The Routing section provides the following options:
- Routing Policies
- Route Summarization
- Routing Domains
- Import Route Profiles
- Export Route Profiles
- Transit Nodes
Routing policies help to enable traffic steering. Based on the selection (Application routes and IP Routes) you can use different ways to steer traffic.
Click + Application Route to create an application route.
Custom Application Match Criteria:
- Match Type: Select the match type as Apps & Domains/Custom Application/Application Group from the drop-down list.
- Application: Choose one application from the list.
- Routing Domain: Select a routing domain.
Scope: You can scope the application route at the global level or site and group specific level.
- Delivery Service: Choose one delivery service from the list.
- Cost: Reflects the relative priority of each route. Lower the cost, the higher the priority.
Eligibility Based on Path:
- Add Path: Choose a site and WAN links. If the chosen path goes down, then the application route does not receive any traffic.
If a new application route gets added, then the route cost must be in the following range:
- Custom application: 1–20
- Application: 21–40
- Application group: 41–60
Office 365 optimization
The Office 365 Optimization features adhere to the Microsoft Office 365 Network Connectivity Principles, to optimize Office 365. Office 365 is provided as a service through several service endpoints (front doors) located globally.
To achieve optimal user experience for Office 365 traffic, Microsoft recommends redirecting Office365 traffic directly to the Internet from branch environments and avoiding practices such as backhauling to a central proxy. This is because Office 365 traffic such as Outlook, Word are sensitive to latency and backhauling traffic introduces more latency resulting in poor user experience. Citrix SD-WAN allows you to configure policies to break out Office 365 traffic to the Internet. For more information, see Office 365 Optimization.
In Citrix SD-WAN Orchestrator service, by-default every network have the office 365 rule under Application Group. To navigate, go to Network Configuration > Routing > Routing Policies > Application Routes.
You cannot delete the rule but can configure the settings as required.
Click the office 365 rule to view the default settings Match Type, Application Group, Delivery Service, and so on. You cannot modify these default settings.
Office 365 endpoints are a set of network addresses and subnets. From Citrix SD-WAN 11.4.0 onwards, Office 365 endpoints are classified into Optimize, Allow, and Default categories. Citrix SD-WAN provides a more granular classification of the Optimize and Allow categories, enabling selective bookending to improve the performance of network-sensitive Office 365 traffic. Directing network-sensitive traffic to SD-WAN in the cloud (Cloud Direct or an SD-WAN VPX on Azure), or from an at-home SD-WAN device to an SD-WAN at a nearby location with more reliable Internet connectivity, enables QoS and superior connection resilience compared to simply steering the traffic to the nearest Office 365 front door, at the cost of an increase in latency. A bookended SD-WAN solution with QoS reduces VoIP dropouts and disconnects, reduces jitter and improves media-quality mean opinion scores for Microsoft Teams. Endpoints are segregated into the following three categories:
Optimize - These endpoints provide connectivity to every Office 365 service and feature, and are sensitive to availability, performance, and latency. It represents over 75% of Office 365 bandwidth, connections, and volume of data. All the Optimize endpoints are hosted in Microsoft data centers. Service requests to these endpoints must be breakout from the branch to the Internet and must not go through the data center.
The Optimize category is classified into the following subcategories:
- Teams Realtime
- Exchange Online
- SharePoint Optimize
Allow - These endpoints provide connectivity to specific Office 365 services and features only, and are not so sensitive to network performance and latency. The representation of Office 365 bandwidth and connection count is also lower. These endpoints are hosted in Microsoft data centers. Service requests to these endpoints might be breakout from the branch to the Internet or might go through the data center.
The Allow category is classified into the following subcategories:
- Teams TCP Fallback
- Exchange Mail
- SharePoint Allow
- O365 Common
The Teams Realtime subcategory uses the UDP real-time transport protocol to manage Microsoft Teams traffic, whereas the Teams TCP Fallback subcategory uses the TCP transport layer protocol. As media traffic is highly latency sensitive, you might prefer this traffic to take the most direct path possible and to use UDP instead of TCP as the transport layer protocol (most preferred transport for interactive real-time media in terms of quality). While UDP is a preferred protocol for Teams media traffic, it requires certain ports to be allowed in the firewall. If the ports are not allowed, Teams traffic uses TCP as a fallback, and enabling optimization for Teams TCP Fallback ensures better delivery of the Teams application in this scenario. For more information, see Microsoft Teams call flows.
