PBR with 2 ISP's

Unanswered Question
May 17th, 2010

I would like to get a consensus about the best way to utilize 2 ISPs on the same Internet router. We currently have an Internet router that connects 1 ISP via a multi-link across our Serial interfaces. We now have a new ISP that we would like to begin utilizing for outbound connectivity from the trusted side of the firewall. The firewall currently has an outside interface (current ISP), DMZ interface and a trusted interface. Since we will have 2 ISPs for a short while, I'd like to go ahead and design the network to utilize both ISPs. Our external DNS resides on our current ISP for all inbound traffic. We will eventually move everything to the new ISP, but until we migrate everything over to this ISP, transition is the key.


I've looked at PBR to do this, but I'm not sure this will give me what I truly want. Does anyone have a suggestion for the best solution to implement this?


Thanks for all your assistance and guidance.


Current design

ISP1
  |
  |
  |
Rtr_Inet
  |
  |
  |
Firewall
  |
  |
Trusted


Desired design

ISP1   ISP2
  |      |
  |      |
  |      |
Rtr_Inet
  |
  |
  |
Firewall
  |
  |
Trusted

Richard Burts Mon, 05/17/2010 - 08:33

I have read your post several times and am still not clear what you are asking for. It is clear that you want to utilize both ISPs and that at some point the new ISP will replace the old ISP. But beyond that there is not a clear description of what you really want. One of the things that you say is: "We now have a new ISP that we would like to begin utilizing for outbound connectivity from the trusted side of the firewall." But it is not clear whether this is different from what you do with the old ISP or is the same.


There are several alternatives that you could consider on the Internet facing router to use both ISPs:
- you might run some dynamic routing protocol with the providers to learn some routes from each provider and achieve utilization of both providers. This might also provide the ability to fail over to the other provider if there were some problem with one of the providers.

- you might configure two static default routes, or perhaps a static default route to one and some specific static routes to the other, which would achieve utilization of both providers.

- you might configure Policy Based Routing to send certain types of traffic through one provider and the rest of the traffic through the other provider. (I have done that for a customer and it worked quite well for them.)


There is an aspect of this design which you have not mentioned and which will impact your options for using both providers. I assume that network address translation is being done. Is it done on the firewall or is it done on the router? If it is done on the firewall then you need to devise a way that the firewall will do one set of translations for traffic to one provider and a different set of translations for the other provider.


HTH


Rick
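One way to wire up the third option Rick lists (PBR on the Internet router, ISP1 kept as the default route, NAT left on the firewall), as an added example that is not from the thread or from any participant. The interface names, the 192.0.2.0/24 router-to-firewall link, the 198.51.100.1 ISP2 next hop, the 203.0.113.0/28 block assumed to be ISP2's public range and the Multilink1 name are all constructed placeholders; the IP SLA tracking goes one step beyond the thread so that policy-routed traffic falls back to ISP1 if the ISP2 next hop stops answering.

```cisco
! Added example, not the poster's or Cisco's configuration. All addresses,
! interface names and the ISP2 block (203.0.113.0/28) are constructed.
! Assumes NAT stays on the firewall, which translates hosts bound for
! ISP2 into 203.0.113.0/28, and leaves the router to pick the ISP.
!
! ISP1 remains the default path (existing multilink over the serials)
ip route 0.0.0.0 0.0.0.0 Multilink1
!
! Inbound traffic for the ISP2 block is handed to the firewall's outside
! interface so DMZ hosts can be moved to ISP2 one at a time
ip route 203.0.113.0 255.255.255.240 192.0.2.2
!
! Probe the ISP2 next hop; the route-map only uses it while it is reachable
ip sla 10
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
!
! Match on the post-NAT source: packets the firewall already translated
! into the ISP2 block must leave via ISP2, not via the ISP1 default
ip access-list extended ISP2-SOURCES
 permit ip 203.0.113.0 0.0.0.15 any
!
route-map DUAL-ISP permit 10
 match ip address ISP2-SOURCES
 set ip next-hop verify-availability 198.51.100.1 10 track 10
!
! Explicit fall-through: everything else uses the routing table (ISP1)
route-map DUAL-ISP permit 20
!
interface GigabitEthernet0/0
 description Inside link toward the firewall outside interface
 ip address 192.0.2.1 255.255.255.0
 ip policy route-map DUAL-ISP
!
interface GigabitEthernet0/1
 description ISP2 handoff
 ip address 198.51.100.2 255.255.255.252
```

The match is on the firewall's translated ISP2 addresses rather than on the trusted private ranges, because by the time packets reach the router the firewall has already rewritten the source; keeping each block's traffic on its own provider also avoids the asymmetric path that a provider's source-address filtering would otherwise drop.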

Steve Graham Mon, 05/17/2010 - 09:32

To answer some of the unknowns referenced in your response:

"But it is not clear whether this is different from what you do with the old ISP or is the same."


Currently, all outbound and inbound traffic traverses ISP1, since it is the only ISP in our environment. The idea is to design a way to have both ISPs connected to the router.
1. Allow outbound traffic to use ISP2 (currently the default route is set to ISP1).
2. Allow a transition to move Internet hosts located in the DMZ area of the firewall to ISP2 (we are implementing a new domain name for this connection that allows us to move piece by piece versus all at once).


"There is an aspect of this design which you have not mentioned and which will impact your options for using both providers. I assume that network address translation is being done. Is it done on the firewall or is it done on the router?"


All NATs are being done on the firewall currently. I'd like to keep this function on the firewall and just allow the router to determine which ISP traffic is sent outbound. But if needed, I can move the NAT to the router. On the firewall I will create a second NAT group for the new ISP. The firewall will have the same default gateway (the router).


I appreciate your response.


HTH,

Steve
