05-12-2017 05:37 AM
Hi
First time here, so after some advice.
We have a Palo Alto 3020 providing internet access and DMZ, all is running fine.
I have to order another internet circuit, which is the best way to connect / configure this?
1. Create an LACP port channel on the inside and use 2 Gig interfaces as the new inside (traffic will go up to 2GB).
Create a second outside interface and let the Palo do PBF to forward specific traffic over the second internet connection.
Can Palo Alto do Port Aggregation forwarding over both ports?
2. Have a separate Inside interface (separate IP), separate Outside interface to the new internet access cct, create Policy Based Routing on the Cisco Edge to route specific traffic to the new inside interface and through to the new outside interface?
Just thought I would ask in case anyone has done this before
thanks
Simon
05-13-2017 07:04 AM
You basically have two options when using multiple upstreams, and you outline one of them here, which is PBR.
The other option is to place the new ISP in a separate virtual router and then connect the downstream users up to this separate feed. So if you have a clear set of routing rules to fork the traffic into the PA on a separate LAG or interface, the VR option can be easier to set up and maintain.
05-15-2017 04:05 PM
Hello,
I guess it really depends on what you are attempting to accomplish. I have configured systems to be failover, 1 ISP fails so all traffic goes over the other. I have also split traffic, say VPN traffic over 1 ISP and browsing traffic to the other.
https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-Multiple-ISPs/ta-p/67831
However, of your two options, I would say I would go with 2. That way you won't run into any asymmetric routing issues and it keeps life simple.
Hope that helps.
05-15-2017 05:37 AM
@Simon.Cardman what's the desire in the second ISP?
Really if you had one or 20 ISP circuits into your network it should have no bearing on your firewall.
ISP circuits should be terminating on an edge router. The edge router connects to a switch. Your 3020 HA pair should connect into that switch.
If you configure your edge routers to share routes via BGP your DMZ FW could send traffic up to any edge router and the routers would properly forward the firewall traffic to its destination.
05-17-2017 05:05 AM - edited 05-17-2017 05:06 AM
Hi, thanks for your response. I totally agree if you have a multi-homed design.
Unfortunately we haven't and can't re-engineer the edge at the moment.
This is just a separate circuit to upload specific source vlans (subnets) to a customer.
thanks
Simon
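For reference, an added sketch (not from this thread or from Palo Alto Networks) of what option 1 looks like in PAN-OS set commands when only the customer-bound source VLANs should leave via the second circuit: interface names, zone names, subnets, the customer prefix and next-hop addresses are placeholders, and the commands are written from memory, so check them against the CLI reference for your PAN-OS release before committing.

```text
# Second outside interface in its OWN zone, so security policy can be
# scoped to the customer circuit separately from the main internet zone.
set network interface ethernet ethernet1/5 layer3 ip 203.0.113.2/30
set network virtual-router default interface ethernet1/5
set zone untrust-isp2 network layer3 ethernet1/5

# PBF rule: match on the specific source subnets (the VLANs going to the
# customer) AND the customer's destination prefix, never "any/any", so a
# host in another VLAN cannot reach the customer link by accident.
set rulebase pbf rules to-customer-via-isp2 from zone trust
set rulebase pbf rules to-customer-via-isp2 source [ 10.10.20.0/24 10.10.30.0/24 ]
set rulebase pbf rules to-customer-via-isp2 destination 198.51.100.0/24
set rulebase pbf rules to-customer-via-isp2 action forward egress-interface ethernet1/5 nexthop ip-address 203.0.113.1

# Path monitoring: if the ISP2 next hop stops answering, disable the rule
# so the traffic falls back to the normal route instead of black-holing.
set rulebase pbf rules to-customer-via-isp2 action forward monitor profile default ip-address 203.0.113.1 disable-if-unreachable yes

# Symmetric return sends replies back out the interface they arrived on,
# which is the asymmetric-routing problem raised earlier in the thread.
set rulebase pbf rules to-customer-via-isp2 enforce-symmetric-return enabled yes nexthop-address-list 203.0.113.1

# A matching security rule is still required: PBF only picks the path,
# it does not permit the traffic.
set rulebase security rules allow-customer-isp2 from trust
set rulebase security rules allow-customer-isp2 to untrust-isp2
set rulebase security rules allow-customer-isp2 source [ 10.10.20.0/24 10.10.30.0/24 ]
set rulebase security rules allow-customer-isp2 destination 198.51.100.0/24
set rulebase security rules allow-customer-isp2 application any
set rulebase security rules allow-customer-isp2 service application-default
set rulebase security rules allow-customer-isp2 action allow
```

After committing, `show pbf rule all` and `test pbf-policy-match` on the CLI confirm which flows actually hit the rule.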