01-18-2016 02:03 PM - edited 03-05-2019 03:08 AM
Hi all, hope everyone is well !!
I am looking into how to best design/configure dynamic routing between my existing MPLS WAN and internet WAN (iWAN) that I am going to deploy, please see attached diagram for an overview of the layout. At the data center I have a Cisco 3945 router and a Palo Alto 3050. The Cisco 3945 connects to MPLS WAN and my core Nexus 7010s, talking EIGRP to both MPLS WAN and my Nexus 7010s (EIGRP only today on the Nexus 7010s). The Palo Alto connects to the internet and the Nexus 7010s (static route only on the Palo Alto 3050).
At the branch office I have a Cisco 3925 talking EIGRP to MPLS WAN and a Palo Alto 200 connects to the internet and I am leveraging Palo Alto Large Scale VPN (LSVPN) to terminate IPSec VPN tunnel between the PA200 and the PA3030.
My end goal is to get dynamic routing working where traffic can failover and failback dynamically between MPLS WAN and iWAN.
Thanks in advance !!
Danny
01-18-2016 03:07 PM
Danny
Still not sure I follow.
You currently use EIGRP across MPLS.
If you had a default route pointing to the firewalls at each site then for traffic between sites as long as MPLS was up then you would have more specific EIGRP routes and so they would be used.
If the MPLS connection went down then at the site the connection failed it would no longer be advertising routes via EIGRP so the other site no longer receives them and it would also no longer be receiving EIGRP routes.
So then both sites would use the default route pointing to the firewalls.
If the MPLS link comes back up each site advertises and receives EIGRP routes so they use MPLS again.
If you have a default route in EIGRP you want to use when MPLS is up then you can still do the above with a bit of modification.
The only other thing is each firewall needs to have routes for its own internal subnets unless you want to run a different routing protocol on the firewalls.
Does this make sense?
Jon
01-18-2016 02:19 PM
Danny
There are lots of possible ways of doing this but if you are exchanging EIGRP via MPLS then simply have a default route pointing to the firewalls.
Or do you have a default route being advertised in EIGRP already?
Jon
01-18-2016 02:46 PM
Hi Jon, thanks for the response !!!
The remote site is connected via MPLS and an IPSEC VPN tunnel between the two Palo Alto firewalls, please see attached diagram. I guess my question is how to get dynamic routing working between the Palo Alto firewall and Cisco where traffic will failover and failback dynamically.
Thanks Jon !!
Danny
01-18-2016 03:27 PM
Yes, I follow you Jon. I understand what you're saying.
I guess using a default route to the firewalls at each site would be the simplest way but only in an Active / Standby scenario where the IPSec VPN tunnel is only used for backup, correct?
I am thinking of enabling dynamic routing on the Palo Alto firewalls to exchange routes with Cisco, where I can use the IPSec VPN tunnel for non-time-sensitive traffic and for backup. How do I best accomplish this?
Thanks Jon !! very much appreciate your inputs !!
Danny
01-18-2016 03:37 PM
Yes the default route solution would be a backup solution only.
If you want to use the VPN for certain traffic then you could use a routing protocol but it could not be EIGRP obviously which means you have to factor in different ADs for routing protocols.
If, as an example, there was a destination IP subnet you wanted to send all traffic via the VPN then you could simply make sure it is not advertised by EIGRP across MPLS but I suspect it won't be as simple as that.
So say you wanted to send some traffic via MPLS and different traffic via the VPN but to the same destination IP subnet then routing protocols won't help here.
A better solution would then be PBR if your internal switches supported it where you direct specific traffic via the VPN.
It's difficult to be more precise without knowing exactly what you want.
Jon
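The two mechanisms Jon relies on above are longest-prefix match (the EIGRP-learned branch subnet beats the default route while MPLS is up, and the default takes over when EIGRP withdraws it) and administrative distance (a route to the same prefix learned from the firewall via eBGP, AD 20 on Cisco IOS, would beat the EIGRP route, AD 90, unless the BGP distance is raised). The simulation below is an added illustration, not code from this thread or from Cisco or Palo Alto; the addresses, the branch subnet and the next hops are constructed, and the AD values are the IOS defaults.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Cisco IOS default administrative distances (lower wins for an equal prefix length).
AD = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "ibgp": 200}

# Constructed topology for the data-center core: all addresses are assumptions.
MPLS_ROUTER = "10.0.0.1"     # Cisco 3945 facing the MPLS WAN
FIREWALL = "10.0.0.2"        # Palo Alto terminating the IPSec VPN
BRANCH_LAN = "10.20.0.0/16"  # subnet behind the branch router
BRANCH_HOST = "10.20.5.7"


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str
    source: str               # key into AD
    ad: Optional[int] = None  # explicit override, e.g. 'distance bgp' tuning

    def distance(self) -> int:
        return AD[self.source] if self.ad is None else self.ad


class Rib:
    """Minimal routing table: longest prefix first, then lowest AD."""

    def __init__(self):
        self.routes = set()

    def add(self, route: Route) -> None:
        self.routes.add(route)

    def withdraw(self, source: str) -> None:
        # An EIGRP adjacency loss removes every route learned from that protocol.
        self.routes = {r for r in self.routes if r.source != source}

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.distance()))


def build_dc_rib() -> Rib:
    rib = Rib()
    rib.add(Route(ip_network("0.0.0.0/0"), FIREWALL, "static"))        # default to the firewall
    rib.add(Route(ip_network(BRANCH_LAN), MPLS_ROUTER, "eigrp"))        # learned across MPLS
    return rib


def failover_scenario() -> list:
    """Next hop for a branch host while MPLS is up, down, and back up."""
    rib = build_dc_rib()
    path = [rib.lookup(BRANCH_HOST).next_hop]          # MPLS up: /16 beats /0
    rib.withdraw("eigrp")                              # MPLS down: EIGRP routes vanish
    path.append(rib.lookup(BRANCH_HOST).next_hop)      # only the default remains
    rib.add(Route(ip_network(BRANCH_LAN), MPLS_ROUTER, "eigrp"))  # MPLS restored
    path.append(rib.lookup(BRANCH_HOST).next_hop)
    return path


def ad_scenario(bgp_ad: Optional[int] = None) -> str:
    """Same prefix from the firewall via eBGP and from MPLS via EIGRP."""
    rib = build_dc_rib()
    rib.add(Route(ip_network(BRANCH_LAN), FIREWALL, "ebgp", ad=bgp_ad))
    return rib.lookup(BRANCH_HOST).next_hop


if __name__ == "__main__":
    print("failover/failback:", failover_scenario())
    print("eBGP at default AD:", ad_scenario())
    print("eBGP raised above EIGRP:", ad_scenario(95))
```

With the default distances the eBGP route from the firewall wins over the EIGRP route even while MPLS is healthy, which is the caveat Jon raises: if BGP is run to the firewalls, the external BGP distance has to be raised above 90 (on IOS with `distance bgp` under the BGP process, or by preferring EIGRP with a route-map) before EIGRP over MPLS is used as the primary path.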
01-18-2016 03:48 PM
I understand it could get messy when you start to pick and choose traffic to route.
Ideally, I would like to route voice, video and SAP traffic across MPLS and things like file sharing, email across VPN. And be able to failover and failback between MPLS and VPN dynamically.
Thanks Jon !!!
Danny
01-18-2016 04:09 PM
In terms of routing protocols it all comes down to destination IPs.
So the key thing is do you need to route traffic to the same destination IPs via both links for different traffic.
If you do then routing protocols are not the answer.
One thing I mentioned in my last response which was incorrect is the example where you only need to advertise a route via the VPN assuming no traffic to that destination subnet went via MPLS but of course that would not account for backup i.e. if the VPN fails you want to fail back to MPLS.
And the other issue is that your firewalls won't support EIGRP.
Before you decide on a solution I would work out exactly what traffic in terms of source and destination IPs you want to send via which link.
If you find that traffic for the same IPs needs to go via both links then PBR may well be the best choice.
If you can separate traffic in terms of IPs then you may be able to use a routing protocol but like I say it gets more complicated because of EIGRP so there may not be an obvious or simple solution.
Jon
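Jon's point is that a routing protocol only ever decides by destination prefix, so Danny's goal (voice, video and SAP over MPLS, file sharing and email over the VPN, to the same branch subnets, with failover both ways) needs policy-based routing that classifies on the whole flow and falls back when the preferred link is down. The classifier below is an added example, not configuration from this thread or from Cisco; the port numbers and the link-state dictionary are constructed stand-ins for the route-map match clauses and the tracked next-hop availability an IOS PBR policy would use.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MPLS, VPN, NORMAL = "mpls", "vpn", "normal-routing"

# Constructed policy: which service ports belong on which link (assumed values).
MPLS_PORTS = {5060, 5061, 3200}   # SIP, SIP over TLS, SAP DIAG
VPN_PORTS = {25, 445, 993}        # SMTP, SMB, IMAPS
INTERNAL = ip_network("10.0.0.0/8")  # constructed: site-to-site traffic only


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def classify(flow: Flow):
    """Return the preferred link for a flow, or None when no policy matches."""
    if ip_address(flow.src) not in INTERNAL or ip_address(flow.dst) not in INTERNAL:
        return None                      # internet-bound traffic: leave to the RIB
    if flow.proto in ("udp", "tcp") and flow.dport in MPLS_PORTS:
        return MPLS
    if flow.proto == "tcp" and flow.dport in VPN_PORTS:
        return VPN
    return None


def select_link(flow: Flow, link_up: dict) -> str:
    """Apply the policy with the fallback a tracked PBR next hop gives.

    link_up mirrors what 'set ip next-hop verify-availability' would report:
    a dead preferred link sends the flow over the other link, and if both are
    dead the flow drops back to ordinary destination-based routing.
    """
    preferred = classify(flow)
    if preferred is None:
        return NORMAL
    if link_up.get(preferred, False):
        return preferred
    other = VPN if preferred == MPLS else MPLS
    return other if link_up.get(other, False) else NORMAL


if __name__ == "__main__":
    both_up = {MPLS: True, VPN: True}
    voice = Flow("10.1.1.10", "10.20.1.20", "udp", 5060)
    smb = Flow("10.1.1.10", "10.20.1.30", "tcp", 445)
    print("voice, both links up:", select_link(voice, both_up))
    print("SMB, VPN down:", select_link(smb, {MPLS: True, VPN: False}))
```

Because the decision is taken per flow rather than per prefix, the same destination subnet legitimately appears on both links, which is exactly what a RIB cannot express; the cost is that the policy lives on the internal switches or routers and has to be kept in step with the EIGRP and firewall routing on each site.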
01-19-2016 02:49 PM
Hi Jon,
I am not sure if it's all doable but the end goal is I would like to be able to route traffic on both links.
The Palo Alto firewall does not support EIGRP, so if I want to exchange routes between the Palo Alto firewall and Cisco I would need to enable BGP between the two environments.
Do you have a few minutes for a quick phone call, Jon, if you don't mind? You can email me your number to dtran@behr.com and I'll call you, only if you don't mind.
Thanks Jon !!! I appreciate your time !!!
Danny
01-19-2016 03:24 PM
Danny
I can e-mail you my mobile number but I am based in UK so don't know how expensive it would be.
It is 23:30 here but I am up for a while yet so happy to discuss if you want.
If you can respond to this and if you want to I can send you an e-mail.
Jon