Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Julio_Rugel
Participant

Use two internet links in a Virtual System using a virtual router

I have a VSX cluster, with two VS, one VS as internal firewall and another VS as external firewall.

In the external VS I need to connect two internet links, although ISP redundancy is not supported for VSX, I would like to use my second internet link using PBR, for which I must configure a virtual router that receives both public interfaces and configure the advance routing for the VR. I would create a new segment between the VR and the external VS.

Is this possible??

Can I configure the NATs that I currently have in the external VS in the new VR?

If I can configure NATs on the virtual router, can I do a NAT and keep the S2S VPNs that I have on the external VS?

Your help please

0 Kudos
1 Reply
Wolfgang
Leader
Leader

Julio,

if you want to  use a virtual-router you have to dig a little bit deeper how it works and some limitation.

PBR with virtual-router in a VSX environment does not fully support all normal PBR features.

some things to decide:

- virtual-router is only supported on VSX HA, no VSLS

- PBR routes are only possible for IP-subnets, not for TCP/UDP-services ( this is available in one of the newest or future releases, I’m not sure at the moment which)

- PBR routes can have only other virtual-systems as gateway, no gateway IP address possible

- you can‘t configure firewalls or NAT rules on a virtual-router, it‘s only a router

- you can attach a virtual-router unnumbered to the virtual systems, you don‘t need to have a network segment or virtual switch for these connection

We had a customer with a similar  requirement, we used the virtual-router and PBR. We had one VS as main firewall, and two other VS with the ISP connections. VS1 with ISP1 and VS2 with ISP2. They all are connected via the virtual-router.

The main Firewall has a default-Route pointing to the virtual-router and on the virtual-router there are PBR-routes sending packets out to VS1 or VS2 (ISP1 and ISP2) regarding of the source IP subnets.

On the external VS1 and VS2 we have only limited firewall rules. They are used mainly for NAT to the ISPs and VPN entry point. Using of these scenario has some overhead and has to be really good developed before going in production. 

The requirement for the two external VS is the limitation of not having the possibility to define an IP-address as gateway  in a PBR-route.

Wolfgang