Prisma SD-WAN Branch HA Key Concepts
Let us understand the Prisma SD-WAN branch HA key concepts.
Prisma SD-WAN enables the election of an active or backup device
through Priority and Preemption configuration.
Priority is assigned to devices to dictate preference during election. For example,
certain topologies may require that a particular device be active while the other
remains as a backup device. In such cases, an administrator can assign a higher priority
to the device with higher preference to dictate which device becomes active during
election, with the highest priority being 255. A difference of at least 40 between
the priorities of an active ION device and a backup ION device is recommended.
Preemption is enabled at the HA group level to automatically
force a switchover to the device with a higher priority.
Advertisement Interval—Prisma SD-WAN uses VRRP to determine HA peer liveness at
specified intervals. At the HA group level, an administrator specifies the interval
at which the active device advertises its priority to the other members of the HA
group. This can be a value between 1 and 10 seconds. If the backup device receives no
advertisement for 3 consecutive advertisement intervals, it assumes that the active
device is unavailable and begins its transition to the active state.
Interface Tracking—Each device will automatically track
the state of the HA-control interface, and upon a failure of the
interface, the device will immediately transition to a failed state,
giving way to the other device in the HA group to become active.
In addition, an administrator can optionally configure up to four
non-HA control interfaces to track, and for each interface that
goes down the HA priority of the device will be reduced by the configured
value.
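The Python model below is an added example, not Palo Alto Networks code. It shows how priority, preemption, the advertisement interval and interface tracking described above interact. The device names, interface names, the 140/100 priorities and the decrement of 25 are constructed, and two behaviours are assumptions of the model: the incumbent keeps the active role on a tie or when preemption is off, and the priority is floored at 0.

```python
from dataclasses import dataclass, field

MISSED_ADVERTS = 3  # page: backup takes over after 3 missed advertisement intervals

@dataclass
class Device:
    name: str
    priority: int                  # configured priority, 255 is the highest
    enabled: bool = True           # administratively enabled in the HA group
    ha_control_up: bool = True
    tracked: dict = field(default_factory=dict)  # iface -> (is_up, decrement)

    def effective_priority(self):
        """Priority after tracking penalties; None if the device cannot be active."""
        if not self.enabled or not self.ha_control_up:
            return None            # disabled or HA-control failure: out of the election
        if len(self.tracked) > 4:
            raise ValueError("at most four non-HA-control interfaces can be tracked")
        penalty = sum(dec for up, dec in self.tracked.values() if not up)
        return max(self.priority - penalty, 0)   # floor at 0 is a model assumption

def takeover_delay(advert_interval_s):
    """Seconds of silence before the backup starts its transition to active."""
    if not 1 <= advert_interval_s <= 10:
        raise ValueError("advertisement interval must be 1-10 seconds")
    return MISSED_ADVERTS * advert_interval_s

def elect(current_active, devices, preempt):
    """Name of the device that should be active, or None if none is eligible."""
    prio = {d.name: d.effective_priority() for d in devices}
    prio = {n: p for n, p in prio.items() if p is not None}
    if not prio:
        return None
    best = max(prio, key=prio.get)
    # Assumption: the incumbent keeps the role on a tie or when preemption is off.
    if current_active in prio and (not preempt or prio[current_active] == prio[best]):
        return current_active
    return best

def scenario(wan_links_down, preempt):
    """Constructed pair: priorities 140/100, two tracked links worth 25 each on ion-a."""
    links = {f"wan{i}": (i > wan_links_down, 25) for i in (1, 2)}
    a = Device("ion-a", 140, tracked=links)
    b = Device("ion-b", 100)
    return elect("ion-a", [a, b], preempt)

if __name__ == "__main__":
    for down in (0, 1, 2):
        print(down, "links down:", scenario(down, True), "/", scenario(down, False))
    print("takeover delay at 2 s interval:", takeover_delay(2), "s")
```

In this model, one tracked link failure leaves ion-a active because 115 still exceeds 100. A second failure hands the role to ion-b only when preemption is enabled.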
Administration—The devices in an HA group can be administratively
disabled from participating in an HA group for operational reasons.
When a device is disabled in a group, it will withdraw from the
group and become a passive device. For example, in Returned Merchandise
Authorization (RMA) scenarios, an administrator can administratively
bring down and bring up a device. Similarly, before a software upgrade,
an administrator can mark the device as disabled to perform the
software upgrade and then enable the device in the HA group after
the software upgrade is complete.
DHCP Server—The devices will automatically synchronize
DHCP server leases from active to backup, so that the backup device,
when active, can continue to perform all the functions of an active
device.
HA Status—HA group status can be displayed for current
active and backup devices with the last switchover time and the
reason for the switchover.
Configuration Management—The device configuration may
need to be identical on both devices, depending on the topology.
- If the configuration is applied at the site level (for example,
network path policy, QoS policy, etc.), the same policy
is applied to both the devices.
- If the configuration is applied at the device level (for example,
NAT port forwarding, security zone binding at the interface level,
etc.), the policy/configuration needs to be applied to both the devices.
This applies to other configurations as well.