09-03-2018 08:37 AM
Hi, Community!
I'm looking for some help with a customer today 🙂
Here's the situation: a customer has a dual ISP configuration and wants the traffic both to be balanced between the routes of the two providers and that a redundancy scheme is put in place, so that in the case one ISP fails, users can go out to the internet through the other one.
I enabled ECMP on the router with the routes with the same metric, which was successful in balancing the load between the routes of the two providers. But when I tried using PBF for a kind of active/passive redundancy, not only did it invalidate the effect of ECMP (understandable, since I'm forcing traffic through a specific interface), but it didn't work. I followed the guidelines here: https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/policy/policy-based-forwarding/use-c... but when we did the test deactivating the interface for the main ISP, the other didn't "become active" (my users lost internet access).
Thoughts?
09-04-2018 05:18 AM
You'll either want to use balancing through ECMP or redundancy through PBF.
Did you disable ECMP to perform the PBF test? Without ECMP the PBF configuration should work like a charm (with ECMP results may be unpredictable).
09-04-2018 06:30 AM - edited 09-04-2018 07:44 AM
Hey, Reaper.
Thanks for replying.
1. I actually didn't disable ECMP for the tests, now that I think about it. Could we then say ECMP and PBF (for this use case) are mutually exclusive?
2. Is there a way to achieve both results? ISP redundancy in case any of the ISPs fail, but load balancing when both of them are ok.
I guess the real question is, if ECMP is balancing the load between routes, would it be able to assign the complete load to a surviving route in the case one of the ISPs fail?
09-05-2018 07:46 AM
Have you looked at using BGP instead of PBF? You could have each ISP send you provider prefixes plus the default; or just the default if your PA is too small or improved path selection isn't important.
ECMP will use routes learned through a dynamic routing protocol. If one ISP goes down, then that learned route just drops out and the path through the other ISP is taken.
09-05-2018 07:53 AM
Appreciate your reply!
I looked into some other routing protocols, but the customer wants to work with only certain established routes.
Reading more into ECMP, I think it will provide both the redundancy and load balancing the customer wants, since it will use all of the available routes and distribute the load between them, and will drop, as you mentioned, any route from a downed ISP and keep balancing the load between the available ones.
09-05-2018 07:59 AM
If you use ECMP just with static routes, it won't fail over to the other ISP if one goes down. Half the traffic will get dropped. You'll need something to determine if the path is valid, whether it's path monitoring on the static or some kind of PBF.
09-05-2018 08:02 AM - edited 09-05-2018 08:12 AM
It won't fail over to the other ISP even if it determines that the routes from the downed ISP are not valid? (using static routes).
I mean, I thought it didn't matter how the VR acquired the routes (dynamically or statically).
09-05-2018 08:47 AM
The firewall needs to be told that the static route is no longer valid. If the interface is up but the next hop is down, then the firewall has no way to know that the route is no longer valid. Or if the next hop is up but another hop further upstream is down, then the route will no longer be valid.
Path monitoring is probably the easiest way to determine a next hop is no longer valid. It's configured on the static route and pings some destination that you specify. If the ping to that destination fails, then the route is considered invalid and is removed from the routing table.
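As an added illustration, not taken from this thread or from Palo Alto Networks' documentation, here is what the setup described above (two equal-metric static default routes, ECMP enabled, path monitoring on each route so a dead ISP's route is withdrawn) looks like in PAN-OS set-command form. The virtual router name, interface names, addresses and probe targets are constructed for the example, and the exact keyword syntax should be checked against the running PAN-OS version; lines starting with # are annotations, not CLI input.

```panos
# Two equal-metric default routes: one per ISP, so ECMP can spread flows across both.
set network virtual-router default routing-table ip static-route ISP1-default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1 metric 10
set network virtual-router default routing-table ip static-route ISP2-default destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1 metric 10

# Path monitoring on ISP1's route. The probe source is the interface address on the
# ISP1 link; the destination is a host beyond ISP1's gateway (an "upstream" hop),
# so a dead gateway or a broken upstream link both withdraw the route.
set network virtual-router default routing-table ip static-route ISP1-default path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route ISP1-default path-monitor monitor-destinations ISP1-probe enable yes source 203.0.113.2/32 destination 192.0.2.10 interval 3 count 5

# Same for ISP2's route, probing through ISP2's link.
set network virtual-router default routing-table ip static-route ISP2-default path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route ISP2-default path-monitor monitor-destinations ISP2-probe enable yes source 198.51.100.2/32 destination 192.0.2.20 interval 3 count 5

# ECMP on the virtual router so both routes are installed and flows are balanced.
set network virtual-router default ecmp enable yes
set network virtual-router default ecmp algorithm ip-modulo
```

With only one monitored destination per route, "failure-condition any" and "all" behave the same; the probe target must be one that actually answers ping through that ISP, or the route will be withdrawn for the wrong reason.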
09-06-2018 08:53 AM
Oohhh, I see it now.
Thanks! I'll try it and let you know.