12-11-2017 06:32 PM - edited 12-11-2017 06:33 PM
Hi,
I've been asked to assess if PA-820s could be used to support a smallish MSP environment and as I'm new to the PA world (and indeed MSP network design) I'm hopeful some of you can point me in the right direction. I may be going about the design wrong so do say if you think there are better/relatively cost free ways to achieve the desired outcome (i.e. utilizing existing Cisco routers for QoS).
Requirements:
Support 10-20 clients. Each client could potentially have 3 security zones. So we naturally hit a limitation as the 820 only supports 30 zones.
Apply QoS per client AND combine QoS across each of the clients' security zones, primarily for bandwidth limits per customer. The issue here is that the 820 only supports QoS applied to the physical interface and not the subs, i.e. a client would purchase x Mbps of bandwidth to be shared by all zones.
Initial idea:
PA has 4 ports and the zone outline would be:
1. Internet (Untrusted)
2. Internal zones (with each client having a tagged sub-int and associated security zone). This would connect to the virtualisation platform.
3. DMZ zones (with each client having a tagged sub-int and associated security zone).
4. WAN zones (as above, leading to the customer site)
Issues with 820s as I initially look at it:
Security zone limit
No QoS on sub-interfaces
I could live with not having a combined QoS as customers would generally fall into two categories.
a. Those only needing a WAN zone
b. Those that have a hosted environment typically utilise a terminal server solution, so with management most traffic to/from the internet can pass either through the Internal zone and/or a web gateway within the DMZ zone.
I've attached a high level overview of what I envisage a single customer would look like.
I know I'm asking a lot of you!
12-13-2017 07:21 AM
Interesting design. Why are you placing each client in its own subinterface? To save on zones, you can also set all (or most) the subinterfaces on one physical to the same zone and then create an intra-zone policy to block/allow or simply scan. This would spare you a bunch of zones as these 20*3 clients/zones could be served by 3 distinct zones.
QoS may not scale as there's only 8 classes (QoS is mostly geared toward controlling groups of applications rather than unique sources) but I guess you could if you wanted to by applying a profile to source interface or subnet:
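The shared-zone layout suggested in the reply above, as an added worked example (not code from the thread or from Palo Alto Networks): a small generator that models N clients with an Internal, DMZ and WAN segment, compares the zone count of the per-client-zone design from the original post with the shared-zone design, and emits PAN-OS `set` commands. Interface names, VLAN tags, the 10.x address scheme, rule names and the per-client traffic flows are assumptions chosen for illustration. The security point it makes explicit is that once clients share a zone, zone membership no longer separates tenants: every allow rule must be scoped by per-client address objects, and an explicit intra-zone deny is needed because the implicit intrazone-default rule allows.

```python
"""Shared-zone layout for a multi-tenant PA-820, as PAN-OS 'set' commands.

Added example, not from the thread or from Palo Alto Networks: it models the
reply's suggestion (all client subinterfaces on a physical share one zone;
intra-zone rules keep tenants apart) against the per-client-zone design in
the original post. Interface names, VLAN tags, address ranges, rule names and
the per-client traffic flows are assumptions chosen for illustration.
"""
from dataclasses import dataclass

ZONE_LIMIT = 30                         # PA-820 zone limit quoted in the post
SEGMENTS = ("Internal", "DMZ", "WAN")   # one physical port per segment (assumed)
PHYSICAL = {"Internal": "ethernet1/2", "DMZ": "ethernet1/3", "WAN": "ethernet1/4"}
TAG_BASE = {"Internal": 100, "DMZ": 200, "WAN": 300}   # VLAN tag = base + client index


@dataclass(frozen=True)
class Client:
    name: str
    idx: int   # 1-based; drives VLAN tag and subnet, so tenant ranges never overlap

    def subif(self, seg):
        tag = TAG_BASE[seg] + self.idx
        return f"{PHYSICAL[seg]}.{tag}", tag

    def subnet(self, seg):
        return f"10.{TAG_BASE[seg] // 100}.{self.idx}.0/24"

    def addr_obj(self, seg):
        return f"{self.name}-{seg}"


def zones_needed(clients, per_client_zones):
    """Untrust plus either 3 zones per client or 3 shared zones."""
    tenant_zones = len(SEGMENTS) * len(clients) if per_client_zones else len(SEGMENTS)
    return 1 + tenant_zones


def build_rules(clients):
    """Ordered security rules. Every allow rule is scoped by address object on
    each shared-zone side; the trailing intra-zone denies take precedence over
    the implicit intrazone-default allow, so client A never reaches client B
    inside a shared zone. Keep them above any future allow for the same zone pair."""
    rules = []
    for c in clients:
        rules += [   # assumed flows: customer site -> hosted LAN, LAN -> DMZ, DMZ -> internet
            dict(name=f"{c.name}-wan-to-int", fz="WAN", tz="Internal",
                 src=c.addr_obj("WAN"), dst=c.addr_obj("Internal"), action="allow"),
            dict(name=f"{c.name}-int-to-dmz", fz="Internal", tz="DMZ",
                 src=c.addr_obj("Internal"), dst=c.addr_obj("DMZ"), action="allow"),
            dict(name=f"{c.name}-dmz-out", fz="DMZ", tz="Untrust",
                 src=c.addr_obj("DMZ"), dst="any", action="allow"),
        ]
    for seg in SEGMENTS:
        rules.append(dict(name=f"deny-intrazone-{seg}", fz=seg, tz=seg,
                          src="any", dst="any", action="deny"))
    return rules


def unscoped_allows(rules):
    """Lint: an allow rule that touches a shared tenant zone with 'any' on that
    side would let one client reach another. Returns the offending rule names."""
    bad = []
    for r in rules:
        if r["action"] != "allow":
            continue
        if (r["fz"] in SEGMENTS and r["src"] == "any") or \
           (r["tz"] in SEGMENTS and r["dst"] == "any"):
            bad.append(r["name"])
    return bad


def render_config(clients):
    """PAN-OS configure-mode 'set' commands for interfaces, zones, addresses and rules."""
    cmds = []
    for seg in SEGMENTS:
        for c in clients:
            subif, tag = c.subif(seg)
            gateway = c.subnet(seg).replace(".0/24", ".1/24")   # firewall holds .1 (assumed)
            phy = PHYSICAL[seg]
            cmds += [
                f"set network interface ethernet {phy} layer3 units {subif} tag {tag}",
                f"set network interface ethernet {phy} layer3 units {subif} ip {gateway}",
                f"set network virtual-router default interface {subif}",
                f"set zone {seg} network layer3 {subif}",
                f"set address {c.addr_obj(seg)} ip-netmask {c.subnet(seg)}",
            ]
    for r in build_rules(clients):
        cmds.append(f"set rulebase security rules {r['name']} from {r['fz']} to {r['tz']} "
                    f"source {r['src']} destination {r['dst']} application any "
                    f"service application-default action {r['action']} log-end yes")
    return cmds


if __name__ == "__main__":
    tenants = [Client(f"client{i:02d}", i) for i in range(1, 21)]   # constructed sample: 20 clients
    print(f"per-client zones: {zones_needed(tenants, True)} (limit {ZONE_LIMIT})")
    print(f"shared zones:     {zones_needed(tenants, False)}")
    print("\n".join(render_config(tenants[:2])))
```

The zone arithmetic is the reply's point in numbers: 20 clients with 3 zones each plus Untrust is 61 zones against a limit of 30, while the shared design needs 4 regardless of client count. The `unscoped_allows` lint is worth running on any rulebase built this way, because a single `any`-to-`any` allow between shared zones silently collapses tenant isolation. Note also that address-object scoping only works while client subnets do not overlap; the generator enforces that by deriving each subnet from the client index. QoS is not covered here.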
12-13-2017 07:31 AM - edited 12-13-2017 07:32 AM
Thanks Reaper.
That's the same advice as I was given yesterday re intra-zone policies to achieve what I want, so I appreciate your input and I'll rework the design.
The issue of how to allocate bandwidth per client/subnet is indeed a bit harder. Based on what I've looked at and your feedback I think I need to look for another solution to manage this aspect.
Cheers
Tim
12-19-2017 05:30 AM
I wonder if you might not be better off scaling with a VM host server setup and just spinning up virtual PA per client.