04-23-2021 01:19 PM - edited 04-23-2021 01:38 PM
Hi all,
We are in a situation now where we are trying to effectively configure our new dual ISP circuits in our primary location. Our initial thought was we would leverage these circuits using PBF and manually govern traffic flow. Ex: all video traffic to a streaming service goes out ISP-A; all web traffic uses ISP-B, etc. We were looking at PBF to do this based on application.
However, through our research, we saw ECMP and were looking at that as the active/active solution since it seems rather straightforward to set up without any major lifts that could potentially cause production issues. However, from reading and research, while not explicitly stated, it would appear that you either use ECMP or PBF, but not both. Is this correct? If so, is there any way with ECMP to govern what traffic goes over what link? I'm assuming not, as it appears the entire point of ECMP is to be as dynamic as possible: "set it and forget it", so to speak.
Any thoughts you can weigh in with would be appreciated, as we now have dual circuits we want to utilize not only from a failover perspective but also active-active, if possible. However, we can see the need for traffic engineering where we have control over what traffic goes over what link.
To better understand our PA landscape: we are using 1 virtual router, the ISP circuits are connected to a switch, and then we are using sub-interface tagging for the termination on the Palo Alto.
Thank you in advance!
04-23-2021 02:32 PM
Hello,
So one thing to remember is that PBF takes effect before the virtual router, meaning it will follow PBF before anything the virtual router does. PBF is great if you always want traffic to flow down one path, i.e. video traffic going out ISP B. ECMP does a lot of load balancing for you. Check out this video; it might help you decide.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClH0CAK
Regards,
04-26-2021 12:07 AM - edited 04-26-2021 01:03 AM
Also, if you have Panorama, you may check the SD-WAN option of the Palo Alto firewalls. You may ask for an SD-WAN test license to see if it is for you.
04-26-2021 02:34 AM - edited 04-26-2021 02:35 AM
Hi @JNicoletti ,
As per the requirement given, there would be two approaches.
1. As stated by @OtakarKlier, you can have a PBF rule for specific traffic. As PBF takes effect before the VR, the 2nd ISP will get used for that specific traffic, and for the rest of the traffic the primary ISP will get used with the help of the routes mentioned on the VR. In this scenario, both ISPs will get used in real time. Additionally, you can use the monitoring profiles for monitoring the internet reachability from each circuit. If at any point the internet becomes unreachable, then with the help of the monitoring profile you can fail over the traffic to the other available ISP.
2. The second approach would be the use of ECMP. With ECMP, you can load balance all the internet traffic on both ISPs in real time. Also, both ISPs can work as a failover for each other using the path monitoring feature on the static route. Kindly refer to the article below for ECMP.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF8CAK
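As an added illustration (not code from this thread or from Palo Alto Networks), here is a small Python model of the decision order the replies describe: a PBF rule is consulted before the virtual router, a PBF rule whose monitor is down is skipped, and ECMP only spreads new sessions over the equal-cost routes whose path monitor is still up. The interface names, App-ID names and the octet-sum hash are constructed stand-ins, not the firewall's real algorithm.

```python
"""Toy model of PBF-before-VR ordering with ECMP and path monitoring (not PAN-OS code)."""
from dataclasses import dataclass


@dataclass
class Route:
    egress: str               # constructed interface name, e.g. "ethernet1/1.100"
    monitor_up: bool = True   # static-route path monitoring state


@dataclass
class PbfRule:
    applications: frozenset   # App-IDs the rule matches (constructed names)
    egress: str
    monitor_up: bool = True   # PBF monitoring profile state


def _ip_hash(src_ip: str, buckets: int) -> int:
    # Stand-in for the firewall's IP-hash load balancing: sum of octets mod N.
    return sum(int(o) for o in src_ip.split(".")) % buckets


def pick_egress(app, src_ip, pbf_rules, ecmp_routes):
    """Return the egress interface for a new session, or None if no path is up."""
    for rule in pbf_rules:                 # PBF: first match wins, before the VR
        if app in rule.applications:
            if rule.monitor_up:
                return rule.egress
            break                          # monitor down: rule skipped, VR decides
    live = [r for r in ecmp_routes if r.monitor_up]   # ECMP over healthy paths only
    if not live:
        return None
    return live[_ip_hash(src_ip, len(live))].egress


# Constructed sample landscape: one VR, two ISP sub-interfaces, video pinned to ISP-A.
ISP_A, ISP_B = "ethernet1/1.100", "ethernet1/1.200"
PBF = [PbfRule(frozenset({"streaming-video"}), ISP_A)]
ECMP = [Route(ISP_A), Route(ISP_B)]

if __name__ == "__main__":
    print(pick_egress("streaming-video", "10.0.0.1", PBF, ECMP))   # ISP-A via PBF
    print(pick_egress("web-browsing", "10.0.0.1", PBF, ECMP))      # hashed across both
    ECMP[0].monitor_up = False                                       # ISP-A monitor fails
    print(pick_egress("web-browsing", "10.0.0.1", PBF, ECMP))      # only ISP-B remains
```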