topic Active/Passive PA with Dual ISP in eBGP and private owned /24 ASN in General Topics https://live.paloaltonetworks.com/t5/general-topics/active-passive-pa-with-dual-isp-in-ebgp-and-private-owned-24-asn/m-p/453932#M101402 <P>Hi,</P><P>&nbsp;</P><P>Looking for some guidance on our setup. I am looking to establish pure ISP failover without having to take action on my / my team's side. Presently when there is an outage, we need to do manual intervention to get connectivity back up.</P><P>&nbsp;</P><P>Here is an overview of our network, internet facing.</P><P>&nbsp;</P><P>ISP A (/30) -&gt; Cisco ASR Router 1 (I control) (/24 ASN eBGP established to ISP A) WAN Interface -&gt; ASR Router (LAN Interface - Public IP in same /24) -&gt; DMZ Switch Stack (VLAN 5 - WAN Facing)</P><P>&nbsp;</P><P>ISP B (/30) -&gt; Cisco ASR Router 2 (I control) (/24 ASN eBGP established to ISP B) WAN Interface -&gt; ASR Router (LAN Interface - Public IP in same /24) -&gt; DMZ Switch Stack (VLAN 5 - WAN Facing)</P><P>&nbsp;</P><P>ISP A = 1Gb</P><P>ISP B = 500Mb</P><P>&nbsp;</P><P>Cisco Router 1 - No prepend, default route to ISP carrier</P><P>Cisco Router 2 - Prepend, default route to ISP carrier + ip route x.x.x.x /24 null0</P><P>&nbsp;</P><P>*** (I have found if I take away the prepend and null0 loopback, packets going out cannot route back in)</P><P>&nbsp;</P><P>PA 3020 x2 (Active/Passive) (E1/1) -&gt; DMZ Switch Stack (VLAN 5)</P><P>E1/1 - WAN IP in the same /24 block above</P><P>NAT from the PA is dynamic-ip-and-port with the E1/1 Interface IP from untrust to trust zone</P><P>No PBF but x1 VR in default route, with traffic going to Cisco Router 1 LAN IP for next hop</P><P>&nbsp;</P><P>- I have tried putting in route monitoring in the VR default route to the Cisco Router 2 LAN IP, removing the prepend on Cisco Router 2 and null route and internet stops working from behind the PA.</P><P>&nbsp;</P><P>When ISP A goes down, we need to remove the prepend and remove the null route, change the route manually on PA and clear NAT sessions. Not ideal ...</P><P>&nbsp;</P><P>Can anyone offer any suggestions or thoughts on how to improve the setup? Changing setup, connections, hardware, etc... is all open and fine.</P><P>&nbsp;</P> Fri, 17 Dec 2021 13:26:05 GMT system2 2021-12-17T13:26:05Z Active/Passive PA with Dual ISP in eBGP and private owned /24 ASN https://live.paloaltonetworks.com/t5/general-topics/active-passive-pa-with-dual-isp-in-ebgp-and-private-owned-24-asn/m-p/453932#M101402 <P>Hi,</P><P>&nbsp;</P><P>Looking for some guidance on our setup. I am looking to establish pure ISP failover without having to take action on my / my team's side. Presently when there is an outage, we need to do manual intervention to get connectivity back up.</P><P>&nbsp;</P><P>Here is an overview of our network, internet facing.</P><P>&nbsp;</P><P>ISP A (/30) -&gt; Cisco ASR Router 1 (I control) (/24 ASN eBGP established to ISP A) WAN Interface -&gt; ASR Router (LAN Interface - Public IP in same /24) -&gt; DMZ Switch Stack (VLAN 5 - WAN Facing)</P><P>&nbsp;</P><P>ISP B (/30) -&gt; Cisco ASR Router 2 (I control) (/24 ASN eBGP established to ISP B) WAN Interface -&gt; ASR Router (LAN Interface - Public IP in same /24) -&gt; DMZ Switch Stack (VLAN 5 - WAN Facing)</P><P>&nbsp;</P><P>ISP A = 1Gb</P><P>ISP B = 500Mb</P><P>&nbsp;</P><P>Cisco Router 1 - No prepend, default route to ISP carrier</P><P>Cisco Router 2 - Prepend, default route to ISP carrier + ip route x.x.x.x /24 null0</P><P>&nbsp;</P><P>*** (I have found if I take away the prepend and null0 loopback, packets going out cannot route back in)</P><P>&nbsp;</P><P>PA 3020 x2 (Active/Passive) (E1/1) -&gt; DMZ Switch Stack (VLAN 5)</P><P>E1/1 - WAN IP in the same /24 block above</P><P>NAT from the PA is dynamic-ip-and-port with the E1/1 Interface IP from untrust to trust zone</P><P>No PBF but x1 VR in default route, with traffic going to Cisco Router 1 LAN IP for next hop</P><P>&nbsp;</P><P>- I have tried putting in route monitoring in the VR default route to the Cisco Router 2 LAN IP, removing the prepend on Cisco Router 2 and null route and internet stops working from behind the PA.</P><P>&nbsp;</P><P>When ISP A goes down, we need to remove the prepend and remove the null route, change the route manually on PA and clear NAT sessions. Not ideal ...</P><P>&nbsp;</P><P>Can anyone offer any suggestions or thoughts on how to improve the setup? Changing setup, connections, hardware, etc... is all open and fine.</P><P>&nbsp;</P> Fri, 17 Dec 2021 13:26:05 GMT https://live.paloaltonetworks.com/t5/general-topics/active-passive-pa-with-dual-isp-in-ebgp-and-private-owned-24-asn/m-p/453932#M101402 system2 2021-12-17T13:26:05Z Re: Active/Passive PA with Dual ISP in eBGP and private owned /24 ASN https://live.paloaltonetworks.com/t5/general-topics/active-passive-pa-with-dual-isp-in-ebgp-and-private-owned-24-asn/m-p/485556#M104537 <P>Hi,&nbsp;</P><P>&nbsp;</P><P>My approach would be slightly different than yours.</P><P>1) Seperate Vlans for each ISP.</P><P>2) Separate physical int on the palo for each ISP.</P><P>3) Two default routes with different metrics one for each ISP.</P><P>4) Enable Path monitoring for a static route.</P><P>&nbsp;</P><P>See&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/static-routes/static-route-removal-based-on-path-monitoring" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/static-routes/static-route-removal-based-on-path-monitoring</A></P> Sat, 07 May 2022 08:44:12 GMT https://live.paloaltonetworks.com/t5/general-topics/active-passive-pa-with-dual-isp-in-ebgp-and-private-owned-24-asn/m-p/485556#M104537 Y-alwaysMe 2022-05-07T08:44:12Z