Route & Path Selection

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Route & Path Selection

L3 Networker

I have a Cisco backround & I am currently studying Virtual Routers & Static Routes in the PA 8.0 admin guide.  I am trying to understand how Metrics are used in the firewall because it sounds like Administrative Distance does the same thing.  Can someone tell me if my theory is right when it comes to Palo Alto forwarding packets to an intended destination.  Here is my assumption below...

 

I am assuming that if traffic hits a virtual router & there are multiple routes to the same destination address the Palo Alto will first prefer the route with the most specific destination prefix (longest prefix match) and if the prefix's are the same for all routes the Palo Alto will prefer the route with the lowest Administrative Distance & if the Admin Distance is the same for the for all routes the Palo Alto will prefer the route with the lowest Metric.  Is this theory correct?

10 REPLIES 10

L7 Applicator

There is only metric in the actual routing tables. 

 

PAN uses the term administrative distance to set the default metric per protocol for the virtual routers when you create them.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

@pulukas

 

Thanks for the feedback.  So if Metric exists in the routing table & Admin Distance does not that would mean that if I had 2 static default routes (1 going to ISP-A the other going to ISP-B) I would need to lower the Metric on one static route & raise the Metric on the other static route in order to choose which ISP I would send the internet traffic trhough correct?

L2 Linker
@MarioMarquez wrote:

 

I am assuming that if traffic hits a virtual router & there are multiple routes to the same destination address the Palo Alto will first prefer the route with the most specific destination prefix (longest prefix match) and if the prefix's are the same for all routes the Palo Alto will prefer the route with the lowest Administrative Distance & if the Admin Distance is the same for the for all routes the Palo Alto will prefer the route with the lowest Metric.  Is this theory correct?

 

Correct

 

L2 Linker

@MarioMarquez wrote:

I have a Cisco backround & I am currently studying Virtual Routers & Static Routes in the PA 8.0 admin guide.  I am trying to understand how Metrics are used in the firewall because it sounds like Administrative Distance does the same thing.  Can someone tell me if my theory is right when it comes to Palo Alto forwarding packets to an intended destination.  Here is my assumption below...

 

I am assuming that if traffic hits a virtual router & there are multiple routes to the same destination address the Palo Alto will first prefer the route with the most specific destination prefix (longest prefix match) and if the prefix's are the same for all routes the Palo Alto will prefer the route with the lowest Administrative Distance & if the Admin Distance is the same for the for all routes the Palo Alto will prefer the route with the lowest Metric.  Is this theory correct?


 

Hi Team,

 

Unfortunately, the logic provided by @MarioMarquez does not seem to apply here. I have the following setup:

 

Two routes for 176.24.0.0/16:

> One static route with AD manually set to 110 and metric of 15.

> The other route learned via OSPF with the default AD of 110 and metric of 20.

 

I have observed that the firewall still prefers the OSPF route, even as logic dictates that for routes with the same prefix-length and same AD value, the Active route will be chosen based on the lower metric value.

 

VIRTUAL ROUTER: default (id 1)
==========
destination nexthop metric flags age interface next-AS
0.0.0.0/0 10.129.138.1 10 A S ethernet1/1
176.24.0.0/16 192.168.20.1 15 S E ethernet1/1                       <<<<<<<<<<<<<<<
176.24.0.0/16 192.168.20.1 20 A O2E 67572 ethernet1/2                       <<<<<<<<<<<<<<<

 

 

I was looking for an existing ETAC discussion about this behavior and found this thread. Could anyone help me understand this behavior? Also, for the same AD value, the firewall continues to prefer the OSPF route over the static route, irrespective of the metric value.

 

@pulukas @9t89m8fu

Hey @hgaddamwar

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/networking/static-routes/static-rout...

 

"By default, static routes have an administrative distance of 10. When the firewall has two or more routes to the same destination, it uses the route with the lowest administrative distance. By increasing the administrative distance of a static route to a value higher than a dynamic route, you can use the static route as a backup route if the dynamic route is unavailable."

 

If you decrease the admin distance for the static route then that should be preferred over the OSPF route. I believe that if multiple routes for the same network exists, admin distance is used instead of metric?

@LukeBullimore I agree and by varying the AD value, I am able to set the desired active route. However, I wish to set the active route among two routes with similar AD and hence I'm looking for the metric value as the deciding parameter.

 

My customer has a peculiar setup is as follows:

 

> There are three routes for a subnet on the firewall: two learned via OSPF and one via a static route. The two OSPF routes has metric values of 30 and 40.
> He wishes to have the routes installed on the firewall in the following preference: OSPF with metric 30 > static route > OSPF with metric 40.

 

Theoretically, this should be possible by setting a similar AD value for all the routes and varying the metric as required. But practically, it was observed that the static route was being preferred first.

 

As this is slightly complex, he decided to first try with two routes: the static route and the OSPF route with metric 30. Among these two routes, he wished to set the static route as the preferred one. He has confirmed that with different AD values, the route preference is working as expected. But with similar AD values, the firewall ALWAYS prefers the OSPF route.

 

Hence my question: with same prefix-length and same AD values for different routing protocols, how does the firewall select the Active route? What parameters are used during this selection process?

Hello,

Check out this article since it talks about int vs ext OSPF and their admin distances.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKnCAK

 

Regards,

Hi @OtakarKlier

 

Thank you for the assistance. I have checked this document but unfortunately, it is not related to my requirement. The document provides the solution by varying the AD value of the static route, whereas I am interested in the PAN-OS route selection process for routes with the same AD value.

 

To reiterate my query: with same prefix-length and same AD values for different routing protocols, how does the PAN firewall select the Active route? What parameters are used during this selection process?

Hey @hgaddamwar

 

It's definitely possible what you're trying to do. Do you have ECMP configured on the virtual router?

 

edit: "with same prefix-length and same AD values for different routing protocols, how does the PAN firewall select the Active route? What parameters are used during this selection process?"

 

This would be the metric value. But from your outputs you provided earlier I believe ECMP is being used that's why the metric value isn't being considered.

 

Cheers,

Luke.

@LukeBullimore

 

That's another thing: ECMP is not configured on the virtual router, but the two routes with same AD values are always displayed as ECMP routes

 

Based on my lab observations, this seems to be an expected behavior i.e. if two routes with the same-prefix length and same AD value are configured, they are displayed as ECMP routes. If we vary the AD values, the 'E' flag on both the routes disappear.

  • 26474 Views
  • 10 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!