07-29-2016 06:25 PM - edited 08-09-2016 07:10 AM
I have the Following Scenario on a PA-200
[ISP1]
Zone = Untrust
Eth1/1 = 192.168.7.110/24
Modem GW = 192.168.7.1/24
[ISP2]
Zone= Untrust
Eth1/2 = 192.168.5.110/24
Modem GW = 192.168.5.1/24
[Local LAN]
Zone=Trust
Eth1/3 = 10.1.1.1/24
Running DNS-Proxy and DHCP for Eth1/3
In the Default VR
Enabled ECMP
0/0 to 192.168.7.1 [ ISP1 ]
0/0 to 192.168.5.1 [ ISP2 ]
Successful injection with equal metric and usage in forwarding table.
Policies
SecurityPolicy> Untrust to Trust Allow.
NATPolicy> SNAT Untrust to Trust DIPP Eth1/1
NATPolicy> SNAT Untrust to Trust DIPP Eth1/2
My issues are as following.
1. There has to be one SNAT Policy, the first takes the precedence, I wonder if I can use a PBR here?
2. The Route / Forwarding Table does not take out the disconnected ISP's default route and keeps it in the table, I wonder do I need to enable BFD (Bidirectional Forwarding Detection); if yes, PA-200 with 7.1.3 seems not to support it?
3. Is there a better design for this scenario?
Thank You.
Muhammad Usman
09-AUG-2016
Note-1: When connecting to two ISPs at Layer 3, we can only do Link Load-Balancing or Link Sharing. We cannot do Link Aggregation or Link Bonding; that is possible only when we connect to the ISP/s at Layer 2.
08-01-2016 02:15 AM
Hi Muhammed,
Instead of using ECMP for this, it would be preferable to use PBF. I believe this guide made by dpalani can help you set up what you are looking to achieve:
hope this helps,
Ben
08-01-2016 09:14 AM
Muhammad,
The potential issue I see with PBF is that you will have to logically separate your 10.1.1.0/24 into smaller subnets to get part of the /24 range to forward to each of the ISPs. The PBF will need source information for forwarding to each ISP and using the full /24 will keep anything from getting to the second policy rule.
Do your ISPs support BGP? You could receive the default from each ISP, set up ecmp for BGP and assign a different zone to each ISP. Then you could create different NAT policies for each ISP zone and the NAT lookup should alternate based on ecmp.
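The shadowing problem bmorris1 describes (rule 1 matching the whole /24 so nothing reaches rule 2) is a general property of first-match policy evaluation. The following added example, which is not from the thread or from Palo Alto Networks, models a rulebase as a small Python evaluator and checks which rules can never be hit. Zone names, subnets and interface names are constructed for illustration; the Trust-to-Untrust direction for the source NAT rules and the /25 split matching the PBF rules are assumptions, not configuration taken from the post.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class NatRule:
    """One source-NAT rule evaluated top-down, first match wins (constructed model)."""
    name: str
    src_zone: str
    dst_zone: str
    src_net: IPv4Network          # source address match; a /24 matches everything in the LAN
    egress_if: Optional[str]      # None means "any" egress interface


def rule_matches(rule: NatRule, src_zone: str, dst_zone: str,
                 src_ip: IPv4Address, egress_if: str) -> bool:
    return (rule.src_zone == src_zone
            and rule.dst_zone == dst_zone
            and src_ip in rule.src_net
            and (rule.egress_if is None or rule.egress_if == egress_if))


def first_match(rules: List[NatRule], src_zone: str, dst_zone: str,
                src_ip: str, egress_if: str) -> Optional[str]:
    """Return the name of the first rule that matches, or None if nothing matches."""
    ip = ip_address(src_ip)
    for rule in rules:
        if rule_matches(rule, src_zone, dst_zone, ip, egress_if):
            return rule.name
    return None


def shadowed_rules(rules: List[NatRule]) -> List[str]:
    """Names of rules whose whole match set is already covered by an earlier rule.

    A later rule is shadowed when an earlier rule has the same zone pair, a source
    network that contains the later rule's source network, and an egress match
    that is either 'any' or identical. Such a rule can never be reached.
    """
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            covers_egress = earlier.egress_if is None or earlier.egress_if == later.egress_if
            if (earlier.src_zone == later.src_zone
                    and earlier.dst_zone == later.dst_zone
                    and later.src_net.subnet_of(earlier.src_net)
                    and covers_egress):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed rulebase resembling the post: both rules match the full LAN and the
# same zone pair, differing only in the interface used for DIPP translation.
ORIGINAL_RULES = [
    NatRule("SNAT-ISP1", "Trust", "Untrust", ip_network("10.1.1.0/24"), None),
    NatRule("SNAT-ISP2", "Trust", "Untrust", ip_network("10.1.1.0/24"), None),
]

# Constructed alternative: PBF steers 10.1.1.0/25 out ethernet1/1 and 10.1.1.128/25
# out ethernet1/2, and each NAT rule matches its own half of the LAN.
SPLIT_RULES = [
    NatRule("SNAT-ISP1", "Trust", "Untrust", ip_network("10.1.1.0/25"), "ethernet1/1"),
    NatRule("SNAT-ISP2", "Trust", "Untrust", ip_network("10.1.1.128/25"), "ethernet1/2"),
]


if __name__ == "__main__":
    print("shadowed in original rulebase:", shadowed_rules(ORIGINAL_RULES))
    print("shadowed in split rulebase:", shadowed_rules(SPLIT_RULES))
    print("10.1.1.200 via ethernet1/2 hits:",
          first_match(SPLIT_RULES, "Trust", "Untrust", "10.1.1.200", "ethernet1/2"))
```

Running the script reports `SNAT-ISP2` as unreachable in the original rulebase and nothing shadowed once the source ranges are split, which is the same conclusion the reply draws: without splitting the source space (or matching on something that differs per path), the second NAT rule is dead configuration.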
08-02-2016 07:34 AM
I have an open ticket with TAC because I also have ECMP running but the issue is that with ECMP enabled it completely bypasses any PBR rules. They think this is a bug but the case is still being investigated.
08-07-2016 03:51 AM
Thank You Bmorris1,
I have seen this article, in my case i have a single ip network in my branch that connects to two ISPs on Static default routes, the limitations are,
08-07-2016 03:59 AM
Thank You for your post,
I only have static default routes to the ISPs, my objective is to do link load balancing; by segmenting the /24 network I am actually segmenting my traffic to my upstream providers.
08-07-2016 04:09 AM
Thank You mjillson,
Please do update us if you get a resolution, I have seen a similar case with my ECMP routes on the Forwarding table, when I disconnect one of my ISPs the Forwarding Table keeps indicating that the disconnected ISP is the preferred route with the * sign, I think I will end up opening a case with the support guys as well :).