exclude a network from static route


L2 Linker

Is it possible to exclude a network from a static route?

 

For example, I have a static route 10.20.0.0/16 to the core switch.

unfortunately my management network (including PA) is 10.20.200.0/24

I don't want traffic to 10.20.200.0/24 going to the core switch.

 

Just exclude that network from the route. As it's directly connected to the PA, it should take that path by default.


L6 Presenter

In network routing, the most specific route takes precedence. So in the most aggregated form, if you have a large network block to one destination and a small subset to a different destination you have an overlapping netblock route. For instance:

10.20.0.0/16     eth1/2   gw 192.168.2.1
10.20.200.0/24   eth1/3   gw 192.168.3.1

 

The 10.20.200.0/24 traffic will always take the more specific route unless the interface is down or the gateway is unreachable. Note that you actually have 3 (or more) routes that encompass the 10.20.200.0/24 above - you also need to consider the default route 0.0.0.0/0 eth1/1 gw 192.168.1.1 which will take the 10.20.200.0/24 traffic if the first 2 more specific routes are down.

 

The alternative is that you have to de-aggregate the routing into many netblocks to particular destinations. But again, if eth1/3 is down the 10.20.200.0/24 traffic will still take the default route.

10.20.0.0/17     eth1/2   gw 192.168.2.1
10.20.129.0/18   eth1/2   gw 192.168.2.1
10.20.192.0/21   eth1/2   gw 192.168.2.1
10.20.200.0/24   eth1/3   gw 192.168.3.1
10.20.201.0/24   eth1/2   gw 192.168.2.1
10.20.202.0/23   eth1/2   gw 192.168.2.1
10.20.204.0/22   eth1/2   gw 192.168.2.1
10.20.208.0/20   eth1/2   gw 192.168.2.1
10.20.224.0/19   eth1/2   gw 192.168.2.1

 

If you want to explicitly deny 10.20.200.0/24 traffic to any other destination then you need to create a blackhole route:

10.20.0.0/16     eth1/2       gw 192.168.2.1
10.20.200.0/24   eth1/3       gw 192.168.3.1   metric 10
10.20.200.0/24   tunnel.999   gw none          metric 20
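As an added example (not part of the reply above), this Python snippet models the behaviour the reply describes: longest-prefix match first, then lowest metric, with down interfaces skipped, over a route table constructed from the reply's entries ("blackhole" stands for the tunnel.999 discard route). It also computes the de-aggregated cover of 10.20.0.0/16 around 10.20.200.0/24 with the standard library, which is the general form of the manual split shown earlier.

```python
import ipaddress

# Constructed route table based on the reply: (prefix, egress, metric).
# "blackhole" is a stand-in for the tunnel.999 / gw none discard route.
ROUTES = [
    ("0.0.0.0/0",      "eth1/1",    10),
    ("10.20.0.0/16",   "eth1/2",    10),
    ("10.20.200.0/24", "eth1/3",    10),
    ("10.20.200.0/24", "blackhole", 20),
]


def lookup(dst, routes=ROUTES, down=frozenset()):
    """Return the egress for dst: longest prefix wins, then lowest metric.

    Routes whose egress is in `down` are ignored, which models an
    interface being down or its gateway unreachable.
    """
    addr = ipaddress.ip_address(dst)
    best_key, best_egress = None, None
    for prefix, egress, metric in routes:
        net = ipaddress.ip_network(prefix)
        if egress in down or addr not in net:
            continue
        # Longer prefix beats shorter; for equal length, lower metric wins.
        key = (net.prefixlen, -metric)
        if best_key is None or key > best_key:
            best_key, best_egress = key, egress
    return best_egress


def deaggregate(block, hole):
    """Return the prefixes covering `block` with `hole` carved out.

    This is the exact split you need if you want the aggregate to stop
    matching the hole instead of relying on a more-specific route.
    """
    block_net = ipaddress.ip_network(block)
    hole_net = ipaddress.ip_network(hole)
    return [str(n) for n in sorted(block_net.address_exclude(hole_net))]


if __name__ == "__main__":
    print(lookup("10.20.200.5"))                      # eth1/3
    print(lookup("10.20.200.5", down={"eth1/3"}))     # blackhole
    for prefix in deaggregate("10.20.0.0/16", "10.20.200.0/24"):
        print(prefix, "eth1/2   gw 192.168.2.1")
```

Dropping the blackhole row and marking eth1/3 down shows why the reply adds it: the /16 quietly absorbs the management traffic otherwise.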

 

L2 Linker

Thank you @Adrian_Jensen

I was looking for an option to route traffic via management interface. There is no option in PA to route via MGMT interface. As a workaround I have written separate routes.

 

When I connect via GlobalProtect, I am not able to access the management interface IP in the GUI.

L6 Presenter

Yes, the management interface is not part of the dataplane, by design. So you cannot route data in/out of the management port; just use it for PA controller management. If, for some reason, you need a particular PA service to use a data port instead of the management port (or need to set up special port routing for that), you can do that from Setup -> Services -> Service Route Configuration. But it doesn't work the other direction.

 

If you absolutely do not want to pass management-port-bound data from your dataplane segment through a third device, you could dedicate a dataplane port as the gateway for the management port and cross-connect it there, instead of an external switch/router.

Eth1/1 - External WAN zone
Eth1/2 - Internal LAN zone
Eth1/3 - Management Net zone [192.168.0.1]  <-cable->  Mgmt - [192.168.0.2]

 
