Learn how hot potato routing works for Prisma Access
service connections.
When you select Hot Potato Routing,
Prisma Access egresses the traffic bound to service connections/data
centers from its internal network as quickly as possible.
With hot potato routing, Prisma Access prepends the AS path (AS-PATH)
to the BGP prefix advertisements sent from gateways. This prepending
is performed when the prefixes are advertised out of the service
connection to your organization’s on-premises CPE. Prisma Access
prepends the AS-PATHs so that your CPE gives the correct preference
to the primary and secondary tunnels, so that if the primary tunnel
goes down, your CPE chooses the secondary tunnel as the backup.
If you specified a different IP address for the secondary (backup)
BGP peer, Prisma Access adds more prepends based on the tunnel type,
as shown in the following table.
| Prefix Type | Service Connection Tunnel Type | Number of AS-PATH Prepends | Total AS-PATHs Seen on the CPE |
|---|---|---|---|
| Gateway prefixes from primary service connection | Primary or Secondary tunnel with the same BGP peer IP address | 0 | 1 |
| Gateway prefixes from backup service connection | Primary or Secondary tunnel with the same BGP peer IP address | 3 | 4 |
| Gateway prefixes from all other service connections | Primary or Secondary tunnel with the same BGP peer IP address | 6 | 7 |
| Gateway prefixes from primary service connection | Secondary tunnel with a different BGP peer IP address | 1 | 2 |
| Gateway prefixes from backup service connection | Secondary tunnel with a different BGP peer IP address | 4 | 5 |
| Gateway prefixes from all other service connections | Secondary tunnel with a different BGP peer IP address | 7 | 8 |
In hot potato routing mode, Prisma Access allows you to specify
a backup service connection (Backup SC)
during onboarding. Specifying a Backup SC informs Prisma
Access to use that service connection as the backup when a service
connection link fails.
The following figure shows a hot potato routing configuration
for traffic between the US service connection and AS 200, with the
EU service connection configured as the Backup SC of
the US connection. Using hot potato routing, Prisma Access sends
the traffic from its closest exit path through the US service connection.
The return traffic takes the same path through AS 100 because this
path has a shorter AS-PATH to the mobile user pool in the US location.
Prisma Access prepends the AS-PATH to its prefix advertisements
depending on whether the tunnel is a primary tunnel, a backup tunnel,
or not used for either primary or backup.
Because you have set up a backup service connection, if the link
to the US service connection goes down, hot potato routing sends
the traffic out using its shortest route through the EU service
connection. This routing scenario also applies to networks that
use route aggregation.
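
The failover order that the prepend table produces can be modeled as follows. This is an added example, not Palo Alto Networks code; it assumes the CPE decides on AS-PATH length alone (all other BGP attributes equal), and the class, function, and "Other" service connection names are hypothetical.

```python
from dataclasses import dataclass

# Prepends from the table above, keyed by (service connection role, tunnel kind).
# "same_peer": primary or secondary tunnel with the same BGP peer IP address.
# "diff_peer": secondary tunnel with a different BGP peer IP address.
PREPENDS = {
    ("primary", "same_peer"): 0, ("primary", "diff_peer"): 1,
    ("backup", "same_peer"): 3, ("backup", "diff_peer"): 4,
    ("other", "same_peer"): 6, ("other", "diff_peer"): 7,
}

@dataclass(frozen=True)
class Advert:
    sc_name: str     # service connection the advertisement arrives on
    role: str        # that connection's role for this gateway prefix
    tunnel: str      # "same_peer" or "diff_peer"
    up: bool = True  # False when the tunnel is down

    @property
    def as_path_len(self) -> int:
        # The table's "Total AS-PATHs Seen on the CPE" is prepends + 1.
        return 1 + PREPENDS[(self.role, self.tunnel)]

def best_path(adverts):
    """Path the CPE prefers. Assumption: shortest AS-PATH is the tie-breaker."""
    live = [a for a in adverts if a.up]
    return min(live, key=lambda a: a.as_path_len, default=None)

def failover_order(adverts):
    """Paths chosen in turn as each currently preferred path fails."""
    remaining, order = list(adverts), []
    while (best := best_path(remaining)) is not None:
        order.append((best.sc_name, best.tunnel, best.as_path_len))
        remaining.remove(best)
    return order

# Constructed sample: advertisements for a US gateway prefix, with EU as Backup SC.
SAMPLE = [
    Advert("Other", "other", "diff_peer"),
    Advert("EU", "backup", "same_peer"),
    Advert("US", "primary", "diff_peer"),
    Advert("Other", "other", "same_peer"),
    Advert("US", "primary", "same_peer"),
    Advert("EU", "backup", "diff_peer"),
]

if __name__ == "__main__":
    for step in failover_order(SAMPLE):
        print(step)
```

The gaps between 2 and 4, and between 5 and 7, keep every tunnel of the primary service connection preferred over the Backup SC, and every Backup SC tunnel preferred over any other service connection.
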
You can also use backup service connections for multiple service
connections in a single region. The following figure shows a Prisma
Access deployment with two service connections in the North America region.
In this case, you specify a Backup SC of
US-E for the US-W service connection, and vice versa, to ensure
symmetric routing.