Routing

The Routing section provides the following options:

  • Routing Policies
  • Routing Domains
  • Import Route Profiles
  • Export Route Profiles
  • Transit Nodes

Routing policies

Routing policies help to enable traffic steering. Based on the selection (Application routes and IP Routes) you can use different ways to steer traffic.

Routing policy

Click + Application Route to create application route.

  • Custom Application Match Criteria:

    • Match Type: Select the match type as Application/Custom Application/Application Group from the drop-down list.
    • Application: Choose one application from the list.
    • Routing Domain: Select a routing domain.
  • Scope: You can scope the application route at the global level or site and group specific level.

  • Traffic Steering;

    • Delivery Service: Choose one delivery service from the list.
    • Cost: Reflects the relative priority of each route. Lower the cost, higher the priority.

Application route

If a new application route gets added, then the route cost must be in the following range:

  • Custom application: 1–20
  • Application: 21–40
  • Application group: 41–60

Office 365 optimization

The Office 365 Optimization features adhere to the Microsoft Office 365 Network Connectivity Principles, to optimize Office 365. Office 365 is provided as a service through several service endpoints (front doors) located globally.

To achieve optimal user experience for Office 365 traffic, Microsoft recommends redirecting Office365 traffic directly to the Internet from branch environments and avoiding practices such as backhauling to a central proxy. This is because Office 365 traffic such as Outlook, Word are sensitive to latency and backhauling traffic introduces more latency resulting in poor user experience. Citrix SD-WAN allows you to configure policies to break out Office 365 traffic to the Internet. For more information, see Office 365 Optimization.

In SD-WAN Orchestrator, by-default every network have the office 365 rule under Application Group. To navigate, go to Network Configuration > Routing > Routing Policies > Application Routes.

O365

You cannot delete the rule but can configure the settings as required.

O365 detail

Click the office 365 rule to view the default settings Match Type, Application Group, Delivery Service, and so on. You cannot modify these default settings.

Office 365 endpoints are a set of network addresses and subnets. Endpoints are segregated into the following three categories:

  • Optimize - These endpoints provide connectivity to every Office 365 service and feature, and are sensitive to availability, performance, and latency. It represents over 75% of Office 365 bandwidth, connections, and volume of data. All the Optimize endpoints are hosted in Microsoft data centers. Service requests to these endpoints must be breakout from the branch to the Internet and must not go through the data center.

  • Allow - These endpoints provide connectivity to specific Office 365 services and features only, and are not so sensitive to network performance and latency. The representation of Office 365 bandwidth and connection count is also lower. These endpoints are hosted in Microsoft data centers. Service requests to these endpoints might be breakout from the branch to the Internet or might go through the data center.

  • Default - These endpoints provide Office 365 services that do not require any optimization, and can be treated as normal Internet traffic. Some of these endpoints might not be hosted in Microsoft data centers. The traffic in this category is not susceptible to variations in latency. Therefore, direct breaking out of this type of traffic does not cause any performance improvement when compared to Internet breakout. In addition, the traffic in this category may not always be Office 365 traffic, hence it is recommended to disable this option when enabling the Office 365 breakout in your network.

    NOTE

    By-default, the Optimize, Allow, and Default options are disabled. You cannot delete these settings but can enable as needed.

  • Enable Beacon Service - Citrix SD-WAN allows you to perform beacon probing and determines the latency to reach Office 365 endpoints through each WAN link. Office 365 Beacon services are enabled by default. You can disable it by clearing this option. For more information, see Office 365 Beacon service.

    You can view the beacon probing availability and latency reports at Network level and Site level.

IP Routes

Go to IP Routes tab and click + IP Route to IP Route policy to steer traffic.

IP route

  • IP Protocol Match Criteria:

    • Destination Network: Add the destination network that helps to forward the packets.
    • Use IP Group: You can add a destination network or enable the Use IP Group check box to select any IP group from the drop-down list.
    • Routing Domain: Select a routing domain from the drop-down list.
  • Scope: You can scope the IP route at the global level or site and group specific level.

