Learn more about the ION 1000 HA topology in Prisma SD-WAN.
The ION 1000 is a compact WAN edge device
designed for retail and small office environments. It has four standard Ethernet
interfaces. Since the ION 1000 does not have hardware bypass pairs,
the active and backup ION 1000s must have separate physical connections
to the WAN circuits. Ensure that both circuits are available to
each device, as the topology will have no reliance on hardware bypass.
ION 1000 Branch HA Physical Topology
The image below displays the physical wiring of the ION 1000 devices with
an example IP address scheme:
The active ION device terminates the Internet circuit on Port 2. The backup
ION device terminates an MPLS Private WAN circuit on Port 2. There
are no controller ports on the ION 1000; you must use a dedicated port.
For example, Port 3 is used as the HA control interface. Both
IONs are attached to the LAN on Port 4. To enable the LAN interface
for LAN traffic forwarding, make sure to enable L3 LAN forwarding
on each ION device.
Never connect the HA devices back
to back, as a link failure will cause the priority of both devices
to be reduced to zero, and both will be in a backup state, thus
impacting HA at that site.
Once the interfaces are configured and cabled as described, the devices can
be added to an HA group that is configured at the site to which
both of these devices are assigned. See Configuring HA Groups for
steps on configuring HA groups and assigning devices. Proceed to
the next section to understand traffic flow in both steady-state
and failure scenarios.
Consider the switch on the left and the ION device on the left as the active path. As indicated by the image below, in a steady state traffic to and from the LAN will flow through the switch to the ION device on the left. Since the ION device on the left has the higher priority, it will answer ARP requests for the LAN port IP and build Prisma SD-WAN and standard VPN tunnels from the internet/private WAN ports. Optionally, the private WAN port will also have a BGP relationship established with the MPLS PE.
The backup ION device will build VPNs from its internet or private WAN ports, but they will remain unusable. BGP neighborship with the MPLS PE will remain down, and the backup ION will not answer ARP requests on the LAN port.
Failure Scenario
A failure scenario causes the ION device on the left to reduce its priority to less than the priority of the ION device on the right. Since preemption is enabled on this HA group, traffic will flow as depicted below after the ION device on the right becomes active.
Failure scenarios include ION device loss of power or critical process failures. If interface tracking is enabled for the LAN port, and if that port goes down because of a cable or switch failure, the priority will be reduced to zero, causing switchover. When a switchover occurs, the ION device on the right will bring up all previously unusable tunnels. The LAN interfaces will send out Gratuitous ARPs and respond to future ARP requests for their IP addresses. BGP establishment with the provider edge routers can now use the Private WAN interfaces.
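The switchover behaviour above and the warning against back-to-back cabling can be checked with a small Python model. This is an added example, not Prisma SD-WAN code: the priority values, the cable names, and the single tracked interface per device are assumptions made for illustration.

```python
# Toy model of the HA election described on this page; not Prisma SD-WAN code.
from dataclasses import dataclass

@dataclass
class Ion:
    name: str
    base_priority: int    # constructed values; the page gives no numbers
    tracked_cable: str    # hypothetical label for the cable on the tracked port
    healthy: bool = True  # False models loss of power or a critical process failure

def effective_priority(ion, failed_cables):
    """Priority is reduced to zero when the device or its tracked port is down."""
    if not ion.healthy or ion.tracked_cable in failed_cables:
        return 0
    return ion.base_priority

def elect(ions, failed_cables=frozenset()):
    """Return {name: role}. Preemption is enabled, so the highest priority wins;
    a device at priority zero stays in the backup state."""
    prios = {i.name: effective_priority(i, failed_cables) for i in ions}
    best = max(prios, key=prios.get)
    return {n: "active" if n == best and p > 0 else "backup"
            for n, p in prios.items()}

def switched_site():
    # Recommended wiring: each ION has its own cable to the switch.
    return [Ion("left", 200, "left-to-switch"),
            Ion("right", 100, "right-to-switch")]

def back_to_back_site():
    # Discouraged wiring: both tracked ports sit on the same cable.
    return [Ion("left", 200, "left-to-right"),
            Ion("right", 100, "left-to-right")]

if __name__ == "__main__":
    print("steady state      ", elect(switched_site()))
    print("left cable fails  ", elect(switched_site(), {"left-to-switch"}))
    print("back-to-back fails", elect(back_to_back_site(), {"left-to-right"}))
```

With separate cables a single link failure moves the active role to the right device; with the shared cable the same failure drops both priorities to zero and the site has no active device.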