Configure Branch HA with Gen-2 Platforms (3200, 5200, and 9200)

Where Can I Use This?	What Do I Need?
Prisma SD-WAN	Active Prisma SD-WAN license

The example showcases two ION 5200 devices equipped with two pairs of hardware bypass functionality. Furthermore, it accommodates the integration of 3200 models with one pair of hardware bypass, as well as 9200 models equipped with four pairs of hardware bypass capability. These ION devices mark a significant advancement in software-defined enterprise technology, leveraging software bypass to enable elastic WAN network connectivity, enhancing both performance and adaptability.

The topology has the following features:

• The active device has two Internet connections.
• The backup device has one MPLS/Private connection.
• The ION devices operate in an active/backup configuration, and through fail-to-wire functionality, the active ION constantly maintains complete control and utilizes the full capacity of all the WAN circuits.
• The devices establish a connection through a trunk, facilitating both data connectivity and enabling High Availability (HA) via device heartbeat monitoring.

  The High Availability (HA) connection needs to be established with a south-bound switch, the devices cannot be directly connected to each other.
• The LAN addressing is identical on both devices, permitting only the active device to use Address Resolution Protocol (ARP) and communicate with hosts and network devices in the LAN.
• The High Availability (HA) addressing is unique, enabling the backup device to communicate with the controller through the active device for connectivity.
• Prisma SD-WAN facilitates the utilization of both the fabric overlay and the underlay (private MPLS). If you opt for the underlay, it's imperative to configure the necessary routing exchange between the ION device and the PE (peer edge) router.

1. Create physical connections between the interfaces of the active and backup ION device.

   1. Connect Port 4 of ION 1 to Port 1 of ION 2. (Internet 1).
   2. Connect Port 4 of ION 2 to Port 1 of ION 1. (MPLS).
   3. Connect Port 6 of ION 1 to Port 3 of ION 2. (Internet 2).

   This ensures that the Internet and MPLS circuits are available to both the ION devices.
2. Configure bypass pairs for each ION device.

   • Between Ports 3 and 4 of the active ION device. (Port 3—WAN (Internet-1), Port 4—LAN)
   • Between Ports 3 and 4 of the standby ION device. (Port 3—WAN (MPLS), Port 4—LAN)
   • Between Ports 5 and 6 of the active ION device. (Port 5—WAN (Internet-2), Port 6—LAN)

   Prisma SD-WAN facilitates the utilization of both the fabric overlay and the underlay (private MPLS). If you opt for the underlay, it's imperative to configure the necessary routing exchange between the ION device and the PE router.
3. Configure a High Availability (HA) also known as Used-for-HA subinterface.

   In this example, we are configuring a subinterface on port 7 with VLAN tag 130 as the Used-for-HA interface for heartbeat exchange between the devices.

   The interface designated for handling High Availability (HA) will be responsible for establishing connections between the devices and the controller. Consequently, it is crucial that these interfaces possess external reachability (direct or via overlay) and are configured with DNS servers capable of resolving public addresses.
4. Configure an interface for LAN connectivity.

   In this example, we are configuring port 7 with VLAN tag 150 for LAN connectivity to enable data exchange between devices.

   This can involve a single subinterface used as a transit to a layer 3 switch below, or alternatively, you can create multiple LAN subinterfaces and ports to communicate directly with different host subnets.

   If using a transit LAN to a layer 3 switch, you must also set up routing accordingly.

   The LAN addressing is identical on both devices, permitting only the active device to use Address Resolution Protocol (ARP) and communicate with hosts and network devices below.
5. Add the ION Devices to the HA Groups.