PANCast™ Episode 48: Prisma SD-WAN Branch Gateway


Episode Transcript:

 

John: 

Hello PANCasters. Today we have a special guest who is going to talk to us about the new Branch Gateway mode in Prisma SD-WAN. We have with us Sunil Cherukuri from the Prisma SD-WAN team. Welcome Sunil. To start with, can you tell us a bit about yourself?
 
Sunil:
I am Sunil Cherukuri, a Technical Marketing Engineer from the SASE team, based in the US. I have been in this role for about 4 years now, and focus on Prisma SD-WAN and MSPs. I came into Palo Alto via the CloudGenix SD-WAN acquisition. Prior to CloudGenix, I worked at Cisco for 15 years, across Service Provider, Security, DC/Cloud solutions.
 

John: 

Thank you, Sunil. So, tell us about the different approaches in deploying Prisma SD-WAN.
 
Sunil:
Until recently, a Prisma SD-WAN site could be deployed in two ways: as a Branch site or a DC site. The Branch mode of operation provides the full SD-WAN functionality and is typically deployed for branch office locations. The DC mode provides higher VPN scale and throughput, but does not provide some functionality like Link Quality Metrics (LQM), Path/QoS/NAT/Security policies, Analytics, etc. The DC mode is deployed as a Hub, typically at Data Centers hosting Applications.

With the 6.4.1 release, we have introduced a new mode of operation called Branch Gateway which provides architectural flexibility for customers in deploying Prisma SD-WAN. 
 

John: 

Can you elaborate on this new Branch Gateway mode?
 

What is the Branch Gateway Mode?

 
Sunil:
Branch Gateway mode is like a hybrid of Branch and DC modes. You deploy the Branch Gateway just like a Branch site, with Active/Standby IONs, and can make use of the Fail-to-Wire capabilities on the IONs. You get all the SD-WAN functionality like a Branch site, and in addition can also do WAN-WAN forwarding, meaning the Branch Gateway can act as transit for other Branch locations. In this sense, the Branch Gateway is like the DC mode and acts like a Hub for transit to other branches. This fits the use case of hybrid DC locations with both Users and Applications. The Branch Gateway mode is supported on ION 3200, 5200, 9000, 9200 and the virtual ION models, with release 6.4.1 and above.
 

John: 

Thanks Sunil, can you shed some light on why we implemented this Branch gateway mode?
 
Sunil:
Some customers have Hybrid DC/Office locations hosting Users and Applications, or require SD-WAN VPN functionality for interconnecting Data Center locations. The DC mode does not fit these scenarios. We introduced the Branch Gateway mode to address such use cases, where customers require to host Users and Apps at DC locations or require DC Interconnect capabilities.

The Branch Gateway is similar to the DC mode, as in it acts like a VPN Hub and transit for other branch sites. It is similar to the Branch mode, as it provides Network and Application visibility, Link Quality Metrics, and Path/Security/NAT/QoS/Perf policies for forwarding traffic. Thus it is the best of both modes and can support Users and Applications in the site, with transit capabilities for other branches, and DC Interconnect; all with full SD-WAN capabilities.
 

John: 

Looks like a great addition to Prisma SD-WAN capabilities. You mentioned similarities between DC and Branch Gateway modes. What are the differences?
 

What are the Differences with Other Modes?

 
Sunil:
Unlike DC mode, the Branch Gateway can also act as Internet transit for other Branches. While the DC mode automatically builds SD-WAN fabric VPNs to all other branches, the Branch Gateway automatically builds SD-WAN fabric VPNs to all Branches in the same Domain as itself. SD-WAN fabric VPNs between Branches in one Domain and a Branch Gateway in another Domain can be triggered by an admin from the UI or via API. Similarly, SD-WAN fabric VPNs between Branch Gateway sites can be triggered from the UI/API. This addresses the use case of SD-WAN Data Center Interconnect. Branch Gateway mode can also help in other scenarios, like Regional DCs, where Branches need to build tunnels only to their local DCs and not to all DCs, or Hierarchical scenarios, where Branches need to send all traffic to a local DC in order to reach other DCs or Branches.

With Branch Gateway (and Branch) mode, you can only have 2 IONs in a Site, in Active/Standby fashion. Whereas with DC mode, you deploy Active/Active IONs in one Cluster, and can deploy multiple clusters in a Site for scale-out. We are looking into future enhancements to support scale-out models for Branch Gateway deployments.
 

John: 

Great. Are there any differences in performance between DC and Branch Gateway modes?
 
