Having a Palo Alto with multiple VRs and subnet overlapping (having multiple interfaces/sub-interfaces with the same subnet).
Int1 - IP: 10.1.1.1/24 - VR1
Int2 - IP: 10.1.1.1/24 - VR2
It works, but does anybody know how:
For management services, to specify one VR or another? You can choose per IP but not per VR/interface?
For making a ping in the CLI, to specify as an argument which is the source VR? Because you can specify the source IP but not the VR.
Thanks for your help.
Nice catch Vince, it looks like you cannot tie the ping to a source interface. It "looks" like you should when you consider the ping options:
+ bypass-routing Bypass routing table, use specified interface
But bypass-routing allows only 'yes' or 'no' as its arguments, not a source interface. Bug? Feature? I don't know, but it would be useful if you could. :smileyplain:
Looks like this has been overlooked by PA and you should contact your SE to get this fixed (most likely through a feature request).
The CLI docs for ping say:
> bypass-routing — Sends the ping request directly to the host on a direct attached network, bypassing usual routing table
> count — Specifies the number of ping requests to be sent (1-2,000,000,000)
> do-not-fragment — Prevents packet fragmentation by use of the do-not-fragment bit in the packet’s IP header
> inet6 — Specifies that the ping packets will use IP version 6
> interval — Specifies how often the ping packets are sent (0 to 2000000000 seconds)
> no-resolve — Provides IP address only without resolving to hostnames
> pattern — Specifies a custom string to include in the ping request (you can specify up to 12 padding bytes to fill out the packet that is sent as an aid in diagnosing data-dependent problems)
> size — Specifies the size of the ping packets (0-65468 bytes)
> source — Specifies the source IP address for the ping command
> tos — Specifies the type of service (TOS) treatment for the packets by way of the TOS bit for the IP header in the ping packet (1-255)
> ttl — Specifies the time-to-live (TTL) value for the ping packet (IPv6 hop-limit value) (0-255 hops)
> verbose — Requests complete details of the ping request.
* host — Specifies the host name or IP address of the remote host
I can somewhat understand why it doesn't work for different vrouters within the same vsys, but why doesn't it work for different vsys?
Isn't the point of using a vsys to be able to segment the hardware into partitions where each partition doesn't care about the others?
A common use case is if you have several customers where each will manage their own VSYS. In this case it would suck big time if customer2 cannot use 10.0.0.1/30 because customer1 (on a different vsys) has already assigned this to one of their interfaces...
Thanks all for your answers. I am working on a validation architecture. I bypass this limitation by setting a different IP for each of the PA's interfaces. But of course it's not really useful.
Meaning using different VRs doesn't mean fully independent routing tables .... :-(