ION 1000 HA Topology

Learn more about the ION 1000 HA topology in Prisma SD-WAN.
The ION 1000 is a compact WAN edge device designed for retail and small office environments. It has four standard Ethernet interfaces. Since the ION 1000 does not have hardware bypass pairs, the active and backup ION 1000s must have separate physical connections to the WAN circuits. Ensure that both circuits are available to each device as the topology will have no reliance on hardware bypass ports.

ION 1000 Branch HA Physical Topology

The image below displays physical wiring of the ION 1000 devices with an example IP address scheme:
The active ION device terminates the Internet circuit on Port 2. The backup ION device terminates an MPLS Private WAN circuit on Port 2. There are no controller ports on ION 1000; you must use a dedicated port. For example, Port 3 is used as the HA control interface. Both the IONs are attached to the LAN on Port 4. To enable the LAN interface for LAN traffic forwarding, make sure to enable L3 LAN forwarding on each ION device.
Never connect the HA devices back to back, as a link failure will cause the priority of both the devices to be reduced to zero, and both will be in a backup state, thus impacting HA at that site.
Active ION Device Port Configuration
Backup ION Port Configuration
Once all interfaces are configured and cabled as described, the devices can be added to an HA group that is configured at the site to which both of these devices are assigned. See Configuring HA Groups for steps on configuring HA groups and assigning devices. Proceed to the next section to understand traffic flow in both steady-state and failure scenarios.
Consider the switch on the left and the ION device on the left to be the active path. As indicated by the image below, in a steady state traffic to and from the LAN flows through the switch to the ION device on the left. Because the ION device on the left has the higher priority, it answers ARP requests for the LAN port IP and builds Prisma SD-WAN and standard VPN tunnels from the internet/private WAN ports. Optionally, the private WAN port also establishes a BGP relationship with the MPLS PE.

The backup ION device also builds VPNs from its internet or private WAN ports, but they remain unusable. Its BGP neighborship with the MPLS PE remains down, and the backup ION does not answer ARP requests on the LAN port.

Failure Scenario

A failure scenario causes the ION device on the left to reduce its priority to less than the priority of the ION device on the right. Since preemption is enabled on this HA group, traffic will flow as depicted below after the ION device on the right becomes active.
Sample failure scenarios include ION device loss of power or critical process failures. If interface tracking is enabled for the LAN port, and that port goes down because of a cable or switch failure, the priority will be reduced to zero, causing a switchover. When a switchover occurs, the ION device on the right will bring up all previously unusable tunnels. The LAN interfaces will send out Gratuitous ARPs and respond to future ARP requests for their IP addresses. BGP establishment with the provider edge routers can now use the Private WAN interfaces.
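
The priority behaviour described above, and the reason for the warning against back-to-back cabling, can be sketched as a small model. This is an added example, not Prisma SD-WAN code: the priority values (250 and 210), the port labels, and the treatment of the back-to-back link as a tracked interface on both devices are assumptions made for illustration.

```python
# Simplified model of the HA election described in this topic.
# Not vendor code; priorities and port labels are constructed values.
from dataclasses import dataclass, field


@dataclass
class Ion:
    name: str
    base_priority: int
    tracked: dict = field(default_factory=dict)  # tracked port -> link up?
    healthy: bool = True  # False models power loss or a critical process failure

    def priority(self) -> int:
        # A failed device, or any tracked interface down, drops priority to zero.
        if not self.healthy or not all(self.tracked.values()):
            return 0
        return self.base_priority


def elect(devices):
    """Return the name of the active device, or None if every device is at zero.

    Assumes preemption is enabled, so the highest priority always wins.
    """
    best = max(devices, key=lambda d: d.priority())
    return best.name if best.priority() > 0 else None


def scenarios():
    results = {}
    left = Ion("left", 250, {"port4-lan": True})
    right = Ion("right", 210, {"port4-lan": True})
    results["steady_state"] = elect([left, right])

    # LAN cable or switch failure on the active device, with tracking enabled.
    left.tracked["port4-lan"] = False
    results["left_lan_down"] = elect([left, right])

    # Back-to-back cabling (assumed model): one shared link is tracked by both
    # devices, so a single link failure zeroes both priorities at once.
    b2b_left = Ion("left", 250, {"peer-link": False})
    b2b_right = Ion("right", 210, {"peer-link": False})
    results["back_to_back_link_down"] = elect([b2b_left, b2b_right])
    return results


if __name__ == "__main__":
    for scenario, active in scenarios().items():
        print(f"{scenario}: active={active}")
```

A result of None for the back-to-back case corresponds to both devices sitting in the backup state, which is the outage the cabling warning is meant to prevent.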
