https://live.paloaltonetworks.com/t5/general-topics/meraki-and-palo-side-by-side-with-palo-using-bgp/m-p/388906#M90566 <P>That's the solution we're going to implement once I get the config changes to the PA, the Merakis and our Core finalized.</P><P>&nbsp;</P><P>Thanks again for your help Tom.</P> Wed, 03 Mar 2021 20:18:25 GMT qdimclark 2021-03-03T20:18:25Z https://live.paloaltonetworks.com/t5/general-topics/meraki-and-palo-side-by-side-with-palo-using-bgp/m-p/388659#M90525 <P>We currently have this setup in our datacenter. The Meraki HA pair is the VPN endpoint for our 120+ remote sites.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="setup.jpg" style="width: 849px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30130i1294079338DF37DE/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="setup.jpg" alt="setup.jpg" /></span></P><P>In a DR situation the datacenter has IP mobility, where our current static IPs will failover. This setup uses BGP through the Palo.&nbsp;With BGP enabled on the Palo HA Pair and datacenter’s internet the Meraki HA pair is inaccessible, which means the remote sites have no connectivity to the data center. The BGP config is exporting the 1.1.1.0/27 subnet, which obviously includes the Meraki IPs</P><P>&nbsp;</P><P>Can we configure a rule on the Palo to allow traffic destined for the Meraki HA Pair to go to the Merakis without any other cabling or configuration changes?&nbsp;The rule would look like this. Additionally it would allow only specific ports and protocols as needed.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-03-02 132554.jpg" style="width: 724px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30131iDFD398189CD5AF9C/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screenshot 2021-03-02 132554.jpg" alt="Screenshot 2021-03-02 132554.jpg" /></span></P><P>&nbsp;</P><P>To makes any other changes would require re-designing our current topology. We're trying to avoid that scenario for now.</P><P>&nbsp;</P><P>Thanks in advance!</P> Tue, 02 Mar 2021 18:38:52 GMT https://live.paloaltonetworks.com/t5/general-topics/meraki-and-palo-side-by-side-with-palo-using-bgp/m-p/388659#M90525 qdimclark 2021-03-02T18:38:52Z https://live.paloaltonetworks.com/t5/general-topics/meraki-and-palo-side-by-side-with-palo-using-bgp/m-p/388833#M90547 <P>the merakis will need to talk BGP as well to pick up their own IP addresses, else they'll need to be conected directly to the palo alto as a DMZ device so the palo can collect all ip's on the outside and forward the ones needed on the inside, to the merakis</P><P>&nbsp;</P><P>in this configuration you'll need to set up Uturn NAT which is probably going to interfere with ipsec performance</P> Wed, 03 Mar 2021 12:50:29 GMT https://live.paloaltonetworks.com/t5/general-topics/meraki-and-palo-side-by-side-with-palo-using-bgp/m-p/388833#M90547 reaper 2021-03-03T12:50:29Z https://live.paloaltonetworks.com/t5/general-topics/meraki-and-palo-side-by-side-with-palo-using-bgp/m-p/388858#M90553 <P>That's what I suspected. But with limited BGP knowledge I thought I'd ask.</P><P>&nbsp;</P><P>Thanks!</P><P>&nbsp;</P> Wed, 03 Mar 2021 16:11:40 GMT https://live.paloaltonetworks.com/t5/general-topics/meraki-and-palo-side-by-side-with-palo-using-bgp/m-p/388858#M90553 qdimclark 2021-03-03T16:11:40Z https://live.paloaltonetworks.com/t5/general-topics/meraki-and-palo-side-by-side-with-palo-using-bgp/m-p/388896#M90562 <P>Also, just and FYI Merakis can only use BGP within their AutoVPN (SD-WAN) feature. They can not use it in the scenario shown above.</P> Wed, 03 Mar 2021 20:05:01 GMT https://live.paloaltonetworks.com/t5/general-topics/meraki-and-palo-side-by-side-with-palo-using-bgp/m-p/388896#M90562 qdimclark 2021-03-03T20:05:01Z https://live.paloaltonetworks.com/t5/general-topics/meraki-and-palo-side-by-side-with-palo-using-bgp/m-p/388899#M90563 <P>Your best bet would be to attach the merakis as DMZ devices so only the pan needs to BGP, and then forward ipsec to the merakis</P> Wed, 03 Mar 2021 20:07:27 GMT https://live.paloaltonetworks.com/t5/general-topics/meraki-and-palo-side-by-side-with-palo-using-bgp/m-p/388899#M90563 reaper 2021-03-03T20:07:27Z https://live.paloaltonetworks.com/t5/general-topics/meraki-and-palo-side-by-side-with-palo-using-bgp/m-p/388906#M90566 <P>That's the solution we're going to implement once I get the config changes to the PA, the Merakis and our Core finalized.</P><P>&nbsp;</P><P>Thanks again for your help Tom.</P> Wed, 03 Mar 2021 20:18:25 GMT https://live.paloaltonetworks.com/t5/general-topics/meraki-and-palo-side-by-side-with-palo-using-bgp/m-p/388906#M90566 qdimclark 2021-03-03T20:18:25Z