I'm working on configuring a branch office firewall with two ISPs and Site-to-Site VPN to our data center. The data center side has only 1 ISP connection.
I'm reviewing this article again, as I've used it in the past.
It's been a while since I've done this setup, but something doesn't seem right. I get the two VR idea, since the traffic sourcing from the firewall does not use PBR. My issue is with the default route.
Configure two interfaces:
Eth 1/3: 10.185.140.138/24 (connection to ISP1) in the untrust zone
Eth 1/4: 10.80.40.38/24 (connection to ISP2) in the untrust zone
There are two virtual routers:
VR1: Primary (ISP1) (Ethernet1/3)
VR2: Secondary (ISP2) (Ethernet1/4)
On Primary VR1, they have a default route pointing to the gateway of ISP1 0.0.0.0/0 10.185.140.1. Then, on Secondary VR2, they do not add a default route. I also saw a post in the comments that you need a static default route configured on both VR1 and VR2
I believe both are incorrect, unless I'm missing something. If you add a static route pointing to Primary ISP1 on VR1, it will cause issues with failover, even if you also have a default route on VR2.
I'm thinking they meant to create the default route to the next hop for ISP2. If correct, wouldn't that be on VR2?
We're running this setup on one of our sites.
Both VRs have default routes pointing to each individual ISP GW.
VR1 has my internal LAN segments and ISP1 interface. VR2 has only ISP2 interface. VR1 has a backup default-route pointing to next VR (VR2)
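The layout described in the reply above, written out as PAN-OS CLI "set" commands. This is an added example, not the article's or the poster's configuration: VR names, interfaces and the ISP1 gateway come from the thread; the LAN interface (ethernet1/1), LAN prefix (192.168.10.0/24), ISP2 gateway (10.80.40.1) and route names are assumed, lines beginning with # are annotations rather than CLI, and the path-monitor syntax is from memory, so check it against your PAN-OS version before committing.

```text
# VR1 owns the internal LAN interface (assumed ethernet1/1) and the ISP1 interface
set network virtual-router VR1 interface [ ethernet1/1 ethernet1/3 ]
# VR2 owns only the ISP2 interface
set network virtual-router VR2 interface ethernet1/4

# VR1: primary default route to the ISP1 gateway (metric 10)
set network virtual-router VR1 routing-table ip static-route isp1-default destination 0.0.0.0/0 interface ethernet1/3 nexthop ip-address 10.185.140.1 metric 10

# VR1: path monitoring on that route, so it is withdrawn when the ISP1 gateway
# stops answering (5 lost probes at 3 s intervals), and restored after a 2 min hold
set network virtual-router VR1 routing-table ip static-route isp1-default path-monitor enable yes failure-condition any hold-time 2
set network virtual-router VR1 routing-table ip static-route isp1-default path-monitor monitor-destinations isp1-gw enable yes source 10.185.140.138/24 destination 10.185.140.1 interval 3 count 5

# VR1: backup default route handed to VR2; higher metric, so it only takes over
# once isp1-default has been withdrawn by path monitoring
set network virtual-router VR1 routing-table ip static-route isp2-backup destination 0.0.0.0/0 nexthop next-vr VR2 metric 20

# VR2: its own default route to the ISP2 gateway (assumed 10.80.40.1)
set network virtual-router VR2 routing-table ip static-route isp2-default destination 0.0.0.0/0 interface ethernet1/4 nexthop ip-address 10.80.40.1 metric 10

# VR2: route for the internal LAN (assumed prefix) back into VR1, so traffic that
# enters on ISP2 and is destined for VR1's segments has somewhere to go
set network virtual-router VR2 routing-table ip static-route lan-via-vr1 destination 192.168.10.0/24 nexthop next-vr VR1 metric 10

commit
```

After committing, "show routing route virtual-router VR1" should list both default routes with only the metric-10 one marked active while ISP1 is healthy.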
This can be accomplished with 1 VR and a PBF rule or dynamic routing (with weighted routes). Since both tunnels are up but you will only be using one at a time (assumption), a 1 VR solution works well.
There's a picture of the routes on the secondary-vr further down in the article that shows it does have a default route.