09-11-2023 12:44 AM
Hi team,
Will ISP failover work if the 2 ISPs are mapped to two different VR routes? If not, please describe the workaround apart from changing the VR route to a single one.
Thanks and regards,
Akash Thangavel
Network Security Engineer
09-14-2023 02:04 AM
Hi @AkashThangavel ,
Having separate Virtual Routers for the two ISPs should work for Internet failover.
As @ozheng and @149999mah3 already mentioned, you don't really need to have two separate VRs, but it should still work.
Main VR:
- Assign primary ISP interface in main-vr
- Assign ISP interface to "Internet/Outside" zone
- Assign LAN (to your internal networks) interface in main-vr
- Create static default route pointing to primary ISP. Enable path-monitor on this static route
- Create second static default route pointing to "next-vr secondary-vr". Set metric higher than the default (let's say 50)
Secondary VR:
- Assign secondary ISP interface in secondary-vr
- Assign ISP interface to the same "Internet/Outside" zone
- Create static default route pointing to secondary ISP. (optional enable path-monitor on this static route)
- Create static route for your internal summarized subnet (/8, /12, /16) pointing to next-vr main-vr.
NAT Policy
- Create rule:
- Source Zone "LAN/Internal" and source summarized internal subnet
- Destination Zone "Internet/Outside" and dest address any
- (Must) select egress interface to be the interface connected to primary ISP
- Enable Source translation to public from primary ISP
- Create second NAT rule:
- Same source lan zone and subnet
- Same destination internet zone and any address
- (Must) Select egress interface to be interface connected to secondary ISP
- Enable source translation to public IP from secondary ISP
When using primary ISP:
- Traffic from internal users will enter main-vr
- Traffic will follow default route with lower metric and egress to primary ISP
- First NAT rule will be used, because traffic will match the egress interface and apply translation to public IP from primary ISP
When primary ISP is down:
- Path-monitor will detect issues and "deactivate" the static route to primary ISP
- Traffic from internal users will enter main-vr
- Traffic will follow second default route pointing to next-vr (because it is currently the only default available)
- Traffic will enter secondary-vr and follow default route pointing to secondary ISP (as the only available default in that VR)
- Second NAT rule will be applied, because traffic is now egressing via interface that does not match first NAT. This will apply translation to public IP from secondary ISP
When primary ISP is restored:
- Path-monitor will detect the availability of the monitored IP and will restore the default route
- Traffic from users will follow restored route to primary ISP
- First NAT will be applied as it will match the egress interface
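To make the route and NAT selection described above easier to reason about, here is an added model (written for this edit; it is not PAN-OS code and not part of the thread) that simulates the two-VR lookup: longest-prefix match with metric tie-break, withdrawal of a path-monitored route when its target is unreachable, the "next-vr" hop into secondary-vr, and NAT rule selection keyed on the egress interface. The interface names (ethernet1/1 primary ISP, ethernet1/2 secondary ISP, ethernet1/3 LAN), the addresses, the monitor target and the rule names are all constructed, and the LAN connected route is represented as an explicit static route for simplicity.

```python
"""Model of the two-VR ISP failover from the thread (added example, not PAN-OS code).
Interface names, addresses, monitor target and rule names are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    name: str
    destination: str                       # prefix in CIDR notation
    metric: int
    interface: Optional[str] = None        # egress interface when this VR forwards itself
    next_vr: Optional[str] = None          # "next-vr" hop: hand the packet to another VR
    monitor_target: Optional[str] = None   # path-monitor target; route withdrawn when unreachable


@dataclass
class VirtualRouter:
    name: str
    routes: list

    def lookup(self, dst: str, reachable: set) -> Optional[StaticRoute]:
        """Longest-prefix match over routes whose path-monitor (if any) is up; lowest metric breaks ties."""
        ip = ipaddress.ip_address(dst)
        candidates = [
            r for r in self.routes
            if ip in ipaddress.ip_network(r.destination)
            and (r.monitor_target is None or r.monitor_target in reachable)
        ]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-ipaddress.ip_network(r.destination).prefixlen, r.metric))


@dataclass(frozen=True)
class NatRule:
    name: str
    source_net: str
    egress_interface: str    # the "(Must)" egress-interface match from the answer
    translated_ip: str


def resolve_egress(vrs: dict, start_vr: str, dst: str, reachable: set, max_hops: int = 4) -> Optional[str]:
    """Follow next-vr hops until a route with a real egress interface is found."""
    vr = vrs[start_vr]
    for _ in range(max_hops):
        route = vr.lookup(dst, reachable)
        if route is None:
            return None            # no usable route in any VR: the packet is dropped
        if route.next_vr is None:
            return route.interface
        vr = vrs[route.next_vr]
    raise RuntimeError("next-vr loop between virtual routers")


def select_nat(rules: list, src: str, egress_if: str) -> Optional[NatRule]:
    """First rule whose source subnet and egress interface both match (rules are evaluated top-down)."""
    ip = ipaddress.ip_address(src)
    for r in rules:
        if ip in ipaddress.ip_network(r.source_net) and r.egress_interface == egress_if:
            return r
    return None


# Constructed topology: ethernet1/1 = primary ISP, ethernet1/2 = secondary ISP, ethernet1/3 = LAN.
VRS = {
    "main-vr": VirtualRouter("main-vr", [
        StaticRoute("to-primary", "0.0.0.0/0", 10, interface="ethernet1/1", monitor_target="203.0.113.1"),
        StaticRoute("to-secondary-vr", "0.0.0.0/0", 50, next_vr="secondary-vr"),
        StaticRoute("lan", "10.0.0.0/8", 10, interface="ethernet1/3"),   # stands in for the connected route
    ]),
    "secondary-vr": VirtualRouter("secondary-vr", [
        StaticRoute("to-secondary", "0.0.0.0/0", 10, interface="ethernet1/2"),
        StaticRoute("internal-via-main", "10.0.0.0/8", 10, next_vr="main-vr"),  # summarized internal subnet
    ]),
}
NAT_RULES = [
    NatRule("NAT-Primary", "10.0.0.0/8", "ethernet1/1", "203.0.113.10"),
    NatRule("NAT-Secondary", "10.0.0.0/8", "ethernet1/2", "198.51.100.10"),
]


def simulate(primary_isp_up: bool, src: str = "10.1.2.3", dst: str = "192.0.2.7"):
    """Return (egress interface, NAT rule name, translated source) for one LAN-to-Internet flow."""
    reachable = {"203.0.113.1"} if primary_isp_up else set()   # what the path-monitor currently sees
    egress = resolve_egress(VRS, "main-vr", dst, reachable)
    nat = select_nat(NAT_RULES, src, egress) if egress else None
    return egress, (nat.name if nat else None), (nat.translated_ip if nat else None)


if __name__ == "__main__":
    for state in (True, False, True):     # primary up, primary down, primary restored
        print("primary up" if state else "primary DOWN", "->", simulate(state))
```

Running it walks through the three states in the answer: with the monitor target reachable the flow leaves ethernet1/1 under NAT-Primary, with it unreachable the only remaining default in main-vr hands the packet to secondary-vr and the flow leaves ethernet1/2 under NAT-Secondary, and restoring the target brings the original path back. Calling `resolve_egress(VRS, "secondary-vr", "10.1.2.3", set())` shows the purpose of the summarized internal route in secondary-vr: return traffic for the LAN is handed back to main-vr and reaches ethernet1/3 even while the primary route is withdrawn.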
09-11-2023 01:02 AM
Hello AkashThangavel,
How's the routing between the main VR and second VR?
How's the failover supposed to be done when the link on the main VR is down?
Any specific reason to have 2 VRs?
There is a documented configuration for 1VR only.
Olivier
PCSNE - CISSP
Best Effort contributor
Check out our PANCast Channel
Disclaimer : All messages are my personal ones and do not represent my company's view in any way.
09-11-2023 01:12 AM
Customer setup, will this set up work?
09-12-2023 05:17 AM
I'm pretty sure both internet lines need to be in the same VR. As far as I know, path monitoring only fails over inside the same VR.
/M
09-14-2023 12:21 AM - edited 09-14-2023 12:24 AM
I need a PA document to share with the customer to accept as a SOLUTION.
regards,
Akash Thangavel
Network Security Engineer