Default - These endpoints provide Office 365 services that do not require any optimization, and can be treated as normal Internet traffic. Some of these endpoints might not be hosted in Microsoft data centers. The traffic in this category is not susceptible to variations in latency. Therefore, direct breaking out of this type of traffic does not cause any performance improvement when compared to Internet breakout. In addition, the traffic in this category may not always be Office 365 traffic, hence it is recommended to disable this option when enabling the Office 365 breakout in your network.
By default, options of the Default category and the Optimize and Allow subcategories are disabled. You cannot delete these settings but can enable as needed.
Enable Beacon Service - Citrix SD-WAN allows you to perform beacon probing and determines the latency to reach Office 365 endpoints through each WAN link. Office 365 Beacon services are enabled by default. You can disable it by clearing this option. For more information, see Office 365 Beacon service.
Enable O365 Intelligent Path Selection - Citrix SD-WAN allows you to choose the best available WAN link to manage Office 365 traffic. For example, if there are 2 WAN links configured for an Internet service, out of which one WAN link has a higher latency and the other WAN link has a lower latency, enabling intelligent path selection would select the WAN link with the lowest latency provided, the probes from the WAN link are not lossy.
You can view details about the WAN links with lowest latency and the total decisions taken at O365 Metrics.
If probes are lossy, Citrix SD-WAN uses the default Internet load-balancing logic to select the best WAN link although intelligent path selection is enabled.
SD-WAN appliance upgrade considerations
Optimize and Allow category:
If you have enabled the Internet breakout policy for the Optimize and Allow Office 365 categories, Citrix SD-WAN automatically enables the Internet breakout policy for the corresponding subcategories upon upgrade to Citrix SD-WAN 11.4.0.
When you downgrade to a software version older than Citrix SD-WAN 11.4.0, you must manually enable Internet breakout for the Optimize or Allow Office 365 category irrespective of whether you enabled the corresponding subcategories in the Citrix SD-WAN 11.4.0 version or not.
Office 365 application objects:
If you have created rules/routes using the O365Optimize_InternetBreakout and O365Allow_InternetBreakout auto-generated application objects, ensure to delete the rules/routes before upgrading to Citrix SD-WAN 11.4.0. After the upgrade, you can create rules/ routes using the corresponding new application objects.
If you proceed with Citrix SD-WAN 11.4.0 upgrade without deleting the rules/routes, you see an error and thus, the upgrade will not be successful. In the below example, a user has configured an Application QoE profile and is seeing an error while trying to upgrade to Citrix SD-WAN 11.4.0 without deleting the rules/routes.
This upgrade is not required for auto-created rules/routes. It applies only to rules/ routes that you have created.
If you have created DNS Proxy rules or DNS transparent forwarder rules using the Office 365 Optimize and Office 365 Allow applications, ensure to delete the rules before upgrading to Citrix SD-WAN 11.4.0. After the upgrade, you can create the rules again using the corresponding new applications.
If you proceed with Citrix SD-WAN 11.4.0 upgrade without deleting the old DNS proxy or transparent forwarder rules, you do not see any error and the upgrade will be successful too. However, the DNS proxy rules and transparent forwarding rules will not take effect in Citrix SD-WAN 11.4.0.
This activity does not apply to auto-created DNS rules. It applies only to DNS rules that you have created.
Go to IP Routes tab and click + IP Route to IP Route policy to steer traffic.
IP Protocol Match Criteria:
- Destination Network: Add the destination network that helps to forward the packets.
- Use IP Group: You can add a destination network or enable the Use IP Group check box to select any IP group from the drop-down list.
- Routing Domain: Select a routing domain from the drop-down list.
Scope: You can scope the IP route at the global level or site and group specific level.
- Delivery Service: Choose one delivery service from the drop-down list.
- Cost: Reflects the relative priority of each route. Lower the cost, higher the priority.
