Comprehensive and Detailed Explanation
In Prisma SD-WAN (formerly CloudGenix), the establishment of Secure Fabric (VPN) tunnels is automated but relies heavily on the correct definition of the Network Context for each interface. If a tunnel fails to form on a newly added secondary circuit, it is typically due to a misconfiguration in how the interface is defined in the ION portal.
1. Interface Scope (Statement D):
The Scope setting on an interface determines its function in the network topology.
Global Scope: This defines the interface as a WAN-facing port. The ION device will only attempt to build VPN tunnels (overlay) on interfaces configured with Global scope.
Local Scope: This defines the interface as a LAN-facing port (for users, switches, or APs). If the administrator mistakenly sets the scope to "Local" for the new internet line, the ION treats it as a private LAN segment and will not initiate any tunnel negotiation or WAN signaling on that port.
2. Interface Role/Circuit Category (Statement A):
Prisma SD-WAN uses Circuit Categories (often referred to as Interface Roles in general networking terms, or specifically "Circuit Category" in the ION UI) to determine peering logic.
To form a tunnel over a public internet link to a Data Center, the circuit attached to the interface must be categorized as "Internet".
The controller uses this category to match compatible endpoints. It knows that a "Private WAN" (MPLS) link cannot directly tunnel to an "Internet" link without a gateway. If the new circuit is not correctly selected/categorized as "Internet" (e.g., left undefined or set to a different category), the system will not attempt to build the standard IPSec overlay to the Data Center's public IP address.
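The two preconditions above (Global scope and an "Internet" circuit category) can be checked before anyone starts chasing a non-forming tunnel. The following is an added example, not Prisma SD-WAN code or its API: the `Interface` fields, the reason codes and the sample branch configuration are constructed here purely for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Interface:
    """Hypothetical snapshot of an ION interface as set in the portal (assumed field names)."""
    name: str
    scope: str                        # "Global" (WAN-facing) or "Local" (LAN-facing)
    circuit_category: Optional[str]   # e.g. "Internet", "Private WAN", or None if never set


def tunnel_blockers(iface: Interface) -> List[str]:
    """Return the reasons an ION would not attempt a Secure Fabric (IPSec overlay)
    tunnel from this interface to the Data Center's public Internet endpoint.
    An empty list means both preconditions from the explanation are satisfied."""
    reasons: List[str] = []
    # Condition 1 (Statement D): only Global-scoped, WAN-facing ports build tunnels.
    if iface.scope != "Global":
        reasons.append("SCOPE_NOT_GLOBAL")
    # Condition 2 (Statement A): the circuit must be categorised "Internet" to be
    # matched against the Data Center's public IP; an undefined category or a
    # different one (e.g. Private WAN/MPLS) is not a compatible endpoint.
    if iface.circuit_category is None:
        reasons.append("CIRCUIT_CATEGORY_UNDEFINED")
    elif iface.circuit_category != "Internet":
        reasons.append("CIRCUIT_CATEGORY_NOT_INTERNET")
    return reasons


def diagnose(interfaces: List[Interface]) -> Dict[str, List[str]]:
    """Map each interface name to its blockers (empty list = tunnel expected)."""
    return {i.name: tunnel_blockers(i) for i in interfaces}


# Constructed sample branch: a working primary circuit, a new secondary circuit
# left at LAN-style defaults, and an MPLS link that cannot tunnel directly.
SAMPLE_BRANCH = [
    Interface("1", "Global", "Internet"),
    Interface("2", "Local", None),
    Interface("3", "Global", "Private WAN"),
]

if __name__ == "__main__":
    for name, reasons in diagnose(SAMPLE_BRANCH).items():
        status = "tunnel expected" if not reasons else ", ".join(reasons)
        print(f"interface {name}: {status}")
```

Running it against the sample reports interface 2 with both blockers, which is exactly the "new secondary circuit forms no tunnel" symptom the question describes; fixing the scope alone would still leave the undefined category in the way.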