Controller port redundancy is enabled for both branch and data center ION devices where applicable.

In this scenario, the virtual interface is used to provide physical redundancy from a single Prisma SD-WAN ION device with dual controller ports to two Layer 2 switches in the event of a port failure between the ION devices and one of the switches.

The ION device has each controller port physically connected to two different switches. A new virtual interface is configured with the two member interfaces, controller ports 1 and 2. IP address information is configured on the virtual interface controller port. In the event of a loss of a switch or controller port, controller connectivity remains uninterrupted.

Branch site deployments shown below include scenarios where a virtual interface is configured for port redundancy when an ION device is connected to a LAN switch or when a firewall is present.

In this scenario, the virtual interface is used to provide physical redundancy from a single ION device to two Layer 2 switches in the event of an uplink failure between the ION device and one of the switches.

The ION device is physically connected to two Layer 2 switches with VLAN 100 defined on each switch. A new virtual interface is configured with two member interfaces, ports 1 and 2. A sub-interface for VLAN 100 is created on the new virtual interface and the appropriate IP information is configured.

Once configured, the application traffic from clients connected to VLAN 100 is sent to the IP address (and corresponding MAC address) bound to the VLAN 100 sub-interface of the virtual interface. In the event of a physical interface failure, the other interface assumes the forwarding role for the failed interface.

In this scenario, a virtual interface is used to provide internet uplink port redundancy between a single branch ION device and an active / backup firewall pair. The firewall pair is responsible for inspecting untrusted internet traffic that is sent direct on the internet by the ION device.

The ION device is physically connected directly to each firewall. A new virtual interface is configured with two member interfaces, ports 1 and 2. Since a VLAN tag is not required for this configuration, the IP address information is configured directly on the virtual interface along with 'Used For Internet.' Corresponding port tracking should be configured on the firewall pair to ensure that a unit goes inactive or standby in the event of a failure of the port connected to the ION device.

Data Center deployments include scenarios where an ION device is deployed with two core peers in the same subnet with a firewall for internet circuits.

In this scenario, a virtual interface is used to provide redundant physical connections to a pair of Layer 3 core switches. The ION device is peering via BGP with both switches in the same IP network.

The Data Center ION device is physically connected to each of the Layer 3 Core switches with VLAN 10 defined on each switch. A new virtual interface is configured with two member interfaces, ports 1 and 2. A sub-interface for VLAN 10 is created on the new virtual interface and the appropriate IP information is configured. Corresponding BGP Peers are configured on both the ION device and the core switches.

The configured traffic forwards in an active-active fashion based upon the route table of the devices. In the event of an interface or core switch failure, continuous data center connectivity is enabled.

In this scenario, a virtual interface is used to provide redundant physical connections to a pair of Layer 2 switches that are connected to an internet facing firewall pair. The ION device uses the firewall for the default gateway for the redundant internet facing ports.

The Data Center ION device is physically connected to each of the Layer 2 switches through an untagged switch interface. A new virtual interface is configured with two member interfaces, ports 1 and 2. Since a VLAN tag is not required for this configuration, the IP address information is configured directly on the virtual interface along with 'Connect to Internet' configuration. Configure the corresponding port tracking on the firewall pair to ensure that a unit goes inactive or standby in the event of a failure of the port connected to the ION device.