Virtual Interface

A Virtual Interface enables the combination of two physical ports into one logical interface. Let's learn the deployment topologies of the virtual interface in Prisma SD-WAN.
Where Can I Use This?
  • Prisma SD-WAN
What Do I Need?
  • Active Prisma SD-WAN license
A Virtual Interface enables the combination of two physical ports into one logical interface. Virtual Interfaces provide increased redundancy in areas of the network where uptime is critical and additional design flexibility is needed.
A Virtual Interface can contain a maximum of two member interfaces and is used to ensure redundant physical connectivity from a device to one or more switches, routers, or firewalls. For example, two controller ports may be connected to two Layer 2 switches for physical redundancy of controller port connectivity.
In order for a port to be an eligible Virtual Interface member it must be a:
  • Physical port—Cannot be a bypass pair nor a logical interface.
  • Similar port type—For example, a controller port can only be added to a virtual interface with another controller port.
  • Default configuration—The interface cannot have any type of IP, sub-interface, used-for, circuit label, nor PPPoE configuration.
A virtual interface can be created, updated, or deleted. It displays as Down if both the member interfaces are operationally down, and Up if at least one of the member interfaces is operationally up.
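The membership rules and the Up/Down logic above, written out as a small check over a constructed port model. This is an added illustration, not Prisma SD-WAN code or its API; the `Port` fields and the function names are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


# Constructed model of an ION port for this illustration only; it is not the
# Prisma SD-WAN data model. Field names are assumptions.
@dataclass
class Port:
    name: str
    port_type: str            # e.g. "controller", "lan", "internet"
    is_physical: bool = True  # False for a bypass pair or a logical interface
    oper_up: bool = True      # operational state of the member port
    ip_config: Optional[str] = None
    sub_interfaces: List[str] = field(default_factory=list)
    used_for: Optional[str] = None
    circuit_label: Optional[str] = None
    pppoe: bool = False

    def has_default_config(self) -> bool:
        """True when no IP, sub-interface, used-for, circuit label or PPPoE is set."""
        return (self.ip_config is None and not self.sub_interfaces
                and self.used_for is None and self.circuit_label is None
                and not self.pppoe)


def member_eligibility_errors(members: List[Port]) -> List[str]:
    """Return every reason these ports cannot form a virtual interface (empty if eligible)."""
    errors = []
    if len(members) > 2:
        errors.append(f"a virtual interface holds at most two members, got {len(members)}")
    for p in members:
        if not p.is_physical:
            errors.append(f"{p.name}: bypass pairs and logical interfaces are not eligible")
        if not p.has_default_config():
            errors.append(f"{p.name}: member must be in default configuration")
    if len({p.port_type for p in members}) > 1:
        errors.append("members must be of the same port type")
    return errors


def virtual_interface_state(members: List[Port]) -> str:
    """Up if at least one member is operationally up, otherwise Down."""
    return "Up" if any(p.oper_up for p in members) else "Down"


if __name__ == "__main__":
    # Constructed sample: controller port 1 and 2, as in the redundancy scenario below.
    ctl1, ctl2 = Port("controller 1", "controller"), Port("controller 2", "controller")
    print(member_eligibility_errors([ctl1, ctl2]))          # []
    ctl1.oper_up = False
    print(virtual_interface_state([ctl1, ctl2]))            # Up (one member still up)
```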

Deployment Topologies of Virtual Interface

Virtual Interfaces can be configured on both branch and data center ION devices. A few sample deployment topologies are discussed below.

Controller Port Redundancy

Controller port redundancy is enabled for both branch and data center ION devices where applicable.
In this scenario, the virtual interface is used to provide physical redundancy from a single Prisma SD-WAN ION device with dual controller ports to two Layer 2 switches in the event of a port failure between the ION devices and one of the switches.
The ION device has each controller port physically connected to two different switches. A new virtual interface is configured with the two member interfaces, controller ports 1 and 2. IP address information is configured on the virtual interface controller port. In the event of a loss of a switch or controller port, controller connectivity remains uninterrupted.

Branch Deployments

Branch site deployments shown below include scenarios where a virtual interface is configured for port redundancy when an ION device is connected to a LAN switch or when a firewall is present.

Branch ION Device LAN Port Redundancy

In this scenario, the virtual interface is used to provide physical redundancy from a single ION device to two Layer 2 switches in the event of an uplink failure between the ION device and one of the switches.
The ION device is physically connected to two Layer 2 switches with VLAN 100 defined on each switch. A new virtual interface is configured with two member interfaces, ports 1 and 2. A sub-interface for VLAN 100 is created on the new virtual interface and the appropriate IP information is configured.
Once configured, the application traffic from clients connected to VLAN 100 is sent to the IP address (and corresponding MAC address) bound to the VLAN 100 sub-interface of the virtual interface. In the event of a physical interface failure, the other interface assumes the forwarding role for the failed interface.

Branch ION Device Internet Port Redundancy

In this scenario, a virtual interface is used to provide internet uplink port redundancy between a single branch ION device and an active/backup firewall pair. The firewall pair is responsible for inspecting untrusted internet traffic that the ION device sends directly to the internet.
The ION device is physically connected directly to each firewall. A new virtual interface is configured with two member interfaces, ports 1 and 2. Since a VLAN tag is not required for this configuration, the IP address information is configured directly on the virtual interface along with 'Used For Internet.' Corresponding port tracking should be configured on the firewall pair to ensure that a unit goes inactive or standby in the event of a failure of the port connected to the ION device.
For purposes of load-balancing or redundancy, these firewalls can be configured in an active-active or active-standby mode.

Data Center Deployments

Data Center deployments include scenarios where an ION device is deployed with two core peers in the same subnet, and where it is deployed with internet circuits and a firewall.

Redundancy in Data Center ION Device Deployment with 2 Core Peers in the Same Subnet

In this scenario, a virtual interface is used to provide redundant physical connections to a pair of Layer 3 core switches. The ION device is peering via BGP with both switches in the same IP network.
The Data Center ION device is physically connected to each of the Layer 3 Core switches with VLAN 10 defined on each switch. A new virtual interface is configured with two member interfaces, ports 1 and 2. A sub-interface for VLAN 10 is created on the new virtual interface and the appropriate IP information is configured. Corresponding BGP Peers are configured on both the ION device and the core switches.
Traffic is forwarded in an active-active fashion based on the route tables of the devices. In the event of an interface or core switch failure, data center connectivity is maintained.
This scenario applies to dual-core control plane designs as depicted, as well as to single-core control plane designs such as a switch stack.

Redundancy in Data Center ION Device Deployment with Internet Circuits and Firewall

In this scenario, a virtual interface is used to provide redundant physical connections to a pair of Layer 2 switches that are connected to an internet-facing firewall pair. The ION device uses the firewall as the default gateway for the redundant internet-facing ports.
The Data Center ION device is physically connected to each of the Layer 2 switches through an untagged switch interface. A new virtual interface is configured with two member interfaces, ports 1 and 2. Since a VLAN tag is not required for this configuration, the IP address information is configured directly on the virtual interface along with the 'Connect to Internet' configuration. Configure the corresponding port tracking on the firewall pair to ensure that a unit goes inactive or standby in the event of a failure of the port connected to the ION device.