03-02-2021 10:38 AM
We currently have this setup in our datacenter. The Meraki HA pair is the VPN endpoint for our 120+ remote sites.
In a DR situation the datacenter has IP mobility, where our current static IPs will failover. This setup uses BGP through the Palo. With BGP enabled on the Palo HA Pair and the datacenter's internet, the Meraki HA pair is inaccessible, which means the remote sites have no connectivity to the data center. The BGP config is exporting the 1.1.1.0/27 subnet, which obviously includes the Meraki IPs.
Can we configure a rule on the Palo to allow traffic destined for the Meraki HA Pair to go to the Merakis without any other cabling or configuration changes? The rule would look like this. Additionally, it would allow only specific ports and protocols as needed.
Making any other changes would require re-designing our current topology. We're trying to avoid that scenario for now.
Thanks in advance!
03-03-2021 04:50 AM
The Merakis will need to talk BGP as well to pick up their own IP addresses; otherwise they'll need to be connected directly to the Palo Alto as a DMZ device so the Palo can collect all IPs on the outside and forward the ones needed on the inside to the Merakis.
In this configuration you'll need to set up U-turn NAT, which is probably going to interfere with IPsec performance.
03-03-2021 08:11 AM
That's what I suspected. But with limited BGP knowledge I thought I'd ask.
Thanks!
03-03-2021 12:05 PM
Also, just an FYI: Merakis can only use BGP within their AutoVPN (SD-WAN) feature. They cannot use it in the scenario shown above.
03-03-2021 12:07 PM
Your best bet would be to attach the Merakis as DMZ devices so only the PAN needs to run BGP, and then forward IPsec to the Merakis.
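The "Merakis in the DMZ, PAN does BGP, forward IPsec" arrangement from the reply above, written out as PAN-OS set commands. This is an added example, not configuration from this thread or from Palo Alto Networks; the public address 203.0.113.10, the Meraki DMZ address 10.10.10.10, the zone names untrust/dmz and the rule names are all assumed placeholders.

```text
# Added example (not from this thread). Assumed values: 203.0.113.10 is the
# public address the remote sites dial, 10.10.10.10 is the Meraki HA address
# in the DMZ, and the zones are named "untrust" and "dmz".

# 1. Destination NAT: traffic from the Internet for the public IP is translated
#    to the Meraki's DMZ address. Service stays "any" so ESP (IP protocol 50,
#    no ports) is translated as well as IKE / NAT-T.
set rulebase nat rules DNAT-Meraki-VPN nat-type ipv4
set rulebase nat rules DNAT-Meraki-VPN from untrust
set rulebase nat rules DNAT-Meraki-VPN to untrust
set rulebase nat rules DNAT-Meraki-VPN source any
set rulebase nat rules DNAT-Meraki-VPN destination 203.0.113.10
set rulebase nat rules DNAT-Meraki-VPN service any
set rulebase nat rules DNAT-Meraki-VPN destination-translation translated-address 10.10.10.10

# 2. Security policy: only IKE (udp/500, udp/4500) and ESP reach the Meraki.
#    Security rules match the pre-NAT destination (the public IP) but the
#    post-NAT zone (dmz), so the rule is untrust -> dmz with dest 203.0.113.10.
set rulebase security rules Allow-Meraki-IPsec from untrust
set rulebase security rules Allow-Meraki-IPsec to dmz
set rulebase security rules Allow-Meraki-IPsec source any
set rulebase security rules Allow-Meraki-IPsec destination 203.0.113.10
set rulebase security rules Allow-Meraki-IPsec application [ ike ipsec-esp ]
set rulebase security rules Allow-Meraki-IPsec service application-default
set rulebase security rules Allow-Meraki-IPsec action allow
set rulebase security rules Allow-Meraki-IPsec log-end yes

commit

# 3. Verify: the NAT lookup should name DNAT-Meraki-VPN, and live sessions to
#    the public IP should show 10.10.10.10 as the translated destination.
#    198.51.100.20 stands in for one remote site's public address.
test nat-policy-match from untrust to untrust source 198.51.100.20 destination 203.0.113.10 protocol 17 destination-port 500
show session all filter destination 203.0.113.10
```

Once the remote sites' public addresses are known, replace `source any` in both rules with an address group of those sites so the DMZ Meraki is not reachable from the whole Internet.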
03-03-2021 12:18 PM
That's the solution we're going to implement once I get the config changes to the PA, the Merakis and our Core finalized.
Thanks again for your help Tom.