  • Traffic Steering:
    • Delivery Service: Choose one delivery service from the drop-down list.
    • Cost: Reflects the relative priority of each route. Lower the cost, higher the priority.

    If a new IP route gets added, then the route cost must be in 1-20 range.

  • Eligibility Criteria:
    • Export Route: If the Export Route check box is cleared the local route is not eligible to be exported to other SD-WAN and has local significance. If the Export Route is checked, then it is eligible to be exported by default if it is a local route. If it is an INTRANET/INTERNET based route, then for the export to work, WAN to WAN forwarding has to be enabled.

Click Verify Config to validate any audit error.

Routing domains

Routing Domains are used for segregate traffic through VLAN. Once the routing domains are created, you can reference them at the global level (for Intranet services) or interface level.

To match routes from a specific routing domain, choose one of the configured Routing Domains from the list.

Network segmentation routing domains

Click Verify Config to validate any audit error.

For more information, see Routing Domain.

Inter-routing domain service

Citrix SD-WAN Orchestrator provides Static Inter-Routing Domain Service, enabling route leaking between Routing Domains within a site or between different sites. This eliminates the need for an edge router to handle route leaking. The Inter-VRF routing service can further be used to set up routes, firewall policies, and NAT rules.

For more information see, Inter-routing domain service.

To configure the Inter-Routing Domain service through the SD-WAN Orchestrator:

  1. At the network level, navigate to Configuration > Routing > Routing Domains > Inter-Routing Domain Service.

  2. Click + Inter-Routing Domain and enter values for the following parameters:

  • Name: The name of the Inter-Routing Domain Service.
  • Routing Domain 1: The first Routing Domain of the pair.
  • Routing Domain 2: The second Routing Domain of the pair.
  • Firewall Zone: The Firewall Zone of the Service.
    • Default: The Inter_Routing_Domain_Zone firewall zone is assigned.
    • None: The service behaves like a conduit, which has no Zone and maintains the original zone of the packet.
    • All Zones configured in the network might be selected.

    Inter-routing domain service

To create routes using the Inter-routing domain service, create a route with Service type as Inter-Routing Domain Service and select the inter-routing domain service. For more information on configuring Routes, see Routing policies.

Routing policies

Also add a route from the other Routing Domain pair, to establish connection to and fro between the two routing domains.

You can also configure firewall policies to control the flow of traffic between routing domains. In the firewall policies, select Inter-Routing domain service for the source and destination services and select the required firewall action. For information on configuring Firewall Policies, see Firewall policies.

Firewall policies

You can also choose Intranet service type to configure Static and Dynamic NAT policies. For More information on configuring NAT policies, see Network Address Translation.

Import route profiles

You can configure Filters to fine-tune how route-learning takes place.

Import filter rules are rules that have to be meet before importing dynamic routes into the SD-WAN route database. By default, no routes are imported.

Import route profiles

Add an Import Filter Profile with the Import Profile Name, Profile Availability, and Import Filters along with the following fields:

  • Protocol - Select the protocol from the list.
  • Routing Domain - To match routes from a specific routing domain, choose one of the configured Routing Domains from the list.
  • Source Router - Enter the IP address and netmask of the configured network object that describes the route’s network.
  • Destination IP - Enter the destination IP address.
  • Prefix - To match routes by prefix, choose a match predicate from the list and enter a Route prefix in the adjacent field.
  • Next Hop - Enter the next hop destination.
  • Route Tag - Fill the route tag.
  • Cost - The method (predicate) and the SD-WAN Route Cost that are used to narrow the selection of routes exported.

 Import route profile details

Click Verify Config to validate any audit error.

Export route profiles

Define the rules that have to meet when advertising SD-WAN routes over dynamic routing protocols. By default, all routes are advertised to peers.

