BGP Configuration with 2 different ISPs and a /24 class


L0 Member

Hi, 

 

I'm new to Palo Alto. I'm looking for best-practice configuration advice for BGP with 2 ISPs and my own /24 class network. At this moment I have established BGP connections with both internet providers. I'm exporting the /24 class to both ISPs, but outside I'm still identified with the ISPs' IPs, not my own IPs. I'm looking for advice on how to configure the Palo Alto to be identified outside with my IPs through both ISPs. I would also like to configure the WAN connections so that the internet from ISP 1 on ethernet1/1 is the main one and ISP 2 on ethernet1/2 is the backup: when the internet from ISP 1 is down, traffic will go through ISP 2, and when the internet comes back, traffic will be redirected to ISP 1 again.

 

Thanks

 

 

4 REPLIES

Cyber Elite

You have peering IP on physical interface (ethernet1/x).

If you set up NAT with destination IP from this /24 range incoming traffic will already work.

If you want to establish IPSec tunnel using IP from this /24 range then add loopback interface using IP from this /24 range using /32 subnet mask.

 

For outgoing traffic.

If you want to load balance enable ECMP in virtual router.

If you want to have primary and secondary then set up path monitoring inside the primary 0.0.0.0/0 route so it would be removed from the routing table if destinations are inaccessible.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
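The primary/secondary behaviour described in the reply above, as an added example that is not part of the original thread: a small Python model of two static default routes where path monitoring on the primary route pulls it from the routing table when monitored destinations stop answering and reinstates it after a configurable number of clean probe cycles. Interface names, gateway and probe addresses (RFC 5737 ranges), and the "any/all" failure condition and hold-cycle semantics are constructed assumptions for illustration, not PAN-OS code.

```python
from dataclasses import dataclass

@dataclass
class DefaultRoute:
    egress: str                   # interface the 0.0.0.0/0 route points out of
    next_hop: str
    metric: int                   # lower metric wins when both routes are installed
    monitored: tuple = ()         # destinations probed via this route (empty = no monitoring)
    failure_condition: str = "any"  # "any": one failed probe removes the route; "all": every probe must fail
    preemptive_hold: int = 0      # consecutive clean probe cycles required before reinstating
    good_cycles: int = 0
    active: bool = True

def probe(route, reachable):
    """Run one path-monitor cycle. `reachable` is the constructed set of monitored
    destinations that answered the probe sent out this route's egress interface."""
    if not route.monitored:
        return route.active
    failed = [d for d in route.monitored if d not in reachable]
    down = bool(failed) if route.failure_condition == "any" else len(failed) == len(route.monitored)
    if down:
        route.active = False      # route withdrawn from the routing table, backup takes over
        route.good_cycles = 0
    else:
        route.good_cycles += 1
        if not route.active and route.good_cycles >= route.preemptive_hold:
            route.active = True   # primary reinstated, traffic moves back to ISP1
    return route.active

def best_default(routes):
    """Egress interface of the lowest-metric default route still installed, or None."""
    live = [r for r in routes if r.active]
    return min(live, key=lambda r: r.metric).egress if live else None

def build_routes():
    primary = DefaultRoute("ethernet1/1", "203.0.113.1", 10,
                           monitored=("192.0.2.10", "192.0.2.20"),
                           failure_condition="any", preemptive_hold=2)
    backup = DefaultRoute("ethernet1/2", "198.51.100.1", 20)
    return primary, backup

def failover_demo():
    """Walk through outage and recovery; returns the egress chosen after each cycle."""
    primary, backup = build_routes()
    cycles = [{"192.0.2.10", "192.0.2.20"},   # healthy
              {"192.0.2.20"},                 # one probe fails -> primary removed ("any")
              {"192.0.2.10", "192.0.2.20"},   # clean cycle 1 of 2, still on backup
              {"192.0.2.10", "192.0.2.20"}]   # clean cycle 2 of 2, primary reinstated
    chosen = []
    for reachable in cycles:
        probe(primary, reachable)
        chosen.append(best_default([primary, backup]))
    return chosen
```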

Cyber Elite

Hi @michalpawlak ,

 

The advice from @Raido_Rattameister is good.  I will include some and add my own:

 

  1. As long as the ISP routes your /24 then NAT and interfaces in that subnet will work fine.  For NAT to work, there must be a route to your /24 on the NGFW.
  2. Unless you have a huge NGFW, you can only accept the default route from your ISPs.  The NGFW does not have the memory for the Internet routing table (900K+ prefixes).
  3. You said that you want ISP1 active and ISP2 as a backup, and you have working BGP connections.  So ECMP is not required.
  4. To do this you want to configure the NGFW so that:
     a. No traffic goes out ISP2, and
     b. No traffic comes in ISP2.  (Traffic coming in ISP2 and going out ISP1 will break.)

Item 3a can be accomplished with BGP weight or local preference.  In a nutshell, weight works for a single NGFW while local preference works for multiple NGFWs in the same BGP ASN.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClszCAC

 

Item 3b can be accomplished with conditional advertisement.  Adjusting BGP attributes will not stop all traffic from coming in.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEUCA0

 

ECMP could get you twice the bandwidth.  Symmetric return is needed to fix asymmetric routing for inbound traffic.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF5CAK  NATing traffic to the ISP IP interface address or putting both ISPs in the same zone will fix asymmetric routing for outbound traffic.

 

Going back to BGP, you could tune failover times by adjusting BGP timers or using BFD.  You could add authentication as a security mechanism.

 

I heard of one case where the ISP lost some connectivity, but did not withdraw the default route from customers.  If that happens to you, then consider static routes and path monitoring as @Raido_Rattameister suggested.  Keep in mind if you use BGP to manipulate inbound traffic and static routes to manipulate outbound traffic the protocols may not be in sync.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
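The two controls in the reply above (local preference or weight for outbound path choice, conditional advertisement for inbound), as an added example that is not part of the original thread: a Python model of a simplified BGP decision and of a non-exist-filter style conditional advertisement, where the firewall's own /24 is advertised to the backup ISP only while the default route from the primary ISP is missing. Peer names, prefixes (RFC 5737 range) and the import-policy shape are constructed assumptions for illustration, not PAN-OS code.

```python
from dataclasses import dataclass

@dataclass
class Route:
    prefix: str
    peer: str              # ISP peer the route was learned from
    weight: int = 0        # local to this firewall, higher wins (single NGFW case)
    local_pref: int = 100  # shared within the ASN, higher wins (multiple NGFWs case)
    as_path_len: int = 1

def apply_import_policy(rib, policy):
    """Set weight/local_pref on routes learned from a peer, e.g. {"ISP1": {"local_pref": 200}}."""
    for r in rib:
        for attr, value in policy.get(r.peer, {}).items():
            setattr(r, attr, value)
    return rib

def best_path(rib, prefix):
    """Simplified BGP decision for one prefix: weight, then local preference, then shortest AS path."""
    candidates = [r for r in rib if r.prefix == prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.weight, r.local_pref, -r.as_path_len)).peer

def advertised_peers(rib, own_prefix, primary, backup):
    """Item 3b: the /24 always goes to the primary peer; it goes to the backup peer only
    when no default route learned from the primary exists in the RIB (non-exist filter)."""
    primary_default_present = any(r.prefix == "0.0.0.0/0" and r.peer == primary for r in rib)
    peers = {primary}
    if not primary_default_present:
        peers.add(backup)
    return peers

def steady_state():
    rib = [Route("0.0.0.0/0", "ISP1"), Route("0.0.0.0/0", "ISP2")]
    apply_import_policy(rib, {"ISP1": {"local_pref": 200}})     # prefer ISP1 for outbound
    return best_path(rib, "0.0.0.0/0"), advertised_peers(rib, "192.0.2.0/24", "ISP1", "ISP2")

def isp1_lost():
    rib = [Route("0.0.0.0/0", "ISP2")]                           # ISP1 withdrew its default
    apply_import_policy(rib, {"ISP1": {"local_pref": 200}})
    return best_path(rib, "0.0.0.0/0"), advertised_peers(rib, "192.0.2.0/24", "ISP1", "ISP2")
```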

L0 Member

Guys, 

I really appreciate your support. So the best way to go is just to leave the 2 ISPs working as active/active with load balancing enabled? Can you please advise? Another thing is: let's say I'm receiving IPs from ISP 1: A.A.A.A and ISP 2: B.B.B.B, and my class is C.C.C.C/24. In the BGP configuration, in Router ID I set the IP from ISP 1, which is A.A.A.A; I'm not sure if that is the proper way to go? When I'm browsing the internet my IP is A.A.A.A, but I'd like to be identified as C.C.C.C. When I add a loopback interface with IP C.C.C.C/32 to the VR and set up NAT with source address: internal LAN and destination: C.C.C.C, then when I'm browsing the internet my IP address shows as C.C.C.C, which is absolutely fine, but I'm not sure if this is a good configuration? I could leave it like this (if it works, it works 🙂), but this NGFW will be configured in a 24/7 environment so I can't afford any misconfiguration.

 

Thanks

 

 

Cyber Elite

Hi @michalpawlak ,

 

Setting your BGP Router ID to C.C.C.C is fine.  If you NAT to C.C.C.C, the traffic may go out one ISP and come back in another.  If both ISPs are in the same zone, then it should work fine.  If the ISPs are in different zones, then the return traffic will not match the session and be dropped.

 

I always advise you test before putting into production.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.