BGP Usage and Behavior
Getting started with BGP using the PAN-OS OpenConfig plugin.
You can use the openconfig-bgp model to manage BGP routes in PAN-OS.
BGP Behavior in PAN-OS
Review the deviation file before using the
openconfig-bgp model to familiarize yourself with supported paths.
When using the BGP model with PAN-OS firewalls:
- You can enable multipath configuration by setting ECMP globally at the virtual router level.
- Setting /bgp/global/graceful-restart requires the use of an integer, but the Get request response returns a string.
For neighbors:
- The peer-type field is set at the peer-group level; it returns the same value if the neighbor value is identical.
- Setting an auth password on a Set request creates an auth profile. On the Get request, the response comes back as an encrypted value string.
- Using a local-interface requires you to have an already configured interface. To set the local-address, you must use the transport child container in a Set request.
- Setting /bgp/neighbors/neighbor/timers requires the use of an integer, but the Get request response returns a string.
- Descriptions support hyphens, underscores, and periods.
For the RIB Model, PAN-OS OpenConfig:
- only supports peers with valid IPv6 addresses as names, or the hyphen format, such as 2001-98-98-98--1 for the corresponding IPv6 address 2001:98:98:98::1.
- Extended-communities returns as binary while the hex value is returned by the XML-API.
- /bgp/rib/attr-sets and /bgp/rib/afi-safis/afi-safi/ipv4-unicast/loc-rib/routes can’t be filtered.
Managing BGP Using the OpenConfig Plugin
The following examples show use cases for the BGP model. To see what is supported
through PAN-OS OpenConfig, view the reference material.
The following examples retrieve and set information for BGP routes.
Because of the length of the requests for each of these BGP settings, use the GNMIC
flag --update-file.
BGP Global Settings
Send a request to set the BGP global settings for the router at address 1.1.1.1 using a
JSON file.
gnmic -a 10.1.1.1 --port 9339 -u admin -p password --skip-verify -e JSON_IETF set --update-path / --update-file bgp/bgp-global.json
The contents of the JSON file are as follows:
{
  "bgp": {
    "global": {
      "config": {
        "as": 650001,
        "router-id": "1.1.1.1"
      },
      "default-route-distance": {
        "config": {
          "external-route-distance": 45,
          "internal-route-distance": 200
        }
      },
      "graceful-restart": {
        "config": {
          "enabled": true,
          "helper-only": false,
          "restart-time": 120,
          "stale-routes-time": 120
        }
      },
      "route-selection-options": {
        "config": {
          "advertise-inactive-routes": false,
          "always-compare-med": false,
          "enable-aigp": false,
          "external-compare-router-id": true,
          "ignore-as-path-length": false,
          "ignore-next-hop-igp-metric": false
        }
      }
    }
  }
}
The AS number is set in plain notation in the requests and in AS dot notation
in PAN-OS.
A successful request returns the output below:
Set Response: { "timestamp": 1614404816402806852, "time": "2021-02-26T21:46:56.402806852-08:00", "results": [ { "operation": "UPDATE" } ] }
BGP Peer Groups
You can send a request to
set the BGP peer groups by using a JSON file as follows:
gnmic -a localhost --port 9339 -u admin -p password --skip-verify -e JSON_IETF set --update-path / --update-file bgp/bgp-peer-groups.json
The following are the contents of the BGP
files:
{
  "bgp": {
    "peer-groups": {
      "peer-group": [
        {
          "config": {
            "auth-password": "",
            "description": "",
            "local-as": 650001,
            "peer-group-name": "ibgp",
            "peer-type": "INTERNAL",
            "route-flap-damping": false
          },
          "peer-group-name": "ibgp"
        },
        {
          "config": {
            "auth-password": "",
            "description": "",
            "local-as": 650001,
            "peer-group-name": "test",
            "peer-type": "EXTERNAL",
            "remove-private-as": "PRIVATE_AS_REMOVE_ALL",
            "route-flap-damping": false
          },
          "peer-group-name": "test"
        }
      ]
    }
  }
}
You must create the peer groups before
creating the peers.
A successful response returns the output
below:
Set Response: { "timestamp": 1614404816403816854, "time": "2021-02-26T21:46:56.402806852-08:00", "results": [ { "operation": "UPDATE" } ] }
BGP Neighbors
You can send a request to
set the BGP neighbors for router 1.1.1.1 using a JSON file:
gnmic -a localhost --port 9339 -u admin -p password --skip-verify -e JSON_IETF set --update-path / --update-file bgp/bgp-peer-neighbors.json
The following are the contents of the BGP
files:
{
  "bgp": {
    "neighbors": {
      "neighbor": [
        {
          "config": {
            "auth-password": "",
            "description": "",
            "local-as": 650001,
            "neighbor-address": "172.16.2.101",
            "peer-as": 655,
            "peer-group": "test",
            "peer-type": "EXTERNAL",
            "remove-private-as": "PRIVATE_AS_REMOVE_ALL",
            "route-flap-damping": false
          },
          "ebgp-multihop": {
            "config": {
              "enabled": true,
              "multihop-ttl": 0
            }
          },
          "neighbor-address": "172.16.2.101",
          "timers": {
            "config": {
              "connect-retry": "0",
              "hold-time": "90",
              "keepalive-interval": "30",
              "minimum-advertisement-interval": "30"
            }
          },
          "transport": {
            "config": {
              "local-address": "172.16.2.100/24",
              "mtu-discovery": false,
              "passive-mode": false
            }
          }
        },
        {
          "config": {
            "auth-password": "",
            "description": "",
            "local-as": 650001,
            "neighbor-address": "2.2.2.3",
            "peer-as": 650001,
            "peer-group": "ibgp",
            "peer-type": "INTERNAL",
            "route-flap-damping": false
          },
          "ebgp-multihop": {
            "config": {
              "enabled": true,
              "multihop-ttl": 0
            }
          },
          "neighbor-address": "2.2.2.3",
          "timers": {
            "config": {
              "connect-retry": "0",
              "hold-time": "90",
              "keepalive-interval": "30",
              "minimum-advertisement-interval": "30"
            }
          },
          "transport": {
            "config": {
              "local-address": "2.2.2.1/24",
              "mtu-discovery": false,
              "passive-mode": false
            }
          }
        }
      ]
    }
  }
}
The interfaces must exist prior to using
these settings. The interface used for BGP internal peer is handled in the transport
container. The local-address key has the value of the interface
used for the internal peer.
A successful request returns the output
below:
Set Response: { "timestamp": 1614405428002788603, "time": "2021-02-26T21:57:08.002788603-08:00", "results": [ { "operation": "UPDATE" } ] }
After you complete all of the previous configurations for
Peer Groups and Neighbors, the user interface shows them under Network > Virtual Routers > Default > BGP > Peer Group.
Retrieving BGP Settings
Doing a Get on all of the BGP settings set above returns the following
output:
{
  "bgp": {
    "global": {
      "config": {
        "as": 650001,
        "router-id": "1.1.1.1"
      },
      "default-route-distance": {
        "config": {
          "external-route-distance": 45,
          "internal-route-distance": 200
        }
      },
      "graceful-restart": {
        "config": {
          "enabled": true,
          "helper-only": false,
          "restart-time": 120,
          "stale-routes-time": "120"
        }
      },
      "route-selection-options": {
        "config": {
          "advertise-inactive-routes": false,
          "always-compare-med": false,
          "enable-aigp": false,
          "external-compare-router-id": true,
          "ignore-as-path-length": false,
          "ignore-next-hop-igp-metric": false
        }
      }
    },
    "neighbors": {
      "neighbor": [
        {
          "config": {
            "auth-password": "",
            "description": "",
            "local-as": 650001,
            "neighbor-address": "172.16.2.101",
            "peer-as": 655,
            "peer-group": "test",
            "peer-type": "EXTERNAL",
            "remove-private-as": "PRIVATE_AS_REMOVE_ALL",
            "route-flap-damping": false
          },
          "ebgp-multihop": {
            "config": {
              "enabled": true,
              "multihop-ttl": 0
            }
          },
          "neighbor-address": "172.16.2.101",
          "timers": {
            "config": {
              "connect-retry": "0",
              "hold-time": "0",
              "keepalive-interval": "0",
              "minimum-advertisement-interval": "0"
            }
          },
          "transport": {
            "config": {
              "local-address": "172.16.2.100/24",
              "mtu-discovery": false,
              "passive-mode": false
            }
          }
        },
        {
          "config": {
            "auth-password": "",
            "description": "",
            "local-as": 650001,
            "neighbor-address": "2.2.2.3",
            "peer-as": 650001,
            "peer-group": "ibgp",
            "peer-type": "INTERNAL",
            "route-flap-damping": false
          },
          "ebgp-multihop": {
            "config": {
              "enabled": true,
              "multihop-ttl": 0
            }
          },
          "neighbor-address": "2.2.2.3",
          "timers": {
            "config": {
              "connect-retry": "0",
              "hold-time": "90",
              "keepalive-interval": "30",
              "minimum-advertisement-interval": "30"
            }
          },
          "transport": {
            "config": {
              "local-address": "2.2.2.1/24",
              "mtu-discovery": false,
              "passive-mode": false
            }
          }
        }
      ]
    },
    "peer-groups": {
      "peer-group": [
        {
          "config": {
            "auth-password": "",
            "description": "",
            "local-as": 650001,
            "peer-group-name": "ibgp",
            "peer-type": "INTERNAL",
            "route-flap-damping": false
          },
          "peer-group-name": "ibgp"
        },
        {
          "config": {
            "auth-password": "",
            "description": "",
            "local-as": 650001,
            "peer-group-name": "test",
            "peer-type": "EXTERNAL",
            "remove-private-as": "PRIVATE_AS_REMOVE_ALL",
            "route-flap-damping": false
          },
          "peer-group-name": "test"
        }
      ]
    }
  }
}
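Added example (not part of the PAN-OS documentation or the plugin's code): because Get returns strings for graceful-restart and timers values and an encrypted string for auth-password, a literal comparison of the update file with the Get response reports differences that are not real. The Python code below normalizes those leaves before comparing, so only genuine drift is reported; the function names are hypothetical and the sample data is constructed from a trimmed subset of the values on this page.

```python
# Containers where the page says Set takes an integer but Get returns a string.
STRINGIFIED = ("graceful-restart", "timers")
# auth-password is returned encrypted, so comparing it is meaningless.
OPAQUE = {"auth-password"}
LIST_KEYS = ("neighbor-address", "peer-group-name")

def flatten(node, path=""):
    """Yield (path, leaf) pairs; list entries are labelled by their key leaf."""
    if isinstance(node, dict):
        for name, child in node.items():
            yield from flatten(child, f"{path}/{name}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            keys = [item[k] for k in LIST_KEYS if isinstance(item, dict) and k in item]
            yield from flatten(item, f"{path}[{keys[0] if keys else i}]")
    else:
        yield path, node

def normalise(path, value):
    """Undo the integer-to-string change, on the affected containers only."""
    affected = any(f"/{c}/" in path for c in STRINGIFIED)
    if affected and isinstance(value, str) and value.isdigit():
        return int(value)
    return value

def drift(intended, retrieved):
    """Return (path, intended, retrieved) for each leaf that really differs."""
    got = dict(flatten(retrieved))
    findings = []
    for path, want in sorted(flatten(intended)):
        if path.rsplit("/", 1)[-1] in OPAQUE:
            continue
        have = got.get(path, "<missing>")
        if normalise(path, want) != normalise(path, have):
            findings.append((path, want, have))
    return findings

def sample(stale, password, hold, keepalive):
    """Constructed sample, trimmed from the values shown on this page."""
    return {"bgp": {
        "global": {"graceful-restart": {"config": {"stale-routes-time": stale}}},
        "neighbors": {"neighbor": [{
            "neighbor-address": "172.16.2.101",
            "config": {"auth-password": password, "peer-as": 655},
            "timers": {"config": {"hold-time": hold, "keepalive-interval": keepalive}}}]}}}

INTENDED = sample(120, "constructed-secret", 90, 30)
RETRIEVED = sample("120", "-AQ==constructed-ciphertext", "0", "30")
print(drift(INTENDED, RETRIEVED))
```

Only the hold-time leaf is reported: the stringified 120 and 30 compare equal after normalization, and the encrypted auth-password is skipped rather than flagged.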