Basic settings

You can add new sites from the Network Dashboard and configure your SD-WAN network.

To create a site, click + New site on the Network Dashboard. Provide a name and location for the site.

Site level configuration new site

You can create a site from scratch, or use a site profile to configure a site quickly.

A graphical display to the right of the screen provides a dynamic topology diagram as you proceed with the configuration.

To view basic settings, select site and navigate to Configuration > Basic Settings.

Site level basic setting

Site details

The first step involves entering the site, device, advanced settings, and site contact details.

Site details

  • Choosing a Site Profile auto-populates the site, interface, and WAN links parameters based on the site profile configuration.
  • Site Address and Site Name are auto-populated based on the details provided in the previous step.
  • Device Model and Sub-Model can be picked based on the hardware model or virtual appliance used at a given site.
  • Device Edition reflects automatically based on the selected device model. Currently, Standard Edition (SE) is supported.
  • Site Role defines the role of the device. You can assign one of the following roles to a site:

    • MCN: Master Control Node (MCN) serves as the controller of the network, and only one active device in a network can be designated as the MCN.
    • Branch: Appliances at the branch sites that receive configuration from the MCN and participate in establishing virtual WAN functionalities to the branch offices. There can be multiple branch sites.
    • RCN: Regional Control Node (RCN) supports hierarchical network architecture, enabling multi-region network deployment. MCN controls multiple RCNs and each RCN, in turn, controls multiple branch sites.
    • Geo-redundant MCN: A site in a different location that takes over the management functions of the MCN if the MCN becomes unavailable, ensuring disaster recovery. Note that the geo-redundant MCN does not provide High Availability or failover capabilities for the MCN.
    • Geo-Redundant RCN: A site in a different location that takes over the management functions of the RCN if the RCN becomes unavailable, ensuring disaster recovery. Note that the geo-redundant RCN does not provide High Availability or failover capabilities for the RCN.
  • Bandwidth Tier is the billable bandwidth capacity you can configure on any device, depending on the device model. For instance, the SD-WAN 410 Standard Edition (SE) appliance supports 20, 50, 100, 150, and 200 Mbps bandwidth tiers. Depending on your bandwidth needs for a given site, you can select the desired tier. Each site is billed for the configured bandwidth tier.

  • Gateway ARP Timer (ms): The time (range: 100–20000 milliseconds) between Address Resolution Protocol (ARP) requests for configured Gateway IP addresses.
  • Host ARP Timer (ms): The time (range: 1000–180000 milliseconds) between ARP requests for configured Host IP addresses.
  • Enable Source MAC Learning: Stores the source MAC address of received packets so that outgoing packets to the same destination can be sent to the same port.

  • Preserve route to Internet from link even if all associated paths are down: When enabled, the packets destined for the internet service continue to choose the internet service even if all WAN Links for the internet service are unavailable.

  • Preserve route to Intranet from link even if all associated paths are down: When enabled, the packets destined for the intranet service continue to choose the intranet service even if all WAN Links for the intranet service are unavailable.

  • Contact details of the admin available at the site.

A dynamic network diagram to the right of the configuration panel provides continuous visual feedback as you go through the configuration process.

Device details

The device details section allows you to configure and enable High Availability (HA) at a site. With HA, two appliances can be deployed at a site as an active primary and a passive secondary. The secondary appliance takes over when the primary fails. For more information, see High Availability.

Site level configuration device details

Device information

Enable HA and enter the serial number and a short name for the primary and the secondary appliances.

  • Serial Number: The Serial Number of a virtual SD-WAN instance (VPX) can be accessed from the VPX web console, as highlighted in the following screenshot. The serial number of a hardware appliance can also be found on the device label.

    Serial number

  • Short Name: The Short Name field is used to specify an easily identifiable short name for a site or to tag a site if desired.

Advanced HA settings

  • Failover Time (ms): The wait time after contact with the primary appliance is lost, before the standby appliance becomes active.
  • Shared base MAC: The shared MAC address for the high availability pair appliances. When a failover occurs, the secondary appliance has the same virtual MAC addresses as the failed primary appliance.
  • Disable Shared Base MAC: This option is available on hypervisor and cloud based platforms only. Choose this option to disable the shared virtual MAC address.
  • Primary Reclaim: The designated primary appliance reclaims control upon restart after a failover event.
  • HA Fail-to-Wire Mode: The HA Fail-to-wire mode is enabled. For more details, see HA deployment modes.
  • Enable Y-Cable Support: The Small Form-factor Pluggable (SFP) ports can be used with a fiber optic Y-Cable to enable the high availability feature for Edge Mode deployment. This option is available on Citrix SD-WAN 1100 SE/PE appliances only. For more information, see Enable Edge Mode High Availability Using Fiber Optic Y-Cable.

Interfaces

The next step is to add and configure the interfaces. Click + Interface to start configuring the interface. Click + HA Interface to start configuring HA interface. The + HA Interface option is available only if you have configured a secondary appliance for high availability.

Interface configuration involves selecting the deployment mode and setting the interface level attributes. This configuration is applicable to both LAN and WAN links.

Site level configuration interface

In-band management

In-band management allows you to use the SD-WAN data ports for management. It carries both data and management traffic, without having to configure an extra management path. In-band management allows virtual IP addresses to connect to management services such as web UI and SSH. You can access the web UI and SSH using the management IP and in-band virtual IPs.

To enable in-band management, choose an IP address from the InBand Management IP drop-down list. From the InBand Management DNS drop-down list, select the DNS proxy to which all DNS requests over the in-band and backup management plane are forwarded.

For more information on in-band management, see In-band management.

The IP addresses configured for interfaces get listed under the InBand Management IP drop-down list. The DNS proxy services configured under Advanced Settings > DNS get listed in the InBand Management DNS drop-down list.

Interface attributes

The following deployment modes are supported:

  1. Edge (Gateway)
  2. Inline – Fail-to-wire, Fail-to-block, and Virtual inline.
  • Deployment Mode: Select one of the following deployment modes.

    • Edge (Gateway):

      Edge

      Gateway Mode implies SD-WAN serves as the “gateway” to the WAN for all the LAN traffic. The Gateway Mode is the default mode. You can deploy the appliance as a gateway on the LAN side or the WAN side.

    • Inline:

      When SD-WAN is deployed in-line between a LAN switch and a WAN router, SD-WAN is expected to “bridge” LAN and WAN.

      All the Citrix SD-WAN appliances have pre-defined bridge-paired interfaces. With the Bridge option enabled, selecting any interface on the LAN end automatically highlights the paired interface that is reserved for the WAN end of the bridge. For example, physical interfaces 1 and 2 are a bridged pair.

      • Fail-To-Wire: Enables a physical connection between the bridged pair of interfaces, allowing traffic to bypass SD-WAN and flow directly across the bridge in the event of appliance restart or failure.

        Note

        Inline (Fail-to-Wire) option is available only on hardware appliances and not on virtual appliances (VPX / VPXL).

        Inline fail to wire

      • Fail-to-Block: This option disables the physical connection between the bridged pair of interfaces on hardware appliances, preventing traffic from flowing across the bridge in the event of appliance restart or failure.

        Note

        Inline (Fail-to-Block) is the only bridge mode option available on virtual appliances (VPX / VPXL).

        Inline fail to block

      • Virtual Inline (One-Arm):

        Virtual inline

        When SD-WAN is deployed in this mode, it has a single arm connecting it to the WAN router, with the LAN and WAN sharing the same interface on SD-WAN. Therefore, the interface settings are shared between the LAN and WAN links.

  • Interface Type: Select the interface type from the drop-down list.
  • Security (Trusted / Untrusted): Specifies the security level of the interface. Trusted segments are protected by a Firewall.
  • Interface Name: Based on the selected deployment mode, the Interface Name field is auto filled.

Physical interface

  • Select Interface: Select the configurable Ethernet port that is available on the appliance.

Virtual interface

  • VLAN ID: The ID for identifying and marking traffic to and from the interface.
  • DHCP Client: When enabled on the virtual interfaces, the DHCP Server assigns dynamic IP addresses to the connected client.
  • IPv4: The virtual IP address and netmask of the interface.
  • Private: When enabled, the Virtual IP Address is only routable on the local appliance.
  • Identity: Choose an identity to be used for IP services. For example, Identity is used as the Source IP Address to communicate with BGP neighbors.
  • Directed Broadcast: When the Directed Broadcast check box is selected, the directed broadcasts are sent to the virtual IP subnets on the virtual interface.
  • Virtual Interface Name: Based on the selected deployment mode, the Virtual Interface Name field is auto filled.
  • Routing Domain: The routing domain that provides a single point of administration of the branch office network, or a data center network.
  • Firewall Zones: The firewall zone to which the interface belongs. Firewall zones secure and control the interfaces in the logical zone.
  • Client Mode: Select Client Mode from the drop-down list. Selecting PPPoE Static displays more settings.

    Note:

    When the Site mode (under Site Details tab) is selected as Branch and the Security field (under Interface tab) is selected as Untrusted, the PPPoE Dynamic option is available under Client Mode.

Citrix SD-WAN acts as a PPPoE client. It authenticates with the PPPoE server and obtains a dynamic IP address, or uses a static IP address, to establish PPPoE connections.

  • Enable HA Heartbeat: Enable syncing of HA heartbeats over this interface. This option is enabled if you have configured a secondary appliance for HA. Select this option to allow primary and secondary appliances to synchronize the HA heartbeats over this interface. Specify the IP address of the primary and secondary appliance.

PPPoE credentials

Point-to-Point Protocol over Ethernet (PPPoE) connects multiple computer users on an Ethernet LAN to a remote site through common customer premises appliances.

Citrix SD-WAN appliances use PPPoE so that the ISP can provide ongoing, continuous DSL and cable modem connections, unlike dial-up connections. For more information, see PPPoE configuration.

PPPoE credentials

  • AC Name: Provide the Access Concentrator (AC) name for the PPPoE configuration.
  • Service Name: Enter a service name.
  • Reconnect Hold Off (s): Enter the reconnect attempt hold off time.
  • User Name: Enter the user name for the PPPoE configuration.
  • Password: Enter the password for the PPPoE configuration.
  • Auth: Select the authentication protocol from the drop-down list.
    • When the Auth option is set to Auto, the SD-WAN appliance honors the supported authentication protocol request received from the server.
    • When the Auth option is set to PAP/CHAP/EAP, then only specific authentication protocols are honored. If PAP is in the configuration and the server sends an authentication request with CHAP, the connection request is rejected. If the server does not negotiate with PAP, an authentication failure occurs.

Tip

Optionally, create subinterfaces to add multiple VLANs.

Continue to add interfaces as per your network requirement.

The next step is to configure WAN links. Click + WAN Link to start configuring a WAN link.

WAN link configuration involves setting up the WAN link access type and access interface attributes.

You can configure the WAN link attribute from scratch, or use a WAN link profile to configure WAN link attributes quickly. If you have already used a site profile, the WAN link attributes auto-populate.

Wan link attributes

  • Access Type: Specifies the WAN connection type of the link.
    • Public Internet: Indicates the link is connected to the Internet through an ISP.
    • Private Intranet: Indicates the link is connected to one or more sites within the SD-WAN network and cannot connect to locations outside the SD-WAN network.
    • MPLS: Specialized variant of Private Intranet. Indicates the link uses one or more DSCP tags to control the Quality of Service between two or more points on an Intranet and cannot connect to locations outside of the SD-WAN network.
  • ISP Name: The name of the service provider.
  • Link Name: Auto-populated based on the previous inputs.
  • Tracking IP Address: The Virtual IP Address on the Virtual Path that can be pinged to determine the state of the path.
  • Public IPv4 Address and Public IPv6 Address: The IP address of the NAT or DNS Server. This address is applicable and exposed only when the WAN link access type is Public Internet or Private Intranet in Serial HA deployment. The public IP can either be manually configured or auto-learned using the Auto Learn option.
  • Auto Detect: When enabled, the SD-WAN appliance automatically detects the public IP address. This option is available only when the device role is a branch and not the Master Control Node (MCN).
  • Egress Speed: The WAN to LAN speed.
    • Speed: The available or allowed speed of the WAN to LAN traffic in Kbps or Mbps.
    • Permitted Rate: In cases where the entire WAN link capacity is not supposed to be used by the SD-WAN appliance, change the permitted rate accordingly.
    • Auto Learn: When you are unsure of the bandwidth and the links are unreliable, you can enable the Auto Learn feature. The Auto Learn feature learns the underlying link capacity only, and uses the same value in the future.
    • Physical Rate: The actual bandwidth capacity of the WAN link.
  • Ingress Speed: The LAN to WAN speed.
    • Speed: The available or allowed speed of the LAN to WAN traffic in Kbps or Mbps.
    • Permitted Rate: In cases where the entire LAN link capacity is not supposed to be used by the SD-WAN appliance, change the permitted rate accordingly.
    • Auto Learn: When you are unsure of the bandwidth and the links are unreliable, you can enable the Auto Learn feature. The Auto Learn feature learns the underlying link capacity only, and uses the same value in the future.
    • Physical Rate: The actual bandwidth capacity of the LAN link.

MPLS Queues

The MPLS queue settings are available for WAN link access type MPLS only. This option is meant to enable definition of queues corresponding to the Service Provider MPLS queues, on the MPLS WAN Link. For more information, see MPLS Queues.

MPLS queues

Following are the queue parameters:

  • Queue Name: The name of the MPLS queue.
  • DSCP Tag: The unique Differentiated Services Code Point (DSCP) tag of the MPLS queue.
  • LAN to WAN (%): The proportion (%) of bandwidth used for upload cannot exceed the defined physical upload rate.
  • WAN to LAN (%): The proportion (%) of bandwidth used for download cannot exceed the defined physical download rate.
  • Tracking IP Address: The Virtual IP Address on the Virtual Path that can be pinged to determine the state of the path.
  • Congestion Threshold: The amount of congestion (in microseconds) after which the MPLS Queue throttles packet transmission to avoid further congestion.
  • Unmatched option: If enabled, DSCP tags not matched by other MPLS Queues use this Class. Only one MPLS Queue can be marked for use by unmatched tags.
  • No retag option: If enabled, the LAN to WAN intranet traffic retains its original tag and is not retagged with the default DSCP tag.
  • Eligibility: The eligibility settings for an MPLS Queue allow the user to add an extra penalty for using the MPLS Queue for certain Classes of traffic. When a Class of traffic is marked as not-eligible for the MPLS Queue, a penalty is added that makes the WAN Link unlikely to be used unless network conditions require it.
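As an added example (not Citrix code), the following Python model applies the queue rules described above: exact DSCP match, fallback to the single Unmatched queue, retagging unless No retag is set, and a consistency check over the queue table. The queue fields and the rule that per-direction shares may not exceed 100% of the physical rate are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class MplsQueue:
    name: str
    dscp: int                 # DSCP tag (0-63) that selects the queue and is used for retagging
    lan_to_wan_pct: float     # share of the physical upload rate
    wan_to_lan_pct: float     # share of the physical download rate
    unmatched: bool = False   # catches DSCP tags no other queue matches (at most one queue)
    no_retag: bool = False    # LAN to WAN intranet traffic keeps its original DSCP tag


def validate_queues(queues: List[MplsQueue]) -> List[str]:
    """Return the configuration problems found; an empty list means the table is consistent."""
    problems = []
    if sum(q.unmatched for q in queues) > 1:
        problems.append("only one MPLS queue can be marked Unmatched")
    tags = [q.dscp for q in queues]
    if len(tags) != len(set(tags)):
        problems.append("DSCP tags must be unique across queues")
    for q in queues:
        if not 0 <= q.dscp <= 63:
            problems.append(f"{q.name}: DSCP tag {q.dscp} is outside 0-63")
    # Assumption: the shares in one direction cannot add up to more than the physical rate.
    if sum(q.lan_to_wan_pct for q in queues) > 100:
        problems.append("LAN to WAN shares exceed the physical upload rate")
    if sum(q.wan_to_lan_pct for q in queues) > 100:
        problems.append("WAN to LAN shares exceed the physical download rate")
    return problems


def select_queue(queues: List[MplsQueue], dscp: int) -> Optional[MplsQueue]:
    """Exact DSCP match first, otherwise the Unmatched queue, otherwise no queue."""
    for q in queues:
        if q.dscp == dscp:
            return q
    for q in queues:
        if q.unmatched:
            return q
    return None


def egress_dscp(queues: List[MplsQueue], dscp: int) -> Optional[int]:
    """DSCP tag sent toward the provider for LAN to WAN intranet traffic."""
    q = select_queue(queues, dscp)
    if q is None:
        return None
    return dscp if q.no_retag else q.dscp


# Constructed sample queue table: EF voice, AF41 video, everything else best-effort.
SAMPLE_QUEUES = [
    MplsQueue("voice", 46, 20, 20),
    MplsQueue("video", 34, 30, 30),
    MplsQueue("best-effort", 0, 50, 50, unmatched=True),
]

if __name__ == "__main__":
    print(validate_queues(SAMPLE_QUEUES))          # []
    print(select_queue(SAMPLE_QUEUES, 18).name)    # best-effort
    print(egress_dscp(SAMPLE_QUEUES, 18))          # 0 (retagged to the queue's tag)
```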

Access Interface

An Access Interface defines the IP Address and Gateway IP Address for a WAN Link. At least one Access Interface is required for each WAN Link. The following are the access interface parameters:

  • Access Interface Name: The name by which the Access Interface is referenced. The default uses the naming convention WAN_link_name-AI-number, where WAN_link_name is the name of the WAN link you are associating with this interface, and number is the number of Access Interfaces currently configured for this link, incremented by 1.
  • Virtual Interface: The Virtual Interface that the Access Interface uses. Select an entry from the drop-down menu of Virtual Interfaces configured for the current branch site.
  • Virtual Path Mode: Specifies the priority for Virtual Path traffic on the current WAN link. The options are: Primary, Secondary, or Exclude. If set to Exclude, the Access Interface is used for Internet and Intranet traffic, only.
  • IP Address: The IP Address for the Access Interface endpoint from the appliance to the WAN. Select V4 (IPv4) or V6 (IPv6) as required.
  • Gateway IP Address: The IP Address for the gateway router.
  • Bind Access Interface to Gateway MAC: If enabled, the source MAC address of packets received on Internet or Intranet services must match the gateway MAC address.
  • Enable Proxy ARP: If enabled, the Virtual WAN Appliance replies to ARP requests for the Gateway IP Address, when the gateway is unreachable.
  • Enable Internet Access on Routing Domain(s): Auto-creates a DEFAULT route (0.0.0.0/0) in all the routing tables of the respective routing domains. You can enable this for ALL routing domains or NONE. It avoids the need to create a separate static route in every routing domain that needs internet access.

Services

The Services section allows you to add service types and allocate the percentage of bandwidth to be used for each service type. You can define the service types and configure attributes for it from the Delivery services section. You can choose to use these global defaults or configure link specific service bandwidth settings from the Service Bandwidth Settings drop-down list. If you choose link specific, enter the following details:

  • Service Name: The name of the WAN link service.
  • Allocation %: The guaranteed fair share of bandwidth allocated to the service from the link’s total capacity.
  • Mode: The operation mode of the WAN Link, based on the service selected. For Internet, there is one of Primary, Secondary, and Balance and for Intranet there is Primary and Secondary.
  • LAN to WAN Tag: The DSCP tag to apply to LAN to WAN packets on the service.
  • WAN to LAN Tag: The DSCP tag to apply to WAN to LAN packets on the service.
  • WAN to LAN Match: The match criteria for Internet WAN to LAN packets to get assigned to the service.
  • LAN to WAN Delay: The maximum time, to buffer packets when the WAN Links bandwidth is exceeded.
  • Tunnel Header Size: The size of the tunnel header, in bytes.
  • WAN to LAN Grooming: If enabled, packets are randomly discarded to prevent WAN to LAN traffic from exceeding the Service’s provisioned bandwidth.

Services

The WAN Link Advanced Settings allows the configuration of the ISP specific attributes.

  • Congestion Threshold: The amount of congestion after which the WAN link throttles packet transmission to avoid further congestion.
  • Provider ID: Unique Identifier for the provider to differentiate paths when sending duplicate packets.
  • Frame Cost (Bytes): Additional header/trailer bytes added to every packet, such as for Ethernet IPG or AAL5 trailers.
  • MTU (Bytes): The largest raw packet size in bytes, not including the Frame Cost.
  • Active MTU detect: Actively probe MTU on all virtual paths.
  • Standby Mode: A standby link is not used to carry user traffic unless it becomes active.

    • Disabled: The standby mode of a WAN link is disabled by default.
    • On-Demand: An on-demand standby WAN link will also become active if all non-standby WAN links are dead or disabled.
    • Last-Resort: A last-resort standby WAN link becomes active only when all non-standby WAN links and all on-demand standby WAN links are dead or disabled.
  • Priority: The order in which a standby link becomes active if there are multiple standby links.
  • Tunnel Header Size: The size of the tunnel header, in bytes.

  • Active Heartbeat Interval: The heartbeat interval used when the standby path is active.
  • Standby Heartbeat Interval: The heartbeat interval used when the standby path is inactive.

    Advanced wan option

  • Enable Metering: Tracks usage on a WAN link and alerts the user when the link usage exceeds the configured data cap.
    • Data Cap (MB): The maximum data threshold in MB.
    • Billing Cycle: The billing frequency, weekly or monthly.
    • Starting From: The date from which the billing cycle starts.
    • Approximate Data Already Used: The approximate data already used in MB for the metered link. This is applicable only for the first cycle. To track the metered link usage correctly, specify the approximate usage if the link has already been used for a few days in the current billing cycle.
    • Disable link if Data Cap Reached: If the data usage reaches the specified data cap, the metered link and all its related paths are disabled until the next billing cycle. If this option is not selected, the metered link remains in the current state, after the data cap is reached, until the next billing cycle.

      Enable Metering

      For more information, see Metering and Standby WAN Links.

  • Adaptive Bandwidth Detection: Uses the WAN link at a reduced bandwidth rate when loss is detected. When the available bandwidth falls below the configured Minimum Acceptable Bandwidth, the path is marked as BAD. Use Custom Bad Loss Sensitivity under Path or Autopath group with Adaptive Bandwidth Detection.

    Note

    Adaptive Bandwidth Detection is available only for Client and not for MCN.

    • Minimum Acceptable Bandwidth: When the bandwidth rate varies, the percentage of the WAN to LAN permitted rate below which the path is marked as BAD. The minimum kbps is different on each side of a virtual path. The value can be in the range 10%-50%, with a default of 30%.
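To make the Standby Mode and Enable Metering rules above concrete, here is an added Python model (not Citrix code) that decides which WAN links carry user traffic: regular links while any is usable, then the best-priority On-Demand link, then a Last-Resort link only when every regular and On-Demand link is dead or disabled. A metered link that has reached its data cap with "Disable link if Data Cap Reached" set counts as disabled for the cycle. The link fields, and the assumption that a lower Priority number activates first, are the model's own.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class WanLink:
    name: str
    standby_mode: str = "Disabled"       # "Disabled" (regular link), "On-Demand" or "Last-Resort"
    priority: int = 1                    # assumption: lower number activates first among standby links
    up: bool = True                      # False when the link is dead or administratively disabled
    metered: bool = False
    data_cap_mb: int = 0
    used_mb: int = 0                     # usage in the current billing cycle
    disable_if_cap_reached: bool = False


def link_usable(link: WanLink) -> bool:
    """A link is usable unless it is down or metering has disabled it until the next cycle."""
    if not link.up:
        return False
    if link.metered and link.disable_if_cap_reached and link.used_mb >= link.data_cap_mb:
        return False
    return True


def active_links(links: List[WanLink]) -> List[str]:
    """Names of the links that carry user traffic under the standby rules."""
    regular = [l.name for l in links if l.standby_mode == "Disabled" and link_usable(l)]
    if regular:
        return regular
    # Every non-standby link is dead or disabled: On-Demand links are tried first,
    # Last-Resort links only if no On-Demand link is usable either.
    for mode in ("On-Demand", "Last-Resort"):
        candidates = sorted(
            (l for l in links if l.standby_mode == mode and link_usable(l)),
            key=lambda l: l.priority,
        )
        if candidates:
            return [candidates[0].name]
    return []


def sample_links(mpls_up: bool, inet_up: bool, lte_used_mb: int) -> List[WanLink]:
    """Constructed site: two regular links, a metered LTE On-Demand link, a Last-Resort link."""
    return [
        WanLink("mpls", up=mpls_up),
        WanLink("inet", up=inet_up),
        WanLink("lte", "On-Demand", 1, metered=True, data_cap_mb=5000,
                used_mb=lte_used_mb, disable_if_cap_reached=True),
        WanLink("sat", "Last-Resort", 2),
    ]


if __name__ == "__main__":
    print(active_links(sample_links(True, True, 100)))     # ['mpls', 'inet']
    print(active_links(sample_links(False, False, 100)))   # ['lte']
    print(active_links(sample_links(False, False, 5000)))  # ['sat'] (LTE cap reached)
```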

Routes

The next step in the site configuration workflow is the configuration of routes.

Click + Route to add a new route.

Basic settings routes

Here are the parameters to be configured in each route:

  • Network IP Address / Prefix: The destination IP address and mask.
  • Cost: Route Cost. The higher the cost, the lower the priority.
  • Gateway IP Address: The gateway/router IP address to reach the destination.

Similarly, multiple routes can be added, as required.
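As an added illustration of the route parameters above (not Citrix code), the following Python function resolves a destination against a route table: the most specific prefix wins, and among routes with the same prefix the lowest Cost has priority. Longest-prefix matching is the standard routing behaviour assumed here; the page itself only defines the Cost ordering.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: str      # Network IP Address / Prefix, e.g. "10.1.0.0/16"
    cost: int        # higher cost means lower priority
    gateway: str     # Gateway IP Address used to reach the destination


def select_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match first, then lowest cost; None if nothing covers the destination."""
    dst = ipaddress.ip_address(destination)
    best: Optional[Route] = None
    best_key = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if dst not in net:          # also False when address families differ
            continue
        key = (net.prefixlen, -r.cost)
        if best_key is None or key > best_key:
            best, best_key = r, key
    return best


# Constructed sample table: a default route, two candidates for 10.1.0.0/16 with
# different costs, and an IPv6 default route.
SAMPLE_ROUTES = [
    Route("0.0.0.0/0", 5, "203.0.113.1"),
    Route("10.1.0.0/16", 5, "10.0.0.2"),
    Route("10.1.0.0/16", 3, "10.0.0.3"),
    Route("::/0", 5, "2001:db8::1"),
]

if __name__ == "__main__":
    print(select_route(SAMPLE_ROUTES, "10.1.2.3").gateway)    # 10.0.0.3 (lower cost wins)
    print(select_route(SAMPLE_ROUTES, "192.0.2.7").gateway)   # 203.0.113.1 (default route)
```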

Summary

This section provides a summary of the site configuration so that you can review it quickly before submitting it.

Basic settings summary

Use the Save as Template option to save the site configuration as a template for reuse across other sites. Clicking Done marks completion of site configuration, and takes you to the Network Configuration – Home page to review all the sites configured. For more information, see Network Configuration.
