This is an example network drawing for a typical campus location with a main data center hosting hundreds of rack-mounted servers (LAN) connected to many buildings with long-range fiber optic cables (MAN).
The uplink to the WAN supports BGP over multiple links of up to 100 Gbps.
The data center switches are low latency, with 10 Gbps ports for servers and VXLAN protocol support to work with VMware NSX SDN network overlays.
At the edge there are thousands of 2.5 Gbps ports with Power over Ethernet, using 802.1X with EAP-PEAP and EAP-TLS for certificate-based network access control.
Enterprise RADIUS with guest access is supported for the high-speed wireless network using 802.11ax (Wi-Fi 6) APs.
Using a design from 2018, before Brocade was sold off and broken apart, here is a parts list to consider. We are looking for similar solutions from major network suppliers today.
This drawing has the following sections:
- External WAN connections with multiple 1, 10, 40, and 100 Gbps uplinks
- 1 pair of MLXe-4 switches for the border router cluster
- 1 pair of PAN PA-7080 firewalls in an HA cluster
- 1 pair of MLXe-32 switches for the internal router cluster
- 1 pair of RUCKUS ICX 7850 switches for core distribution to each area using 100 GbE links
- 10 pairs of VDX 6740 data center top-of-rack switches with 10 GbE on all ports and multiple 40 GbE uplinks
- 1 pair of RUCKUS ICX 7850 aggregation switches for each area, connected using 100 GbE links
- 10 stacks of RUCKUS ICX 7550 access switches for the edge with PoE and 2.5 GbE on all ports. Each stack has from 2 to 12 units.
- Over 100 Wi-Fi access points would be needed, with multiple gigabit connections.
- All devices have redundant power supplies and fans, with 40 Gbps QSFP interconnections.
- Network setup, automation, and monitoring would be considered part of the solution.
- Controller machines would be deployed as cloud-based services or virtual machines, minimizing dependencies on physical hardware deployment.
PAN firewall example: OSPF with Active/Active High Availability
In this scenario, the firewalls are deployed in Active/Active HA. This design supports asymmetric traffic, traffic engineering, and consistent deterministic failover behavior. In testing, this design proved to be highly resilient and fast to recover. This design can tolerate the loss of any two network connections without degrading performance or availability.
Following is a diagram of what will be implemented:
Set the link costs so that certain routes are preferred over others. The link costs are chosen to keep traffic routing symmetric, which also simplifies troubleshooting, packet captures, and firewall log monitoring.
Note: Floating IP addresses (“Virtual Address”) are typically used when the firewall is adjacent to end hosts. In this scenario, the firewall is directly connected to routers, so floating IP addresses are not used.
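The two design goals above (deterministic symmetric paths through the firewall pair, and survival of any two link failures) can be checked before touching a device by modelling the OSPF costs. The following Python script is an added example, not configuration from the original page or from Palo Alto Networks; the topology (two border routers BR1/BR2, two firewalls FW1/FW2, two internal routers IR1/IR2) and every cost in it are constructed assumptions. It runs Dijkstra with a count of equal-cost paths, so an ECMP tie (where the firewall that sees a flow is no longer deterministic) is reported rather than silently accepted, then removes every pair of links to confirm reachability survives.

```python
"""Constructed OSPF cost model for a router/firewall/router sandwich (example only)."""
import heapq
from itertools import combinations

# Constructed topology. Costs are assumptions chosen so every BR<->IR pair has
# exactly one cheapest path and the reverse path is the same path. The
# router-to-router peer links are costed high so they are only a last resort.
LINKS = [
    ("BR1", "FW1", 10), ("BR1", "FW2", 30),
    ("BR2", "FW1", 30), ("BR2", "FW2", 10),
    ("FW1", "IR1", 10), ("FW1", "IR2", 20),
    ("FW2", "IR1", 20), ("FW2", "IR2", 10),
    ("BR1", "BR2", 100), ("IR1", "IR2", 100),
]
BORDER = ("BR1", "BR2")
INTERNAL = ("IR1", "IR2")


def build_graph(links):
    """Adjacency map {node: {neighbour: cost}} from undirected (a, b, cost) tuples."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def shortest_path(graph, src, dst):
    """Dijkstra returning (cost, path, number_of_equal_cost_paths).

    A count above 1 means OSPF would load-share (ECMP), so the firewall a flow
    crosses is no longer deterministic. Returns (None, [], 0) if unreachable."""
    dist, count, prev = {src: 0}, {src: 1}, {}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, w in graph[u].items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v], count[v], prev[v] = nd, count[u], u
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                count[v] += count[u]  # another equal-cost route into v
    if dst not in dist:
        return None, [], 0
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1], count[dst]


def path_problems(graph, border=BORDER, internal=INTERNAL):
    """List BR<->IR pairs that break the design goals: unreachable, ECMP tie,
    forward/reverse path mismatch, or a path that bypasses the firewall tier."""
    problems = []
    for br in border:
        for ir in internal:
            cost, fwd, n = shortest_path(graph, br, ir)
            _, rev, _ = shortest_path(graph, ir, br)
            if cost is None:
                problems.append((br, ir, "unreachable"))
            elif n > 1:
                problems.append((br, ir, f"{n} equal-cost paths"))
            elif fwd != rev[::-1]:
                problems.append((br, ir, "asymmetric"))
            elif not any(node.startswith("FW") for node in fwd):
                problems.append((br, ir, "bypasses firewall"))
    return problems


def survey_double_failures(links):
    """Remove every pair of links and collect the scenarios that lose reachability."""
    broken = []
    for failed in combinations(links, 2):
        graph = build_graph([l for l in links if l not in failed])
        for br in BORDER:
            for ir in INTERNAL:
                if shortest_path(graph, br, ir)[0] is None:
                    broken.append((failed, br, ir))
    return broken


if __name__ == "__main__":
    healthy = build_graph(LINKS)
    for br in BORDER:
        for ir in INTERNAL:
            print(br, "->", ir, shortest_path(healthy, br, ir))
    print("design problems:", path_problems(healthy))
    print("double failures that disconnect:", survey_double_failures(LINKS))
```

In the healthy state each border router prefers its own firewall and the reverse path is identical, which is what keeps packet captures and firewall logs on one box per flow. Removing BR1-FW1 shifts BR1's traffic to FW2 deterministically, and no pair of link failures disconnects a border router from an internal router, matching the two-failure tolerance stated above; after a failure the script will also flag any resulting ECMP tie, which is the case where Active/Active session synchronisation has to carry the asymmetric flow.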
Configure HA as Active/Active. For details on the meanings of the settings, refer to the following article on Active/Active HA in the Palo Alto Networks Knowledge base: https://live.paloaltonetworks.com/docs/DOC-1765
Note: The path monitoring and link monitoring configurations are not shown below. Make sure that you configure those appropriately. Refer to the document above for help on configuring those settings.