: Prisma SD-WAN Branch Routing

Prisma SD-WAN Branch Routing

Table of Contents

Prisma SD-WAN
Branch Routing

Learn more about the
Prisma SD-WAN
branch routing.
You can configure static and dynamic routing in a branch for internet, private WAN underlays, and standard VPN tunnels.
Configure static routing on a branch ION device to support topologies with one or more LAN-side Layer 3 devices to forward traffic destined for subnets that are more than one hop away. Use static routes to configure next hops to subnets behind a Layer 3 switch on the LAN-side or destinations reachable over a WAN network underlay or a standard VPN. You can add static routes on an ION device that point to the standard VPN interface or the standard VPN peer IP address.
Configure dynamic Border Gateway Protocol (BGP) routing on a branch ION device for internet, private WAN underlays, and standard VPNs. The ION device learns routes dynamically over the internet, private WAN, and standard VPNs and advertises global branch prefixes on these routes.
By default, ION devices use a bypass pair for private WAN underlay traffic. If you use a Layer 3 interface, you must explicitly enable
L3 Direct Private WAN Forwarding
for the private WAN underlay. The ION device uses the bypass pair only to bridge traffic.
Starting with device software version 5.2.1, ION devices support dynamic LAN routing in branch sites. To use LAN routing, you must explicitly enable
L3 Direct Private WAN Forwarding
L3 LAN forwarding
. You can enable
L3 LAN Forwarding
only when there are no Private Layer 2 bypass pairs associated with any of the interfaces on the device. Starting with device software version 5.2.3, if there are Private Layer 2 interfaces on the device, the device displays a message to first remove any Private Layer 2 interfaces associated with the device and then enable
L3 LAN Forwarding
A branch ION device supports only classic peers. It can support multiple BGP peers and also peer with multiple BGP peers on the same interface. The device treats each underlay and Standard VPN as a separate domain. The routes learned from one domain are not advertised to another domain, thus preventing the branch ION device from dynamically becoming a transit point.
At a branch site, configure the routing for a link or a routing instance per link. The following topologies illustrate private WAN and third-party routing in a branch.
  • Private WAN Dynamic Border Gateway Protocol (BGP) Routing
    In this scenario, the branch ION device participates in dynamic BGP routing by peering with a private WAN peer edge router or an internet router, or standard VPNs. There maybe more than one link, and you can enable dynamic routing on each.
  • Private WAN Static Routing
    In this scenario, the branch ION device has a default static route pointing to the peer edge router. On behalf of the ION device, the peer edge router will advertise routes for branch prefixes. There may be more than one private WAN link.
  • Standard VPNs to Cloud Security Services or Data Centers
    In this scenario, the branch ION has a standard VPN connection to a cloud security service. This VPN has a static default route, or optionally, can have a BGP adjacency configured with the standard endpoint.
You can deploy the ION at a branch site as follows:
  • Layer 2-only Deployment Model
    —You do not need to configure routing when the ION is deployed in-line between the switch and a branch router. In this deployment, the internet links terminate on the branch ION device and the private wide area network (WAN) link terminates on the WAN router.
    The branch ION device dynamically steers traffic directly to the private WAN via the WAN router it is connected to, or to a public WAN or VPN on public WAN for each application based on path policies and network and application performance characteristics.
  • Layer 2 / Layer 3 Deployment Model
    —Deploy the Prisma SD-WAN ION device in-line between the switch and a branch router, with the added facility of routing via a separate Layer 3 WAN interface on the ION device. In this deployment, you can configure an Layer 3 WAN interface (WAN 2) as the source for a private WAN VPN to another
    Prisma SD-WAN
    branch or data center site.
    For example, configure LAN 1 and WAN 1 as an Layer 3 bypass pair, but configure WAN 2 to BGP peer with the router. The ION device then advertises prefixes to the router and learns routes from the router.
  • Router Replacement Model
    —In this model, the branch ION device terminates both private WAN and internet links. When terminating the private WAN links, the branch ION device participates in dynamic routing with the peer edge router. The device advertises prefixes present in the branch and learns the prefixes reachable through the MPLS core.
  • LAN-Side BGP Routing
    —On the LAN side, the ION device can be the default gateway for all branch subnets or can participate in static or dynamic routing with an Layer 3 device. The branch ION device in conjunction with the Layer 3 switch participates in routing as follows:
    • Learns the prefixes behind the Layer 3 device and forwards traffic to those prefixes.
    • Advertises BGP learned prefixes from the WAN side (e.g. MPLS peer edge router) or a default route to the LAN Layer 3 device.
    • Advertises prefixes learned from the Layer 3 device to other branches and data centers.

Recommended For You