DUAL ISP and PFB with single or multiple Virtual Routers

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

DUAL ISP and PFB with single or multiple Virtual Routers

L1 Bithead

Hello Palo Alto Community! I am reaching out because I am stuck and a bit confused about what I've seen online when it comes to configuring dual ISP and PFB (which that part I understand) but when configuring the Virtual Routers section. Some only create a single VR with both ISP and their next hops and others create their ISP each VRs and then there is a return internal network and their next hop is a VR. Here's what I have done so far:

 

We have two ISPs (Comcast & AT&T) and would like for both of these ISP links to be routing traffic. I have read and reviewed a few Palo Alto-supported documentation & blogs from other sites. I've configured a few things on our firewall but I am not 100% clear on a few configurations that I have done to make sure it will work properly before going live.

Here's what I've done so far:

• Interfaces:
o Eth. 1/1 (native VLAN) and along subinterfaces for LAN
o Eth. 1/10 for AT&T ISP Link
o Eth. 1/12 for Comcast ISP Link

 

• Zones:
o Created ISP_ATT & assigned Eth 1/9 to it
o Created ISP_Comcast & have not assigned eth 1/12 yet
o Created Trust for LAN networks
o Created Azure-S2S with Tunnel.1 & .2 (for failover)

 

• Created two virtual routers one for each ISP link:
o Primary-ISP-Comcast (will have ethernet 1/12 assigned)
o Secondary-ISP-ATT
 Eth 1/9 is for AT&T ISP/Link
 Eth 1/10 is for PC connected directly
 Tunnnel.2 for Asure S2S VPN (as a backup route)

 

o For Statis Routes for Primary-ISP-Comcast, do I create just Comcast’s network with its next-hop IP (which is already created)? And what about the other internal networks? Do I need to create for each internal/LAN network a route to point to the next VR, which in this case is AT&T ISP or Comcast?


o For the static routes for Secondary-ISP-ATT, besides configuring AT&T's next-hop IP address, what else would I need to do?

• Also, for the static route in IPv4, do I need to enable “Path Monitoring”?
• Finally, the PBF, is my understanding is that in the “Forwarding” tab, I need to enter Comcast’s IP address and monitor it as well so that if it fails, all traffic is routed out of the AT&T ISP link, right?

 

Thank you all!

 

#dualisp #PFB #virtualrouters #staticRoutes

1 REPLY 1

Cyber Elite
Cyber Elite

the design depends on what you need

if you simply want to double your bandwidth while providing redundancy, you can simply put everything on one VR and enable ECMP on both ISP links

 

it gets a little more difficult once you start hosting services or need to set up redundant ipsec tunnels on both ISPs

for hosted internal services you can keep using ECMP but you will need to create PBF rules that enable symmetric return, for fully redundant ipsec tunnels you'll want the multi-VR setup so the VPN traffic is more easily controlled

 

lastly if you want to control which traffic is sent over each ISP, you can also use single VR with PBF rules sending trqffic to the appropriate ISP

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 2766 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!