Branch HA with Internet, MPLS, and a Layer 2 LAN Switch-Topology 2

Let us learn more about Branch HA with Internet, MPLS, and a Layer 2 LAN Switch-Topology 2 in Prisma SD-WAN.
In this topology, the switches are Layer 2. There is more than one subnet, so the uplink from the switches to the routers is a dot1q trunk. In steady state, the MPLS router is the HSRP/VRRP master and the default gateway for each user subnet / sub-interface. The internet router is there for backup purposes only; it has VPNs configured to the data center and potentially to other remote locations, to maintain branch-site connectivity if the MPLS link fails.
In the Prisma SD-WAN HA topology, the MPLS and internet routers are removed and the internet and MPLS links terminate on their respective ION devices. The HSRP/VRRP IP addresses that were configured on each router sub-interface become the IP addresses of the corresponding LAN sub-interfaces on both ION devices. Both devices therefore carry the same LAN IP addresses, but only the active ION device responds to ARP requests for them. As a result, all traffic from the clients to their default gateway flows through the active device.
Traffic Flow in Steady-State and Failure Scenarios
In this topology, the assumption is that the switch on the left and the ION device on the left are the active path. As indicated in the image below, in steady state, traffic to and from the LAN flows through the switch on the left to the ION device on the left, which then, based on policy, sends traffic out the internet port (direct or VPN) or out the private WAN port (direct or VPN) through the ION device on the right.
In steady state, because the ION device on the left has the higher priority, it answers ARP requests for the LAN port IP and builds Prisma SD-WAN and/or Standard VPN tunnels out the internet port and, optionally, the private WAN port. Optionally, the ION device also establishes a BGP relationship with the MPLS PE out the private WAN port, through the bypass pair of the backup ION device on the right. The backup device effectively holds all of its interfaces (except the controller port) down at Layer 3 and bridges any traffic received on either port of the bypass pair. The backup ION device therefore does not build VPNs out its internet or private WAN ports, does not establish a BGP relationship with the MPLS PE, and does not answer ARP requests for the private WAN port or LAN port IP addresses.
A failure condition causes the ION device on the left to reduce its priority below that of the ION device on the right. Because preempt is enabled on this HA group, the ION device on the right becomes active, and traffic then flows as depicted below.
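The priority-and-preempt election described above, as an added illustration that is not Prisma SD-WAN code: device names, priority values and the size of the failure penalty are assumptions, and the model also shows what changes when preempt is disabled, which this HA group does not do.

```python
from dataclasses import dataclass

# Assumed value: how far a device lowers its priority on a failure condition.
# It must be large enough to push the active device below its peer.
FAILURE_PENALTY = 150


@dataclass
class Ion:
    name: str
    priority: int        # configured HA priority; higher wins the election
    healthy: bool = True

    def effective_priority(self) -> int:
        # A failed device reduces its priority so the peer can take over.
        return self.priority if self.healthy else self.priority - FAILURE_PENALTY


def elect_active(ions, current, preempt):
    """Pick the active ION of the HA group.

    With preempt enabled (as on the HA group in this topology) the device with
    the highest effective priority always wins, so a recovered primary takes the
    active role back. With preempt disabled, a healthy current active keeps the
    role even after a higher-priority peer recovers.
    """
    if not preempt and current is not None and current.healthy:
        return current
    return max(ions, key=lambda ion: ion.effective_priority())


def simulate(preempt):
    """Walk the page's scenario: steady state, left ION fails, left ION recovers.

    Returns the active ION after each step. Only that device answers ARP for the
    shared LAN IP and builds the VPN tunnels and BGP session; the other bridges
    through its bypass pair.
    """
    left = Ion("ION-left", priority=200)    # constructed priorities
    right = Ion("ION-right", priority=100)
    ions, active, history = [left, right], None, []
    for event in ("steady", "left_fail", "left_recover"):
        left.healthy = event != "left_fail"
        active = elect_active(ions, active, preempt)
        history.append(active.name)
    return history


if __name__ == "__main__":
    print("preempt on :", simulate(preempt=True))   # ['ION-left', 'ION-right', 'ION-left']
    print("preempt off:", simulate(preempt=False))  # ['ION-left', 'ION-right', 'ION-right']
```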