In this example I will show how to configure BGP between Arista and Palo Alto. The setup has two Arista core-switches, which are configured with MLAG, and a Palo Alto Networks firewall.
The goal is to use iBGP between the Arista-switches and eBGP between the Arista-switches and Palo Alto.
We will also be using a specific VRF in this example; if you have more than one VRF, the same configuration method can be applied again.
We will also assume that all linknet-interfaces are already configured on each device.
The topology is shown below.

Start by adding your route distinguisher and activate routing on your VRF on the Arista-switches.

CORE1
arista-core1(config)# vrf definition vrf-01
arista-core1(config-vrf-vrf-01)# rd 65001:1
arista-core1(config-vrf-vrf-01)# exit
arista-core1(config)# ip routing vrf vrf-01
arista-core1(config)# exit
CORE2
arista-core2(config)# vrf definition vrf-01
arista-core2(config-vrf-vrf-01)# rd 65002:1
arista-core2(config-vrf-vrf-01)# exit
arista-core2(config)# ip routing vrf vrf-01
arista-core2(config)# exit

Configure the loopback-interfaces and create static routes between them.

CORE1
arista-core1(config)# interface Loopback1
arista-core1(config-if-Lo1)# vrf forwarding vrf-01
arista-core1(config-if-Lo1)# ip address 2.2.2.2/32
arista-core1(config-if-Lo1)# exit
arista-core1(config)# ip route vrf vrf-01 1.1.1.1/32 10.0.0.1 name Linknet_vrf-01_CORE1-PA
arista-core1(config)# ip route vrf vrf-01 3.3.3.3/32 10.0.0.5 name Linknet_vrf-01_CORE1-CORE2
CORE2
arista-core2(config)# interface Loopback1
arista-core2(config-if-Lo1)# vrf forwarding vrf-01
arista-core2(config-if-Lo1)# ip address 3.3.3.3/32
arista-core2(config-if-Lo1)# exit
arista-core2(config)# ip route vrf vrf-01 1.1.1.1/32 10.0.0.3 name Linknet_vrf-01_CORE2-PA
arista-core2(config)# ip route vrf vrf-01 2.2.2.2/32 10.0.0.4 name Linknet_vrf-01_CORE2-CORE1

Next we will configure BGP on both Arista-switches. Both Arista-switches use the same "router bgp" number (65535) but are distinguished by "local-as". In this example we also redistribute connected and static routes; this can be changed depending on your needs.

CORE1
arista-core1(config)# router bgp 65535
arista-core1(config-router-bgp)# vrf vrf-01
arista-core1(config-router-bgp-vrf-vrf-01)# local-as 65001
arista-core1(config-router-bgp-vrf-vrf-01)# router-id 2.2.2.2
arista-core1(config-router-bgp-vrf-vrf-01)# timers bgp 10 30
arista-core1(config-router-bgp-vrf-vrf-01)# neighbor 3.3.3.3 remote-as 65002
arista-core1(config-router-bgp-vrf-vrf-01)# neighbor 3.3.3.3 update-source Loopback1
arista-core1(config-router-bgp-vrf-vrf-01)# neighbor 3.3.3.3 maximum-routes 12000
arista-core1(config-router-bgp-vrf-vrf-01)# neighbor 1.1.1.1 remote-as 65000
arista-core1(config-router-bgp-vrf-vrf-01)# neighbor 1.1.1.1 update-source Loopback1
arista-core1(config-router-bgp-vrf-vrf-01)# neighbor 1.1.1.1 ebgp-multihop
arista-core1(config-router-bgp-vrf-vrf-01)# neighbor 1.1.1.1 maximum-routes 12000
arista-core1(config-router-bgp-vrf-vrf-01)# redistribute connected
arista-core1(config-router-bgp-vrf-vrf-01)# redistribute static
arista-core1(config-router-bgp-vrf-vrf-01)# exit
arista-core1(config-router-bgp)# exit
CORE2
arista-core2(config)# router bgp 65535
arista-core2(config-router-bgp)# vrf vrf-01
arista-core2(config-router-bgp-vrf-vrf-01)# local-as 65002
arista-core2(config-router-bgp-vrf-vrf-01)# timers bgp 10 30
arista-core2(config-router-bgp-vrf-vrf-01)# router-id 3.3.3.3
arista-core2(config-router-bgp-vrf-vrf-01)# neighbor 2.2.2.2 remote-as 65001
arista-core2(config-router-bgp-vrf-vrf-01)# neighbor 2.2.2.2 update-source Loopback1
arista-core2(config-router-bgp-vrf-vrf-01)# neighbor 2.2.2.2 maximum-routes 12000
arista-core2(config-router-bgp-vrf-vrf-01)# neighbor 1.1.1.1 remote-as 65000
arista-core2(config-router-bgp-vrf-vrf-01)# neighbor 1.1.1.1 update-source Loopback1
arista-core2(config-router-bgp-vrf-vrf-01)# neighbor 1.1.1.1 ebgp-multihop
arista-core2(config-router-bgp-vrf-vrf-01)# neighbor 1.1.1.1 maximum-routes 12000
arista-core2(config-router-bgp-vrf-vrf-01)# redistribute connected
arista-core2(config-router-bgp-vrf-vrf-01)# redistribute static
arista-core2(config-router-bgp-vrf-vrf-01)# exit
arista-core2(config-router-bgp)# exit
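
The stanza above sets a prefix limit per neighbor but no session authentication and no route filtering. The following audit is an added example, not part of the original post: it checks a "router bgp" stanza for those gaps. The REQUIRED policy and the function name are assumptions; the sample is the CORE1 configuration from this page in running-config form.

```python
# CORE1 stanza as entered above, in running-config form (constructed from the page's commands).
CORE1_BGP = """\
router bgp 65535
   vrf vrf-01
      local-as 65001
      router-id 2.2.2.2
      timers bgp 10 30
      neighbor 3.3.3.3 remote-as 65002
      neighbor 3.3.3.3 update-source Loopback1
      neighbor 3.3.3.3 maximum-routes 12000
      neighbor 1.1.1.1 remote-as 65000
      neighbor 1.1.1.1 update-source Loopback1
      neighbor 1.1.1.1 ebgp-multihop
      neighbor 1.1.1.1 maximum-routes 12000
      redistribute connected
      redistribute static
"""

# Per-neighbor settings this audit expects (the auditor's policy, an assumption).
REQUIRED = {
    "password": "no TCP MD5 session authentication",
    "route-map-in": "no inbound route-map, every received prefix is accepted",
    "maximum-routes": "no prefix limit",
}

def audit_bgp(config):
    """Return sorted (subject, finding) tuples for a 'router bgp' stanza."""
    neighbors, findings = {}, []
    for line in config.splitlines():
        words = line.split()
        if len(words) >= 3 and words[0] == "neighbor":
            key = words[2]
            if key == "route-map" and len(words) >= 5:
                key = "route-map-" + words[4]  # neighbor X route-map NAME in|out
            neighbors.setdefault(words[1], set()).add(key)
        elif len(words) == 2 and words[0] == "redistribute":
            # A bare "redistribute <source>" has no route-map limiting what is exported.
            findings.append((words[1], "redistributed into BGP without a route-map filter"))
    for peer, keys in neighbors.items():
        findings += [(peer, msg) for opt, msg in REQUIRED.items() if opt not in keys]
    return sorted(findings)

if __name__ == "__main__":
    for subject, finding in audit_bgp(CORE1_BGP):
        print(f"{subject}: {finding}")
```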

Verify that the neighbor Arista-switch is in established state with the command below.

CORE1
arista-core1# show bgp statistics vrf vrf-01
CORE2
arista-core2# show bgp statistics vrf vrf-01

Next we will configure the Palo Alto-firewall with BGP. For simplicity we will call the Virtual Router "vrf-01" here as well.
Start by creating your loopback-interface.

PA-FW01 - GUI
Network > Interfaces > Loopback
> Press Add
> Interface Name: loopback.1
> Comment: Linknet_vrf-01_PA-CORE
> Config > Assign Interface To > Virtual Router: vrf-01
> Config > Assign Interface To > Security Zone: Linknet_vrf-01_CORE
> IPv4 > Type: [v] Static
> IPv4 > Add: 1.1.1.1/32
> Press OK

Then create your static-routes and enable ECMP to be able to use both paths.

PA-FW01 - GUI
Network > Virtual Routers > vrf-01
> Static Routes > Press Add
> Name: Linknet_vrf-01_PA-CORE1
> Destination: 2.2.2.2/32
> Interface: none
> Next Hop: [v] IP Address: 10.0.0.0
> Admin Distance: <empty>
> Metric: 10
> Route Table: Unicast
> Press OK
> Press Add
> Name: Linknet_vrf-01_PA-CORE2
> Destination: 3.3.3.3/32
> Interface: none
> Next Hop: [v] IP Address: 10.0.0.2
> Admin Distance: <empty>
> Metric: 10
> Route Table: Unicast
> Press OK > Press OK
Network > Virtual Routers > vrf-01 > Router Settings > ECMP
> ECMP: [v] Enable
> Max Path: 2
> Load Balance > Method: IP Modulo

Next we will create a redistribution profile to decide what routes will be redistributed. As on the Arista-switches we will redistribute connected and static routes.

PA-FW01 - GUI
Network -> Virtual Routers: Open vrf-01
> Redistribution Profile > IPv4: Press Add
> Redistribution Profile IPv4 > Name: rd-01_arista-core
> Redistribution Profile IPv4 > Priority: 1
> Redistribution Profile IPv4 > Redistribute: [v] Redist
> General Filter > Source Type: [v] connect, [v] static
> Press OK

As a final step we will configure BGP on the VR. This can be configured in several different ways depending on your needs; this example is minimal but enough to distribute the routes.

PA-FW01 - GUI
Open vrf-01 > BGP
> BGP > [v] Enable
> BGP > Router ID: 1.1.1.1
> BGP > AS Number: 65000
> BGP > General > Options: [v] Reject Default Route
> BGP > General > Options: [v] Install Route
> BGP > General > Options: [v] Aggregate MED
> BGP > General > Options > Default Local Preference: 100, AS Format: [v] 2 Byte
BGP > Peer Group: Press Add
> Peer Group > Name: peergroup-vrf-01_arista-core
> Peer Group > [v] Enable
> Peer Group > [v] Aggregated Confed AS Path
> Peer Group > Type: EBGP
> Peer Group > Import Next Hop: [v] Original
> Peer Group > Export Next Hop: [v] Resolve
> Peer Group > [v] Remove Private AS
> Press Add
> Peer > Name: peer-arista-core1
> Peer > [v] Enable
> Peer > Peer AS: 65001
> Peer > Addressing > Local Address > Interface: loopback.1
> Peer > Addressing > Local Address > IP: 1.1.1.1/32
> Peer > Addressing > Peer Address: 2.2.2.2/32
> Press OK
> Press Add
> Peer > Name: peer-arista-core2
> Peer > [v] Enable
> Peer > Peer AS: 65002
> Peer > Addressing > Local Address > Interface: loopback.1
> Peer > Addressing > Local Address > IP: 1.1.1.1/32
> Peer > Addressing > Peer Address: 3.3.3.3/32
> Press OK x2
BGP > Import: Press Add
> General > Rules: import-vrf-01_arista-core
> General > [v] Enable
> General > Press Add: peergroup-vrf-01_arista-core
> Action > Action: Allow
> Action > Origin: incomplete
> Press OK
BGP > Export: Press Add
> General > Rules: export-vrf-01_arista-core
> General > [v] Enable
> General > Press Add: peergroup-vrf-01_arista-core
> Action > Action: Allow
> Action > Origin: incomplete
> Press OK
BGP > Redist Rules
> Redist Rules > [v] Allow Redistribute Default Route
> Redist Rules: Press Add
> Rule > Address Family Type: [v] IPv4
> Rule > Name: rd-01_arista-core
> Rule > [v] Enable
> Rule > Metric: None
> Rule > Set Origin: incomplete
> Rule > Set MED: None
> Press OK

Verify that BGP is established to both arista-core1 & arista-core2 by going to:

PA-FW01 - GUI
Network > Virtual Routers > More Runtime Stats (vrf-01), then go to BGP -> Peer

You should see that both "peer-arista-core1" and "peer-arista-core2" are established.
Also verify the established neighbors (should be two) on the Arista-switches with the command below:

CORE1
arista-core1# show bgp statistics vrf vrf-01
CORE2
arista-core2# show bgp statistics vrf vrf-01

At this point the only routes that should be added by BGP are the linknets that are not directly connected.
For example on arista-core1:

CORE1
arista-core1# show ip route vrf vrf-01
VRF: vrf-01
Codes: C - connected, S - static, K - kernel,
       O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
       E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
       N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
       R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
       O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
       NG - Nexthop Group Static Route, V - VXLAN Control Service,
       DH - DHCP client installed default route, M - Martian
Gateway of last resort:
 C      10.0.0.0/31 is directly connected, Vlan4010
 C      10.0.0.4/31 is directly connected, Vlan4012
 C      2.2.2.2/32 is directly connected, Loopback1
 B I    10.0.0.2/31 [200/0] via 10.0.0.5, Vlan4012
 S      3.3.3.3/32 [1/0] via 10.0.0.5, Vlan4012
 S      1.1.1.1/32 [1/0] via 10.0.0.1, Vlan4010

As seen in the topology, 10.0.0.2/31 is between arista-core2<->pa-fw01, and arista-core1 routes this traffic via the linknet IP on arista-core2.
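
The expectation stated above, that BGP should only add the linknets, can be checked automatically. The following is an added example, not part of the original post: it parses "show ip route vrf" output and reports any BGP-learned prefix outside an allow-list. The 10.0.0.0/29 allow-list is an assumption derived from the linknet addresses on this page, and the second sample is constructed.

```python
import ipaddress
import re

# Route lines taken from the output above (legend and loopback line omitted).
SHOW_IP_ROUTE = """\
 C      10.0.0.0/31 is directly connected, Vlan4010
 C      10.0.0.4/31 is directly connected, Vlan4012
 B I    10.0.0.2/31 [200/0] via 10.0.0.5, Vlan4012
 S      3.3.3.3/32 [1/0] via 10.0.0.5, Vlan4012
 S      1.1.1.1/32 [1/0] via 10.0.0.1, Vlan4010
"""

# Constructed sample: the same table after a peer has advertised a default route.
WITH_DEFAULT = SHOW_IP_ROUTE + " B E    0.0.0.0/0 [200/0] via 10.0.0.1, Vlan4010\n"

# Assumption: 10.0.0.0/29 covers the three /31 linknets used on this page.
ALLOWED = [ipaddress.ip_network("10.0.0.0/29")]

# Matches only BGP route lines ("B I" or "B E"); spaces or tabs may follow the code.
ROUTE = re.compile(r"^\s*(B [IE])\s+(\S+/\d+)\s+\[\d+/\d+\]\s+via\s+(\S+),")

def unexpected_bgp_routes(output, allowed=ALLOWED):
    """Return (code, prefix, next_hop) for each BGP route outside the allow-list."""
    hits = []
    for line in output.splitlines():
        m = ROUTE.match(line)
        if not m:
            continue  # connected, static, legend and header lines
        code, prefix, next_hop = m.groups()
        net = ipaddress.ip_network(prefix)
        if not any(net.subnet_of(a) for a in allowed):
            hits.append((code, prefix, next_hop))
    return hits

if __name__ == "__main__":
    for label, table in (("as shown", SHOW_IP_ROUTE), ("with default", WITH_DEFAULT)):
        print(label, unexpected_bgp_routes(table))
```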
Feel free to send me any questions to petter.vikstrom@xenit.se or add your question in the comments.
