Meraki and Palo side by side with Palo using BGP

qdimclark
L1 Bithead

We currently have this setup in our datacenter. The Meraki HA pair is the VPN endpoint for our 120+ remote sites.

[Image: setup.jpg]

In a DR situation the datacenter has IP mobility, where our current static IPs will fail over. This setup uses BGP through the Palo. With BGP enabled on the Palo HA pair and the datacenter's internet, the Meraki HA pair is inaccessible, which means the remote sites have no connectivity to the datacenter. The BGP config is exporting the 1.1.1.0/27 subnet, which obviously includes the Meraki IPs.

Can we configure a rule on the Palo to allow traffic destined for the Meraki HA pair to go to the Merakis without any other cabling or configuration changes? The rule would look like this. Additionally, it would allow only specific ports and protocols as needed.

[Image: Screenshot 2021-03-02 132554.jpg]

Making any other changes would require re-designing our current topology. We're trying to avoid that scenario for now.

Thanks in advance!


Accepted Solutions
reaper
L7 Applicator

The Merakis will need to talk BGP as well to pick up their own IP addresses; else they'll need to be connected directly to the Palo Alto as a DMZ device so the Palo can collect all IPs on the outside and forward the ones needed on the inside to the Merakis.

In this configuration you'll need to set up U-turn NAT, which is probably going to interfere with IPsec performance.

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374


All Replies
qdimclark
L1 Bithead

That's what I suspected. But with limited BGP knowledge I thought I'd ask.

Thanks!

qdimclark
L1 Bithead

Also, just an FYI: Merakis can only use BGP within their AutoVPN (SD-WAN) feature. They cannot use it in the scenario shown above.

reaper
L7 Applicator

Your best bet would be to attach the Merakis as DMZ devices so only the PAN needs to do BGP, and then forward IPsec to the Merakis.

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
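
An added example, not from this thread or from Palo Alto Networks, of the layout Tom recommends in both of his replies: the Merakis hang off a DMZ zone, the firewall alone speaks BGP for 1.1.1.0/27, and a destination NAT hands the VPN traffic to them. It is hypothetical PAN-OS configure-mode syntax; the zone names (untrust, dmz, trust), the interface ethernet1/3 and both addresses are placeholders chosen for this example (1.1.1.10 is simply one address inside the /27 from the question).

```text
# Lines starting with '#' are annotations, not CLI. Everything else is
# entered in PAN-OS 'configure' mode. Zone names (untrust, dmz, trust), the
# interface ethernet1/3 and both addresses are placeholders for this example.

# The public VPN endpoint the remote sites already dial, picked inside the
# BGP-advertised 1.1.1.0/27, and the Meraki's new address on the DMZ.
set address meraki-vpn-public ip-netmask 1.1.1.10/32
set address meraki-vpn-dmz ip-netmask 10.1.1.10/32

# Destination NAT: anything from the internet for the public endpoint is
# rewritten to the Meraki on the DMZ. A NAT rule's 'to' zone is the zone the
# packet would be routed to BEFORE translation, so it stays untrust.
# Because 1.1.1.10 lies inside the untrust interface's own subnet, the
# firewall answers ARP for it; no address is configured on the interface.
set rulebase nat rules dnat-meraki-vpn from untrust
set rulebase nat rules dnat-meraki-vpn to untrust
set rulebase nat rules dnat-meraki-vpn source any
set rulebase nat rules dnat-meraki-vpn destination meraki-vpn-public
set rulebase nat rules dnat-meraki-vpn service any
set rulebase nat rules dnat-meraki-vpn destination-translation translated-address meraki-vpn-dmz

# Security policy is evaluated with the PRE-NAT destination address but the
# POST-NAT destination zone. Only the VPN App-IDs are allowed, so 'service
# any' in the NAT rule does not expose anything else on the Meraki.
set rulebase security rules allow-sites-to-meraki from untrust
set rulebase security rules allow-sites-to-meraki to dmz
set rulebase security rules allow-sites-to-meraki source any
set rulebase security rules allow-sites-to-meraki destination meraki-vpn-public
set rulebase security rules allow-sites-to-meraki application [ ike ipsec-esp ipsec-esp-udp ]
set rulebase security rules allow-sites-to-meraki service application-default
set rulebase security rules allow-sites-to-meraki action allow
set rulebase security rules allow-sites-to-meraki log-end yes

# U-turn NAT, the case the accepted answer flags: inside hosts that dial the
# public address need the same DNAT plus a source NAT so the Meraki's replies
# return through the firewall rather than straight to the host. A matching
# trust -> dmz security rule (same App-IDs as above) is needed as well.
set rulebase nat rules uturn-meraki-vpn from trust
set rulebase nat rules uturn-meraki-vpn to untrust
set rulebase nat rules uturn-meraki-vpn source any
set rulebase nat rules uturn-meraki-vpn destination meraki-vpn-public
set rulebase nat rules uturn-meraki-vpn service any
set rulebase nat rules uturn-meraki-vpn destination-translation translated-address meraki-vpn-dmz
set rulebase nat rules uturn-meraki-vpn source-translation dynamic-ip-and-port interface-address interface ethernet1/3
```

After committing, a session for a remote site (`show session all filter destination 1.1.1.10`) should show the untrust-to-dmz pair with the translated destination, which is the quickest check that the DNAT and the policy line up.
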
qdimclark
L1 Bithead

That's the solution we're going to implement once I get the config changes to the PA, the Merakis and our Core finalized.

Thanks again for your help Tom.
