Names instead for IP address on routing table

L1 Bithead

Names instead for IP address on routing table

Hi there,

We have a PA with two Virtual Routers, Internal VR and DMZ-Internet VR. When I type show routing fib virtual-router "Internal VR" for example the forwarding table shows a name for next hop and interface, see the output below:

show routing fib virtual-router "Internal VR"

id destination nexthop flags interface mtu
--------------------------------------------------------------------------------
51814 0.0.0.0/0 DMZ-Internet VR u Internal VR/i3 0

How can I change the output to see the IP address of "DMZ-Internet VR" instead of the name? Which interface is Internal VR/i3? There is no such interface in show interface all.

The same happens if I change the Virtual router on the command:

show routing fib virtual-router "DMZ-Internet VR"

id destination nexthop flags interface mtu
--------------------------------------------------------------------------------
34049 0.0.0.0/0 210.10.200.193 ug ae4.32 1500
50428 10.0.0.0/24 Internal VR u DMZ-Internet VR/i3 0
50429 10.4.0.0/24 Internal VR u DMZ-Internet VR/i3 0
52354 10.5.0.0/24 Internal VR u DMZ-Internet VR/i3 0

Cheers

L2 Linker

Re: Names instead for IP address on routing table

To display route entries for any Virtual-Router that you have (for example Internal VR), run the following command:
> show routing route virtual-router Internal VR

For more details, see the Palo Alto Firewall CLI Cheat Sheet: Networking below.

https://www.paloaltonetworks.com/documentation/71/pan-os/cli-gsg/cli-cheat-sheets/cli-cheat-sheet-ne...

Fawaz El-Diasti
PCNSE 7, ACE PAN-OS 6.1, 7.0, 8.0
Community Manager

Re: Names instead for IP address on routing table

There is no IP address associated with these routes as they are 'next-vr' internal routes. They are not directed at an IP address but rather at another internal virtual router. Once the packet is delivered to the next router, that router will take care of routing to the next hop.

e.g.:

A packet departing a host on your DMZ arrives on the firewall on the "Internal" router.

That router has a default route pointing at a different virtual router, so "Internal" simply hands off the packet to the other VR:

51814 0.0.0.0/0 DMZ-Internet VR u Internal VR/i3 0

DMZ-Internet is the next hop; this is an internal transaction, so it is handled through the VR/i3 internal interface.

Then the next router, "DMZ-Internet", has its default gateway go out to the next hop 210.10.200.193 via the ae4.32 subinterface:

34049 0.0.0.0/0 210.10.200.193 ug ae4.32 1500

Returning packets from the internet are received on "DMZ-Internet" and forwarded to the other VR through the VR/i3 interface, back to where the client has a physical connection:

50428 10.0.0.0/24 Internal VR u DMZ-Internet VR/i3 0
50429 10.4.0.0/24 Internal VR u DMZ-Internet VR/i3 0
52354 10.5.0.0/24 Internal VR u DMZ-Internet VR/i3 0

The VR config will look like this:

[Image: Route pointing to a different VR]

So, because you are directing packets at the VR, there will not be an IP.

Hope this helps.


Help the community: Like helpful comments and mark solutions
Reaper out
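The hand-off Reaper describes can be checked mechanically rather than by reading two FIB dumps side by side. The script below is an added example, not Palo Alto code and not part of this thread: it parses the plain-text output of show routing fib virtual-router as quoted above, treats a next hop that matches a known VR name as a next-vr route, and follows a destination from one VR to the next until it ends at a real IP next hop or a directly connected interface. The FIB text for "DMZ-Internet VR" is copied from the thread; the "Internal VR" table adds one constructed connected route for 10.4.0.0/24 (id 51815, interface ethernet1/4, not shown in the thread) so that return traffic has somewhere to land. The same walk also catches the misconfiguration this design invites: a next-vr route whose target VR has no more specific route and hands the packet straight back.

```python
"""Resolve PAN-OS FIB entries across virtual routers (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# Columns are: id destination nexthop flags interface mtu.  Next hop and
# interface may contain spaces ("DMZ-Internet VR", "Internal VR/i3"), so the
# flags column (lowercase letters only) is used to anchor the split.
FIB_LINE = re.compile(
    r"(?P<id>\d+)\s+(?P<dest>\S+)\s+(?P<nexthop>.+?)\s+"
    r"(?P<flags>[a-z]+)\s+(?P<iface>.+?)\s+(?P<mtu>\d+)"
)


@dataclass(frozen=True)
class FibEntry:
    vr: str
    destination: ipaddress.IPv4Network
    nexthop: str
    flags: str
    interface: str
    mtu: int


def parse_fib(vr: str, text: str) -> list[FibEntry]:
    """Parse one VR's FIB output; header, separator and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FIB_LINE.fullmatch(line.strip())
        if not m:
            continue
        entries.append(FibEntry(vr, ipaddress.ip_network(m["dest"]), m["nexthop"],
                                m["flags"], m["iface"], int(m["mtu"])))
    return entries


def lookup(entries: list[FibEntry], ip: str):
    """Longest-prefix match, as the forwarding plane does; None if no route."""
    addr = ipaddress.ip_address(ip)
    matches = [e for e in entries if addr in e.destination]
    return max(matches, key=lambda e: e.destination.prefixlen, default=None)


def trace(tables: dict, start_vr: str, ip: str) -> list[FibEntry]:
    """Follow a destination through next-vr hand-offs.

    Returns the FIB entry used in each VR visited.  A next hop that is the
    name of a known VR is a next-vr route; anything else (an IP next hop or
    0.0.0.0 for a connected route) terminates the walk.  Raises RuntimeError
    if the packet would bounce between VRs.
    """
    path, vr = [], start_vr
    while True:
        entry = lookup(tables[vr], ip)
        if entry is None:
            raise LookupError(f"{ip}: no route in {vr}")
        path.append(entry)
        if entry.nexthop not in tables:
            return path
        if entry.nexthop in {e.vr for e in path}:
            hops = " -> ".join(e.vr for e in path)
            raise RuntimeError(f"{ip}: routing loop {hops} -> {entry.nexthop}")
        vr = entry.nexthop


# Sample FIB output.  "DMZ-Internet VR" is copied from the thread; the
# 10.4.0.0/24 connected route in "Internal VR" is constructed for this example.
SAMPLE = {
    "Internal VR": """\
id destination nexthop flags interface mtu
--------------------------------------------------------------------------------
51814 0.0.0.0/0 DMZ-Internet VR u Internal VR/i3 0
51815 10.4.0.0/24 0.0.0.0 u ethernet1/4 1500
""",
    "DMZ-Internet VR": """\
id destination nexthop flags interface mtu
--------------------------------------------------------------------------------
34049 0.0.0.0/0 210.10.200.193 ug ae4.32 1500
50428 10.0.0.0/24 Internal VR u DMZ-Internet VR/i3 0
50429 10.4.0.0/24 Internal VR u DMZ-Internet VR/i3 0
52354 10.5.0.0/24 Internal VR u DMZ-Internet VR/i3 0
""",
}
TABLES = {vr: parse_fib(vr, text) for vr, text in SAMPLE.items()}


def describe(path: list[FibEntry]) -> str:
    return " -> ".join(f"{e.vr}: {e.destination} via {e.nexthop} ({e.interface})"
                       for e in path)


if __name__ == "__main__":
    # Outbound: Internal VR hands off to DMZ-Internet VR, which exits ae4.32.
    print(describe(trace(TABLES, "Internal VR", "8.8.8.8")))
    # Return: DMZ-Internet VR hands back to Internal VR, which is connected.
    print(describe(trace(TABLES, "DMZ-Internet VR", "10.4.0.7")))
    # 10.5.0.0/24 is sent to Internal VR, which only has a default route back.
    try:
        trace(TABLES, "DMZ-Internet VR", "10.5.0.1")
    except RuntimeError as exc:
        print(exc)
```

Running it prints the two-VR path for an outbound packet, the connected interface for a returning one, and a loop report for 10.5.0.1, which is exactly the check worth running after adding a next-vr route: the target VR needs its own more specific route (or a connected interface) for every prefix handed to it.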
L1 Bithead

Re: Names instead for IP address on routing table

Hi Reaper,

You gave the answer that I was looking for but I didn't find. Thank you.

So Palo Alto does not use IP addresses when there is a "direct" connection between two virtual routers, and this connection can be made internally.

I have seen different vendors using an external device to route traffic between two virtual routers (VRF). This is the reason why I got confused when I saw the PA FIB.

I have another question for you. The internal interface is created automatically when next-vr is selected in the static route configuration. Is that right?

By the way, I am new to PA.

Community Manager

Re: Names instead for IP address on routing table

Hi @DaniloBarbosa

There are multiple options available, and external routing is certainly an option if you do not wish to perform internal forwarding (just route out to a next hop like you would normally), but as you noticed this is not mandatory (wait till you see inter-vsys routing ;) )

The internal interface is always there and gets used once internal forwarding is set up; there is no need to create it.

And welcome to the Community! Hope you like it here :)

Tom
