I've started working for a new company which uses only static routing. We just turned up a second ISP at one site, but I noticed an issue with failover which is expected. When ISP 1 fails, local traffic at the site routes out ISP 2, but site-to-site traffic doesn't fail over because of the metrics on the site-to-site VPNs at the other sites. At my last job we used OSPF routing, so I didn't have these issues.

My problem here is that we aren't really hub and spoke to a data center, more so just spokes interconnecting sites with VPNs for communication between the sites when needed. Our traffic is mainly internet traffic. Since we don't really have an area 0 to pass through, can I instead put each site network, for example 192.168.1.0, area 1, 192.168.2.0, area 2, 192.168.3.0, area 3 etc., and have the tunnel interfaces tunnel.1, tunnel.2, tunnel.3 in area 0? Sort of the idea of placing everything physical in a site-based area, but the interconnecting tunnel interfaces in area 0. It's a strange idea/concept, but I'm not sure how else to achieve separate areas. I could put everything in one big area, but I feel like that's worse and less flexible for down the road where we might have a data center with centralized resources.

I also found this option below, but it'll be a lot of administrative overhead to set up: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Firewall-with-Dual-ISPs/ta-p/59774

Would love to hear some feedback and suggestions!
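As an added illustration (not part of the original post or any vendor code), here is a small Python model of the proposed layout, site LANs in their own areas and the tunnel interfaces in area 0, that checks the one OSPF rule the design depends on: every non-backbone area must be attached to area 0 through an ABR, since inter-area routes only propagate via the backbone. Router names, interface names and area IDs are hypothetical sample values.

```python
from collections import defaultdict

# Constructed model of the proposed design: each site firewall puts its LAN
# interface in its own area and its site-to-site tunnel interfaces in area 0.
# Names and areas below are hypothetical, not taken from a real configuration.
PROPOSED = {
    "fw-site1": {"ethernet1/2": "0.0.0.1", "tunnel.2": "0.0.0.0", "tunnel.3": "0.0.0.0"},
    "fw-site2": {"ethernet1/2": "0.0.0.2", "tunnel.1": "0.0.0.0", "tunnel.3": "0.0.0.0"},
    "fw-site3": {"ethernet1/2": "0.0.0.3", "tunnel.1": "0.0.0.0", "tunnel.2": "0.0.0.0"},
}
BACKBONE = "0.0.0.0"

def abrs(design):
    """Routers with interfaces in more than one area (Area Border Routers)."""
    return {r for r, ifs in design.items() if len(set(ifs.values())) > 1}

def area_members(design):
    """Map each area to the set of routers that have an interface in it."""
    members = defaultdict(set)
    for router, ifs in design.items():
        for area in ifs.values():
            members[area].add(router)
    return members

def check_design(design):
    """Return a list of area-design problems; an empty list means the layout is sound.

    Rule checked: every non-backbone area needs at least one ABR that also has an
    interface in area 0, otherwise its routes never reach the other areas.
    """
    problems = []
    members = area_members(design)
    border = abrs(design)
    if BACKBONE not in members:
        return ["no router has an interface in area 0.0.0.0"]
    for area, routers in members.items():
        if area == BACKBONE:
            continue
        attached = {r for r in routers if r in border and BACKBONE in design[r].values()}
        if not attached:
            problems.append(f"area {area} has no ABR connected to area 0.0.0.0")
    return problems

# Misconfigured variant: site 3's tunnels are left in area 3 instead of area 0, so
# area 3 never touches the backbone and site 3 is cut off from inter-area routing.
BROKEN = {**PROPOSED, "fw-site3": {"ethernet1/2": "0.0.0.3", "tunnel.1": "0.0.0.3", "tunnel.2": "0.0.0.3"}}

if __name__ == "__main__":
    print(check_design(PROPOSED))  # []
    print(check_design(BROKEN))    # ['area 0.0.0.3 has no ABR connected to area 0.0.0.0']
```

In the proposed layout every firewall is an ABR with its tunnels in area 0, so the check passes; the broken variant shows the failure mode to watch for when one site's tunnel interfaces land in the wrong area.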