1. Recommended Design
In this section, we outline the recommended design for terminating Service Connection with Prisma SD-WAN, emphasizing traffic symmetry.
The above design includes the following components and connections as depicted in the reference network diagram:
- Prisma SD-WAN IONs: Two ION devices in each data center to handle SD-WAN functionality.
- Core Router: The central router within the data center for core network routing.
- The service connection from Prisma Access terminates on the SD-WAN IONs in the data center.
- The Service Connection is connected to both Prisma SD-WAN IONs using the Edge BGP peer configuration. This peer type allows the data-center ION to learn IP prefixes from Prisma Access and, if needed, to split those prefixes when advertising them back to the Core Router (for example, when the same prefixes are also being learned from remote branches).
- Each ION device is connected to the Core Router using Core Peer configuration. This configuration enables the automatic generation of route-maps by the Cloud Manager to control route advertisement and learning.
2. Configuration
2.1. Edge Peer
When setting up service connections on Prisma SD-WAN ION devices, you may need to ensure that all required routes are advertised back to Prisma Access over the service connection. By default, an outbound route-map on the edge peer restricts route advertisements.
To advertise routes to Prisma Access over the service connection, remove the outbound route-map from the edge peer configuration. This allows the edge peer to send all routes without filtering.
2.2. Service Connection
To maintain symmetry of return traffic from the data-center IONs to the service connection, you need to change the default Prisma Access routing behavior so that it permits asymmetric flows. By default, Prisma Access requires symmetric routing for traffic flows on service connections, and asymmetric flows can be dropped at the corporate-access nodes. Adjusting the Prisma Access settings to permit asymmetric flows ensures that return traffic between the data center IONs and the service connection is handled correctly.
3. Traffic Flow Scenarios
The following scenarios illustrate how traffic flows in the recommended network design.
3.1. Mobile User Accessing Private Application in Data Center
3.1.1. Inbound Traffic
- A mobile user attempts to access a private application hosted in the data center.
- The traffic is routed through Prisma Access and reaches the data center via the service connection.
- The service connection terminates at the SD-WAN ION.
- As described in the configuration section above, the outbound route-map has been removed from the edge peer so that the ION device advertises its routes to the Service Connection.
- The Service Connection, having learned the routes from the SD-WAN ION, forwards the traffic to the ION device, and the ION device forwards it to the Core Router.
- The Core Router sends the traffic to the destined application.
3.1.2. Return Traffic
- The return traffic from the application is sent back to the Core Router.
- The Core Router forwards the return traffic to the SD-WAN ION.
- The SD-WAN ION sends the traffic back to Prisma Access over the service connection.
- Finally, Prisma Access routes the return traffic back to the mobile user.
3.2. Remote Branch User Accessing Private Application in Data Center via Prisma Access
3.2.1. Inbound Traffic
- A remote branch user attempts to access a private application in the data center.
- Depending on the policy configuration at the remote branch, the traffic is routed through Prisma Access via the Prisma Access tunnel from the branch.
- The traffic reaches the data center's SD-WAN IONs via the service connection.
- The DC ION devices, having learned the routes from the Core Router, forward the traffic to the Core Router.
- The Core Router sends the traffic to the destined application.
3.2.2. Return Traffic
- The return traffic from the application is sent back to the Core Router.
- The Core Router forwards the return traffic to the SD-WAN ION.
- The ION device forwards the traffic back to Prisma Access over the service connection: the session was recorded when the inbound flow was received, and the return flow of an existing session follows the same path.
- Prisma Access routes the return traffic back to the remote branch over the Prisma Access tunnel.
3.3. Remote Branch User Accessing Private Application in Data Center over Secure Fabric Tunnels
3.3.1. Inbound Traffic
- A remote branch user attempts to access a private application in the data center directly (depending on policy configuration) over secure fabric tunnels.
- The traffic is received by the ION device in the data center.
- The ION device sends the traffic to the Core Router.
- The Core Router forwards the traffic to the destined application.
3.3.2. Return Traffic
- The return traffic from the application is sent back to the Core Router.
- The Core Router forwards the return traffic to the ION device.
- The ION device in the data center sends the traffic back to the remote site over the secure fabric tunnel: the session was recorded when the inbound flow was received, and the return flow of an existing session follows the same path.
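As an added illustration (not code from Prisma SD-WAN or from this document), the following Python models the session-recording behaviour described in 3.2.2 and 3.3.2: the data-center ION returns traffic on the path the session arrived on, even when a plain routing lookup would pick a different path. The class name, path labels, prefixes and addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, Tuple

# Constructed model of the flow-table behaviour in 3.2.2 / 3.3.2: the ION
# records the path a session arrived on and reuses it for return traffic
# instead of a fresh routing-table lookup. Names and addresses are illustrative.

FlowKey = Tuple[str, str, int, int, str]  # (src_ip, dst_ip, src_port, dst_port, proto)

SERVICE_CONNECTION = "service-connection"   # Prisma Access edge peer path
FABRIC_TUNNEL = "secure-fabric-tunnel"      # direct branch-to-DC path
CORE_ROUTER = "core-router"


class IonFlowTable:
    def __init__(self, routes: Dict[str, str]):
        # routes: prefix -> egress path the routing table would pick
        self.routes = {ipaddress.ip_network(p): path for p, path in routes.items()}
        self.sessions: Dict[FlowKey, str] = {}

    def route_lookup(self, dst_ip: str) -> str:
        # Plain longest-prefix match; "drop" when nothing matches.
        addr = ipaddress.ip_address(dst_ip)
        matches = [(n.prefixlen, path) for n, path in self.routes.items() if addr in n]
        return max(matches)[1] if matches else "drop"

    def inbound(self, key: FlowKey, ingress_path: str) -> str:
        # New session from a WAN path: remember its ingress, hand it to the core router.
        self.sessions.setdefault(key, ingress_path)
        return CORE_ROUTER

    def return_traffic(self, key: FlowKey) -> str:
        # Reverse the 5-tuple to find the recorded session; if found, the reply follows
        # the inbound path (symmetry). Otherwise fall back to routing, where asymmetry can arise.
        src, dst, sport, dport, proto = key
        recorded = self.sessions.get((dst, src, dport, sport, proto))
        return recorded if recorded is not None else self.route_lookup(dst)


def demo() -> Dict[str, str]:
    # Branch prefix is reachable both ways; the routing table prefers the fabric tunnel.
    ion = IonFlowTable({"10.20.0.0/16": FABRIC_TUNNEL, "0.0.0.0/0": SERVICE_CONNECTION})
    via_sc = ("10.20.1.5", "10.1.1.10", 40001, 443, "tcp")      # scenario 3.2
    via_fabric = ("10.20.1.6", "10.1.1.10", 40002, 443, "tcp")  # scenario 3.3
    ion.inbound(via_sc, SERVICE_CONNECTION)
    ion.inbound(via_fabric, FABRIC_TUNNEL)
    return {
        "reply_3_2": ion.return_traffic(("10.1.1.10", "10.20.1.5", 443, 40001, "tcp")),
        "reply_3_3": ion.return_traffic(("10.1.1.10", "10.20.1.6", 443, 40002, "tcp")),
        "no_session": ion.return_traffic(("10.1.1.10", "10.20.1.7", 443, 40003, "tcp")),
    }
```

The "no_session" case shows the failure mode: without a recorded session the reply is routed by prefix, so it may leave on a different path than the request arrived on.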