I have a very modest lab setup and have been putting the PAN-VM 100 to the test, in this case, I have 2 firewalls setup to handle the internet of the internal VMs in my lab
Here I a quick snapshot of the all the junk I have been running
So I decided that I want to use the PANVM as my primary internet, due to some limitations of speed with the ASA5506X (Only 250Mbps) – I’m running currently a 1Gbps internet for the lab so I wanted to make sure I could use all my bandwidth! (I want my money and I want it now!!)
** Here is a quick reason why I’m doing this, my setup can be shutdown at any time, and the servers are too noisy, so in the event that I have to restart or shutdown the servers I don’t want to loose internet access… I have more crap running in my lab (what I like to call experimental projects)
I have 1 3750G running as my CORE switch (I know I have not been able to afford an upgraded model) – This switch has the IPServices IOS image, which allows me to do EIGRP and OSPF and all my VLANs are trunk’ed to the ESX servers
The Switch Configuration
My switch uses EIGRP and is peered with the ASA
router eigrp 250 network 10.1.100.0 0.0.0.255 network 10.1.222.0 0.0.0.3 !!!!!!!!!!!!!!!!! - NOTE THE TRANSIT NETWORK, THIS IS THE INSIDE OF the ASA5506X No auto-summary
The ASA sends me the default route that I need to provide internet access to my VMs
The routing table looks like this when the PAN-VM is not on
Here is the OSPF Configuration
router ospf 200 router-id 220.127.116.11 log-adjacency-changes network 10.1.100.0 0.0.0.255 area 0 network 10.1.112.0 0.0.0.3 area 0 !!!!!!!!!!!!!!!!! - NOTE THE TRANSIT NETWORK, THIS IS THE INSIDE OF the PAN-VM
The ASA Configuration
The ASA Config is simple, no crazy stuff, just redistributing the default route to the switch and I list my transit network with the switch
router eigrp 250 network 10.1.222.0 255.255.255.252 network 10.1.255.0 255.255.255.0 redistribute static
So at this point all my configuration is normal, nothing new here, except that I want the PAN-VM to give me the routes using OSPF and I want to receive the default route in my CORE switch so that we all can be happy, here is the config in the PAN-VM
Enable OSPF on PANOS
Make sure you go Network –> Virtual Routers –> Select your Virtual Router ** Mine is called lab-vr
Go to OSPF, click Enable, enter a router ID, and Click Add at the bottom
This one tricked me out a bit, the Area ID is not a decimal number instead it has to be in IP based format, but is not an IP… wait what? – in my case the OSPF area in IP Format is 0.0.0.0 because hey I’m running Area 0 – Nothing too crazy here.
Select your Type Mine is Normal
Enter the ranges, I decided to do the Transit network off course and the DMZ
Next select the interface, in my case I selected eth1/2 – which is again my transit network – Make sure your timmers are good and match with the Cisco equipment in my case is a Cisco switch
Now accept all the changes and modifications and go to the main window for your Virtual Router, we are going to define the redistribution of the default route under the Export Rules Tab
After this you should be all set! – Wait! You need to COMMIT your changes! Dang!! – imagine how many times I have been upset that my changes were not taking effect? – Commit, Commit and Commit, always!!
Under the Monitor Tab and System, you will get all the information related to routing under the type routing, here is a snapshot of what that looks like
What to know how to build the silly filter?
Just clicl the + sign next to the search bar and enter as follows
Lets Test – Sabotage the network interface on the VM!
This is like pulling the plug from the VM
Lets check the internet ping – We see it going down and coming back up with EIGRP, the timers here feel like an eternity! – Make sure you tweak them to your environment
Here is the final again back to the ASA automatically
Few things to now
In production make sure you play with your timers to get something decent, my timers suck, but this should not be the case in production if you are using something like this
What is the Next?
Lets see what I come up with tomorrow or any of these days
About the Author:
Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 15 years of experience, Andres is specialized in Unified Communications and Collaboration technologies. Consulted for several companies in South Florida, also Financial Institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations including Cisco technologies; such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT Service provider infrastructures.