Virtual Interface
A Virtual Interface enables the combination of two physical ports into one logical interface. Let's learn the deployment topologies of the virtual interface in Prisma SD-WAN.
A Virtual Interface enables the combination
of two physical ports into one logical interface. Virtual Interfaces
provide increased redundancy in areas of the network where uptime
is critical and additional design flexibility is needed.
A Virtual Interface can contain a maximum of two member interfaces
and is used to ensure redundant physical connectivity from a device
to one or more switches, routers, or firewalls. For example, two
controller ports may be connected to two Layer 2 switches for physical
redundancy of controller port connectivity.
In order for a port to be an eligible Virtual Interface member it must be a:
- Physical port—Cannot be a bypass pair nor a logical interface.
- Similar port type—For example, a controller port can only be added to a virtual interface with another controller port.
- Default configuration—The interface cannot have any type of IP, sub-interface, used-for, circuit label, nor PPPoE configuration.
A virtual interface can be created, updated, or deleted. It displays
as Down if both the member interfaces are operationally down, and
Up if at least one of the member interfaces is operationally up.
Switch ports on any ION device cannot function as Virtual Interface (VI) members.
Deployment Topologies of Virtual Interface
Virtual Interfaces can be configured on both branch and data center ION devices. A few sample deployment topologies are discussed below.
Controller Port Redundancy
Controller port redundancy is enabled for both branch and data center ION devices where applicable.
In this scenario, the virtual interface is used to provide physical redundancy from a single Prisma SD-WAN ION device with dual controller ports to two Layer 2 switches in the event of a port failure between the ION device and one of the switches.
The ION device has each controller port physically connected to a different switch. A new virtual interface is configured with the two member interfaces, controller ports 1 and 2. IP address information is configured on the virtual interface controller port. In the event of a loss of a switch or controller port, controller connectivity remains uninterrupted.
Branch Deployments
Branch site deployments shown below include scenarios where a virtual interface is configured for port redundancy when an ION device is connected to a LAN switch or when a firewall is present.
Branch ION Device LAN Port Redundancy
In this scenario, the virtual interface is used to provide physical redundancy from a single ION device to two Layer 2 switches in the event of an uplink failure between the ION device and one of the switches.
The ION device is physically connected to two Layer 2 switches with VLAN 100 defined on each switch. A new virtual interface is configured with two member interfaces, ports 1 and 2. A sub-interface for VLAN 100 is created on the new virtual interface and the appropriate IP information is configured.
Once configured, the application traffic from clients connected to VLAN 100 is sent to the IP address (and corresponding MAC address) bound to the VLAN 100 sub-interface of the virtual interface. In the event of a physical interface failure, the other interface assumes the forwarding role for the failed interface.
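The membership rules listed earlier (physical port, matching port type, default configuration, no switch ports) and the Up/Down semantics of a virtual interface can be checked offline before touching a device. The following is an added example, not code from the Prisma SD-WAN documentation or product: it models those rules in plain Python, builds the Branch ION Device LAN Port Redundancy topology above (ports 1 and 2 as members, a VLAN 100 sub-interface with a constructed sample IP), and walks through a member failure. Field names such as `port_type`, `used_for` and `oper_up` are this example's own modelling choices, not the product's API schema.

```python
"""Offline model of Prisma SD-WAN Virtual Interface (VI) membership rules
and operational state as described on this page. All field names are
this example's own assumptions, not the product's configuration schema."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Port:
    """A physical ION device port, with the state relevant to VI eligibility."""
    name: str
    port_type: str                   # e.g. "controller" or "lan" (assumed labels)
    is_physical: bool = True         # False for logical interfaces
    is_bypass_pair: bool = False
    is_switch_port: bool = False
    ip: Optional[str] = None
    used_for: Optional[str] = None   # e.g. "Internet" once assigned
    circuit_label: Optional[str] = None
    pppoe: bool = False
    sub_interfaces: List[int] = field(default_factory=list)  # VLAN IDs
    oper_up: bool = True             # operational state of the member


def member_eligibility_errors(port: Port) -> List[str]:
    """Reasons a port may NOT join a VI; an empty list means it is eligible."""
    errors = []
    if not port.is_physical or port.is_bypass_pair:
        errors.append(f"{port.name}: must be a physical port, not a bypass pair "
                      "or logical interface")
    if port.is_switch_port:
        errors.append(f"{port.name}: switch ports cannot be VI members")
    if (port.ip or port.sub_interfaces or port.used_for
            or port.circuit_label or port.pppoe):
        errors.append(f"{port.name}: must be in default configuration "
                      "(no IP, sub-interface, used-for, circuit label or PPPoE)")
    return errors


@dataclass
class VirtualInterface:
    name: str
    members: List[Port]
    ip: Optional[str] = None                 # untagged case (e.g. internet uplink)
    used_for: Optional[str] = None
    vlan_sub_interfaces: Dict[int, str] = field(default_factory=dict)  # VLAN -> IP


def vi_config_errors(vi: VirtualInterface) -> List[str]:
    """Check the VI as a whole: two members, same port type, each eligible."""
    errors = []
    if len(vi.members) != 2:
        errors.append(f"{vi.name}: a VI combines exactly two physical ports, "
                      f"got {len(vi.members)}")
    types = {m.port_type for m in vi.members}
    if len(types) > 1:
        errors.append(f"{vi.name}: members must be the same port type, "
                      f"got {sorted(types)}")
    for m in vi.members:
        errors.extend(member_eligibility_errors(m))
    return errors


def vi_state(vi: VirtualInterface) -> str:
    """Up if at least one member is operationally up, otherwise Down."""
    return "Up" if any(m.oper_up for m in vi.members) else "Down"


def forwarding_member(vi: VirtualInterface) -> Optional[str]:
    """The member currently carrying traffic for the VI's IP/MAC, or None."""
    for m in vi.members:
        if m.oper_up:
            return m.name
    return None


def build_branch_lan_vi() -> VirtualInterface:
    """Branch ION Device LAN Port Redundancy: ports 1 and 2 to two L2 switches,
    VLAN 100 sub-interface carrying a constructed sample address."""
    port1 = Port("port 1", "lan")
    port2 = Port("port 2", "lan")
    return VirtualInterface("vi-lan", [port1, port2],
                            vlan_sub_interfaces={100: "192.0.2.1/24"})


if __name__ == "__main__":
    vi = build_branch_lan_vi()
    print("config errors:", vi_config_errors(vi))
    print("state:", vi_state(vi), "forwarding via:", forwarding_member(vi))
    vi.members[0].oper_up = False          # uplink to switch 1 fails
    print("after port 1 failure:", vi_state(vi), forwarding_member(vi))
    busy = Port("port 3", "lan", ip="198.51.100.2/24", used_for="Internet")
    print("already-configured port:", member_eligibility_errors(busy))
```

Running the script shows the VI stays Up with port 2 forwarding after port 1 fails, and reports Down only once both members are down; a port that already carries an IP or a used-for setting is rejected as a member, matching the default-configuration rule.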
Branch ION Device Internet Port Redundancy
In this scenario, a virtual interface is used to provide internet uplink port redundancy between a single branch ION device and an active/backup firewall pair. The firewall pair is responsible for inspecting untrusted internet traffic that the ION device sends directly to the internet.
The ION device is physically connected directly to each firewall. A new virtual interface is configured with two member interfaces, ports 1 and 2. Since a VLAN tag is not required for this configuration, the IP address information is configured directly on the virtual interface along with 'Used For Internet.' Corresponding port tracking should be configured on the firewall pair to ensure that a unit goes inactive or standby in the event of a failure of the port connected to the ION device.
For purposes of load-balancing or redundancy, these firewalls can be configured in an active-active or active-standby mode.
Data Center Deployments
Data Center deployments include scenarios where an ION device is deployed with two core peers in the same subnet and with a firewall for internet circuits.
Redundancy in Data Center ION Device Deployment with 2 Core Peers in the Same Subnet
In this scenario, a virtual interface is used to provide redundant physical connections to a pair of Layer 3 core switches. The ION device is peering via BGP with both switches in the same IP network.
The Data Center ION device is physically connected to each of the Layer 3 core switches with VLAN 10 defined on each switch. A new virtual interface is configured with two member interfaces, ports 1 and 2. A sub-interface for VLAN 10 is created on the new virtual interface and the appropriate IP information is configured. Corresponding BGP peers are configured on both the ION device and the core switches.
The configured traffic forwards in an active-active fashion based upon the route table of the devices. In the event of an interface or core switch failure, continuous data center connectivity is maintained.
This scenario is applicable to both dual core control plane designs as depicted as well as single core control plane designs such as a switch stack.
Redundancy in Data Center ION Device Deployment with Internet Circuits and Firewall
In this scenario, a virtual interface is used to provide redundant physical connections to a pair of Layer 2 switches that are connected to an internet-facing firewall pair. The ION device uses the firewall as the default gateway for the redundant internet-facing ports.
The Data Center ION device is physically connected to each of the Layer 2 switches through an untagged switch interface. A new virtual interface is configured with two member interfaces, ports 1 and 2. Since a VLAN tag is not required for this configuration, the IP address information is configured directly on the virtual interface along with the 'Connect to Internet' configuration. Configure the corresponding port tracking on the firewall pair to ensure that a unit goes inactive or standby in the event of a failure of the port connected to the ION device.
Related CLIs
- config interface
- ping
- ping6
- debug bounce interface
- debug bw test src interface
- debug ipfix
- ssh interface
- tcp dump
- tcp ping
- trace route
- inspect interface stats
- inspect ipfix exporter stats
- inspect ipfix collector stats
- inspect ipfix app table
- inspect ipfix wan path info
- inspect ipfix interface info
- inspect wan paths
- dump cgnx infra status
- dump cgnx infra status live
- dump cgnx infra status store
- dump interface config
- dump interface status
- dump interface status interface details
- dump interface status interface module
- dump ipfix config collector contexts
- dump ipfix config filter contexts
- dump ipfix config derived exporters
- dump ipfix config templates
- dump ipfix config ipfix overrides
- dump ipfix config profiles
- dump ipfix config prefix filters
- dump wan interface config
- dump wan interface summary