Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Multiple acitve ISP's

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Multiple acitve ISP's

L2 Linker

We would like implement multiple active ISP's. There would be two ISP with each being a different provider.

It appears you can have a redundant setup with multiple ISP, but can you have two active?

1 accepted solution

Accepted Solutions

L6 Presenter

@bwilliams2:

You can certainly have two active ISP connections and route traffic to each ISP using Policy Based Forwarding and/or dynamic routing protocols.

What are you hoping to accomplish with your two ISP setup?

-Benjamin

View solution in original post

11 REPLIES 11

L6 Presenter

@bwilliams2:

You can certainly have two active ISP connections and route traffic to each ISP using Policy Based Forwarding and/or dynamic routing protocols.

What are you hoping to accomplish with your two ISP setup?

-Benjamin

L0 Member

Will you be setup on BGP multihoming or will you just have two 0.0.0.0/0 routes?

@bpappas:

The goal is to ensure we are "always" connected. With the shift to the cloud we do not want to limit our connection to one ISP.

@cityofkindsland

I am not sure about the routing at this point. I think I am going to push for a failover connection as apposed to an active-active connection. I am hoping to find an ISP that will allow us to use them on a retainer basis and only pay full price when we reach X amount of data or something along though lines.

Thanks.

failover is a great way to go!  cost savings are great compared to paying for another full service line.

to do this you will go to your virtual router, enter in a 0.0.0.0/0 route out to your failover line with a higher administrative distance than that of your existing link (which should be already set to be 1)

This tells the router use the primary link until it it no longer reachable, after that link goes down use backup link.

Good Luck, let me know if you need anymore help configuing this!

L2 Linker

The plan now is move forward with dual ISP's and have both active and load balanced.

Is it possible to load balance outgoing connections?

Currently there is no way to load balance outgoing connections.

You can use PBF for failover but nothing more.

I think with PBF you can only load-balance manually, e.g. choose which (apps/source/destinations) to send via which route. We looked into this in the past and realized that to do this properly you need another device, like an F5 box.

Retired Member
Not applicable

Proper load balancing would require ECMP or per-packet/per-flow load balancing. PAN does not support that at this time. So that means unless you want to use PBF to selectively route traffic over one link or the other, you cannot utilize both ISP links at same time.

-Richard

Helo rkim...

 

Is is still not possible to implement dynamic load balancing with PAN? What about ECMP in PAN OS 7.0.3?

 

Even when Palo Alto Networks is a visibly higher security solution,  many of our competitors offers load balancing and fault tolerance with their NGF boxes.

 

Best Regards

Community Team Member

Hi,

 

As of PanOS 7.0, ECMP is indeed supported :

 

https://paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/networking-features/ecmp.html#...

 

Regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

ECMP in OS 8 is good with path monitoring that can monitor heartbeat of multiple link .

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/networking/static-route-removal-base...

 

  • 1 accepted solution
  • 17453 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!