Meraki and Palo side by side with Palo using BGP

cancel
Showing results for 
Search instead for 
Did you mean: 

Meraki and Palo side by side with Palo using BGP

L2 Linker

We currently have this setup in our datacenter. The Meraki HA pair is the VPN endpoint for our 120+ remote sites.

 

setup.jpg

In a DR situation the datacenter has IP mobility, where our current static IPs will failover. This setup uses BGP through the Palo. With BGP enabled on the Palo HA Pair and datacenter’s internet the Meraki HA pair is inaccessible, which means the remote sites have no connectivity to the data center. The BGP config is exporting the 1.1.1.0/27 subnet, which obviously includes the Meraki IPs

 

Can we configure a rule on the Palo to allow traffic destined for the Meraki HA Pair to go to the Merakis without any other cabling or configuration changes? The rule would look like this. Additionally it would allow only specific ports and protocols as needed.

Screenshot 2021-03-02 132554.jpg

 

To makes any other changes would require re-designing our current topology. We're trying to avoid that scenario for now.

 

Thanks in advance!

1 ACCEPTED SOLUTION

Accepted Solutions

Cyber Elite
Cyber Elite

the merakis will need to talk BGP as well to pick up their own IP addresses, else they'll need to be conected directly to the palo alto as a DMZ device so the palo can collect all ip's on the outside and forward the ones needed on the inside, to the merakis

 

in this configuration you'll need to set up Uturn NAT which is probably going to interfere with ipsec performance

Tom Piens
PANgurus

View solution in original post

5 REPLIES 5

Cyber Elite
Cyber Elite

the merakis will need to talk BGP as well to pick up their own IP addresses, else they'll need to be conected directly to the palo alto as a DMZ device so the palo can collect all ip's on the outside and forward the ones needed on the inside, to the merakis

 

in this configuration you'll need to set up Uturn NAT which is probably going to interfere with ipsec performance

Tom Piens
PANgurus

That's what I suspected. But with limited BGP knowledge I thought I'd ask.

 

Thanks!

 

Also, just and FYI Merakis can only use BGP within their AutoVPN (SD-WAN) feature. They can not use it in the scenario shown above.

Your best bet would be to attach the merakis as DMZ devices so only the pan needs to BGP, and then forward ipsec to the merakis

Tom Piens
PANgurus

That's the solution we're going to implement once I get the config changes to the PA, the Merakis and our Core finalized.

 

Thanks again for your help Tom.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!