Export route profile

Click Verify Config to validate any audit error.

Transit nodes

Virtual overlay Transit Node

You can reduce the cost of routing by configuring a site to route data via a virtual overlay transit node. Transit nodes are used to route data to non-adjacent nodes. For example, if three nodes are connected in series A-B-C, then data from A to C can be routed via B. You can specify the transit node and the sites to be routed via the transit node in the SD-WAN orchestrator. The virtual paths are chosen in the ascending order of cost. Lower the cost, higher the priority.

Default global virtual overlay transit nodes

The control nodes (MCN/RCN) and the geo-control nodes (Geo-MCN/RCN) are the default global virtual overlay transit nodes in a network. Enabling hub-and-spoke communication as part of global settings allows all the sites to use the control nodes as transit nodes, by default, for site-to-site communication. If you disable hub-and-spoke communication, ensure that there are site-specific rules that enable the non-control node to act as transit nodes.

Virtual overlay transit node

Add the control node and geo-control nodes that you want to use as virtual overlay transit nodes and specify the virtual path cost. The control nodes and geo-control nodes have 6 and 7 as the respective default virtual path costs. You can choose to change the virtual path cost as per your network requirement. Click Restore Default to restore the default virtual path costs for the default transit nodes.

Note

You can add a maximum of 3 control nodes and 3 geo-control nodes as transit nodes.

By default, WAN-to-WAN forwarding is enabled on all the paths associated with the selected control and geo-control nodes. WAN-to-WAN forwarding allows a site to act as an intermediate hop between two adjacent sites for any site-to-site, internet or intranet traffic and to act as a mediator for Dynamic Virtual Paths.

Site specific preferences for virtual overlay transit nodes

Site-specific preferences for virtual overlay transit nodes allow you to override the global virtual overlay transit node settings for all the sites in your network. You can also choose a non-control node as the primary transit node for a site. Choose a control node or geo-control node as the secondary and the tertiary transit nodes. If the primary transit node is down, the sites use the secondary transit node. If both primary and secondary transit nodes are down, the sites use the tertiary transit node. Specify the cost for the transit nodes and select the sites to which the site-specific virtual overlay transit node settings are applied.

Site specific transit node

Internet Transit Node

You can add sites as Internet transit sites to enable Internet access to the sites. Sites that need direct internet connectivity, must have at least one link with Internet service enabled. That means, at least one link set to a non-zero bandwidth share %.

Each transit site can be assigned a route cost. The sites with internet service available access the internet directly since the direct route would be the lowest cost routing path. Sites without internet service can route to the internet through the configured transit sites. When the internet transit sites are configured, routes to the internet through these transit sites are automatically pushed to all the sites. Internet transit sites are the sites with Internet service enabled.

For example, if San Francisco and New York are configured as internet transit sites. Routes to the internet via San Francisco and New York automatically get pushed to all the sites.

The virtual overlay transit node with Internet service enabled acts as the primary internet transit node. If internet service is not enabled on the virtual overlay transit node the secondary / backup internet transit node provides a route to the internet.

Internet Transit Node

Intranet Transit Node

The intranet transit node enables all the non-intranet sites to access the configured intranet networks. Each transit site can be assigned a route cost. The available sites with intranet service, accesses the intranet networks directly since the direct route would be the lowest cost routing path. Sites without intranet service can route to the intranet networks through the configured transit sites. When the transit sites are configured, routes to intranet networks through these transit sites are automatically pushed to all the sites. For example, if 10.2.1.0/24 is an intranet network, and Austin and Dallas are the configured transit sites. Routes to that network address through Austin and Dallas automatically get pushed to all the sites. The virtual overlay transit node with Intranet service enabled acts as the primary intranet transit node. If intranet service is not enabled on the virtual overlay transit node the secondary / backup intranet transit node provides a route to the intranet.

Intranet Transit Node

Routing