If a new IP route gets added, then the route cost must be in 1-20 range.
- Export Route: If the Export Route check box is selected and if the route is a local route, then the route is eligible to be exported by default. If the route is an INTRANET/INTERNET based route, then for the export to work, WAN to WAN forwarding has to be enabled. If the Export Route check box is cleared, then the local route is not eligible to be exported to other SD-WAN and has local significance.
Eligibility based on Path:
- Add Path: Choose a site and WAN links. If the added path goes down, then the IP route does not receive any traffic.
Click Verify Config to validate any audit error.
Route summarization reduces the number of routes that a router must maintain. A summary route is a single route that is used to represent multiple routes. It saves bandwidth by sending a single route advertisement, reducing the number of links between routers. It saves memory because only one route address is maintained. The CPU resources are used more efficiently by avoiding recursive lookups. You have an option to add summary routes without specifying the gateway IP address.
Routing Domains are used for segregate traffic through VLAN. Once the routing domains are created, you can reference them at the global level (for Intranet services) or interface level.
You can also select the default routing domain that applies to all the sites.
To match routes from a specific routing domain, click + Routing Domain and choose one of the configured Routing Domains from the drop-down list. Click Save.
Click Verify Config to validate any audit error.
For more information, see Routing Domain.
Inter-routing domain service
Citrix SD-WAN Orchestrator service provides Static Inter-Routing Domain Service, enabling route leaking between Routing Domains within a site or between different sites. This eliminates the need for an edge router to handle route leaking. The Inter-VRF routing service can further be used to set up routes, firewall policies, and NAT rules.
For more information see, Inter-routing domain service.
To configure the Inter-Routing Domain service through the Citrix SD-WAN Orchestrator service:
At the network level, navigate to Configuration > Routing > Routing Domains > Inter-Routing Domain Service.
Click + Inter-Routing Domain and enter values for the following parameters:
- Name: The name of the Inter-Routing Domain Service.
- Routing Domain 1: The first Routing Domain of the pair.
- Routing Domain 2: The second Routing Domain of the pair.
Firewall Zone: The Firewall Zone of the Service.
- Default: The Inter_Routing_Domain_Zone firewall zone is assigned.
- None: The service behaves like a conduit, which has no Zone and maintains the original zone of the packet.
- All Zones configured in the network might be selected.
To create routes using the Inter-routing domain service, create a route with Service type as Inter-Routing Domain Service and select the inter-routing domain service. For more information on configuring Routes, see Routing policies.
Also add a route from the other Routing Domain pair, to establish connection to and fro between the two routing domains.
You can also configure firewall policies to control the flow of traffic between routing domains. In the firewall policies, select Inter-Routing domain service for the source and destination services and select the required firewall action. For information on configuring Firewall Policies, see Firewall policies.
You can also choose Intranet service type to configure Static and Dynamic NAT policies. For More information on configuring NAT policies, see Network Address Translation.
Import route profiles
You can configure Filters to fine-tune how route-learning takes place.
Import filter rules are rules that have to be meet before importing dynamic routes into the SD-WAN route database. By default, no routes are imported.
Add an Import Filter Profile with the Import Profile Name, Profile Availability, and Import Filters along with the following fields:
- Protocol - Select the protocol from the list.
- Routing Domain - To match routes from a specific routing domain, choose one of the configured Routing Domains from the list.
- Source Router - Enter the IP address and netmask of the configured network object that describes the route’s network.
- Destination IP - Enter the destination IP address.
- Prefix - To match routes by prefix, choose a match predicate from the list and enter a Route prefix in the adjacent field.
- Next Hop - Enter the next hop destination.
- Route Tag - Fill the route tag.
- Cost - The method (predicate) and the SD-WAN Route Cost that are used to narrow the selection of routes exported.
Click Verify Config to validate any audit error.
Export route profiles
Define the rules that have to meet when advertising SD-WAN routes over dynamic routing protocols. By default, all routes are advertised to peers.
Click Verify Config to validate any audit error.
Virtual overlay Transit Node
Transit nodes are the sites that are able to forward traffic between one or more branches within a region.
