topic Re: ISP Load balancing with ECMP in General Topics

ISP Load balancing with ECMP

m7usman — Tue, 09 Aug 2016 14:10:56 GMT

I have the Following Scenario on a PA-200

[ISP1]

Zone = Untrust

Eth1/1 = 192.168.7.110/24

Modem GW = 192.168.7.1/24

[ISP2]

Zone= Untrust

Eth1/2 = 192.168.5.110/24

Modem GW = 192.168.5.1/24

[Local LAN]

Zone=Trust

Eth1/3 = 10.1.1.1/24

Running DNS-Proxy and DHCP for Eth1/3

In the Default VR

Enabled ECMP

0/0 to 192.168.7.1 [ ISP1 ]

0/0 to 192.168.5.1 [ ISP2 ]

Successfull injection with equal metric and uge in forwarding table.

Policies

SecurityPolicy> Untust to Trust Allow.

NATPolicy> SNAT Untrust to Trust DIPP Eth1/1

NATPolicy> SNAT Untrust to Trust DIPP Eth1/2

My issues are as following.

1. There has to be one SNAT Policy, the first takes the precendence, I wonder if i can use a PBR here?

2. The Route / Forwarding Table does not take out the disconnected ISP's default route and keeps it in the table, I wonder do i need to enable BFD Bidirectional Forwarding detection, if yes PA-200 with 7.1.3 seems not to support it?

3. Is there a better design for this scenario?

Thank You.

Muhammad Usman

09-AUG-2016

Note-1 When Connecting to two ISPs at Layer 3, we can only do Link Load-Balancing or Link Sharing. We can not do Link Aggregation or Link Bonding, is possible only when we connect to ISP/s at Layer 2.

Re: ISP Load balancing with ECMP

bmorris1 — Mon, 01 Aug 2016 09:15:26 GMT

Hi Muhammed,

Instead of using ECMP for this, it would be preferable to use PBF. I believe this guide made by dpalani can help you set up what you are looking to achieve:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-ISP-Redundancy-and-Load-Balancing/ta-p/58361

hope this helps,

Ben

Re: ISP Load balancing with ECMP

RFalconer — Mon, 01 Aug 2016 16:14:27 GMT

Muhammad,

The potential issue I see with PBF is that you will have to logically separate your 10.1.1.0/24 into smaller subnets to get part of the /24 range to forward to each of the ISPs. The PBF will need source information for forwarding to each ISP and using the full /24 will keep anything from getting to the second policy rule.

Do your ISPs support BGP? You could receive the default from each ISP, set up ecmp for BGP and assign a different zone to each ISP. Then you could create different NAT policies for each ISP zone and the NAT lookup should alternate based on ecmp.

Re: ISP Load balancing with ECMP

mjillson — Tue, 02 Aug 2016 14:34:21 GMT

I have an open ticket with TAC becuase I also have ECMP running but the issue is that with ECMP enabled it completely bypasses any PBR rules. They thing this is a bug but the case is still being investigated.

Re: ISP Load balancing with ECMP

m7usman — Sun, 07 Aug 2016 10:51:40 GMT

Thank You Bmorris1,

I have seen this article, in my case i have a single ip network in my branch that connects to two ISPs on Static default routes, the limitations are,

I need to make a source NAT dipp directed towards either of the ISPs.
This do not do Link load balancing as i do get ECMP routes on the forwarding table And in case of ISP Failure, i need to manually source NAT DIPP to the other ISP.

Re: ISP Load balancing with ECMP

m7usman — Sun, 07 Aug 2016 10:59:24 GMT

Thank You for your post,

I only have static default routes to the ISPs, my objective is to do link load balancing, by segmenting the /24 network i am actually segmenting my traffic to my upstream providers.

Re: ISP Load balancing with ECMP

m7usman — Sun, 07 Aug 2016 11:09:12 GMT

Thank You mjillson,

Please do update us if you get a resolution, I have seen a similar case with my ECMP routes on the Forwarding table, when i disconnect one of my ISPs The Forwarding Table keeps indicating that the disconnected ISP is the preffered route with the * sign, I think i will end up opening a case with the support guys as well :).