Incorrect QoS Configuration Caused Network Traffic Outage


L1 Bithead

Quick design question, Community. The setup is a core switch that terminates a Palo Alto for WAN and then a private circuit for internal resources back to a core in a different location. In the event they lose the WAN circuit, I need to route all the internet-bound traffic back through the private circuit. I was going to treat it like a Dual ISP setup, where the private circuit is my backup internet circuit. Looking to see if there is a better way to do it, or if this is it.

 

Thanks!!!!

1 accepted solution

Accepted Solutions

 

The quick and easy way would be to:

 

  • Create a static route to circuit one with next-hop monitoring of an IP facing your main circuit that would not reply to pings if the circuit is down (say the far IP interface).
  • Create a second static IP address with a higher metric that points to a gateway on your secondary route. When the monitoring IP is not reachable for X time, that static route is dropped from the FIB and your second route will begin to be used.
  • Make sure that OSPF has a route to get to the network from both sides, with one being less preferred, so that traffic is not blackholed at the backup site. Or, use a static route with next-hop monitoring to send traffic back over the backup link.

You could get crafty with policy based routing and use it to forward some or all traffic in one direction or another, you just need to match the policy based route on the destination side as well with a matching policy.  


We utilize both of these types of setup in our environment so I know that they work, and pretty well.

 

- Matt
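The failover behaviour the accepted solution describes, modelled in Python as an added example (this is not PAN-OS configuration and not code from the post): the monitored primary route is withdrawn from the FIB after a fixed number of missed probes, the higher-metric backup route takes over, and the primary is reinstalled once the probe succeeds again. The route names, next-hop IPs and the miss threshold are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class StaticRoute:
    name: str
    destination: str
    next_hop: str
    metric: int                      # lower metric is preferred
    monitor_ip: Optional[str] = None # probed IP; None means the route is never withdrawn
    fail_threshold: int = 3          # consecutive misses before withdrawal (the "X time")
    misses: int = 0
    installed: bool = True


def probe(route: StaticRoute, reachable: Set[str]) -> bool:
    """Apply one probe interval to a route and return whether it stays in the FIB."""
    if route.monitor_ip is None:
        return route.installed
    if route.monitor_ip in reachable:
        route.misses = 0
        route.installed = True       # primary path is back, reinstall it
    else:
        route.misses += 1
        if route.misses >= route.fail_threshold:
            route.installed = False  # dropped from the FIB, backup becomes best
    return route.installed


def select(routes: List[StaticRoute], destination: str) -> Optional[StaticRoute]:
    """Pick the installed route with the lowest metric for a destination."""
    candidates = [r for r in routes if r.installed and r.destination == destination]
    return min(candidates, key=lambda r: r.metric) if candidates else None


def build_routes() -> List[StaticRoute]:
    # Constructed sample: WAN default route with monitoring, private circuit as backup.
    return [
        StaticRoute("wan-primary", "0.0.0.0/0", "203.0.113.1", 10, monitor_ip="203.0.113.1"),
        StaticRoute("private-backup", "0.0.0.0/0", "10.0.0.1", 20),
    ]


def simulate(routes: List[StaticRoute], timeline: List[Set[str]]) -> List[Optional[str]]:
    """For each probe interval (set of reachable IPs) return the name of the active default route."""
    chosen = []
    for reachable in timeline:
        for r in routes:
            probe(r, reachable)
        best = select(routes, "0.0.0.0/0")
        chosen.append(best.name if best else None)
    return chosen
```

Note that the backup route carries no monitor here, so if both circuits fail the default route is simply gone; a monitor on the backup would reproduce the same withdrawal logic on that side.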


5 REPLIES

L4 Transporter

I would have to see a diagram of your setup but it seems like a plausible solution.  You could:

 

  • Use static route next-hop monitoring (if you are not doing dynamic routing)
  • Use policy based routing with next-hop monitoring
  • Select the next hop as decided by a dynamic routing protocol (OSPF, BGP, etc.)

The biggest thing to be concerned with would be asymmetrical routing at the other end, but if the circuit is hard down, that should be less of an issue.

 

- Matt

 

 

Thank you for the reply. I just realized the topic subject is not correct, my bad on a copy paste!

 

We are running OSPF internally for the internal circuit; I could introduce the Palo into it if it makes sense. This is a quick Visio of the design. This is a satellite office; all internal traffic goes back to their central office.

[Image: Capture.JPG (network diagram)]

 

 


Hello,

I agree with @mlinsemier's design. I have also used it very effectively. We have since changed our model a bit and use OSPF and use the weighted metrics to determine which path the traffic takes.

 

Check out this post as it is similar to yours.

 

https://live.paloaltonetworks.com/t5/General-Topics/Multi-site-dual-isp-with-redundant-VPN-connectio...

 

Cheers!

Thank you everyone for your replies!
