In Prisma SD-WAN you can configure routing on branch and data center ION
devices. Based on the deployment, WAN routing behavior differs between branch and data
center sites.
Where Can I Use This? Prisma SD-WAN
What Do I Need? Prisma SD-WAN license
Prisma SD-WAN supports both static and dynamic routing on the internet, private WAN
underlays, LAN, and Standard Virtual Private Network (VPN) tunnels in a branch; and
private WAN underlays, LAN, and Standard VPNs in a data center.
Learn more about Prisma SD-WAN branch routing. You can configure
static and dynamic routing in a branch for internet, private WAN underlays, and standard VPN
tunnels.
You can configure static and dynamic routing in a branch for Internet, private WAN
underlays, LAN, and standard VPN tunnels.
Configure static routing on a branch ION device to support topologies
with one or more LAN-side Layer 3 devices to forward traffic destined
for subnets that are more than one hop away. Use static routes to
configure next hops to subnets behind a Layer 3 switch on the LAN-side
or destinations reachable over a WAN network underlay or a standard
VPN. You can add static routes on an ION device that point to the
standard VPN interface or the standard VPN peer IP address.
Configure dynamic Border Gateway Protocol (BGP) routing on a branch ION device for Internet,
private WAN underlays, LAN, and standard VPNs. The ION device learns routes dynamically
from private WAN and standard VPN BGP peers and distributes them to the LAN BGP peers. Routes
learned from LAN peers can be sent to the Prisma SD-WAN controller via API and to other
LAN and private WAN BGP peers.
Starting with device software version 6.4.1, OSPF is supported on the LAN in branch mode
IONs. Routes learned from LAN OSPF neighbors can be sent to the SD-WAN controller via API
and to other LAN neighbors. Routes can also be redistributed between BGP peers and OSPF
neighbors.
By default, ION devices use a bypass pair for private WAN underlay traffic. If you use a Layer 3
private WAN interface, you must explicitly enable L3 Direct Private WAN
Forwarding for the private WAN underlay. The ION device uses the bypass
pair only to bridge traffic.
Starting with device software version 5.2.1, ION devices support
dynamic LAN routing in branch sites. To use LAN routing, you must
explicitly enable L3 Direct Private WAN Forwarding and L3
LAN forwarding. You can enable L3 LAN Forwarding only
when there are no Private Layer 2 bypass pairs associated with any
of the interfaces on the device. Starting with device software version
5.2.3, if there are Private Layer 2 interfaces on the device, the
device displays a message to first remove any Private Layer 2 interfaces
associated with the device and then enable L3 LAN Forwarding.
A branch ION device supports only classic BGP peers. It can support multiple BGP peers and also
peer with multiple BGP peers on the same interface. The device treats each underlay and
Standard VPN as a separate domain. The routes learned from one domain are not advertised
to another domain, thus preventing the branch ION device from dynamically becoming a
transit point.
At a branch site, configure the routing for a link or a routing
instance per link. The following topologies illustrate private WAN
and third-party routing in a branch.
Private WAN Dynamic Border Gateway Protocol (BGP) Routing
In this scenario, the branch ION device participates in dynamic BGP routing by peering with a
private WAN peer edge router. There may be more than one link, and you can enable
dynamic routing on each.
Private WAN Static Routing
In this scenario, the branch ION device has a default static route pointing to the
peer edge router. On behalf of the ION device, the peer edge router
will advertise routes for branch prefixes. There may be more than
one private WAN link.
Standard VPNs to Cloud Security Services or Data Centers
In this scenario, the branch ION has a standard VPN connection to a
cloud security service. This VPN has a static default route, or
optionally, can have a BGP adjacency configured with the standard
endpoint.
You can deploy the ION at a branch site as follows:
Layer 2-only Deployment Model—You do not need
to configure routing when the ION is deployed in-line between the
switch and a branch router. In this deployment, the internet links
terminate on the branch ION device and the private wide area network
(WAN) link terminates on the WAN router.
The branch ION device
dynamically steers traffic directly to the private WAN via the WAN
router it is connected to, or to a public WAN or VPN on public WAN
for each application based on path policies and network and application
performance characteristics.
Layer 2 / Layer 3 Deployment Model—Deploy the Prisma
SD-WAN ION device in-line between the switch and a branch router,
with the added facility of routing via a separate Layer 3 WAN interface
on the ION device. In this deployment, you can configure a Layer
3 WAN interface (WAN 2) as the source for a private WAN VPN to another
Prisma SD-WAN branch or data center site.
For example, configure LAN 1 and WAN 1 as a private WAN Layer 2 bypass pair, but configure WAN 2
as an L3 interface that BGP peers with the router. The ION device then advertises
prefixes to the router and learns routes from the router. You need to enable the "L3
Private WAN Forwarding" configuration knob on the ION in this scenario.
Router Replacement Model—In this model, the branch
ION device terminates both private WAN and internet links. When
terminating the private WAN links, the branch ION device participates
in dynamic routing with the peer edge router. The device advertises
prefixes present in the branch and learns the prefixes reachable
through the MPLS core.
LAN-Side BGP Routing—On the LAN side, the ION device can be the default gateway for all
branch subnets or can participate in static or dynamic routing with a Layer 3
device. The branch ION device in conjunction with the Layer 3 switch
participates in routing as follows:
Learns the prefixes behind the Layer 3 device and forwards traffic to those prefixes.
Advertises BGP learned prefixes from the private WAN side (e.g. MPLS peer edge router) or a
default route to the LAN Layer 3 device.
Advertises prefixes learned from the Layer 3 device to the private WAN BGP peer.
Advertises prefixes learned from the Layer 3 device to the Prisma SD-WAN
controller via API, so the controller can distribute to ION devices at other
branches and data centers.
LAN-Side OSPF Routing—On the LAN side, the ION device can be the default
gateway for all branch subnets or can participate in static or dynamic routing
with a Layer 3 device. The branch ION device in conjunction with the Layer 3
switch participates in routing as follows:
Learns the prefixes behind the Layer 3 device and forwards traffic to
those prefixes.
Advertises BGP learned prefixes from the private WAN side (e.g. MPLS peer
edge router) or a default route to the LAN Layer 3 device.
Advertises prefixes learned from the Layer 3 device to the private WAN
BGP peer.
Advertises prefixes learned from the Layer 3 device to the Prisma SD-WAN
controller via API, so the controller can distribute to ION devices at other
branches and data centers.
Learn more about Prisma SD-WAN data center routing. The ION device
supports static routing on all its interfaces.
Configure static and dynamic routing
on data center ION devices. The ION device supports static routing
on all its interfaces. You may configure dynamic routing only on
those ION device interfaces that are configured as Peer with
a Network or as a standard VPN interface. ION devices in
data centers do not support routing on interfaces configured as Use
to Connect to Internet. Device interfaces configured
as standard VPN interfaces in data centers learn routes dynamically
from standard VPNs and advertise data center prefixes on standard
VPNs.
When you deploy the ION device in a BGP-based data center deployment, you place the device
off-path for seamless integration with the existing environment. The data center ION
device connects with the data center core router and, optionally, the WAN edge router.
The data center ION device attracts only the traffic destined to branches where Prisma SD-WAN ION devices are deployed and where there is an active VPN
tunnel to that remote ION device. The data center ION device accomplishes this by
injecting more specific or preferred routes via BGP towards the core router for Prisma SD-WAN-deployed site prefixes.
The data center ION device supports three types of peers—core,
edge, and classic. These BGP peers are contained in a single routing
domain. At a data center, configure routing per peer.
You can configure an ION device in the data center for core and
edge peering. You have to configure BGP peering information, such
as local and remote AS number, peer IP, and options like MD5 and timers
on the device. The device automatically takes care of other configurations,
such as route-map generation, updates, and filtering.
You can add entries to track LAN reachability beyond the
core peer. The VPN tunnels on the ION remain active and attract traffic from branches as
long as the DC ION can reach the tracked IP address. If host tracking fails, the tunnels are
made inactive and the system switches to the other DC ION in the HA pair.
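The off-path traffic attraction and host-tracking fallback described above, modelled as an added example (not Prisma SD-WAN code): a minimal longest-prefix-match RIB for the core router, a WAN edge next hop that advertises the branch aggregate, and a DC ION next hop that injects a more specific /24 only for branches with an active tunnel. All addresses, prefixes and the tunnel states are constructed sample values.

```python
import ipaddress

# Constructed sample next hops as seen from the DC core router (not from the page).
WAN_EDGE = "10.0.0.2"   # WAN edge router, advertises the branch aggregate via MPLS
DC_ION = "10.0.0.3"     # off-path DC ION, injects more specific routes


class CoreRib:
    """Minimal model of the core router's BGP RIB: longest prefix wins,
    ties broken by higher local preference."""

    def __init__(self):
        self.routes = []  # (network, next_hop, local_pref)

    def install(self, prefix, next_hop, local_pref=100):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, local_pref))

    def withdraw_all_from(self, next_hop):
        self.routes = [r for r in self.routes if r[1] != next_hop]

    def next_hop_for(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        return max(matches, key=lambda r: (r[0].prefixlen, r[2]))[1]


def dc_ion_advertise(core, tunnels):
    """Re-advertise toward the core only the branch prefixes whose VPN
    tunnel is active, so the ION attracts just that traffic."""
    core.withdraw_all_from(DC_ION)
    for prefix, tunnel_up in tunnels.items():
        if tunnel_up:
            core.install(prefix, DC_ION)


def host_tracking_event(core, tracked_host_reachable, tunnels):
    """When LAN host tracking fails, every tunnel goes inactive and the
    ION withdraws its routes; the core falls back to the WAN edge."""
    if not tracked_host_reachable:
        tunnels = {p: False for p in tunnels}
    dc_ion_advertise(core, tunnels)
    return tunnels


def build_sample_core():
    core = CoreRib()
    core.install("172.16.0.0/16", WAN_EDGE)  # constructed branch aggregate over MPLS
    tunnels = {"172.16.10.0/24": True, "172.16.20.0/24": False}  # constructed states
    dc_ion_advertise(core, tunnels)
    return core, tunnels
```

Branch 172.16.10.0/24 is reached via the DC ION while its tunnel is up, the branch without a tunnel stays on the WAN edge path, and a host-tracking failure withdraws all ION routes.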
The Distribute to Fabric feature allows prefixes learned on
the Data Center LAN (via LAN routing protocols) to be selectively advertised to specific
branch sites. This ensures that branches prefer the appropriate Data Center for those
prefixes, helping maintain optimal traffic paths and adherence to security policies.
OSPF based DC Deployment
Starting with device software version 6.4.1, OSPF is
supported on the LAN in DC mode IONs. When you deploy the ION device in an OSPF based
data center deployment, you place the device in-path between the private WAN (if any)
router and the DC Core/LAN router.
You can configure an ION device to perform classic BGP peering,
just like any other Layer 3 networking device for more complex topologies
or scenarios.
The following topologies illustrate private WAN and third-party
routing in a data center.
Edge and Core
In this scenario, the data center ION device peers with one or more edge BGP peers and with
one or more core BGP peers.
Core only
In this scenario, the data center ION device peers only with core peers. No private WAN underlay path
exists for traffic to exit from the data center.
Core and Data Center ION Device as the WAN Edge
In this scenario, the data center ION device becomes the WAN edge, and
peers with the core and the PE in the provider cloud. This is equivalent
to router replacement in the branch.
Core and Standard VPN Peers
In this scenario, the data center ION device peers with core and third-party peers.