Create a high-bandwidth network for a remote site by combining multiple Prisma Access remote network connections.

If you want to secure your branch office or site for outbound internet access with a high-bandwidth connection to Prisma Access, you can load balance traffic from your branch office or site across multiple IPSec tunnels by completing the steps in this section.

The following diagram shows four remote network connections that use the same remote site. Before onboarding, assign 4 Gbps (4000 Mbps) to the compute location, which is South Korea in this example and corresponds to the remote site. 4000 Mbps provides four IPSec termination nodes, and each IPSec termination node provides a maximum of 1000 Mbps of bandwidth. Assign each remote network connection its own IPSec termination node during the onboarding process to utilize the complete bandwidth.

This example shows four tunnels. The maximum number of tunnels you can use for a high-bandwidth connection in Prisma Access depends on the maximum number of IPSec tunnels your customer premises equipment (CPE) supports with the load balancing protocol you use.
Consider the following restrictions and recommendations before you deploy this configuration:

- Use BGP routing for the IPSec tunnels; static routing is not supported.
- Use this configuration for outbound internet access only.
- Do not use tunnel monitoring on either Prisma Access or the CPE. Availability of the IPSec tunnel is determined by BGP peering between the CPE and the Prisma Access remote network. If an IPSec tunnel goes down and the BGP connection is interrupted, the routes learned over BGP on that tunnel are automatically removed from ECMP.
- Because you use BGP to determine when a tunnel goes down, consider the HoldTime value you have configured on your CPE. The hold timer determines how long the tunnel is down before the route is removed. Prisma Access uses the default BGP HoldTime value of 90 seconds as defined by RFC 4271. If you configure a lower hold time on the BGP CPE in the remote network site, BGP uses the lower hold time value. Palo Alto Networks recommends a KeepAlive value of 10 seconds and a HoldTime value of 30 seconds for your CPE with this deployment.
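As an added example (not Prisma Access or Palo Alto Networks code), the following Python planner applies the rules above: it derives the number of IPSec termination nodes from the bandwidth assigned to the compute location, checks a planned set of tunnels and CPE BGP timers against the restrictions, and shows which tunnels remain in the ECMP set once a peer's hold timer expires. Tunnel names, node names and keepalive ages are constructed sample values.

```python
"""Planner and validator for a multi-tunnel Prisma Access remote network.
Added example; constants come from the text: 1000 Mbps per IPSec termination
node, a 90 s Prisma Access BGP HoldTime, and 10 s / 30 s CPE timers."""
from dataclasses import dataclass

NODE_MBPS = 1000        # bandwidth provided by each IPSec termination node
PRISMA_HOLD_S = 90      # Prisma Access default BGP HoldTime (RFC 4271)
RECOMMENDED = (10, 30)  # (KeepAlive, HoldTime) recommended for the CPE

@dataclass
class Tunnel:
    name: str
    node: str                      # IPSec termination node chosen at onboarding
    last_keepalive_s: float = 0.0  # seconds since the last BGP KEEPALIVE (constructed)

def nodes_for(bandwidth_mbps: int) -> int:
    """Number of IPSec termination nodes a compute-location allocation provides."""
    return bandwidth_mbps // NODE_MBPS

def effective_hold_time(cpe_hold_s: int) -> int:
    """BGP peers use the lower of the two configured HoldTime values (RFC 4271)."""
    return min(cpe_hold_s, PRISMA_HOLD_S)

def validate(bandwidth_mbps, tunnels, keepalive_s, hold_s,
             routing="bgp", tunnel_monitoring=False):
    """Return the list of problems with a planned deployment (empty means OK)."""
    problems = []
    if routing != "bgp":
        problems.append("static routing is not supported; use BGP")
    if tunnel_monitoring:
        problems.append("disable tunnel monitoring; BGP peering decides tunnel availability")
    if len(tunnels) > nodes_for(bandwidth_mbps):
        problems.append(f"{len(tunnels)} tunnels need {len(tunnels) * NODE_MBPS} Mbps, "
                        f"only {bandwidth_mbps} Mbps assigned to the compute location")
    nodes = [t.node for t in tunnels]
    if len(set(nodes)) != len(nodes):
        problems.append("assign each tunnel its own IPSec termination node")
    if hold_s < 3 * keepalive_s:  # RFC 4271 suggests KeepAlive of about one third of HoldTime
        problems.append("HoldTime should be at least three times KeepAlive")
    if (keepalive_s, hold_s) != RECOMMENDED:
        problems.append(f"recommended CPE timers: KeepAlive {RECOMMENDED[0]} s, HoldTime {RECOMMENDED[1]} s")
    return problems

def ecmp_members(tunnels, cpe_hold_s):
    """Tunnels whose routes are still in the ECMP set: once a peer's hold timer
    expires without a KEEPALIVE, its session drops and its routes are withdrawn."""
    hold = effective_hold_time(cpe_hold_s)
    return [t.name for t in tunnels if t.last_keepalive_s < hold]
```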