Citrix SD-WAN Orchestrator for On-premises allows you to manage the SD-WAN appliance in two ways, out-of-band management and in-band management. Out-of-band management allows you to create a management IP using a port reserved for management, which carries management traffic only. In-band management allows you to use the SD-WAN data ports for management. It carries both data and management traffic, without having to configure an addition management path.
In-band management allows virtual IP addresses to connect to management services such as web UI and SSH. You can enable in-band management on a trusted interface that is enabled to be used for IP services. You can access the web UI and SSH using the management IP and in-band virtual IPs.
In-band management in Citrix SD-WAN Orchestrator for On-premises is supported for Citrix SD-WAN 11.1.1 and higher.
To enable in-band management on a virtual IP, at the site level, navigate to Configuration > Site Configuration > Interfaces. Select the virtual IP to be used as the In-band management port. You can use the InBand Management IP or InBand Management IPv6 to access the web UI and SSH.
In-band management is supported on LAN ports only.
For detailed procedure on configuring a virtual IP address, see Interfaces.
The In-band management IP also acts as a back-up management IP. It is used as the management IP address if the management port is not configured with a default gateway. Select the DNS proxy to which all DNS requests over the in-band management plane is forwarded to. For information on configuring DNS proxy, see DNS proxy.
For use cases where the appliance connectivity to Citrix SD-WAN Orchestrator for On-premises toggles between management and in-band ports, configure InBand Management DNS or InBand Management DNS V6 to ensure uninterrupted Citrix SD-WAN Orchestrator for On-premises connectivity.
The need to deploy SD-WAN appliances in simpler environments like home or small branches has increased significantly. Configuring separate management access for simpler deployments is an added overhead. Zero-touch deployment along with the in-band management feature enables provisioning and configuration management through designated data ports. Zero-touch deployment is supported on the designated data ports and there is no need to use a separate management port for Zero-touch deployment.
You can provision an appliance in the factory shipped state, that supports in-band provisioning by connecting the data or management port to the internet. The appliances that support in-band provisioning have specific ports for LAN and WAN. The appliance in the factory reset state has a default configuration that allows to establish a connection with the zero-touch deployment service. The LAN port acts as the DHCP server and assigns a dynamic IP to the WAN port that acts as a DHCP client. The WAN links monitor the Quad 9 DNS service to determine WAN connectivity.
Once the IP address is obtained and a connection is established with the zero-touch deployment service the configuration packages are downloaded and installed on the appliance. For information on zero-touch deployment through the Citrix SD-WAN Orchestrator for On-premises, see Zero Touch Deployment.
- In-band provisioning is applicable to all the platforms. However, default configuration is enabled only on Citrix SD-WAN 110 and VPX platforms because the other platforms are shipped with an older software version.
- For day-0 provisioning of SD-WAN appliances through the data ports, the appliance software version must be Citrix SD-WAN 11.1.1 or higher.
The default configuration of an appliance in factory reset state includes the following configurations:
- DHCP Server on LAN port
- DHCP client on WAN port
- QUAD9 configuration for DNS
- Default LAN IP is 192.168.101.1/24 for Citrix SD-WAN appliances with factory image 220.127.116.11.
- Default LAN IP is 192.168.0.1/24 for Citrix SD-WAN 110 appliance with factory image 11.0.4.
- Grace License of 35 days.
Once the appliance is provisioned, the default configuration is disabled and overridden by the configuration received from the zero-touch deployment service. If an appliance license or grace license expires, the default configuration is activated, ensuring that the appliance remains connected to the zero-touch deployment service and receives the license managed service.
Fallback configuration ensures that the appliance remains connected to the zero-touch deployment service if there is a link failure, configuration mismatch, or software mismatch. Fallback configuration is enabled by default on the appliances that have a default configuration profile. You can also edit the fallback configuration as per your existing LAN network settings.
The fallback configuration retains the connectivity to appliance through the appliance in-band management IP and Citrix SD-WAN Orchestrator service in the following scenarios:
- Where the t2_app crashes
- you attempt to perform the configuration reset
In a scenario, where an appliance has in-band management configured and you perform manual configuration reset or the t2_app crashes more than four times in 120 seconds due to user configuration. In such framework, the service gets disabled and hence you lose connectivity to Citrix SD-WAN Orchestrator service and the appliance.
But if you had fallback configuration enabled, then you get below features:
- Basic in-band access to management features (Web UI/SSH/SNMP)
- Ability for appliance connects to outside services over an in-band port (Citrix SD-WAN Orchestrator service/ZTD)
For such scenarios, instead of disabling the service appliance comes back with fallback configuration with service enabled. The connectivity to Citrix SD-WAN Orchestrator service and the appliance through the in-band management IP remains intact as long as the link has internet connectivity.
After the initial appliance provisioning, ensure that the fallback configuration is enabled for zero-touch deployment service connectivity.
