topic Equal Metric Default Route using a Single Virtual Router (Single ISP Providing 2x Internet Circuits) in General Topics

Equal Metric Default Route using a Single Virtual Router (Single ISP Providing 2x Internet Circuits)

Smi12 — Fri, 06 Dec 2013 11:26:11 GMT

We are in the process of replacing an internet facing Check Point (NokiaIP560) deployment with Palo Alto (PA-2050) running PAN-OS 5.0.9.

The current checkpoint deployment has two equal cost default routes to the upstream providers routes. These two next hop IP addresses are the multi-group VRRP IP addresses to achieve outbound load sharing. Below is the "show route" output from the Check Point firewalls routing table, it appears to show two equal cost static default routes.

S 0.0.0.0/0 via x.x.x.209, eth-s4p1c0, cost 0, age 31245795

via x.x.x.210, eth-s4p1c0

Does anyone know if Palo Alto will support the above equal cost/metric default route in the way Check Point does?

If we attempt to add the two static routes as above, the commit fails with the error:

In virtual-router default, the static route Default-2 metric value 10 is not unique among static routes to destination 0.0.0.0/0.(Module: routed)

Config commit phase 1 aborted(Module: device)

Commit failed

If we are not able to duplicate the Check Point routing, we believe this would mean sending all outbound traffic on a single default route to a single upstream router IP address, and essentially loose the ability to load share the two upstream Internet circuits thus loosing 50% of outbound bandwidth.

Does anyone have any suggestions on our scenario?

Re: Equal Metric Default Route using a Single Virtual Router (Single ISP Providing 2x Internet Circuits)

pulukas — Fri, 06 Dec 2013 14:11:40 GMT

PanOS does not support equal cost multipath at this point (ECMP).

You will have to use policy based routing (PBR) and choose only one active default route.

This is a sample configuration to use PBR for a simple failover only setup with dual isp. You would need to setup multiple PBR rules to push traffic out both ISP at the same time using different criteria.

Dual ISP Branch Office Configuration

Re: Equal Metric Default Route using a Single Virtual Router (Single ISP Providing 2x Internet Circuits)

jvalentine — Fri, 06 Dec 2013 21:09:47 GMT

You can take it one step further with PBR. You could create a policy that says:

- policy-route 1/2 the users through ISPA

- policy-route the other users through ISPB

- policy-route all users through ISPA

- policy-route all users through ISPB

This way, if both connections are up (as determined by the PBR Monitor / Health Check), then you get utilization out of both ISPs. Still not as nice as ECMP would be, but it's one way to get utilization out of both links when they're both up and running.

Re: Equal Metric Default Route using a Single Virtual Router (Single ISP Providing 2x Internet Circuits)

Smi12 — Mon, 09 Dec 2013 09:15:44 GMT

Thanks for the quick answers!

It's very disappointing that PA do not support ECMP, especially as our current CheckPoint platform does: Routing Options

Anyway we are raising this "feature" with our SE to confirm if it is under development.

Thanks again.