Dual ISP - ECMP and/or PBF

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Dual ISP - ECMP and/or PBF

L2 Linker

So may be a 2-part question.  First, we have 2 ISPs both equal bandwidth so I've setup ECMP using IP Modulo do i need to set up PBF, or is that if you don't have equal ISPs?

 

2nd and the real issue.  One of my applications that is tided via public dns to my secondary isp can't be reached. I've set up NAT and Security policy to it (i think correctly) but when i monitor the traffic i never see it attempt to hit it. this is a new firewall so wondering if issue with route setup?  any advice would be appreciated.

3 REPLIES 3

Cyber Elite
Cyber Elite

ecmp can also be configured to assign a weight to each interface so the "bandwidth" is balanced the way you prefer it

 

not sure if the traffic you're describing is inbound or outbound?

on the inbound (from the internet to a service hosted internally) you can enable 'symmetric return' on the ECMP configuration to ensure packets flow back to the originating ISP

on the outbound you can create a PBF policy to force your outbound packets for your particular destination out of your preferred ISP interface

your NAT rules should be set to an egress interface so NAT is applied in corespondance to the ISP packets are egressing to

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Cyber Elite
Cyber Elite

@branedge,


@branedge wrote:

First, we have 2 ISPs both equal bandwidth so I've setup ECMP using IP Modulo do i need to set up PBF, or is that if you don't have equal ISPs?

attempt to hit it. this is a new firewall so wondering if issue with route setup?  any advice would be appreciated.


In your situation whether or not you use PBF would depend on a couple different factors. Your ECMP setup won't mandate the use of PBF by itself, however certain situations may have you wanting a subset of traffic to always exit from a given ISP. In short though, no unless you need it for something else you won't need to utilize PBF.

 


@branedge wrote:

One of my applications that is tided via public dns to my secondary isp can't be reached. I've set up NAT and Security policy to it (i think correctly) but when i monitor the traffic i never see it attempt to hit it. this is a new firewall so wondering if issue with route setup?  any advice would be appreciated.


This second question is harder to answer without knowing what you've actually configured. First and foremost, have you enabled logging on the interzone-default policy or otherwise setup a logged "deny-all" policy at the end of your rulebase? Without this setup, you could be denying the traffic and the firewall won't log it by default.

Secondly are you using symmetric return on your ECMP configuration? 

I have disabled my PBF rules for now. 

The Interzone-default policy did not have logging on (had to override it) but  i turned it on for "log at session start" only.  Should this stay on?

I have Symmetric Return enabled in ECMP but not Strict Source Path

 

Basic Layout

...not real info...

public dns record

   app1.publicdomain.com 168.x.x.x

   app2.publicdomain.com 207.x.x.x

 

Internal NAT

     app1.local.com 172.3.3.5

     app2.local.com 172.3.3.10

 

 

onsite app1 and app2 work

offsite app1 works but not app2

 

i have 2 zones (zone168 and zone 207)   - 2 physical connections

 

 

 

NAT policy

branedge_0-1688125397153.png

 

 

Security policy

branedge_1-1688125714298.png

 

 

 

   

  • 1768 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!