We have multiple campuses that are in Fibre to the Node NBN service areas. The cost to upgrade these campuses to full fibre starts at around $15k per campus. In lieu of this cost we have rolled out multiple VDSL FTTN connections to each campus that requires more bandwidth.
To effectively load balance these VDSL circuits we use the Equal Cost Multi Pathing (ECMP) feature on the Palo Alto edge firewall. Each VDSL circuit has a static IPv4 address in different Internet routable subnets. We asked the ISP to make sure of this as the address is dynamically assigned (it is a reservation for each VDSL circuit).
Each ISP supplied modem should be in bridge mode so that the address is assigned to the PA designated WAN interface and Internet routable. There are several components to this setup as follows:
1. Configure each WAN interface on your PA (either dhcp or static) from your bridged modems. In this example we are load balancing across two circuits. Make sure each WAN circuit is in it’s own zone, for this example I am using WAN and WAN2.
2. Configure PA PAT rules for each source zone to WAN and WAN2. Port address translation will be in this example to dynamic-ip-and-port ethernet1/1 and ethernet1/8.
3. Enable ECMP on the virtual-router for your configuration. Enable symmetric return so that reply traffic goes out the wan interface it was received on. Set the load balancing algorithm, for this example we use “Balanced Round Robin”. Sessions not packets are equally balanced across the WAN circuits. In this example the Max Path is set to ‘2’. This is the number of default gateways that are the same. In this example it is 2 WAN circuits connected to the PA with 0.0.0.0/0 routes.
4. Configure your firewall policy to enable traffic to leave the WAN and WAN2 interfaces destined for the Internet:
5. Test your setup with the following CLI command:
show routing fib virtual-router default ecmp yes
Where “default” is the name of your Virtual Router. You should see the hit column increment evenly across the two links for the same path as below:
As many Australian IT professionals would know, NBN FTTN is a lottery. If you are more 500m away from a Node then the VDSL signal degrades. If the copper was existing then your really out of luck because its not just the distance, old copper and DSL don’t mix. In our case we are 400-600m away from the nodes and the copper was of OK quality. I did use L2 VLANs to link the MDF location back to the firewall so that I didn’t add L1 copper distance, which would effect the VDSL2 signal. With these locations now that we have 2 x VDSL circuits per site and they are session load balanced with ECMP and the PA firewalls we are seeing about double effective throughput. Approx 135/45 and 110/40 speeds using fast.com.
Palo Alto also have a really good KA for this configuration which is located here.