Separate Internet Connections

Simon.Cardman
L1 Bithead

Hi

First time here, so after some advice.

We have a Palo Alto 3020 providing internet access and DMZ, all is running fine.

I have to order another internet circuit; which is the best way to connect / configure this?

1. Create an LACP port channel on the inside and use 2 Gig interfaces as the new inside (traffic will go up to 2GB).

Create a second outside interface and let the Palo do PBF to forward specific traffic over the second internet connection.

Can Palo Alto do Port Aggregation forwarding over both ports?

2. Have a separate Inside interface (separate IP) and a separate Outside interface to the new internet access cct, and create Policy Based Routing on the Cisco Edge to route specific traffic to the new inside interface and through to the new outside interface?

Just thought I would ask in case anyone has done this before.

thanks

Simon


All Replies
pulukas
L7 Applicator

You basically have two options when using multiple upstreams, and you outline one of them here, which is PBR.

The other option is to place the new ISP in a separate virtual router and then connect the downstream users up to this separate feed. So if you have a clear set of routing rules to fork the traffic into the PA on a separate LAG or interface, the VR option can be easier to set up and maintain.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center


Brandon_Wertz
Cyber Elite

@Simon.Cardman what's the desire in the second ISP?

Really, if you had one or 20 ISP circuits into your network it should have no bearing on your firewall.

ISP circuits should be terminating on an edge router. The edge router connects to a switch. Your 3020 HA pair should connect into that switch.

If you configure your edge routers to share routes via BGP, your DMZ FW could send traffic up to any edge router and the routers would properly forward the firewall traffic to its destination.

OtakarKlier
Cyber Elite

Hello,

I guess it really depends on what you are attempting to accomplish. I have configured systems to be failover: 1 ISP fails so all traffic goes over the other. I have also split traffic, say VPN traffic over 1 ISP and browsing traffic to the other.

https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-Multiple-ISPs/ta-p/67831

However, of your two options, I would say I would go with 2. That way you won't run into any asymmetric routing issues, and it keeps life simple.

Hope that helps.

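The separate-virtual-router layout Steve describes, paired with Simon's option 2 (a dedicated inside interface that the Cisco edge steers the customer VLAN to), written out as an added PAN-OS set-command example; this is not configuration from the thread or from Palo Alto, and the interface numbers, zone and VR names, and the RFC 5737 / RFC 1918 addresses are assumptions. Lines beginning with # are annotations, not CLI.

```text
# --- PAN-OS, configure mode. All names and addresses below are constructed. ---

# New outside interface toward ISP2, in its own zone so policy to it is explicit
set network interface ethernet ethernet1/5 layer3 ip 203.0.113.2/30
set network interface ethernet ethernet1/5 comment "ISP2 uplink"
set zone untrust-isp2 network layer3 ethernet1/5

# Dedicated inside interface; the Cisco edge PBRs the customer-upload VLAN to 10.10.20.1
set network interface ethernet ethernet1/6 layer3 ip 10.10.20.1/30
set network interface ethernet ethernet1/6 comment "from edge: customer upload VLAN"
set zone trust-isp2 network layer3 ethernet1/6

# Separate virtual router: ISP2 gets its own default route and the main VR is untouched,
# so nothing destined for ISP2 can fall back onto ISP1 (no asymmetric return path)
set network virtual-router vr-isp2 interface [ ethernet1/5 ethernet1/6 ]
set network virtual-router vr-isp2 routing-table ip static-route default-isp2 destination 0.0.0.0/0 interface ethernet1/5 nexthop ip-address 203.0.113.1
# Return route for the source VLAN points back at the edge on the new inside link
set network virtual-router vr-isp2 routing-table ip static-route customer-vlan destination 192.168.50.0/24 interface ethernet1/6 nexthop ip-address 10.10.20.2

# Source NAT the customer VLAN behind ISP2's interface address
set rulebase nat rules snat-isp2 from trust-isp2 to untrust-isp2 source 192.168.50.0/24 destination any service any to-interface ethernet1/5 source-translation dynamic-ip-and-port interface-address interface ethernet1/5

# Security policy stays narrow: only the source VLAN, only to the customer (198.51.100.10),
# only the needed apps; anything else arriving on trust-isp2 hits the default interzone deny
set rulebase security rules allow-customer-upload from trust-isp2 to untrust-isp2 source 192.168.50.0/24 destination 198.51.100.10 application [ ssl ssh ] service application-default action allow
set rulebase security rules allow-customer-upload log-end yes

commit
```

The edge side is the route-map Simon sketched: match the source VLAN and set the next hop to 10.10.20.1. Because the new inside link is its own zone and VR, the customer VLAN is the only traffic that can reach ISP2, and the session logs on allow-customer-upload show exactly what left by that circuit.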

Simon.Cardman
L1 Bithead

@Brandon_Wertz

Hi, thanks for your response. I totally agree if you have a multi-homed design.

Unfortunately we haven't, and can't re-engineer the edge at the moment.

This is just a separate circuit to upload specific source VLANs (subnets) to a customer.

thanks

Simon
