In a typical enterprise network, the branch offices access applications on the on premise data center, the cloud data center, or the SaaS applications. The application routing feature, allows you to steer the applications through your network easily and cost-efficiently. For example, when a user on the branch site is trying to access a SaaS application the traffic can be routed such that the branch offices can access the SaaS applications on the internet directly, without having to go through the data center first.
Citrix SD-WAN allows you to define the application routes for the following services:
- Virtual Path: This service manages traffic across the Virtual Paths. A Virtual Path is a logical link between two WAN links. It comprises a collection of WAN Paths combined to provide high service-level communication between two SD-WAN nodes. The SD-WAN appliance measures the network on a per-path basis and adapts to changing application demand and WAN conditions. A Virtual Path can be static (always exists) or dynamic (exists only when traffic between two SD-WAN Appliances reaches a configured threshold).
- Internet: This service manages traffic between an Enterprise site and sites on the public Internet. Internet traffic is not encapsulated. When congestion occurs, the SD-WAN actively manages bandwidth by rate-limiting Internet traffic relative to the Virtual Path, and Intranet traffic.
- Intranet: This service manages Enterprise Intranet traffic that has not been defined for transmission across a Virtual Path. Intranet traffic is not encapsulated. The SD-WAN manages bandwidth by rate-limiting this traffic relative to other service types during times of congestion. Under certain conditions, and if Intranet Fallback is configured on the Virtual Path, traffic that ordinarily travels through Virtual Path can instead be treated as Intranet traffic.
- Local: This service manages traffic local to the site that matches no other service. SD-WAN ignores traffic sourced and destined to a local route.
- GRE Tunnel: This service manages IP traffic destined for a GRE tunnel, and matches the LAN GRE tunnel configured at the site. The GRE Tunnel feature enables you to configure SD-WAN appliances to terminate GRE tunnels on the LAN. For a route with service type GRE Tunnel, the gateway must reside in one of the tunnel subnets of the local GRE tunnel.
- LAN IPsec Tunnel: This service manages IP traffic destined for a LAN IPsec tunnel, and matches the LAN IPsec tunnel configured at the site. The LAN IPsec Tunnel feature enables you to configure SD-WAN Appliances to terminate IPsec tunnels on the LAN or WAN side.
To perform service steering for applications, it is important to identify an application on the first packet itself. Initially, the packets flow through the IP route once the traffic is classified and the application is known, the corresponding application route is used. First packet classification is achieved by learning the IP subnets and ports associated with application objects. These are obtained using historical classification results of the DPI classifier, and user configured IP port match types.
To configure application routing:
In the Configuration Editor, navigate to Connections > Application Routes, and click +.
On the Add page, set the following parameters:
Application Object: The application object, which you want to steer. The application objects created by you are listed here. For more information, see Application Objects section in Application Classification topic.
- Routing Domain: The routing domain to be used by the application route. Choose one of the configured routing domains.
- Cost: A weight to determine the route priority for this route. Lower-cost routes take precedence over higher-cost routes. The range is 1–65534. The default value is 5.
Service Type: Select one of the following services. This maps the application to a service.
Virtual Path: Identifies application traffic as Virtual Path traffic and matches a Virtual Path based on Virtual Path Rules. In the Next Hop Site field, enter the next-hop remote site to which Virtual Path packets are directed.
Any flow hitting the Virtual Path Application Routes does not go over dynamic virtual path.
Internet: Identifies application traffic as Internet traffic and matches the Internet Service.
Intranet: Identifies application traffic as Intranet traffic and matches an Intranet Service based on the Intranet Rules. In the Intranet Service field, select an intranet service to be used for the route.
Local: Identifies application traffic as local to the site and matches no service. Traffic sourced and destined to a local route is ignored.
For local service type, once the DPI classification is completed the configured IP routes take the routing decision.
GRE Tunnel: Identified the application traffic as destined for a GRE tunnel, and matches the LAN GRE tunnel configured at the site. In the Gateway IP Address field, enter the gateway IP Address that must be in the LAN GRE Tunnel’s subnet. Select Eligibility Based on Gateway to enable the route to not receive any traffic when the Gateway is not reachable.
LAN IPsec Tunnel: Identified the application traffic as destined for a LAN IPsec tunnel, and matches the LAN IPsec tunnel configured at the site. In IPsec Tunnel field, select one of the configured IPsec tunnels. Select Eligibility Based on Tunnel to enable the route to not receive any traffic when the tunnel is not reachable.
Once you have selected a service for a custom application, do not change it.
- Eligibility Based on Path: Select to enable the route not to receive traffic when the specified path is down. In the Path field, specify the path to be used for determining route eligibility.
To view the application routes configured on your SD-WAN appliance. In the SD-WAN GUI, navigate to Configuration > Virtual WAN > View configuration. Select Application Routes from the View drop-down menu.
To view statistics data for the application routes:
In the SD-WAN GUI, navigate to Monitoring > Statistics.
From the Show drop-down list, select Application Routes.
You can view the following statistics:
- Application Object: Name of the application object.
- Gateway IP Address: The gateway IP address used by application objects with GRE Tunnel service type.
- Service: The service type mapped to the application object.
- Firewall Zone: The firewall zone that this route falls in.
- Reachable: The status of the application route.
- Site: Name of the site.
- Type: Indicates if the route is static or dynamic.
- Cost: The priority of the route.
- Hit Count: The number of times the application route is used to steer the traffic.
- Eligible: Is the application route eligible to send the traffic.
- Eligibility Type: The type of route eligibility condition applied to this route. The eligibility type can be Path, Gateway, or Tunnel.
- Eligibility Value: The value specified for the route eligibility condition.
In the current release, applications that belong to application family, match type defined in application object, cannot be steered.