Prisma SD-WAN Branch Routing
Learn about Prisma SD-WAN branch routing.
You can configure static and dynamic
routing in a branch for internet, private WAN underlays, and standard
VPN tunnels.
Configure static routing on a branch ION device to support topologies
with one or more LAN-side Layer 3 devices to forward traffic destined
for subnets that are more than one hop away. Use static routes to
configure next hops for subnets behind a Layer 3 switch on the LAN side,
or for destinations reachable over a WAN underlay or a standard VPN.
A static route on an ION device can point to the standard VPN interface
or to the standard VPN peer IP address.
Configure dynamic Border Gateway Protocol (BGP) routing on a
branch ION device for internet, private WAN underlays, and standard
VPNs. The ION device learns routes dynamically from its peers on the
internet, private WAN, and standard VPNs, and advertises the branch's
global prefixes to those peers.
By default, ION devices use a bypass pair for private WAN underlay
traffic. If you use a Layer 3 interface, you must explicitly enable L3
Direct Private WAN Forwarding for the private WAN underlay.
The ION device uses the bypass pair only to bridge traffic.
Starting with device software version 5.2.1, ION devices support
dynamic LAN routing in branch sites. To use LAN routing, you must
explicitly enable L3 Direct Private WAN Forwarding and L3
LAN forwarding. You can enable L3 LAN Forwarding only
when there are no Private Layer 2 bypass pairs associated with any
of the interfaces on the device. Starting with device software version
5.2.3, if there are Private Layer 2 interfaces on the device, the
device displays a message to first remove any Private Layer 2 interfaces
associated with the device and then enable L3 LAN Forwarding.
A branch ION device supports only classic BGP peers. It supports
multiple BGP peers, including multiple peers on the same interface.
The device treats each underlay and each standard VPN as a separate
routing domain: routes learned in one domain are not advertised into
another, so the branch ION device cannot dynamically become a transit
point between underlays.
At a branch site, configure the routing for a link or a routing
instance per link. The following topologies illustrate private WAN
and third-party routing in a branch.
Private WAN Dynamic Border Gateway Protocol (BGP) Routing
In this scenario, the branch ION device participates in dynamic BGP
routing by peering with a private WAN peer edge router, an internet
router, or a standard VPN endpoint. There may be more than one link,
and you can enable dynamic routing on each.
Private WAN Static Routing
In this scenario, the branch ION device has a default static route
pointing to the peer edge router, and the peer edge router advertises
the branch prefixes on behalf of the ION device. There may be more than
one private WAN link.
Standard VPNs to Cloud Security Services or Data Centers
In this scenario, the branch ION device has a standard VPN to a cloud
security service. The VPN carries a static default route or, optionally,
a BGP adjacency with the standard VPN endpoint.
You can deploy the ION at a branch site as follows:
Layer 2-only Deployment Model—You do not need
to configure routing when the ION is deployed in-line between the
switch and a branch router. In this deployment, the internet links
terminate on the branch ION device and the private wide area network
(WAN) link terminates on the WAN router.
The branch ION device steers each application's traffic dynamically,
based on path policies and measured network and application
performance, either directly to the private WAN through the WAN router
it is connected to, to a public WAN, or to a VPN over the public WAN.
Layer 2 / Layer 3 Deployment Model—Deploy the Prisma
SD-WAN ION device in-line between the switch and a branch router,
with the added facility of routing via a separate Layer 3 WAN interface
on the ION device. In this deployment, you can configure a Layer
3 WAN interface (WAN 2) as the source for a private WAN VPN to another
Prisma SD-WAN branch or data center site.
For example, configure LAN 1 and WAN 1 as a Layer 2 bypass pair (the
pair only bridges traffic), but configure WAN 2 to BGP peer with the
router. The ION device then advertises prefixes to the router and
learns routes from the router.
Router Replacement Model—In this model, the branch
ION device terminates both private WAN and internet links. When
terminating the private WAN links, the branch ION device participates
in dynamic routing with the peer edge router. The device advertises
prefixes present in the branch and learns the prefixes reachable
through the MPLS core.
LAN-Side BGP Routing—On the LAN side, the ION device
can be the default gateway for all branch subnets or can participate
in static or dynamic routing with a Layer 3 device. Together with the
Layer 3 switch, the branch ION device participates in routing as follows:
Learns the prefixes behind the Layer 3 device and forwards traffic to
those prefixes.
Advertises BGP-learned prefixes from the WAN side (for example, from the
MPLS peer edge router), or a default route, to the LAN Layer 3 device.
Advertises prefixes learned from the Layer 3 device to other branches
and data centers.
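The following Python model is added here as an illustration and is not code from the Prisma SD-WAN product or its API. It exercises the routing behaviour this section describes: each underlay and standard VPN is a separate domain whose learned routes are never re-advertised into another WAN domain (the no-transit property), WAN-learned prefixes or a default route go to the LAN-side Layer 3 device, and prefixes learned from that device go to other branches and data centers. The class name, method names, domain names and sample prefixes are assumptions constructed for the example; whether LAN-learned prefixes are also advertised to underlay peers is not stated on this page, so the model sends only the site's own prefixes to WAN peers.

```python
"""Route-domain model of a branch ION device.

Added illustration only; not Prisma SD-WAN product code. The class, method
names, domain names and sample prefixes are constructed for this example.
"""
import ipaddress

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def as_strings(prefixes):
    """Sorted textual form of a set of ip_network objects (for display/tests)."""
    return sorted(str(p) for p in prefixes)


class BranchION:
    """Each WAN underlay (internet, private WAN) and each standard VPN is a
    separate routing domain. Prefixes learned in one domain are used for
    forwarding and advertised to the LAN side, but never re-advertised into
    another WAN domain, so the branch cannot become a transit point."""

    def __init__(self, branch_prefixes):
        # Subnets directly attached to the ION: the site's global prefixes.
        self.branch_prefixes = {ipaddress.ip_network(p) for p in branch_prefixes}
        # Prefixes learned from a LAN-side Layer 3 device (static or BGP).
        self.lan_learned = set()
        # WAN domain name -> prefixes learned from that domain's peer.
        self.wan_domains = {}

    def add_wan_domain(self, name):
        self.wan_domains[name] = set()

    def learn_wan(self, domain, prefixes):
        self.wan_domains[domain].update(ipaddress.ip_network(p) for p in prefixes)

    def learn_lan(self, prefixes):
        self.lan_learned.update(ipaddress.ip_network(p) for p in prefixes)

    def advertised_to_wan(self, domain):
        """Sent to the peer of one WAN domain: the site's own prefixes only.
        Routes learned from any other WAN domain are deliberately excluded."""
        if domain not in self.wan_domains:
            raise KeyError(f"unknown WAN domain {domain!r}")
        return set(self.branch_prefixes)

    def advertised_to_lan(self, default_route_only=False):
        """Sent to the LAN-side Layer 3 device: everything learned on the WAN
        side (e.g. from the MPLS peer edge router), or just a default route."""
        if default_route_only:
            return {DEFAULT_ROUTE}
        return set().union(*self.wan_domains.values())

    def advertised_to_fabric(self):
        """Sent to other branches and data centers: the site's own prefixes
        plus those learned from the LAN-side Layer 3 device."""
        return self.branch_prefixes | self.lan_learned

    def is_transit(self):
        """True if a prefix learned in one WAN domain appears in the
        advertisements sent into a different WAN domain."""
        for src, learned in self.wan_domains.items():
            for dst in self.wan_domains:
                if dst != src and learned & self.advertised_to_wan(dst):
                    return True
        return False

    def lookup(self, address):
        """Longest-prefix match across the LAN domain and every WAN domain.
        Returns the name of the domain traffic to `address` is forwarded into,
        or None when no route matches."""
        addr = ipaddress.ip_address(address)
        tables = {"lan": self.branch_prefixes | self.lan_learned, **self.wan_domains}
        best_domain, best_len = None, -1
        for domain, prefixes in tables.items():
            for net in prefixes:
                if addr in net and net.prefixlen > best_len:
                    best_domain, best_len = domain, net.prefixlen
        return best_domain


def build_example_branch():
    """Constructed sample site: MPLS and internet underlays, a standard VPN to
    a cloud security service, and a Layer 3 switch behind the ION."""
    ion = BranchION(["10.1.10.0/24", "10.1.20.0/24"])
    for name in ("mpls", "internet", "svpn-cloudsec"):
        ion.add_wan_domain(name)
    ion.learn_wan("mpls", ["10.200.0.0/16"])       # data-center prefix from the PE router
    ion.learn_wan("svpn-cloudsec", ["0.0.0.0/0"])  # default route from the cloud service
    ion.learn_lan(["10.1.30.0/24"])                # subnet behind the Layer 3 switch
    return ion


if __name__ == "__main__":
    ion = build_example_branch()
    for name in ion.wan_domains:
        print(f"to {name}: {as_strings(ion.advertised_to_wan(name))}")
    print("to LAN L3 device:", as_strings(ion.advertised_to_lan()))
    print("to other sites:", as_strings(ion.advertised_to_fabric()))
    print("transit:", ion.is_transit())
    for dst in ("10.200.5.5", "10.1.30.9", "8.8.8.8"):
        print(f"{dst} -> {ion.lookup(dst)}")
```

Running the file prints the advertisement set per domain and a few forwarding lookups. The useful check is `is_transit()`: call it after adding a domain or a learned prefix to confirm that nothing learned from the MPLS peer edge router can be advertised to the internet or standard VPN peers, which is the isolation property the text relies on.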