- Release notes
- What's new
- Updating and Upgrading to NetScaler SD-WAN 9.3
- Single-Step Upgrade for SD-WAN Appliances
- Before You Begin
Getting Started by Using NetScaler SD-WAN
- NetScaler SD-WAN Management Web Interface
- One Touch Start
- Installing the SD-WAN Appliance Packages on the Clients
- Preparing the SD-WAN Appliance Packages on the MCN
- Connecting the Client Appliances to Your Network
Setting up the SD-WAN Appliances
- Setting up the Appliance Hardware
- Setting the Management IP Addresses for the Appliances
- Setting the Management IP Address for a SD-WAN Appliance
- Setting the Date and Time on an SD-WAN Appliance
- Setting the Console Session Timeout Interval (Optional)
- Uploading and Installing the SD-WAN Software License File
- Troubleshooting DHCP Management IP Address Configuration
- Configuring Alarms
- Configuration Rollback
- About SD-WAN VPX Standard Edition
- Installing and Deploying a SD-WAN VPX Standard Edition on VMware ESXi
Setting up the Master Control Node (MCN) Site
- Master Control Node (MCN)
- How to Switch the Management Web Interface to MCN Console Mode
- How to Add the MCN Site
- How to Configure Virtual Interface Groups for the MCN Site
- How to Configure Virtual IP Addresses for the MCN Site
- How to Configure GRE Tunnels for the MCN Site (Optional)
- How to Configure WAN Links for the MCN Site
- How to Configure Routes for the MCN Site
- How to Configure High Availability (HA) for the MCN Site (Optional)
- How to Enable and Configure Virtual WAN Security and Encryption (Optional)
- Naming, Saving, and Backing Up the MCN Site Configuration
Adding and Configuring the Branch Sites
- How to Add the Branch Site
- How to Configure Virtual Interface Groups for the Branch Site
- How to Configure Virtual IP Addresses for the Branch Site
- How to Configure GRE Tunnels for the Branch Site
- How to Configure WAN Links for the Branch Site
- How to Configure Routes for the Branch Site
- How to Configure High Availability (HA) for the Branch Site (Optional)
- How to Clone the Branch Site (Optional)
- How to Resolve Configuration Audit Alerts
- How to Save the Completed Sites Configuration
Deployment use Cases
- Deploying SD-WAN in Gateway Mode
- Deploying SD-WAN in PBR mode (Virtual Inline Mode)
- Building a SD-WAN Network
- Dynamic Paths for Branch to Branch Communication
- Configuring Static WAN Paths
- Routing Support for LAN Segmentation
- Utilizing Enterprise Edition Appliance to Provide WAN Optimization Services Only
- SD-WAN SE/EE Appliance in Hairpin Deployment Mode
- Two Box Mode
- SD-WAN Overlay Routing
- High Availability Deployment
- Basic Configuration Mode
Virtual Routing and Forwarding
- How To Configure Routing Domain
- How To Configure Routes
- How To Select Routing Domain for Intranet Service
- How To Configure Interface Groups
- How To Configure Virtual IP Addresses
- How To Configure Virtual IP Address Identity
- How To Configure GRE Tunnels
- How To Configure Access Interface
- How to Customize Classes
- How to Add Rule Groups and Enable MOS
- How to Create Rules
- How To Configure Firewall Segmentation
- Dynamic routing
- Route Filtering
- Network Objects
- Application Classification
- QoS Fairness With Random Early Detection (RED)
- Application QoS Rules
- MPLS QoS Queues
- Application Quality of Experience (QoE)
- Link State Propagation
- Metering and Standby WAN Links
- Multiple Net Flow collectors
- IPSec Tunnel Termination
- Stateful Firewall and NAT Support
- Configuring Multicast Groups
- NetScaler SD-WAN and Zscaler - Using GRE Tunnels and IPsec Tunnels
- Enabling FIPS Compliance Mode in NetScaler SD-WAN
