Dual ISP Active/Active Best Practice?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Dual ISP Active/Active Best Practice?

L0 Member

Hi all,

 

We are in a situation now where we are trying to effectively configure our new dual ISP circuits in our primary location. Our initial thought was we would leverage these circuits using PBF and manually govern traffic flow. Ex: All video traffic to streaming-service, go out ISP-A. All web traffic, use ISP-B, etc. We were looking at PBF to do this based on application.

 

However, through our research, we saw ECMP and was looking at that as the active/active solution since it seems rather straight forward to setup without any major lifts that could potentially cause production issues. However, from reading and research, while not explicitly stated, it would appear that you either use ECMP or PBF, but not both. Is this correct? If so, is there any way with ECMP to govern what traffic goes over what link? I’m assuming not as it appears the entire point of ECMP is to be as dynamic as possible…”set it and forget it”, so to speak.

 

Any thoughts you can weight in on would be appreciated as we now have dual circuits we want to utilize from not on a failover perspective, but also active-active, if possible. However, we can see the need for traffic engineering where we have control over what traffic goes over what link.

 

To better understand our PA landscape - we are using 1 virtual router, ISP circuits are connected to a switch and then we are using sub-interface tagging for the termination on the Palo Alto. 

 

Thank you in advance!

3 REPLIES 3

Cyber Elite
Cyber Elite

Hello,

So one thing to remember is that PBF takes affect before the virtual router. Meaning it will follow PBF before anything the virtual router does. PBF is great if you always want traffic to flow down one path, i.e. video traffic going out ISP B. ECMP does a lot of load balancing for you. Check out this video, it might help you decide.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClH0CAK

 

Regards,

L6 Presenter

Also if you have Panorama you may check the SD-WAN option of the Palo Alto firewalls.You may ask for SD-WAN test license to see if it is for you.

L6 Presenter

Hi @JNicoletti ,

 

As per the requirement given, there would be two approaches.

 

1. As stated by @OtakarKlier You can have PBF rule for specific traffic. And as PBF take effect before VR so for that specific traffic 2nd ISP will get used. And for rest traffic, primary ISP will get used with the help of routes mentioned on the VR. In this scenario, both ISP will get used in real time. Additionally, you can use the monitoring profiles for monitoring the internet reachability from each circuit. At any point if internet becomes unreachable then with the help of monitoring profile you can failover the traffic to the other available ISP.

 

2. Second approach would be use of ECMP. With ECMP, you can load balance all the internet traffic on both the ISPs in real time. Also both ISP can also work as a failover for each other using path monitoring feature on the static route. Kindly refer below article for ECMP.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF8CAK

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks
  • 9525 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!