Create a High-Bandwidth Network for a Remote Site

Create a high-bandwidth network for a remote site by combining multiple Prisma Access remote network connections.
If you want to secure your branch office or site for outbound internet access with a high-bandwidth connection to Prisma Access, you can load balance traffic from your branch office or site using multiple IPSec tunnels by completing the steps in this section.
The following diagram shows four remote network connections that use the same remote site. Before onboarding, assign 2 Gbps to the compute location, which is South Korea in this example and corresponds to the remote site. 2 Gbps provides four IPSec termination nodes and each IPSec termination node provides a maximum of 500 Mbps of bandwidth. Assign each remote network connection its own IPSec termination node during the onboarding process to utilize the complete bandwidth.
This example shows four tunnels. The maximum number of tunnels you can use for a high-bandwidth connection in Prisma Access is based on the maximum number of IPSec tunnels your customer premises equipment (CPE) supports with the load balancing protocol you use.
Consider the following restrictions and recommendations before you deploy this configuration:
  • Use BGP routing for the IPSec tunnels; static routing is not supported.
  • Use this configuration for outbound internet access only.
  • Do not use tunnel monitoring on either Prisma Access or the CPE. Availability of the IPSec tunnel is determined by BGP peering between the CPE and Prisma Access’ remote network. If an IPSec tunnel goes down and the BGP connection is interrupted, the routes learned over BGP on that tunnel are automatically removed from ECMP.
  • Because you use BGP to determine when a tunnel goes down, consider the HoldTime value you have configured on your CPE. The hold timer determines the amount of time that the tunnel is down before removing the route. Prisma Access uses the default BGP HoldTime value of 90 seconds as defined by RFC 4271. If you configure a lower hold time for the BGP CPE in the remote network site, BGP uses the lower hold time value. Palo Alto Networks recommends a KeepAlive value of 10 seconds and a HoldTime value of 30 seconds for your CPE with this deployment.
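
The restrictions above can be checked against a planned site before onboarding. The following is an added example, not Palo Alto Networks code: the `Tunnel` record, the node and connection names, and the sample sites are constructed for illustration, and the aggregate figure assumes tunnels that share a termination node also share its 500 Mbps maximum.

```python
from dataclasses import dataclass

NODE_MAX_MBPS = 500       # per IPSec termination node, as stated on the page
PRISMA_HOLD_S = 90        # Prisma Access default BGP HoldTime (RFC 4271)
RECOMMENDED_HOLD_S = 30   # recommended CPE HoldTime for this deployment

@dataclass
class Tunnel:             # hypothetical record of one remote network connection
    name: str
    termination_node: str
    routing: str          # "bgp" or "static"
    tunnel_monitoring: bool
    cpe_hold_s: int

def effective_hold(cpe_hold_s: int) -> int:
    """BGP uses the lower of the CPE and Prisma Access HoldTime values."""
    return min(cpe_hold_s, PRISMA_HOLD_S)

def check_site(tunnels):
    """Return (findings, max aggregate Mbps) for one remote site."""
    findings, node_owner = [], {}
    for t in tunnels:
        if t.routing != "bgp":
            findings.append(f"{t.name}: {t.routing} routing; BGP is required")
        if t.tunnel_monitoring:
            findings.append(f"{t.name}: tunnel monitoring enabled; rely on BGP peering")
        hold = effective_hold(t.cpe_hold_s)
        if hold > RECOMMENDED_HOLD_S:
            findings.append(f"{t.name}: dead tunnel stays in ECMP up to {hold}s "
                            f"(recommended HoldTime {RECOMMENDED_HOLD_S}s)")
        first = node_owner.setdefault(t.termination_node, t.name)
        if first != t.name:
            findings.append(f"{t.name}: shares {t.termination_node} with {first}")
    return findings, len(node_owner) * NODE_MAX_MBPS

# Constructed sample: the four-tunnel site from the example above.
GOOD = [Tunnel(f"rn-{i}", f"node-{i}", "bgp", False, 30) for i in range(1, 5)]
# Constructed misconfiguration: shared node, static routing, monitoring on, long hold.
BAD = [Tunnel("rn-1", "node-1", "bgp", False, 180),
       Tunnel("rn-2", "node-1", "static", True, 30)]

if __name__ == "__main__":
    for label, site in (("good", GOOD), ("bad", BAD)):
        findings, mbps = check_site(site)
        print(label, mbps, "Mbps")
        for f in findings:
            print("  -", f)
```

A CPE HoldTime of 180 seconds is reported as 90 because the lower Prisma Access value wins, which still leaves a failed tunnel in ECMP three times longer than the recommended 30 seconds.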