Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 6 replies
  • Subscribers 6 subscribers
  • Views 1656 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Backup Internet route over MPLS

Temples90

Hi All,

Our ISP is in the process of setting up a new WAN link which has automatic BGP failover for us and i need to work out the configurations need on our UTMs in order to get internal traffic to route properly in the event of failover.

The way the new link will work is 1 connection will be install in our primary site which will be the active link and the redundant link will be install in our backup site. The 2 sites are connected via an MPLS link as per the below diagram.

In the event the primary link fails the ISP will automatically route incoming traffic via the secondary link but we are responsible for ensuring that outgoing traffic works as needed.

Reading up on this i believe that the best way to achieve this would be to add a Default Gateway to the interface on the UTM in site A which will activate uplink balancing and then use multipath routes to route the traffic. The complication is that the MPLS is currently use for traffic destined for site B and this need to continue to work.

With this in mind I'm not sure if i set the Uplink Balancing as Active\Stand By or Active\Active and what the best way configuring any multipath riles would be.

Any assistance would be greatly appreciated.

Thanks,

Andrew



This thread was automatically locked due to age.
Parents
  • 0

    Hi Andrew,

    In Site A, I prefer Active/Active with a Multipath rule that binds the outbound traffic to the interface of the Primary Line.  You will need a firewall rule in UTM B that allows traffic from Site A to reach Internet IPv4.

    Any reason to not provide the same fail over for Site B?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

    Thanks for coming back to me on this, it is greatly appreciated.

    OK that all make sense to me. I have configured the firewall up in site B ready it was just the multipath rules I was trying to get my head around. With that in mind these are the multipath rules I have devised for the setup. Will they do what I need?

    Rule 1

    • Name: Internal to Site B
    • Source: All Internal LANs (Network group object containing all internal LAN network objects)
    • Service: Any
    • Destination: Site B
    • Itf. Persistence: By Interface
    • Bind Interface – MPLS Link

    Rule 2

    • Name: Internal to Active WAN
    • Source: All Internal LANs (Network group object containing all internal LAN network objects)
    • Service: Any
    • Destination: Internet (Group object containing Internet IPv4 and IPv6)
    • Itf. Persistence: By Interface
    • Bind Interface – WAN Link

    Rule 3

    • Name: Internal to Failover WAN via Site B
    • Source: All Internal LANs (Network group object containing all internal LAN network objects)
    • Service: Any
    • Destination: Internet (Group object containing Internet IPv4 and IPv6)
    • Itf. Persistence: By Interface
    • Bind Interface – MPLS

    We will also be looking at doing the reverse for traffic in site B which I am guessing would be the above rules in reverse (and the same firewalls rules for site A to Site B traffic in reserve).

    I hope this make sense.

    Many Thanks,

    Andrew

  • 0 in reply to Temples90

    Looks good, Andrew.  Note that Rule 3 is redundant because the UTM will automatically move the traffic to the MPLS connection if the Primary goes down.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

    Thanks for your continued help with this.

    Understood on rule 3. I was thinking more on this last night and 2 things came to my mind.

    With rule one i'm guessing i need to ensure i untick the option "Skip rule on interface error" on rule 1 as i don't want that traffic to fail over if the MPLS link goes down.

    Also is rule 1 actually needed as traffic destined for site B is routed by a static route on the UTM in site A pointing it via the MPLS and so never uses the WAN interface which is what the "Uplink Balancing" affects from what i understand?

    Many Thanks,
    Andrew

Reply
  • 0 in reply to BAlfson

    Hi Bob,

    Thanks for your continued help with this.

    Understood on rule 3. I was thinking more on this last night and 2 things came to my mind.

    With rule one i'm guessing i need to ensure i untick the option "Skip rule on interface error" on rule 1 as i don't want that traffic to fail over if the MPLS link goes down.

    Also is rule 1 actually needed as traffic destined for site B is routed by a static route on the UTM in site A pointing it via the MPLS and so never uses the WAN interface which is what the "Uplink Balancing" affects from what i understand?

    Many Thanks,
    Andrew

Children
Unfiltered HTML