If the fallback configuration is disabled, you can enable it through Citrix SD-WAN Orchestrator service at the site level by navigating to Configuration > Appliance Settings > Fallback and click Enable Fallback Configuration.
To customize the fallback configuration as per your LAN network, edit the values for the following LAN settings as per your network requirements. This is the minimum configuration required to establish a connection with the zero-touch deployment service.
- VLAN ID: The VLAN ID to which the LAN port must be grouped.
- IP Address: The virtual IP address assigned to the LAN port.
- Enable DHCP Server: Enables the LAN port as the DHCP server. The DHCP server assigns dynamic IP addresses to the WAN port.
- DHCP Start and DHCP End: The range of IP addresses which DHCP uses to assign an IP to the WAN port dynamically.
- Dynamic DNS Server: Enables the LAN port as the domain name server.
- DNS Server: The IP address of the primary DNS server.
- Alt DNS Server: The IP address of the secondary DNS server.
- Internet Access: Permit internet access to all LAN clients without other filtering.
Configure the mode for each port. The port can be a LAN port or a WAN port or can be disabled. The ports displayed depend on the appliance model. Also, set the port bypass mode to Fail-to-Block or Fail-to-wire.
The following table provides the details of pre-designated WAN and LAN ports for fallback configuration on different platforms:
|Platform||WAN Ports||LAN Ports|
|210-LTE||1/4, 1/5, LTE-1||1/3|
|410||1/4, 1/5, 1/6||1/3 (FTB)|
|1100||1/4, 1/5, 1/6||1/3 (FTB)|
The WAN ports can be configured as independent WAN Links using the DHCP client and monitor the Quad9 DNS service to determine WAN connectivity. You can configure WAN IPs/static IPs for the WAN ports in the absence of DHCP to use In-band management for initial provisioning.
You can only configure the Ethernet ports with the static IPs. The static IPs are not configurable with LTE-1 and LTE-E1 ports. Though you can add the LTE-1 and LTE-E1 port as WAN, the configuration fields remain non-editable.
When you add a WAN port, it is added under the WAN Settings (Port: 2) section with the Enable DHCP check box selected by default. If the DHCP Mode check box is selected, the IP Address, Gateway IP Address, and the VLAN ID text fields are grayed out. Clear the Enable DHCP check box, if you want to configure static IP.
By default, the WAN Tracking IP Address field is auto filled with the 18.104.22.168. You can change the address as needed.
If you are selecting the Dynamic DNS Servers check box, ensure to add/configure at least one WAN port with the DHCP Mode selected.
To reset the fallback configuration to default configuration at any time, click Reset.
It is recommended to enable fallback configuration on all appliances that are connected to Orchestrator through the In-band/Management Port connected to LAN subnet. Ensure that the default fall-back configuration is set up as per your network subnet requirements.
Citrix SD-WAN Orchestrator for On-premises also allows to fail over management traffic seamlessly to the management port when the data port goes down and conversely. If an appliance can connect to the internet through both the management and in-band ports, the management port is chosen for zero-touch deployment.
On rebooting the appliance, if internet is available over the in-band port and not the management port, the appliance is connected to the Citrix SD-WAN Orchestrator for On-premises immediately.
Once the connection is established, a service agent running on the appliance sends the heartbeat information to the Citrix SD-WAN Orchestrator for On-premises every 10 seconds. If the Citrix SD-WAN Orchestrator for On-premises does not receive the heartbeat for 5 minutes, the In-band port failover is activated. Citrix SD-WAN Orchestrator for On-premises reports the appliance as offline during this period.
On rebooting the appliance, if internet is not available over both the management and in-band port and once internet connection is re-established, the service agent takes about 5 minutes to restart and establish a connection.
Ensure that the Preserve route to internet from link even if all associated paths are down option is enabled at the network level, Configuration > Delivery Services > Internet. Ensuring that the connectivity to the Citrix SD-WAN Orchestrator for On-premises is maintained even if the virtual path is down.
Configurable management or data port
In-band management allows the data ports to carry both data and management traffic, eliminating the need for a dedicated management port. It leaves the management port unused on the low end appliances, which already have low port density. Citrix SD-WAN allows you to configure the management port to operate as either a data port or a management port.
You can convert the management port to data port only on the following platforms.
- Citrix SD-WAN 110 SE/LTE
- Citrix SD-WAN 210 SE/LTE
While configuring a site, use the management port in your configuration. After the configuration is activated, the management port is converted to a data port.
You can configure a management port only when in-band management is enabled on other trusted interfaces on the appliance.
To configure a management interface, at the site level, navigate to Configuration > Site Configuration > Interfaces and select the MGMT interface. For more information on configuring interface groups, see Interfaces.
To reconfigure the management port to perform management functionality, remove the configuration. Create a configuration without using the management port and activate it.