Configure Data Center (DC-DC) Interconnectivity
ION data center devices can communicate with each other using standard VPN IPsec tunnels. Learn how to configure DC-DC tunnels in Prisma SD-WAN.
Prisma SD-WAN supports standard VPN for connection between two Data Center ION devices. Both the DC ION devices may try to initiate a tunnel, in which case the tunnel will not be established. To overcome this issue, Prisma SD-WAN supports the responder-only mode for the DC ION devices, so that the ION device only responds to the IKE connection and does not initiate it.

Prisma SD-WAN currently supports this feature only for IPsec VPNs and not for GRE VPNs. Prisma SD-WAN supports both IKEv1 and IKEv2.

- Select Manage > Workflows > Devices > Claimed Devices.
- From the ellipsis menu, select Configure the device.
- On the Configure Interface: New Standard VPN screen, set up the Main Configuration for the new interface.
- For Admin Up, select Yes.
- (Optional) Enter a Name, Description, and Tags.
- Select IPsec as the Standard VPN Type.
  The Interface Type must display as Standard VPN.
- Select a Parent Interface to establish the GRE tunnel.
  For a data center ION device, any of the following ports can be used as a parent interface:
  - Any Connect to Internet port
  - Any Connect to Peer Network port
- Toggle Scope to Local or Global.
- Enter an Inner Tunnel IP Address or Mask.
- For the Endpoint name, add the name of the connected Data Center site.
  Note that although configured, the Endpoint will not be pushed to the DC ION device, since the Endpoint applies only for a branch ION device. Hence, you have to enter a Peer IP for the tunnel to be established.
- Enter a Peer IP of the connected DC site.
  The Peer IP is mandatory for a DC-DC tunnel.
- Select an IPsec Profile.
  Select a created IPsec profile.
- Under Advanced Options, navigate to Passive Mode.
  By default, Passive Mode is No, which means that the device can act as a responder and an initiator.
  (Optional) Select Yes for Passive Mode to have the ION device in the responder-only mode. Set one end of the tunnel to Yes and the other end to No.
- Click Create Standard VPN.
  You can view the DC-DC tunnels on the Overlays Connection page for a DC site.

Port Translation between Data Centers

If one of the ION devices is behind a NAT device, you need to configure an inbound DNAT rule for port translation for the receiving ION device, so that port 4500 is translated to port 4501 for a given IP address.
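
A pre-deployment consistency check for the two ends of a DC-DC tunnel, covering the rules in the procedure and the port translation note above. This is an added example, not Prisma SD-WAN code or its API: the dictionary keys, the DNAT rule tuple shape, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

NAT_T_PORT, TRANSLATED_PORT = 4500, 4501  # port translation named on the page


def check_dc_dc_pair(a, b, dnat_rules=()):
    """Return findings for one DC-DC tunnel; an empty list means consistent.

    a, b: dicts with hypothetical keys name, vpn_type, reachable_ip, peer_ip,
    passive_mode, behind_nat. dnat_rules: (ip, from_port, to_port) tuples
    describing inbound DNAT rules on the NAT device (assumed shape).
    """
    findings = []
    for side, other in ((a, b), (b, a)):
        name = side["name"]
        # Responder-only mode is supported for IPsec VPNs, not GRE.
        if side["vpn_type"].lower() != "ipsec":
            findings.append(f"{name}: Standard VPN Type must be IPsec")
        # The Endpoint is not pushed to a DC ION, so Peer IP is mandatory.
        try:
            peer = ipaddress.ip_address(side.get("peer_ip") or "")
        except ValueError:
            findings.append(f"{name}: Peer IP missing or invalid")
        else:
            if peer != ipaddress.ip_address(other["reachable_ip"]):
                findings.append(f"{name}: Peer IP {peer} is not {other['name']}")
        # An ION behind NAT needs inbound DNAT 4500 -> 4501 for its address.
        rule = (side["reachable_ip"], NAT_T_PORT, TRANSLATED_PORT)
        if side["behind_nat"] and rule not in dnat_rules:
            findings.append(f"{name}: no DNAT 4500->4501 for {rule[0]}")
    # Exactly one end should be responder-only (Passive Mode = Yes).
    if a["passive_mode"] and b["passive_mode"]:
        findings.append("both ends passive: neither initiates IKE")
    elif not (a["passive_mode"] or b["passive_mode"]):
        findings.append("both ends may initiate: set Passive Mode on one end")
    return findings


# Constructed sample data (documentation address ranges, not real sites).
DC1 = {"name": "dc1", "vpn_type": "ipsec", "reachable_ip": "198.51.100.10",
       "peer_ip": "203.0.113.20", "passive_mode": True, "behind_nat": True}
DC2 = {"name": "dc2", "vpn_type": "ipsec", "reachable_ip": "203.0.113.20",
       "peer_ip": "198.51.100.10", "passive_mode": False, "behind_nat": False}

if __name__ == "__main__":
    for finding in check_dc_dc_pair(DC1, DC2) or ["pair is consistent"]:
        print(finding)
```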