
Deploying SD-WAN in Gateway Mode

To deploy SD-WAN in Gateway mode:

This article provides a step-by-step procedure for configuring an SD-WAN appliance in Gateway mode in a sample network setup. Inline deployment is also described for the branch side to complete the configuration.

Gateway mode places the SD-WAN appliance physically in the path (two-arm deployment) and requires changes in the existing network infrastructure to make the SD-WAN appliance the default gateway for the entire LAN network for that site.

Note

An SD-WAN deployed in Gateway mode acts as a Layer 3 device and cannot perform fail-to-wire. All interfaces involved will be configured for “Fail-to-block”. In the event of appliance failure, the default gateway for the site will also fail, causing an outage until the appliance and default gateway are restored.

Topology

DataCenter in Gateway Deployment

localized image

Branch in Inline Deployment

localized image

Deployment Requirements

Deployment requirements and related information are described below to assist you in building the configuration.

| Site Name | DataCenter Site | Branch Site |
|---|---|---|
| Appliance Name | A_DC1 | A_BR1 |
| Management IP | 172.30.2.10/24 | 172.30.2.20/24 |
| Security Key | If any | If any |
| Model/Edition | 4000 | 2000 |
| Mode | Gateway | Inline |
| Topology | 2 x WAN Path | 2 x WAN Path |
| VIP Address | 192.168.10.9/24 – MPLS, 10.0.10.9/24 – Internet (Public IP – A.B.C.D), 192.168.30.1/24 – LAN | 192.168.20.9/24 – MPLS, 10.0.20.9/24 – Internet (Public IP – W.X.Y.Z) |
| Gateway MPLS | 192.168.10.1 | 192.168.20.1 |
| Gateway Internet | 10.0.10.1 | 10.0.20.1 |
| Link Speed | MPLS – 100 Mbps, Internet – 20 Mbps | MPLS – 10 Mbps, Internet – 2 Mbps |
| Route | Network IP Address – 192.168.31.0/24, Service Type – Local, Gateway IP Address – 192.168.30.2 | If any |
| VLANs | If any | If any |

Configuration Pre-requisites

  • Enable SD-WAN appliance as a Master Control Node.
  • Configuration is done only on the Master Control Node (MCN) of the SD-WAN appliance.

To enable an appliance as a Master Control Node:

  1. In the NetScaler SD-WAN web management interface, navigate to Configuration > Appliance Settings > Administrator Interface > Miscellaneous tab > Switch Console.

    Note

    If “Switch to Client Console” is displayed, then the appliance is already in MCN mode. There should only be one active MCN in an SD-WAN network.

  2. Start the configuration by navigating to Configuration > Virtual WAN > Configuration Editor. Click New to begin the configuration.

Datacenter Site Gateway Mode Configuration

Following are the high-level configuration steps to configure Datacenter site Gateway deployment:

  1. Create a new DC site.

  2. Populate Interface Groups based on connected Ethernet interfaces.

  3. Create Virtual IP address for each virtual interface.

  4. Populate WAN links based on physical rate and not burst speeds using Internet and MPLS Links.

  5. Populate Routes if there are additional subnets in the LAN infrastructure.

To create a new DC site

  1. Navigate to Configuration Editor > Sites, and click the “+” Add button.
  2. Populate the fields as shown below.
  3. Keep default settings unless instructed to change.

    localized image

    localized image

To configure interface groups based on connected Ethernet interfaces

  1. In the Configuration Editor, navigate to Sites > [Site Name] > Interface Groups. Click “+” to add interfaces intended to be used. For Gateway Mode, each Interface Group is assigned a single Ethernet interface.
  2. Bypass mode is set to fail-to-block since only one Ethernet/physical interface is used per virtual interface. There are also no Bridge Pairs.
  3. In this example, three Interface Groups are created: one facing the LAN and two others facing each respective WAN Link. Refer to the sample “DC Gateway Mode” topology above and populate the Interface Groups fields as shown below.

    localized image

To create Virtual IP (VIP) address for each virtual interface

  1. Create a VIP on the appropriate subnet for each WAN Link. VIPs are used for communication between two SD-WAN appliances in the Virtual WAN environment.
  2. Create a Virtual IP address to be used as the Gateway address for the LAN network.

localized image

  1. Navigate to WAN Links, click the “+” button to add a WAN Link for the Internet link.
  2. Populate Internet link details, including the supplied Public IP address as shown below. Note that AutoDetect Public IP cannot be selected for an SD-WAN appliance configured as the MCN.
  3. Navigate to Access Interfaces, click the “+” button to add interface details specific for the Internet link.
  4. Populate Access Interface for IP and gateway addresses as shown below.

    localized image

  1. Navigate to WAN Links, click the + button to add a WAN Link for the MPLS link.
  2. Populate MPLS link details as shown below.
  3. Navigate to Access Interfaces, click the “+” button to add interface details specific for the MPLS link.
  4. Populate Access Interface for IP and gateway addresses as shown below.

    localized image

To populate Routes

Routes are auto-created based on the above configuration. The DC LAN sample topology shown above has an additional LAN subnet, 192.168.31.0/24, and a route needs to be created for this subnet. The gateway IP address for the route must be in the same subnet as the DC LAN VIP, as shown below.

localized image

Branch Site Inline Deployment Configuration

Following are the high-level configuration steps to configure Branch site for Inline deployment:

  1. Create a new Branch site.

  2. Populate Interface Groups based on connected Ethernet interfaces.

  3. Create Virtual IP address for each virtual interface.

  4. Populate WAN links based on physical rate and not burst speeds using Internet and MPLS Links.

  5. Populate Routes if there are additional subnets in the LAN infrastructure.

To create a new Branch site

  1. Navigate to Configuration Editor > Sites, and click the “+” Add button.
  2. Populate the fields as shown below.
  3. Keep default settings unless instructed to change.

    localized image

    localized image

To populate interface groups based on connected Ethernet interfaces

  1. In the Configuration Editor, navigate to Sites > [Client Site Name] > Interface Groups. Click “+” to add interfaces intended to be used. For Inline Mode, each Interface Group is assigned two Ethernet interfaces.
  2. Bypass mode is set to fail-to-wire and Bridge Pair is created using the two Ethernet interfaces.
  3. Refer to the sample “Remote Site Inline Mode” topology above and populate the Interface Groups fields as shown below.

    localized image

To create Virtual IP (VIP) address for each virtual interface

  1. Create a Virtual IP address on the appropriate subnet for each WAN Link. VIPs are used for communication between two SD-WAN appliances in the Virtual WAN environment.

    localized image

  1. Navigate to WAN Links, click the “+” button to add a WAN Link for the Internet link.
  2. Populate Internet link details, including the AutoDetect Public IP address as shown below.
  3. Navigate to Access Interfaces, click the “+” button to add interface details specific for the Internet link.
  4. Populate Access Interface for IP address and gateway as shown below.

    localized image

  1. Navigate to WAN Links, click the “+” button to add a WAN Link for the MPLS link.
  2. Populate MPLS link details as shown below.
  3. Navigate to Access Interfaces, click the “+” button to add interface details specific for the MPLS link.
  4. Populate Access Interface for IP address and gateway as shown below.

    localized image

To populate Routes

Routes are auto-created based on the above configuration. If there are additional subnets specific to this remote branch office, add specific routes that identify which gateway to direct traffic to in order to reach those backend subnets.

localized image
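The addressing and bypass rules stated in the steps above can be checked against a site plan before it is entered in the Configuration Editor. The following is an added example, not part of the product or its documentation: the dictionary layout, field names and Ethernet port numbers are assumptions, A_DC1 is assumed to be the MCN, and the handling of routes on non-Gateway sites is a generalization beyond what the page states.

```python
import ipaddress

# Addressing plan from the Deployment Requirements table. The dict layout,
# field names and Ethernet port numbers are assumptions made for this example.
SITES = {
    "A_DC1": {"mode": "gateway", "mcn": True, "autodetect_public_ip": False,
              "vips": {"MPLS": "192.168.10.9/24", "Internet": "10.0.10.9/24",
                       "LAN": "192.168.30.1/24"},
              "gateways": {"MPLS": "192.168.10.1", "Internet": "10.0.10.1"},
              "routes": [("192.168.31.0/24", "192.168.30.2")],
              "groups": {"LAN": (["1"], "fail-to-block"),
                         "MPLS": (["2"], "fail-to-block"),
                         "Internet": (["3"], "fail-to-block")}},
    "A_BR1": {"mode": "inline", "mcn": False, "autodetect_public_ip": True,
              "vips": {"MPLS": "192.168.20.9/24", "Internet": "10.0.20.9/24"},
              "gateways": {"MPLS": "192.168.20.1", "Internet": "10.0.20.1"}, "routes": [],
              "groups": {"MPLS": (["1", "2"], "fail-to-wire"),
                         "Internet": (["3", "4"], "fail-to-wire")}},
}

# Expectation per mode from the interface-group steps: (ports per group, bypass mode).
EXPECTED = {"gateway": (1, "fail-to-block"), "inline": (2, "fail-to-wire")}


def audit(site):
    """Return a list of findings for one site; an empty list means the plan is consistent."""
    findings = []
    vips = {n: ipaddress.ip_interface(v) for n, v in site["vips"].items()}
    for link, gw in site["gateways"].items():
        gw_ip, vip = ipaddress.ip_address(gw), vips.get(link)
        if vip is None or gw_ip not in vip.network or gw_ip == vip.ip:
            findings.append(f"{link}: gateway {gw} not usable from VIP {vip}")
    # Gateway mode: the route next hop must sit in the LAN VIP subnet. For other
    # modes this example accepts any VIP subnet (a generalization, not from the page).
    on_link = [vips["LAN"]] if site["mode"] == "gateway" and "LAN" in vips else list(vips.values())
    for net, gw in site["routes"]:
        if not any(ipaddress.ip_address(gw) in v.network for v in on_link):
            findings.append(f"route {net}: gateway {gw} is not in a local VIP subnet")
    ports, bypass = EXPECTED[site["mode"]]
    for name, (eths, mode) in site["groups"].items():
        if len(eths) != ports or mode != bypass:
            findings.append(f"group {name}: expected {ports} port(s), {bypass}")
    if site["mcn"] and site["autodetect_public_ip"]:
        findings.append("MCN cannot use AutoDetect Public IP")
    return findings


if __name__ == "__main__":
    print({name: audit(site) or "OK" for name, site in SITES.items()})
```
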

Resolving Audit Errors

After completing the configuration for the DC and Branch sites, you will be alerted to resolve audit errors on both the DC and BR sites.

localized image

By default, the system generates paths for WAN Links defined with the access type Public Internet. For WAN Links with an access type of Private Internet, you must use the auto-path group function or enable the paths manually. Paths for MPLS links can be enabled by clicking the Add operator (in the green rectangle).

localized image

After completing all the above steps, proceed to the Preparing the SD-WAN Appliance Packages on the MCN topic.