Prisma Access Hot Potato Routing

Learn about how hot potato routing works for Prisma Access service connections.
When you select Hot Potato Routing, Prisma Access egresses the traffic bound to service connections/data centers from its internal network as quickly as possible.
With hot potato routing, Prisma Access prepends the AS path (AS-PATH) to the BGP prefix advertisements sent from gateways. This prepending is performed when the prefixes are advertised out of the service connection to your organization’s on-premises CPE. The prepends make your CPE give the correct preference to the primary and secondary tunnels: if the primary tunnel goes down, your CPE chooses the secondary tunnel as the backup.
If you specified a different IP address for the secondary (backup) BGP peer, Prisma Access adds more prepends based on the tunnel type, as shown in the following table.

| Prefix Type | Service Connection Tunnel Type | Number of AS-PATH Prepends | Total AS-PATHs Seen on the CPE |
|---|---|---|---|
| Gateway prefixes from primary service connection | Primary or Secondary tunnel with the same BGP peer IP address | 0 | 1 |
| Gateway prefixes from backup service connection | Primary or Secondary tunnel with the same BGP peer IP address | 3 | 4 |
| Gateway prefixes from all other service connections | Primary or Secondary tunnel with the same BGP peer IP address | 6 | 7 |
| Gateway prefixes from primary service connection | Secondary tunnel with a different BGP peer IP address | 1 | 2 |
| Gateway prefixes from backup service connection | Secondary tunnel with a different BGP peer IP address | 4 | 5 |
| Gateway prefixes from all other service connections | Secondary tunnel with a different BGP peer IP address | 7 | 8 |

In hot potato routing mode, Prisma Access allows you to specify a backup service connection (Backup SC) during onboarding. Specifying a Backup SC informs Prisma Access to use that service connection as the backup when a service connection link fails.
The following figure shows a hot potato routing configuration for traffic between the US service connection and AS 200, with the EU service connection configured as the Backup SC of the US connection. Using hot potato routing, Prisma Access sends the traffic from its closest exit path through the US service connection. The return traffic takes the same path through AS 100 because this path has a shorter AS-PATH to the mobile user pool in the US location. Prisma Access prepends the AS-PATH to its prefix advertisements depending on whether the tunnel is a primary tunnel, a backup tunnel, or not used for either primary or backup.
Because you have set up a backup service connection, if the link to the US service connection goes down, hot potato routing sends the traffic out using its shortest route through the EU service connection. This routing scenario also applies to networks that use route aggregation.
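
The failover preference that the prepend table and the US/EU Backup SC scenario above describe, modeled as an added Python example (not Palo Alto Networks code). It assumes the CPE compares only AS-PATH length (weight, local preference and other earlier tie-breakers equal); the APAC connection, the `same_peer`/`secondary_diff_peer` labels and all function names are constructed for illustration.

```python
from dataclasses import dataclass, replace

# Prepend counts copied from the table above, keyed by
# (role of the service connection for this gateway prefix, tunnel/peer type).
PREPENDS = {
    ("primary", "same_peer"): 0, ("primary", "secondary_diff_peer"): 1,
    ("backup", "same_peer"): 3,  ("backup", "secondary_diff_peer"): 4,
    ("other", "same_peer"): 6,   ("other", "secondary_diff_peer"): 7,
}

@dataclass(frozen=True)
class Advert:
    sc: str            # service connection name (constructed sample value)
    role: str          # primary | backup | other
    peer: str          # same_peer | secondary_diff_peer (hypothetical labels)
    up: bool = True    # whether the BGP session over this tunnel is established

    @property
    def as_path_len(self) -> int:
        # The table's "total seen on the CPE" is the prepend count plus one.
        return 1 + PREPENDS[(self.role, self.peer)]

def best_path(adverts):
    """Advert the CPE would select, or None if every session is down.
    Assumption: attributes compared before AS-PATH length are equal,
    so the shortest AS-PATH wins."""
    live = [a for a in adverts if a.up]
    return min(live, key=lambda a: a.as_path_len) if live else None

def fail(adverts, sc, peer=None):
    """Mark one session (or, with peer=None, every session of an SC) as down."""
    return [replace(a, up=False) if a.sc == sc and peer in (None, a.peer) else a
            for a in adverts]

def failover_order(adverts):
    """Successive best paths as each selected session is taken down in turn."""
    order, live = [], list(adverts)
    while (best := best_path(live)) is not None:
        order.append((best.sc, best.peer, best.as_path_len))
        live = fail(live, best.sc, best.peer)
    return order

# Constructed sample: one US gateway prefix seen over three service connections,
# each with a secondary tunnel that uses a different BGP peer IP address.
SAMPLE = [Advert(sc, role, peer)
          for sc, role in (("EU", "backup"), ("APAC", "other"), ("US", "primary"))
          for peer in ("secondary_diff_peer", "same_peer")]

if __name__ == "__main__":
    for hop in failover_order(SAMPLE):
        print(hop)
```

Running it prints the order in which the CPE falls back from the US primary tunnel to the US secondary tunnel, then to the EU Backup SC, and only then to any other service connection.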
You can also use backup service connections for multiple service connections in a single region. The following figure shows a Prisma Access deployment with two service connections in the North America region. In this case, you specify a Backup SC of US-E for the US-W service connection, and vice versa, to ensure symmetric routing.