You can add new sites from the Network Dashboard and configure your SD-WAN network.
To create a new site, click + New site on the Network Dashboard. Provide a name and location for the site.
You can create a new site from scratch, or use a site profile to configure a site quickly.
A graphical display to the right of the screen provides a dynamic topology diagram as you proceed with the configuration.
To view basic settings, select site and navigate to Configuration > Basic Settings.
The first step involves entering the site, device, and site contact details.
- Choosing a Site Profile auto-populates the site, interface, and WAN links parameters based on the site profile configuration.
- Site Address and Site Name are auto-populated based on the details provided in the previous step.
- Device Model can be picked based on the hardware model or virtual appliance used at a given site.
- Device Edition reflects automatically based on the selected device model. Currently, Standard Edition (SE) is supported.
Site Role defines the role of the device. You can assign one of the following roles to a site:
- MCN: Master Control Node (MCN) serves as the controller of the network, and only one active device in a network can be designated as the MCN.
- Branch: Appliances at the branch sites that receive configuration from the MCN and participate in establishing virtual WAN functionalities to the branch offices. There can be multiple branch sites.
- RCN: Regional Control Node (RCN) supports hierarchical network architecture, enabling multi-region network deployment. MCN controls multiple RCNs and each RCN, in turn, controls multiple branch sites.
- Geo-redundant MCN: A site in a different location, that takes over the management functions of the MCN, if it is not available, ensuring disaster recovery. Note geo-redundant MCN does not provide High Availability or failover capabilities for the MCN.
- Geo-Redundant RCN: A site in a different location, that takes over the management functions of the RCN, if it is not available, ensuring disaster recovery. Note geo-redundant RCN does not provide High Availability or failover capabilities for the RCN.
- Bandwidth Tier is the billable bandwidth capacity you can configure on any device, depending on the device model. For instance, SD-WAN 410 Standard Edition (SE) appliance supports 20, 50, 100, 150, and 200 Mbps bandwidth tiers. Depending on your bandwidth needs for a given site, you can select the desired tier. Each site is billed for the configured bandwidth tier.
- Contact details of the admin available at the site.
A dynamic network diagram to the right of the configuration panel, as shown in the image above, provides visual feedback on an ongoing basis, as you go through the configuration process.
Enter the serial number and a short name for the appliance.
Serial Number of a virtual SD-WAN instance (VPX) can be accessed from the VPX web console, as highlighted in the screen-shot below.
A serial number of a hardware appliance can be found on the device label too.
Short Name is an optional field that can be used to specify an easily identifiable short name for a site or tag a site if desired.
You can also specify the serial number and a short name of a secondary appliance to enable High Availability (HA). With HA, two appliances can be deployed in a site: an active primary and a passive secondary. The secondary is expected to take over when the primary fails. Set the HA failover time and enable primary reclaim, and HA fail-to-Wire mode as required.
The next step is to add and configure the interfaces. Click Add Interface to start configuring the interface.
Interface configuration involves selecting the deployment mode and setting the interface level attributes. This configuration is applicable to both LAN and WAN links.
The following deployment modes are supported:
- Edge (Gateway)
- Inline – Fail-to-wire, Fail-to-block, and Virtual inline.
Deployment Mode: Select one of the following deployment modes.
Gateway Mode implies SD-WAN serves as the “gateway” to the WAN for all the LAN traffic. This is the default mode. You can deploy the appliance as a gateway on the LAN side or the WAN side.
When SD-WAN is deployed in-line between a LAN switch and a WAN router, SD-WAN is expected to “bridge” LAN and WAN. All the Citrix SD-WAN appliances have pre-defined bridge-paired interfaces. With “Bridge” option enabled, selection of any interface on the LAN end automatically highlights the paired interface that is reserved for the WAN end of the bridge. For example, physical interfaces 1 and 2 are a bridged pair.
