Palo Alto FW loopback interface routing
Recently I started deploying loopbacks on all of my network devices that participate in routing in one way or another, and I hit a momentary roadblock when I realised that none of the loopbacks configured on my firewalls were being advertised via iBGP.
The reason is that loopback interfaces are installed as host routes (flag H) rather than connected routes (flag C) on the originating firewall, so they are not picked up when the redistribution profile only includes connected routes.
There are two ways to resolve this. The first is to create a new BGP Redistribution rule whose name is the subnet of the loopback interface itself (x.x.x.x/32), enable it and set the appropriate origin.
The second is to create a static route for each loopback interface that points to its own IP address as the next hop, like this:
Once the static route is created and static routes are included in the redistribution, the route for the loopback interface shows up in the neighbouring router's routing table:
admin@fw-ho-pri(active)> show routing route
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast
VIRTUAL ROUTER: HONETRouter (id 2)
==========
destination nexthop metric flags age interface next-AS
1.65.0.1/32 10.255.0.6 A?B 252847 0
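The same two options expressed as PAN-OS configure-mode commands, followed by the verification commands. This is an added example and not part of the original post; the virtual router name HONETRouter and the loopback prefix 1.65.0.1/32 come from the output above, while the interface name "loopback", the static route name "lo-self" and the origin value "incomplete" are assumptions. Lines starting with "#" are annotations, not commands.

```text
# Added example, not from the original post. Assumed: loopback interface is
# named "loopback", static route is named "lo-self", origin set to "incomplete".
configure

# Option 1: BGP redistribution rule named after the loopback prefix itself.
set network virtual-router HONETRouter protocol bgp redist-rules 1.65.0.1/32 enable yes
set network virtual-router HONETRouter protocol bgp redist-rules 1.65.0.1/32 set-origin incomplete

# Option 2: a /32 static route whose next hop is the loopback's own address.
# The redistribution used by BGP must then include static routes.
set network virtual-router HONETRouter routing-table ip static-route lo-self destination 1.65.0.1/32
set network virtual-router HONETRouter routing-table ip static-route lo-self interface loopback
set network virtual-router HONETRouter routing-table ip static-route lo-self nexthop ip-address 1.65.0.1

commit
exit

# Verify: the route table of the virtual router (the S flag marks the static
# route, H the original host route), then the BGP local RIB.
show routing route virtual-router HONETRouter
show routing protocol bgp loc-rib
```

Keeping the rule scoped to the single /32 means only the loopback address is injected into iBGP; a broader static or redistribution rule would advertise more than the loopback, which is worth checking in the loc-rib output before and after the commit.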
In the past I always preferred loopback interfaces for any kind of name resolution, but for some reason I abandoned the idea when I started dealing with firewalls. Since I'm reconfiguring my network now to better fit my needs, I decided to go with them once again. The major benefit of using them is of course reachability, especially when you tie your DNS resolution to them. I no longer have to worry about changing interface IP addresses, as my DNS names are tied to loopbacks instead of physical/VLAN interfaces.