We’re in the process of setting up a geographically diverse backup site for all of our operations. We currently get an internet service into our head office which connects to a Palo Alto NGFW. All of the remote offices then connect back to HO through a variety of private links. We want to setup one of these sites which is connected by dark fibre as a redundancy site in the event of failures at HO. This site has an internet service with the same provider as the HO.
We’d like to install a second Palo Alto at the new site to connect to that internet service and run them as active/active. What I’m stuck on is how we will handle the /29 public block that we own which is currently statically routed to us through the HO internet service. We don’t talk BGP to the ISP and we run OSPF internally.
Am I correct in assuming that the provider can just put another static route on their edge to point our /29 towards the second internet link and it will just work through ECMP? The Palo Alto’s being active/active should then be able to handle any issues with asymmetric routing. Ideal scenario is that we can lose an internet connection or a firewall can die and everything will work without manual intervention.
No comments:
Post a Comment