04-13-2018 05:51 AM
Hi all,
I'm newbie on Palo Alto systems an i have a question bout a configuration point.
I have a PA-220 with one Internet connection (100 mbps). I have a second Internet connection from the same ISP (with the same bandwith => 100 mbps).
Now, I need to :
Aggregate this two links in one logical link ;
Use failover system if one of this two links falls.
I did some research on Palo Alto Knowledge Base to find a documentation about that and I find this :
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking/configure-an-aggregate-in...
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-ISP-Redundancy-and-Load...
https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-Multiple-ISPs/ta-p/67831
I'm not sure if this links are correct to do what I want.
Anyone know how should I go about setting up a viable setup for my PA-220 ?
Thank you in advance for your help.
Best regards.
BB
04-13-2018 06:45 AM
Hi @feelgood
Theres several different approaches depending on your needs, do you simply want to have outbound connections maximally utilize all available bandwidth or do you need specific services to use a preferred route, or have one line as hot standby, have vpn redundancy, etc...
does each link have it's own ip or does your ISP also aggregate the links?
The simplest setup is to setup both links equally and enable ECMP (in the virtual router), this will load balance traffic over both links, all you need to do is set up 2 individual NAT policies, one for each link
04-13-2018 01:23 PM
ECMP doens't require an additional virtual router; it's a feature available within the virtual router configuration that allows Load Balancing between both of the ISP links. The link HERE will go into how to actually configure ECMP.
Since ECMP is load-balancing the sessions between both of the uplinks, everything that you are looking for will work as best as it's able. You'll want to configure Path Monitoring on the route so that it actually gets taken out of action if it were to go down.
04-13-2018 06:45 AM
Hi @feelgood
Theres several different approaches depending on your needs, do you simply want to have outbound connections maximally utilize all available bandwidth or do you need specific services to use a preferred route, or have one line as hot standby, have vpn redundancy, etc...
does each link have it's own ip or does your ISP also aggregate the links?
The simplest setup is to setup both links equally and enable ECMP (in the virtual router), this will load balance traffic over both links, all you need to do is set up 2 individual NAT policies, one for each link
04-13-2018 07:05 AM
Hi @reaper
Thank you for your reply.
I have two differents IPs on each link, our ISP don't aggregate the links.
So, to answer at your question, in first place, I need to use all available bandwidth (i.e 100 Mbps x 2 so 200 Mbps) then I want to have failover mechanism which use the backup link if my primary link falls. And, when the primary link is up, the virtual router reactive automatically this link
Of course, I need all my VLAN toggle automatically on the backup link for continuity of service for my users.
Ok for ECMP, so I need to create a second virtual router with the same configuration of my default configuration to permit a load balance traffic between this two links ? That's all ?
Thanks.
04-13-2018 01:23 PM
ECMP doens't require an additional virtual router; it's a feature available within the virtual router configuration that allows Load Balancing between both of the ISP links. The link HERE will go into how to actually configure ECMP.
Since ECMP is load-balancing the sessions between both of the uplinks, everything that you are looking for will work as best as it's able. You'll want to configure Path Monitoring on the route so that it actually gets taken out of action if it were to go down.
04-14-2018 04:46 AM
Hi,
Thank you very much @reaper and @BPry, I setup ECMP on my PA-220 on my virtual router with the "How To" suggests by @BPry and for the moment, it works very well.
When I unplug my primary link on my PA-220 for test, the traffic goes automatically on my secondary link. Furthermore, I see in "Traffic Logs" of my PA-220, the load balancing between the two interfaces.
So, now I'll monitor if all everything it's ok and try to configure GlobalProtect and IPSec on the second link.
Many thanks for your help guys.
PS : Do you know how I can change my pseudo display ?
04-14-2018 10:21 AM
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
