Create a High-Bandwidth Connection to a Headquarters or Data Center Location

Create a high-bandwidth service connection to an HQ or data center location.
To configure multiple service connections to a single headquarters or data center location, complete the following steps.

The steps in this section use a deployment example as shown in the following diagram. In this example, the London headquarters location connects to two different service connections (London 1 and London 2) using two different IPSec tunnels that are terminated on two different customer premises equipment (CPE) interfaces (tunnel.1 and tunnel.2).

This example, and the steps in this section, use a next-generation firewall to terminate the service connections on the CPE; however, you can use any CPE that supports symmetric routing and PBF or policy-based routing.

Use these steps for guidance; each use case could require additional design and planning that are beyond the scope of this document.

Before you deploy multiple service connections from a single Prisma Access location to a single site, make sure that your network meets the following prerequisites:
- You must divide the subnets in the headquarters or data center location and advertise a unique subnet on each service connection.
- Your customer premises equipment (CPE) must support, and you must be able to configure, the following networking features:
  - Policy-based forwarding (PBF) or policy-based routing—Your CPE must be able to selectively pick a specific path for a specific local source IP address and subnet.
  - Symmetric return—You must be able to configure your CPE to ensure symmetric traffic flows to and from a specific IP address and subnet, and to configure symmetric return for failover tunnels if one of the tunnels goes down.
1. Create the service connections and establish connectivity for the IPSec tunnels used for the service connections.

   Prisma Access offers predefined IPSec templates that you can use to simplify the IPSec tunnel creation process.

   - Find the IP address to use as the remote side of the IPSec tunnel from your CPE to Prisma Access by selecting Panorama > Cloud Services > Status > Network Details, clicking the Service Connection radio button, and noting the Service IP Address for the site.
   - On your CPE, create an IPSec tunnel to the service connections. Verify that the IKE and IPSec tunnels use the same cryptographic profiles for authentication and encryption between the peers. Use the Service IP Address as the peer address for the tunnel.

     If you use a next-generation firewall as the CPE, select Network > IPSec Tunnels and create two tunnels for the service connections (tunnel.1 and tunnel.2 in the following screenshot).
2. Create virtual router settings for the CPE.

   You create BGP routing instances that advertise one subnet on one tunnel and the other subnet on the other tunnel, which ensures load balancing across the two active tunnels.

   If you are using a next-generation firewall as the CPE, select Network > Virtual Routers, Add virtual router settings, then Add a BGP Peer Group for each tunnel, specifying the following settings:

   - Specify a Router ID and AS Number of the CPE router (10.177.177.20 and 65517, respectively, in this example).
   - Specify the EBGP Router address of the service connections (Panorama > Cloud Services > Status > Network Details > Service Connection > EBGP Router) as the Peer Address for the service connections (10.0.2.12 for Service Connection 1 and 10.0.2.6 for Service Connection 2 in this example).
   - For the Local Address, you can specify the loopback address of the CPE (192.168.177.20 in this example).
3. Create a summarized subnet for the IP addresses used for both tunnels.

   Providing a summarized subnet guarantees redundancy. When both tunnels are up, traffic uses the most specific routes to reach its destination; for example, 192.168.171.0/24 uses tunnel.1 to reach its destination. Adding a summarized subnet that covers all advertised subnets (192.168.168.0/21 in this example) ensures that traffic for 192.168.171.0/24 is reachable through tunnel.2 if tunnel.1 goes down, and that traffic for 192.168.172.0/24 is reachable through tunnel.1 if tunnel.2 goes down.

   If you are using a next-generation firewall as the CPE, complete the following steps.

   - Continue to modify the virtual router profile and Add route aggregation parameters (Network > Virtual Routers > BGP > Aggregate). Enter summary subnets for the subnets you are advertising for the service connections. In this example, enter a Prefix of 192.168.168.0/21, which summarizes the two data center subnets.
   - Enter Export settings to ensure that the tunnels advertise the correct subnets. In this example, you specify an Action of deny and allow for the subnets so that the first subnet (192.168.171.0/24) is reachable from tunnel.1 and the second subnet (192.168.172.0/24) is reachable from tunnel.2.
   - (Deployments with more than two service connections only) If you require more than two service connections to connect the users to private resources for more than 2 Gbps bandwidth, add AS-PATH prepends for the exported routes so that the service connections use symmetric routing to and from the data center in the event of a failover. See Configure More than Two Service Connections to a Headquarters or Data Center Location for details.
4. To ensure symmetric return (to make sure that traffic from 192.168.171.0/24 always uses tunnel.1 and traffic from 192.168.172.0/24 always uses tunnel.2), enter PBF or policy-based routing rules.

   By default, BGP installs routes in the routing table for all destinations regardless of the preferred tunnel. The following screenshot shows that BGP advertises all destinations from the 192.168.168.0/21 subnet for tunnel.2, which might cause asymmetric routing for traffic from 192.168.171.0/24.

   To ensure symmetric routing, configure a set of PBF or policy-based routing rules. If you are using a next-generation firewall as the CPE, complete the following steps.

   - Select Policies > Policy Based Forwarding and Add a PBF policy rule.
   - Select Source and Add a Source Address to use for the PBF. In this case, you want to create a PBF for tunnel.1, so you enter the 192.168.171.0/24 subnet.
   - Select Destination/Application/Service and select Any Destination Address and Any application.
   - Select Forwarding and specify the following parameters; then, click OK:
     - Select an Action of Forward.
     - Select an Egress Interface of the tunnel to which you want to forward the IP subnet (tunnel.1 in this case).
     - Select Monitor and select the following monitoring profiles:
       - Select a Profile of default.
       - Select Disable this rule if nexthop/monitor ip is unreachable.
       - Specify an IP Address of the service connection's EBGP Router address (Panorama > Cloud Services > Status > Network Details > Service Connection > EBGP Router).

     Enabling monitoring and selecting the EBGP router address of the service connection ensures that, if tunnel.1 goes down, the firewall disables the PBF policy and routes the traffic on the tunnel that is still up (tunnel.2).
   - Repeat these steps for tunnel.2, replacing the EBGP Router address of Service Connection 1 with the address of Service Connection 2 and the subnet of tunnel.1 with the subnet of tunnel.2.

   When complete, you have two PBF policies, one for tunnel.1 and one for tunnel.2.
5. Select Network > Virtual Routers > Static Routes and assign the EBGP Router address of Service Connection 1 to the Interface of tunnel.1; then, assign the EBGP Router address of Service Connection 2 to the Interface of tunnel.2.

   Entering specific static routes for each of the router BGP addresses ensures that tunnel monitoring functions correctly, because the EBGP Router IP address of Service Connection 1 is reachable only by tunnel.1 and the EBGP Router IP address of Service Connection 2 is reachable only by tunnel.2.
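The redundancy that the summarized subnet provides and the asymmetric-routing problem that the PBF rules solve can both be checked in a small model of the two forwarding decisions. This is an added example, not Prisma Access or PAN-OS code: it uses the addresses and prefixes from this page, assumes that without PBF the CPE prefers tunnel.2 for Prisma Access destinations (as in the screenshot described above), and the host addresses used to exercise it are constructed.

```python
import ipaddress as ip

# From the page: each tunnel's EBGP router address (reachable only over its own
# tunnel because of the static routes) and the /24 exported only on that tunnel.
TUNNELS = {
    "tunnel.1": {"ebgp": "10.0.2.12", "export": "192.168.171.0/24"},
    "tunnel.2": {"ebgp": "10.0.2.6", "export": "192.168.172.0/24"},
}
SUMMARY = "192.168.168.0/21"  # aggregate route exported on both tunnels


def pbf_egress(src, up):
    """PBF rule: forward src out the tunnel whose exported /24 contains it. The
    rule monitors that tunnel's EBGP address, so it is disabled when the tunnel
    (and therefore the only static route to that address) is down."""
    for name, t in TUNNELS.items():
        if ip.ip_address(src) in ip.ip_network(t["export"]) and name in up:
            return name
    return None


def route_egress(up, preferred="tunnel.2"):
    """Plain routing: BGP installs Prisma Access destinations over both tunnels
    and one path wins regardless of source (assumed: tunnel.2 while it is up)."""
    if preferred in up:
        return preferred
    return min(up) if up else None


def cpe_egress(src, up, use_pbf=True):
    """CPE forwarding decision: a live PBF rule wins, else the routing table."""
    return (pbf_egress(src, up) if use_pbf else None) or route_egress(up)


def prisma_return(dst, up):
    """Prisma Access side: longest prefix match over what each live tunnel
    advertised, i.e. the specific /24 on its own tunnel and the /21 on both."""
    best = None
    for name in up:
        for prefix in (TUNNELS[name]["export"], SUMMARY):
            net = ip.ip_network(prefix)
            if ip.ip_address(dst) not in net:
                continue
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, name)
    return best[1] if best else None


def is_symmetric(src, up, use_pbf=True):
    """True when traffic from src leaves and returns over the same tunnel."""
    fwd = cpe_egress(src, up, use_pbf)
    return fwd is not None and fwd == prisma_return(src, up)
```

Calling is_symmetric("192.168.171.5", {"tunnel.1", "tunnel.2"}, use_pbf=False) reproduces the asymmetry the page warns about, while the same call with PBF enabled, or with only tunnel.2 up, is symmetric.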