Palo Alto Advanced Routing


PAN-OS 10.2 offers an advanced routing engine that uses an industry-standard configuration methodology to reduce your learning curve. It allows the creation of profile-based filtering lists and conditional route maps, all of which can be used across logical routers. These profiles provide finer granularity to filter routes for each dynamic routing protocol and improve route redistribution across multiple protocols.

The Advanced Routing Engine uses logical routers, rather than virtual routers, to participate in Layer 3 routing.

Only one routing engine (the advanced engine or the legacy engine) is in effect at a time.

Changing the engine requires a commit and a reboot of the firewall.

Make a backup of the configuration before changing the routing engine.

Device > Setup > Management, enable Advanced Routing


https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/advanced-routing/enable-advanced-routing


After the reboot, the previous virtual router (VR) is migrated to a logical router (LR).



Rename the Logical Router if needed.



The firewall uses logical routers (LR) to obtain routes from static routes or dynamic routing protocols. The firewall then populates the routes into the IP routing information base (RIB). When a packet is destined for a different subnet than the one it arrived on, the LR obtains the best route from the RIB, places it in the forwarding information base (FIB), and forwards the packet to the next-hop router defined in the FIB.
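To make the RIB/FIB behaviour above concrete, here is a small added model of a logical router (example code written for this page, not Palo Alto's implementation). Routes from several sources land in the RIB, the best route per prefix (lowest administrative distance, then lowest metric) is installed in the FIB, and forwarding does a longest-prefix match on the FIB. The administrative-distance values, the 203.0.113.1 DHCP next hop, and the competing OSPF route are assumptions for illustration; the 10.1.2.0/24 and 172.16.0.0/24 prefixes and the CSR2 peer address come from the lab below.

```python
"""Added example (not PAN-OS code): a toy logical-router RIB/FIB."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Assumed administrative distances for illustration (PAN-OS values are configurable).
ADMIN_DISTANCE = {"connected": 0, "static": 10, "ebgp": 20, "ospf": 30}


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: Optional[str]   # None means directly connected
    source: str               # key into ADMIN_DISTANCE
    metric: int = 0


class LogicalRouter:
    def __init__(self, name: str):
        self.name = name
        self.rib: list[Route] = []                 # everything learned, all sources
        self.fib: dict[IPv4Network, Route] = {}    # one best route per prefix

    def learn(self, prefix: str, next_hop: Optional[str], source: str, metric: int = 0):
        """Add a route to the RIB (static or dynamic) and re-select the FIB."""
        self.rib.append(Route(ip_network(prefix), next_hop, source, metric))
        self._rebuild_fib()

    def _rebuild_fib(self):
        best: dict[IPv4Network, Route] = {}
        for r in self.rib:
            key = (ADMIN_DISTANCE[r.source], r.metric)
            cur = best.get(r.prefix)
            if cur is None or key < (ADMIN_DISTANCE[cur.source], cur.metric):
                best[r.prefix] = r
        self.fib = best

    def lookup(self, dst: str) -> Optional[Route]:
        """Forwarding decision: longest-prefix match against the FIB only."""
        addr = ip_address(dst)
        candidates = [p for p in self.fib if addr in p]
        if not candidates:
            return None
        return self.fib[max(candidates, key=lambda p: p.prefixlen)]


def build_lab_router() -> LogicalRouter:
    """Constructed RIB roughly matching the lab topology on this page."""
    lr = LogicalRouter("default")
    lr.learn("10.1.2.0/24", None, "connected")          # peering segment toward CSR2
    lr.learn("203.0.113.0/24", None, "connected")       # eth1/1, DHCP client
    lr.learn("0.0.0.0/0", "203.0.113.1", "static")      # default route from DHCP (next hop assumed)
    lr.learn("172.16.0.0/24", "10.1.2.3", "ebgp")       # advertised by CSR2 in AS 65002
    lr.learn("172.16.0.0/24", "10.1.2.9", "ospf", 20)   # assumed competing OSPF route, loses on AD
    return lr


if __name__ == "__main__":
    lr = build_lab_router()
    for dst in ("172.16.0.10", "8.8.8.8", "10.1.2.3"):
        r = lr.lookup(dst)
        print(f"{dst:<12} -> {r.prefix} via {r.next_hop or 'connected'} ({r.source})")
```

The point the model makes: the RIB holds both the eBGP and the OSPF copy of 172.16.0.0/24, but only the winner is ever consulted when forwarding, which is why a redistribution or filtering mistake shows up in the FIB rather than in the RIB.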

You can configure dynamic routing from one LR to another by configuring a loopback interface in each LR, creating a static route between the two loopback interfaces, and then configuring a dynamic routing protocol to peer between these two interfaces. The firewall supports only one hop between logical routers. For example, with logical routers A, B, and C, a route cannot go from A to B to C; it would have to go from A to C.






Lab:





PA Eth1/1 is configured as a DHCP client and receives a 203.0.113.x address and a default route.


Basic BGP Lab: 

Router (CSR2) configuration:

CSR2#sh run | s router
router bgp 65002
 bgp router-id 10.1.2.3
 bgp log-neighbor-changes
 neighbor 10.1.2.254 remote-as 65001
 neighbor 10.1.2.254 password Cisco123
 !
 address-family ipv4
  network 172.16.0.0 mask 255.255.255.0
  neighbor 10.1.2.254 activate
 exit-address-family
CSR2#

PA configuration:

1. Create Auth Profile


2. Create Peer Group and Peer.
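What the CSR2 `neighbor 10.1.2.254 password Cisco123` line and the PA Auth Profile in step 1 actually configure is the TCP MD5 signature option (RFC 2385): every TCP segment of the BGP session carries option kind 19 whose 16-byte value is MD5 over the IP pseudo-header, the TCP header with a zero checksum, the data and the shared password. A peer holding a different password computes a different digest and silently discards the segment, so the session never reaches Established. The following is an added example written for this page (not Cisco or Palo Alto code) that builds and verifies one signed SYN from CSR2 to the PA; the source port, sequence number and window are assumed, the addresses and password are the lab's.

```python
"""Added example (not vendor code): RFC 2385 TCP MD5 signature for a BGP segment."""
import hashlib
import hmac
import socket
import struct

TCP_MD5_KIND = 19
TCP_MD5_LEN = 18          # kind + length + 16-byte digest
TCP_NOP = b"\x01"
BGP_PORT = 179


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, password):
    """RFC 2385 section 2: MD5(pseudo-header || base TCP header || data || key)."""
    base = bytearray(tcp_header[:20])         # options are excluded from the digest
    base[16:18] = b"\x00\x00"                 # checksum field assumed zero
    seg_len = len(tcp_header) + len(payload)  # pseudo-header length covers options + data
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    h = hashlib.md5()
    for part in (pseudo, bytes(base), payload, password.encode()):
        h.update(part)
    return h.digest()


def build_signed_segment(src_ip, dst_ip, src_port, dst_port, seq, flags, payload, password):
    """Return the TCP header (base + MD5 option) the sender would put on the wire."""
    opt_len = TCP_MD5_LEN + 2                 # two NOPs pad the option to a 32-bit boundary
    data_offset = (20 + opt_len) // 4         # header length in 32-bit words (10)
    base = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                       data_offset << 4, flags, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, base + bytes(opt_len), payload, password)
    options = bytes([TCP_MD5_KIND, TCP_MD5_LEN]) + digest + TCP_NOP * 2
    return base + options


def verify_signed_segment(src_ip, dst_ip, tcp_header, payload, password):
    """Receiver side: locate option 19, recompute the digest, compare in constant time."""
    data_offset = (tcp_header[12] >> 4) * 4
    opts = tcp_header[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                         # end of option list
            break
        if kind == 1:                         # NOP
            i += 1
            continue
        if i + 1 >= len(opts):                # truncated option, treat as invalid
            break
        length = opts[i + 1]
        if kind == TCP_MD5_KIND and length == TCP_MD5_LEN:
            received = opts[i + 2:i + 18]
            expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, password)
            return hmac.compare_digest(received, expected)
        i += max(length, 2)
    return False                              # no signature: a peer expecting MD5 drops it


# Lab values from this page: CSR2 (AS 65002) opens the session to the PA (AS 65001).
CSR2_IP, PA_IP = "10.1.2.3", "10.1.2.254"


def session_accepted(csr_password, pa_password):
    """True only when the PA's Auth Profile secret matches what CSR2 signed with."""
    syn = build_signed_segment(CSR2_IP, PA_IP, 49152, BGP_PORT, seq=0x1A2B3C4D,
                               flags=0x02, payload=b"", password=csr_password)   # SYN
    return verify_signed_segment(CSR2_IP, PA_IP, syn, b"", pa_password)


if __name__ == "__main__":
    print("matching password  :", session_accepted("Cisco123", "Cisco123"))
    print("mismatched password:", session_accepted("Cisco123", "Cisco124"))
```

Practical consequences: the password is a symmetric key shared by both peers, so it must be identical on CSR2 and in the PA Auth Profile, and a mismatch shows up as a session stuck in Active/Connect rather than as an explicit authentication error. The scheme is a keyed MD5, not an HMAC, and it covers the TCP segment including addresses and ports, which is what stops spoofed RSTs and unauthenticated peers; it does not encrypt the BGP updates, and the secret deserves the same handling as any other credential.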




Two ways to inject a default route toward CSR2:

1. BGP Redistribution Profile with static route redistribution

2. BGP Address Family Profile with "Originate Default Route" enabled.
