Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

ISP Load balancing with ECMP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

ISP Load balancing with ECMP

L1 Bithead

I have the Following Scenario on a PA-200

 

[ISP1]

Zone = Untrust

Eth1/1 = 192.168.7.110/24

Modem GW = 192.168.7.1/24

 

[ISP2]

Zone= Untrust

Eth1/2 = 192.168.5.110/24

Modem GW = 192.168.5.1/24

 

[Local LAN]

Zone=Trust

Eth1/3 = 10.1.1.1/24

Running DNS-Proxy and DHCP for Eth1/3

 

In the Default VR

Enabled ECMP

0/0 to 192.168.7.1 [ ISP1 ]

0/0 to 192.168.5.1 [ ISP2 ]

Successfull injection with equal metric and uge in forwarding table.

 

Policies

SecurityPolicy> Untust to Trust Allow. 

NATPolicy> SNAT Untrust to Trust  DIPP Eth1/1

NATPolicy> SNAT Untrust to Trust  DIPP Eth1/2

 

My issues are as following.

 

1. There has to be one SNAT Policy, the first  takes the precendence, I wonder if i can use a PBR here?

2. The Route / Forwarding Table does not take out the disconnected ISP's default route and keeps it in the table, I wonder do i need to enable BFD Bidirectional Forwarding detection, if yes PA-200 with 7.1.3 seems not to support it?

3. Is there a better design for this scenario?

 

Thank You.

Muhammad Usman

 

09-AUG-2016

Note-1 When Connecting to two ISPs at Layer 3, we can only do Link Load-Balancing or Link Sharing. We can not do Link Aggregation or Link Bonding, is possible only when we connect to ISP/s at Layer 2.

 

 

 

 

 

6 REPLIES 6

L4 Transporter

Hi Muhammed,

 

Instead of using ECMP for this, it would be preferable to use PBF. I believe this guide made by dpalani can help you set up what you are looking to achieve:

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-ISP-Redundancy-and-Load...

 

hope this helps,

Ben

L3 Networker

Muhammad,

 

The potential issue I see with PBF is that you will have to logically separate your 10.1.1.0/24 into smaller subnets to get part of the /24 range to forward to each of the ISPs. The PBF will need source information for forwarding to each ISP and using the full /24 will keep anything from getting to the second policy rule.

 

Do your ISPs support BGP? You could receive the default from each ISP, set up ecmp for BGP and assign a different zone to each ISP. Then you could create different NAT policies for each ISP zone and the NAT lookup should alternate based on ecmp.

I have an open ticket with TAC becuase I also have ECMP running but the issue is that with ECMP enabled it completely bypasses any PBR rules.  They thing this is a bug but the case is still being investigated. 

Thank You Bmorris1,

                                  I have seen this article, in my case i have a single ip network in my branch that connects to two ISPs on Static default routes, the limitations are,

  • I need to make a source NAT dipp directed towards either of the ISPs.
  • This do not do Link load balancing as i do get ECMP routes on the forwarding table And in case of ISP Failure, i need to manually source NAT DIPP to the other ISP.

 

 

Thank You for your post,

                                          I only have static default routes to the ISPs, my objective is to do link load balancing, by segmenting the /24 network i am actually segmenting my traffic to my upstream providers. 

Thank You mjillson,




                                Please do update us if you get a resolution, I have seen a similar case with my ECMP routes on the Forwarding table, when i disconnect one of my ISPs The Forwarding Table keeps indicating that the disconnected ISP is the preffered route with the * sign, I think i will end up opening a case with the support guys as well :).

 

 

  • 5136 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!