Active/Passive PA with Dual ISP in eBGP and private owned /24 ASN



L0 Member

Hi,

Looking for some guidance on our setup. I am looking to establish pure ISP failover without having to take action on my / my team's side. Presently, when there is an outage, we need to perform manual intervention to get connectivity back up.

Here is an overview of our network, internet facing.

 

ISP A (/30) -> Cisco ASR Router 1 (I control) (/24 ASN eBGP established to ISP A) WAN Interface -> ASR Router (LAN Interface - Public IP in same /24) -> DMZ Switch Stack (VLAN 5 - WAN Facing)

ISP B (/30) -> Cisco ASR Router 2 (I control) (/24 ASN eBGP established to ISP B) WAN Interface -> ASR Router (LAN Interface - Public IP in same /24) -> DMZ Switch Stack (VLAN 5 - WAN Facing)

ISP A = 1Gb

ISP B = 500Mb

 

Cisco Router 1 - No prepend, default route to ISP carrier

Cisco Router 2 - Prepend, default route to ISP carrier + ip route x.x.x.x /24 null0

*** (I have found that if I take away the prepend and the null0 route, packets going out cannot route back in.)

 

PA 3020 x2 (Active/Passive) (E1/1) -> DMZ Switch Stack (VLAN 5)

E1/1 - WAN IP in the same /24 block above

NAT from the PA is dynamic-ip-and-port with the E1/1 interface IP from untrust to trust zone

No PBF, but one VR with a default route, with traffic going to Cisco Router 1 LAN IP as next hop

- I have tried putting route monitoring in the VR default route to the Cisco Router 2 LAN IP, removing the prepend on Cisco Router 2 and the null route, and internet stops working from behind the PA.

 

When ISP A goes down, we need to remove the prepend, remove the null route, change the route manually on the PA and clear NAT sessions. Not ideal ...

Can anyone offer any suggestions or thoughts on how to improve the setup? Changing setup, connections, hardware, etc. is all open and fine.

 

1 REPLY

L3 Networker

Hi,

My approach would be slightly different from yours.

1) Separate VLANs for each ISP.

2) Separate physical int on the Palo for each ISP.

3) Two default routes with different metrics, one for each ISP.

4) Enable path monitoring for a static route.

See

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/static-routes/static-route-rem...
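To make points 3 and 4 of the reply concrete, here is a small simulation (added here, not code from the thread or from PAN-OS) of how two default routes with different metrics plus per-route path monitoring decide which next hop is active. It approximates the monitor semantics a practitioner cares about when tuning this: a failure condition of "any" versus "all" probed destinations, immediate withdrawal on failure, and a hold time of consecutive healthy checks before the preferred route is reinstalled. The ISP names, next-hop and probe addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class MonitoredRoute:
    """A static default route with simulated path monitoring."""
    name: str
    next_hop: str
    metric: int
    failure_condition: str = "any"  # "any": fails if any probe fails; "all": only if all fail

    def is_up(self, probe_results: dict) -> bool:
        """probe_results maps monitored destination -> True if the probe succeeded."""
        if not probe_results:          # no monitors configured: route is always considered up
            return True
        ok = list(probe_results.values())
        return all(ok) if self.failure_condition == "any" else any(ok)

class FailoverState:
    """Withdraws/reinstalls monitored routes and picks the lowest-metric installed one."""
    def __init__(self, routes, hold_time=2):
        self.routes = routes
        self.hold_time = hold_time                            # healthy checks needed to reinstall
        self.healthy = {r.name: hold_time for r in routes}    # start with every route healthy
        self.installed = {r.name for r in routes}

    def tick(self, probes: dict) -> Optional[str]:
        """probes: route name -> {destination: reachable}. Returns the active route's name."""
        for r in self.routes:
            if r.is_up(probes.get(r.name, {})):
                self.healthy[r.name] = min(self.hold_time, self.healthy[r.name] + 1)
                if self.healthy[r.name] >= self.hold_time:
                    self.installed.add(r.name)
            else:
                self.healthy[r.name] = 0                      # withdraw immediately on failure
                self.installed.discard(r.name)
        live = [r for r in self.routes if r.name in self.installed]
        return min(live, key=lambda r: r.metric).name if live else None

# Constructed scenario: ISP A preferred (metric 10), ISP B backup (metric 20, "all" condition).
ISP_A = MonitoredRoute("ISP-A", "198.51.100.1", 10, "any")
ISP_B = MonitoredRoute("ISP-B", "203.0.113.1", 20, "all")

def run_scenario():
    state = FailoverState([ISP_A, ISP_B], hold_time=2)
    up, down = {"8.8.8.8": True, "1.1.1.1": True}, {"8.8.8.8": False, "1.1.1.1": False}
    partial = {"8.8.8.8": False, "1.1.1.1": True}
    steps = [{"ISP-A": up, "ISP-B": up},        # steady state: ISP A wins on metric
             {"ISP-A": partial, "ISP-B": up},   # one ISP A probe fails -> withdrawn ("any")
             {"ISP-A": up, "ISP-B": up},        # recovering, but 1 healthy check < hold time
             {"ISP-A": up, "ISP-B": up},        # hold time reached -> ISP A reinstalled
             {"ISP-A": down, "ISP-B": partial}, # ISP B keeps its route: "all" not met
             {"ISP-A": down, "ISP-B": down}]    # both monitors failed -> no default route
    return [state.tick(s) for s in steps]
```

The last step is the case to plan for: if every monitored destination is unreachable from both ISPs, both routes are withdrawn and the firewall has no default route at all, so probe targets should be chosen per ISP and not share a single upstream dependency.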
