PANs as internal routers?

L1 Bithead

PANs as internal routers?

We are planning to make our Palo Alto (pair) the main internal router for a decent-sized enterprise data center and about 300 users. A pair of Arista routers will be our external WAN/BGP routers.

Is using the PAN as a router considered a best practice? Is it an acceptable practice from a speed/performance perspective? We plan to hairpin a lot of the DC traffic into the PAN in order to segregate the various VLANs. Only iSCSI traffic will stay on the top-of-rack switches.

Thoughts?


Accepted Solutions
L4 Transporter

Re: PANs as internal routers?

Hi,

You just need to size up the box correctly. How many VLANs are you planning to set up, and what is the growth rate? Also, expected traffic (Gbit/sec, new session rate, packet rate) and type of traffic (HTTP, HTTPS, SMB, AD, MySQL, Oracle, SIP, DNS). Also, what features are you planning to enable? Are you planning to use threat protection, URL filtering, etc.?

It will be helpful to have some baseline numbers (throughput, type of traffic, new sessions per second, packet rate) from the current setup. That will help. Also, check out how to interpret show running resource-monitor: https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Interpret-show-running-resource-monito...

Set up NetFlow and SNMP (not on the PAN side, on the switch side, since the PAN SNMP values are not accurate).

Learn how to use ACC: https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-FAQ-ACC-PAN-OS-7-0/ta-p/70860

Best of luck,


All Replies
L2 Linker

Re: PANs as internal routers?

If you can afford large enough appliances for your throughput requirements, get it done! A huge amount of visibility and control is then at your fingertips.

Do check the ARP table limitations of your appliance(s) though; ensure you don't have more hosts than the firewall can handle.

L3 Networker

Re: PANs as internal routers?

We're using our PA-5050 as the main router for 30,000 users. Nothing but good things to say about it. We also use it as a BGP router.

L4 Transporter

Re: PANs as internal routers?

We use a pair of PA-5060 (active/passive) firewalls in layer 3 mode in our data center and it's working well for us. As @nextgenhappiness said, make sure to size up your box properly.

Benjamin

L1 Bithead

Re: PANs as internal routers?

We are looking at getting a pair of the new 5200 series :-)
