Citrix SD-WAN

Gateway mode

August 24, 2022

Contributed by:

Gateway mode places the SD-WAN appliance physically in the path (two-arm deployment) and requires changes in the existing network infrastructure to make the SD-WAN appliance the default gateway for the entire LAN network for that site. Gateway mode used for new networks and router replacement. Gateway mode allows SD-WAN appliances:

To view all traffic to and from the WAN
To perform local routing

Gateway deployment mode is supported on Citrix SD-WAN Orchestrator service. For more information, see Interfaces.

Gateway mode

Note

An SD-WAN deployed in Gateway mode acts as a Layer 3 device and cannot perform fail-to-wire. All interfaces involved will be configured for Fail-to-block. In the event of appliance failure, the default gateway for the site will also fail, causing an outage until the appliance and default gateway are restored.

In the Inline mode, the SD-WAN appliance appears to be an Ethernet bridge. Most of the SD-WAN appliance models include a fail-to-wire (Ethernet bypass) feature for inline mode. If power fails, a relay closes and the input and output ports become electrically connected, allowing the Ethernet signal to pass through from one port to another. In the fail-to-wire mode, the SD-WAN appliance looks like a cross-over cable connecting the two ports. Inline mode used to integrate into already well-defined networks.

Inline mode workflow

This article provides step-by-step procedure to configure an SD-WAN appliance in Gateway mode in a sample network setup. Inline deployment is also described for the branch side to complete the configuration. A network can continue to function if an Inline device is removed, but loses all access if the Gateway device is removed.

Topology

The following illustrations describe the topologies supported in an SD-WAN network.

Data Center in gateway deployment

Data center gateway mode

Branch in inline deployment

Branch inline deployment

Data center site gateway mode configuration

Following are the high-level configuration steps to configure data center site Gateway deployment:

Create a DC site.
Populate Interface Groups based on connected Ethernet interfaces.
Create Virtual IP address for each virtual interface.
Populate WAN links based on physical rate and not burst speeds using Internet and MPLS Links.
Populate Routes if there are more subnets in the LAN infrastructure.

To create Virtual IP (VIP) address for each virtual interface

Create a VIP on the appropriate subnet for each WAN Link. VIPs are used for communication between two SD-WAN appliances in the Virtual WAN environment.
Create a Virtual IP Address to be used as the Gateway address for the LAN network.

To populate WAN links based on physical rate and not on burst speeds using Internet link:

Navigate to WAN Links, click the + Add Link button to add a WAN Link for the Internet link.
Populate Internet link details, including the supplied Public IP address as shown below. AutoDetect Public IP cannot be selected for SD-WAN appliance configured as MCN.
Navigate to Access Interfaces, from the section drop-down menu, and click the + Add button to add interface details specific for the Internet link.
Populate Access Interface for IP and gateway addresses as shown below.

To create MPLS Link

Navigate to WAN Links, click the + button to add a WAN Link for the MPLS link.
Populate MPLS link details as shown below.
Navigate to Access Interfaces, click the + button to add interface detail specific for the MPLS link.
Populate Access Interface for IP and gateway addresses as shown below.

To populate Routes

Routes are auto-created based on the above configuration. The DC LAN sample topology shown above has an extra LAN subnet which is 192.168.31.0/24. A route needs to be created for this subnet. Gateway IP address must be in the same subnet as the DC LAN VIP as shown below.

MPLS routes gateway mode

Branch site inline deployment configuration

Following are the high-level configuration steps to configure Branch site for Inline deployment:

Create a Branch site.
Populate Interface Groups based on connected Ethernet interfaces.
Create Virtual IP address for each virtual interface.
Populate WAN links based on physical rate and not burst speeds using Internet and MPLS Links.
Populate Routes if there are more subnets in the LAN infrastructure.

To create Virtual IP (VIP) address for each virtual interface

Create a Virtual IP address on the appropriate subnet for each WAN Link. VIPs are used for communication between two SD-WAN appliances in the Virtual WAN environment.

To populate WAN links based on physical rate and not on burst speeds using Internet link:

Navigate to WAN Links, click the + button to add a WAN Link for the Internet link.
Populate Internet link details, including the Auto Detect Public IP address as shown below.
Navigate to Access Interfaces, click the + button to add interface details specific for the Internet link.
Populate Access Interface for IP address and gateway as shown below.

To create MPLS link

Navigate to WAN Links, click the + button to add a WAN Link for the MPLS link.
Populate MPLS link details as shown below.
Navigate to Access Interfaces, click the + button to add interface details specific for the MPLS link.
Populate Access Interface for IP address and gateway as shown below.

To populate routes

Routes are auto-created based on above configuration. In case there are more subnets specific to this remote branch office, then specific routes need to be added identifying which gateway to direct traffic to reach those back-end subnets.

MPLS routes gateway mode branch

Resolve audit errors

After completing configuration for DC and Branch sites, you will be alerted to resolve audit error on both DC and BR sites.

By default, the system generates paths for WAN Links defined as access type Public Internet. You would be required to use the auto-path group function or enable paths manually for WAN Links with an access type of Private Internet. Paths for MPLS links can be enabled by clicking Add operator (in the green rectangle).

Default WAN links

After completing all the above steps, proceed to Preparing the SD-WAN Appliance Packages.–>

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Gateway mode

August 24, 2022

Contributed by:

August 24, 2022

Contributed by:

Topology
Data Center in gateway deployment
Branch in inline deployment
Data center site gateway mode configuration
To create Virtual IP (VIP) address for each virtual interface
To create MPLS Link
To populate Routes
Branch site inline deployment configuration
To create Virtual IP (VIP) address for each virtual interface
To create MPLS link
To populate routes
Resolve audit errors

Gateway mode

Topology

Data Center in gateway deployment

Branch in inline deployment

Data center site gateway mode configuration

To create Virtual IP (VIP) address for each virtual interface

To create MPLS Link

To populate Routes

Branch site inline deployment configuration

To create Virtual IP (VIP) address for each virtual interface

To create MPLS link

To populate routes

Resolve audit errors

In this article