PANOS – Configuring OSPF and Default Route Advertisement

I have a very modest lab setup and have been putting the PAN-VM 100 to the test, in this case, I have 2 firewalls setup to handle the internet of the internal VMs in my lab

Here I a quick snapshot of the all the junk I have been running
UntitledImage

So I decided that I want to use the PANVM as my primary internet, due to some limitations of speed with the ASA5506X (Only 250Mbps) – I’m running currently a 1Gbps internet for the lab so I wanted to make sure I could use all my bandwidth! (I want my money and I want it now!!)

** Here is a quick reason why I’m doing this, my setup can be shutdown at any time, and the servers are too noisy, so in the event that I have to restart or shutdown the servers I don’t want to loose internet access… I have more crap running in my lab (what I like to call experimental projects)

My Network

I have 1 3750G running as my CORE switch (I know I have not been able to afford an upgraded model) – This switch has the IPServices IOS image, which allows me to do EIGRP and OSPF and all my VLANs are trunk’ed to the ESX servers
UntitledImage

The Switch Configuration

My switch uses EIGRP and is peered with the ASA


router eigrp 250
 network 10.1.100.0 0.0.0.255
 network 10.1.222.0 0.0.0.3
!!!!!!!!!!!!!!!!! - NOTE THE TRANSIT NETWORK, THIS IS THE INSIDE OF the ASA5506X
 No auto-summary

 

The ASA sends me the default route that I need to provide internet access to my VMs

The routing table looks like this when the PAN-VM is not on
UntitledImage

Here is the OSPF Configuration


router ospf 200
 router-id 1.1.1.1
 log-adjacency-changes
 network 10.1.100.0 0.0.0.255 area 0
 network 10.1.112.0 0.0.0.3 area 0
!!!!!!!!!!!!!!!!! - NOTE THE TRANSIT NETWORK, THIS IS THE INSIDE OF the PAN-VM

 

The ASA Configuration

The ASA Config is simple, no crazy stuff, just redistributing the default route to the switch and I list my transit network with the switch


router eigrp 250
 network 10.1.222.0 255.255.255.252
 network 10.1.255.0 255.255.255.0
 redistribute static

 

So at this point all my configuration is normal, nothing new here, except that I want the PAN-VM to give me the routes using OSPF and I want to receive the default route in my CORE switch so that we all can be happy, here is the config in the PAN-VM

Enable OSPF on PANOS

Make sure you go Network –> Virtual Routers –> Select your Virtual Router ** Mine is called lab-vr
UntitledImage

Go to OSPF, click Enable, enter a router ID, and Click Add at the bottom
UntitledImage

This one tricked me out a bit, the Area ID is not a decimal number instead it has to be in IP based format, but is not an IP… wait what? – in my case the OSPF area in IP Format is 0.0.0.0 because hey I’m running Area 0 – Nothing too crazy here.

Select your Type Mine is Normal
UntitledImage

Enter the ranges, I decided to do the Transit network off course and the DMZ
UntitledImage

Next select the interface, in my case I selected eth1/2 – which is again my transit network – Make sure your timmers are good and match with the Cisco equipment in my case is a Cisco switch
UntitledImage

Now accept all the changes and modifications and go to the main window for your Virtual Router, we are going to define the redistribution of the default route under the Export Rules Tab
UntitledImage

After this you should be all set! – Wait! You need to COMMIT your changes! Dang!! – imagine how many times I have been upset that my changes were not taking effect? – Commit, Commit and Commit, always!!

Troubleshooting

Under the Monitor Tab and System, you will get all the information related to routing under the type routing, here is a snapshot of what that looks like
UntitledImage

What to know how to build the silly filter?

Just clicl the + sign next to the search bar and enter as follows
UntitledImage

Lets Test – Sabotage the network interface on the VM!

This is like pulling the plug from the VM

UntitledImage

Lets check the internet ping – We see it going down and coming back up with EIGRP, the timers here feel like an eternity! – Make sure you tweak them to your environment
UntitledImage

Here is the final again back to the ASA automatically
UntitledImage

Few things to now

In production make sure you play with your timers to get something decent, my timers suck, but this should not be the case in production if you are using something like this

What is the Next?

Lets see what I come up with tomorrow or any of these days

About the Author:

Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 15 years of experience, Andres is specialized in Unified Communications and Collaboration technologies. Consulted for several companies in South Florida, also Financial Institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations including Cisco technologies; such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT Service provider infrastructures.

You can follow Andres using Twitter, LinkedIn or Facebook

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.