Citrix SD-WAN Orchestrator service allows you to manage the SD-WAN appliance in two ways, out-of-band management and in-band management. Out-of-band management allows you to create a management IP using a port reserved for management, which carries management traffic only. In-band management allows you to use the SD-WAN data ports for management. It carries both data and management traffic, without having to configure an addition management path.
In-band management allows virtual IP addresses to connect to management services such as web UI and SSH. You can enable in-band management on a trusted interface that is enabled to be used for IP services. You can access the web UI and SSH using the management IP and in-band virtual IPs.
In-band management in Citrix SD-WAN Orchestrator service is supported for Citrix SD-WAN 11.1.1 and higher.
To enable in-band management on a virtual IP, at the site level, navigate to Configuration > Site Configuration > Interfaces. Select the virtual IP to be used as the In-band management port. You can use the InBand Management IP to access the web UI and SSH.
In-band management is supported on LAN ports only.
For detailed procedure on configuring a virtual IP address, see Interfaces.
The In-band management IP also acts as a back-up management IP. It is used as the management IP address if the management port is not configured with a default gateway. Select the DNS proxy to which all DNS requests over the in-band management plane is forwarded to. For information on configuring DNS, see DNS settings.
For use cases where the appliance connectivity to Citrix SD-WAN Orchestrator service toggles between management and in-band ports, configure InBand Management DNS to ensure un-interrupted Citrix SD-WAN Orchestrator service connectivity.
The need to deploy SD-WAN appliances in simpler environments like home or small branches has increased significantly. Configuring separate management access for simpler deployments is an added overhead. Zero-touch deployment along with the in-band management feature enables provisioning and configuration management through designated data ports. Zero-touch deployment is supported on the designated data ports and there is no need to use a separate management port for Zero-touch deployment.
You can provision an appliance in the factory shipped state, that supports in-band provisioning by connecting the data or management port to the internet. The appliances that support in-band provisioning have specific ports for LAN and WAN. The appliance in the factory reset state has a default configuration that allows to establish a connection with the zero-touch deployment service. The LAN port acts as the DHCP server and assigns a dynamic IP to the WAN port that acts as a DHCP client. The WAN links monitor the Quad 9 DNS service to determine WAN connectivity.
Once the IP address is obtained and a connection is established with the zero-touch deployment service the configuration packages are downloaded and installed on the appliance. For information on zero-touch deployment through the Citrix SD-WAN Orchestrator service, see Zero Touch Deployment.
- In-band provisioning is applicable to all the platforms. However, default configuration is enabled only on Citrix SD-WAN 110 and VPX platforms because the other platforms are shipped with an older software version.
- For day-0 provisioning of SD-WAN appliances through the data ports, the appliance software version must be Citrix SD-WAN 11.1.1 or higher.
The default configuration of an appliance in factory reset state includes the following configurations:
- DHCP Server on LAN port
- DHCP client on WAN port
- QUAD9 configuration for DNS
- Default LAN IP is 192.168.101.1/24 for Citrix SD-WAN appliances with factory image 220.127.116.11.
- Default LAN IP is 192.168.0.1/24 for Citrix SD-WAN 110 appliance with factory image 11.0.4.
- Grace License of 35 days.
- Interface 1/1 as LAN port.
- Interface 1/2 and LTE as WAN port
Once the appliance is provisioned, the default configuration is disabled and overridden by the configuration received from the zero-touch deployment service. If an appliance license or grace license expires, the default configuration is activated, ensuring that the appliance remains connected to the zero-touch deployment service and receives the license managed service.
Fallback configuration ensures that the appliance remains connected to the zero-touch deployment service if there is a link failure, configuration mismatch, or software mismatch. Setting up a fallback configuration through Citrix SD-WAN Orchestrator service is currently not supported. However, you can set up a fallback configuration through the Citrix SD-WAN appliance GUI. For more information, see Fallback configuration.
Citrix SD-WAN Orchestrator service also allows to fail over management traffic seamlessly to the management port when the data port goes down and conversely. If an appliance can connect to the internet through both the management and in-band ports, the management port is chosen for zero-touch deployment.
On rebooting the appliance, if internet is available over the in-band port and not the management port, the appliance is connected to the Citrix SD-WAN Orchestrator service immediately.
Once the connection is established, a service agent running on the appliance sends the heartbeat information to the Citrix SD-WAN Orchestrator service every 10 seconds. If the Citrix SD-WAN Orchestrator service does not receive the heartbeat for 5 minutes, the In-band port failover is activated. Citrix SD-WAN Orchestrator service reports the appliance as offline during this period.
On rebooting the appliance, if internet is not available over both the management and in-band port and once internet connection is re-established, the service agent takes about 5 minutes to restart and establish a connection.
Ensure that the Preserve route to internet from link even if all associated paths are down option is enabled at the network level, Configuration > Delivery Services > Internet. Ensuring that the connectivity to the Citrix SD-WAN Orchestrator service is maintained even if the virtual path is down.
Configurable management or data port
In-band management allows the data ports to carry both data and management traffic, eliminating the need for a dedicated management port. It leaves the management port unused on the low end appliances, which already have low port density. Citrix SD-WAN allows you to configure the management port to operate as either a data port or a management port.
You can convert the management port to data port only on the following platforms.
- Citrix SD-WAN 110 SE/LTE
- Citrix SD-WAN 210 SE/LTE
While configuring a site, use the management port in your configuration. After the configuration is activated, the management port is converted to a data port.
You can configure a management port only when in-band management is enabled on other trusted interfaces on the appliance.
To configure a management interface, at the site level, navigate to Configuration > Site Configuration > Interfaces and select the MGMT interface. For more information on configuring interface groups, see Interfaces.
To reconfigure the management port to perform management functionality, remove the configuration. Create a configuration without using the management port and activate it.