I'm trying to figure out the best way to use 2 ISPs at the same time for redundancy.
I believe ECMP will cause problems for me because I'm using NAT. Source routing will be problematic because I have multiple inside interfaces (internal subnets wouldn't be able to see each other). I could use PBR. But I think simple static routes could work.
Instead of using default routes, I'll do this:
0.0.0.0/2 to ISP a pref 1
0.0.0.0/2 to ISP b pref 2
64.0.0.0/2 to ISP b pref 1
64.0.0.0/2 to ISP a pref 2
128.0.0.0/2 to ISP a pref 1
128.0.0.0/2 to ISP b pref 2
192.0.0.0/2 to ISP b pref 1
192.0.0.0/2 to ISP a pref 2
(use IP tracking to fallback to secondary route in case ISP fails)
That leaves me with a few questions.
1. If I also host inbound services (a web server I give people access to from the internet), will asymmetric traffic give me problems? I.e., if somebody *from* ISP a connects to my web server, and my return route is to ISP b, will traffic break? Both ISPs will be in the same zone. Or do the interfaces actually have to be the same as well?
2. Or, when the return traffic flows through the NetScreen (2nd packet of the TCP session), will the NetScreen ignore the routing table and see that it had an existing session and send it back out the same interface the first packet came in on?
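As an added worked illustration of question 1 (not part of the original post): a small Python model of the four /2 static routes with their preferences and IP-tracking fallback. It assumes the selection rule is longest prefix match, then lowest preference among next-hops whose ISP is currently up, and it deliberately does not model the firewall's stateful session handling asked about in question 2; the client addresses are constructed samples.

```python
import ipaddress

# Constructed route table mirroring the four /2 static routes in the post.
# Each entry: (prefix, next-hop ISP, preference); lower preference wins.
ROUTES = [
    ("0.0.0.0/2",   "a", 1), ("0.0.0.0/2",   "b", 2),
    ("64.0.0.0/2",  "b", 1), ("64.0.0.0/2",  "a", 2),
    ("128.0.0.0/2", "a", 1), ("128.0.0.0/2", "b", 2),
    ("192.0.0.0/2", "b", 1), ("192.0.0.0/2", "a", 2),
]


def select_route(dst, isp_up):
    """Return the ISP a packet to `dst` would exit through.

    Longest prefix match first, then lowest preference among next-hops
    whose ISP is reachable (i.e. IP tracking has not withdrawn the route).
    `isp_up` is a dict like {"a": True, "b": False} (assumed interface).
    """
    addr = ipaddress.ip_address(dst)
    candidates = [
        (ipaddress.ip_network(p), isp, pref)
        for p, isp, pref in ROUTES
        if addr in ipaddress.ip_network(p) and isp_up.get(isp, False)
    ]
    if not candidates:
        return None  # both ISPs down: no usable route
    # Longest prefix wins; among equal prefixes, the lowest preference wins.
    _net, isp, _pref = max(candidates, key=lambda c: (c[0].prefixlen, -c[2]))
    return isp


def return_path_is_asymmetric(client_ip, inbound_isp, isp_up):
    """True when the reply to an inbound connection from `client_ip`, which
    arrived via `inbound_isp`, would be routed out the other ISP."""
    out = select_route(client_ip, isp_up)
    return out is not None and out != inbound_isp


if __name__ == "__main__":
    both_up = {"a": True, "b": True}
    # A client in 64.0.0.0/2 arriving via ISP a gets its replies sent via ISP b.
    print(return_path_is_asymmetric("100.1.1.1", "a", both_up))
```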