07-13-2018 10:53 AM - edited 07-13-2018 10:57 AM
I have a Cisco background & I am currently studying Virtual Routers & Static Routes in the PA 8.0 admin guide. I am trying to understand how Metrics are used in the firewall because it sounds like Administrative Distance does the same thing. Can someone tell me if my theory is right when it comes to Palo Alto forwarding packets to an intended destination? Here is my assumption below...
I am assuming that if traffic hits a virtual router & there are multiple routes to the same destination address the Palo Alto will first prefer the route with the most specific destination prefix (longest prefix match) and if the prefixes are the same for all routes the Palo Alto will prefer the route with the lowest Administrative Distance & if the Admin Distance is the same for all routes the Palo Alto will prefer the route with the lowest Metric. Is this theory correct?
07-14-2018 09:47 AM
There is only metric in the actual routing tables.
PAN uses the term administrative distance to set the default metric per protocol for the virtual routers when you create them.
07-16-2018 05:46 AM - edited 07-16-2018 05:47 AM
Thanks for the feedback. So if Metric exists in the routing table & Admin Distance does not, that would mean that if I had 2 static default routes (1 going to ISP-A, the other going to ISP-B) I would need to lower the Metric on one static route & raise the Metric on the other static route in order to choose which ISP I would send the internet traffic through, correct?
07-16-2018 06:48 AM
@MarioMarquez wrote:
I am assuming that if traffic hits a virtual router & there are multiple routes to the same destination address the Palo Alto will first prefer the route with the most specific destination prefix (longest prefix match) and if the prefixes are the same for all routes the Palo Alto will prefer the route with the lowest Administrative Distance & if the Admin Distance is the same for all routes the Palo Alto will prefer the route with the lowest Metric. Is this theory correct?
Correct
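The selection order confirmed above (longest prefix match first, then lowest administrative distance, then lowest metric) as a small Python model. This is an added example, not code from the thread or from Palo Alto Networks; the routing table below is constructed for illustration (the 176.24.0.0/16 pair mirrors the values discussed later in this thread, the other entries are made up), and `ad` values are just the per-protocol defaults the posters mention, not anything read from a firewall.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str           # destination network, e.g. "176.24.0.0/16"
    next_hop: str
    interface: str
    ad: int               # administrative distance (per-protocol preference)
    metric: int           # cost within the protocol
    source: str           # "static", "ospf", ... (label only)


# Constructed routing table for the example (not output from a real firewall).
ROUTES = [
    Route("0.0.0.0/0", "10.129.138.1", "ethernet1/1", 10, 10, "static"),   # ISP-A default
    Route("0.0.0.0/0", "203.0.113.1", "ethernet1/3", 10, 20, "static"),    # ISP-B backup default
    Route("176.24.0.0/16", "192.168.20.1", "ethernet1/1", 110, 15, "static"),
    Route("176.24.0.0/16", "192.168.20.1", "ethernet1/2", 110, 20, "ospf"),
    Route("176.24.10.0/24", "192.168.21.1", "ethernet1/2", 110, 40, "ospf"),
    Route("10.10.0.0/16", "192.168.30.1", "ethernet1/4", 110, 30, "ospf"),  # equal-cost pair
    Route("10.10.0.0/16", "192.168.31.1", "ethernet1/5", 110, 30, "ospf"),
]


def _rank_key(route):
    """Sort key: longer prefix wins, then lower AD, then lower metric."""
    prefix_len = ipaddress.ip_network(route.prefix, strict=False).prefixlen
    return (-prefix_len, route.ad, route.metric)


def matching_routes(routes, dst_ip):
    """All routes whose prefix covers dst_ip (address-family mismatch never matches)."""
    dst = ipaddress.ip_address(dst_ip)
    return [r for r in routes
            if dst in ipaddress.ip_network(r.prefix, strict=False)]


def select_route(routes, dst_ip):
    """Best route for dst_ip under the LPM -> AD -> metric rule, or None if unreachable."""
    candidates = matching_routes(routes, dst_ip)
    if not candidates:
        return None
    return min(candidates, key=_rank_key)


def equal_cost_candidates(routes, dst_ip):
    """Routes that tie with the winner on prefix length, AD and metric.

    More than one entry here is the situation where a tie-breaker (or ECMP,
    if enabled) decides; the three-step rule alone cannot pick one.
    """
    best = select_route(routes, dst_ip)
    if best is None:
        return []
    return [r for r in matching_routes(routes, dst_ip) if _rank_key(r) == _rank_key(best)]


if __name__ == "__main__":
    for ip in ("176.24.10.5", "176.24.200.1", "8.8.8.8", "10.10.5.5"):
        r = select_route(ROUTES, ip)
        ties = len(equal_cost_candidates(ROUTES, ip))
        print(f"{ip:14} -> {r.prefix:16} via {r.next_hop:14} ({r.source}, metric {r.metric}), ties={ties}")
```

Note that 176.24.10.5 is sent to the /24 with metric 40 even though a /16 with metric 15 exists: prefix length is compared before AD or metric ever matter. The two-ISP question above is the default-route pair: both /0, both static (same AD), so the metric decides and ISP-A wins.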
10-30-2018 11:59 AM
@MarioMarquez wrote:
I have a Cisco background & I am currently studying Virtual Routers & Static Routes in the PA 8.0 admin guide. I am trying to understand how Metrics are used in the firewall because it sounds like Administrative Distance does the same thing. Can someone tell me if my theory is right when it comes to Palo Alto forwarding packets to an intended destination? Here is my assumption below...
I am assuming that if traffic hits a virtual router & there are multiple routes to the same destination address the Palo Alto will first prefer the route with the most specific destination prefix (longest prefix match) and if the prefixes are the same for all routes the Palo Alto will prefer the route with the lowest Administrative Distance & if the Admin Distance is the same for all routes the Palo Alto will prefer the route with the lowest Metric. Is this theory correct?
Hi Team,
Unfortunately, the logic provided by @MarioMarquez does not seem to apply here. I have the following setup:
Two routes for 176.24.0.0/16:
> One static route with AD manually set to 110 and metric of 15.
> The other route learned via OSPF with the default AD of 110 and metric of 20.
I have observed that the firewall still prefers the OSPF route, even as logic dictates that for routes with the same prefix-length and same AD value, the Active route will be chosen based on the lower metric value.
VIRTUAL ROUTER: default (id 1)
==========
destination nexthop metric flags age interface next-AS
0.0.0.0/0 10.129.138.1 10 A S ethernet1/1
176.24.0.0/16 192.168.20.1 15 S E ethernet1/1 <<<<<<<<<<<<<<<
176.24.0.0/16 192.168.20.1 20 A O2E 67572 ethernet1/2 <<<<<<<<<<<<<<<
I was looking for an existing ETAC discussion about this behavior and found this thread. Could anyone help me understand this behavior? Also, for the same AD value, the firewall continues to prefer the OSPF route over the static route, irrespective of the metric value.
10-30-2018 12:57 PM
Hey @hgaddamwar
"By default, static routes have an administrative distance of 10. When the firewall has two or more routes to the same destination, it uses the route with the lowest administrative distance. By increasing the administrative distance of a static route to a value higher than a dynamic route, you can use the static route as a backup route if the dynamic route is unavailable."
If you decrease the admin distance for the static route then that should be preferred over the OSPF route. I believe that if multiple routes for the same network exists, admin distance is used instead of metric?
10-30-2018 01:38 PM
@LukeBullimore I agree and by varying the AD value, I am able to set the desired active route. However, I wish to set the active route among two routes with similar AD and hence I'm looking for the metric value as the deciding parameter.
My customer has a peculiar setup, which is as follows:
> There are three routes for a subnet on the firewall: two learned via OSPF and one via a static route. The two OSPF routes have metric values of 30 and 40.
> He wishes to have the routes installed on the firewall in the following preference: OSPF with metric 30 > static route > OSPF with metric 40.
Theoretically, this should be possible by setting a similar AD value for all the routes and varying the metric as required. But practically, it was observed that the static route was being preferred first.
As this is slightly complex, he decided to first try with two routes: the static route and the OSPF route with metric 30. Among these two routes, he wished to set the static route as the preferred one. He has confirmed that with different AD values, the route preference is working as expected. But with similar AD values, the firewall ALWAYS prefers the OSPF route.
Hence my question: with same prefix-length and same AD values for different routing protocols, how does the firewall select the Active route? What parameters are used during this selection process?
10-30-2018 02:26 PM
Hello,
Check out this article since it talks about int vs ext OSPF and their admin distances.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKnCAK
Regards,
10-31-2018 06:58 AM
Hi @OtakarKlier
Thank you for the assistance. I have checked this document but unfortunately, it is not related to my requirement. The document provides the solution by varying the AD value of the static route, whereas I am interested in the PAN-OS route selection process for routes with the same AD value.
To reiterate my query: with same prefix-length and same AD values for different routing protocols, how does the PAN firewall select the Active route? What parameters are used during this selection process?
10-31-2018 10:09 AM - edited 10-31-2018 11:48 AM
Hey @hgaddamwar
It's definitely possible what you're trying to do. Do you have ECMP configured on the virtual router?
edit: "with same prefix-length and same AD values for different routing protocols, how does the PAN firewall select the Active route? What parameters are used during this selection process?"
This would be the metric value. But from your outputs you provided earlier I believe ECMP is being used that's why the metric value isn't being considered.
Cheers,
Luke.
10-31-2018 11:24 PM
That's another thing: ECMP is not configured on the virtual router, but the two routes with the same AD values are always displayed as ECMP routes.
Based on my lab observations, this seems to be an expected behavior i.e. if two routes with the same-prefix length and same AD value are configured, they are displayed as ECMP routes. If we vary the AD values, the 'E' flag on both the routes disappear.
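A small parser for the routing-table output posted earlier in this thread, written as an added example (not code from the thread or from Palo Alto Networks). It groups entries by destination prefix and reports, for each prefix with more than one candidate, whether the route carrying the A (active) flag is also the lowest-metric one and whether every candidate carries the E flag, which is exactly the condition the lab observations above describe. The sample text is constructed from the table in the earlier post (the `<<<` markers are the poster's annotations and are stripped); the interface-name prefixes and the treatment of purely numeric columns as age/next-AS are assumptions about the output format.

```python
from collections import defaultdict

# Constructed sample, copied from the table posted earlier in this thread.
SAMPLE_OUTPUT = """\
VIRTUAL ROUTER: default (id 1)
==========
destination nexthop metric flags age interface next-AS
0.0.0.0/0 10.129.138.1 10 A S ethernet1/1
176.24.0.0/16 192.168.20.1 15 S E ethernet1/1 <<<<<<<<<<<<<<<
176.24.0.0/16 192.168.20.1 20 A O2E 67572 ethernet1/2 <<<<<<<<<<<<<<<
"""

# Assumption: the last column is an interface name starting with one of these.
INTERFACE_PREFIXES = ("ethernet", "ae", "loopback", "tunnel", "vlan")


def parse_routes(text):
    """Turn the text table into a list of dicts; header, separator and banner lines are skipped."""
    routes = []
    for line in text.splitlines():
        line = line.split("<<")[0].strip()          # drop the poster's annotation markers
        tokens = line.split()
        # A route line has a prefix in column 0 and a numeric metric in column 2.
        if len(tokens) < 5 or "/" not in tokens[0] or not tokens[2].isdigit():
            continue
        dest, nexthop, metric = tokens[0], tokens[1], int(tokens[2])
        iface = tokens[-1] if tokens[-1].startswith(INTERFACE_PREFIXES) else None
        middle = tokens[3:-1] if iface else tokens[3:]
        # Assumption: numeric tokens between flags and interface are age / next-AS, not flags.
        flags = "".join(t for t in middle if not t.isdigit())
        routes.append({"destination": dest, "nexthop": nexthop, "metric": metric,
                       "flags": flags, "interface": iface})
    return routes


def audit_prefixes(routes):
    """For each prefix with several candidates, compare the active route against the lowest metric."""
    by_dest = defaultdict(list)
    for r in routes:
        by_dest[r["destination"]].append(r)

    findings = {}
    for dest, entries in by_dest.items():
        if len(entries) < 2:
            continue                                   # nothing to compare
        active = [e for e in entries if "A" in e["flags"]]
        lowest = min(e["metric"] for e in entries)
        active_metric = active[0]["metric"] if active else None
        findings[dest] = {
            "candidates": len(entries),
            "active_metric": active_metric,
            "lowest_metric": lowest,
            "active_is_lowest_metric": active_metric == lowest,
            "all_ecmp_flagged": all("E" in e["flags"] for e in entries),
        }
    return findings


if __name__ == "__main__":
    for dest, f in audit_prefixes(parse_routes(SAMPLE_OUTPUT)).items():
        status = "ok" if f["active_is_lowest_metric"] else "ACTIVE IS NOT LOWEST METRIC"
        print(f"{dest}: {f['candidates']} candidates, active metric {f['active_metric']}, "
              f"lowest {f['lowest_metric']}, all E-flagged={f['all_ecmp_flagged']} -> {status}")
```

Run against the table from the earlier post it reports the mismatch the poster saw: both 176.24.0.0/16 entries carry E, and the active one has metric 20 while a metric-15 candidate exists. Running the same check on a `show routing route` capture is a quick way to spot prefixes where an equal-AD tie, rather than the metric, is deciding the active route.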