Routing Configuration
PAN-OS software supports static routes, BGP, OSPF, RIP, and Multicast routing configured in the virtual router (VR). There are limitations for the number of entries in the forwarding and routing tables. Different platform levels also can support varying numbers of VRs. The VR configuration is meant to match the existing routing and routed infrastructure. In addition to protocol configuration, redistribution profiles can support protocol interoperability.
A discussion of virtual routers and each of the supported dynamic routing protocols is found on this link.
To configure a static default route so that TRUST zone users (and servers) can reach the UNTRUST zone or the Internet, go to Network > Virtual Routers.
Since the ethernet1/1 interface is set as a DHCP client, it automatically receives a default route from the ISP. To check the static route assigned by the ISP, go to Network > Virtual Routers > More Runtime Stats (for LAB-VR). Notice that the destination route 0.0.0.0/0, with the ISP as the next hop, is created automatically. The flags A S mean Active, Static.
To manually add a static route on a PAN firewall, go to Network > Virtual Routers > click the custom Virtual Router name (LAB-VR) > Static Routes > click Add.
Type the name of the static route, the Destination (0.0.0.0/0), the Interface (exit interface ethernet1/1 in this case) and the Next Hop IP Address (the ISP gateway address).
Below are the OSPF areas used on my Palo Alto firewall lab:
1) Backbone Area 0 - the link between the PAN firewall and SW1
2) Area 101 - the User Network
3) Area 201 - the Server Network
SW1 will dynamically advertise the User and Server networks to the PAN firewall. Likewise, the PAN firewall will need to advertise its default route into the OSPF Area 101 and 201 networks. Below are the configurations done on SW1.
SW1#show run interface fastethernet0/12
Building configuration...
Current configuration : 128 bytes
!
interface FastEthernet0/12 // L3 LINK TO PAN FIREWALL
no switchport
ip address 172.17.99.2 255.255.255.248
no ip route-cache
no ip mroute-cache
end
SW1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#vlan 101 // CREATE LAYER 2 VLAN
SW1(config-vlan)#name USER
SW1(config-vlan)#vlan 201
SW1(config-vlan)#name SERVER
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#interface vlan 101 // CREATE LAYER 3/SVI INTERFACE
SW1(config-if)#
*Mar 1 03:39:20.668: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan101, changed state to down
SW1(config-if)#ip address 172.17.101.1 255.255.255.0
SW1(config-if)#
SW1(config-if)#interface vlan 201 // no autostate IS NOT SUPPORTED ON MY 3560 SWITCH
SW1(config-if)#
*Mar 1 03:39:52.327: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan201, changed state to down
SW1(config-if)#ip address 172.17.201.1 255.255.255.0
SW1(config)#interface fastethernet0/22
SW1(config-if)#switchport host // AUTO CONFIGURE PORTFAST AND ACCESS VLAN
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
SW1(config-if)#switchport access vlan 101 // NEED A HOST CONNECTED ON VLAN 101 AND 201 FOR OSPF ROUTES TO BE ADVERTISED TO PAN FIREWALL
SW1(config-if)#interface fastethernet0/23
SW1(config-if)#description ### SERVER - 172.17.201.101 ###
SW1(config-if)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
SW1(config-if)#switchport access vlan 201
SW1(config-if)#end
SW1#
*Mar 1 03:40:24.136: %SYS-5-CONFIG_I: Configured from console by console
SW1#show run interface vlan 101
Building configuration...
Current configuration : 64 bytes
!
interface Vlan101
ip address 172.17.101.1 255.255.255.0
end
SW1#show run interface vlan 201
Building configuration...
Current configuration : 64 bytes
!
interface Vlan201
ip address 172.17.201.1 255.255.255.0
end
SW1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#router ospf ?
<1-65535> Process ID
SW1(config)#router ospf 1
IP routing not enabled
SW1(config)#ip routing
SW1(config)#router ospf 1
SW1(config-router)#?
Router configuration commands:
area OSPF area parameters
auto-cost Calculate OSPF interface cost according to bandwidth
bfd BFD configuration commands
capability Enable specific OSPF feature
compatible OSPF compatibility list
default Set a command to its defaults
default-information Control distribution of default information
default-metric Set metric of redistributed routes
discard-route Enable or disable discard-route installation
distance Define an administrative distance
distribute-list Filter networks in routing updates
domain-id OSPF domain-id
domain-tag OSPF domain-tag
exit Exit from routing protocol configuration mode
help Description of the interactive help system
ignore Do not complain about specific event
ispf Enable incremental SPF computation
limit Limit a specific OSPF feature
log-adjacency-changes Log changes in adjacency state
max-lsa maximum number of LSAs OSPF process will receive
max-metric Set maximum metric
maximum-paths Forward packets over multiple paths
neighbor Specify a neighbor router
network Enable routing on an IP network
no Negate a command or set its defaults
nsf Non-stop forwarding
passive-interface Suppress routing updates on an interface
process-min-time Percentage of quantum to be used before releasing CPU
queue-depth OSPF Hello/Router process queue depth
redistribute Redistribute information from another routing protocol
router-id router-id for this OSPF process
summary-address Configure IP address summaries
timers Adjust routing timers
traffic-share How to compute traffic share over alternate paths
SW1(config-router)#network 172.17.99.0 ?
A.B.C.D OSPF wild card bits
SW1(config-router)#network 172.17.99.0 0.0.0.7 ?
area Set the OSPF area ID
SW1(config-router)#network 172.17.99.0 0.0.0.7 area 0
SW1(config-router)#network 172.17.101.0 0.0.0.255 area 101
SW1(config-router)#network 172.17.201.0 0.0.0.255 area 201
SW1(config-router)#passive-interface default // DISABLE OSPF ADJACENCY ON ALL LAYER 3 INTERFACE
SW1(config-router)#no passive-interface fastethernet0/12 // ENABLE OSPF ON F0/12 (UPLINK TO PAN FIREWALL)
SW1(config-router)#end
SW1#
*Mar 1 03:46:12.758: %SYS-5-CONFIG_I: Configured from console by console
SW1#show ip ospf neighbor // NO OSPF ADJACENCY FORMED YET SINCE NO OSPF CONFIGURED ON PAN FIREWALL
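The network statements above use wildcard bits, and passive-interface default means only F0/12 actually sends hellos. The following Python script is an added illustration (not output from SW1 or code from the blog) that reproduces how IOS maps the three Layer 3 interfaces to areas, which of them can form an adjacency, and why SW1's router ID ended up as 172.17.201.1; the interface table and statements are constructed from the transcript above.

```python
import ipaddress

# Constructed from the SW1 transcript: Layer 3 interfaces, the network
# statements typed under 'router ospf 1', and the passive-interface settings.
INTERFACES = {
    "FastEthernet0/12": "172.17.99.2/29",
    "Vlan101": "172.17.101.1/24",
    "Vlan201": "172.17.201.1/24",
}
NETWORK_STATEMENTS = [  # (address, wildcard, area)
    ("172.17.99.0", "0.0.0.7", "0"),
    ("172.17.101.0", "0.0.0.255", "101"),
    ("172.17.201.0", "0.0.0.255", "201"),
]
PASSIVE_DEFAULT = True            # passive-interface default
PASSIVE_EXCEPTIONS = {"FastEthernet0/12"}  # no passive-interface fastethernet0/12


def wildcard_match(ip, address, wildcard):
    """IOS wildcard semantics: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(address)) & care)


def ospf_interfaces(interfaces, statements, passive_default, exceptions):
    """Map each interface to its OSPF area and whether it is passive (no hellos).

    IOS resolves overlapping network statements by specificity (fewest wildcard
    bits wins), not by the order they were typed, so sort before matching.
    """
    by_specificity = sorted(statements, key=lambda s: int(ipaddress.IPv4Address(s[1])))
    result = {}
    for name, cidr in interfaces.items():
        ip = cidr.split("/")[0]
        for address, wildcard, area in by_specificity:
            if wildcard_match(ip, address, wildcard):
                # An exception flips the default: with 'passive-interface default'
                # only the listed interfaces send hellos and can form adjacencies.
                passive = passive_default != (name in exceptions)
                result[name] = {"area": area, "passive": passive, "ip": ip}
                break
    return result


def router_id(interfaces, configured=None, loopbacks=()):
    """IOS uses a configured router-id first, then the highest loopback address,
    then the highest address on an up Layer 3 interface. SW1 has neither of the
    first two, so SVI 201's 172.17.201.1 wins (matching the show output later)."""
    if configured:
        return configured
    pool = list(loopbacks) or [cidr.split("/")[0] for cidr in interfaces.values()]
    return str(max(ipaddress.IPv4Address(a) for a in pool))


if __name__ == "__main__":
    for name, info in ospf_interfaces(INTERFACES, NETWORK_STATEMENTS,
                                      PASSIVE_DEFAULT, PASSIVE_EXCEPTIONS).items():
        print(f"{name:18} area {info['area']:>4} passive={info['passive']}")
    print("router-id:", router_id(INTERFACES))
```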
To configure OSPF on a PAN firewall, go to Network > Virtual Routers > click on the custom Virtual Router (LAB-VR in this case) > OSPF.
Tick Enable (to enable OSPF routing on the PAN firewall) > type the Router ID (the IP address the router uses to uniquely identify itself in the OSPF domain) 172.17.99.1 (no subnet mask needed) > click Add under the Area tab.
Type the Area ID in dotted decimal (like an IPv4 address) 0.0.0.0 > leave the default Type (Area Type) as Normal.
Go to the Range tab > click Add > type the network/netmask that will participate in OSPF routing > choose Advertise under the Action drop-down menu.
Go to the Interface tab > click Add > choose the interface that will participate in OSPF Area 0 (ethernet1/2, the TRUST-L3 interface in this case) > leave the default Link Type as Broadcast and the other OSPF timers and metrics at their defaults > click OK > OK > then click Commit to apply the changes.
The OSPF adjacency was established on SW1 after configuring OSPF and clicking Commit on the PAN firewall.
*Mar 1 04:06:05.803: %OSPF-5-ADJCHG: Process 1, Nbr 172.17.99.1 on FastEthernet0/12 from LOADING to FULL, Loading Done
SW1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
172.17.99.1 1 FULL/BDR 00:00:38 172.17.99.1 FastEthernet0/12
Click More Runtime Stats under LAB-VR to check the routing table. Notice that the Flags column shows O, which means OSPF route. Issue the show routing route command on the PAN firewall CLI to view the routing table.
The PAN firewall became an ASBR since it has the default route to the Internet.
SW1#show ip ospf interface fastethernet0/12
FastEthernet0/12 is up, line protocol is up (connected)
Internet Address 172.17.99.2/29, Area 0
Process ID 1, Router ID 172.17.201.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1 // SW1 IS THE DR IN OSPF AREA 0
Designated Router (ID) 172.17.201.1, Interface address 172.17.99.2
Backup Designated router (ID) 172.17.99.1, Interface address 172.17.99.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:05
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 172.17.99.1 (Backup Designated Router)
Suppress hello for 0 neighbor(s)
The PAN firewall became the BDR (in the OSPF DR/BDR election) since its Router ID 172.17.99.1 is lower than SW1's; SW1 has no router-id configured and no loopback, so its Router ID is its highest interface IP address, 172.17.201.1 (SVI 201). With both routers at the default priority 1, the higher Router ID wins and SW1 is the DR. The show ip ospf interface output above lists the DR and BDR addresses.
SW1#show ip route // SW1 HAS NO OSPF ROUTE FROM PAN FIREWALL
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.17.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.17.201.0/24 is directly connected, Vlan201
C 172.17.101.0/24 is directly connected, Vlan101
C 172.17.99.0/29 is directly connected, FastEthernet0/12
SW1 still doesn't receive any OSPF route from the PAN firewall. To advertise OSPF routes, go to Network > Virtual Routers > click LAB-VR > Redistribution Profiles > click Add.
Type the Redistribution Profile name, type a number for the Priority (1 in this case) > click Redist under Redistribute > tick Static under the General Filter tab > Source Type > under the Destination column click Add > type the static default route 0.0.0.0/0 > click OK.
Bind the Redistribution Profile by going to OSPF > Export Rules tab > tick Allow Redistribute Default Route > click Add.
Choose the created Redistribution Profile (RP-STATIC in this case) and leave the New Path Type as Ext 2 (External Type 2 route) > click OK > then Commit.
*Mar 1 04:54:56.397: %OSPF-5-ADJCHG: Process 1, Nbr 172.17.99.1 on FastEthernet0/12 from LOADING to FULL, Loading Done // OSPF ADJACENCY BOUNCED AFTER REDISTRIBUTION PROFILE WAS APPLIED AND HIT COMMIT
SW1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.17.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.17.201.0/24 is directly connected, Vlan201
C 172.17.101.0/24 is directly connected, Vlan101
C 172.17.99.0/29 is directly connected, FastEthernet0/12
O*E2 0.0.0.0/0 [110/1] via 172.17.99.1, 00:00:00, FastEthernet0/12 // OSPF EXTERNAL TYPE 2 RECEIVED FROM PAN FIREWALL
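Once the default route is learned via OSPF, anything that can form an adjacency on the segment could inject its own 0.0.0.0/0 and pull traffic. The script below is an added example (not part of the blog or of any vendor tool) that parses the show ip ospf neighbor and show ip route output shown above and flags neighbors outside an expected set, neighbors not in FULL state, and a default route from an unexpected next hop; the sample output is constructed from the transcript with one rogue neighbor (172.17.99.5) added to show what gets flagged.

```python
import re

# Constructed sample output modelled on the SW1 transcript above, plus a
# rogue neighbor 172.17.99.5 that also advertises a default route.
NEIGHBOR_OUTPUT = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
172.17.99.1       1   FULL/BDR        00:00:38    172.17.99.1     FastEthernet0/12
172.17.99.5       1   2WAY/DROTHER    00:00:31    172.17.99.5     FastEthernet0/12
"""
ROUTE_OUTPUT = """\
Gateway of last resort is 172.17.99.1 to network 0.0.0.0
     172.17.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.17.99.0/29 is directly connected, FastEthernet0/12
O*E2    0.0.0.0/0 [110/1] via 172.17.99.1, 00:00:00, FastEthernet0/12
O*E2    0.0.0.0/0 [110/1] via 172.17.99.5, 00:00:00, FastEthernet0/12
"""

NEIGHBOR_RE = re.compile(
    r"^(?P<rid>\d+(?:\.\d+){3})\s+(?P<pri>\d+)\s+(?P<state>\S+)\s+(?P<dead>\S+)"
    r"\s+(?P<addr>\d+(?:\.\d+){3})\s+(?P<intf>\S+)\s*$")
# OSPF route codes seen in 'show ip route': O, O IA, O E1/E2 and O*E2 (default).
ROUTE_RE = re.compile(
    r"^(?P<code>O(?: IA|\*?E[12]|\*)?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)"
    r"\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d+(?:\.\d+){3}),")


def parse_neighbors(text):
    """Rows of 'show ip ospf neighbor' as dicts; the header line is skipped."""
    return [m.groupdict() for m in map(NEIGHBOR_RE.match, text.splitlines()) if m]


def parse_ospf_routes(text):
    """OSPF-learned rows of 'show ip route' as dicts; other codes are skipped."""
    return [m.groupdict() for m in map(ROUTE_RE.match, text.splitlines()) if m]


def audit(neighbor_text, route_text, expected_neighbors, expected_default_nh):
    """Return findings as strings; an empty list means OSPF state matches expectations.

    The FULL check assumes the local router is DR or BDR (SW1 is the DR here);
    between two DROthers on a broadcast segment, 2WAY/DROTHER is normal.
    """
    findings = []
    for n in parse_neighbors(neighbor_text):
        if n["rid"] not in expected_neighbors:
            findings.append(f"unexpected OSPF neighbor {n['rid']} on {n['intf']}")
        elif not n["state"].startswith("FULL"):
            findings.append(f"neighbor {n['rid']} not FULL (state {n['state']})")
    for r in parse_ospf_routes(route_text):
        if r["prefix"] == "0.0.0.0/0" and r["nh"] != expected_default_nh:
            findings.append(f"default route learned via unexpected next hop {r['nh']}")
    return findings


if __name__ == "__main__":
    # Only the PAN firewall (router ID and next hop 172.17.99.1) is expected.
    for finding in audit(NEIGHBOR_OUTPUT, ROUTE_OUTPUT, {"172.17.99.1"}, "172.17.99.1"):
        print(finding)
```

Run it periodically against the real command output (or feed it from a log collector) and alert on any non-empty result.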
Awesome job! Really useful
Thanks a lot, really solved my problem
Thanks!!!