HOW TO: Configure BGP between Arista and Palo Alto using loopback-interfaces

In this example I will be showing you how you can configure BGP between Arista and Palo Alto. The setup has two Arista COR-switches which is configured with MLAG and a Palo Alto Networks firewall.

The goal is to use iBGP between the Arista-switches and eBGP between the Arista-switches and Palo Alto.

We will also be using a specific VRF in this example, if you have more than one VRF the same configuration-method can be applied again.

We will also assume that all linknet-interfaces are already configured on each device.

The topology is shown below.

Start by adding your route distinguisher and activate routing on your VRF on the Arista-switches.

Configure the loopback-interfaces and create static routes between them.

Next we will configure BGP on both Arista-switches. Both Arista-switches will have the same router BGP-ID but will be distinguished by ”local-as”. Also in this example we will redistribute connected and static routes, these can be changed depending on your needs.

Verify that that the neighbor Arista-switch is in established state with the below command.

Next we will configure the Palo Alto-firewall with BGP. For simplicity we will call the Virtual Router ”vrf-01” here as well.

Start by creating your loopback-interface.

Then create your static-routes and enable ECMP to be able to use both paths.

Next we will create a redistribution profile to decide what routes will be redistributed. As on the Arista-switches we will redistribute connected and static routes.

As a final step we will configure BGP on the VR. This can be configured in several different ways depending on your needs and this example is kind of slim but enough to distribute the routes.

Verify that BGP is established to both arista-core1 & arista-core2 by going to:

You should see that both ”peer-arista-core1” and ”peer-arista-core2” is established.

Also verify the established neighbors (should be two) on the Arista-switches with the below command:

At this point the only routes that should be added by BGP is the linknets that is not directly connected.

For example on arista-cor1:

As seen in the topology 10.0.0.2/31 is between arista-core2<->pa-fw01 and arista-core1 routes this traffic via the linknet ip on arista-core2.

Feel free to send me any questions to petter.vikstrom@xenit.se or add your question in the comments.

Disclaimer: All information on this blog is offered "as is" with no warranty. It is strongly recommended that you verify all information and validate all scripts in isolated test environments before using them in production environments.