Fail-To-Wire: This option enables a physical connection between the bridged pair of interfaces, allowing traffic to bypass SD-WAN and flow directly across the bridge in the event of appliance restart or failure.
Inline (Fail-to-Wire) option is available only on hardware appliances and not on virtual appliances (VPX / VPXL).
Fail-to-Block: This option disables the physical connection between the bridged pair of interfaces on hardware appliances, preventing traffic from flowing across the bridge in the event of appliance restart or failure.
Inline (Fail-to-Block) is the only bridge mode option available on virtual appliances (VPX / VPXL).
Virtual Inline (One-Arm):
When SD-WAN is deployed in this mode, it has a single arm connecting it to WAN router, LAN, and WAN share the same interface on SD-WAN. Therefore, the interface settings are shared between the LAN and WAN links.
- Interface Type: Select the interface type from the drop-down list.
- Security (Trusted / Untrusted): This specifies the security level of the interface. Trusted segments are generally protected by a Firewall.
- Interface Name: Based on the selected deployment mode, the Interface Name field is auto filled.
- Select Interface: Select the configurable ethernet port that is available on the appliance.
- VLAN ID: The ID for identifying and marking traffic to and from the interface.
- IP Address/Prefix: The virtual IP address and netmask of the interface.
- Virtual Interface Name: Based on the selected deployment mode, the Virtual Interface Name field is auto filled.
- Routing Domain: The routing domain that provides a single point of administration of branch office network, or a data center network.
- Firewall Zones: The firewall zone to which the interface belongs. Firewall zones secure and control the interfaces in the logical zone.
Client Mode: Select Client Mode from the drop-down list. On selection of PPPoE Static displays more settings.
When the Site mode or role (under Site Details tab) is selected as Branch and Security field (under Interface tab) is selected as Untrusted PPPoE Dynamic option will be available under Client Mode.
Citrix SD-WAN act as a PPPoE client. It authenticates with PPPoE server and obtains dynamic IP address, or uses static IP address to establish PPPoE connections.
- Enable HA IP Interface: Enable syncing of HA heartbeats over this interface. This option is enabled if you have configured a secondary appliance for HA. Select this to allow primary and secondary appliances to synchronize the HA heartbeats over this interface. Specify the IP address of the primary and secondary appliance.
Point-to-Point Protocol over Ethernet (PPPoE) connects multiple computer users on an Ethernet LAN to a remote site through common customer premises appliances. Citrix SD-WAN appliances use PPPoE to provide support Internet service provider (ISP) to have ongoing and continuous DSL and cable modem connections unlike dialup connections. For more information, see PPPoE configuration.
- AC Name: Provide the Access Concentrator (AC) name for PPPoE configuration.
- Service Name: Enter a service name.
- Reconnect Hold Off (s): Enter the reconnect attempt hold off time.
- User Name: Enter the user name for PPPoE configuration.
- Password: Enter the password for PPPoE configuration.
Auth: Select the authorization protocol from the drop-down list.
- When Auth option is set to Auto, the SD-WAN appliance honors the supported authentication protocol request received from the server.
- When Auth option is set to PAP/CHAP/EAP, then only specific authentication protocols are honored. If PAP is in the configuration and server sends an authentication request with CHAP, the connection request is rejected. If server does not negotiate with PAP, an authentication failure occurs.
Optionally, create subinterfaces to add multiple VLANs.
Continue to add interfaces as per your network requirement.
The next step is to configure WAN links. Click Add WAN Link to start configuring a WAN link.
WAN link configuration involves setting up the WAN link access type and access interface attributes. You can choose to configure a new WAN link or choose an existing WAN link template.
You can configure WAN link attribute from scratch, or use a WAN link profile to configure WAN link attributes quickly. If you have already used a site profile, the WAN link attributes will auto-populate.
WAN link attributes
Access Type: This specifies the WAN connection type of the link.
- Public Internet: Indicates the link is connected to the Internet via an Internet Service Provider (ISP).
