ScreenOS Cookbook by Sunil Wadhwa, Joe Kelly, Ken Draper, David Delcourt, Vik Davar, Stefan Brunner


4.1. View the Routing Table on the Firewall

Problem

You want to view the routing table on the firewall to verify which IP networks are reachable.

Solution

The get route command shows the contents of the routing table:

	SSG-> get route

	IPv4 Dest-Routes for <untrust-vr> (0 entries)
	----------------------------------------------------------------------
	H: Host C: Connected S: Static A: Auto-Exported
	I: Imported R: RIP P: Permanent D: Auto-Discovered
	iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
	E2: OSPF external type 2

	IPv4 Dest-Routes for <trust-vr> (4 entries)
	----------------------------------------------------------------------
	   ID          IP-Prefix  Interface    Gateway   P Pref    Mtr    Vsys
	----------------------------------------------------------------------
	*   4         1.1.1.2/32     eth0/1    0.0.0.0   H    0      0    Root
	*   2     192.168.1.1/32     eth0/0    0.0.0.0   H    0      0    Root
	*   1     192.168.1.0/24     eth0/0    0.0.0.0   C    0      0    Root
	*   3         1.1.1.0/24     eth0/1    0.0.0.0   C    0      0    Root

If IPv6 is enabled on the firewall, its routes are kept in the routing table as well. They appear after the IPv4 routes in the get route output, or you can display them on their own with the get route v6 command:

	SSG-> get route v6

	IPv6 Dest-Routes for <untrust-vr> (0 entries)
	--------------------------------------------------------------------
	H: Host C: Connected S: Static A: Auto-Exported
	I: Imported R: RIP P: Permanent D: Auto-Discovered
	iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
	E2: OSPF external type 2

	IPv6 Dest-Routes for <trust-vr> (2 entries)
	-------------------------------------------------------------------
	   ID                        IP-Prefix  Interface   Gateway   P  Pref  Mtr   Vsys
	-------------------------------------------------------------------
	*   3                     9009:1::/64     eth0/3        ::   C     0    0   Root
	*   4   9009:1::205:85ff:fe7e:2f87/128     eth0/3        ::   H     0    0   Root

When dynamic routing protocols are running on the device, you can use the get route prot <protocol> command to list only the routes learned by one protocol, such as OSPF, BGP, RIP, or RIPng (RIP next generation). The static keyword is accepted as well, so the same command can list only the static routes:

	SSG-> get route prot ospf


	IPv4 Dest-Routes for <trust-vr> (8 entries)
	-------------------------------------------------------------------
	 ID        IP-Prefix   Interface         Gateway   P Pref Mtr  Vsys
	-------------------------------------------------------------------
	* 8   192.168.2.0/24       tun.1   192.168.254.1   O   60  11  Root

Discussion

The get route command is the basic command for listing the routing table. The first command in this recipe, with no options, shows the contents of every routing table on the device. Here that is two tables, trust-vr and untrust-vr, the two VRs that exist by default. All interfaces belong to trust-vr unless you move them, which is why untrust-vr has no entries in this example; on a firewall configured that way, any entry that does appear in untrust-vr was put there by configuration and is worth accounting for.

The first line names the VR whose table follows. The next four lines of the get route output are the legend for the P (Protocol) column of the route entries:

	H: Host C: Connected S: Static A: Auto-Exported
	I: Imported R: RIP P: Permanent D: Auto-Discovered
	iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
	E2: OSPF external type 2

The trust-vr table shows four routes: two connected routes and two host routes. The asterisk (*) at the left of an entry marks it as active. An entry with no asterisk is still in the table but inactive: the firewall will not match it during a route lookup, so traffic you expect to follow that route is actually forwarded by whatever active route does match, and any policy written with that path in mind should be checked against the starred entry instead. The connected routes are installed automatically for the subnetwork configured on each interface, and the host routes for the interface IP address itself. Following the asterisk is the route ID, which you can use to get detailed output for that single route, and then the route prefix.

To the right of the route prefix are the outgoing interface for the route, the next-hop gateway address (0.0.0.0 for connected and host routes, which have no next hop), and the protocol type. For example, an H indicates a host route; the legend in the first few lines of the output expands each code.

The Pref (Preference) column shows the preference of the route entry; when more than one route exists for the same prefix, the one with the lower preference value becomes the active route. The preference values shown in the output are all defaults, which you can list for a VR with the following command:

	Chicago-> get vr trust-vr preference
	vrouter trust-vr route preference table
	---------------------------------------------
	Host Routes:            0
	Connected Routes:       0
	Static Routes:          20
	Auto-exported Routes:   30
	Imported Routes:        140
	RIP Routes:             100
	EBGP Routes:            40
	IBGP Routes:            250
	OSPF Routes:            60
	OSPF External Type-2 Routes:    200

The Mtr column lists the metric of each route. Connected routes have a default metric of 0 and static routes a default metric of 1; all other metrics are calculated by the routing protocol that learned the route. The metric only decides between routes for the same prefix that have the same preference.

The last column, Vsys, is the Virtual System (VSYS) to which this route belongs.

You may wonder why the firewall already has entries in its routing table when no routing protocol or static route has been configured. When you configure an interface address, ScreenOS automatically installs routes for it. For the routing table examples in this recipe, the following interfaces and interface addresses are configured:

	SSG-> get int

	A - Active, I - Inactive, U - Up, D - Down, R - Ready

	H - IPv6 Host Mode, O - IPv6 Router Mode
	Interfaces in vsys Root:
	Name    IP Address         Zone       MAC/INT-ID     VLAN State VSD
	eth0/0  192.168.1.1/24     Trust      0005.857e.2f80    -   U   -
	eth0/1  1.1.1.2/24         Untrust    0005.857e.2f85    -   U   -
	eth0/2  0.0.0.0/0          Untrust    0005.857e.2f86    -   D   -
	eth0/3  0.0.0.0/0          DMZ        0005.857e.2f87    -   U   -
	        9009:1::205:85ff:fe7e:2f87/64 020585fffe7e2f87      O
	eth0/4  0.0.0.0/0          Null       0005.857e.2f88    -   D   -
	eth0/5  0.0.0.0/0          Null       0005.857e.2f89    -   D   -
	eth0/6  0.0.0.0/0          Null       0005.857e.2f8a    -   D   -
	eth0/7  0.0.0.0/0          Null       0005.857e.2f8b    -   D   -
	eth0/8  0.0.0.0/0          Null       0005.857e.2f8c    -   D   -
	eth0/9  0.0.0.0/0          Null       0005.857e.2f8d    -   D   -
	vlan1   0.0.0.0/0          VLAN       0005.857e.2f8f    1   D   -
	null    0.0.0.0/0          Null       N/A               -   U   0
	Chicago->

Looking at the trust-vr routing table, you see one entry for each interface address and one for the subnetwork (the /24) that interface is connected to:

	*   4       1.1.1.2/32   eth0/1    0.0.0.0   H    0      0     Root
	*   2   192.168.1.1/32   eth0/0    0.0.0.0   H    0      0     Root
	*   1   192.168.1.0/24   eth0/0    0.0.0.0   C    0      0     Root
	*   3       1.1.1.0/24   eth0/1    0.0.0.0   C    0      0     Root

This output shows entries for the two interfaces that have an IPv4 address. For eth0/1 there is a host entry for the interface address itself (1.1.1.2/32) and a connected entry that summarizes the whole subnetwork (1.1.1.0/24); eth0/0 has the same pair. Interfaces with no address configured contribute nothing, and the IPv6 address on eth0/3 is what produced the two IPv6 entries (9009:1::/64 and the /128 host route) shown earlier in this recipe.
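The following Python script is an added example, not code from the ScreenOS Cookbook or from Juniper. It parses the text format of get route shown in this recipe, answers the recipe's question (which destination is reachable through which interface, using only the starred routes and the preference-then-metric ordering described above), and flags every route that is not one of the C/H routes ScreenOS installs for a configured interface, which is the audit a practitioner usually wants after reading this table. The sample input is the trust-vr/untrust-vr output above, extended with two hypothetical routes (IDs 5 and 6: an active static default route and an inactive static duplicate of 192.168.1.0/24) that do not appear on the page; the interface list is taken from the get int output in this recipe.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the IPv4 `get route` output from this recipe, extended with
# two HYPOTHETICAL routes (IDs 5 and 6): an active static default and an inactive duplicate.
SAMPLE_GET_ROUTE = """\
IPv4 Dest-Routes for <untrust-vr> (0 entries)
----------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2
IPv4 Dest-Routes for <trust-vr> (6 entries)
----------------------------------------------------------------------
   ID          IP-Prefix  Interface    Gateway   P Pref    Mtr    Vsys
----------------------------------------------------------------------
*   4         1.1.1.2/32     eth0/1    0.0.0.0   H    0      0    Root
*   2     192.168.1.1/32     eth0/0    0.0.0.0   H    0      0    Root
*   1     192.168.1.0/24     eth0/0    0.0.0.0   C    0      0    Root
*   3         1.1.1.0/24     eth0/1    0.0.0.0   C    0      0    Root
*   5          0.0.0.0/0     eth0/1    1.1.1.1   S   20      1    Root
    6     192.168.1.0/24     eth0/1    1.1.1.1   S   20      1    Root
"""
SAMPLE_INTERFACES = {"eth0/0": "192.168.1.1/24", "eth0/1": "1.1.1.2/24"}  # from `get int`

VR_HEADER = re.compile(r"^IPv[46] Dest-Routes for <(?P<vr>[^>]+)>")
# Columns: active flag, ID, IP-Prefix, Interface, Gateway, P, Pref, Mtr, Vsys.
# Legend, column-header and separator lines never match (the ID must be digits).
ROUTE_LINE = re.compile(
    r"^(?P<active>\*?)\s*(?P<id>\d+)\s+(?P<prefix>\S+)\s+(?P<iface>\S+)\s+"
    r"(?P<gw>\S+)\s+(?P<proto>\S+)\s+(?P<pref>\d+)\s+(?P<mtr>\d+)\s+(?P<vsys>\S+)\s*$"
)

@dataclass(frozen=True)
class Route:
    vr: str
    id: int
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    iface: str
    gateway: str
    proto: str      # H, C, S, O, E1, iB, ... as in the legend
    pref: int
    metric: int
    vsys: str
    active: bool    # True when the line carries the leading asterisk

def parse_get_route(text: str) -> dict[str, list[Route]]:
    """Routes of every virtual router in the output, in display order."""
    tables: dict[str, list[Route]] = {}
    vr = None
    for line in text.splitlines():
        header = VR_HEADER.match(line)
        if header:
            vr = header["vr"]
            tables.setdefault(vr, [])  # an empty VR is still recorded
            continue
        m = ROUTE_LINE.match(line)
        if m and vr is not None:
            tables[vr].append(Route(
                vr=vr, id=int(m["id"]),
                prefix=ipaddress.ip_network(m["prefix"], strict=False),
                iface=m["iface"], gateway=m["gw"], proto=m["proto"],
                pref=int(m["pref"]), metric=int(m["mtr"]), vsys=m["vsys"],
                active=m["active"] == "*"))
    return tables

def lookup(tables, vr, address) -> Route | None:
    """Resolve a destination as the firewall does: only starred (active) routes count,
    the longest prefix wins, and equal prefixes are ordered by lower Pref, then lower Mtr."""
    dst = ipaddress.ip_address(address)
    candidates = [r for r in tables.get(vr, []) if r.active and dst in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.pref, r.metric))

def expected_interface_routes(interfaces) -> set:
    """The C (subnet) and H (address) routes ScreenOS installs for each addressed interface."""
    expected = set()
    for name, cidr in interfaces.items():
        addr = ipaddress.ip_interface(cidr)
        expected.add((addr.network, name, "C"))
        expected.add((ipaddress.ip_network(f"{addr.ip}/{addr.max_prefixlen}"), name, "H"))
    return expected

def unexplained_routes(tables, interfaces) -> list[Route]:
    """Routes that are not an interface's own C/H routes: on a box with no static or
    dynamic routing this is empty; anything listed was configured or learned from a peer."""
    expected = expected_interface_routes(interfaces)
    return [r for routes in tables.values() for r in routes
            if (r.prefix, r.iface, r.proto) not in expected]

if __name__ == "__main__":
    tables = parse_get_route(SAMPLE_GET_ROUTE)
    for dst in ("192.168.1.77", "192.168.1.1", "8.8.8.8"):
        r = lookup(tables, "trust-vr", dst)
        print(dst, "->", f"{r.iface} via {r.gateway} (id {r.id}, {r.proto})" if r else "unreachable")
    for r in unexplained_routes(tables, SAMPLE_INTERFACES):
        print("not an interface route:", r.id, r.prefix, r.proto, "active" if r.active else "INACTIVE")
```

Run as-is it reports the three lookups and flags routes 5 and 6; note that the inactive duplicate (6) is flagged even though it carries no traffic today, since removing or re-preferencing route 1 would make it the active path. In practice you paste the live get route output into SAMPLE_GET_ROUTE and fill the interface dictionary from get int the same way.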

This is the basic output of the routing table on the firewall. Refer to Chapter 15 to understand how the routing entries are populated based on the protocol updates.