Sunil:
Glad you asked this question. A key difference between DC mode and Branch Gateway mode is in the VPN performance. Since the Branch Gateway mode provides full SD-WAN functionality like the Branch mode, the VPN performance will be lower than DC mode. For example, an ION 9200 can do 15 Gbps encrypted throughput in DC mode of operation, and about 8 Gbps encrypted throughput in Branch mode of operation. The encrypted throughput of the ION 9200 in Branch Gateway mode of operation will be in between Branch and DC modes, depending on the traffic patterns.
 

John: 

Any other enhancements that go along with the Branch Gateway?
 
Sunil:
In Strata Cloud Manager, in all places where you can select Branch or DC, you have the new option of Branch Gateway. In the Overlay Connections screen, you can see new sections for visualizing Branch-BranchGateway and BranchGateway-BranchGateway tunnels. Just like Branch sites, the Branch Gateway sites can be onboarded to Prisma Access through the native integration provided by a single-vendor SASE solution. Since the Branch Gateway can do WAN-WAN forwarding, the Flow Browser in Strata Cloud Manager has been enhanced to show the ingress and egress paths for a WAN-WAN flow. This makes troubleshooting and analytics easier.
 

John: 

Thanks Sunil. How do you go about creating a Branch Gateway site?
 
Sunil:
When creating a new site, you can create it as a Branch Gateway. Or you can also convert an existing Branch site to Branch Gateway mode, simply by enabling a checkbox in the UI. The conversion does not require any physical connectivity changes since the Branch and Branch Gateway HA topology and configurations are the same. You would see a brief interruption in service since all the VPNs need to be re-established. You can also convert an existing DC site to Branch Gateway, but this is not hit-less. You would need to change the physical connectivity and IP addressing, so this requires more time and should be done in a longer maintenance window.
 

John: 

All of this sounds great. Are there any caveats with this new Branch Gateway functionality?
 
Sunil:
Standard VPN tunnels from a Branch Gateway can currently only be established on the WAN interfaces. Future enhancements will allow these tunnels to be established from the LAN interfaces. Routing-wise, Branch Gateway is similar to Branch mode: you can do Static, BGP or OSPF on the LAN and WAN. Multicast is currently not supported in Branch Gateway mode. While Performance Policy is supported for Branch Gateway, using FEC and Packet Duplication in the Performance Policies for Branch Gateway will be available in a future release. When deploying Branch Gateway, keep in mind that you cannot have the same LAN prefix configured (or learnt via BGP) on 2 Branch Gateway sites.
 

John: 

Thanks Sunil. Let’s shift to virtualization and cloud. Can you deploy Branch Gateway in these environments?
 
Sunil:
Absolutely. You can deploy Virtual IONs in your on-prem hypervisor or in Cloud Service Providers like AWS, Azure, GCP, OCI, etc. We support active/standby HA for physical and virtual IONs. Our HA model leverages the VRRP protocol for HA heartbeat communication, which utilizes multicast traffic. However, the major Cloud Providers do not support multicast traffic, so our Branch HA model will not work there. Active/Standby HA is possible with physical ION devices deployed in Branch Gateway mode, but not with virtual IONs in CSPs. However, to achieve redundancy there are a variety of options customers could employ, depending on which CSP and the surrounding CSP configurations. Please consult with your account team for design assistance. If native ION HA in CSPs is required, DC mode would be recommended. We are looking at future enhancements to support active/standby Branch Gateway in Cloud providers.
 

John: 

Thanks again Sunil. What are the key takeaways from this Branch Gateway discussion?
 

Episode Key Takeaways

 
Sunil:
  • The Branch Gateway functionality provides architectural flexibility for customers in deploying Prisma SD-WAN sites. Branch Gateway mode provides a mix of the functionality of Branch and DC modes.
  • The Branch Gateway mode is supported on ION platforms 3200, 5200, 9000, 9200 and Virtual IONs, with software release 6.4.1 and above.
  • For all new SD-WAN deployments for Hub or DC locations, we suggest considering the Branch Gateway mode, as long as the VPN throughput and scale requirements are not close to DC mode levels and the limitations, such as no Multicast in this first release, are not showstoppers.

For more details you can refer to the Prisma SD-WAN admin guide, links provided at the end of the transcript.

Thank you for listening to this PANCast™ episode. Please let us know what other Prisma SD-WAN topics you would like us to cover in future PANCast™ episodes. You can submit your ideas at the Live Community PANCast™ website.
 

John: 

Thanks Sunil. PANCasters, as always the transcript and additional links can be found at live.paloaltonetworks.com and as Sunil mentioned, remember to submit your ideas.
 
Comments
This brings new capabilities I never realised were possible. Learning these new functionalities before deploying to production is worth a test drive!

Last Updated: 11-27-2024 12:29 PM