- Configuring Virtual WAN IPsec for FIPS Compliant Operation
- Firewall Traffic Redirection Support by Using Forcepoint in NetScaler SD-WAN
- Internet Service
- DHCP Server and DHCP Relay Agent
- DHCP Client for Data Port (WAN Link IP Address Learning)
- Adaptive Bandwidth Detection
- Active Bandwidth Testing
- Diagnostic Tool
- Monitoring Your Virtual WAN
Auto Secure Peering and Manual Secure Peering
- Auto Secure Peering to an EE appliance from a Standalone WANOP / SDWAN SE/WANOP on the DC site
- Auto Secure Peering Initiated from EE Appliance at DC Site and Branch Site EE Appliance
- Auto Secure Peering Initiated from EE Appliance at DC Site and Branch with WANOP/SE Appliance
- Manual Secure Peering Initiated from EE Appliance at DC Site and Branch EE Appliance
- Manual Secure Peering initiated from EE appliance at DC site to Branch WANOP/SDWAN-SE Appliance
- Domain Join and Delegate User Creation
- SNMPv3 Polling and Trap Capability
- Zero Touch Deployment
- Configure 210-SE LTE
- NetScaler SD-WAN WANOP 9.3
The WANOP Client Plug-in
- Hardware and software requirements
- How the WANOP plug-in works
- Deploying appliances for use with plug-ins
- Customizing the plug-in MSI file
- Deploying plug-ins on Windows systems
- WANOP plug-in GUI commands
- Updating the WANOP plug-in
- Troubleshooting WANOP plug-in
- Configuring Service Class Association with SSL Profiles
- Standard MIB Support
- Best Practices - Security
- Reference Material
- Installing SD-WAN SE Virtual Appliances (VPX) in Linux-KVM Platform
- SD-WAN Standard Edition Virtual Appliance (VPX) HA Support for AWS
- SD-WAN Standard Edition Virtual Appliance (VPX) in Hypervisor on HyperV 2012 R2 and 2016
- SD-WAN Standard Edition Virtual Appliance (VPX) HA Support for Microsoft Azure
- XenServer 6.5 Upgrade for SD-WAN Standard Edition Appliances
MPLS QoS Queues
Aug 09, 2017
This feature simplifies creating SD-WAN configurations when adding a Multiprotocol Layer Switching (MPLS) WAN Link. Previously, each MPLS queue required one WAN Link to be created. Each WAN Link required a unique Virtual IP Address (VIP) to create the WAN Link and a unique Differentiated Services Code Point (DSCP) tag corresponding to the provider’s queuing scheme. After defining a WAN Link for each MPLS queue, the Intranet Service to map to a specific queue is defined.
Currently, a new MPLS specific WAN Link definition (i.e., Access Type) is available. When a new Private MPLS Access Type is selected, you can define MPLS queues associated with the WAN Link. This allows a single VIP with multiple DSCP tags that correspond to the provider’s queuing implementation for the MPLS WAN Link. This maps the Intranet Service to multiple MPLS Queues on a single MPLS WAN Link.
Allows MPLS providers to identify traffic based on DSCP markings so that class of service can be applied by the provider.
If you have existing MPLS configurations and would like to implement the Private MPLS Access Type, please contact Citrix Support for assistance.
- Define the WAN Link Access Type as Private MPLS.
- Define the MPLS Queues corresponding to the Service Provider MPLS queues.
- Enable the WAN Link for virtual path service (enabled by default for Private MPLS WAN Links).
- From the virtual path on a WAN Link, assign an Autopath group.
If the Autopath Group is assigned from the WAN Link level, SD-WAN creates paths automatically between the MCN and Client MPLS Queues based on matching DSCP tags. If the Autopath Group is assigned from the MPLS Queue level, SD-WAN creates paths automatically regardless of whether or not the DSCP tags match.