- Private Intranet: Indicates the link is connected to one or more sites within the SD-WAN network and cannot connect to locations outside the SD-WAN network.
- MPLS: This is a specialized variant of Private Intranet. Indicates the link uses one or more DSCP tags to control the Quality of Service between two or more points on an Intranet and cannot connect to locations outside of the SD-WAN network.
- ISP Name: Name of the service provider.
- Link Name: Auto-populated based on the previous inputs.
- Public IP Address: The IP address of the NAT or Proxy Server. This is applicable and exposed, only when the WAN link access type is Public Internet. Public IP can either be manually configured or auto-learned using the Auto Learn option.
- Auto Learn: When enabled, the SD-WAN appliance automatically detects the public IP address. This option is available only when the device role is a branch and not Master Control Node (MCN).
- Egress Speed: The WAN to LAN speed.
- Ingress Speed: The LAN to WAN speed.
MPLS Queues: The MPLS queue settings are available for WAN link access type MPLS only. This option is meant to enable definition of queues corresponding to the Service Provider MPLS queues, on the MPLS WAN Link.
Following are the queue parameters:
- DSCP Tag: The unique Differentiated Services Code Point(DSCP) tag of the MPLS queue.
- LAN to WAN (%): The proportion (%) of bandwidth used for upload cannot exceed the defined physical upload rate.
- WAN to LAN (%): The proportion (%) of bandwidth used for download cannot exceed the defined physical download rate.
- Unmatched option: If enabled, DCSP tags not matched by other MPLS Queues would use this Class. Only one MPLS Queue can be marked for use by unmatched tags.
- No retag option: If enabled, the LAN to WAN intranet traffic retains the original tag and will not retag with the default DSCP tag.
- Access Interface: An Access Interface defines the IP Address and Gateway IP Address for a WAN Link. At least one Access Interface is required for each WAN Link.
- Services: Allows you to add service types and allocate the percentage of bandwidth to be used for each service type. You can define the service types and configure attributes for it from the Delivery service set section.
Advanced WAN link settings
The WAN Link Advanced Settings allows the configuration of the ISP specific attributes.
- Congestion Threshold: The amount of congestion after which the WAN link will throttle packet transmission to avoid further congestion.
- Provider ID: Unique Identifier for the provider to differentiate paths when sending duplicate packets.
- Frame Cost: Additional header/trailer bytes added to every packet, such as for Ethernet IPG or AAL5 trailers.
- MTU: The largest raw packet size in bytes, not including the Frame Cost.
- Active MTU detect: Actively probe MTU on all virtual paths.
Standby Mode: A standby link is not used to carry user traffic unless it becomes active.
- Disabled: The standby mode of a WAN link is disabled by default.
- On-Demand: An on-demand standby WAN link will also become active if all non-standby WAN links are dead or disabled.
- Last-Resort: A last-resort standby WAN link becomes active only when all non-standby WAN links and all on-demand standby WAN links are dead or disabled.
- Priority: The order in which a standby link becomes active if there are multiple standby links
- Tunnel Header Size: The size of the tunnel header, in bytes
- Enable Metering: Tracks usage on a WAN link and alerts them when the link usage exceeds the configured data cap.
- Active Heartbeat Interval: The heartbeat interval used when the standby path is active.
Standby Heartbeat Interval: The heartbeat interval used when the standby path is inactive.
The next step in the site configuration workflow is the configuration of routes.
Click Add Route to add a new route.
Here are the parameters to be configured in each route:
- Network IP Address / Prefix: The destination IP address and mask.
- Cost: Route Cost. Higher the cost, lower the priority.
- Gateway IP Address: The gateway/router IP address to reach the destination.
Similarly, multiple routes can be added, as required.
This section provides a summary of the site configuration to enable a quick review before submitting the same.
Use the Save as Template option to save the site configuration as a template for reuse across other sites. Clicking Done marks completion of site configuration, and takes you to Network Configuration – Home page to review all the sites configured. For more information, see Network Configuration.