Virtual router to virtual router communication


L2 Linker

 Hi, 

 

We have a setup in which a switch is used for interconnecting several virtual systems to a perimeter router. The switch is going end of life and needs to be replaced. Is it possible to replace this switch with a "Virtual router" in Palo Alto?

Below is the setup:

 

1. All virtual systems have their own virtual routers. 

2. Default routes from the virtual systems are pointing to the corresponding SVIs in the switch

3. From the switch traffic gets routed to perimeter router

4. There are NAT IPs in each vsys. The switch has reverse routes pointing those NAT IPs to the particular interfaces of the vsys.

 

Query: 

 

1. Is it possible to replace the switch with a new virtual router? Will the new virtual router be visible to all vsys?

2. If I select next hop as "Virtual router" while adding a static route, it does not allow me to choose an interface in the next hop virtual router. Will this work for static routes configured for NAT IPs in the next hop VR? And also for static routes?

In the diagram below, 192.66.2.2 is a NAT IP configured in vsys1. My question is if the "Switch with SVIs" is replaced by a new virtual router, will I be able to add routes for 192.66.2.2 pointing to next hop virtual router as "vsys 1" in it?

 

 

[Attached diagram: Inter vr-routing.jpg]


Cyber Elite

check out inter-vsys routing: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSVCA0

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi, Thanks for the link.  The link talks about configuring an "external zone" for doing inter vsys routing. My query is slightly different. We are only choosing a next hop virtual router and not a specific interface in the next hop router. In such cases, will the route work for a NAT IP? 

The "external" zone is used to indicate that the next hop is outside of the current vsys, it is not attached to an interface
The next hop vr then accepts a packet from the "external" zone and points it to an egress interface
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
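As an added illustration, not configuration from this thread or from Palo Alto Networks' own documentation, the hub-VR design the question describes can be expressed in PAN-OS set-format CLI as follows. Assumed names: hub-vr, vsys1-vr, vsys3 (the vsys that owns the perimeter-facing interface), the zone names, the placeholder perimeter router address 203.0.113.1 and the uplink ethernet1/1; the NAT IP 192.66.2.2 is the one from the question.

```text
# Added example: PAN-OS "set" CLI for replacing the switch with a hub virtual router.
# Object names, the placeholder next hop 203.0.113.1 and ethernet1/1 are assumptions;
# 192.66.2.2 is the NAT IP from the question. The PAN-OS CLI does not accept '#'
# comment lines, so strip them before pasting into configure mode.

# 1. Hub VR (owned by vsys3, which holds the perimeter-facing interface ethernet1/1):
#    default route to the perimeter router, plus one host route per NAT IP whose
#    next hop is the tenant vsys's VR rather than an interface.
set network virtual-router hub-vr interface ethernet1/1
set network virtual-router hub-vr routing-table ip static-route to-perimeter destination 0.0.0.0/0 nexthop ip-address 203.0.113.1
set network virtual-router hub-vr routing-table ip static-route vsys1-nat-192.66.2.2 destination 192.66.2.2/32 nexthop next-vr vsys1-vr

# 2. Each tenant VR: default route handed to the hub VR instead of the old SVI.
set network virtual-router vsys1-vr routing-table ip static-route default destination 0.0.0.0/0 nexthop next-vr hub-vr

# 3. External zones so the "leave this vsys" hop has a zone to match on:
#    vsys1 treats vsys3 as external, and vsys3 treats the tenant vsys as external.
set vsys vsys1 zone to-hub network external [ vsys3 ]
set vsys vsys3 zone to-tenants network external [ vsys1 vsys2 ]

# 4. Security policy in each vsys must permit traffic across its external zone
#    (vsys1 outbound shown; vsys3 needs the mirror rule from to-tenants to its untrust zone,
#    and return traffic to 192.66.2.2 is evaluated in the same way in the reverse direction).
set vsys vsys1 rulebase security rules allow-to-hub from trust to to-hub source any destination any application any service application-default action allow
```

The host route in step 1 is what answers the question: the hub VR does not need an interface toward 192.66.2.2, only the next-vr reference, after which vsys1's own VR performs the lookup for the NAT IP.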