We have set up two ISP interfaces in our PA-500: Primary (eth1/1) is our primary Internet connection, and Secondary (eth1/2) is our backup ISP (configured for failover; this one is also an MPLS connection to another site). Eth1/3 is our private LAN.
There are two virtual routers set up for this scenario (also including the GlobalProtect configuration):

PrimaryVR:
    default - destination: 0.0.0.0 - type: ip-address - value: <primary ISP>
    gp - destination: <GP private addressing> - interface: tunnel-1
    LAN - destination: <private LAN> - type: next-vr - value: SecondaryVR

SecondaryVR:
    default - destination: 0.0.0.0 - type: ip-address - value: <secondary ISP>
    gp - destination: <GP private addressing> - type: next-vr - value: PrimaryVR
Now we have a new circuit brought in that will MPLS to the company that acquired ours. I've set up eth1/4 as the interface to the new MPLS, and I've set up addresses/groups for all the locations in the new MPLS, a Security Zone, NAT, and Policy Based Forwarding (traffic destined for the new MPLS uses eth1/4). Where I have questions is how to configure the static routing in the virtual routers for the new MPLS connections. Do I have to set up a third virtual router with the default going to the MPLS gateway? If so, what routes do I add under it to connect it to the other two virtual routers? Or do I just add the eth1/4 interface to, say, PrimaryVR and let the Policy Based Forwarding rule route to the appropriate interface instead of the default route (but then do I add static routes for all the other MPLS site locations in that router too)?
Looking for some advice.
It depends on which destination IPs are routed through the MPLS. If you are routing traffic to the LAN on the other side of the MPLS, then add a static route on one of the VRs (let's say PrimaryVR), and on SecondaryVR you can configure a route that says the next hop to that LAN is PrimaryVR. Is this what you are trying to configure?
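As an added worked example (not from the original thread or from Palo Alto Networks), here is what the answer above looks like as PAN-OS configure-mode set commands on the PA-500, keeping the poster's VR names and interface layout: ethernet1/4 joins PrimaryVR, PrimaryVR gets a static route per remote MPLS prefix via the MPLS gateway, and SecondaryVR (where the private LAN lives, per the LAN route shown in the question) sends those prefixes to PrimaryVR with a next-vr route. PrimaryVR already carries the return route for the private LAN (next-vr SecondaryVR), so nothing is added for that direction. The two MPLS prefixes 10.60.0.0/16 and 10.61.0.0/16, the MPLS gateway 192.0.2.1, the route names and the metric are assumed placeholders; substitute the real values from the acquiring company.

```text
# Assumed placeholders (not from the original post): 10.60.0.0/16 and 10.61.0.0/16
# are the remote MPLS sites and 192.0.2.1 is the MPLS gateway reachable on ethernet1/4.
# Lines starting with # are annotations for this page, not CLI syntax; drop them before pasting.
configure

# 1. Put the new MPLS interface in PrimaryVR (it is already zoned and addressed per the question).
set network virtual-router PrimaryVR interface ethernet1/4

# 2. One static route per remote MPLS prefix in PrimaryVR, pointing out ethernet1/4 at the MPLS gateway.
set network virtual-router PrimaryVR routing-table ip static-route mpls-site1 destination 10.60.0.0/16 interface ethernet1/4 nexthop ip-address 192.0.2.1 metric 10
set network virtual-router PrimaryVR routing-table ip static-route mpls-site2 destination 10.61.0.0/16 interface ethernet1/4 nexthop ip-address 192.0.2.1 metric 10

# 3. Same prefixes in SecondaryVR, but the next hop is the other virtual router, not an IP address.
set network virtual-router SecondaryVR routing-table ip static-route mpls-site1 destination 10.60.0.0/16 nexthop next-vr PrimaryVR
set network virtual-router SecondaryVR routing-table ip static-route mpls-site2 destination 10.61.0.0/16 nexthop next-vr PrimaryVR

commit
```

To check the result before relying on the PBF rule, run a FIB lookup from each VR for a host in one of the remote prefixes, e.g. `test routing fib-lookup virtual-router SecondaryVR ip 10.60.1.1` (expect the next-vr entry) and the same lookup against PrimaryVR (expect ethernet1/4 and 192.0.2.1), and confirm with `show routing route virtual-router PrimaryVR`. Two caveats: PBF is evaluated before the routing table, so LAN traffic matching the existing PBF rule exits ethernet1/4 either way; the VR routes are what carry traffic the PBF rule does not match (for example GlobalProtect clients arriving on tunnel-1 in PrimaryVR) and keep the path working if the PBF rule is ever disabled. And the remote sites still need a route to your private LAN that points at this firewall's ethernet1/4 address; that is configured on the MPLS provider side, not on the PA-500.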
With the new MPLS, access from those multiple sites to my internal LAN and vice versa is needed. I'll test with static routes in the PrimaryVR for all the outside MPLS sites.
Did you check that?
Only one VR is needed.
I think for a backup link you need to create a PBF rule that directs the traffic to the primary next hop with monitoring, and define the default route to the backup next hop in the virtual router, as explained in this doc,
and for the new MPLS, create a static route in the VR.
The backup ISP and PBF rule scenario was already created, in place, and working for a few months now. I'm only concerned with the new MPLS connections at this time. Thanks, though.