Dual ISP mapped to two different VR route, ISP Failover is not working

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Dual ISP mapped to two different VR route, ISP Failover is not working

L3 Networker

Hi team,

 Will ISP failover work, if 2 ISPs are mapped to two different VR routes? If no please say the workaround apart from changing the VR route to single.

 

 

Thanks and regards,

Akash Thangavel

Network Security Engineer

Akash Thangavel, Network Security Engineer
1 accepted solution

Accepted Solutions

Hi @AkashThangavel ,

 

Having separate Virtual-Routers for the two ISP should work for Internet failover.

As @ozheng and @149999mah3 already mentioned you don't really need to have two separate VRs, but it should still work.

 

Main VR:

- Assign primary ISP interface in main-vr

- Assign ISP interface to "Internet/Outside" zone

- Assign LAN (to your internal networks)  interface in main-vr

- Create static  default route pointing  to primary ISP. Enable path-monitor on this static route

- Create second static default route pointing to "next-vr secondary-vr".  Set metric higher than the default (let say 50)

Secondary VR:

- Assing secondary ISP  interface in secondary-vr

- Assign ISP interface to the same "Internet/Outside" zone

- Create static default route pointing to secondary  ISP. (optional enable path-monitor on this  static route)

- Create static route for your internal summarized subnet (/8, /12, /16) pointing to next-vr main-vr.

 

NAT Policy

- Create rule:

   - Source Zone "LAN/Internal" and source summairized internal subnet

   - Destination Zone "Internet/Outside" and dest address  any

   - (Must) select egress interface to be the interface connected to primary ISP

 

   - Enable  Source translation to public from primary ISP

 

- Create second NAT rule:

   - Same source  lan zone  and subnet

   - Same destination  internet zone and any address

   - (Must) Select egress interface to be interface connected to secondary ISP

 

   - Enable source translation to public IP from secondary ISP

 

 

When using primary ISP:

- Traffic from internal users will enter main-vr

- Traffic will follow  default route with lower metric and  egress  to primary ISP

- First NAT rule will be used, because traffic will match the egress interface and  apply translation to public IP from primary ISP

 

When primary ISP is down:

- Path-monitor will detect issues and "deactivate"  the static route to primary ISP

- Traffic from internal users will enter main-vr

- Traffic  will follow second default  route pointing to next-vr (because it is currently only default available)

- Traffic will enter secondary-vr and follow default route pointing to secondary ISP (as only availalbe default in that vr)

- Second NAT rule will be applied, because traffic is now egressing via interface that does not match first NAT.  This will apply translation to public IP from secondary ISP

 

When primary ISP is restored:

- Path-monitor will detect the availability of the  monitored IP and will restore the  default  route

- Traffic from users will follow restored route to primary ISP

- First NAT will be applied as it will match the egress interface

 

View solution in original post

5 REPLIES 5

L4 Transporter

Hello AkashThangavel,

 

How's the routing between the main VR and second VR?
How's the failover supposed to be done when the link on the main VR is down?

 

Any specific reason to have 2 VRs?

There is a documented configuration for 1VR only.

 

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

Customer setup, will this set up work?

Akash Thangavel, Network Security Engineer

L2 Linker

Im pretty sure both internet lines needs to be in the same VR. As far as i know, path monitoring only fails over inside the same VR.

 

/M

I need a PA document to share with the customer to accept as a SOLUTION.

 

regards,

Akash Thangavel

Network Security Engineer

Akash Thangavel, Network Security Engineer

Hi @AkashThangavel ,

 

Having separate Virtual-Routers for the two ISP should work for Internet failover.

As @ozheng and @149999mah3 already mentioned you don't really need to have two separate VRs, but it should still work.

 

Main VR:

- Assign primary ISP interface in main-vr

- Assign ISP interface to "Internet/Outside" zone

- Assign LAN (to your internal networks)  interface in main-vr

- Create static  default route pointing  to primary ISP. Enable path-monitor on this static route

- Create second static default route pointing to "next-vr secondary-vr".  Set metric higher than the default (let say 50)

Secondary VR:

- Assing secondary ISP  interface in secondary-vr

- Assign ISP interface to the same "Internet/Outside" zone

- Create static default route pointing to secondary  ISP. (optional enable path-monitor on this  static route)

- Create static route for your internal summarized subnet (/8, /12, /16) pointing to next-vr main-vr.

 

NAT Policy

- Create rule:

   - Source Zone "LAN/Internal" and source summairized internal subnet

   - Destination Zone "Internet/Outside" and dest address  any

   - (Must) select egress interface to be the interface connected to primary ISP

 

   - Enable  Source translation to public from primary ISP

 

- Create second NAT rule:

   - Same source  lan zone  and subnet

   - Same destination  internet zone and any address

   - (Must) Select egress interface to be interface connected to secondary ISP

 

   - Enable source translation to public IP from secondary ISP

 

 

When using primary ISP:

- Traffic from internal users will enter main-vr

- Traffic will follow  default route with lower metric and  egress  to primary ISP

- First NAT rule will be used, because traffic will match the egress interface and  apply translation to public IP from primary ISP

 

When primary ISP is down:

- Path-monitor will detect issues and "deactivate"  the static route to primary ISP

- Traffic from internal users will enter main-vr

- Traffic  will follow second default  route pointing to next-vr (because it is currently only default available)

- Traffic will enter secondary-vr and follow default route pointing to secondary ISP (as only availalbe default in that vr)

- Second NAT rule will be applied, because traffic is now egressing via interface that does not match first NAT.  This will apply translation to public IP from secondary ISP

 

When primary ISP is restored:

- Path-monitor will detect the availability of the  monitored IP and will restore the  default  route

- Traffic from users will follow restored route to primary ISP

- First NAT will be applied as it will match the egress interface

 

  • 1 accepted solution
  • 1718 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!