Quick refresher: iBGP neighbors peered loopback-to-loopback in the usual fashion aren't advertising their own loopback address (their update-source) to their neighbors. Is this normal?
The consensus in that thread was:
- Wanting the update-source advertised to peers is a reasonable thing to want.
- Other platforms don't surprise in this regard.
- Maybe it's a bug.
- Call Palo Alto TAC.
The answer (drumroll please)...
It's a feature.
Transparently dropping your own peering address[1] from BGP advertisements was added to PAN-OS around version 6.1. This was added to the code to prevent tunnel recursion problems[2].
So that's... Weird. Without revised software I'll need to provision extra loopback IPs on each box, just for BGP to use. Then do all of my normal management stuff using other addresses.
This should be fun for the next guy to figure out.
[1] This may only apply to loopback interfaces and iBGP peers. The wording in the internal writeup wasn't clear about exactly how to trigger the feature.
[2] Fixing a recursion problem this way is a super weird choice IMO. I'd much rather have all the rope required to hang myself, plus the tooling to protect myself.