Prisma Access
Create a High-Bandwidth Remote Network Connection
Table of Contents
Create a High-Bandwidth Remote Network Connection
Where Can I Use
This? | What Do I Need? |
|---|---|
|
|
To create a high-bandwidth remote network connection,
complete the following task.
- in Panorama, configure the Prisma Access remote network tunnels.
- (Optional) if you haven’t already, set up IKE gateways, IKE crypto and IPSec crypto profiles, and IPSec tunnels for the remote network connections you create.Make a note of the IKE and IPSec cryptographic profiles; you specify the same settings on the CPE you use to terminate the remote network connection in the remote network location.
- Determine the type of remote network deployment you have.Prisma Access deployments allocate bandwidth by allocating bandwidth per compute location or by allocating bandwidth by location.
- Onboard the remote network.
- To onboard the remote network that allocates bandwidth by compute location:
- Allocate bandwidth for the locations that you want to onboard by clicking the gear icon in theBandwidth Allocationarea.
- Enter theBandwidth Allocationyou want for eachCompute Locationthat is associated with thePrisma Access Locationsyou want to onboard.
- Wait for the bandwidth to be reflected in theAllocated Totalfield at the top of the page; then, clickOK.
- To onboard the remote network that allocates bandwidth by location, continue to the next step; you allocate bandwidth during remote network onboarding.
- Select and create four remote networks connections, specifying the following settings:
- Select the sameLocationfor each connection.
- Select theIPSec Termination Node.Select a separate IPSec termination node for each remote network connection.If you have a deployment that allocates bandwidth by location, select aBandwidthof500 Mbps.The bandwidth you select cannot exceed the total amount of bandwidth you have licensed. Use this setting to define the amount of the total licensed bandwidth you want to allocate to this location.
- EnableBGP,Advertise Default Route, andDon’t Advertise Prisma Access Routes.
- Specify the samePeer ASfor all remote network connections.This example shows aPeer ASof 2000; in this example, you select aPeer ASof 2000 for all four connections.
- (Optional) if you want to create a backup remote network, create one by selectingEnable Secondary WAN; then, select theIPSec Tunnelyou created for the backup tunnel.
Configuring a Secondary WAN is not supported in the following deployments:- If your secondary WAN is set up in active-active mode with the Primary IPSec tunnel.
- If your customer premises equipment (CPE) is set up in an Equal Cost Multipath (ECMP) configuration with the Primary and Secondary IPSec tunnel.
When complete, you have four 1000 Mbps remote network connections for the same location.Since deployments that allocate bandwidth by location have a maximum bandwidth of 500 Mbps, this configuration would provide you with 500 Mbps for each location.If you configured backup tunnels, you also have four secondary tunnels to be used for failover purposes.
- Select and make a note of theService IP AddressandEBGP Routeraddresses.You use theService IP Addressas the peer IP address when you configure the IPSec tunnel on the CPE in the remote network site, and you use these addresses and theEBGP Routeraddresses when you create static routes on the CPE.
- On the CPE in the remote network site, configure the remote network tunnels.
- The configuration in these steps use Palo Alto Networks next-generation firewalls; you can use any CPE device that supports IPSec tunnels and ECMP for this deployment.
- Bandwidth balancing depends on CPE hashing for ECMP. However, Prisma Access ensures symmetrical return of traffic.
- Create four active tunnels from the active CPE to each of the four network connections. For thePeer IPaddress, enter theService IP Addressof the remote network you received from Prisma Access in Step 5.
- (Optional) If you create backup tunnels, create them from the active CPE to each of the four network connections. For thePeer IPaddress, enter theService IP Addressof the remote network you received from Prisma Access in Step 5.
- Configure ECMP on the CPE in the remote network site.
- Select .
- Select thedefaultvirtual router, orAdda new virtual router.
- Select , thenEnableECMP with aMax Pathof4and a load balanceMethodofBalanced Round Robin.
- On the CPE in the remote network site, create static routes to the Prisma AccessService IP AddressandEBGP RouterIP addresses you retrieved in Step 5.As previously stated, dynamic routing with BGP is required for this configuration. To facilitate BGP connection between the CPE and Prisma Access’ eBGP router, you need to add a static route for the eBGP router IP address on the CPE, and the next-hop must be the tunnel interface on the CPE. You must repeat this step for all other Remote Network eBGP router IP addresses on remaining tunnels.The following example shows the route on the active CPE. If you created backup tunnels on a standby CPE, create the same routing on the standby CPE.If you are configuring a Palo Alto Networks next-generation firewall, select to add the static routes.
- Enable route redistribution on the CPE by selecting , thenAddan IPv4 route redistribution profile.
- Select ,EnableBGP on the virtual router instance, thenAddRemote Network BGP peers.
- Select , then attach the route redistribution profile you created in Step 5.
- Validate that the CPE is passing traffic on all four of its tunnels.
- Check the status of the ECMP-enabled connections from Prisma Access.
- Select , select the region where you deployed the ECMP connections, then selectStatus.
- In this area,ECMPdisplays asNo. This is expected because you are not configuring the Prisma Access ECMP load balancing feature.
- ECMP is directional from CPE to Prisma Access and Prisma Access ensures symmetrical return of the traffic from the CPE.
- SelectStatisticsto see that traffic is passing through each remote network tunnel.
When you have completed this workflow, you have created a high-bandwidth configuration for the remote network. Keep in mind that this solution is supported for outbound traffic only.