topic Re: Names instead for IP address on routing table in General Topics

Names instead for IP address on routing table

DaniloBarbosa — Mon, 06 Nov 2017 06:12:29 GMT

Hi there,

We have a PA with two Virtual Routers, Internal VR and DMZ-Internet VR. When I type show routing fib virtual-router "Internal VR" for example the forwarding table shows a name for next hop and interface, see the output below:

show routing fib virtual-router "Internal VR"

id destination nexthop flags interface mtu
--------------------------------------------------------------------------------
51814 0.0.0.0/0 DMZ-Internet VR u Internal VR/i3 0

How can I change the output to see the IP address of "DMZ-Internet VR" instead of the name? Which interface is that Internal VR/i3, there is not such interface on show interface all.

The same happens if I change the Virtual router on the command:

show routing fib virtual-router "DMZ-Internet VR"

id destination nexthop flags interface mtu
--------------------------------------------------------------------------------
34049 0.0.0.0/0 210.10.200.193 ug ae4.32 1500
50428 10.0.0.0/24 Internal VR u DMZ-Internet VR/i3 0
50429 10.4.0.0/24 Internal VR u DMZ-Internet VR/i3 0
52354 10.5.0.0/24 Internal VR u DMZ-Internet VR/i3 0

Cheers

Re: Names instead for IP address on routing table

Feldiasti — Mon, 06 Nov 2017 06:29:55 GMT

To display route entries for any Virtual-Router that you have (for example Internal VR), run the following command:
> show routing route virtual-router Internal VR

for more details find blow Palo Alto Firewall CLI Cheat Sheet: Networking.

https://www.paloaltonetworks.com/documentation/71/pan-os/cli-gsg/cli-cheat-sheets/cli-cheat-sheet-networking

Re: Names instead for IP address on routing table

reaper — Mon, 06 Nov 2017 07:46:52 GMT

there is no IP address associated to these routes as they are 'next-vr' internal routes. They are not directed at an ip address but rather at another internal virtual router. once the packet is delivered to the next router, that router will take care of routing to the next hop

eg:

a packet departing a host on your DMZ arrives on the firewall on the "Internal" router

that router had a default route pointed at a different virtual router, so the "Internal" simply hands off the packet to the other VR:

51814 0.0.0.0/0 DMZ-Internet VR u Internal VR/i3 0

DMZ-internet is the next hop, there is an internal transaction so this is handled through the VR/i3 internal interface

then the next router "DMZ-Internet" has it's default gateway go out to the next hop 210.10.200.193 going out of the ae4.32 subinterface

34049 0.0.0.0/0 210.10.200.193 ug ae4.32 1500

returning packets from the internet are received on "DMZ-Internet" and forwarded to the other VR through the VR/i3 interface, back to where the client has a physical connection

50428 10.0.0.0/24 Internal VR u DMZ-Internet VR/i3 0
50429 10.4.0.0/24 Internal VR u DMZ-Internet VR/i3 0
52354 10.5.0.0/24 Internal VR u DMZ-Internet VR/i3 0

the VR config will look like this

So, because you are directing packets at the VR, there will not be an IP

hope this helps

Re: Names instead for IP address on routing table

DaniloBarbosa — Mon, 06 Nov 2017 21:42:57 GMT

Hi Reaper,

You gave the answer that I was looking for but I didn't find. Thank you.

Then Palo Alto do not use IP addresses when there is a "directc" connection between two virtual routers, and this connection can be made internally.

I have seen different vendors using an external device to route traffic between two virtual routers (VRF). This is the reason why I got confused when I saw the PA FIB.

I have another question for you. The internal interface is created automatically when next-vr is selected on static route configuration. is it right?

By the way, I am new at PA

Re: Names instead for IP address on routing table

reaper — Tue, 07 Nov 2017 09:18:33 GMT

Hi @DaniloBarbosa

There's multiple options available and external routing is certainly an option if you do not wish to perform internal forwarding (just route out to a next hop like you would do normally), but as you noticed this is not mandatory (wait till you see inter-vsys routing 😉 )

The internal interface is always there and gets used once internal forwarding is set up, no need to create it

And welcome to the Community! Hope you like it here 🙂

Tom

Re: Names instead for IP address on routing table

jchen1 — Fri, 15 May 2020 02:48:24 GMT

I3 interface is created automatically not at the static route configuration time, but it is created with the virtual router. It is useful to route traffic from one virtual router to another virtual router internally.

It is also visible by "show routing interface".