228 | Branch Switch Config for Cloud Services Switches | AOS-W 6.5.3.x | User Guide
Figure 42 Palo Alto Networks Active Satellites List
5. The branch switch uses the Palo Alto Networks gateway list and credentials obtained from the portal to contact
all PAN gateways. Each PAN gateway sends the branch switch the information it needs to automatically create a
secure IPsec tunnel and to exchange branch subnet routes with that gateway.
6. The branch switch maintains a priority list of IPsec tunnels, one to each PAN gateway, so that it can fail over
to the next gateway in the list if a PAN gateway becomes unreachable.
7. Policy-based routing access control lists (ACLs) on the branch switch selectively route traffic into the tunnel
to the PAN gateways; traffic that does not match a tunnel entry is routed normally.
8. Traffic redirected from the branch switch is inspected by the Palo Alto Networks firewall.
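The failover and policy-based routing behaviour in steps 5 through 8 is easier to reason about as a small model. The following Python block is an added illustration, not AOS-W code or anything from the Palo Alto Networks LSVPN framework: it keeps a priority-ordered list of PAN gateways, picks the highest-priority gateway whose tunnel is up, and applies a first-match ACL that decides which flows go into the tunnel. The gateway names, subnets, priorities and the fail-closed default are constructed assumptions; the guide itself only says that a priority list exists and that ACLs route traffic selectively.

```python
"""Model of branch-switch tunnel failover and policy-based routing.

Added illustration only: this is not AOS-W code. Gateway names, priority
semantics (lower number = preferred), subnets and the fail_open flag are
assumptions made for the example.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class PanGateway:
    name: str
    priority: int           # assumption: lower value is preferred
    reachable: bool = True  # result of tunnel liveness checks, modelled as a flag


@dataclass
class AclEntry:
    src: IPv4Network
    dst: IPv4Network
    action: str             # "tunnel" -> send to active PAN gateway, "local" -> route normally


@dataclass
class BranchSwitch:
    gateways: List[PanGateway]
    pbr_acl: List[AclEntry] = field(default_factory=list)
    # Security caveat: if every PAN tunnel is down, should traffic that is
    # supposed to be inspected bypass the firewall (fail open) or be dropped
    # (fail closed)? The example defaults to fail closed.
    fail_open: bool = False

    def active_gateway(self) -> Optional[PanGateway]:
        """Highest-priority gateway whose tunnel is up, or None if all are down."""
        live = [g for g in self.gateways if g.reachable]
        return min(live, key=lambda g: g.priority) if live else None

    def mark_unreachable(self, name: str) -> None:
        for g in self.gateways:
            if g.name == name:
                g.reachable = False

    def route(self, src: str, dst: str) -> str:
        """First-match ACL lookup for one flow.

        Returns "tunnel:<gateway>", "local", or "drop" (tunnel traffic with
        no live gateway when fail_open is False). Traffic matching no entry
        is routed normally, mirroring step 7.
        """
        s, d = ip_address(src), ip_address(dst)
        for entry in self.pbr_acl:
            if s in entry.src and d in entry.dst:
                if entry.action == "local":
                    return "local"
                gw = self.active_gateway()
                if gw is not None:
                    return f"tunnel:{gw.name}"
                return "local" if self.fail_open else "drop"
        return "local"


def demo():
    """Constructed scenario: two gateways, branch subnet 10.20.0.0/16.

    Returns the routing decisions (internet flow with both gateways up,
    after the primary fails, after both fail, and an intranet flow).
    """
    sw = BranchSwitch(
        gateways=[PanGateway("pan-gw-east", 1), PanGateway("pan-gw-west", 2)],
        pbr_acl=[
            # branch-to-corporate traffic stays on the normal routing table
            AclEntry(ip_network("10.20.0.0/16"), ip_network("10.0.0.0/8"), "local"),
            # everything else from the branch goes through the PAN firewall
            AclEntry(ip_network("10.20.0.0/16"), ip_network("0.0.0.0/0"), "tunnel"),
        ],
    )
    both_up = sw.route("10.20.1.5", "203.0.113.10")
    sw.mark_unreachable("pan-gw-east")
    primary_down = sw.route("10.20.1.5", "203.0.113.10")
    sw.mark_unreachable("pan-gw-west")
    all_down = sw.route("10.20.1.5", "203.0.113.10")
    intranet = sw.route("10.20.1.5", "10.1.2.3")
    return both_up, primary_down, all_down, intranet


if __name__ == "__main__":
    print(demo())
```

The fail-closed default is the point a practitioner should check on the real switch: the guide describes failover between gateways, but not what happens to tunnel-bound traffic when no PAN gateway is reachable, and a branch that silently falls back to uninspected local routing defeats the reason for redirecting traffic in the first place.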
Configuration Prerequisites
The Palo Alto Networks LSVPN framework integrates with a branch switch by establishing IPsec tunnels
between the firewall and the switch. Integrating a Palo Alto Networks firewall with an OAW-40xx Series switch
requires that all user traffic is routed, so that it can be steered by a policy-based routing access control list.
The following requirements must be fulfilled before the branch switch can integrate with the Palo Alto
Networks Large-Scale VPN (LSVPN) framework:
• The LSVPN framework must be installed and active on your network. For more information on configuring
Palo Alto Networks products, refer to the Palo Alto Networks Technical Documentation portal.
• The CA certificate used by the Palo Alto portal must be installed on the master switch, so that it can be
pushed down to the branch switches.
• On the PAN gateway devices, you must enable the accept published routes option, and the devices must
have server certificates installed that are derived from the management portal root CA.
In deployments with multiple PAN firewalls, you must configure the PAN management portal with a list of
gateways and the priority of each PAN gateway. Even if the PAN management portal uses serial number
registration with preregistered serial numbers or MAC addresses, best practice is to also configure LDAP, RADIUS,
Kerberos or Local Database authentication. This allows a switch to authenticate to the portal even if the
portal does not recognize the switch's MAC address.
For details on configuring this feature using the Smart Config WebUI, see WAN Configuration on page 251.