Created On 09/25/18 18:59 PM - Last Modified 07/29/19 17:51 PM
ISP redundancy and the sharing or balancing of traffic across links (load sharing and load balancing) are the most common reasons for connecting to multiple ISPs. ISP redundancy comes into play when the primary ISP goes down and all traffic needs to be routed to the backup ISP to prevent a network outage.
For ISP redundancy, Palo Alto Networks offers a solution through policy-based forwarding (PBF) using the following setup:
In this setup, a PBF rule with path monitoring routes all traffic to the primary ISP. If the path monitor detects that the PBF path is no longer available, the rule is disabled and traffic automatically begins flowing over the backup link. For the failover to work, the routing table must still carry a default route via the backup ISP, because that is the path the traffic falls back to once the PBF rule is disabled.
Load sharing vs. load balancing: these two terms are frequently confused in networking. Often, the term load balancing is used when what is actually configured is load sharing.
Load sharing, as the term suggests, shares traffic across different links, but does not necessarily balance or evenly distribute the traffic.
Here's an example to clarify the difference between load sharing and load balancing:
PBF forces the traffic from each subnet out through a specific ISP. In this scenario, all traffic from subnet 192.168.1.0/24 is forwarded to ISP 1, and all traffic from subnet 172.16.1.0/24 is forwarded to ISP 2.
Rule 1: Subnet 192.168.1.0/24 going to 0.0.0.0/0, next hop is ISP 1
Rule 2: Subnet 172.16.1.0/24 going to 0.0.0.0/0, next hop is ISP 2
Subnet 1, however, can be much busier than Subnet 2, meaning a lot more traffic goes out to ISP 1. Traffic is shared, in this case, over ISP 1 and ISP 2, but clearly not balanced, since more traffic goes out to ISP 1.
Load balancing, on the other hand, balances traffic evenly across different links.
Palo Alto Networks supports load balancing. Proper load balancing requires ECMP (Equal-Cost Multi-Path) routing or another per-packet or per-flow distribution mechanism. Beginning with PAN-OS 7.0, PAN-OS supports ECMP, as noted by Community member adiazm in a discussion of ECMP availability in PAN-OS 7.0.3. Read the full discussion about Multiple Active ISPs here.
Enabling ECMP allows the firewall to have up to four equal-cost paths to a destination in its forwarding table, allowing the firewall to:
Load balance flows (sessions) to the same destination over multiple equal-cost links.
Efficiently use all available bandwidth on links to the same destination rather than leave some links unused.
Dynamically shift traffic to another ECMP member for the same destination if a link fails, rather than waiting for the routing protocol or the RIB to elect an alternative route. This helps reduce downtime when links fail.
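The following toy forwarding model is an added illustration, not code from this article or from Palo Alto Networks, and it is meant to make two passages above concrete: the two PBF rules (192.168.1.0/24 to ISP 1, 172.16.1.0/24 to ISP 2) and the ECMP behaviour in the list just above. The sample sessions are constructed data, the byte counts are invented, and the ECMP chooser is a simplified IP-modulo selector ((source + destination) mod number of live members) standing in for a real ECMP hash; it is not PAN-OS's implementation. Running it shows that subnet-based PBF shares traffic but leaves ISP 1 carrying almost everything, that ECMP spreads sessions across both links, and that removing a failed member from the ECMP set moves every session to the surviving link without any routing-table change.

```python
"""Toy model: subnet-based PBF (load sharing) versus ECMP (load balancing).

Added illustration only; not PAN-OS code. All flows below are constructed sample data.
"""
from collections import Counter
import ipaddress

ISP1, ISP2 = "ISP1", "ISP2"

# PBF rules from the article: rule 1 sends 192.168.1.0/24 to ISP 1, rule 2 sends
# 172.16.1.0/24 to ISP 2; both match destination 0.0.0.0/0.
PBF_RULES = [
    (ipaddress.ip_network("192.168.1.0/24"), ISP1),
    (ipaddress.ip_network("172.16.1.0/24"), ISP2),
]

# ECMP members: both ISP links are equal-cost paths to 0.0.0.0/0.
ECMP_MEMBERS = (ISP1, ISP2)

# Constructed sample sessions (src, dst, bytes). Subnet 1 is far busier than subnet 2.
FLOWS = [
    ("192.168.1.10", "198.51.100.7", 5_000_000),
    ("192.168.1.11", "198.51.100.7", 4_000_000),
    ("192.168.1.12", "203.0.113.20", 6_000_000),
    ("192.168.1.13", "203.0.113.20", 3_000_000),
    ("192.168.1.10", "203.0.113.21", 2_000_000),
    ("192.168.1.12", "198.51.100.8", 1_000_000),
    ("172.16.1.10", "198.51.100.7", 500_000),
    ("172.16.1.11", "203.0.113.21", 250_000),
]


def pbf_egress(src, dst):
    """First matching PBF rule wins; no match means fall back to the routing table (None)."""
    src_ip = ipaddress.ip_address(src)
    for subnet, link in PBF_RULES:
        if src_ip in subnet:
            return link
    return None


def ecmp_egress(src, dst, members=ECMP_MEMBERS):
    """Pick an ECMP member by IP modulo: (src + dst) mod number of live members.

    Simplified stand-in (an assumption of this example) for a hash-based ECMP method:
    every packet of a session lands on the same link, and members are chosen only
    from the live set, so a failed member is skipped without touching the RIB.
    """
    if not members:
        raise RuntimeError("no ECMP member is up")
    key = int(ipaddress.ip_address(src)) + int(ipaddress.ip_address(dst))
    return members[key % len(members)]


def live_members(down=()):
    """ECMP members currently up; a failed link is simply dropped from the set."""
    return tuple(m for m in ECMP_MEMBERS if m not in down)


def distribute(flows, choose):
    """Return (bytes per link, sessions per link) for a given egress-selection function."""
    by_bytes, by_sessions = Counter(), Counter()
    for src, dst, nbytes in flows:
        link = choose(src, dst)
        if link is not None:
            by_bytes[link] += nbytes
            by_sessions[link] += 1
    return by_bytes, by_sessions


if __name__ == "__main__":
    pbf_bytes, pbf_sessions = distribute(FLOWS, pbf_egress)
    print("PBF (load sharing):   ", dict(pbf_bytes), dict(pbf_sessions))
    ecmp_bytes, ecmp_sessions = distribute(FLOWS, ecmp_egress)
    print("ECMP (load balancing):", dict(ecmp_bytes), dict(ecmp_sessions))
    survivors = live_members(down=(ISP1,))
    failed_bytes, _ = distribute(FLOWS, lambda s, d: ecmp_egress(s, d, survivors))
    print("ECMP with ISP1 down:  ", dict(failed_bytes))
```

The ECMP result is balanced in the sense the article means (four sessions per link, roughly equal bytes here), but it is still per-session: one very large session still lands on one link, so evenly split session counts do not guarantee evenly split bandwidth.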
Read more about ECMP, load-balancing algorithms, and configuration: