ISP redundancy and route load balancing.


L2 Linker

Hi, Community!

I'm looking for some help with a customer today 🙂

Here's the situation: a customer has a dual ISP configuration and wants traffic to be balanced between the two providers' routes and also a redundancy scheme in place, so that if one ISP fails, users can reach the internet through the other one.

I enabled ECMP on the router with the routes at the same metric, which succeeded in balancing the load between the two providers' routes. But when I tried using PBF for a kind of active/passive redundancy, not only did it invalidate the effect of ECMP (understandable, since I'm forcing traffic through a specific interface), but it didn't work. I followed the guidelines here: https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/policy/policy-based-forwarding/use-c... but when we tested by deactivating the interface for the main ISP, the other didn't "become active" (my users lost internet access).

Thoughts?


8 REPLIES

Cyber Elite

You'll either want to use balancing through ECMP or redundancy through PBF.

Did you disable ECMP to perform the PBF test? Without ECMP the PBF configuration should work like a charm (with ECMP, results may be unpredictable).

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hey, Reaper.

Thanks for replying.

1. I actually didn't disable ECMP for the tests, now that I think about it. Could we then say ECMP and PBF (for this use case) are mutually exclusive?

2. Is there a way to achieve both results? ISP redundancy in case any of the ISPs fail, but load balancing when both of them are OK.

I guess the real question is, if ECMP is balancing the load between routes, would it be able to assign the complete load to a surviving route in the case one of the ISPs fail?

@CMachado

Have you looked at using BGP instead of PBF?  You could have each ISP send you provider prefixes plus the default; or just the default if your PA is too small or improved path selection isn't important.

ECMP will use routes learned through a dynamic routing protocol. If one ISP goes down, then that learned route just drops out and the path through the other ISP is taken.

Appreciate your reply!

I looked into some other routing protocols, but the customer wants to work with only certain established routes.

Reading more into ECMP, I think it will provide both the redundancy and load balancing the customer wants, since it will use all of the available routes and distribute the load between them, and will drop, as you mentioned, any route from a downed ISP and keep balancing the load between the available ones.

If you use ECMP just with static routes, it won't fail over to the other ISP if one goes down. Half the traffic will get dropped. You'll need something to determine if the path is valid, whether it's path monitoring on the static or some kind of PBF. 

It won't fail over to the other ISP even if it determines that the routes from the downed ISP are not valid? (using static routes).

I mean, I thought it didn't matter how the VR acquired the routes (dynamically or statically).

The firewall needs to be told that the static route is no longer valid. If the interface is up but the next hop is down, then the firewall has no way to know that the route is no longer valid. Or if the next hop is up but another hop further upstream is down, then the route will no longer be valid.

Path monitoring is probably the easiest way to determine a next hop is no longer valid. It's configured on the static route and pings some destination that you specify. If the ping to that destination fails, then the route is considered invalid and is removed from the routing table. 
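Added example, not from this thread or from Palo Alto Networks: a PAN-OS 8.x configure-mode transcript for the setup the reply above describes, shown first in the fragile form (two equal-metric static defaults under ECMP, nothing watching the next hops) and then with path monitoring added to each route so a dead path is withdrawn from the FIB and ECMP hashes every flow onto the survivor. The node names are recalled from memory and should be checked against your PAN-OS version with `?` completion; the virtual router name, interface names, next-hop addresses and probe targets are constructed placeholders.

```text
# --- Fragile form: ECMP over two plain static default routes.
# If ISP-A's gateway (or something upstream of it) dies while ethernet1/1
# stays link-up, route ISP-A stays in the FIB and the flows ECMP hashes
# onto it are black-holed. This is the "half the traffic gets dropped" case.
configure
set network virtual-router default ecmp enable yes
set network virtual-router default ecmp max-path 2
set network virtual-router default ecmp algorithm ip-modulo
set network virtual-router default routing-table ip static-route ISP-A destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1 metric 10
set network virtual-router default routing-table ip static-route ISP-B destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1 metric 10

# --- Corrected form: path monitoring on each static route.
# Two probe targets per route: the provider gateway (catches a dead next hop)
# and a host beyond it (catches an upstream failure the gateway would hide).
# failure-condition "all" withdraws the route only when every probe fails,
# which avoids flapping on a single unreachable target. hold-time is the
# number of minutes the route stays withdrawn after probes recover.
set network virtual-router default routing-table ip static-route ISP-A path-monitor enable yes
set network virtual-router default routing-table ip static-route ISP-A path-monitor failure-condition all
set network virtual-router default routing-table ip static-route ISP-A path-monitor hold-time 2
set network virtual-router default routing-table ip static-route ISP-A path-monitor monitor-destinations gw-a enable yes
set network virtual-router default routing-table ip static-route ISP-A path-monitor monitor-destinations gw-a source 203.0.113.2/32
set network virtual-router default routing-table ip static-route ISP-A path-monitor monitor-destinations gw-a destination 203.0.113.1
set network virtual-router default routing-table ip static-route ISP-A path-monitor monitor-destinations gw-a interval 3
set network virtual-router default routing-table ip static-route ISP-A path-monitor monitor-destinations gw-a count 5
set network virtual-router default routing-table ip static-route ISP-A path-monitor monitor-destinations upstream-a enable yes
set network virtual-router default routing-table ip static-route ISP-A path-monitor monitor-destinations upstream-a source 203.0.113.2/32
set network virtual-router default routing-table ip static-route ISP-A path-monitor monitor-destinations upstream-a destination 192.0.2.53
set network virtual-router default routing-table ip static-route ISP-A path-monitor monitor-destinations upstream-a interval 3
set network virtual-router default routing-table ip static-route ISP-A path-monitor monitor-destinations upstream-a count 5

set network virtual-router default routing-table ip static-route ISP-B path-monitor enable yes
set network virtual-router default routing-table ip static-route ISP-B path-monitor failure-condition all
set network virtual-router default routing-table ip static-route ISP-B path-monitor hold-time 2
set network virtual-router default routing-table ip static-route ISP-B path-monitor monitor-destinations gw-b enable yes
set network virtual-router default routing-table ip static-route ISP-B path-monitor monitor-destinations gw-b source 198.51.100.2/32
set network virtual-router default routing-table ip static-route ISP-B path-monitor monitor-destinations gw-b destination 198.51.100.1
set network virtual-router default routing-table ip static-route ISP-B path-monitor monitor-destinations gw-b interval 3
set network virtual-router default routing-table ip static-route ISP-B path-monitor monitor-destinations gw-b count 5
set network virtual-router default routing-table ip static-route ISP-B path-monitor monitor-destinations upstream-b enable yes
set network virtual-router default routing-table ip static-route ISP-B path-monitor monitor-destinations upstream-b source 198.51.100.2/32
set network virtual-router default routing-table ip static-route ISP-B path-monitor monitor-destinations upstream-b destination 192.0.2.54
set network virtual-router default routing-table ip static-route ISP-B path-monitor monitor-destinations upstream-b interval 3
set network virtual-router default routing-table ip static-route ISP-B path-monitor monitor-destinations upstream-b count 5
commit
exit

# --- Verify: probe state per monitored destination, then confirm that
# only the routes with reachable paths are installed in the FIB.
show routing path-monitor
show routing fib virtual-router default
```

To test the failover, leave ethernet1/1 up and block or unplug the ISP-A gateway side instead of administratively disabling the firewall interface: that is the case a plain static route cannot detect, and `show routing fib` should show ISP-A withdrawn after `count × interval` seconds while ISP-B keeps carrying all flows. Pick upstream probe targets that are only reachable through that provider; a target reachable via either ISP will answer over the surviving path and keep a dead route alive.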

Oohhh, I see it now.

Thanks! I'll try it and let you know.

  • 1 accepted solution
  • 8131 Views
  • 8 replies
  • 0 Likes