MP-BGP

MP-BGP routing protocol configuration parameter differences between legacy and advanced routing engine.
The advanced routing engine provides the same functionality as the legacy routing engine but with enhanced capabilities. For example, PAN-OS 11.0 enables you to advertise IPv4 Network Layer Reachability Information (NLRI) with an IPv6 next hop address. As a result, you can deploy Palo Alto Networks Next-Generation Firewalls in a dual stack network using fewer peers.
There are several multiprotocol BGP (MP-BGP) configuration differences between the legacy and advanced routing engines.

Dampening Profile

Migration Exception: The virtual router dampening profiles on the legacy routing engine are incompatible with advanced routing engine dampening profiles. The dampening profile will migrate with only default values and will not be linked to any peer groups.
The following table compares the dampening profile parameters of the two routing engines:
CONFIGURED IN (LEGACY ROUTING ENGINE): Network > Virtual Router > BGP > Advanced
LEGACY ROUTING ENGINE:
  • Cutoff—Specifies a route withdrawal threshold above which a route advertisement is suppressed (range is 0.0 to 1,000.0; default is 1.25).
  • Reuse—Specifies a route withdrawal threshold below which a suppressed route is reused (range is 0.0 to 1,000.0; default is 5).
  • Max Hold Time (sec)—Specifies the maximum length of time, in seconds, that a route can be suppressed, regardless of how unstable it is (range is 0 to 3,600; default is 900).
  • Decay Half Life Reachable (sec)—Specifies the length of time, in seconds, after which a route’s stability metric is halved if the firewall considers the route to be reachable (range is 0 to 3,600; default is 300).
  • Decay Half Life Unreachable (sec)—Specifies the length of time, in seconds, after which a route’s stability metric is halved if the firewall considers the route to be unreachable (range is 0 to 3,600; default is 300).
MIGRATED TO (ADVANCED ROUTING ENGINE): Network > Routing > Routing Profiles > BGP > BGP Dampening Profiles
ADVANCED ROUTING ENGINE:
  • Suppress Limit—Specifies the cumulative value of the penalties for flapping, at which point all the routes coming from a peer are dampened (range is 1 to 20,000; default is 2,000).
  • Reuse Limit—Controls when a route can be reused based on the procedure described for Half Life (range is 1 to 20,000; default is 750).
  • Half Life (min)—Specifies the number of minutes for the half life time to control the stability metric (penalty) applied to a flapping route (range is 1 to 45; default is 15). The stability metric starts at 1,000. After a penalized route stabilizes, the half life timer counts down until it expires, at which point the next stability metric applied to the route is only half of the previous value (500). Successive cuts continue until the stability metric is less than half of the Reuse Limit, and then the stability metric is removed from the route.
  • Maximum Suppress Time (min)—Specifies the maximum number of minutes a route can be suppressed, regardless of how unstable it has been (range is 1 to 255; default is 60).
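The Half Life description above defines an exponential decay of the penalty. As an added example (not PAN-OS code), this Python applies the advanced routing engine defaults (Suppress Limit 2,000, Reuse Limit 750, Half Life 15 min, Maximum Suppress Time 60 min) to a burst of flaps and computes when a suppressed route becomes reusable. The per-flap penalty of 1,000 is the starting stability metric the page gives; capping the reuse time at Maximum Suppress Time is an assumption.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class DampeningProfile:
    """Advanced routing engine BGP Dampening Profile, with the page's defaults."""
    suppress_limit: int = 2000      # penalty at which routes are dampened
    reuse_limit: int = 750          # penalty below which a suppressed route is reused
    half_life_min: float = 15       # minutes for the penalty to halve
    max_suppress_min: float = 60    # ceiling on suppression time


FLAP_PENALTY = 1000  # stability metric a route starts at after a flap (per the page)


def decayed_penalty(penalty, elapsed_min, half_life_min):
    """Exponential decay: the penalty halves every half_life_min minutes."""
    return penalty * 2 ** (-elapsed_min / half_life_min)


def minutes_until_reuse(penalty, profile):
    """Minutes until a suppressed route's penalty decays below Reuse Limit.
    Assumption: capped at Maximum Suppress Time, as the page describes."""
    if penalty < profile.reuse_limit:
        return 0.0
    t = profile.half_life_min * math.log2(penalty / profile.reuse_limit)
    return min(t, profile.max_suppress_min)


def simulate(flap_times_min, profile):
    """Replay flaps at the given minute marks; return (time, penalty, suppressed)
    as seen right after each flap."""
    penalty, last, suppressed, history = 0.0, 0.0, False, []
    for t in flap_times_min:
        penalty = decayed_penalty(penalty, t - last, profile.half_life_min)
        if suppressed and penalty < profile.reuse_limit:
            suppressed = False      # decayed below Reuse Limit: route is reused
        penalty += FLAP_PENALTY     # the new flap adds the starting stability metric
        suppressed = suppressed or penalty >= profile.suppress_limit
        last = t
        history.append((t, round(penalty), suppressed))
    return history


if __name__ == "__main__":
    profile = DampeningProfile()
    for t, p, s in simulate([0, 1, 2], profile):
        print(f"t={t:>3} min penalty={p:>5} suppressed={s}")
    print(f"reuse after ~{minutes_until_reuse(2867, profile):.1f} min")
```

Three flaps one minute apart push the penalty past the Suppress Limit on the third flap, and at a 15 minute half life the route then needs roughly 29 minutes to decay below the Reuse Limit.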

Route Reflector Client Parameters

To avoid routing table loops, interior BGP (iBGP) does not advertise iBGP-learned routes to other routers in the same session. As a result, iBGP requires a complete mesh of all peers, which quickly becomes unscalable in large networks. Using route reflectors eliminates the need for full-mesh connectivity between iBGP peers.
Route reflectors broadcast routes announced by peers that are configured as clients to all other clients.
Migration Exception: The advanced routing engine supports only the route reflector client mode; no other modes are supported. The advanced routing engine receives routes from the route reflector in client mode and can send routes only to a route reflector when client mode is enabled.
CONFIGURED IN (LEGACY ROUTING ENGINE): Network > Virtual Router > BGP > Peer Group > Peer > Advanced
LEGACY ROUTING ENGINE:
Supported Reflector Client types:
  • Non-Client—Specifies that the firewall reflects all routes from non-clients to all clients.
  • Client—Specifies that routes advertised by this client type are reflected to all non-client and client peers.
  • Meshed-Client—Specifies that routes advertised from a meshed client are reflected to all neighbors except for other meshed-client iBGP peers.
MIGRATED TO (ADVANCED ROUTING ENGINE): Network > Routing > Routing Profiles > BGP > BGP Address Family Profiles
ADVANCED ROUTING ENGINE:
Supported Reflector Client types:
  • Route Reflector Client—Specifies that routes advertised by this client type are reflected to all non-client and client peers.

Route Map

Palo Alto Networks recommends BGP route maps for filtering prefixes within BGP and both from and to another interior gateway protocol (IGP). However, BGP route maps do not support configuring extended communities in the route map Set action.
CONFIGURED IN (LEGACY ROUTING ENGINE): Network > Virtual Router > BGP > Redist Rules
LEGACY ROUTING ENGINE:
  • Set Community—Supports standard community. Enter a 32-bit value in decimal or hexadecimal, or enter a value in AS:VAL format, where Autonomous System (AS) and VAL are each in the range 0 to 65,525. You can enter a maximum of 10 entries.
  • Set Extended Community—Set Extended Community is a 64-bit value in hexadecimal or in TYPE:AS:VAL or TYPE:IP:VAL format. TYPE is 16 bits; AS or IP is 16 bits; VAL is 32 bits. You can enter a maximum of five entries.
MIGRATED TO (ADVANCED ROUTING ENGINE): Network > Routing > Routing Profiles > Filters > Filters Route Map BGP
ADVANCED ROUTING ENGINE:
  • Regular Community—In the Set tab, for Regular Community, enter either AS:VAL pairs or well-known community names.
  • Large Community—Enables additional functionality and convenience over the traditional community. The 32-bit Global Administrator field (GLOBAL) enables seamless use in networks using 4-byte Autonomous System Numbers (ASNs). In the Set tab, Large Community has three components instead of two, and each is a 32-bit value.
    Define Large Community values in GLOBAL:LOCAL1:LOCAL2 format, where GLOBAL is the 32-bit Global Administrator field (commonly used as the AS number of the operator), LOCAL1 is the 32-bit Local Data Part 1 subfield (referred to as the function), and LOCAL2 is the 32-bit Local Data Part 2 subfield (referred to as the parameter). For example, 65551:1:10 represents AS 65551, function 1, and parameter 10.
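As an added example (not from the PAN-OS documentation), this Python validates and encodes the two community formats the advanced routing engine's Set tab accepts: AS:VAL regular communities with 16-bit fields, which cannot carry a 4-byte ASN such as 65551, and GLOBAL:LOCAL1:LOCAL2 large communities packed into their 12-byte wire form. Mapping the well-known community names to the RFC 1997 values is an assumption.

```python
import struct

UINT16_MAX = 0xFFFF
UINT32_MAX = 0xFFFFFFFF

# Assumption: "well-known community names" are the RFC 1997 values; no-advertise
# is the community the AS Path Limit section says to set as a replacement.
WELL_KNOWN = {
    "no-export": 0xFFFFFF01,
    "no-advertise": 0xFFFFFF02,
    "no-export-subconfed": 0xFFFFFF03,
}


def parse_regular_community(text):
    """AS:VAL with 16-bit fields, or a well-known name, to a 32-bit community."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    parts = text.split(":")
    if len(parts) != 2:
        raise ValueError(f"{text}: regular community needs AS:VAL")
    asn, val = (int(p) for p in parts)
    for field in (asn, val):
        if not 0 <= field <= UINT16_MAX:
            raise ValueError(f"{text}: {field} does not fit in 16 bits")
    return (asn << 16) | val


def parse_large_community(text):
    """GLOBAL:LOCAL1:LOCAL2, each 32-bit unsigned, to its 12-byte wire form."""
    parts = text.split(":")
    if len(parts) != 3:
        raise ValueError(f"{text}: large community needs GLOBAL:LOCAL1:LOCAL2")
    fields = tuple(int(p) for p in parts)
    for field in fields:
        if not 0 <= field <= UINT32_MAX:
            raise ValueError(f"{text}: {field} does not fit in 32 bits")
    return struct.pack("!III", *fields)


def format_large_community(wire):
    """Inverse of parse_large_community: 12 wire bytes back to GLOBAL:LOCAL1:LOCAL2."""
    return "%d:%d:%d" % struct.unpack("!III", wire)


def community_error(text, parser):
    """Return the validation error for text under parser, or None if it is valid."""
    try:
        parser(text)
    except ValueError as exc:
        return str(exc)
    return None
```

`community_error("65551:1", parse_regular_community)` reports that 65551 does not fit in 16 bits, while `parse_large_community("65551:1:10")` succeeds, which is the 4-byte ASN case the Large Community paragraph describes.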

Multicast

Both the legacy and the advanced routing engines support the multicast subsequent address family identifier (SAFI) for IPv4 addresses.
Migration Exception: The advanced routing engine doesn’t redistribute multicast source prefixes into MP-BGP (IPv4 address family) and multicast subsequent family; hence, it can’t be used for reverse path forwarding (RPF) check.
LEGACY ROUTING ENGINE:
  • Enables you to configure multicast as the SAFI for specific IPv4 peers.
  • Enables you to redistribute a static IPv4 route used for multicast RPF verification into BGP.
ADVANCED ROUTING ENGINE:
  • Enables you to select the multicast SAFI in the BGP Address Family Identifier (AFI) profile. After you select a multicast SAFI, the profile is applied to all peers assigned to this profile.
  • Does not support redistribution of static IPv4 routes used for multicast RPF verification into BGP.

AS Path Limit Attribute

The AS Path Limit is an optional path transitive attribute. It improves routing subsystem scalability by providing a maximum range of Autonomous System (AS) numbers where a prefix will propagate. If used improperly, this attribute can cause routing loops caused by inconsistent routing tables. As a result, the IETF didn’t standardize this attribute.
Migration Exception: The advanced routing engine does not support AS path limit attribute; it will ignore the attribute and advertise the prefix without AS path limit attribute.
CONFIGURED IN (LEGACY ROUTING ENGINE): Network > Virtual Router > BGP > Import or Export > Action
LEGACY ROUTING ENGINE:
Supports the AS path limit attribute. If configured, the AS path limit attribute is exchanged with peers and applied to prefixes.
ADVANCED ROUTING ENGINE:
Does not support the AS path limit attribute.
The advanced routing engine ignores the AS path limit attribute and advertises the prefix without it. If you need this attribute, replace it with a route map that matches a specific AS path length (using a regular expression) and configure the community to not advertise.