I have the Following Scenario on a PA-200
Zone = Untrust
Eth1/1 = 192.168.7.110/24
Modem GW = 192.168.7.1/24
Eth1/2 = 192.168.5.110/24
Modem GW = 192.168.5.1/24
Eth1/3 = 10.1.1.1/24
Running DNS-Proxy and DHCP for Eth1/3
In the Default VR
0/0 to 192.168.7.1 [ ISP1 ]
0/0 to 192.168.5.1 [ ISP2 ]
Successful injection with equal metric and usage in forwarding table.
SecurityPolicy> Untrust to Trust Allow.
NATPolicy> SNAT Untrust to Trust DIPP Eth1/1
NATPolicy> SNAT Untrust to Trust DIPP Eth1/2
My issues are as following.
1. There has to be one SNAT Policy, the first takes the precedence, I wonder if I can use a PBR here?
2. The Route / Forwarding Table does not take out the disconnected ISP's default route and keeps it in the table, I wonder do I need to enable BFD (Bidirectional Forwarding Detection), if yes PA-200 with 7.1.3 seems not to support it?
3. Is there a better design for this scenario?
Note-1 When connecting to two ISPs at Layer 3, we can only do Link Load-Balancing or Link Sharing. We can not do Link Aggregation or Link Bonding, which is possible only when we connect to ISP/s at Layer 2.
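For reference, here is how the scenario above can be expressed as PAN-OS CLI set commands. This is an added example, not configuration from the original post or from Palo Alto Networks documentation. Interface names, addresses and the Untrust zone are taken from the post; the Trust zone name, the route and NAT rule names (isp1-default, snat-isp1, and so on) and the timers are assumptions. The syntax is written from the PAN-OS 8.x CLI and has not been verified against every release; in particular, static-route path monitoring did not exist on the 7.1.3 release the poster runs, so check each command against the CLI reference for your version before committing.

```text
# Added example, not the poster's configuration. PAN-OS 8.x style CLI;
# verify keys against your own release before use.

# 1. Enable ECMP in the default VR so both equal-metric default routes
#    are installed in the forwarding table
set network virtual-router default ecmp enable yes
set network virtual-router default ecmp max-path 2
set network virtual-router default ecmp algorithm ip-hash

# 2. Two default routes with the same metric, each pinned to its egress
#    interface so the next hop is resolved on the correct link
set network virtual-router default routing-table ip static-route isp1-default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 192.168.7.1 metric 10
set network virtual-router default routing-table ip static-route isp2-default destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 192.168.5.1 metric 10

# 3. Path monitoring (PAN-OS 8.0+): probe each modem gateway and withdraw
#    the route from the FIB when the probe fails. This is the usual answer
#    to issue 2 on platforms that do not support BFD. Interval, count and
#    hold-time values are assumptions.
set network virtual-router default routing-table ip static-route isp1-default path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route isp1-default path-monitor monitor-destinations isp1-gw enable yes source 192.168.7.110/24 destination 192.168.7.1 interval 3 count 5
set network virtual-router default routing-table ip static-route isp2-default path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route isp2-default path-monitor monitor-destinations isp2-gw enable yes source 192.168.5.110/24 destination 192.168.5.1 interval 3 count 5

# 4. One SNAT rule per egress interface (issue 1). The route lookup,
#    including the ECMP choice, happens before NAT lookup, so matching on
#    "to-interface" lets each rule be reached instead of the first rule
#    always winning. Outbound direction is Trust -> Untrust.
set rulebase nat rules snat-isp1 from Trust to Untrust source any destination any service any to-interface ethernet1/1 source-translation dynamic-ip-and-port interface-address interface ethernet1/1
set rulebase nat rules snat-isp2 from Trust to Untrust source any destination any service any to-interface ethernet1/2 source-translation dynamic-ip-and-port interface-address interface ethernet1/2

# 5. Checks after commit: both routes should be present and marked as
#    ECMP paths, and unplugging one modem should remove its route
show routing fib
test routing fib-lookup virtual-router default ip 8.8.8.8
show running nat-policy
```

Two design points worth noting. First, the per-interface NAT match only works because the egress interface is decided by routing before NAT policy is evaluated; if PBF is used instead of ECMP the same to-interface NAT rules still apply, since PBF also fixes the egress interface before NAT. Second, path monitoring probes the modem gateway, so it detects a dead link or modem but not an ISP outage beyond a modem that keeps answering pings; monitoring a destination further upstream (for example a public resolver, with the probe source address of that interface) gives better coverage, at the cost of withdrawing the route whenever that single destination is unreachable.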
Instead of using ECMP for this, it would be preferable to use PBF. I believe this guide made by dpalani can help you set up what you are looking to achieve:
hope this helps,
The potential issue I see with PBF is that you will have to logically separate your 10.1.1.0/24 into smaller subnets to get part of the /24 range to forward to each of the ISPs. The PBF will need source information for forwarding to each ISP and using the full /24 will keep anything from getting to the second policy rule.
Do your ISPs support BGP? You could receive the default from each ISP, set up ecmp for BGP and assign a different zone to each ISP. Then you could create different NAT policies for each ISP zone and the NAT lookup should alternate based on ecmp.
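The PBF variant described above (splitting the /24 so each half has its own rule) looks roughly as follows in PAN-OS CLI. This is an added example, not the guide referenced earlier in the thread and not the poster's configuration. Interfaces, gateways and the 10.1.1.0/24 network come from the original post; the Trust zone name, the rule and monitor profile names, the /25 split and the timer values are assumptions, and the syntax is approximate PAN-OS 7.1/8.x CLI that should be checked against the release in use.

```text
# Added example, not from the original thread. Approximate PAN-OS CLI.

# Monitor profiles: ping the next hop; on "fail-over" the PBF rule is
# disabled so traffic falls through to the next rule or to normal routing.
# Interval/threshold values are assumptions.
set network profiles monitor-profile isp1-monitor action fail-over interval 3 threshold 5
set network profiles monitor-profile isp2-monitor action fail-over interval 3 threshold 5

# Rule 1: never policy-forward traffic that stays inside the LAN
set rulebase pbf rules pbf-local from zone Trust
set rulebase pbf rules pbf-local source any destination 10.1.1.0/24 application any service any
set rulebase pbf rules pbf-local action no-pbf

# Rule 2: lower half of the /24 egresses via ISP1
set rulebase pbf rules pbf-isp1 from zone Trust
set rulebase pbf rules pbf-isp1 source 10.1.1.0/25 destination any application any service any
set rulebase pbf rules pbf-isp1 action forward egress-interface ethernet1/1 nexthop ip-address 192.168.7.1
set rulebase pbf rules pbf-isp1 action forward monitor profile isp1-monitor disable-if-unreachable yes ip-address 192.168.7.1

# Rule 3: upper half of the /24 egresses via ISP2
set rulebase pbf rules pbf-isp2 from zone Trust
set rulebase pbf rules pbf-isp2 source 10.1.1.128/25 destination any application any service any
set rulebase pbf rules pbf-isp2 action forward egress-interface ethernet1/2 nexthop ip-address 192.168.5.1
set rulebase pbf rules pbf-isp2 action forward monitor profile isp2-monitor disable-if-unreachable yes ip-address 192.168.5.1

# Rule ordering matters: the no-pbf rule must sit above the two forward rules
move rulebase pbf rules pbf-local top

# Checks after commit
show pbf rule all
show running pbf-policy
```

When a monitor marks its next hop unreachable the matching rule is skipped, so sessions from that half of the network are handled by the virtual router's routing table instead. That table therefore still needs a usable default route to the surviving ISP; with two equal-metric routes and no path monitoring on the 7.1 release, the fallback can still pick the dead link, which is why the PBF approach on that release is usually paired with a single default route toward the preferred ISP rather than ECMP. The source NAT rules still match on the egress interface as in the ECMP design, because PBF fixes the egress interface before NAT policy is evaluated.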
I have an open ticket with TAC because I also have ECMP running but the issue is that with ECMP enabled it completely bypasses any PBR rules. They think this is a bug but the case is still being investigated.
Thank You Bmorris1,
I have seen this article, in my case I have a single IP network in my branch that connects to two ISPs on static default routes, the limitations are,
Thank You for your post,
I only have static default routes to the ISPs, my objective is to do link load balancing, by segmenting the /24 network I am actually segmenting my traffic to my upstream providers.
Thank You mjillson,
Please do update us if you get a resolution, I have seen a similar case with my ECMP routes on the Forwarding table, when I disconnect one of my ISPs the Forwarding Table keeps indicating that the disconnected ISP is the preferred route with the * sign, I think I will end up opening a case with the support guys as well :).