Citrix SD-WAN

Rules by IP address and port number

Rules by IP address and port number feature helps you to create rules for your network and take certain Quality of Service (QoS) decisions based on the rules. You can create custom rules for your network. For example, you can create a rule as – If source IP address is 172.186.30.74 and destination IP address is 172.186.10.89, set Transmit mode as Persistent Path and LAN to WAN Class as 10(realtime_class)”.

Using the configuration editor, you can create rules for traffic flow and associate the rules with applications and classes. You can specify criteria to filter traffic for a flow, and can apply general behavior, LAN to WAN behavior, WAN to LAN behavior, and packet inspection rules.

You can create rules locally at a site level or at the global level. If more than one site requires the same rule, you can create a template for rules globally under Global > Virtual Path Default Sets > Rules. The template can then be attached to the sites where the rules need to be applied. Even if a site is associated with the globally created rule template, you can create site specific rules. In such cases, site specific rules take precedence and override the globally created rule template.

Create rules by IP address and port number

  1. In the SD-WAN Configuration Editor, navigate to Global > Virtual Path Default Sets.

    Note

    You can create rules at site level by navigating to Sites > Connections > Virtual Paths > Rules.

  2. Click Add Default Set, enter a name for the default set, and click Add. In the Section field, select Rules and click +.

  3. In the Order field, enter the order value to define when the rule is applied in relation to other rules.

  4. In the Rule Group Name field, select a rule group. The statistics for rules with the same rule group will be grouped and can be viewed together.

    For viewing rule groups, navigate to Monitoring > Statistics, and in the Show field select Rule Groups.

    You can also add custom applications. For more information, see Add Rule Groups and Enable MOS.

  5. In the Routing Domain field, choose one of the configured routing domains.

  6. You can define rule matching criteria to filter services based on the parameters listed as follows. After the filtering, the rule settings are applied to the services matching these criteria.

    • Source IP Address: Source IP address and the subnet mask to match against the traffic.

    • Destination IP Address: Destination IP address and the subnet mask to match against the traffic.

      Note

      If the Dest=Src check box is selected, the source IP address will also be used for the destination IP address.

    • Protocol: Protocol to match against the traffic.

    • Source Port: Source port number or port range to match against the traffic.

    • Destination Port: Destination port number or port range to match against the traffic.

      Note

      If the Dest=Src check box is selected, the source port will also be used for the destination port.

    • DSCP: The DSCP tag in the IP header to match against the traffic.

    • VLAN: The VLAN ID to match against the traffic.

  7. Click the add (+) icon next to the new rule.

  8. Click Initialize Properties Using Protocol to initialize the rule properties by applying the rule defaults and recommended settings for the protocol. This populates the default rule settings. You can also customize the settings manually, as shown in the following steps.

  9. Click the WAN General tile to configure the following properties.

    • Transmit Mode: Select one of the following transmit modes.

      • Load Balance Path: Traffic for the flow will be balanced across multiple paths for the service. Traffic is sent through the best path until that path is used. Leftover packets are sent through the next best path.

      • Persistent Path: Traffic for the flow remains on the same path until the path is no longer available.

      • Duplicate Path: Traffic for the flow is duplicated across multiple paths, increasing reliability.

      • Override Service: Traffic for the flow overrides to a different service. In the Override Service field, select the service type to which the service overrides. For example, a virtual path service can override to an intranet, internet, or pass-through service.

    • Retransmit Lost Packets: Send traffic that matches this rule to the remote appliance over a reliable service and retransmit lost packets.

    • Enable TCP Termination: Enable TCP termination of traffic for this flow. The round-trip time for acknowledgment of packets is reduced, and therefore improves throughput.

    • Preferred WAN Link: The WAN link that the flows should use first.

    • Persistent Impedance: The minimum time in milliseconds for which the traffic would remain in the same path, until the wait time on which the path is longer than the configured value.

    • Enable IP, TCP, and UDP: Compress headers in IP, TCP, and UDP packets.

      NOTE

      IPv6 packets do not support header compression.

    • Enable GRE: Compress headers in GRE packets.

    • Enable Packet Aggregation: Aggregate small packets into larger packets.

    • Track Performance: Records the performance attributes of this rule in a session data base (for example, loss, jitter, latency, and bandwidth).

      WAN general image

  10. Click the LAN to WAN tile, to configure LAN to WAN behavior for this rule.

    • Class: Select a class with which to associate this rule.

      Note

      You can also customize classes before applying rules, for more information, see How to Customize Classes.

    • Large Packet Size: Packets smaller than or equal to this size are assigned the Drop Limit and Drop Depth values specified in the fields to the right of the Class field.

      SD-WAN rules 4

      Packets larger than this size are assigned the values specified in the default Drop Limit and Drop Depth fields in the Large Packets section of the screen.

      SD-WAN rules 3

    • Drop Limit: Length of time after which packets waiting in the class scheduler are dropped. Not applicable for a bulk class.

    • Drop Depth: Queue depth threshold after which packets are dropped.

    • Enable RED: Random Early Detection (RED) ensures fair sharing of class resources by discarding packets when congestion occurs.

    • Reassign Size: Packet length that, when exceeded, causes the packet to be reassigned to the class specified in the Reassign Class field.

    • Reassign Class: Class used when the packet length exceeds the packet length specified in the Reassign Size field.

    • Disable Limit: Time for which duplication can be disabled to prevent duplicate packets from consuming bandwidth.

    • Disable Depth: The queue depth of the class scheduler, at which point the duplicate packets will not be generated.

    • TCP Standalone ACK class: High priority class to which TCP standalone acknowledgments are mapped during large file transfers.

      SD-WAN rules 5

  11. Click the WAN to LAN tile to configure WAN to LAN behavior for this rule.

    • Enable Packets Resequencing: Sequences the packets into the correct order at the destination.

    • Hold Time: Time interval for which the packets are held for resequencing, after which the packets are sent to the LAN.

    • Discard Late Resequencing Packets: Discard out-of-order packets that arrived after the packets needed for resequencing have been sent to the LAN.

    • DSCP Tag: DSCP tag applied to the packets that match this rule, before sending them to the LAN.

      SD-WAN rules 6

  12. Click Deep Packet Inspection tile and select Enable Passive FTP Detection to allow the rule to detect the port used for FTP data transfer and automatically apply the rule settings to the detected port.

  13. Click Apply.

Note

Save the configuration, export it to the change management inbox, and initiate the change management process.

Verify rules

In the Configuration Editor, navigate to Monitoring > Flows. Select Flow Type field located in the Select Flows section at the top of the Flows page. Next to the Flow Type field there is a row of check boxes for selecting the flow information you want to view. Verify if the flow information is according to the configured rules.

Example: The rule “If source IP address is 172.186.30.74 and destination IP address is 172.186.10.89, set Transmit mode as Persistent Path” shows the following Flows Data.

Verify rules flow data

In the Configuration Editor, navigate to Monitoring > Statistics and verify the configured rules.

Verify rules statistics

Rules by IP address and port number