On a firewall that uses the legacy routing engine, configure a virtual router to
participate in Layer 3 routing.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | One of these licenses for Strata Cloud Manager managed NGFWs: Strata Cloud Manager Essentials or Strata Cloud Manager Pro. This feature is available on request. Contact your account team to enable the feature. |
The firewall uses virtual routers on a legacy routing engine to obtain Layer 3 routes
to other subnets. The firewall obtains routes when you manually define static routes
or when the firewall participates in one or more Layer 3 routing protocols (dynamic
routes).
The routes that the firewall obtains through these methods populate the
IP routing information base (RIB) on the firewall. When a packet is destined for a
different subnet than the one it arrived on, the virtual router obtains the best
route from the RIB, places it in the forwarding information base (FIB), and forwards
the packet to the next hop router defined in the FIB. The firewall uses Ethernet
switching to reach other devices on the same IP subnet. (An exception to one best
route going in the FIB occurs if you are using
ECMP, in which case all equal-cost routes go in the
FIB.)
The Ethernet, VLAN, and tunnel interfaces defined on the firewall receive and forward
Layer 3 packets. The destination zone is derived from the outgoing interface
based on the forwarding criteria, and the firewall consults policy rules to identify
the security policies that it applies to each packet. In addition to routing to
other network devices, virtual routers can route to other virtual routers within the
same firewall if a next hop is specified to point to another virtual router.
You can configure Layer 3 interfaces on a virtual router to participate in dynamic
routing protocols (BGP, OSPF, OSPFv3, or RIP) as well as add static routes. You can
also create multiple virtual routers, each maintaining a separate set of routes that
aren’t shared between virtual routers, enabling you to configure different routing
behaviors for different interfaces.
For example, if you need to configure multiple BGP AS numbers, you must create
separate virtual routers because each virtual router supports only one BGP Local
AS.
You can configure dynamic routing from one virtual router to another by configuring a
loopback interface in each virtual router, creating a static route between the two
loopback interfaces, and then configuring a dynamic routing protocol to peer between
these two interfaces. The firewall supports only one hop between virtual routers.
For example, with virtual routers A, B, and C, a route cannot go from A to B to C;
it would have to go from A to C. This inter-VR routing capability is useful when you
need multiple BGP AS numbers; you can create a virtual router for each AS and use
static routes with the next hop set to another virtual router to enable communication
between them.
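The following example models the forwarding behavior described in the two passages above: the RIB-to-FIB selection (one best route per prefix, or all equal-cost routes when ECMP is enabled), longest-prefix matching, Ethernet switching for destinations on a directly connected subnet, and the single permitted hop between virtual routers. It is an added illustration and is not PAN-OS code; the class and function names (`Route`, `VirtualRouter`, `select_fib`, `forward`), the administrative-distance values, and the addresses in `build_sample` are assumptions chosen for the example.

```python
# Added illustration of RIB -> FIB selection, ECMP, and one-hop inter-VR forwarding.
# Not PAN-OS code: names, administrative-distance values and addresses are assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str                        # destination network, e.g. "10.1.0.0/16"
    source: str                        # how the RIB learned it: "static", "bgp", "ospf", ...
    admin_distance: int                # lower wins between sources (assumed values)
    metric: int                        # tie-breaker within a source
    interface: Optional[str] = None    # egress interface for a next-hop-IP route
    nexthop_ip: Optional[str] = None   # next hop router reachable on that interface
    next_vr: Optional[str] = None      # or: hand the packet to another virtual router


def select_fib(rib: List[Route], ecmp: bool = False) -> Dict[str, List[Route]]:
    """Install the best route per prefix from the RIB into the FIB.
    Without ECMP exactly one route per prefix is installed; with ECMP every
    route that ties on (admin_distance, metric) is installed."""
    by_prefix: Dict[str, List[Route]] = {}
    for r in rib:
        by_prefix.setdefault(r.prefix, []).append(r)
    fib: Dict[str, List[Route]] = {}
    for prefix, routes in by_prefix.items():
        best_key = min((r.admin_distance, r.metric) for r in routes)
        best = [r for r in routes if (r.admin_distance, r.metric) == best_key]
        fib[prefix] = best if ecmp else best[:1]
    return fib


@dataclass
class VirtualRouter:
    name: str
    interfaces: Dict[str, str]                      # interface name -> "address/prefixlen"
    rib: List[Route] = field(default_factory=list)
    ecmp: bool = False

    def lookup(self, dst: str) -> Optional[List[Route]]:
        """Longest-prefix match of dst against this VR's FIB."""
        dst_ip = ip_address(dst)
        matches = [(ip_network(p).prefixlen, routes)
                   for p, routes in select_fib(self.rib, self.ecmp).items()
                   if dst_ip in ip_network(p)]
        return max(matches, key=lambda m: m[0])[1] if matches else None


Hop = Tuple[str, str, str]   # (virtual router, egress interface, next hop or "connected")


def forward(vrs: Dict[str, VirtualRouter], vr_name: str, dst: str, _vr_hops: int = 0) -> List[Hop]:
    """Resolve how virtual router vr_name forwards a packet to dst.
    Returns one hop per installed FIB entry (several with ECMP), an empty list when
    there is no route, and raises if a second inter-VR hop (A -> B -> C) would be needed."""
    vr = vrs[vr_name]
    dst_ip = ip_address(dst)
    # Destination on a directly connected subnet: Ethernet switching, no route lookup.
    for ifname, addr in vr.interfaces.items():
        if dst_ip in ip_network(addr, strict=False):
            return [(vr.name, ifname, "connected")]
    routes = vr.lookup(dst)
    if routes is None:
        return []
    hops: List[Hop] = []
    for r in routes:
        if r.next_vr is not None:
            if _vr_hops >= 1:
                raise ValueError(f"{vr.name} -> {r.next_vr}: only one hop between virtual routers is supported")
            hops.extend(forward(vrs, r.next_vr, dst, _vr_hops + 1))
        else:
            hops.append((vr.name, r.interface, r.nexthop_ip))
    return hops


def build_sample() -> Dict[str, VirtualRouter]:
    """Constructed three-VR topology using documentation addresses (not a real network)."""
    vr_a = VirtualRouter("VR-A", {"ethernet1/1": "192.0.2.1/24"}, [
        Route("10.1.0.0/16", "static", 10, 10, "ethernet1/1", "192.0.2.254"),
        Route("10.1.0.0/16", "ospf", 30, 20, "ethernet1/1", "192.0.2.253"),   # loses to static
        Route("10.2.0.0/16", "bgp", 20, 0, "ethernet1/1", "192.0.2.250"),
        Route("10.2.0.0/16", "bgp", 20, 0, "ethernet1/1", "192.0.2.251"),     # equal cost
        Route("10.2.1.0/24", "static", 10, 10, "ethernet1/1", "192.0.2.252"), # more specific
        Route("172.16.0.0/16", "static", 10, 10, next_vr="VR-B"),             # next hop is a VR
        Route("172.17.0.0/16", "static", 10, 10, next_vr="VR-B"),             # reaches VR-C only via VR-B
    ])
    vr_b = VirtualRouter("VR-B", {"ethernet1/2": "198.51.100.1/24"}, [
        Route("172.16.0.0/16", "static", 10, 10, "ethernet1/2", "198.51.100.254"),
        Route("172.17.0.0/16", "static", 10, 10, next_vr="VR-C"),
    ])
    vr_c = VirtualRouter("VR-C", {"ethernet1/3": "203.0.113.1/24"}, [
        Route("172.17.0.0/16", "static", 10, 10, "ethernet1/3", "203.0.113.254"),
    ])
    return {v.name: v for v in (vr_a, vr_b, vr_c)}


if __name__ == "__main__":
    vrs = build_sample()
    for dst in ("192.0.2.77", "10.1.5.5", "10.2.1.5", "10.2.5.5", "172.16.3.3", "10.9.9.9"):
        print(dst, "->", forward(vrs, "VR-A", dst))
    vrs["VR-A"].ecmp = True
    print("10.2.5.5 with ECMP ->", forward(vrs, "VR-A", "10.2.5.5"))
    try:
        forward(vrs, "VR-A", "172.17.3.3")   # VR-A -> VR-B -> VR-C: two inter-VR hops
    except ValueError as exc:
        print("rejected:", exc)
```

Running the block shows the static route winning over the OSPF route for the same prefix, the /24 beating the /16 for 10.2.1.5, a single BGP next hop until ECMP is turned on, the packet to 172.16.3.3 leaving through VR-B's interface after one inter-VR hop, and the 172.17.3.3 path rejected because it would need VR-A to reach VR-C through VR-B.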
Each Layer 3 Ethernet, loopback, VLAN, and tunnel interface defined on the firewall
must be associated with a virtual router. While each interface can belong to only
one virtual router, you can configure multiple routing protocols and static routes
for a virtual router. Regardless of the static routes and dynamic routing protocols
you configure for a virtual router, one general configuration is required.
Configure a virtual router on the firewall to participate in Layer 3 routing.