Branch HA with Internet, MPLS, and a Layer 3 LAN Switch-Topology 1

Let us learn more about Branch HA with Internet, MPLS, and a Layer 3 LAN Switch-Topology 1 in Prisma SD-WAN.
This topology is the traditional hybrid internet and MPLS topology, in which the MPLS path is the active path and the internet path is the backup path for all traffic, with the default route on the switch pointing to the internet router. In the Prisma SD-WAN HA topology, the ION devices replace the MPLS and internet routers, and the internet and MPLS links terminate on each ION device, respectively.

Traffic Flow in Steady-State and Failure Scenarios

In this topology, the assumption is that the switch on the left and the ION device on the left form the active path. As indicated by the image below, in steady state traffic to and from the LAN flows through the switch on the left to the ION device on the left, which, based on policy, then sends traffic out the internet port (direct or VPN) or out the private WAN port (direct or VPN) through the ION device on the right.
Steady State
In steady state, since the ION device on the left has the higher priority, it answers ARP requests for the LAN port IP and builds Prisma SD-WAN and/or Standard VPN tunnels out the internet port. Optionally, it also establishes a BGP relationship with the MPLS PE out the private WAN port, through the bypass pair of the backup ION device on the right. The backup device effectively has all interfaces (except the controller port) held down at Layer 3 and bridges any traffic received on either of the bypass pair ports.
The Backup ION device, as such, does not build VPNs out its internet or private WAN ports, or establish a BGP relationship with the MPLS PE, nor does it answer ARP requests for the private WAN port or LAN port IP addresses.
Failure Scenario
In a failure scenario that causes the ION device on the left to reduce its priority below that of the ION device on the right, traffic flows as depicted below once the ION device on the right becomes active, since preemption is enabled on this HA group.
Sample failure scenarios include the ION device losing power or experiencing a critical process failure. Or, since interface tracking is enabled for the LAN port, if that port goes down because of a cable or switch failure, the priority is reduced to 0, causing a switchover.
When the switchover occurs, the ION device on the right brings up all previously held-down Layer 3 interfaces. The internet port is brought up and its IP address becomes active because the bypass pair on the failed ION device becomes a bridge. The private WAN and LAN port IP addresses also become active automatically. Each of these interfaces sends out Gratuitous ARPs and responds to future ARP requests for its IP address. Once the internet interface comes up, the ION device builds any VPN tunnels that are configured. The same goes for the private WAN port: once the port is up at Layer 3, it can be used for BGP establishment with the PE and to build VPN tunnels.