on the 'internet' router. 

Dark Green is the route reflector server (Blue and Light Green are clients). 

Light Green at the bottom is the far VPNv4 router. My testing from here over the MPLS has full connectivity to the far VPNv4 router and the routing table reflects this. Though testing from here through the firewall keeps failing. 

 

I have done traceroutes with 'debug ip icmp' enabled on each hop and can see the TTL decrement for the destination till it reached the firewall, where it fails. I have 'debug ip icmp trace' enabled here. 

 

Very frustrating. 

 

Any thoughts on next troubleshooting step? 

 

I will keep hammering at it till it's done... 

 

Thank you

Heino 

Hi,

 

   It's not clear to me which data-plane flow fails. Traffic initiated from the FTD and destined to where? Is the interconnect between the FTD (CE) and your VPN router (PE) advertised via routing as well? If the FTD here plays the role of the CE, as long as routing has converged end-to-end, ensure the PE-CE links are also advertised via BGP in order to have labels for these prefixes.

 

Regards,

Cristian Matei.


For anyone who has this issue: 

 

What I did is create an extended community list first and then used it in a route map to set a standard community. 

 

On the firewall, I matched the standard community for incoming routes, and only those routes that are part of the particular VRF were learnt. 

 

In our environment, we have about 13 to 15 VRFs and they all use the firewall as a fusion router and default gateway to the internet. 
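To make the workaround above checkable, here is an added Python model of it (example code written for this thread, not from Cisco, Palo Alto or the poster). It covers both the decimal conversion asked about earlier (RT 65000:1000 as 4259841000) and the final procedure: the PE matches a VRF's Route Target (an RFC 4360 extended community), stamps the route with a standard community carrying the same AS:NN, and the FTD filters inbound on that standard value. The RTs 65000:1000, 65000:1026 and 65000:4000 and the STAFF prefixes come from the thread's output; the prefix 10.40.0.0/24 for the second VRF is constructed. It also shows the one caveat of the approach: an RT's assigned number is 32 bits wide while a standard community's is 16, so an RT with an assigned number above 65535 cannot be mirrored this way.

```python
"""Model of the thread's RT -> standard-community workaround (added example)."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


def parse_asn_nn(text: str) -> Tuple[int, int]:
    """Accept 'RT:65000:1000' or '65000:1000' and return (asn, nn)."""
    body = text[3:] if text.upper().startswith("RT:") else text
    asn_s, nn_s = body.split(":")
    return int(asn_s), int(nn_s)


def rt_to_hex(asn: int, nn: int) -> str:
    """RFC 4360 two-octet-AS Route Target as 8 bytes: type 0x00, subtype 0x02,
    2-byte AS, 4-byte assigned number. This is the hexadecimal form of the
    extended community, the representation the thread says the Palo Alto uses."""
    if not (0 <= asn <= 0xFFFF and 0 <= nn <= 0xFFFFFFFF):
        raise ValueError("two-octet-AS RT needs AS <= 65535 and NN <= 4294967295")
    raw = bytes([0x00, 0x02]) + asn.to_bytes(2, "big") + nn.to_bytes(4, "big")
    return "0x" + raw.hex()


def rt_to_standard_community(asn: int, nn: int) -> int:
    """Reuse the RT's AS:NN as a standard community. The 32-bit value is
    AS * 65536 + NN, the decimal number the FTD GUI expects (65000:1000 -> 4259841000).
    Caveat: NN must fit in 16 bits, so e.g. 65000:70000 cannot be mirrored."""
    if not (0 <= asn <= 0xFFFF and 0 <= nn <= 0xFFFF):
        raise ValueError(f"{asn}:{nn} does not fit a 32-bit standard community")
    return (asn << 16) | nn


def standard_community_to_str(value: int) -> str:
    """4259841000 -> '65000:1000'."""
    return f"{value >> 16}:{value & 0xFFFF}"


@dataclass
class Path:
    prefix: str
    route_targets: Set[str]                               # extended communities, 'AS:NN'
    communities: Set[int] = field(default_factory=set)    # standard communities, 32-bit ints


def pe_tag_routes(paths: List[Path], export_rt: str) -> List[Path]:
    """PE side: route-map matches the extended-community list for one VRF's RT and
    sets the equivalent standard community; paths without that RT pass untouched."""
    asn, nn = parse_asn_nn(export_rt)
    key, tag = f"{asn}:{nn}", rt_to_standard_community(asn, nn)
    tagged = []
    for p in paths:
        comms = set(p.communities)
        if key in p.route_targets:
            comms.add(tag)
        tagged.append(Path(p.prefix, set(p.route_targets), comms))
    return tagged


def ftd_inbound_filter(paths: List[Path], vrf_rt: str) -> List[str]:
    """FTD side: inbound route-map matching the standard community-list for this
    VRF; anything not carrying the tag is dropped. Returns the accepted prefixes."""
    want = rt_to_standard_community(*parse_asn_nn(vrf_rt))
    return [p.prefix for p in paths if want in p.communities]


# Constructed sample: two STAFF prefixes from the thread's PE output plus one
# constructed prefix belonging to a second VRF that exports RT 65000:4000.
SAMPLE_PATHS = [
    Path("10.8.74.0/24", {"65000:1000", "65000:1026"}),
    Path("10.15.15.0/24", {"65000:1000"}),
    Path("10.40.0.0/24", {"65000:4000"}),   # constructed, other VRF
]


def staff_routes_learnt() -> List[str]:
    """End to end: PE tags on RT 65000:1000, FTD filters, only STAFF prefixes remain."""
    advertised = pe_tag_routes(SAMPLE_PATHS, "RT:65000:1000")
    return ftd_inbound_filter(advertised, "65000:1000")


if __name__ == "__main__":
    print("RT 65000:1000 as hex extended community:", rt_to_hex(65000, 1000))
    print("RT 65000:1000 as decimal standard community:", rt_to_standard_community(65000, 1000))
    print("prefixes the FTD learns for VRF STAFF:", staff_routes_learnt())
```

The point of `ftd_inbound_filter` is that the FTD has a single routing table for all the VRF sub-interfaces, so without the per-neighbor inbound match every VRF's routes would land in it, which is exactly the symptom described earlier in the thread.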
