Prisma SD-WAN Branch Routing
Table of Contents
Expand all | Collapse all
-
-
- Configure Circuits
- Configure Internet Circuit Underlay Link Aggregation
- Configure Private WAN Underlay Link Quality Aggregation
- Configure Circuit Categories
- Configure Device Initiated Connections for Circuits
- Add Public IP LAN Address to Enterprise Prefixes
- Manage Data Center Clusters
- Configure a Site Prefix
- Configure a DHCP Server
- Configure NTP for Prisma SD-WAN
- Enable IoT Device Visibility in Prisma SD-WAN
- Configure the ION Device at a Branch Site
- Configure the ION Device at a Data Center
- Switch a Site to Control Mode
- Allow IP Addresses in Firewall Configuration
-
- Configure a Controller Port
- Configure Internet Ports
- Configure WAN/LAN Ports
- Configure a Loopback Interface
- Prisma SD-WAN Standard VPN
- Configure a PoE Port
- Configure and Monitor LLDP Activity and Status
- Configure a PPPoE Interface
- Configure a Layer 3 LAN Interface
- Configure Application Reachability Probes
- Configure a Secondary IP Address
- Configure a Static ARP
- Configure a DHCP Relay
- Configure IP Directed Broadcast
- VPN Keep-Alives
-
- Configure Prisma SD-WAN IPFIX
- Configure IPFIX Profiles and Templates
- Configure and Attach a Collector Context to a Device Interface in IPFIX
- Configure and Attach a Filter Context to a Device Interface in IPFIX
- Configure Global and Local IPFIX Prefixes
- Flow Information Elements
- Options Information Elements
- Configure the DNS Service on the Prisma SD-WAN Interface
- Configure SNMP
-
-
- Prisma SD-WAN Branch Routing
- Prisma SD-WAN Data Center Routing
-
- Configure Multicast
- Create a WAN Multicast Configuration Profile
- Assign WAN Multicast Configuration Profiles to Branch Sites
- Configure a Multicast Source at a Branch Site
- Configure Global Multicast Parameters
- Configure a Multicast Static Rendezvous Point (RP)
- Learn Rendezvous Points (RPs) Dynamically
- View LAN Statistics for Multicast
- View WAN Statistics for Multicast
- View IGMP Membership
- View the Multicast Route Table
- View Multicast Flow Statistics
- View Routing Statistics
- Prisma SD-WAN Incident Policies
-
- Prisma SD-WAN Branch HA Key Concepts
- Configure Branch HA
- Configure HA Groups
- Add ION Devices to HA Groups
- View Device Configuration of HA Groups
- Edit HA Groups and Group Membership
-
- Configure Branch HA with Gen-1 Platforms (2000, 3000, 7000, and 9000)
- Configure Branch HA with Gen-2 Platforms (3200, 5200, and 9200)
- Configure Branch HA with Gen-2 Embedded Switch Platforms (1200-S or 3200-L2)
- Configure Branch HA for Devices with Software Cellular Bypass (1200-S-C-5G)
- Configure Branch HA for Platforms without Bypass Pairs
- Prisma SD-WAN Clarity Reports
-
- Native SASE Integration with Prisma SD-WAN
- Connect a Single Prisma SD-WAN Site to Prisma Access
- Connect Multiple Prisma SD-WAN Sites to Prisma Access
- Edit Application Policy Network Rules
- Understand Service and Data Center Groups
- Verify Standard VPN Endpoints
- Configure Standard Groups
- Assign Domains to Sites
- Prisma SD-WAN Incidents and Alerts
Prisma SD-WAN Branch Routing
Prisma SD-WAN
Branch RoutingLearn more about the
Prisma SD-WAN
branch routing.You can configure static and dynamic
routing in a branch for internet, private WAN underlays, and standard
VPN tunnels.
Configure static routing on a branch ION device to support topologies
with one or more LAN-side Layer 3 devices to forward traffic destined
for subnets that are more than one hop away. Use static routes to
configure next hops to subnets behind a Layer 3 switch on the LAN-side
or destinations reachable over a WAN network underlay or a standard
VPN. You can add static routes on an ION device that point to the
standard VPN interface or the standard VPN peer IP address.
