Names instead for IP address on routing table


Hi there,

We have a PA with two Virtual Routers, Internal VR and DMZ-Internet VR. When I type show routing fib virtual-router "Internal VR", for example, the forwarding table shows a name for the next hop and interface, see the output below:

show routing fib virtual-router "Internal VR"

id destination nexthop flags interface mtu
--------------------------------------------------------------------------------
51814 0.0.0.0/0 DMZ-Internet VR u Internal VR/i3 0

How can I change the output to see the IP address of "DMZ-Internet VR" instead of the name? Which interface is that Internal VR/i3? There is no such interface in show interface all.

The same happens if I change the Virtual Router in the command:

show routing fib virtual-router "DMZ-Internet VR"

id destination nexthop flags interface mtu
--------------------------------------------------------------------------------
34049 0.0.0.0/0 210.10.200.193 ug ae4.32 1500
50428 10.0.0.0/24 Internal VR u DMZ-Internet VR/i3 0
50429 10.4.0.0/24 Internal VR u DMZ-Internet VR/i3 0
52354 10.5.0.0/24 Internal VR u DMZ-Internet VR/i3 0

Cheers


5 REPLIES

To display route entries for any Virtual Router that you have (for example Internal VR), run the following command:
> show routing route virtual-router "Internal VR"

For more details, find below the Palo Alto Firewall CLI Cheat Sheet: Networking.

https://www.paloaltonetworks.com/documentation/71/pan-os/cli-gsg/cli-cheat-sheets/cli-cheat-sheet-ne...

Fawaz El-Diasti
PCNSE 7, ACE PAN-OS 6.1, 7.0, 8.0


There is no IP address associated with these routes as they are 'next-vr' internal routes. They are not directed at an IP address but rather at another internal virtual router. Once the packet is delivered to the next router, that router will take care of routing to the next hop.

eg:

A packet departing a host on your DMZ arrives on the firewall on the "Internal" router.

That router had a default route pointed at a different virtual router, so the "Internal" simply hands off the packet to the other VR:

51814 0.0.0.0/0 DMZ-Internet VR u Internal VR/i3 0

DMZ-Internet is the next hop; this is an internal transaction, so it is handled through the VR/i3 internal interface.

Then the next router "DMZ-Internet" has its default gateway go out to the next hop 210.10.200.193, going out of the ae4.32 subinterface:

34049 0.0.0.0/0 210.10.200.193 ug ae4.32 1500

Returning packets from the internet are received on "DMZ-Internet" and forwarded to the other VR through the VR/i3 interface, back to where the client has a physical connection:

50428 10.0.0.0/24 Internal VR u DMZ-Internet VR/i3 0
50429 10.4.0.0/24 Internal VR u DMZ-Internet VR/i3 0
52354 10.5.0.0/24 Internal VR u DMZ-Internet VR/i3 0

The VR config will look like this:

Route pointing to a different VR

So, because you are directing packets at the VR, there will not be an IP.

Hope this helps

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
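As an added illustration of the distinction described in the reply above (this is not code from the thread or from Palo Alto Networks): a small Python parser for the "show routing fib" rows quoted in this thread that separates routes with a real IP next hop from next-vr hand-offs, so an audit of which prefixes actually leave the firewall and which only move between virtual routers can be scripted. The set of flag characters the parser accepts is an assumption.

```python
import ipaddress
import re

# The two FIB tables quoted in the thread, embedded here as sample input.
FIB_INTERNAL = """\
id destination nexthop flags interface mtu
--------------------------------------------------------------------------------
51814 0.0.0.0/0 DMZ-Internet VR u Internal VR/i3 0
"""
FIB_DMZ_INTERNET = """\
id destination nexthop flags interface mtu
--------------------------------------------------------------------------------
34049 0.0.0.0/0 210.10.200.193 ug ae4.32 1500
50428 10.0.0.0/24 Internal VR u DMZ-Internet VR/i3 0
50429 10.4.0.0/24 Internal VR u DMZ-Internet VR/i3 0
52354 10.5.0.0/24 Internal VR u DMZ-Internet VR/i3 0
"""

# nexthop and interface may contain spaces ("DMZ-Internet VR", "Internal VR/i3"), so rows
# are split around the flags column. Assumption: flags are only lowercase u g h e or *.
_ROW = re.compile(r"^(?P<id>\d+)\s+(?P<destination>\S+)\s+(?P<nexthop>.+?)\s+"
                  r"(?P<flags>[ughe*]+)\s+(?P<interface>.+?)\s+(?P<mtu>\d+)$")

def classify(row):
    """'ip' if nexthop is an address; 'next-vr' if it is a VR name reached over
    that VR's internal i3 pseudo-interface (the rows the thread asks about)."""
    try:
        ipaddress.ip_address(row["nexthop"])
        return "ip"
    except ValueError:
        return "next-vr" if row["interface"].endswith("/i3") else "unknown"

def parse_fib(text):
    """Parse 'show routing fib' output into one dict per route row."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:  # header, separator and blank lines do not match
            continue
        row = m.groupdict()
        row["id"], row["mtu"] = int(row["id"]), int(row["mtu"])
        row["kind"] = classify(row)
        rows.append(row)
    return rows

def next_vr_targets(rows):
    """Destinations this VR hands to another VR, mapped to that VR's name."""
    return {r["destination"]: r["nexthop"] for r in rows if r["kind"] == "next-vr"}
```

Running parse_fib over a captured table and printing rows whose kind is "next-vr" lists exactly the entries that never touch a physical next hop, which is why no IP address can be shown for them.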

Hi Reaper,

You gave the answer that I was looking for but didn't find. Thank you.

So Palo Alto does not use IP addresses when there is a "direct" connection between two virtual routers, and this connection can be made internally.

I have seen different vendors using an external device to route traffic between two virtual routers (VRF). This is the reason why I got confused when I saw the PA FIB.

I have another question for you. The internal interface is created automatically when next-vr is selected in the static route configuration. Is that right?

By the way, I am new to PA.

Hi @DaniloBarbosa

There are multiple options available, and external routing is certainly an option if you do not wish to perform internal forwarding (just route out to a next hop like you would do normally), but as you noticed this is not mandatory (wait till you see inter-vsys routing 😉 ).

The internal interface is always there and gets used once internal forwarding is set up; no need to create it.

And welcome to the Community! Hope you like it here 🙂

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

The i3 interface is created automatically, not at static route configuration time, but together with the virtual router. It is useful for routing traffic from one virtual router to another virtual router internally.

It is also visible with "show routing interface".

  • 2 accepted solutions
  • 4901 Views
  • 5 replies
  • 0 Likes