Focus

Prisma SD-WAN

Prisma SD-WAN Branch Routing

Table of Contents

Filter

Expand All | Collapse All

Prisma SD-WAN Docs

Activation & Onboarding
Administration
CloudBlades
Select a Document
- CloudBlade Integrations
- CloudBlades Integration with Prisma Access
Deployment
Incidents & Alerts
Reference
Release Notes
Select a Document
- 6.5
- 6.4
- 6.3
- 6.2
- 6.1
- 5.6
- New Features Guide
- On-Premises Controller
- Prisma SD-WAN CloudBlades
- Prisma Access CloudBlade Cloud Managed
- Prisma Access CloudBlade Panorama Managed

Prisma SD-WAN Branch and Data Center Routing

Prisma SD-WAN Data Center Routing

Prisma SD-WAN Branch Routing

Learn more about the Prisma SD-WAN branch routing. You can configure static and dynamic routing in a branch for internet, private WAN underlays, and standard VPN tunnels.

Where Can I Use This?	What Do I Need?
Prisma SD-WAN	Prisma SD-WAN license

You can configure static and dynamic routing in a branch for Internet, private WAN underlays, LAN and standard VPN tunnels.

Configure static routing on a branch ION device to support topologies with one or more LAN-side Layer 3 devices to forward traffic destined for subnets that are more than one hop away. Use static routes to configure next hops to subnets behind a Layer 3 switch on the LAN-side or destinations reachable over a WAN network underlay or a standard VPN. You can add static routes on an ION device that point to the standard VPN interface or the standard VPN peer IP address.

Configure dynamic Border Gateway Protocol (BGP) routing on a branch ION device for Internet, private WAN underlays, LAN, and standard VPNs. The ION device learns routes dynamically from private WAN and standard VPN BGP peers and distributes to the LAN BGP peers. Routes learnt from LAN peers can be sent to the Prisma SD-WAN controller via API and to other LAN and private WAN BGP peers.

Starting with device software version 6.4.1, OSPF is supported on the LAN in branch mode IONs. Routes learnt from LAN OSPF neighbors can be sent to the SD-WAN controller via API and to other LAN neighbors. Routes can also be distributed between BGP and OSPF peers/neighbors.

By default, ION devices use a bypass pair for private WAN underlay traffic. If you use a Layer 3 private WAN interface, you must explicitly enable L3 Direct Private WAN Forwarding for the private WAN underlay. The ION device uses the bypass pair only to bridge traffic.

Starting with device software version 5.2.1, ION devices support dynamic LAN routing in branch sites. To use LAN routing, you must explicitly enable L3 Direct Private WAN Forwarding and L3 LAN forwarding. You can enable L3 LAN Forwarding only when there are no Private Layer 2 bypass pairs associated with any of the interfaces on the device. Starting with device software version 5.2.3, if there are Private Layer 2 interfaces on the device, the device displays a message to first remove any Private Layer 2 interfaces associated with the device and then enable L3 LAN Forwarding.

A branch ION device supports only classic BGP peers. It can support multiple BGP peers and also peer with multiple BGP peers on the same interface. The device treats each underlay and Standard VPN as a separate domain. The routes learned from one domain are not advertised to another domain, thus preventing the branch ION device from dynamically becoming a transit point.

At a branch site, configure the routing for a link or a routing instance per link. The following topologies illustrate private WAN and third-party routing in a branch.

Private WAN Dynamic Border Gateway Protocol (BGP) Routing
In this scenario, the branch ION device participates in dynamic BGP routing by peering with a private WAN peer edge router. There maybe more than one link, and you can enable dynamic routing on each.
Private WAN Static Routing
In this scenario, the branch ION device has a default static route pointing to the peer edge router. On behalf of the ION device, the peer edge router will advertise routes for branch prefixes. There may be more than one private WAN link.
Standard VPNs to Cloud Security Services or Data Centers
In this scenario, the branch ION has a standard VPN connection to a cloud security service. This VPN has a static default route, or optionally, can have a BGP adjacency configured with the standard endpoint.

You can deploy the ION at a branch site as follows:

Layer 2-only Deployment Model—You do not need to configure routing when the ION is deployed in-line between the switch and a branch router. In this deployment, the internet links terminate on the branch ION device and the private wide area network (WAN) link terminates on the WAN router.
The branch ION device dynamically steers traffic directly to the private WAN via the WAN router it is connected to, or to a public WAN or VPN on public WAN for each application based on path policies and network and application performance characteristics.
Layer 2 / Layer 3 Deployment Model—Deploy the Prisma SD-WAN ION device in-line between the switch and a branch router, with the added facility of routing via a separate Layer 3 WAN interface on the ION device. In this deployment, you can configure an Layer 3 WAN interface (WAN 2) as the source for a private WAN VPN to another Prisma SD-WAN branch or data center site.
For example, configure LAN 1 and WAN 1 as a private WAN Layer 2 bypass pair, but configure WAN 2 as a L3 interface to BGP peer with the router. The ION device then advertises prefixes to the router and learns routes from the router. You need to enable ‘L3 Private WAN Forwarding” configuration knob on the ION in this scenario.
Router Replacement Model—In this model, the branch ION device terminates both private WAN and internet links. When terminating the private WAN links, the branch ION device participates in dynamic routing with the peer edge router. The device advertises prefixes present in the branch and learns the prefixes reachable through the MPLS core.
LAN-Side BGP Routing—On the LAN side, the ION device can be the default gateway for all branch subnets or can participate in static or dynamic routing with a Layer 3 device. The branch ION device in conjunction with the Layer 3 switch participates in routing as follows:
- Learns the prefixes behind the Layer 3 device and forwards traffic to those prefixes.
- Advertises BGP learned prefixes from the private WAN side (e.g. MPLS peer edge router) or a default route to the LAN Layer 3 device.
- Advertises prefixes learned from the Layer 3 device to the private WAN BGP peer.
- Advertises prefixes learned from the Layer 3 device to the Prisma SD-WAN controller via API, so the controller can distribute to ION devices at other branches and data centers.
LAN-Side OSF Routing—On the LAN side, the ION device can be the default gateway for all branch subnets or can participate in static or dynamic routing with a Layer 3 device. The branch ION device in conjunction with the Layer 3 switch participates in routing as follows:
- Learns the prefixes behind the Layer 3 device and forwards traffic to those prefixes.
- Advertises BGP learned prefixes from the private WAN side (e.g. MPLS peer edge router) or a default route to the LAN Layer 3 device.
- Advertises prefixes learned from the Layer 3 device to the private WAN BGP peer.
- Advertises prefixes learned from the Layer 3 device to the Prisma SD-WAN controller via API, so the controller can distribute to ION devices at other branches and data centers.

Prisma SD-WAN Data Center Routing

Prisma SD-WAN Docs

Prisma SD-WAN Branch Routing

Prisma SD-WAN Docs

Prisma SD-WAN Branch Routing

Related CLIs

Activation & Onboarding

SASE

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

Prisma SD-WAN Integration

Prisma SD-WAN Experts Corner

Best Practices

Resources