Citrix SD-WAN basic deployment part 1

In this blog I will show you how to deployed basic Citrix SD-WAN. To demonstrate this I am going to use simple below topology.

First you have to create new configuration and to do so go to Configuration->Virtual WAN->Configuration Editor and press New to start new configuration. Then you can save this configuration file with default name or you can create your own.

The next step is to define new Sites and in this example for simplicity one site is called DC and the other is called Branch. Navigate to Configuration Editor – > Sites, and click the “+” Add button to create new sites. First lets start with DC. This example is based on the virtual appliance VPX but in real scenario you have to pickup your specific model. DC site is configured as primary MCN and branch as client.

The Next step is to create interface group to do so go to Sites->Interface Groups and create required interfaces. In my example these links are define as below:
– interface 1 – Internet
– interface 2 – MPLS
– interface 3 – LAN
Below image shows how Interface Groups are created.

The next step is to create a VIP on the appropriate subnets for each above WAN Link. These VIP’s are used for communication between two SD-WAN appliances in the Virtual WAN environment. Go to Sites->Virtual IP Address and press “+” sign to add VIP’s.

Next step is to create WAN Links, go to Sites->WAN Links->Add Link and add new WAN links. Below screens shows how Internet link is created. You have to repeat this step for all your WAN links such MPLS, 4G etc.

Next specify link seeped which should reflect physical rate. Go to the WAN Link->Settings and setup appreciate speed. Because this is an lab I am going to use 1G. Similar setting must be done for other WAN link’s.

Then go to the WAN Links->Access Interfaces and populate required information such as IP address, default gateway, and Virtual Interface. In, addition you can specify if WAN link is primary, secondary or exclude.

Next go to Connections-WAN Links->Virtual Paths and make sure that both WAN links are permitted to be used. That check box need to be enable for DC and Branches.

At this point after completing configuration for DC and Branch sites, you will be alerted to resolve audit error on both DC and Branch sites. When you press red exclamation mark you will be redirected to specific configuration which indicates the error. In this example configuration complains about MPLS Queues which says that MPLS must have one Class of Service enabled.

I created default default class as shown below.

When basic configuration is ready we can save the config and export it to the Change Management inbox.

Next go to the Change Management and push the config to SD-WAN appliances, press Begin button as shown below.

Before we actually push the config first we have to upload SD-WAN Standard Edition Software Package for VPX cb-vw_CBVPX_10.2.2.14.tar as shown below.

Now we can press Stage Appliances button to push the config and accept the License

When staging is finished we can download branch config and install it on the branch appliance because at this stage there is no configuration on this box at all. To do so access branch management IP through the web browser upload and install config as shown below.

When installation is completed and everything was configured correctly you should see all your WAN paths as green under Monitoring->Statistics-Path. Both MPLS and Internet paths are successful setup and marked as “GOOD”

Lest do some ping test to verify if there is a communication between sites. Below is the ping from DC LAN segment 172.16.1.0/24 to Branch LAN segment 172.16.2.0/24.

So far so good as you can see in the above ping and traceroute output, packet first hits NetSceler where traffic was encapsulated and send over overlay network. That can be concluded because the second hop is the Netsceler (10.1.61.254) at branch site . The last hop is final destination of the LAN segment at remote location (172.16.2.1). In this example traffic between both location took the path over MPLS cloud. Lets look at NetSceler routing table to see how it looks like. Routes Statistics at DC NetSceler indeed indicates that remote LAN segment 172.16.2.0/24 is learned through the Branch and is marked as dynamic.

I am going to shutdown the MPLS link to verify if traffic will reach remote destination over Internet path. After the MPLS link was shutdown the MPLS path statistics marked that path as “DEAD”

Lets make another ping and traceroute from DC to the Branch to see if there is end-to-end connectivity. It seems like Internet path is working as desired. The traceroute indicates that first hop is Netsceler (172.161.254) at DC site where traffic is encapsulated and sent over an Overlay network to the next hop (10.1.1.254) which is the NetSceler at Branch site. Traffic is decapsulated at NetSceler and sent to the final destination of LAN segment 172.16.2.0/24.

If you deployed your SD-WAN appliance behind the firewall you need to configure appreciate NAT translation rule to allow communication over the Internet. In addition, you need to allow UDP traffic on port 4980, as that port is used by Citrix SD-WAN appliance to build overlay network as shown below.

Lets do final verification and lets check if we can access internet from the DC LAN segment. I did ping to the ISP router and as you can see below the local internet breakout is working as expected.

My final thought is that basic Citrix SD-WAN deployment is straight forward and does not required a let of efforts to be deployed, however in this example everything was setup based on static routes just to show you basic idea and concept of that solution. Despite that static routes are fine for small deployment they are not scalable and it can introduce a lot of labour work for bigger customer with hundreds of location or big branches where dynamic routing is better choice. In next part I will look at BGP configuration and application routes which is the power of SD-WAN solution.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s