Configure second ISP with failover and aggregation

Reply
L1 Bithead

Configure second ISP with failover and aggregation

Hi all,

 

I'm newbie on Palo Alto systems an i have a question bout a configuration point.

 

I have a PA-220 with one Internet connection (100 mbps). I have a second Internet connection from the same ISP (with the same bandwith => 100 mbps).

 

Now, I need to :

 

Aggregate this two links in one logical link ;
Use failover system if one of this two links falls.
I did some research on Palo Alto Knowledge Base to find a documentation about that and I find this :

 

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking/configure-an-aggregate-in...
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-ISP-Redundancy-and-Load...
https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-Multiple-ISPs/ta-p/67831


I'm not sure if this links are correct to do what I want.

 

Anyone know how should I go about setting up a viable setup for my PA-220 ?

 

Thank you in advance for your help.

 

Best regards.

 

BB

Community Manager

Re: Configure second ISP with failover and aggregation

Hi @feelgood

 

Theres several different approaches depending on your needs, do you simply want to have outbound connections maximally utilize all available bandwidth or do you need specific services to use a preferred route, or have one line as hot standby, have vpn redundancy, etc...

does each link have it's own ip or does your ISP also aggregate the links?

 

The simplest setup is to setup both links equally and enable ECMP (in the virtual router), this will load balance traffic over both links, all you need to do is set up 2 individual NAT policies, one for each link


Help the community: Like helpful comments and mark solutions
Reaper out
L1 Bithead

Re: Configure second ISP with failover and aggregation

Hi @reaper

 

Thank you for your reply.

 

I have two differents IPs on each link, our ISP don't aggregate the links.

 

So, to answer at your question, in first place, I need to use all available bandwidth (i.e 100 Mbps x 2 so 200 Mbps) then I want to have failover mechanism which use the backup link if my primary link falls. And, when the primary link is up, the virtual router reactive automatically this link

 

Of course, I need all my VLAN toggle automatically on the backup link for continuity of service for my users.

 

Ok for ECMP, so I need to create a second virtual router with the same configuration of my default configuration to permit a load balance traffic between this two links ? That's all ?

 

Thanks.

L7 Applicator

Re: Configure second ISP with failover and aggregation

@feelgood,

ECMP doens't require an additional virtual router; it's a feature available within the virtual router configuration that allows Load Balancing between both of the ISP links. The link HERE will go into how to actually configure ECMP. 

 

Since ECMP is load-balancing the sessions between both of the uplinks, everything that you are looking for will work as best as it's able. You'll want to configure Path Monitoring on the route so that it actually gets taken out of action if it were to go down. 

L1 Bithead

Re: Configure second ISP with failover and aggregation

Hi,

 

Thank you very much @reaper and @BPry, I setup ECMP on my PA-220 on my virtual router with the "How To" suggests by @BPry and for the moment, it works very well.

 

When I unplug my primary link on my PA-220 for test, the traffic goes automatically on my secondary link. Furthermore, I see in "Traffic Logs" of my PA-220, the load balancing between the two interfaces.

 

So, now I'll monitor if all everything it's ok and try to configure GlobalProtect and IPSec on the second link.

 

Many thanks for your help guys.

 

PS : Do you know how I can change my pseudo display ?

 

Highlighted
Community Manager

Re: Configure second ISP with failover and aggregation

Glad to hear all is working!
You can change your display name from the support portal profile editor: https://live.paloaltonetworks.com/t5/Support-Articles/How-to-Change-Your-Community-Username-Display-...

Help the community: Like helpful comments and mark solutions
Reaper out
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!