Gateway mode

This article provides a step-by-step procedure to configure an SD-WAN appliance in Gateway mode in a sample network setup. Inline deployment is also described for the branch side to complete the configuration.

Gateway mode places the SD-WAN appliance physically in the path (two-arm deployment) and requires changes in the existing network infrastructure to make the SD-WAN appliance the default gateway for the entire LAN network for that site.

Note

An SD-WAN appliance deployed in Gateway mode acts as a Layer 3 device and cannot perform fail-to-wire. All interfaces involved are configured for “Fail-to-block”. If the appliance fails, the default gateway for the site fails with it, causing an outage until the appliance and default gateway are restored.

Topology

The following illustrations describe the topologies supported in an SD-WAN network.

DataCenter in gateway deployment

Branch in inline deployment

Deployment requirements

Deployment requirements and related information are described below to assist you in building the configuration.

| Site Name | DataCenter Site | Branch Site |
|---|---|---|
| Appliance Name | A_DC1 | A_BR1 |
| Management IP | 172.30.2.10/24 | 172.30.2.20/24 |
| Security Key | If any | If any |
| Model/Edition | 4000 | 2000 |
| Mode | Gateway | Inline |
| Topology | 2 x WAN Path | 2 x WAN Path |
| VIP Address | 192.168.10.9/24 – MPLS, 10.0.10.9/24 – Internet (Public IP – A.B.C.D), 192.168.30.1/24 – LAN | 192.168.20.9/24 – MPLS, 10.0.20.9/24 – Internet (Public IP – W.X.Y.Z) |
| Gateway MPLS | 192.168.10.1 | 192.168.20.1 |
| Gateway Internet | 10.0.10.1 | 10.0.20.1 |
| Link Speed | MPLS – 100 Mbps, Internet – 20 Mbps | MPLS – 10 Mbps, Internet – 2 Mbps |
| Route | Network IP Address – 192.168.31.0/24, Service Type – Local, Gateway IP Address – 192.168.30.2 | If any |
| VLANs | If any | If any |

Configuration pre-requisites

  • Enable SD-WAN appliance as a Master Control Node.

  • Configuration is done only on the Master Control Node (MCN) of the SD-WAN appliance.

To enable an appliance as a Master Control Node:

  1. In the SD-WAN web management interface, navigate to Configuration > Appliance Settings > Administrator Interface > Miscellaneous tab > Switch Console.

    Note

    If “Switch to Client Console” is displayed, then the appliance is already in MCN mode. There should only be one active MCN in an SD-WAN network.

  2. Start the configuration by navigating to Configuration > Virtual WAN > Configuration Editor. Click New to begin the configuration.

Datacenter site gateway mode configuration

Following are the high-level configuration steps to configure Datacenter site Gateway deployment:

  1. Create a DC site.

  2. Populate Interface Groups based on connected Ethernet interfaces.

  3. Create Virtual IP address for each virtual interface.

  4. Populate WAN links based on physical rate and not burst speeds using Internet and MPLS Links.  

  5. Populate Routes if there are more subnets in the LAN infrastructure.

To create a DC site

  1. Navigate to Configuration Editor > Sites, and click the “+” Add button.

  2. Populate the fields as shown below.

  3. Keep default settings unless instructed to change.

To configure interface groups based on connected Ethernet interfaces

  1. In the Configuration Editor, navigate to Sites > View Site [Site Name] > Interface Groups. Click “+” to add interfaces intended to be used. For Gateway Mode, each Interface Group is assigned a single Ethernet interface.

  2. Bypass mode is set to fail-to-block since only one Ethernet/physical interface is used per virtual interface.  There are also no Bridge Pairs.

  3. In this example, three Interface Groups are created: one facing the LAN and two others facing each respective WAN Link. Refer to the sample “DC Gateway Mode” topology above and populate the Interface Groups fields as shown below.

To create Virtual IP (VIP) address for each virtual interface

  1. Create a VIP on the appropriate subnet for each WAN Link. VIPs are used for communication between two SD-WAN appliances in the Virtual WAN environment.

  2. Create a Virtual IP Address to be used as the Gateway address for the LAN network.

To populate WAN links based on physical rate and not on burst speeds using Internet link:

  1. Navigate to WAN Links, click the “+ Add Link” button to add a WAN Link for the Internet link.

  2. Populate Internet link details, including the supplied Public IP address as shown below. AutoDetect Public IP cannot be selected for SD-WAN appliance configured as MCN.

  3. From the section drop-down menu, navigate to Access Interfaces, and click the “+ Add” button to add interface details specific to the Internet link.

  4. Populate Access Interface for IP and gateway addresses as shown below.

  1. Navigate to WAN Links, click the “+” button to add a WAN Link for the MPLS link.

  2. Populate MPLS link details as shown below.

  3. Navigate to Access Interfaces, click the “+” button to add interface details specific to the MPLS link.

  4. Populate Access Interface for IP and gateway addresses as shown below.

To populate Routes

Routes are auto-created based on the above configuration. The DC LAN sample topology shown above has an extra LAN subnet, 192.168.31.0/24, and a route needs to be created for this subnet. The Gateway IP address of the route must be in the same subnet as the DC LAN VIP, as shown below.

Branch site inline deployment configuration

Following are the high-level configuration steps to configure Branch site for Inline deployment:

  1. Create a Branch site.

  2. Populate Interface Groups based on connected Ethernet interfaces.

  3. Create Virtual IP address for each virtual interface.

  4. Populate WAN links based on physical rate and not burst speeds using Internet and MPLS Links.  

  5. Populate Routes if there are more subnets in the LAN infrastructure.

To create a Branch site

  1. Navigate to Configuration Editor > Sites, and click the “+” Add button.

  2. Populate the fields as shown below.

  3. Keep default settings unless instructed to change.

To populate interface groups based on connected Ethernet interfaces

  1. In the Configuration Editor, navigate to Sites > View Site > [Client Site Name] > Interface Groups. Click “+” to add interfaces intended to be used. For Inline Mode, each Interface Group is assigned two Ethernet interfaces.

  2. Bypass mode is set to fail-to-wire and Bridge Pair is created using the two Ethernet interfaces.

  3. Refer to the sample “Remote Site Inline Mode” topology above and populate the Interface Groups fields as shown below.

To create Virtual IP (VIP) address for each virtual interface

  1. Create a Virtual IP address on the appropriate subnet for each WAN Link.  VIPs are used for communication between two SD-WAN appliances in the Virtual WAN environment.

To populate WAN links based on physical rate and not on burst speeds using Internet link:

  1. Navigate to WAN Links, click the “+” button to add a WAN Link for the Internet link.

  2. Populate Internet link details, including the Auto Detect Public IP address as shown below.

  3. Navigate to Access Interfaces, click the “+” button to add interface details specific for the Internet link.

  4. Populate Access Interface for IP address and gateway as shown below.

  1. Navigate to WAN Links, click the “+” button to add a WAN Link for the MPLS link.

  2. Populate MPLS link details as shown below.

  3. Navigate to Access Interfaces, click the “+” button to add interface details specific for the MPLS link.

  4. Populate Access Interface for IP address and gateway as shown below.

To populate routes

Routes are auto-created based on the above configuration. If there are more subnets specific to this remote branch office, specific routes need to be added that identify the gateway to which traffic must be directed to reach those backend subnets.
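The following is an added example, not part of the product documentation: a pre-flight check of the addressing plan from the deployment requirements table, run before the values are entered in the Configuration Editor. The dictionary layout and the audit_site() function are assumptions of this example; the route rule (gateway in the LAN VIP subnet) is the one stated for the DC route, while the on-link check for WAN gateways and the overlap check are standard IP routing hygiene added here.

```python
import ipaddress

# Addressing plan copied from the deployment requirements table on this page.
# The dict layout and audit_site() are assumptions made for this example.
SITES = {
    "A_DC1": {"mode": "Gateway",
              "vips": {"MPLS": "192.168.10.9/24", "Internet": "10.0.10.9/24",
                       "LAN": "192.168.30.1/24"},
              "gateways": {"MPLS": "192.168.10.1", "Internet": "10.0.10.1"},
              "routes": [("192.168.31.0/24", "192.168.30.2")]},
    "A_BR1": {"mode": "Inline",
              "vips": {"MPLS": "192.168.20.9/24", "Internet": "10.0.20.9/24"},
              "gateways": {"MPLS": "192.168.20.1", "Internet": "10.0.20.1"},
              "routes": []},
}

def audit_site(name, site):
    """Return a list of problems found in one site's addressing plan."""
    problems = []
    vips = {k: ipaddress.ip_interface(v) for k, v in site["vips"].items()}
    # In Gateway mode the appliance is the LAN default gateway, so a LAN VIP must exist.
    if site["mode"] == "Gateway" and "LAN" not in vips:
        problems.append(f"{name}: Gateway mode needs a LAN VIP")
    # Each access-interface gateway must be on-link to the VIP of its WAN link.
    for link, gw_text in site["gateways"].items():
        gw, vip = ipaddress.ip_address(gw_text), vips.get(link)
        if vip is None:
            problems.append(f"{name}: no VIP defined for WAN link {link}")
        elif gw not in vip.network or gw == vip.ip:
            problems.append(f"{name}: {link} gateway {gw} is not a neighbour of VIP {vip}")
    # A route's gateway must sit in the LAN VIP subnet (any VIP subnet if the
    # site has no LAN VIP), and its destination must not be a connected subnet.
    next_hop_vips = [vips["LAN"]] if "LAN" in vips else list(vips.values())
    for dest_text, hop_text in site["routes"]:
        dest, hop = ipaddress.ip_network(dest_text), ipaddress.ip_address(hop_text)
        if not any(hop in v.network and hop != v.ip for v in next_hop_vips):
            problems.append(f"{name}: route {dest} gateway {hop} is outside the VIP subnet")
        if any(dest.overlaps(v.network) for v in vips.values()):
            problems.append(f"{name}: route {dest} overlaps a directly connected subnet")
    return problems

if __name__ == "__main__":
    for site_name, plan in SITES.items():
        for line in audit_site(site_name, plan) or [f"{site_name}: plan is consistent"]:
            print(line)
```
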

Resolve audit errors

After completing the configuration for the DC and Branch sites, you will be alerted to resolve audit errors on both the DC and BR sites.

By default, the system generates paths for WAN Links defined as access type Public Internet. For WAN Links with an access type of Private Internet, you must use the auto-path group function or enable paths manually. Paths for MPLS links can be enabled by clicking the Add operator (in the green rectangle).

After completing all the above steps, proceed to Preparing the SD-WAN Appliance Packages.