The traffic between two nodes can be influenced to pick transit node as an intermediate hop by adjusting the route cost. Transit nodes are used to route data to non-adjacent nodes. For example, if three nodes are connected in series A-B-C, then data from A to C can be routed via B. You can specify the transit node and the sites to be routed through the transit node in the Citrix SD-WAN Orchestrator service. The virtual paths are chosen in the ascending order of cost. Lower the cost, higher the priority.
Default global virtual overlay transit nodes
You can specify the control nodes (MCN/RCN) and the geo-control nodes (Geo-MCN/RCN) to act as the default global virtual overlay transit nodes in a network. Enabling spoke-and-spoke communication through Hub as part of global settings allows all the sites to use the configured control nodes as transit nodes, by default, for site-to-site communication.
Add the control node and geo-control nodes that you want to use as virtual overlay transit nodes and specify the virtual path cost. The control nodes and geo-control nodes have 6 and 7 as the respective default virtual path costs. You can choose to change the virtual path cost as per your network requirement. Click Restore Default to restore the default virtual path costs for the default transit nodes.
You can add a maximum of 3 control nodes and 3 geo-control nodes as transit nodes.
By default, WAN-to-WAN forwarding is enabled on all the paths associated with the selected control and geo-control nodes. WAN-to-WAN forwarding allows a site to act as an intermediate hop between two adjacent sites for any site-to-site, internet or intranet traffic and to act as a mediator for Dynamic Virtual Paths.
You can override the global transit node settings and choose to enable or disable spoke-to-spoke forwarding only on selected control transit nodes. When Spoke to Spoke Forwarding is enabled, the transit control node exports routes across the sites connected to it. Site-to-Site communication and Dynamic Virtual path across sites connected to the transit node alone gets enabled.
Enabling Route Export enables virtual path-to-virtual path forwarding and route exporting (WAN-to-WAN forwarding) on all the site paths. Disabling the toggle button enables only virtual path-to-virtual path forwarding and disables route exporting on all the site paths. Route Export can be enabled only when Spoke to Spoke Forwarding is enabled.
Site specific preferences for virtual overlay transit nodes
Site-specific preferences for virtual overlay transit nodes allow you to override the global virtual overlay transit node settings for all the sites in your network. You can also choose a non-control node as the primary transit node for a site. Choose a control node or geo-control node as the secondary and the tertiary transit nodes. If the primary transit node is down, the sites use the secondary transit node. If both primary and secondary transit nodes are down, the sites use the tertiary transit node. Specify the cost for the transit nodes and select the sites to which the site-specific virtual overlay transit node settings are applied.
Internet Transit Node
You can add sites as Internet transit sites to enable Internet access to the sites. Sites that need direct internet connectivity, must have at least one link with Internet service enabled. That means, at least one link set to a non-zero bandwidth share %.
Each transit site can be assigned a route cost. The sites with internet service available access the internet directly since the direct route would be the lowest cost routing path. Sites without internet service can route to the internet through the configured transit sites. When the internet transit sites are configured, routes to the internet through these transit sites are automatically pushed to all the sites. Internet transit sites are the sites with Internet service enabled.
For example, if San Francisco and New York are configured as internet transit sites. Routes to the internet via San Francisco and New York automatically get pushed to all the sites.
The virtual overlay transit node with Internet service enabled acts as the primary internet transit node. If internet service is not enabled on the virtual overlay transit node the secondary / backup internet transit node provides a route to the internet.
Intranet Transit Node
The intranet transit node enables all the non-intranet sites to access the configured intranet networks. Each transit site can be assigned a route cost. The available sites with intranet service, accesses the intranet networks directly since the direct route would be the lowest cost routing path. Sites without intranet service can route to the intranet networks through the configured transit sites. When the transit sites are configured, routes to intranet networks through these transit sites are automatically pushed to all the sites. For example, if 10.2.1.0/24 is an intranet network, and Austin and Dallas are the configured transit sites. Routes to that network address through Austin and Dallas automatically get pushed to all the sites. The virtual overlay transit node with Intranet service enabled acts as the primary intranet transit node. If intranet service is not enabled on the virtual overlay transit node the secondary / backup intranet transit node provides a route to the intranet.