Branch HA with Dual Internet and a Layer 2 LAN Switch-Topology 4

Let's learn more about Branch HA with Dual Internet and a Layer 2 LAN Switch-Topology 4 in Prisma SD-WAN.
This topology uses two internet links terminating on the ION devices and Layer 2 switches on the LAN. Topology 4 is the same as Topology 2, except that this is a dual internet site. In all likelihood there is more than one subnet, so the uplink from the switches to the routers is a dot1q trunk. Most likely, the LAN side runs HSRP/VRRP between the routers per sub-interface, and the clients in each subnet point their default gateway to the HSRP/VRRP address. Both WAN routers have VPNs built to other corporate locations and, optionally, allow internet-bound traffic to go out directly.
In the Prisma SD-WAN HA topology, the internet routers are removed, and each internet circuit terminates on its own ION device. The HSRP/VRRP IP address from each router sub-interface is configured as the IP address of the corresponding LAN sub-interface on both ION devices. Thus, both devices have the same LAN IP addresses configured, but only the active ION responds to ARP requests for them. As such, all traffic from the clients to their default gateway flows through the active device.

Traffic Flow in Steady-State and Failure Scenarios

Assume the switch and the ION device on the left are the active path. The image below shows a sample configuration for traffic flow in steady state and in failure scenarios. As illustrated, in steady state traffic to and from the LAN flows through the switch on the left to the ION device on the left, which then, based on policy, sends traffic out the Internet 1 port (direct or VPN) or out the Internet 2 port (direct or VPN) through the ION on the right.
In steady state, since the ION on the left has the higher priority, it answers ARP requests for the LAN 1 port IP and builds Prisma SD-WAN or standard VPN tunnels out of both Internet ports: Internet 1 directly, and Internet 2 through the bypass pair of the backup ION on the right. The backup ION effectively has all interfaces (except the controller port) held down at Layer 3 and bridges any traffic received on either of the bypass pair ports. As such, the backup ION device does not build VPNs out of its Internet WAN ports, nor does it answer ARP requests for the Internet ports or the LAN 1 port IP addresses.
In a failure scenario that causes the ION device on the left to reduce its priority below the priority of the ION device on the right, traffic will flow as depicted below after the ION device on the right becomes active, since preempt is enabled on this HA group.
Sample failure scenarios include the ION device’s loss of power or a critical process failure. For example, since interface tracking is enabled for the LAN 1 port, if that port goes down because of a cable or switch failure, the priority will be reduced to 0, causing a switchover.
When the switchover occurs, the ION device on the right brings up all previously held-down Layer 3 interfaces. The Internet 1 port comes up and its IP address becomes active because the bypass pair on the failed ION device becomes a bridge. The Internet 2 and LAN ports' IP addresses also become active automatically. These interfaces send out gratuitous ARPs and respond to future ARP requests for their IP addresses. Once the internet interfaces come up, the ION device builds any VPN tunnels that are configured.
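The election behaviour described in the steady-state and failure paragraphs above (higher priority wins, a tracked LAN 1 port failure drops priority to 0, preempt returns the role to the recovered device, only the active ION answers ARP for the shared LAN address, and the new active sends gratuitous ARPs on switchover) can be checked against a small model. The following is an added example written for this page, not Prisma SD-WAN code or any real ION behaviour; the priority values 110/100, the interface names, the shared address 10.10.1.1, the name-based tie-break and the treatment of a dead unit are all assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample values, not from the page: the former HSRP/VRRP address that
# now sits on the LAN 1 port of both ION devices, and the Layer 3 ports each holds.
SHARED_LAN_VIP = "10.10.1.1"
L3_INTERFACES = ("Internet1", "Internet2", "LAN1")


@dataclass
class Ion:
    name: str
    configured_priority: int
    link_up: Dict[str, bool]              # interface name -> link state
    tracked: Tuple[str, ...] = ("LAN1",)  # interface tracking enabled on LAN 1
    alive: bool = True                    # False models power loss / critical process failure

    def effective_priority(self) -> Optional[int]:
        if not self.alive:
            return None  # assumption: a dead unit simply drops out of the election
        if any(not self.link_up.get(i, False) for i in self.tracked):
            return 0     # a tracked port going down reduces priority to 0
        return self.configured_priority


@dataclass
class HaGroup:
    members: List[Ion]
    preempt: bool = True
    active: Optional[str] = None
    garps: List[Tuple[str, str]] = field(default_factory=list)  # (device, interface)

    def elect(self) -> Optional[str]:
        """Re-run the election; returns the name of the active ION (None if all are dead)."""
        candidates = [(m.effective_priority(), m.name) for m in self.members if m.alive]
        if not candidates:
            self.active = None
            return None
        current = next((m for m in self.members if m.name == self.active and m.alive), None)
        # Without preempt, a running active unit keeps the role until its priority hits 0.
        if current is not None and not self.preempt and current.effective_priority() > 0:
            return self.active
        # Highest effective priority wins; tie-break on name is an assumption of this model.
        _, winner = sorted(candidates, key=lambda c: (-c[0], c[1]))[0]
        if winner != self.active:
            # Switchover: the new active brings up its held-down Layer 3 interfaces and
            # sends a gratuitous ARP for each so the switches relearn the MAC behind the IPs.
            self.garps.extend((winner, intf) for intf in L3_INTERFACES)
            self.active = winner
        return self.active

    def answers_arp(self, device: str, ip: str) -> bool:
        """Both devices carry SHARED_LAN_VIP, but only the active one answers ARP for it."""
        return ip == SHARED_LAN_VIP and device == self.active


def build_topology4(preempt: bool = True):
    """Two ION devices, left preferred (assumed priorities 110 vs 100), all links up."""
    left = Ion("ION-left", 110, {i: True for i in L3_INTERFACES})
    right = Ion("ION-right", 100, {i: True for i in L3_INTERFACES})
    group = HaGroup([left, right], preempt=preempt)
    group.elect()
    return group, left, right


def scenario_lan1_cable_failure(preempt: bool = True):
    """Active ION before the LAN 1 failure, during it, and after the cable is repaired."""
    group, left, _ = build_topology4(preempt)
    before = group.active
    left.link_up["LAN1"] = False   # cable or switch failure on the tracked port
    during = group.elect()
    left.link_up["LAN1"] = True    # repair; preempt decides whether the role moves back
    after = group.elect()
    return before, during, after


def scenario_power_loss():
    """Active ION before and after the left unit loses power."""
    group, left, _ = build_topology4()
    before = group.active
    left.alive = False
    return before, group.elect()


if __name__ == "__main__":
    print("LAN1 failure, preempt on :", scenario_lan1_cable_failure(True))
    print("LAN1 failure, preempt off:", scenario_lan1_cable_failure(False))
    print("Power loss               :", scenario_power_loss())
```

Running the module shows the role moving to ION-right when LAN 1 on the left fails and, with preempt enabled as on this HA group, returning to ION-left once the port recovers; with preempt disabled the model keeps ION-right active after the repair, which is the behaviour to expect if a site deliberately avoids a second switchover.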
