PANs as internal routers?

L1 Bithead

We are planning to make our Palo Alto (pair) into the main internal router for a decent sized enterprise data center and about 300 users. A pair of Arista routers will be our external WAN/BGP routers.

 

Is using the PAN as a router considered a best practice? Is it an acceptable practice from a speed/performance perspective? We plan to hairpin a lot of the DC traffic into the PAN in order to segregate the various VLANs. Only iSCSI traffic will stay on the top-of-rack switches.

 

Thoughts?

1 accepted solution

Accepted Solutions

L4 Transporter

Hi,

 

Just need to size up the box correctly. How many VLANs are you planning to set up, and what is the growth rate? Also, expected traffic (Gbit/sec, new session rate, packet rate) and type of traffic (http, https, SMB, AD, mysql, oracle, SIP, dns). Also, what features are you planning to enable? Are you planning to use threat protection, URL filtering, etc.?

 

It will be helpful to have some baseline numbers (throughput, type of traffic, new sessions per second, packet rate) from the current setup. That will help. Also, check out how to monitor running resource-monitor: https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Interpret-show-running-resource-monito...

 

Set up NetFlow and SNMP (not on the PAN side, on the switch side, since the PAN SNMP values are not accurate).

 

Learn how to use ACC: https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-FAQ-ACC-PAN-OS-7-0/ta-p/70860

 

Best of luck,

 

 


5 REPLIES

L2 Linker

If you can afford large enough appliances for your throughput requirements, get it done! A huge amount of visibility and control is then at your fingertips.

 

Do check the ARP table limitations of your appliance(s) though; ensure you don't have more hosts than the firewall can handle.

 

 
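An added example (not from this thread or from Palo Alto Networks) of the sizing exercise the accepted answer and the ARP-table reply describe: take switch-side baseline measurements, compound them forward at a growth rate, and report which appliance limit is reached first. The baseline and capacity figures are constructed placeholders; real limits come from the data sheet for the feature set you will enable.

```python
"""Capacity-headroom check for running a firewall pair as the core router.
Baseline figures come from switch-side NetFlow/SNMP and are compounded forward
at a growth rate; every capacity number here is a constructed placeholder."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Load:
    throughput_gbps: float      # measured Gbit/s crossing the core
    new_sessions_per_sec: int   # connection setup rate
    packets_per_sec: int
    concurrent_sessions: int
    hosts: int                  # directly attached hosts -> ARP entries

@dataclass(frozen=True)
class Capacity:
    name: str
    throughput_gbps: float      # use the figure for the features you enable
    new_sessions_per_sec: int
    packets_per_sec: int
    concurrent_sessions: int
    arp_entries: int

def project(load: Load, growth_rate: float, years: int) -> Load:
    """Compound every baseline figure forward: value * (1 + rate) ** years."""
    f = (1 + growth_rate) ** years
    return Load(load.throughput_gbps * f,
                round(load.new_sessions_per_sec * f),
                round(load.packets_per_sec * f),
                round(load.concurrent_sessions * f),
                round(load.hosts * f))

def utilisation(load: Load, cap: Capacity) -> dict:
    """Fraction of each appliance limit consumed by the given load."""
    return {"throughput": load.throughput_gbps / cap.throughput_gbps,
            "new_sessions": load.new_sessions_per_sec / cap.new_sessions_per_sec,
            "packets": load.packets_per_sec / cap.packets_per_sec,
            "concurrent_sessions": load.concurrent_sessions / cap.concurrent_sessions,
            "arp": load.hosts / cap.arp_entries}

def bottleneck(load: Load, cap: Capacity, growth_rate: float, years: int,
               max_util: float = 0.7) -> tuple:
    """(fits, limiting dimension, its utilisation) for the projected load."""
    util = utilisation(project(load, growth_rate, years), cap)
    dim, u = max(util.items(), key=lambda kv: kv[1])
    return u <= max_util, dim, u

# Constructed sample: a 300-user site with a mid-sized DC hairpinned through the core.
BASELINE = Load(4.0, 24_000, 600_000, 800_000, 1_500)
CANDIDATE = Capacity("placeholder appliance", 20.0, 120_000, 4_000_000, 4_000_000, 2_500)
```

Calling `bottleneck(BASELINE, CANDIDATE, 0.25, 3)` shows the ARP table, not throughput, is the first limit hit after three years of 25% growth, which is exactly the check the reply above asks for.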

L3 Networker

We're using our PA-5050 as main router for 30000 users. Nothing but good things to say about it. We also use it as BGP router.

 

L4 Transporter

We use a pair of PA-5060 (active / passive) firewalls in layer 3 mode in our datacenter and it's working well for us. As @nextgenhappines said, make sure to size up your box properly.

 

Benjamin

We are looking at getting a pair of the new 5200 series 🙂
