Dual ISP with VPN

I'm working on configuring a branch office firewall with two ISPs and a Site-to-Site VPN to our data center. The data center side has only 1 ISP connection.

I'm reviewing this article again, as I've used it in the past.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Fi...

It's been a while since I've done this setup, but something doesn't seem right. I get the two-VR idea, since traffic sourced from the firewall itself does not use PBR. My issue is with the default route.

Let's examine:

Interface configuration:

Configure two interfaces:

Eth 1/3: 10.185.140.138/24 (connection to ISP1) in the untrust zone

Eth 1/4: 10.80.40.38/24 (connection to ISP2) in the untrust zone

Virtual routers:

There are two virtual routers:

VR1: Primary (ISP1) (Ethernet1/3)

VR2: Secondary (ISP2) (Ethernet1/4)

On Primary VR1, they have a default route pointing to the gateway of ISP1: 0.0.0.0/0 via 10.185.140.1. Then, on Secondary VR2, they do not add a default route. I also saw a post in the comments saying that you need a static default route configured on both VR1 and VR2.

I believe both are incorrect, unless I'm missing something. If you add a static route pointing to Primary ISP1 on VR1, it will cause issues with failover, even if you also have a default route on VR2.

I'm thinking they meant to create the default route to the next hop for ISP2. If correct, wouldn't that be on VR2?
