Branch HA with Dual Internet and a Layer 3 LAN Switch-Topology 3

Learn more about Branch HA with Dual Internet and a Layer 3 LAN Switch-Topology 3 in Prisma SD-WAN.
In this topology, both WAN routers have VPNs built to other corporate locations, allowing internet-bound traffic to go out directly. On the LAN side, a routing protocol most likely runs between the Layer 3 switches and the routers, configured either for equal-cost load balancing or for primary/secondary operation. Finally, the internet routers are removed, and one internet circuit terminates on each ION device.
The Layer 3 switches only need a default route pointing to the LAN IP address of the ION devices. Both devices have the same LAN IP address configured, but only the active ION device responds to ARP requests for it, so all traffic from the LAN to the WAN flows through the active device. On the ION devices, global static routes for the LAN subnets point to the Layer 3 switches. If the interfaces connected to the ION devices are in the same VLAN and an SVI is configured, the next hop can be an HSRP/VRRP address; if they are routed ports, each ION device has a different next hop configured for the LAN subnet static routes.

Traffic Flow in Steady-State and Failure Scenarios

Assume the switch and the ION device on the left form the active path. Then, as illustrated, in steady state traffic to and from the LAN flows through the switch on the left to the ION device on the left, which, based on policy, sends it out the internet port (direct or VPN) or out the private WAN port (direct or VPN) through the ION device on the right.
In steady state, the ION device on the left has the higher priority: it answers ARP requests for the LAN 1 port IP and builds Prisma SD-WAN and Standard VPN tunnels out of both internet ports, Internet 1 directly and Internet 2 through the bypass pair of the backup ION device on the right. The backup device effectively holds all of its interfaces (except the controller port) down at Layer 3 and bridges any traffic received on either port of the bypass pair. As such, the backup ION device does not build VPNs from its internet WAN ports, nor does it answer ARP requests for the internet port or LAN 1 port IP addresses.
In a failure scenario, the ION device on the left reduces its priority below that of the ION device on the right; because preempt is enabled on this HA group, traffic flows as depicted below once the ION device on the right becomes active.
Example failure scenarios include loss of power on the ION device or a critical process failure. Interface tracking is enabled for the LAN 1 port, for example; if that port goes down because of a cable or switch failure, the priority is reduced to 0, causing a switchover.
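The election behaviour described above (the higher-priority device is active, a tracked port going down drops the priority to 0, preempt lets a recovered device take the role back, and only the active device answers ARP for the shared LAN 1 IP and builds VPN tunnels) can be checked with a small model. The following Python is an added illustration, not Prisma SD-WAN code or configuration: the priority values 250 and 100, the port names, and the rule that a device with priority 0 or no power is never elected are constructed assumptions, and the non-preempt behaviour is modelled only to contrast it with the preempt case the page describes.

```python
"""Toy model of a two-node ION HA group election: priority, interface
tracking, preempt, and the resulting ARP/VPN/bridging roles.
Constructed example; not Prisma SD-WAN code.  Numeric priorities and the
election rules not stated on the page are assumptions."""
from dataclasses import dataclass, field


@dataclass
class IonDevice:
    name: str
    configured_priority: int           # assumption: higher value wins
    tracked_ports: frozenset           # ports with interface tracking enabled
    down_ports: set = field(default_factory=set)
    powered: bool = True

    def effective_priority(self):
        """Priority the device advertises to its HA peer.

        A device without power (or with a critical process failure) advertises
        nothing; a device whose tracked port is down advertises 0, as the page
        describes for LAN 1 tracking.
        """
        if not self.powered:
            return None
        if self.tracked_ports & self.down_ports:
            return 0
        return self.configured_priority


class HaGroup:
    def __init__(self, left, right, preempt=True):
        self.left, self.right = left, right
        self.preempt = preempt
        self.active = None
        self.evaluate()

    def eligible(self):
        # Assumption: a device advertising no priority or priority 0 never
        # holds the active role.
        return [d for d in (self.left, self.right)
                if d.effective_priority() not in (None, 0)]

    def evaluate(self):
        """Recompute the active device; returns its name, or None if neither is eligible."""
        cands = self.eligible()
        if not cands:
            self.active = None
        elif self.preempt or self.active not in cands:
            # Highest effective priority wins.  With preempt enabled a
            # recovered higher-priority device takes the role back.
            self.active = max(cands, key=lambda d: d.effective_priority())
        # Without preempt a still-eligible active device keeps the role.
        return self.active.name if self.active else None

    def roles(self):
        """Which node answers ARP for the shared LAN 1 IP, builds VPNs, and bridges."""
        act = self.evaluate()
        backups = [d.name for d in (self.left, self.right)
                   if d.powered and d.name != act]
        return {
            "active": act,
            "answers_arp_for_lan1_ip": act,
            # Internet 1 directly, Internet 2 through the peer's bypass pair.
            "builds_vpns_on_internet_ports": act,
            "bridges_bypass_pair": backups,
        }


def run_scenarios(preempt=True):
    """Walk the page's scenarios; returns {scenario: active device name}."""
    left = IonDevice("left", 250, frozenset({"LAN1"}))    # constructed priorities
    right = IonDevice("right", 100, frozenset({"LAN1"}))
    ha = HaGroup(left, right, preempt=preempt)
    log = {"steady_state": ha.evaluate()}
    left.down_ports.add("LAN1")        # cable or switch failure on LAN 1
    log["left_lan1_down"] = ha.evaluate()
    left.down_ports.clear()            # link restored
    log["left_lan1_restored"] = ha.evaluate()
    right.powered = False              # backup loses power
    log["right_power_loss"] = ha.evaluate()
    left.powered = False
    log["both_down"] = ha.evaluate()
    return log


if __name__ == "__main__":
    for scenario, active in run_scenarios().items():
        print(f"{scenario:>20}: active = {active}")
    l = IonDevice("left", 250, frozenset({"LAN1"}))
    r = IonDevice("right", 100, frozenset({"LAN1"}))
    print(HaGroup(l, r).roles())
```

Running the scenarios with preempt enabled shows the left device returning to active as soon as its LAN 1 link recovers; with preempt disabled the right device keeps the role after the link is restored, which is the behaviour to expect if the HA group were configured differently from this topology.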
