Prisma SD-WAN Branch and Data Center Routing
In Prisma SD-WAN you can configure routing on branch and data center ION
devices. Based on the deployment, WAN routing behavior differs between branch and data
center sites.
Prisma SD-WAN supports both static and dynamic routing in a branch on internet
and private WAN underlays and on Standard Virtual Private Network (VPN) tunnels,
and in a data center on private WAN underlays and Standard VPNs.
- Configure Static Routing
- Configure Dynamic Routing
- Prisma SD-WAN
- Prisma SD-WAN VRF
- Configure a VRF Profile in Prisma SD-WAN
Prisma SD-WAN Branch Routing
Learn more about Prisma SD-WAN branch routing. You can configure
static and dynamic routing in a branch for internet, private WAN underlays, and standard VPN
tunnels.
Configure static routing on a branch ION device to support topologies
with one or more LAN-side Layer 3 devices to forward traffic destined
for subnets that are more than one hop away. Use static routes to
configure next hops to subnets behind a Layer 3 switch on the LAN-side
or destinations reachable over a WAN network underlay or a standard
VPN. You can add static routes on an ION device that point to the
standard VPN interface or the standard VPN peer IP address.
Configure dynamic Border Gateway Protocol (BGP) routing on a
branch ION device for internet, private WAN underlays, and standard
VPNs. The ION device learns routes dynamically over the internet,
private WAN, and standard VPNs and advertises global branch prefixes
on these routes.
By default, ION devices use a bypass pair for private WAN underlay
traffic. If you use a Layer 3 interface, you must explicitly enable L3
Direct Private WAN Forwarding for the private WAN underlay.
The ION device uses the bypass pair only to bridge traffic.
Starting with device software version 5.2.1, ION devices support
dynamic LAN routing in branch sites. To use LAN routing, you must
explicitly enable L3 Direct Private WAN Forwarding and L3
LAN forwarding. You can enable L3 LAN Forwarding only
when there are no Private Layer 2 bypass pairs associated with any
of the interfaces on the device. Starting with device software version
5.2.3, if there are Private Layer 2 interfaces on the device, the
device displays a message to first remove any Private Layer 2 interfaces
associated with the device and then enable L3 LAN Forwarding.
A branch ION device supports only classic peers. It can support
multiple BGP peers and also peer with multiple BGP peers on the same
interface. The device treats each underlay and Standard VPN as a
separate domain. The routes learned from one domain are not advertised
to another domain, thus preventing the branch ION device from dynamically
becoming a transit point.
At a branch site, configure the routing for a link or a routing
instance per link. The following topologies illustrate private WAN
and third-party routing in a branch.
- Private WAN Dynamic Border Gateway Protocol (BGP) Routing: In this scenario, the branch ION device participates in dynamic BGP routing by peering with a private WAN peer edge router, an internet router, or standard VPNs. There may be more than one link, and you can enable dynamic routing on each.
- Private WAN Static Routing: In this scenario, the branch ION device has a default static route pointing to the peer edge router. The peer edge router advertises routes for the branch prefixes on behalf of the ION device. There may be more than one private WAN link.
- Standard VPNs to Cloud Security Services or Data Centers: In this scenario, the branch ION device has a standard VPN connection to a cloud security service. This VPN has a static default route or, optionally, a BGP adjacency configured with the standard VPN endpoint.
You can deploy the ION device at a branch site as follows:
- Layer 2-only Deployment Model—You do not need to configure routing when the ION device is deployed in-line between the switch and a branch router. In this deployment, the internet links terminate on the branch ION device and the private wide area network (WAN) link terminates on the WAN router. For each application, the branch ION device dynamically steers traffic, based on path policies and network and application performance characteristics, either directly to the private WAN through the WAN router it is connected to, or to a public WAN or a VPN over the public WAN.
- Layer 2 / Layer 3 Deployment Model—Deploy the Prisma SD-WAN ION device in-line between the switch and a branch router, with the added facility of routing via a separate Layer 3 WAN interface on the ION device. In this deployment, you can configure a Layer 3 WAN interface (WAN 2) as the source for a private WAN VPN to another Prisma SD-WAN branch or data center site. For example, configure LAN 1 and WAN 1 as a Layer 3 bypass pair, but configure WAN 2 to BGP peer with the router. The ION device then advertises prefixes to the router and learns routes from the router.
- Router Replacement Model—In this model, the branch ION device terminates both private WAN and internet links. When terminating the private WAN links, the branch ION device participates in dynamic routing with the peer edge router. The device advertises the prefixes present in the branch and learns the prefixes reachable through the MPLS core.
- LAN-Side BGP Routing—On the LAN side, the ION device can be the default gateway for all branch subnets or can participate in static or dynamic routing with a Layer 3 device. Together with the Layer 3 switch, the branch ION device participates in routing as follows:
  - Learns the prefixes behind the Layer 3 device and forwards traffic to those prefixes.
  - Advertises BGP-learned prefixes from the WAN side (for example, from the MPLS peer edge router) or a default route to the LAN Layer 3 device.
  - Advertises prefixes learned from the Layer 3 device to other branches and data centers.
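The two rules that matter for a reviewer of a branch design are the ones stated above: every underlay and standard VPN is a separate routing domain, so a route learned in one WAN domain is never announced into another (no accidental transit between, say, the MPLS underlay and a cloud security service VPN), while WAN-learned prefixes or a default may still be handed to the LAN-side Layer 3 device and LAN prefixes are announced outward. The following Python model is an added illustration of those rules and is not Prisma SD-WAN code nor a description of the ION's internal implementation; the domain labels, prefixes and next hops are constructed for the example.

```python
"""Branch ION routing-domain isolation, modelled in Python (illustration only).

Every WAN underlay and every standard VPN is its own routing domain. Routes
learned in one WAN domain are never announced into another WAN domain, so the
branch cannot silently become a transit hop between them. WAN-learned routes
(or a default) may still be handed to the LAN-side Layer 3 device, and the
branch's own prefixes go to every peer. All names and prefixes are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Callable

LAN = "lan"      # the LAN-side Layer 3 device
LOCAL = "local"  # a directly connected branch subnet
# Illustrative domain labels, not product identifiers.
WAN_DOMAINS = {"mpls", "internet", "standard-vpn-cloudsec"}


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str
    learned_from: str  # domain the route was learned in, or LOCAL


def advertisable(rib: list[Route], to_domain: str) -> list[Route]:
    """Routes a branch ION announces to a peer in `to_domain`."""
    if to_domain in WAN_DOMAINS:
        # Towards any WAN domain only the branch's own prefixes are announced:
        # connected subnets and prefixes learned from the LAN Layer 3 device.
        # Nothing learned in another WAN domain crosses over.
        return [r for r in rib if r.learned_from in (LAN, LOCAL)]
    if to_domain == LAN:
        # Towards the LAN Layer 3 device: WAN-learned prefixes or a default
        # route, so LAN hosts reach the WAN side through the ION.
        return [r for r in rib if r.learned_from in WAN_DOMAINS]
    raise ValueError(f"unknown domain {to_domain!r}")


def is_transit(rib: list[Route],
               advertise: Callable[[list[Route], str], list[Route]] = advertisable) -> bool:
    """True if `advertise` would leak a route from one WAN domain into another."""
    for domain in WAN_DOMAINS:
        for r in advertise(rib, domain):
            if r.learned_from in WAN_DOMAINS and r.learned_from != domain:
                return True
    return False


def naive_advertise(rib: list[Route], to_domain: str) -> list[Route]:
    """A policy with no domain separation: announce everything everywhere."""
    return list(rib)


# Constructed sample RIB for one branch.
SAMPLE_RIB = [
    Route(IPv4Network("192.168.10.0/24"), "connected", LOCAL),
    Route(IPv4Network("192.168.20.0/24"), "192.168.1.2", LAN),  # behind the L3 switch
    Route(IPv4Network("10.0.0.0/8"), "172.16.0.1", "mpls"),      # from the MPLS PE
    Route(IPv4Network("0.0.0.0/0"), "203.0.113.1", "standard-vpn-cloudsec"),
]


if __name__ == "__main__":
    for domain in sorted(WAN_DOMAINS) + [LAN]:
        print(domain, [str(r.prefix) for r in advertisable(SAMPLE_RIB, domain)])
    print("isolated policy is transit:", is_transit(SAMPLE_RIB))
    print("naive policy is transit:", is_transit(SAMPLE_RIB, naive_advertise))
```

The `is_transit` check is the property worth asserting about any branch device's redistribution policy during a design review: with the isolating policy it returns `False`, and with the naive "announce everything" policy it returns `True` because the MPLS-learned 10.0.0.0/8 would be offered to the cloud security VPN peer and the VPN default to the MPLS PE.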
Prisma SD-WAN Data Center Routing
Learn more about Prisma SD-WAN data center routing. The ION device
supports static routing on all its interfaces.
Configure static and dynamic routing
on data center ION devices. The ION device supports static routing
on all its interfaces. You can configure dynamic routing only on
those ION device interfaces that are configured as Peer with
a Network or as a standard VPN interface. ION devices in
data centers do not support routing on interfaces configured as Use
to Connect to Internet. Device interfaces configured
as standard VPN interfaces in data centers learn routes dynamically
from standard VPNs and advertise data center prefixes on standard
VPNs.
When you deploy the ION device in a data center, you place the
device off-path for a seamless integration with the existing environment.
The data center ION device connects with the data center core router,
and optionally, the WAN edge router. The data center ION device
only attracts the traffic destined to branches where Prisma SD-WAN
ION devices are deployed and where there is an active VPN tunnel
to that remote ION device. The data center ION device accomplishes
this by injecting more specific or preferred routes via BGP towards
the core router for Prisma SD-WAN-deployed site prefixes.
The data center ION device supports three types of peers—core,
edge, and classic. These BGP peers are contained in a single routing
domain. At a data center, configure routing per peer.
You can configure an ION device in the data center for core and
edge peering. You have to configure BGP peering information, such
as local and remote AS #, peer IP, and options like MD5 and timers
on the device. The device automatically takes care of other configurations,
such as route-map generation, updates, and filtering.
You can add entries to track LAN reachability beyond the
core peer; traffic remains on the active links as long as the data center ION device can reach the tracked IP
address. If host tracking fails, the system switches between the active and backup paths
accordingly.
You can now automatically detect and correct asymmetry,
ensuring smoother, more balanced traffic flows and compliance with security protocols by
using Distribute to Fabric.
You can configure an ION device to perform classic BGP peering,
just like any other Layer 3 networking device for more complex topologies
or scenarios.
The following topologies illustrate private WAN and third-party
routing in a data center.
- Edge and Core: In this scenario, the data center ION device peers with one or more edge BGP peers and with one or more core BGP peers.
- Core only: In this scenario, the data center ION device peers only with core peers. No private WAN underlay path exists for traffic to exit from the data center.
- Core and Data Center ION Device as the WAN Edge: In this scenario, the data center ION device becomes the WAN edge and peers with the core and with the PE in the provider cloud. This is equivalent to router replacement in the branch.
- Core and Standard VPN Peers: In this scenario, the data center ION device peers with core and third-party peers.
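The off-path behaviour described in this section (the data center ION device attracts only traffic for branches with an active fabric tunnel by injecting more specific routes towards the core router) comes down to two mechanisms: announcements that are gated on tunnel state, and longest-prefix match at the core. The Python below is an added illustration of that interaction and is not Prisma SD-WAN code nor the ION's actual BGP implementation; the next-hop names `dc-ion` and `wan-edge`, the site names and the prefixes are constructed.

```python
"""Off-path data center ION: attracting only fabric-reachable branch traffic.

The DC ION announces a more specific prefix towards the core router for each
branch that has an active fabric VPN tunnel. Longest-prefix match at the core
then steers those flows to the ION, while everything else keeps following the
core's existing, less specific routes (here an aggregate via the WAN edge).
When a tunnel drops, the prefix is withdrawn and traffic falls back.
Next-hop names, site names and prefixes are constructed for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Site:
    name: str
    prefix: IPv4Network
    tunnel_up: bool


@dataclass
class DcIon:
    next_hop: str  # address the core uses to reach the ION
    sites: list[Site] = field(default_factory=list)

    def announcements(self) -> dict[IPv4Network, str]:
        """Prefixes the ION injects towards its core peer right now."""
        # Only sites with an active tunnel are announced, so the core never
        # holds a route towards the ION for a branch it cannot deliver to.
        return {s.prefix: self.next_hop for s in self.sites if s.tunnel_up}


class CoreRouter:
    def __init__(self) -> None:
        self.rib: dict[IPv4Network, str] = {}

    def install(self, prefix: IPv4Network, next_hop: str) -> None:
        self.rib[prefix] = next_hop

    def withdraw(self, prefix: IPv4Network) -> None:
        self.rib.pop(prefix, None)

    def lookup(self, dst: IPv4Address) -> str | None:
        """Longest-prefix match: the most specific route wins."""
        matches = [p for p in self.rib if dst in p]
        if not matches:
            return None
        return self.rib[max(matches, key=lambda p: p.prefixlen)]


def path_for(core: CoreRouter, dst: str) -> str | None:
    """Next hop the core would use for a destination given as a string."""
    return core.lookup(IPv4Address(dst))


def sync(core: CoreRouter, ion: DcIon, previous: set[IPv4Network]) -> set[IPv4Network]:
    """Apply the ION's current announcements to the core; withdraw stale ones."""
    current = ion.announcements()
    for prefix in previous - set(current):
        core.withdraw(prefix)
    for prefix, nh in current.items():
        core.install(prefix, nh)
    return set(current)


def build_demo() -> tuple[CoreRouter, DcIon]:
    core = CoreRouter()
    # Pre-existing aggregate towards the WAN edge router (constructed).
    core.install(IPv4Network("10.0.0.0/8"), "wan-edge")
    ion = DcIon("dc-ion", [
        Site("branch-a", IPv4Network("10.1.0.0/16"), tunnel_up=True),
        Site("branch-b", IPv4Network("10.2.0.0/16"), tunnel_up=False),
    ])
    return core, ion


if __name__ == "__main__":
    core, ion = build_demo()
    announced = sync(core, ion, set())
    print("10.1.5.9 ->", path_for(core, "10.1.5.9"))  # dc-ion
    print("10.2.5.9 ->", path_for(core, "10.2.5.9"))  # wan-edge
    ion.sites[0].tunnel_up = False
    announced = sync(core, ion, announced)
    print("10.1.5.9 after tunnel loss ->", path_for(core, "10.1.5.9"))  # wan-edge
```

Running the block shows the point of the design: branch-a's traffic is pulled to the ION only while its /16 is announced, branch-b (no tunnel) never leaves the existing path via the WAN edge, and withdrawing the /16 after tunnel loss returns branch-a's traffic to that path without any change on the core router itself.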