https://live.paloaltonetworks.com/docs/DOC-4011
Here is the topology:
So, why did we change the topology? Because the Brocade Core Switch can handle a whole lot more ARP entries than the Palo Alto.
Wednesday, September 18, 2013
Palo Alto: What is the Maximum Number of ARP Entries The PA-3020 Firewall can Handle?
The quick answer is 1500. I was asked to go redo one of the school's topology where the "bring your own device" network was having problems. They had around 1700 devices that would attach to this network. So what happens when 1501 entries get put in the ARP table on the PA-3020? Nothing, except that 1501 cant be in the ARP table. The PA-3020 is limited to 1500 entries. Therefor, there will never be 1501 entries on this device. I verified this on Palo Alto's site:
https://live.paloaltonetworks.com/docs/DOC-4011
Here is the topology:
I had to do a few things to get this going. Create a vlan between the Palo Alto and the Brocade Core Switch. IP the wireless vlan to be the default gateway (that used to be the Palo Alto, now the Core Switch). Add a static route on the Palo Alto to point the wireless network to the Core Switch. And add a route-map on the Brocade Core Switch so that the wireless traffic wont take the default route, but the path of the Palo Alto.
So, why did we change the topology? Because the Brocade Core Switch can handle a whole lot more ARP entries than the Palo Alto.
https://live.paloaltonetworks.com/docs/DOC-4011
Here is the topology:
So, why did we change the topology? Because the Brocade Core Switch can handle a whole lot more ARP entries than the Palo Alto.
Subscribe to:
Post Comments (Atom)
Updated - With the release of 6.0, the 3020 can now support 3000 arp entries but you will need to issue an unlock command and restart the firewall for it to take effect.
ReplyDeleteVery good. Thanks for the update.
ReplyDeleteVery good. Thanks for the update.
ReplyDelete