5. Ensure that the same Autopath Group is configured at the MCN and Client.
6. Verify that the Paths for the WAN Link are built automatically.
7. Assign Intranet Service to a specific queue, if needed.
The SD-WAN configuration may not have a one-to-one mapping for provider-based queues. This is based on specific deployment scenarios. You cannot create Autopath Groups between different Private Access Types. For instance, you cannot create Autopath Groups between a Private Internet Access Type and a Private MPLS Access Type.
To configure new WAN Link Access Type for Private MPLS
- In the Configuration Editor, click + (Add) under Sites > [Site Name] >WAN Links, the Add WAN Link pop-up appears.
2. Under the Basic Settings, there is now a new MPLS Queues tab. Click + ** Add to add specific MPLS Queues. These should correspond with the queues defined by the Service Provider.
MPLS Queue Name
The MPLS queue name
Service Provider’s DSCP tag setting for the queue.
When enabled, any frames arriving that do not match defined tags within the configuration file are mapped to this queue and the bandwidth defined for this queue.
LAN to WAN Permitted Rate (kbps)
The amount of bandwidth that SD-WAN devices are permitted to use for upload, which cannot exceed the defined physical upload rate of the WAN Link.
WAN to WAN Permitted Rate (kbps)
The amount of bandwidth that SD-WAN devices are permitted to use for download, which cannot exceed the defined physical download rate of the WAN Link.
Expand the MPLS Queue definition (by clicking the +), and additional options appear. These options include:
Tracking IP Address
WAN Link tracking address
The defined amount of time for congestion (in microseconds) after which the MPLS Queue will throttle packet transmission to avoid additional congestion. When congestion exceeds the set Threshold, SD-WAN backs off the sending rate.
The MPLS Queue’s eligibility to process specific classes of traffic. When eligibility is disabled for a specific class of traffic, that class of traffic is unlikely to route through the MPLS Queue unless network conditions require it.
Configure the MPLS Queues that correspond to the existing Service Provider WAN Link queue definitions.
Any existing MPLS WAN Links that are configured prior to SD-WAN 9.1 are not impacted.
Once the Private MPLS WAN Link with its MPLS Queues is defined, you should assign an Autopath Group for the WAN Link under a specific Virtual Path definition.
To assign autopath group
1. Go to Connections > [Site Name] > WAN Links >[MPLS WAN Link Name] > Virtual Paths > [Virtual Path Name] > [Local Site] > WAN Links and click Edit ().
2 . Click the Autopath Group drop-down menu and choose from the available groups. By default, MPLS Queues inherit the Autopath Group assigned to the MPLS WAN Link. You may choose to set the individual MPLS Queues to Inherit the chosen Autopath Group or choose an alternate from the Autopath Group drop-down menu for each MPLS Queue.
If there is no one-to-one mapping, based on DSCP tag, between queues at the local site and the remote site, you must map MPLS Queues to specific Autopath Groups. Inheriting an Autopath Group from the MPLS WAN Link will only automatically generate paths between queues with matching DSCP tags.
The Autopath Group defined is the same for the MCN and Client appliance. This allows the system to build the Paths automatically. At the MCN site you can also expand the WAN Link associated with the virtual path.
The SD-WAN web interface now allows you to view the permitted rate for WAN Links and WAN Link Usages and whether a WAN Link, Path, or Virtual Path may be in a congested state. In the previous releases, this information was only available in SD-WAN log files and through the CLI. These options are now available in the web interface to assist in troubleshooting.
View Permitted Rate
Permitted Rate is the amount of bandwidth that a particular WAN Link, Virtual Path Service, Intranet Service, or Internet Service is permitted to use at a given point in time. The permitted rate for a WAN Link is static, and is defined explicitly in the SD-WAN configuration. The permitted rate for a Virtual Path Service, Intranet Service, or Internet Service will fluctuate over time, in response to congestion, user demand, and Fair Shares, but will always be greater than or equal to the Minimum Reserved Bandwidth for the Service.
Go to Monitor > Statistics, and select WAN Link from the Show drop-down menu.
Go to Monitor > Statistics, and select MPLS Queues from the Show drop-down menu.