Multi site dual-isp with redundant VPN connections: PBF vs alternatives?

L7 Applicator

Re: Multi site dual-isp with redundant VPN connections: PBF vs alternatives?


@uvdes wrote:

Does the same requirement for multiple routers hold true with ECMP to keep the tunnels active, or is it different now?


I don't see a requirement for more than one virtual router. (Yes, I would use 2, but just to separate internal and external routing). Actually I don't really see a technical reason why you use 2 VRs today, as it is also possible to keep all tunnels up and running (with tunnel monitoring and/or PBF monitoring).
In any case with PAN-OS 8 and the route monitoring there is no need for PBF rules in your case.

L2 Linker

Re: Multi site dual-isp with redundant VPN connections: PBF vs alternatives?

Thank you all for all the information. I'll let you know how things work out next week!

L2 Linker

Re: Multi site dual-isp with redundant VPN connections: PBF vs alternatives?

I wanted to give a report on how this all went.

I ended up going active-standby on the ISPs since, while the primary ISPs are symmetric upload/download, the secondaries aren't, which makes balancing a challenge with ECMP.

I used two virtual routers in the active-standby ISP config to keep all IPsec tunnels up and running all the time. When I tried to use a single VR, I could only have one active default route at a time, so the standby tunnels weren't up and running. With two VRs, all the tunnels are up and running all the time. I have one main VR where most everything terminates, including IPsec tunnels and the primary ISP, and another VR where just the standby ISP terminates. In the main VR I set up path monitoring for the primary ISP default route, and if it drops, I have a default route with a higher metric that goes to the next VR.
I also used OSPF to handle the tunnels. It worked really well, was relatively easy, and handles tunnel failover very nicely, as well as saving me from entering a ton of static routes.
Thanks for all your help!
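The two-VR layout described in the post above, written out as an added example (this is not the poster's own configuration): PAN-OS set commands for the main VR's monitored primary default route, the higher-metric fallback whose next hop is the standby VR, the standby VR's own default route, and OSPF on a tunnel interface in place of per-site static routes. VR names, interface names, route names and addresses are constructed placeholders; the syntax follows PAN-OS 8 static-route path monitoring and should be confirmed with `?` completion on the device before committing.

```text
# Main VR: primary ISP default route, metric 10, with path monitoring.
# vr-main, ethernet1/1, 203.0.113.x and the route names are placeholders.
set network virtual-router vr-main routing-table ip static-route isp1-default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1 metric 10
set network virtual-router vr-main routing-table ip static-route isp1-default path-monitor enable yes
set network virtual-router vr-main routing-table ip static-route isp1-default path-monitor failure-condition any
set network virtual-router vr-main routing-table ip static-route isp1-default path-monitor hold-time 2
# Probe target is a placeholder; pick something beyond the ISP gateway so a dead upstream is also detected.
set network virtual-router vr-main routing-table ip static-route isp1-default path-monitor monitor-destinations isp1-probe enable yes source 203.0.113.2/24 destination 203.0.113.1 interval 3 count 5

# Fallback default route: higher metric, next hop is the standby VR rather than an IP.
# It only becomes the active default route once path monitoring removes isp1-default.
set network virtual-router vr-main routing-table ip static-route to-standby-vr destination 0.0.0.0/0 nexthop next-vr vr-standby metric 20

# Standby VR: only the secondary ISP terminates here, so its default route is always
# installed and IKE/IPsec peers reached through ethernet1/2 stay up regardless of vr-main's choice.
set network virtual-router vr-standby routing-table ip static-route isp2-default destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1 metric 10

# OSPF on the tunnel interfaces in the main VR handles tunnel failover and replaces static routes per site.
set network virtual-router vr-main protocol ospf enable yes
set network virtual-router vr-main protocol ospf router-id 10.0.0.1
set network virtual-router vr-main protocol ospf area 0.0.0.0 interface tunnel.1 enable yes link-type p2p
```

After commit, `show routing route virtual-router vr-main` shows which of the two default routes is currently installed, which is the quickest way to verify that a failed path-monitor actually swings traffic to vr-standby.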
