Configuring a Router
To support virtual inline mode, a router must forward incoming as well as outgoing WAN traffic to the SD-WAN appliance. After the appliance processes the traffic, the router must forward the incoming traffic from the appliance to the LAN and the outgoing traffic from the appliance to the WAN. You have to configure policy based rules to avoid routing loops. In addition, the router must monitor the health of the appliance so that the appliance can be bypassed if it fails.
If the router supports the Reverse Path Forwarding feature, you must disable the feature on the interfaces with policies to redirect traffic to an SD-WAN appliance, including the interface that is connected to the appliance. Otherwise, the router intermittently drops traffic. By default, the Reverse Path Forwarding feature is enabled on the router.
Note: If the network has two routers, configure the following procedures for each router using appropriate IP addresses identified in the worksheet.
In the virtual inline mode, the packet forwarding methods can create routing loops if the routing rules do not distinguish between a packet that has been forwarded by the appliance and one that has not. You can use any method that makes that distinction.
A typical method involves dedicating one of the Ethernet ports of the router to the appliance and creating routing rules based on the Ethernet port on which packets arrive. Packets that arrive on the interface dedicated to the appliance are never forwarded back to the appliance, but packets arriving on any other interface can be.
Traffic shaping is not effective unless all WAN traffic passes through the appliance. Following is the basic routing algorithm:
- Do not forward packets from the appliance back to the appliance.
- If the packet arrives from the WAN, forward the packet to the appliance.
- If the packet is destined for the WAN, forward the packet to the appliance.
- Do not forward LAN-to-LAN traffic to the appliance.
If the appliance fails, data should not be routed to it. By default, Cisco policy based routing does not perform health monitoring. To enable health monitoring, define a rule to monitor the availability of the appliance, and specify the “verify-availability” option for the “set ip next-hop” command. With this configuration, if the appliance is not available, the route is not applied, and the appliance is bypassed.
Note: Citrix recommends virtual inline mode only when used with health monitoring. Many routers that support policy based routing do not support health checking. The health-monitoring feature is relatively new. It was first available in Cisco IOS release 12.3(4)T.
Following is an example of a rule for monitoring the availability of the appliance by using Cisco Router model 7600 with IOS Software version:
``` pre codeblock !- Use a ping (ICMP echo) to see if appliance is in the connected track 123 rtr 1 reachability ! rtr 1 type echo protocol IpIcmpecho 184.108.40.206 schedule 1 life forever start-time now
This rule pings the appliance at 220.127.116.11 periodically. You can test against 123 to see if the unit is up. ## Example of router configuration Following is an example of configuring a Cisco router for virtual inline mode: ``` pre codeblock ! ! For health-checking to work, do not forget to start ! the monitoring process. ! ! Original configuration is in normal type. ! appliance-specific configuration is in bold. ! ip cef ! interface FastEthernet0/0 ip address 10.200.51.0 255.255.255.0 ip policy route-map server_side_map ! interface FastEthernet0/1 ip address 18.104.22.168 255.255.255.0! interface FastEthernet1/0 ip address 192.168.1.5 255.255.255.0 ip policy route-map wan_side_map ! ip classless ip route 0.0.0.0 0.0.0.0 22.214.171.124 ! ip access-list extended server_side permit ip 10.100.51.0 0.0.0.255 10.20.20.0 0.0.0.255 ip access-list extended wan_side permit ip 10.20.20.0 0.0.0.255 10.100.51.0 0.0.0.255 ! route-map wan_side_map permit 20 match ip address wan_side !- Now set the appliance as the next hop, if it’s up. set ip next-hop verify-availability 126.96.36.199 20 track 123 ! route-map client_side_map permit 10 match ip address client_side set ip next-hop verify-availability 188.8.131.52 10 track 123
This example applies an access list to a route map and attaches the route map to an interface. The access lists identify all traffic originating at one accelerated site and terminating at the other (A source IP address of 10.100.51.0/24 and destination IP address of 10.20.20.0/24 or conversely). See your router’s documentation for the details of access lists and route-maps.
This configuration redirects all matching IP traffic to the appliances. If you want to redirect only TCP traffic, you can change the access-list configuration as follows (only the remote side’s configuration is shown here):
ip access-list extended server_side
permit tcp 10.200.51.0 0.0.0.255 10.20.20.0 0.0.0.255
ip access-list extended wan_side
permit tcp 10.20.20.0 0.0.0.255 10.200.51.0 0.0.0.255
Configuring routers in a High Availability Setup
To configure high availability between routers, see the router-specific high availability configuration manual.