Create a high-bandwidth network for a remote site by combining multiple Prisma Access remote network connections.
If you want to secure your branch office or site for outbound internet access with a high-bandwidth connection to Prisma Access, you can load balance traffic from your branch office or site across multiple IPSec tunnels by completing the steps in this section.
The following diagram shows four remote network connections that use the same remote site. Before onboarding, assign 2 Gbps to the compute location, which is South Korea in this example and corresponds to the remote site. A 2 Gbps allocation provides four IPSec termination nodes, and each IPSec termination node provides a maximum of 500 Mbps of bandwidth. Assign each remote network connection its own IPSec termination node during the onboarding process so that the complete bandwidth is used.
This example shows four tunnels. The maximum number of tunnels you can use for a high-bandwidth connection in Prisma Access is limited by the maximum number of IPSec tunnels your customer premises equipment (CPE) supports with the load balancing protocol you use.
Consider the following restrictions and recommendations before you deploy this configuration:

Use BGP routing for the IPSec tunnels; static routing is not supported.

Use this configuration for outbound internet access only.

Do not use tunnel monitoring on either Prisma Access or the CPE. Availability of an IPSec tunnel is determined by BGP peering between the CPE and the Prisma Access remote network. If an IPSec tunnel goes down and the BGP connection is interrupted, the routes learned over BGP on that tunnel are automatically removed from ECMP.

Because you use BGP to determine when a tunnel goes down, consider the HoldTime value you have configured on your CPE. The hold timer determines how long a tunnel must be down before BGP removes its routes. Prisma Access uses the default BGP HoldTime value of 90 seconds as defined by RFC 4271. If you configure a lower hold time on the BGP CPE at the remote network site, BGP uses the lower hold time value. Palo Alto Networks recommends a KeepAlive value of 10 seconds and a HoldTime value of 30 seconds for your CPE with this deployment.
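The following is an added example, not Palo Alto Networks code, that models the two sizing decisions above: how many IPSec termination nodes (and therefore tunnels) a compute-location bandwidth allocation yields at 500 Mbps per node, and how the BGP hold timer decides when a failed tunnel's routes leave the ECMP set. It assumes the RFC 4271 rule that each BGP speaker uses the smaller of its own and its peer's Hold Time, with 0 disabling the timer and any non-zero value being at least 3 seconds; the tunnel names and timestamps are constructed for illustration.

```python
"""Model of Prisma Access remote-network load balancing (added example).

Assumptions (not taken from the page): negotiated hold time is the lower
of the two peers' values per RFC 4271 section 4.2, and a tunnel's routes
leave ECMP once no BGP message has arrived within the negotiated hold time.
"""
from dataclasses import dataclass
from typing import List

MBPS_PER_TERMINATION_NODE = 500        # per the page: 500 Mbps per IPSec termination node
PRISMA_ACCESS_DEFAULT_HOLD_TIME = 90   # per the page: RFC 4271 default used by Prisma Access
RECOMMENDED_KEEPALIVE = 10             # per the page: recommended CPE KeepAlive
RECOMMENDED_HOLD_TIME = 30             # per the page: recommended CPE HoldTime


def termination_nodes_for(bandwidth_mbps: int) -> int:
    """Number of IPSec termination nodes a compute-location allocation provides."""
    if bandwidth_mbps <= 0:
        raise ValueError("bandwidth must be positive")
    return bandwidth_mbps // MBPS_PER_TERMINATION_NODE


def negotiated_hold_time(cpe_hold_time: int,
                         prisma_hold_time: int = PRISMA_ACCESS_DEFAULT_HOLD_TIME) -> int:
    """Hold time both sides actually use: the smaller of the two (RFC 4271 4.2).

    A value of 0 disables the hold timer entirely; otherwise it must be >= 3 s.
    """
    for value in (cpe_hold_time, prisma_hold_time):
        if value != 0 and value < 3:
            raise ValueError(f"hold time {value} must be 0 or at least 3 seconds")
    if cpe_hold_time == 0 or prisma_hold_time == 0:
        return 0
    return min(cpe_hold_time, prisma_hold_time)


def timer_warnings(keepalive: int, hold_time: int) -> List[str]:
    """Flag CPE timer settings that weaken failure detection for this deployment."""
    warnings = []
    if hold_time == 0:
        warnings.append("hold time 0 disables the hold timer; a dead tunnel never leaves ECMP")
    elif keepalive * 3 > hold_time:
        # RFC 4271 suggests KeepAlive at one third of Hold Time; larger values risk
        # a healthy session being torn down by a single lost keepalive.
        warnings.append("keepalive should be at most one third of the hold time")
    if hold_time > RECOMMENDED_HOLD_TIME:
        warnings.append(f"hold time {hold_time}s exceeds the recommended "
                        f"{RECOMMENDED_HOLD_TIME}s; failover takes longer")
    return warnings


@dataclass
class Tunnel:
    name: str
    last_bgp_message_at: float  # seconds on a constructed monotonic clock


def active_ecmp_paths(tunnels: List[Tunnel], now: float, hold_time: int) -> List[str]:
    """Tunnels whose BGP session is still up at `now`, i.e. still in the ECMP set.

    With hold time 0 the session never expires, so every tunnel stays active.
    """
    if hold_time == 0:
        return [t.name for t in tunnels]
    return [t.name for t in tunnels if now - t.last_bgp_message_at < hold_time]


# Constructed sample: four tunnels, one of which stopped sending BGP messages 40 s ago.
SAMPLE_TUNNELS = [
    Tunnel("tunnel-1", 100.0),
    Tunnel("tunnel-2", 100.0),
    Tunnel("tunnel-3", 100.0),
    Tunnel("tunnel-4", 60.0),   # silent since t=60
]

if __name__ == "__main__":
    nodes = termination_nodes_for(2000)
    print(f"2 Gbps -> {nodes} IPSec termination nodes / tunnels")
    for cpe_hold in (PRISMA_ACCESS_DEFAULT_HOLD_TIME, RECOMMENDED_HOLD_TIME):
        hold = negotiated_hold_time(cpe_hold)
        print(f"CPE hold {cpe_hold}s -> negotiated {hold}s -> ECMP at t=100:",
              active_ecmp_paths(SAMPLE_TUNNELS, 100.0, hold))
    print(timer_warnings(RECOMMENDED_KEEPALIVE, RECOMMENDED_HOLD_TIME))
```

Running the script shows the point of the recommendation: with the CPE left at the 90 second default, the silent tunnel is still in the ECMP set at t=100 and will keep receiving a share of traffic for up to 50 more seconds, whereas with a 30 second hold time its routes have already been withdrawn.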