Branch HA for ION Devices without Bypass Pairs

Let's learn more about Branch HA for ION devices without bypass pairs in Prisma SD-WAN.
This topology follows the hybrid internet and MPLS topology in which the MPLS path is the active path, and the internet path is the backup path for all traffic. In this topology, the ION device does not have hardware bypass pairs. Instead, both the active and backup ION devices must have separate physical connections to the WAN circuits.
The example here shows an ION 1000, a compact WAN edge device designed for retail and small office environments. It has four standard Ethernet interfaces. Since the ION 1000 does not have hardware bypass pairs, both the active and backup ION 1000s must have separate physical connections to the WAN circuits. Ensure that both circuits are available to each device, because this topology does not rely on hardware bypass ports.

Traffic Flow in Steady-State and Failure Scenarios

Assume the switch and the ION device on the left form the active path. Then, as illustrated, steady-state traffic to and from the LAN flows through the switch on the left to the ION device.
Since the ION device on the left has the higher priority in steady state, it answers ARP requests for the LAN port IP and builds Prisma SD-WAN or Standard VPN tunnels from the internet/private WAN ports. Optionally, the private WAN port also establishes a BGP relationship with the MPLS peer edge router.
The backup ION device also builds VPNs from its internet or private WAN ports, but they remain unusable. BGP neighborship with the MPLS peer edge router remains down, and the backup ION does not answer ARP requests on the LAN port.
Failure Scenario: A failure scenario causes the ION device on the left to reduce its priority below the priority of the ION device on the right. Enable preemption on this HA group; after the ION device on the right becomes active, traffic flows as depicted below.
Sample failure scenarios include ION device loss of power or critical process failures. If interface tracking is enabled for the LAN port, and that port goes down because of a cable or switch failure, the priority is reduced to 0, causing a switchover. When a switchover occurs, the ION device on the right brings up all previously unusable tunnels. Its LAN interfaces send out Gratuitous ARPs and respond to future ARP requests for their IP addresses. The Private WAN interface is now used for BGP establishment with the provider edge routers.
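
The steady-state and failure behaviour described above, as a simplified model added here (it is not Palo Alto Networks code or device configuration). It assumes preemption is enabled, so the powered device with the highest priority is active; the class and function names are hypothetical, and the priorities 200 and 100 are constructed values.

```python
from dataclasses import dataclass

@dataclass
class Ion:
    name: str
    base_priority: int   # constructed value, not a product default
    powered: bool = True
    lan_up: bool = True  # LAN port with interface tracking enabled

    def priority(self) -> int:
        # A tracked LAN port going down reduces the priority to 0.
        return self.base_priority if self.lan_up else 0

def elect(devices):
    """Active device = powered device with the highest priority
    (assumption: preemption is enabled on the HA group)."""
    alive = [d for d in devices if d.powered]
    return max(alive, key=lambda d: d.priority()) if alive else None

def role_state(device, active):
    """Behaviour the page lists for the active and the backup role."""
    is_active = device is active
    if not device.powered:
        tunnels = "down"
    else:
        tunnels = "usable" if is_active else "built, unusable"
    return {"answers_arp": is_active, "tunnels": tunnels, "bgp_up": is_active}

def run(events, devices):
    """Apply (device_name, attribute, value) events and log every switchover."""
    by_name = {d.name: d for d in devices}
    active, log = elect(devices), []
    for name, attr, value in events:
        setattr(by_name[name], attr, value)
        new_active = elect(devices)
        if new_active is not active:
            log.append((f"{name}.{attr}={value}", new_active.name if new_active else None))
            active = new_active
    return active, log

if __name__ == "__main__":
    pair = [Ion("left", 200), Ion("right", 100)]
    # Constructed event sequence: LAN cable pulled, restored, then power loss.
    events = [("left", "lan_up", False), ("left", "lan_up", True), ("left", "powered", False)]
    active, log = run(events, pair)
    for cause, new_active in log:
        print(f"{cause}: switchover to {new_active} (GARP sent, tunnels usable, BGP established)")
    for d in pair:
        print(d.name, role_state(d, active))
```

Running the same event list against a lab pair and comparing the observed active device after each step is a quick way to confirm that interface tracking and preemption are configured as intended.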
