Deployment Topologies of Virtual Interface
Let us learn about the deployment topologies of the virtual interface.
Virtual interfaces can be configured on both branch and data center ION devices. A few sample deployment topologies are discussed below.
Controller Port Redundancy
Controller port redundancy is enabled for both branch and data center ION devices where applicable.
In this scenario, the virtual interface is used to provide physical redundancy from a single Prisma SD-WAN ION device with dual controller ports to two Layer 2 switches, in the event of a port failure between the ION device and one of the switches. The ION device has each controller port physically connected to a different switch. A new virtual interface is configured with the two member interfaces, controller ports 1 and 2. IP address information is configured on the virtual interface controller port. In the event of the loss of a switch or a controller port, controller connectivity remains uninterrupted.
Branch Deployments
The branch site deployments shown below include scenarios where a virtual interface is configured for port redundancy when an ION device is connected to a LAN switch or when a firewall is present.
Branch ION Device LAN Port Redundancy
In this scenario, the virtual interface is used to provide physical redundancy from a single ION device to two Layer 2 switches, in the event of an uplink failure between the ION device and one of the switches.
The ION device is physically connected to two Layer 2 switches, with VLAN 100 defined on each switch. A new virtual interface is configured with two member interfaces, ports 1 and 2. A sub-interface for VLAN 100 is created on the new virtual interface and the appropriate IP information is configured.
Once configured, application traffic from clients connected to VLAN 100 is sent to the IP address (and corresponding MAC address) bound to the VLAN 100 sub-interface of the virtual interface. In the event of a physical interface failure, the other interface assumes the forwarding role for the failed interface.
Branch ION Device Internet Port Redundancy
In this scenario, a virtual interface is used to provide internet uplink port redundancy between a single branch ION device and an active/backup firewall pair. The firewall pair is responsible for inspecting the untrusted internet traffic that the ION device sends directly to the internet.
The ION device is physically connected directly to each firewall. A new virtual interface is configured with two member interfaces, ports 1 and 2. Since a VLAN tag is not required for this configuration, the IP address information is configured directly on the virtual interface along with 'Used For Internet.' Corresponding port tracking should be configured on the firewall pair to ensure that a unit goes inactive or standby in the event of a failure of the port connected to the ION device.
For purposes of load balancing or redundancy, these firewalls can be configured in an active-active or active-standby mode.
Data Center Deployments
Data center deployments include scenarios where an ION device is deployed with two core peers in the same subnet, and with a firewall for internet circuits.
Redundancy in Data Center ION Device Deployment with 2 Core Peers in the Same Subnet
In this scenario, a virtual interface is used to provide redundant physical connections to a pair of Layer 3 core switches. The ION device peers via BGP with both switches in the same IP network.
The data center ION device is physically connected to each of the Layer 3 core switches, with VLAN 10 defined on each switch. A new virtual interface is configured with two member interfaces, ports 1 and 2. A sub-interface for VLAN 10 is created on the new virtual interface and the appropriate IP information is configured. Corresponding BGP peers are configured on both the ION device and the core switches.
The configured traffic is forwarded in an active-active fashion based upon the route table of the devices. In the event of an interface or core switch failure, data center connectivity continues uninterrupted.
This scenario applies both to dual-core control plane designs, as depicted, and to single-core control plane designs such as a switch stack.
Redundancy in Data Center ION Device Deployment with Internet Circuits and Firewall
In this scenario, a virtual interface is used to provide redundant physical connections to a pair of Layer 2 switches that are connected to an internet-facing firewall pair. The ION device uses the firewall as the default gateway for the redundant internet-facing ports.
The data center ION device is physically connected to each of the Layer 2 switches through an untagged switch interface. A new virtual interface is configured with two member interfaces, ports 1 and 2. Since a VLAN tag is not required for this configuration, the IP address information is configured directly on the virtual interface along with the 'Connect to Internet' configuration. Configure the corresponding port tracking on the firewall pair to ensure that a unit goes inactive or standby in the event of a failure of the port connected to the ION device.
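The following Python model is an added illustration, not Prisma SD-WAN code: it encodes the failover behaviour described in the branch LAN port redundancy scenario (IP and MAC stay bound to the virtual interface while a surviving member port takes over) and the firewall port-tracking rule used in the branch and data center internet scenarios. Port names, addresses and the "first healthy member forwards" rule are assumptions of the model, and the VLAN consistency check is an added sanity check, not a documented product feature.

```python
from dataclasses import dataclass, field

# Constructed model, not Prisma SD-WAN code. It encodes only what the topology
# text describes: IP/MAC live on the virtual interface (or its VLAN sub-interface),
# a surviving member forwards, and port tracking fails a firewall unit over.

@dataclass
class VirtualInterface:
    members: list                   # member ports, e.g. ["port1", "port2"]
    ip: str
    mac: str
    vlan: int = 0                   # 0 = untagged (IP set directly on the VI)
    down: set = field(default_factory=set)

    def forwarding_member(self):
        # Assumption: the first healthy member forwards; None = no uplink left.
        healthy = [m for m in self.members if m not in self.down]
        return healthy[0] if healthy else None

    def link_down(self, port):
        self.down.add(port)
        return self.forwarding_member()

def vlan_consistency_problems(vi, switch_vlans):
    """switch_vlans maps member port -> set of VLANs on the attached switch.
    Every member must carry the sub-interface VLAN, or failover to it breaks."""
    if vi.vlan == 0:
        return []
    return [m for m in vi.members if vi.vlan not in switch_vlans.get(m, set())]

@dataclass
class FirewallPair:
    units: list                     # e.g. ["fw-a", "fw-b"]
    active: str
    failed: set = field(default_factory=set)   # units whose ION-facing port is down

    def ion_port_failed(self, unit):
        # Port tracking: a unit with a dead ION-facing port cannot stay active.
        self.failed.add(unit)
        if self.active in self.failed:
            healthy = [u for u in self.units if u not in self.failed]
            self.active = healthy[0] if healthy else None
        return self.active

def branch_lan_failover():
    # Branch LAN scenario: VLAN 100 sub-interface on the VI, then port1 fails.
    vi = VirtualInterface(["port1", "port2"], "10.100.0.1", "00:11:22:33:44:55", vlan=100)
    before = (vi.forwarding_member(), vi.ip, vi.mac)
    after = (vi.link_down("port1"), vi.ip, vi.mac)   # address binding unchanged
    return before, after
```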