Configure dynamic Border Gateway Protocol (BGP) routing on a
branch ION device for internet, private WAN underlays, and standard
VPNs. The ION device learns routes dynamically over the internet,
private WAN, and standard VPNs and advertises global branch prefixes
on these routes.
By default, ION devices use a bypass pair for private WAN underlay
traffic. If you use a Layer 3 interface, you must explicitly enable
L3
Direct Private WAN Forwarding
for the private WAN underlay.
The ION device uses the bypass pair only to bridge traffic.Starting with device software version 5.2.1, ION devices support
dynamic LAN routing in branch sites. To use LAN routing, you must
explicitly enable
L3 Direct Private WAN Forwarding
and L3
LAN forwarding
. You can enable L3 LAN Forwarding
only
when there are no Private Layer 2 bypass pairs associated with any
of the interfaces on the device. Starting with device software version
5.2.3, if there are Private Layer 2 interfaces on the device, the
device displays a message to first remove any Private Layer 2 interfaces
associated with the device and then enable L3 LAN Forwarding
.A branch ION device supports only classic peers. It can support
multiple BGP peers and also peer with multiple BGP peers on the same
interface. The device treats each underlay and Standard VPN as a
separate domain. The routes learned from one domain are not advertised
to another domain, thus preventing the branch ION device from dynamically
becoming a transit point.
At a branch site, configure the routing for a link or a routing
instance per link. The following topologies illustrate private WAN
and third-party routing in a branch.
- Private WAN Dynamic Border Gateway Protocol (BGP) RoutingIn this scenario, the branch ION device participates in dynamic BGP routing by peering with a private WAN peer edge router or an internet router, or standard VPNs. There maybe more than one link, and you can enable dynamic routing on each.
- Private WAN Static RoutingIn this scenario, the branch ION device has a default static route pointing to the peer edge router. On behalf of the ION device, the peer edge router will advertise routes for branch prefixes. There may be more than one private WAN link.
- Standard VPNs to Cloud Security Services or Data CentersIn this scenario, the branch ION has a standard VPN connection to a cloud security service. This VPN has a static default route, or optionally, can have a BGP adjacency configured with the standard endpoint.
You can deploy the ION at a branch site as follows:
- Layer 2-only Deployment Model—You do not need to configure routing when the ION is deployed in-line between the switch and a branch router. In this deployment, the internet links terminate on the branch ION device and the private wide area network (WAN) link terminates on the WAN router.The branch ION device dynamically steers traffic directly to the private WAN via the WAN router it is connected to, or to a public WAN or VPN on public WAN for each application based on path policies and network and application performance characteristics.
- Layer 2 / Layer 3 Deployment Model—Deploy the Prisma SD-WAN ION device in-line between the switch and a branch router, with the added facility of routing via a separate Layer 3 WAN interface on the ION device. In this deployment, you can configure an Layer 3 WAN interface (WAN 2) as the source for a private WAN VPN to anotherPrisma SD-WANbranch or data center site.For example, configure LAN 1 and WAN 1 as an Layer 3 bypass pair, but configure WAN 2 to BGP peer with the router. The ION device then advertises prefixes to the router and learns routes from the router.
- Router Replacement Model—In this model, the branch ION device terminates both private WAN and internet links. When terminating the private WAN links, the branch ION device participates in dynamic routing with the peer edge router. The device advertises prefixes present in the branch and learns the prefixes reachable through the MPLS core.
- LAN-Side BGP Routing—On the LAN side, the ION device can be the default gateway for all branch subnets or can participate in static or dynamic routing with an Layer 3 device. The branch ION device in conjunction with the Layer 3 switch participates in routing as follows:
- Learns the prefixes behind the Layer 3 device and forwards traffic to those prefixes.
- Advertises BGP learned prefixes from the WAN side (e.g. MPLS peer edge router) or a default route to the LAN Layer 3 device.
- Advertises prefixes learned from the Layer 3 device to other branches and data centers.