CITRIX Education

CNS-200W: NetScaler SD-WAN Hands-on Workshop
Table of Contents

Module 0 - Course Overview (page 1)
Module 1 - SD-WAN Overview (page 16)
Module 2 - SD-WAN Provisioning and Change Management (page 74)
Module 3 - Quality of Service (page 124)
Module 4 - Deployment and Configuration (page 169)
Module 5 - SD-WAN 9.0 Features (page 252)
Module 6 - 9.1 Feature Release (page 276)
Module 7 - SD-WAN 9.2 Features (page 322)
CITRIX

NetScaler SD-WAN Hands-on Workshop
Course Overview

CNS-200W
Version: 1.3

1 © 2018 Citrix Authorized Content

Learning Objectives

• Provide an overview of the Citrix SD-WAN.
• Perform initial setup and configuration.
• Discuss and evaluate the different deployment modes and use cases.
• Evaluate and identify upgrade procedures.
• Identify and configure many of the features of SD-WAN Standard, Enterprise and WANOP editions.
• Evaluate the monitoring and management tools provided with the Citrix SD-WAN solution.

Student Introductions

Introduce yourself to the class. Include the following information:

• Name and company
• Job title
• Job responsibility
• Networking and virtualization experience
• Citrix hardware and software experience
• Class expectations


Facilities

Review:
• Parking and transportation information
• Class policies
• Break and lunch schedules
• Emergency contact information


Course Prerequisites

• Understanding of different computer networks such as local area network (LAN) and wide area network (WAN)
• Familiarity with data-carrying techniques, including Multiprotocol Label Switching (MPLS), Metro Ethernet, and VPN tunneling
• Understanding of techniques for increasing data transfer efficiencies / WAN optimization
• General understanding of branch network technologies: routing, firewall, DHCP, Internet control, Quality of Service


CNS-200W Course Outline

Day One
• Module 1: SD-WAN Overview
• Module 2: Provisioning and Change Management
• Module 3: Quality of Service


CNS-200W Course Outline

Day Two
• Module 4: Deployment Modes and Configuration
• Module 5: SD-WAN 9.0 Features
• Module 6: SD-WAN 9.1 Features
• Module 7: SD-WAN 9.2 Features


Lab Requirements

• Check connectivity to the environment and report any issues.
• All lab environment details are also provided in the lab guide.

[Screenshot of the lab environment; no further text recoverable.]


Self-Paced Bonus Exercise

• Some modules contain self-paced bonus exercises that allow students to continue their learning outside of class hours.
• There is no dedicated in-class time to complete these modules, but students and instructors are welcome to make adjustments as time allows.
• Lab access is granted for 30 days from the first day of class.
• These additional labs are designed to be completed outside of class time.


Student Resource Checklist

Visit http://training.citrix.com/checklist to learn how to:
• Access your student materials
• Complete the course survey

Visit http://elearning.citrix.com to learn how to:
• Access your Lab guide
• Access your Lab environment

Have more questions? Browse our FAQ at: http://training.citrix.com/cms/education/faq


Printing

• You can download, save, and print electronic courseware.
• Follow these steps to print to a PDF file:
  - Student Resources > Courseware > Student Manual > Launch


Classroom Support

How do I open a Classroom Support ticket?

[Screenshot of the Citrix Education classroom support page; no further text recoverable.]


Looking ahead - End of Course Survey

• Help shape the next course.
• Tell us what you liked!
• Your opinion matters!
• What can we do better?


Citrix Measures your Feedback with NPS

How is Net Promoter Score Calculated?

How likely is it you would recommend Citrix Courses to a friend? (scale from Not at all Likely to Extremely Likely)
Response categories: Promoter, Passive, Detractor


Connect with Citrix Education

• Facebook: Become a fan of Citrix Services
• Twitter: Follow @citrixservices
• LinkedIn: Join the Citrix Education group

Visit http://training.citrix.com to find more information on training, certifications, and exams.



CITRIX

NetScaler SD-WAN Hands-on Workshop
SD-WAN Overview

CNS-200W
Version: 1.3


Learning Objectives

• Provide an overview of SD-WAN
• Describe the Citrix NetScaler SD-WAN solution and platforms
• Identify the licensing options
• Identify the steps necessary in the initial configuration
• Identify features of NetScaler SD-WAN editions
• Utilize management tools for NetScaler SD-WAN


SD-WAN Overview

Key Notes:

• SD-WAN stands for Software Defined Wide Area Networking and it is a combination of SDN, Software Defined Networking (which was created for use in cloud datacenters), and WAN, Wide Area Networking (which is the network outside of your office, for example the Internet, or site-to-site networks, most commonly MPLS or Metro Ethernet). You might even say that SD-WAN is SDN’s newly-born sibling!
• SD-WAN takes some of the software-defined concepts used in the data plane and leverages them on the WAN. By doing this, it simplifies branch-office connectivity and ongoing management and reduces hardware sprawl, while significantly improving enterprise application performance and visibility.
• We all know how important it is to have solutions in place for businesses that connect through the cloud and on private networks: solutions that allow businesses to monitor their networks and ensure performance and reliability to remote applications.
• We’ve seen several new trends in solutions. Some suggest reverting to massive centralized infrastructure for application delivery. Others suggest that businesses enable requirements to offset the use of expensive MPLS networks for cheaper, more cost-effective options like internet transport. And we’ve also seen suggestions for shifting requirements from hardware-centric models to software and application-driven ones.
• While some of these trends offer valuable solutions, they also bring new complexity to businesses that may not be prepared to enable them.
• Perhaps because of these rapidly developing technological needs, Software Defined Wide Area Network, or SD-WAN, is becoming the go-to option for companies both large and small who want to increase their WAN throughput and branch-office application reliability and security, all while improving the end-user experience.


NetScaler SD-WAN Solution

Always on Branch | Better User Experience | Reduce Cost | Simplify Branch Infrastructure | Centralize Control and Management

Key Notes:

• These are the 5 major values the NetScaler SD-WAN solution brings to the table:
  • Always on Branch
  • Better User Experience
  • Reduce Cost
  • Simplify Branch Infrastructure
  • Centralize Control and Management


NetScaler SD-WAN Solution

Always on Branch

Key Notes:

• These are the 5 major values the NetScaler SD-WAN solution brings to the table.
• Always on branch – Reliability is one of the primary values. NetScaler SD-WAN ensures continuous access to applications, even when a network link is lost. This keeps business operating.


NetScaler SD-WAN Solution

Always on Branch | Better User Experience

Key Notes:

• Better user experience –
  • Through features such as TCP flow control, data compression, de-duplication and protocol optimization, NetScaler SD-WAN can improve the end-user experience as well as provide a reduction in WAN bandwidth expenses. And with video usage on the rise, NetScaler SD-WAN can optimize video delivery within Citrix XenDesktop environments as well as for popular websites and internal video content repositories.
  • Beyond just availability, the solution makes sure that applications are responsive. Virtual applications perform consistently, voice calls are clear, videos aren’t pixelated, websites are responsive, and data moves quickly.


NetScaler SD-WAN Solution

Always on Branch | Better User Experience | Reduce Cost

Key Notes:

• Reduce cost – By making broadband networks viable for enterprise use, companies can spend less on their network, often a very large expense. If companies can decommission MPLS in favor of broadband, they will dramatically reduce costs and have more bandwidth. But even if they don’t stop using MPLS, they can accommodate bandwidth growth through broadband, receiving more bandwidth per dollar.


NetScaler SD-WAN Solution

Always on Branch | Better User Experience | Reduce Cost | Simplify Branch Infrastructure

Key Notes:

• Simplify branch infrastructure – NetScaler SD-WAN combines SD-WAN, WAN Optimization, Routing, and Firewall. With this solution companies can radically simplify their network, eliminating hardware and the cost of support. Companies with lots of locations and limited IT resources at each location will particularly benefit from the hardware consolidation capability.


NetScaler SD-WAN Solution

Always on Branch | Better User Experience | Reduce Cost | Simplify Branch Infrastructure | Centralize Control and Management

Key Notes:

• Centralize control and management – NetScaler SD-WAN Center will eventually migrate into NetScaler Management and Analytics System (MAS) and will act as a single centralized system for configuring the network and application policies, in addition to monitoring and reporting. With version 10.0 you can now configure NetScaler SD-WAN Center to act as the remote license server for centralized license management. NetScaler SD-WAN is Zero Touch Deployment capable. The Zero Touch Service makes it simple to send a new appliance to a site with no technical personnel on location and quickly bring up appliances to join the SD-WAN environment.


Why is there a need for SD-WAN?

[Bar chart: Which Portion of Your Network Is Most Expensive? Categories: Network Security, WAN, Data Center, Campus/User Edge; axis 0% to 70%; values not recoverable.]

Access Type | Typical Availability | Downtime Per Month Per Circuit
Consumer-grade DSL | 98.0% | 15 Hrs.
Business DSL | 99.0% | 7 Hrs.
Metro Ethernet | 99.5% | 4 Hrs.
MPLS Leased Line | 99.9% | 1 Hr.

Key Notes:

• The network links that compose the Wide Area Network (WAN) are generally the largest expense in the network. These links have traditionally been MPLS, which is expensive, is a fixed monthly expense and generally requires a 3 year commitment.
• At the same time, even the most reliable WAN service, Multi-Protocol Label Switching, more commonly known as MPLS, will likely have an hour of downtime per month per line.
• MPLS: Multiprotocol Label Switching (MPLS) is a type of data-carrying technique for high-performance telecommunications networks. MPLS directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table.
• Gartner Data Center Conference Dec 2015: Top 10 Ways to reduce Network/Telecom Budget presentation
• Source: Gartner (July 2013)


Corporate WAN traffic to grow at 15% per year through 2018

[Chart: Corporate WAN Traffic in PB/Month, scale 0 to 35,000. Categories: Digital Signage, Web Applications, Video-Based Content, Guest WiFi, HD Photos/Videos.]
Source: Cisco Visual Networking Index: Forecast and Methodology, 2013 - 2018

Key Notes:

• Even with the weaknesses admins see with their networks, bandwidth demands continue to rise year over year.
• Let’s take a look at how enterprise bandwidth needs are changing. Each year, WAN traffic volume is growing by 15%. This is driven by a number of factors:
  • Apps are migrating to the cloud, which drives data volumes over the WAN
  • Apps are becoming more feature rich, which drives each application to generate higher bandwidth
  • Video usage…the average employee watches almost 16 hours of video content per month, and this figure is growing as companies leverage video for more effective communications and productivity.
  • The net of it all is that corporate WAN bandwidth requirements are forecasted to grow by 15% per year…
• Which, if not managed, means costs must increase as well, and not always proportionately.


SD-WAN Bandwidth Optimization

The SD-WAN can assist in:
• Compression
• Citrix XenApp/XenDesktop (HDX)
• TCP Flow-Control Acceleration
• Traffic Shaping

Key Notes:

• Compression with SD-WAN uses breakthrough technology to provide transparent multilevel compression. It is true compression that acts on arbitrary byte streams. It is not application-aware, is indifferent to connection boundaries, and can compress a string optimally the second time it appears in the data. SD-WAN compression works at any link speed. The compression engine is very fast, allowing the speedup factor for compression to approach the compression ratio. For example, a bulk transfer monopolizing a 1.5 Mbps T1 link and achieving a 100:1 compression ratio can deliver a speedup ratio of almost 100x, or 150 Mbps, provided that the WAN bandwidth is the only bottleneck in the transfer.
• XenApp/XenDesktop (ICA/CGP) acceleration has three components:
  • Compression--The appliance cooperates with XenApp clients and servers to compress XenApp data streams for interactive data (keyboard/mouse/display/audio) and batch data (printing and file transfers). This interaction takes place transparently and requires no configuration of the appliance. A small amount of configuration, described below, is required on older XenApp servers (release 4.x).
  • Multistream ICA--In addition to compression, CloudBridge appliances support the new Multistream ICA protocol, in which up to four connections are used for the different ICA priorities, instead of multiplexing all priorities over the same connection. This approach gives interactive tasks greater responsiveness, especially when combined with the appliance’s traffic shaping. Note: Multistream ICA is disabled by default. It can be enabled on the Features page.
  • Traffic shaping--The CloudBridge traffic shaper uses the priority bits in the XenApp data protocols to modulate the connection’s priority in real time, matching the bandwidth share of each connection to what the connection is transmitting at the moment.
• Flow-Control Acceleration—SD-WAN appliances become virtual gateways that control the TCP traffic on the WAN link. Ordinary TCP is controlled on a per-connection basis by the endpoint devices. Optimal control of link traffic is difficult, because neither the endpoint devices nor individual connections have any knowledge of the link speed or the amount of competing traffic. A gateway, on the other hand, is in an ideal position to monitor and control link traffic. Ordinary gateways squander this opportunity because they cannot supply the flow control that TCP lacks. SD-WAN technology adds the intelligence that is missing in the network equipment and the TCP connections alike. The result is greatly improved WAN performance, even under harsh conditions such as high loss or extreme distance.
• Traffic shaping allows you to regulate the network traffic flow to assure a certain level of quality of service (QoS). You can regulate the flow of packets into a network (bandwidth throttling) or out of a network (rate limiting). Using traffic shaping policies you can set the priority of different link traffic and send traffic onto the link at a rate close to, but no greater than, the link speed. Unlike acceleration, which applies only to TCP/IP traffic, the traffic shaper handles all traffic on the link.
• WAN virtualization. Ensure reliable delivery of high-priority application traffic, while also providing more bandwidth available to applications. With the ability to bond multiple WAN links, NetScaler SD-WAN creates a single, secure, logical link, offering expanded WAN capacity that dynamically adapts to network conditions. This ensures that applications perform during a blackout or brownout on a particular WAN link.
• Application acceleration. By optimizing Citrix ICA traffic and storage replication, NetScaler SD-WAN supports up to four times as many virtual app and desktop users. NetScaler SD-WAN accelerator technology also improves performance of Microsoft apps such as Exchange, Skype for Business, and SharePoint, as well as any TCP-based application.
• Video optimization. Each year, video consumption grows by 25 percent within enterprises. Through its caching capabilities, NetScaler SD-WAN can reduce WAN bandwidth demand for internal and external video content at branch offices.
• Branch service delivery. The NetScaler SD-WAN product family offers features that simplify branch office IT and allow IT to securely deploy an Active Directory database at branch offices, using a read-only domain controller.
• Visibility and insight. NetScaler SD-WAN allows you to monitor application delivery through reporting and measurement features. These tools help you understand application performance to improve troubleshooting and bandwidth management, and to accelerate application delivery.

What are the available options?

Sample price points (source: TeleGeography, 2Q2015):
New York: T1 MPLS $381 / Broadband $90
London: E1 MPLS $477 / Broadband $70
Singapore: E1 MPLS $775 / Broadband $80
Mumbai: MPLS $878 / Broadband $45
Mexico City: E1 MPLS $951 / Broadband $60
Tokyo: J1 MPLS $974 / Broadband $80
Sao Paolo: E1 MPLS $1,034 / Broadband $90
Moscow: E1 MPLS $1,072 / Broadband $100

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.
• Most Network Admins are tasked with making use of cheaper alternatives for building their Wide Area Network. Primarily because, as we saw earlier, broadband internet is significantly less reliable and because of that significantly less expensive! Here are some sample price points that highlight this significant cost difference.
• If you get creative enough, the task at hand, addressing increasing bandwidth needs without driving up additional WAN costs, is attainable. But the engineering and management to create a solution like this from the ground up can be a nightmare. As we get into more detail later in this module, we will educate you on how NetScaler SD-WAN is the solution that addresses this exact problem faced by many enterprise network admins.


NetScaler SD-WAN Data Sheet

[Image of the NetScaler SD-WAN Data Sheet. Recoverable tagline: "NetScaler SD-WAN increases the performance and reliability of traditional enterprise applications, SaaS applications and virtual desktops." Remaining text not recoverable.]

Key Notes:

• The NetScaler SD-WAN product line is continuously growing and adapting to needs and challenges seen in enterprise networks. Referencing the online NetScaler SD-WAN Data Sheet will keep you updated on the latest in physical and virtual appliance availability and performance capabilities.

Additional Resources:

• SD-WAN Data Sheet: https://www.citrix.com/content/dam/citrix/en_us/documents/data-sheet/netscaler-sd-wan-datasheet.pdf


NetScaler Platforms

NetScaler ADC | NetScaler SD-WAN | NetScaler Gateway

NetScaler SD-WAN editions:
Standard Edition (SE): Multi Link aggregation; WAN path resiliency; WAN path visibility; Hardware consolidation
Enterprise Edition (EE): Multi Link aggregation; WAN path resiliency; Application optimization; Path/Application visibility; Hardware consolidation
WANOP Edition (WO): Single link QoS; Application optimization; Application visibility

Key Notes:

• NetScaler ADC is an application delivery controller that provides flexible delivery services for traditional, containerized and microservice applications from your data center or any cloud. It features unmatched security, superior L4-7 load balancing, reliable GSLB, and increased uptime.
• NetScaler Gateway: Previously known as the CAG (Citrix Access Gateway) or the CSG (Citrix Secure Gateway), it is primarily designed and used for secure remote access.
• The traditional WAN was not designed to tackle today’s application traffic. Our software-defined WAN solution, NetScaler SD-WAN, offers a scalable, reliable, and cloud-ready approach. NetScaler SD-WAN combines packet-level, real-time path selection, WAN optimization, firewall, routing, and application analytics into one comprehensive solution. Whether accessing SaaS applications, virtualized desktops, or traditional data centers, NetScaler SD-WAN ensures an always-on, high-quality experience and a simpler, more agile branch network.
• It is important to note that the Citrix NetScaler product portfolio consists of NetScaler ADC, NetScaler Gateway and NetScaler SD-WAN. Each product provides its own unique role in application delivery and security, and each may reside in different parts of the network. Keep in mind that even though the same hardware may be utilized across the board on the products, the software on the SD-WAN is uniquely different and requires deployment with a partner device at the remote site to provide the benefits of a software defined wide area network. NetScaler ADC is used for load balancing, NetScaler Gateway for enabling access to resources, and NetScaler SD-WAN for virtualizing your wide area network.
• The SD-WAN product itself has several editions, each designed to address challenges typically found in an enterprise network, such as congestion, unreliable WAN links, and reliable delivery of applications.
• Standard Edition provides a solution for multi link bandwidth aggregation, WAN path resiliency and visibility for those paths, as well as hardware consolidation with built in routing, firewall, VPN, and WAN optimization features.
• WANOP Edition provides a solution for optimizing a single link with application classification, quality of service and WAN optimization techniques for application optimization. With WANOP, application visibility is easily accomplished and proves invaluable when troubleshooting.
• Enterprise Edition provides the all-in-one solution that takes the best of Standard Edition and the best of what WANOP Edition has to offer and provides a consolidated platform to address any challenges a network administrator may face.

NetScaler SD-WAN Editions

Standard Edition (SE): Includes software-defined WAN features to create a highly reliable network from multiple network links and to ensure that each application takes the best path to achieve the highest application performance.

Enterprise Edition (EE): Integration of software-defined WAN with WAN optimization is the best option to optimize branch and mobile user experience and to achieve fully resilient applications regardless of network quality.

WANOP Edition (WO): Includes application acceleration, data reduction and protocol control to optimize applications across the WAN. Can optionally include virtual Windows Server to simplify branch infrastructure and mobile user PC plug-in.

Key Notes:

• Enterprise Edition users will need one Standard appliance and one WANOP appliance in the data center. In the branch office, you will need just one Enterprise Edition appliance, which combines WAN optimization and virtual WAN functions into a single appliance for the branch.


NetScaler SD-WAN in the Cloud

NetScaler SD-WAN on Azure (Microsoft): NetScaler SD-WAN for Azure enables organizations to have a direct, secure, and high quality connection from each branch to the applications hosted in Azure, eliminating the need to backhaul cloud bound traffic through a data center.

NetScaler SD-WAN on AWS (Amazon Web Services): The full suite of NetScaler SD-WAN capabilities is available in an AWS cloud environment to optimize and secure access to SaaS applications and IaaS instances.

Key Notes:

• Microsoft Azure:
  • Benefits include:
    • Create direct connections from every location to Azure
    • Ensure an ongoing reliable connection to Azure
    • Simplify your network without the need to provision VPNs
    • Extend your secure perimeter to the cloud with a single click
• Amazon Web Services:
  • Specs:
    • Requires AWS EC2
    • Requires AWS Elastic Block Storage (EBS)
    • Available via AWS Marketplace or with Bring Your Own License
  • Benefits include:
    • Create direct connections from every location to AWS
    • Ensure an ongoing reliable connection to AWS
    • Simplify your network without the need to provision VPNs
    • Extend your secure perimeter to the cloud with a single click


SD-WAN Licensing


NetScaler SD-WAN License Options

There are three NetScaler SD-WAN Editions, each with a different set or subset of NetScaler SD-WAN features. The type of license you install determines the NetScaler SD-WAN Standard Edition, WANOP, and Enterprise Edition appliances.

Version / Edition | WAN Optimization Edition | Standard Edition | Enterprise Edition
Release 7.X | Yes | - | -
Release 8.X | - | Yes | -
Release 9.0 | - | Yes | Yes
Release 9.1 | Yes | Yes | Yes
Release 9.2 | Yes | Yes | Yes
Release 9.3 | Yes | Yes | Yes
Release 10.0 | Yes | Yes | Yes

Key Notes:

• The above table illustrates which NetScaler SD-WAN platforms are supported for each of the available NetScaler SD-WAN software versions.
• When installing and applying a license, make sure that your specific appliance supports the SD-WAN appliance edition you want to enable, and that you have the correct software version available.
• Earlier versions of licenses, including those compatible with release 7.x, are not supported with the newer NetScaler SD-WAN releases. The existing process to obtain NetScaler SD-WAN licenses remains consistent with the CloudBridge 8.0.x and 9.0.x releases. Once obtained, the licenses can be activated through the appliance’s management web interface.
• Before you can download the software, you must obtain and register a NetScaler SD-WAN software license. For instructions on obtaining a NetScaler SD-WAN software license, contact Citrix NetScaler SD-WAN Customer Support. Before installing the license, you must first set up the appliance hardware, and set the date and time for the appliance.


Local Licensing

You can install and configure licenses for SD-WAN appliances using the SD-WAN web management interface.

With local licensing, you are required to log in to each appliance in the network and upload the license file. Even with the ZTD service, the appliance becomes available with only a grace license. You will have to upload a license file for network continuity. The license files are generated based on the host IDs of the individual appliances.

[Screenshot: License Configuration page with Local selected, showing the "Upload License for this Appliance" and "Licenses Uploaded" sections]


Key Notes:

• Importing licenses for SD-WAN appliances deployed on XenServer/ESXi/Hyper-V platforms:
  1. In the SD-WAN web management interface, navigate to Configuration > Appliance Settings > Licensing.
  2. Select Local and upload the license. Click Upload and Install.
  3. Save your changes by clicking Apply Settings.


Remote Licensing

If you want to install remote licenses for SD-WAN appliances using SD-WAN Center, ensure that you enable Centralized Licensing on the SD-WAN MCN appliance in the Global settings of the SD-WAN web management interface Configuration Editor.

[Screenshot: License Configuration page with Remote selected and the Configure Licensing Server fields]

• Use Cases:
  • Remote license server reachable through the management network without using data/apA ports.
  • Remote license server in the Branch network.
  • SD-WAN VPX-SE - PBR deployment in the Branch office.

Key Notes:

How to configure remote licensing:

1. In the SD-WAN web management interface, navigate to Configuration > Appliance Settings > Licensing.
2. Select Remote and enter the Remote Server IP address details.
3. Select the desired appliance Model from the drop-down menu. The default port for the remote license server is 27000.


Centralized Licensing

• In the new centralized license model, the SD-WAN Center web management interface (the SD-WAN appliance management and reporting portal) provides licensing services to individual SD-WAN appliances in the network without you having to log in to each appliance.

• You can now manage licenses for all the nodes in branch and MCN sites configured for a specific SD-WAN appliance configuration package from the licensing server you configured.

• This license server can be an SD-WAN Center management portal, which provides the licenses obtained from the network configuration to the sites through the change management process.

[Screenshot: Centralized Licensing site settings with License Server Location set to Local]

Key Notes:

• The SD-WAN Center IP address is provided in the SD-WAN appliance GUI under Global > Centralized Licensing. This IP address is propagated to individual appliances through the configuration packages or updates. When the IP address is changed, you have to go through the Change Management process to push it to the appliances. The global setting can be overridden by the local site settings.

• The license bandwidth can be selected with the appliance model for Site settings. The WAN link bandwidths are audited against the license selected.

To enable centralized licensing in the SD-WAN appliance GUI:

1. Navigate to Configuration > Virtual WAN > Configuration Editor. Open an existing Virtual WAN configuration package or create a new configuration package. The configuration package opens.
2. Navigate to the Global tab. Select Centralized Licensing. Click Enable.
3. Enter the IP address for the License Server from which you need to download and manage SD-WAN licenses. You can provide the SD-WAN Center management IP address, so that the configuration package for the SD-WAN MCN or branch appliances can download licenses from SD-WAN Center.
4. Enter 27000 for the License Server Port, which is the default port number.
5. Click Apply.
6. Navigate to the Sites tab. Select the MCN or Branch site under View Site, depending on the region and site for which you want to manage central licensing.
7. Select Centralized Licensing. The central licensing options view is displayed. By default, the Local option is selected for the License Server Location.


8. Click the drop-down menu and select Central to change the default license server location. This displays the IP address and port information you provided for the license server when you enabled central licensing in the Global settings. For example, the license server could be the IP address of the SD-WAN Center managing the appliances in the network.
9. Choose the Appliance Edition and License Rate depending on the appliances to be installed, such as the Standard Edition or Enterprise Edition. Click Apply.
10. Select Override Global to override the global settings. Configure the new license server IP address. Retain the default license server port number, 27000. Click Apply.

SD-WAN Licensing Considerations

• SD-WAN appliance licenses are managed by communicating with the remote license service to check for licenses. If the appliance is licensed, network operations continue without interruption. If the appliance is not licensed, the grace license mode is initiated.

• The SD-WAN appliance goes into a 30-day grace period and you have to upload the license after the license expires.

• During the grace period, all operations function normally. If the license is not uploaded in time (30 days after expiry), the Virtual WAN Service is disabled.

• A 30-day grace period is provided for Out-of-Box client nodes. A notification indicates that the appliance is in Out-of-Box mode and needs a valid license. This option uses a grace license file.

• Loss of communication with SD-WAN Center: after 2 heartbeats are lost, the appliance goes into grace mode for 30 days. A notification indicates that the reason for the grace period is a communication failure.

Key Notes:

• SD-WAN appliance license management process:
  1. Each site communicates with the Remote Server or SD-WAN Center using the Web Management Interface. This communication occurs through a heartbeat mechanism to monitor connectivity and a checkout mechanism that verifies the license status.
  2. Heartbeats are sent over a TCP connection to the license server every 10-20 minutes to check connectivity.
  3. After a loss of 2 consecutive heartbeats, the appliance goes into grace mode. The checkout method determines the license status. This status, which can be "Real", "Grace", or "Denied", is sent to the appliance from the SD-WAN Center. Every time an appliance reaches out to the SD-WAN Center for license status, it checks in and checks out the new license. If SD-WAN Center does not receive 2 heartbeats, SD-WAN Center releases the license allocated to the site back into the pool. The grace period is 30 days, so after the loss of 2 heartbeats the appliance goes into the grace period. During these 30 days, the communication has to be restored. Once restored, the appliance reverts to normal operational mode. If the communication is NOT restored, the appliance is put into the unlicensed state and follows the unlicensed/license expiry procedure.
• Out-of-Box licensing (OOB) for the MCN appliance:
  • The MCN appliance will not have an initial grace period. It needs to be licensed to come up.
• Out-of-Box licensing (OOB) for client appliances:
  • The client node will come up with a 30-day grace period, with or without ZTD functionality.
  • The appliance will be enabled and installed with an OOB license file valid for 30 days.
  • You have 30 days to upload a license file or get licensed through the Centralized Licensing server.


• If the appliance is licensed, it will function normally and be part of the network.
• If the appliance is not licensed within 30 days, the license expiry procedure is followed.
• The only way to reset the appliance to again come up with an OOB license is to perform a "Factory Reset".
• License expiry: once the license expires, a 30-day grace period is provided. A notification indicates that the reason for the grace period is the license expiry and a renewal is needed.
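The heartbeat, grace and out-of-box rules above, as an added worked example (not Citrix code, and not the appliance's own implementation): a small model of both sides of the exchange, the license pool on SD-WAN Center and the license state on an appliance. The class and method names, the 20-minute heartbeat interval and the pool contents are assumptions; the thresholds (2 missed heartbeats, 30-day grace, no OOB grace for an MCN) are the ones the notes state.

```python
"""Heartbeat / grace-period model for SD-WAN appliance licensing (added example, not Citrix code)."""
from datetime import datetime, timedelta
from enum import Enum

HEARTBEAT_INTERVAL = timedelta(minutes=20)   # notes: every 10-20 minutes (20 assumed here)
MISSED_HEARTBEATS_FOR_GRACE = 2              # notes: loss of 2 consecutive heartbeats
GRACE_PERIOD = timedelta(days=30)            # notes: 30-day grace period


class LicenseState(Enum):
    REAL = "Real"       # checkout returned a real license
    GRACE = "Grace"     # running on a grace license; operations continue normally
    DENIED = "Denied"   # unlicensed: the Virtual WAN Service is disabled


class LicenseServer:
    """SD-WAN Center side (assumed shape): a pool of licenses allocated per site."""

    def __init__(self, pool):
        self.free = dict(pool)   # license key -> unallocated count
        self.allocated = {}      # site -> license key
        self.missed = {}         # site -> consecutive heartbeats not received

    def checkout(self, site, key):
        """Answer a site's check-in/check-out with its license status."""
        self.missed[site] = 0
        if site in self.allocated:
            return LicenseState.REAL
        if self.free.get(key, 0) > 0:
            self.free[key] -= 1
            self.allocated[site] = key
            return LicenseState.REAL
        return LicenseState.DENIED   # pool exhausted for this edition/rate

    def heartbeat_missed(self, site):
        """After 2 heartbeats are not received, the site's license goes back to the pool."""
        self.missed[site] = self.missed.get(site, 0) + 1
        if self.missed[site] >= MISSED_HEARTBEATS_FOR_GRACE and site in self.allocated:
            self.free[self.allocated.pop(site)] += 1


class ApplianceLicense:
    """Appliance side: out-of-box grace, communication-failure grace and expiry."""

    def __init__(self, is_mcn, booted_at):
        self.state, self.grace_started, self.grace_reason, self.missed = LicenseState.DENIED, None, None, 0
        if not is_mcn:   # client nodes boot on a 30-day OOB grace license; an MCN must be licensed to come up
            self._enter_grace(booted_at, "out-of-box")

    def _enter_grace(self, now, reason):
        self.state, self.grace_started, self.grace_reason = LicenseState.GRACE, now, reason

    def checkout(self, now, status):
        """Apply the Real/Grace/Denied status returned by the license server."""
        self.missed = 0
        if status is LicenseState.REAL:
            self.state, self.grace_started, self.grace_reason = LicenseState.REAL, None, None
        elif status is LicenseState.GRACE and self.state is not LicenseState.GRACE:
            self._enter_grace(now, "license expiry")
        elif status is LicenseState.DENIED:
            self.state = LicenseState.DENIED
        return self.state

    def heartbeat_missed(self, now):
        """No reply from the license server for one heartbeat interval."""
        self.missed += 1
        if self.missed >= MISSED_HEARTBEATS_FOR_GRACE and self.state is LicenseState.REAL:
            self._enter_grace(now, "communication failure")
        return self.state

    def evaluate(self, now):
        """Timer tick: a grace period that runs out ends in the unlicensed state."""
        if self.state is LicenseState.GRACE and now - self.grace_started >= GRACE_PERIOD:
            self.state = LicenseState.DENIED
        return self.state

    def virtual_wan_enabled(self):
        return self.state is not LicenseState.DENIED


def run_branch_scenario():
    """Constructed timeline for one branch: OOB boot, licensed, then the link to SD-WAN Center is lost."""
    t0 = datetime(2018, 6, 1)
    server = LicenseServer({"SE-branch": 1})                 # constructed pool: one branch license
    branch = ApplianceLicense(is_mcn=False, booted_at=t0)
    timeline = [("boot", branch.state.value, branch.grace_reason)]
    branch.checkout(t0, server.checkout("Branch-1", "SE-branch"))
    timeline.append(("licensed", branch.state.value, branch.grace_reason))
    for i in (1, 2):                                          # two heartbeats go unanswered
        server.heartbeat_missed("Branch-1")
        branch.heartbeat_missed(t0 + i * HEARTBEAT_INTERVAL)
    timeline.append(("link-lost", branch.state.value, branch.grace_reason))
    branch.evaluate(t0 + timedelta(days=31))                  # nobody restored the link in time
    timeline.append(("expired", branch.state.value, branch.grace_reason))
    return timeline, server.free["SE-branch"], branch.virtual_wan_enabled()


def mcn_boots_unlicensed():
    """An MCN with no license never gets the OOB grace period."""
    return ApplianceLicense(is_mcn=True, booted_at=datetime(2018, 6, 1)).virtual_wan_enabled()
```

The scenario is the one the notes describe: the branch boots in "Grace" (reason out-of-box), becomes "Real" on its first checkout, drops back to "Grace" (reason communication failure) after the second missed heartbeat while SD-WAN Center returns its license to the pool, and becomes "Denied" once the 30 days pass without the link being restored. Watching for the grace reason in notifications tells an operator whether to chase a license renewal or a connectivity problem between the appliance and SD-WAN Center.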

NetScaler SD-WAN Standard Edition

Standard Edition features include software-defined WAN features to create a highly reliable network from multiple network links and to ensure that each application takes the best path to achieve the highest application performance.

NetScaler SD-WAN Standard Edition (SE)

Key Notes:

Standard Edition provides a solution for
• multi-link bandwidth aggregation,
• WAN path resiliency and visibility for those paths.

As well as hardware consolidation with built-in
• routing,
• firewall,
• VPN, and
• WAN optimization features.


NetScaler SD-WAN SE: Creates an aggregated tunnel

Virtual Path created from diverse WAN links

[Diagram: SD-WAN-SE at the branch and SD-WAN-SE at the Remote Data Center or Cloud, joined by a single Virtual Path built from several WAN links]

Key Notes:

• SD-WAN provides reliable connectivity between Data Centers, Branch Offices, and Clouds.
• Aggregated tunnels can be built statically or dynamically established between sites.
• MPLS Expedited Forwarding queue: makes resources available to latency-sensitive real-time, interactive traffic; useful with VoIP (no drop preference, which is supported with the Assured Forwarding (AF) model).


NetScaler SD-WAN SE: Each path measured unidirectionally

Latency, loss, jitter, congestion and availability are monitored for each path and in each direction.
• Real traffic is used for the measurement, not probe data.

[Diagram: each WAN path between the branch SD-WAN-SE and the Remote Data Center or Cloud SD-WAN-SE annotated with latency, loss, jitter and congestion in both directions]

Key Notes:

• NetScaler SD-WAN appliances continuously monitor every MPLS and broadband connection by tagging packets with sequence numbers. Destination appliances can detect path outages after just two or three missing packets, allowing seamless sub-second failover of traffic to the next-best WAN path. Users are never forced to restart, reconnect, or log in to applications again. Appliances also detect immediately when connections come back online, and seamlessly return traffic to the restored paths. Competing solutions can't match this level of failover performance.

• With each packet that passes through the network, SD-WAN measures the latency, loss, congestion and jitter of every available link, in each available direction.

• Not only are the measured link conditions used by the local SD-WAN, but the measurements are shared with partner devices, enabling the SD-WAN solution to detect even last-mile condition changes that would normally impact reliable application delivery.

• This intelligence is used for all network decisions and is key to providing an always-on branch and high application quality.

• Unlike competing SD-WAN solutions, NetScaler SD-WAN uses all factors in assessing path quality and measures with real traffic, not probe data.


NetScaler SD-WAN SE: Detect and fail over with no impact

Detect degraded links, blackouts or brownouts, and quickly adapt traffic
• Undetected to the end user

[Diagram: branch SD-WAN-SE and Remote Data Center or Cloud SD-WAN-SE with one failed path and traffic moved onto the remaining paths]

Key Notes:

• With the measurement capabilities of SD-WAN, if individual WAN path conditions change, NetScaler SD-WAN detects that within just a couple of packets.
• Even if there's not a full outage, NetScaler SD-WAN can detect brownouts such as high latency or loss spikes, and at sub-second speed divert traffic across healthier paths.
• SD-WAN enables failures like these to go undetected by the end user.
• The NetScaler ADC and NetScaler SD-WAN provide a similar function for the WAN, automatically redirecting traffic across any available connections. In fact, the experience is so seamless that users won't even realize any change has occurred. Their primary access IP address will remain unchanged, allowing users to access their apps and data using the same methods and devices.


NetScaler SD-WAN SE: Delivery across the best path

QoS Bandwidth Controls

Detect degraded links, blackouts or brownouts, and quickly adapt traffic
• Undetected to the end user

[Diagram: branch SD-WAN-SE and Remote Data Center or Cloud SD-WAN-SE with each session steered onto the path best matching its application class]

Key Notes:

• When a session starts, the packets are directed along the best path that matches the application classification based on those measurements. For example, real-time data such as voice or HDX is put on a low-loss, low-latency path.
• Based on the company's policies, customization can be done to give high-priority applications a higher priority class. And each application is assigned a share of the network using the Quality of Service engine, preventing low-priority applications from choking out critical data.
• Unlike many competing solutions, NetScaler SD-WAN treats each MPLS class of service as a separate potential path, allowing the solution to make maximum use of all available bandwidth, and adding another layer of intelligence on MPLS queues.
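The per-path measurement, outage detection and best-path selection described on the last three slides, as one added worked example (not Citrix code and not the product's algorithm): the receiving side reads the sequence number and send timestamp carried on every real data packet, derives latency, loss and jitter for that path and direction, marks the path down after a few packets' worth of silence, clears that on the next arrival, and ranks the usable paths for a traffic class so that a large flow can spill over onto the next entries. The field names, the 3-packet silence threshold, the 1.5x congestion rule, the scoring weights and the sample packets are all assumptions.

```python
"""Per-path, per-direction quality measurement from real data packets (added example, not Citrix code)."""
from collections import deque
from dataclasses import dataclass, field

OUTAGE_AFTER_MISSING = 3   # packet intervals of silence before a path is marked down (assumed)
WINDOW = 32                # latency samples retained per path/direction (assumed)


@dataclass
class PathStats:
    name: str              # e.g. "MPLS" or "Broadband"
    direction: str         # each direction is measured separately
    interval_ms: float     # expected spacing of packets on this path
    next_seq: int = 0
    received: int = 0
    lost: int = 0
    last_recv_ms: float = 0.0
    down: bool = False
    latencies: deque = field(default_factory=lambda: deque(maxlen=WINDOW))

    def observe(self, seq: int, sent_ms: float, recv_ms: float) -> None:
        """Account for one real data packet; no probe traffic is involved."""
        if seq > self.next_seq:                  # gap: the skipped packets were lost in flight
            self.lost += seq - self.next_seq
            self.next_seq = seq + 1
        elif seq == self.next_seq:
            self.next_seq += 1
        else:                                    # late arrival that was already counted as lost
            self.lost = max(0, self.lost - 1)
        self.received += 1
        self.latencies.append(recv_ms - sent_ms)
        self.last_recv_ms = recv_ms
        self.down = False                        # traffic is flowing again: path restored at once

    def check_silence(self, now_ms: float) -> bool:
        """Timer tick: mark the path down after OUTAGE_AFTER_MISSING packets' worth of silence."""
        if now_ms - self.last_recv_ms >= OUTAGE_AFTER_MISSING * self.interval_ms:
            self.down = True
        return self.down

    @property
    def latency_ms(self) -> float:
        return sum(self.latencies) / len(self.latencies) if self.latencies else float("inf")

    @property
    def jitter_ms(self) -> float:
        samples = list(self.latencies)
        if len(samples) < 2:
            return 0.0
        diffs = [abs(b - a) for a, b in zip(samples, samples[1:])]
        return sum(diffs) / len(diffs)

    @property
    def loss_pct(self) -> float:
        total = self.received + self.lost
        return 100.0 * self.lost / total if total else 0.0

    @property
    def congested(self) -> bool:
        """Queueing shows up as latency rising well above the path's own floor (1.5x rule assumed)."""
        return bool(self.latencies) and self.latency_ms > 1.5 * min(self.latencies)


def rank_paths(paths, realtime: bool):
    """Best path first; a large flow spills over onto the following entries."""
    usable = [p for p in paths if not p.down]
    if realtime:   # voice/HDX: loss and latency dominate, jitter also counts
        return sorted(usable, key=lambda p: 10 * p.loss_pct + p.latency_ms + p.jitter_ms)
    return sorted(usable, key=lambda p: (p.loss_pct, p.latency_ms))   # bulk: avoid retransmissions


def demo():
    """Constructed packets: MPLS is clean; broadband drops two packets, goes silent, then returns."""
    mpls = PathStats("MPLS", "branch->dc", interval_ms=20.0)
    bb = PathStats("Broadband", "branch->dc", interval_ms=20.0)
    for seq in range(10):
        sent = seq * 20.0
        mpls.observe(seq, sent, sent + 25.0)
        if seq not in (4, 5):                     # packets 4 and 5 never arrive on broadband
            bb.observe(seq, sent, sent + (40.0 if seq % 2 == 0 else 44.0))
    snap = {
        "mpls": (mpls.latency_ms, mpls.jitter_ms, mpls.loss_pct, mpls.congested),
        "bb": (bb.latency_ms, bb.jitter_ms, bb.loss_pct, bb.congested),
        "before": [p.name for p in rank_paths([mpls, bb], realtime=True)],
    }
    snap["bb_down"] = bb.check_silence(now_ms=bb.last_recv_ms + 3 * 20.0)   # three intervals of silence
    snap["during"] = [p.name for p in rank_paths([mpls, bb], realtime=True)]
    bb.observe(10, 200.0, 240.0)                  # broadband comes back online
    snap["restored"] = not bb.down
    snap["after"] = [p.name for p in rank_paths([mpls, bb], realtime=False)]
    return snap
```

Running demo() shows broadband at 42 ms average latency, 4 ms jitter and 20% loss while MPLS measures 25 ms with no loss; the real-time ranking prefers MPLS, broadband disappears from the ranking for the duration of the outage and is back in it as soon as a packet arrives, which is the sub-second failover and restoration the notes describe.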


ut
io
n

43 © 2018 Citrix Authorized Content


NetScaler SD-WAN SE: Use multiple paths for a single session

Bonding links can result in file transfers that take half the time, mitigating the impact of latency
• Spill over traffic

[Diagram: branch SD-WAN-SE and Remote Data Center or Cloud SD-WAN-SE with a single session spread across several WAN links]

Key Notes:

• Large flows such as file transfers or HDX print jobs can use more than one link or MPLS queue for a single session.
• This capability of spilling over traffic enables better application performance and better bandwidth utilization.


Lesson Objective Review

Which is not a key feature of NetScaler SD-WAN Standard Edition?

A. WAN bandwidth aggregation
B. Server Load Balancing
C. WAN path resiliency
D. Improve end user performance
E. Sub-second path condition change detection

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.




NetScaler SD-WAN WANOP Edition

WANOP Edition features include application acceleration, data reduction and protocol control to optimize applications across the WAN. It can optionally include a virtual Windows Server to simplify branch infrastructure and a mobile user PC plug-in.

NetScaler SD-WAN WANOP Edition (WO)

Key Notes:

• WANOP Edition provides a solution for optimizing a single link with
  • application classification,
  • quality of service and
  • WAN optimization techniques for application optimization.
• With WANOP, application visibility is easily accomplished and proves invaluable when troubleshooting.
• Specifically:
  • Optimize through TCP fast ramp-up (vs. Slow Start); maximize usable throughput of the available link (not just a percentage).
  • Compression: less bandwidth; faster delivery of smaller objects; less load on other devices.
  • Deduplication/Caching: don't retransmit already received data: faster response; less bandwidth.


NetScaler SD-WAN WO: Advanced TCP Flow Control

• SD-WAN provides advanced TCP flow control to mitigate the effects of TCP slow start when loss or congestion is detected on the network.
• Flow control also maximizes the usage of the available WAN link.

[Diagram: throughput over time without NetScaler SD-WAN, with TCP slow start leaving the link speed under-utilized, compared with NetScaler SD-WAN]

Key Notes:

• This is just an example of one Remote Branch Office communicating with the Data Center, utilizing the NetScaler SD-WAN WANOP Edition sitting transparently in the path of the traffic flow.
• Adaptive TCP flow control is the most basic WAN optimization technique, and it addresses the pessimistic approach in the TCP protocol design. Since traditional TCP is not aware of the bandwidth condition, it is designed to pump less data onto the line to begin with and then increase gradually if all packets arrive without errors. In case of a dropped packet, the protocol is designed to fall back to half the sending rate and ramp up again. This design helps avoid congestion and retransmissions on poor, low-bandwidth WAN connections.
• WANOP Edition takes an optimistic design approach and attempts to fill the pipe (the sending rate almost equals the link speed). In case of a dropped packet, it does not let the sending rate fall back exponentially and attempts to maintain the average utilization. The intelligent optimizer responds to latency and packet loss by adapting to the line conditions.
• WANOP Edition is designed to optimize a single WAN path or tunnel and is a viable option to increase application performance when the WAN path is of poor quality due to oversubscription, latency, and loss.
• The optimization techniques are designed to overcome high packet loss and network latency for connections across the world, "fill the available pipe" to mitigate the effects of TCP slow start, implement Quality of Service to prioritize business-critical applications, and effectively deliver all TCP applications.


NetScaler SD-WAN WO: Advanced TCP Flow Control

Compression and Deduplication
• Compression: single-ended, object-level compression
• Deduplication: proprietary cross-stream pattern matching with bit-pattern caching

[Diagram: traffic between the Remote SD-WAN-WO and the Data Center or Cloud SD-WAN-WO, without and with NetScaler SD-WAN]

Key Notes:

• WANOP Edition's adaptive compression technology works between appliance pairs residing on opposite ends of a WAN connection to reduce WAN bandwidth requirements. It uses multiple compression engines to optimize all application traffic at full WAN speeds.
• Without any WAN optimization solution, every packet of communication would be required to traverse the conditions of the Wide Area Network, and if the applications were not designed for high-latency, lossy, and congested networks, the end-user performance would suffer.
• NetScaler SD-WAN WANOP Edition uses several standard compression algorithms to reduce the size of data as it moves across the WAN. SD-WAN also maintains a compression history that is shared across connections. This means that data sent earlier by one connection can be used later to optimize traffic flowing over another connection. Smaller data streams that are seen frequently are stored in memory for low-latency access. Larger data streams, such as bulk file transfers, are stored on disk. This large-history, multi-session compression technology erases the distinction between compressible and uncompressible data. For example, a JPEG image is normally considered uncompressible. However, when sent multiple times, the entire image can be replaced by a pointer to the data already in the receiving appliance's compression history, resulting in significant bandwidth savings.
• SD-WAN is not limited to referencing entire file objects. By leveraging pattern matching down to the block and byte level, it can also remove redundant data transmitted across different files and applications.
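The shared compression history described above, as an added worked example (not Citrix code and not the product's algorithm, which matches patterns below block granularity): the sender splits a byte stream into fixed blocks, hashes each block, and emits a short reference for any block already in the history it shares with the receiving peer, otherwise a zlib-compressed literal. Both peers update their history identically, so the second transfer of an "uncompressible" object costs only references, and a block first seen in one file is reused when it reappears in another. The block size, the framing, the 256-byte blocks and the sample data are assumptions.

```python
"""Shared-history deduplication between a pair of WAN optimization peers (added example, not Citrix code)."""
import hashlib
import random
import struct
import zlib

BLOCK = 256     # assumed block size for the history, in bytes
TAG_LEN = 32    # full SHA-256 digest as the reference; a truncated tag would invite collisions


class History:
    """Kept identical on both peers: digest -> block bytes."""

    def __init__(self):
        self.blocks = {}

    def remember(self, block):
        digest = hashlib.sha256(block).digest()
        self.blocks.setdefault(digest, block)
        return digest


def encode(data, history):
    """Sender side: 'R'+digest for a block already in the history, 'L'+len+zlib(block) otherwise."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK]
        digest = hashlib.sha256(block).digest()
        if digest in history.blocks:
            out += b"R" + digest
        else:
            packed = zlib.compress(block)
            out += b"L" + struct.pack(">H", len(packed)) + packed
            history.remember(block)
    return bytes(out)


def decode(stream, history):
    """Receiver side: rebuild the stream. A reference to an unknown block means the two
    histories have diverged, so refuse rather than emit wrong data."""
    out = bytearray()
    i = 0
    while i < len(stream):
        tag = stream[i:i + 1]
        i += 1
        if tag == b"R":
            digest = stream[i:i + TAG_LEN]
            i += TAG_LEN
            if digest not in history.blocks:
                raise ValueError("reference to a block missing from the history")
            out += history.blocks[digest]
        elif tag == b"L":
            (n,) = struct.unpack(">H", stream[i:i + 2])
            i += 2
            block = zlib.decompress(stream[i:i + n])
            i += n
            history.remember(block)
            out += block
        else:
            raise ValueError("bad tag")
    return bytes(out)


def transfer(data, sender, receiver):
    """Send data across the 'WAN' once; returns the bytes on the wire after verifying the rebuild."""
    wire = encode(data, sender)
    if decode(wire, receiver) != data:
        raise ValueError("receiver rebuilt a different stream")
    return len(wire)


def demo():
    rng = random.Random(7)
    jpeg = bytes(rng.randrange(256) for _ in range(4 * BLOCK))   # constructed: incompressible object
    report = (b"Quarterly numbers: " * 40)[:2 * BLOCK]             # constructed: highly repetitive text
    sender, receiver = History(), History()
    first = transfer(jpeg, sender, receiver)       # all literals: no gain on random bytes
    second = transfer(jpeg, sender, receiver)      # all references: 4 x (1 + 32) bytes
    text = transfer(report, sender, receiver)      # compression does the work here
    mixed = transfer(jpeg[:BLOCK] + report[:BLOCK], sender, receiver)   # blocks reused across files
    return {"jpeg_first": first, "jpeg_second": second, "text": text, "mixed": mixed,
            "jpeg_len": len(jpeg), "text_len": len(report)}
```

The point of the decode-side check is operational rather than cosmetic: a deduplication peer can only substitute data it is sure the other side holds, so the histories on both appliances must be kept in lockstep and a reference that cannot be resolved is an error to surface, not something to paper over.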



Lesson Objective Review

Which is not a key feature of NetScaler SD-WAN WANOP Edition?

A. WAN bandwidth aggregation
B. Improve end user performance
C. TCP slow start mitigation
D. Packet payload deduplication
E. Quality of Service

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.




NetScaler SD-WAN Enterprise Edition

Enterprise Edition takes the features of both Standard Edition and WANOP Edition and combines them into a single appliance solution.

NetScaler SD-WAN Enterprise Edition (EE)

Key Notes:

• NetScaler SD-WAN WANOP Edition provides application acceleration, data reduction and advanced protocol control to optimize applications across a limited WAN link.
• Enterprise Edition users will need one Standard Edition appliance and one WANOP appliance in the data center. In the branch office, you will need just one Enterprise Edition appliance, which combines WAN optimization and Virtual WAN functions into a single appliance for the branch.
  - Branch office: 1 Enterprise Edition (1 appliance doing the work of both)
  - Data center: usually either SE or WO or both (2 appliances)


NetScaler SD-WAN Enterprise Edition

All-in-one solution, providing reliable, resilient, and high-performing network delivery

[Diagram: SD-WAN-EE at the branch connected over multiple WAN links to the Data Center or Cloud]

Key Notes:

• Take what you have learned about Standard Edition and WANOP Edition and apply all of that to understand the Enterprise Edition.
• NetScaler SD-WAN Enterprise Edition also starts by building a single logical tunnel from diverse network links, but it also uses the techniques of WANOP Edition to make better use of the available "aggregated" bandwidth.
• The diagram here is again a very simple representation of a two-site example utilizing a pair of appliances, but with the SD-WAN product portfolio you can mix and match hardware to accomplish whatever challenges your network may face. For example, you can utilize separate hardware Standard Edition and WANOP Edition appliances at the data center to communicate with any one of the appliances, even a single Enterprise Edition at the branch offices. Enterprise Edition specifically targets remote sites that need to streamline the operation and management of their remote office networking infrastructure.
• The Enterprise Edition appliance is the "all-in-one" solution that provides reliable and robust connectivity from branch to data center, branch to branch or branch to cloud.


NetScaler SD-WAN Enterprise Edition: Built-in application optimization for HDX

Built-in integration with Citrix XenApp and XenDesktop traffic for HDX channel steering and optimization
• Results in a turbo-charged end-user experience

[Diagram: Remote SD-WAN-EE delivering sessions to XenApp and XenDesktop]

Key Notes:

• NetScaler SD-WAN has built-in integration with Citrix XenApp and XenDesktop traffic and also enables HDX channel steering and optimization.
• With built-in WAN optimization, the HDX protocol is further enhanced with optimization, compression and deduplication,
• then handed off to the built-in path measurement engine to deliver the individual sessions to the paths that will best provide a reliable and high-performing end-user experience.
• The Enterprise Edition appliance is the "all-in-one" solution that provides reliable and robust connectivity from branch to data center, branch to branch or branch to cloud.


Lesson Objective Review

True or False?
NetScaler SD-WAN Enterprise Edition is designed to consolidate hardware infrastructure by having built-in WAN Optimization, plus other features, to simplify the operational and management cost associated with having separate hardware gear typically used to serve individual functions.

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.


Lesson Objective Review

True or False?
NetScaler SD-WAN Enterprise Edition is designed to consolidate hardware infrastructure by having built-in WAN Optimization, plus other features, to simplify the operational and management cost associated with having separate hardware gear typically used to serve individual functions.

Correct Answer: False

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.
• The answer is False: NetScaler SD-WAN provides the WAN link bonding and resiliency, whereas NetScaler ADC is focused on load distribution.


NetScaler SD-WAN Solution and Platforms

[Diagram: Application Visibility, Historical Reporting, SD-WAN Orchestration, WAN Path Analytics, Zero Touch Deployment Service]

Key Notes:

• NetScaler SD-WAN management tools aid in deployment, configuration, analytics, and reporting of NetScaler devices in an enterprise network.
• Centralized control and management is very important in making NetScaler SD-WAN a manageable solution, especially with the ability to have different editions and models scattered around a network environment, and where partner devices residing in numerous remote offices are a requirement.
• NetScaler Management and Analytics System (MAS) will be the single centralized system for all the listed management functions. Where previously Citrix Command Center and NetScaler Insight Center were used separately to handle the Orchestration and Application Visibility of WANOP and Enterprise Edition, that responsibility has now been seamlessly integrated into NetScaler MAS.
• NetScaler SD-WAN Center is used exclusively to handle Orchestration, WAN Path Visibility, and Zero Touch Deployments of Standard and Enterprise Edition. Eventually these functions will also be seamlessly integrated into NetScaler MAS.
• NetScaler MAS will act as a single centralized system for configuring the network and application policies, monitoring, reporting and analytics, in addition to Zero Touch Deployment capability.


NetScaler SD-WAN Application Visibility

[Diagram: NetScaler MAS collecting AppFlow records from the Remote SD-WAN-EE, the Data Center or Cloud SD-WAN-SE and SD-WAN-WO, and NetScaler Gateway]

Key Notes:

• Application visibility becomes invaluable when troubleshooting performance issues in a network.
• With NetScaler products in any environment, the capability of exporting Application Flow records to a collector like NetScaler MAS is significant when dealing with application performance issues that need deep investigation. NetScaler MAS aids in making applications more transparent and provides granular detail that helps Admins converge on a segment of the network as opposed to troubleshooting end-to-end.
• For the HDX protocol in particular, integrated data collection is laid out in an easy-to-read topology to help with hop-by-hop visibility.
• WANOP or Enterprise Edition at the branch and WANOP Edition at the data center provide Layer 4 visibility for ICA.
• Standard Edition at the branch and Standard Edition at the data center, aided by NetScaler Gateway, provide the same Layer 4 visibility for ICA.
• It's important to understand that ICA information needs to come from a single device in the network, while the L4 information is supplied by every device.
• ICA information needs to come from SD-WAN WANOP Edition or NetScaler Gateway, depending on the deployment and devices being used.
• MAS visibility requires AppFlow:
  • for MDX visibility
    • WO editions x2
    • or Standard Edition with NSG doing AppFlow reporting
    • or Enterprise Edition…


NetScaler SD-WAN Orchestration of WANOP Edition

[Diagram: NetScaler MAS managing the SD-WAN-WO appliance at the Data Center or Cloud, alongside the Remote SD-WAN-EE and SD-WAN-SE]

Key Notes:

• NetScaler MAS can manage WANOP editions only
• Monitoring: SE/EE/WO (9.3 and later)
• HDX Insight: EE (9.3 and later)
• Use SD-WAN Center for SE/EE editions
• MAS allows for centralized management of SD-WAN WANOP appliances from a central management system.


NetScaler SD-WAN Orchestration of Standard Edition

[Diagram: NetScaler SD-WAN Center and the Zero Touch Deployment Service managing the Remote SD-WAN-EE and the Data Center or Cloud SD-WAN-SE]

Key Notes:

• SD-WAN Center provides centralized management, configuration, monitoring and reporting for SD-WAN appliances
• Supports: SE, EE, WANOP
• Requires a Master Control Node (MCN)
• Plan for VM requirements: storage/cpu/mem/networking…


Lesson Objective Review

True or False?
NetScaler SD-WAN Management Tools, such as NetScaler MAS and SD-WAN Center, play a small role in NetScaler SD-WAN environments.

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.


Lesson Objective Review

True or False?
NetScaler SD-WAN Management Tools, such as NetScaler MAS and SD-WAN Center, play a small role in NetScaler SD-WAN environments.

Correct Answer: False

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.
• False: the NetScaler SD-WAN solution requires partner appliances to establish either optimized communication or tunneled communication between sites, meaning there are numerous appliances in the network which, without central management, would be difficult to maintain and manage.


SD-WAN Concepts and Configuration Management

• Master Control Node (MCN)
• Virtual WAN Service
• Configuration Editor
• Configuration Management - Staging/Activation

Key Notes:

• MCN: Master Control Node: only one per Virtual WAN.
  • Appliances start in "client mode"; this allows for "local" configuration that is appliance specific.
  • The MCN provides for centralized configuration and configuration/update distribution.
  • Only 1 active MCN in a Virtual WAN, but a secondary MCN can be deployed for resiliency (HA).
  • PRIMARY purpose: establish/utilize Virtual Paths (control the Virtual WAN (SD-WAN) site topology).
  • Some monitoring is limited to the MCN only.
  • MCN console mode affects the GUI, not overall appliance behavior.
• Configuration Editor: the MCN is where you use the Configuration Editor; if the GUI session expires with unsaved configuration settings, you lose those settings.
  • Save the configuration to store settings.
  • Import/Open to edit existing configurations.
  • Use Configuration Management to deploy settings.
  • Use Save As to create a new package, as opposed to Save (overwriting the existing one).
• Virtual WAN Service: the Virtual WAN Service allows the appliance to receive settings from the MCN and to participate in Virtual WAN networking/path decisions.
  • New appliances will have the service disabled. They must first have an initial configuration pushed identifying the Virtual WAN and site participation information.
• SD-WAN Center:
  • Has a Configuration Editor.
  • However, Change Management is still handled by the MCN, and it pushes packages to managed systems.


SD-WAN Initial Setup Tasks

Initial Appliance Setup
• Console Connection (SSH or Hypervisor)
• management_ip
• set interface <mgmt. ip> <netmask> <gateway>
• apply
• Switch to web browser for reset

Initial Management Tasks - Appliance Administration
• System Date/Time, Time Zone, NTP synchronization
• Appliance Admin password (not in lab)
• Appliance Licensing (not in lab)
• SSL Certs
• Web Console Timeout: IMPORTANT


SD-WAN Initial Configuration

Configuration:
• Enable Master Control Node (MCN) on 1 (Head End Appliance)
• Note: Configuration Editor includes warnings to help you find configuration details you are missing.

Initial Virtual WAN Configuration
Create/Configure SITE
• Define appliance/location - appliance type is identified
• Designate the MCN role (where applicable)
Configure: Site > INTERFACE GROUPS
• INTERFACE GROUPS: Interface(s), Bypass mode (Fail-to-Wire vs Fail-to-Block), Security (trusted/untrusted)
• VIRTUAL INTERFACES: network names, bridge pairs
Configure: Site > WAN LINKS
• WAN LINKS: Use the Interface Groups/Virtual Interfaces to define connection flows with other SD-WANs
• ACCESS INTERFACES: IP/Gateway of each WAN Link


Site DC Configuration Summary

Interface Groups:
DC_MPLS: 1 & 2
DC_INET: 3
DC_LTE: 4

Virtual IP Addresses:
172.16.10.2/24 (DC_MPLS)
172.16.20.2/24 (DC_INET)
192.168.16.2/24 (DC_LTE)

WAN Links
<wan link>: <Access Type> <throughput>
DC_MPLS (WL): Private Intranet (Later lab, Private MPLS)
Access Interface: IP: 172.16.10.2; Gwy: 172.16.10.1
DC_INET (WL): Private Internet
Access Interface: IP: 172.16.20.2; Gwy: 172.16.20.1
DC_LTE (WL): Private Internet
Access Interface: IP: 192.168.16.2; Gwy: 192.168.16.3
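As an added example (not Citrix code and not part of the original deck), the following Python script encodes the Site DC summary above and checks it for the kind of inconsistencies the Configuration Editor warnings are meant to surface: a port used in two Interface Groups, Fail-to-Wire on anything other than a bridge pair, an Access Interface IP that is not a Virtual IP of its group, or a gateway outside that Virtual IP's subnet. The dict layout, the bypass modes assigned to the DC groups and the rule set are assumptions of this example, not the editor's own validation logic.

```python
import copy
import ipaddress

# Constructed sample input: the Site DC values from the configuration summary.
# The bypass modes are assumed here; the slide lists only the port membership.
SITE_DC = {
    "interface_groups": {
        "DC_MPLS": {"ports": [1, 2], "bypass": "fail-to-wire"},
        "DC_INET": {"ports": [3], "bypass": "fail-to-block"},
        "DC_LTE": {"ports": [4], "bypass": "fail-to-block"},
    },
    # Virtual IPs per interface group (one virtual interface per group here).
    "virtual_ips": {
        "DC_MPLS": ["172.16.10.2/24"],
        "DC_INET": ["172.16.20.2/24"],
        "DC_LTE": ["192.168.16.2/24"],
    },
    # WAN links keyed by the interface group they ride on.
    "wan_links": {
        "DC_MPLS": {"access_type": "Private Intranet", "ip": "172.16.10.2", "gateway": "172.16.10.1"},
        "DC_INET": {"access_type": "Private Internet", "ip": "172.16.20.2", "gateway": "172.16.20.1"},
        "DC_LTE": {"access_type": "Private Internet", "ip": "192.168.16.2", "gateway": "192.168.16.3"},
    },
}

VALID_BYPASS = {"fail-to-wire", "fail-to-block"}


def validate_site(site):
    """Return a list of problems found in a site definition; an empty list means it is consistent."""
    problems = []
    groups = site["interface_groups"]

    # 1. Interface groups: a physical port may belong to one group only, and
    #    fail-to-wire only makes sense on a bridge pair (exactly two ports).
    port_owner = {}
    for name, grp in groups.items():
        for port in grp["ports"]:
            if port in port_owner:
                problems.append(f"{name}: port {port} is already used by {port_owner[port]}")
            port_owner[port] = name
        if grp["bypass"] not in VALID_BYPASS:
            problems.append(f"{name}: unknown bypass mode {grp['bypass']!r}")
        elif grp["bypass"] == "fail-to-wire" and len(grp["ports"]) != 2:
            problems.append(f"{name}: fail-to-wire needs a bridge pair, got {len(grp['ports'])} port(s)")

    # 2. Virtual IPs: every one must sit on a defined interface group.
    vips = {}
    for name, cidrs in site["virtual_ips"].items():
        if name not in groups:
            problems.append(f"virtual IP(s) {cidrs} reference unknown interface group {name}")
        vips[name] = [ipaddress.ip_interface(c) for c in cidrs]

    # 3. WAN links: the access interface IP must be a virtual IP on the same group,
    #    and the gateway must be a different host inside that virtual IP's subnet.
    for name, wl in site["wan_links"].items():
        candidates = vips.get(name, [])
        ip = ipaddress.ip_address(wl["ip"])
        gw = ipaddress.ip_address(wl["gateway"])
        match = next((v for v in candidates if v.ip == ip), None)
        if match is None:
            problems.append(f"{name}: access interface IP {ip} is not a virtual IP on {name}")
            continue
        if gw not in match.network:
            problems.append(f"{name}: gateway {gw} is outside {match.network}")
        elif gw == ip:
            problems.append(f"{name}: gateway must differ from the access interface IP {ip}")
    return problems


def example_misconfiguration():
    """Constructed variant with two typical slips: fail-to-wire on a single-port
    group, and a gateway that is not on the virtual IP's subnet."""
    site = copy.deepcopy(SITE_DC)
    site["interface_groups"]["DC_INET"]["bypass"] = "fail-to-wire"
    site["wan_links"]["DC_LTE"]["gateway"] = "192.168.17.3"
    return site


if __name__ == "__main__":
    for label, site in (("Site DC", SITE_DC), ("misconfigured copy", example_misconfiguration())):
        found = validate_site(site)
        print(f"{label}: {'OK' if not found else str(len(found)) + ' problem(s)'}")
        for p in found:
            print("  -", p)
```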


Key Takeaways

• SD-WAN is designed to increase the performance and reliability of application and resource access across the WAN.
• Various platforms and features allow for the right mix of capabilities, combining proactive application traffic management.
• The centralized management tools that SD-WAN provides make networks more agile and adaptable.


• Exercise 1-1: SD-WAN Installation Design

Key Notes:

• The Optional Self Study exercises are added to allow students to continue the hands-on experience outside of class time. You are given 30 days of access to the lab environment and can go in at any time and complete these labs.
• This is a read-only module and is a great one to review at a later time to examine the installation design.


• Exercise 1-2: Configuration of the Head-End SD-WAN
• Exercise 1-3: Configure the Remote Office SD-WAN node
• Exercise 1-4: Configure the SD-WAN path relationships


CITRIX

NetScaler SD-WAN Hands-on Workshop
SD-WAN Provisioning and Change Management

CNS-200W
Version: 1.3


Learning Objectives

• Identify appliance architecture
• Evaluate Data Interfaces
• Examine the sizing and management options on Enterprise, Standard, and WANOP editions.
• Explain packet processing architecture
• Describe SD-WAN services architecture


NetScaler SD-WAN Appliance Architecture

[Figure: Hypervisor | Bare Metal]

NetScaler SD-WAN Editions can either be hypervisor based or run directly on bare metal.

Key Notes:

• WANOP edition virtual machine support: XenServer, ESXi, and Hyper-V since at least 9.1 as well; not XenCenter only.
• SE/Ent Editions virtual machine support (as of 9.3): XS, ESXi, HyperV, KVM, AWS, Azure Software Rel.
• Physical appliances for all editions; different models depending on functionality/edition/throughput requirements.
• NetScaler SD-WAN Editions can either be hypervisor based, powered by XenServer, or can run directly on bare metal.
• We will take a look at the architecture for each and highlight the differences.


NetScaler SD-WAN Virtual Appliance Architecture

[Figure: Instances (SD-WAN-WO: WANOP VPX; SD-WAN-SE: Virtual WAN VPX) running on the XenServer Hypervisor through vSwitches, on top of Hardware: Mgmt. Network Interfaces, Memory, CPU, SSD, Data Network Interfaces]

Key Notes:

• Devices with primary focus on hypervisor based: 1000, 1100*, 2000, 2100


NetScaler SD-WAN Bare Metal Architecture

[Figure: Software (SD-WAN-SE: Virtual WAN VPX) installed directly on Hardware: Mgmt Network Interfaces, SSD, Memory, CPU, Data Network Interfaces]

Key Notes:

• Here the software is installed directly on the hardware, which yields better performance. Due to this you will see more SD-WAN appliance options as bare metal.
• Devices with primary focus on bare metal: 210*, 410, 4100*, 5100
  • *At this moment, 210 and 4100 are roadmap platforms.
• The bare metal architecture is currently shipping only with the 410 Standard Edition appliances, but expect to see more appliances shipping as bare metal.
• The upgrade procedure for bare metal requires less attention, as only the software gets updated and an OS upgrade is not required.


SD-WAN Physical Appliance Interface Layout

[Figure: 410-SE (Rear view) - Management port, Serial, Data ports in fail-to-wire pairs; 5100-SE (Front view) - Management port, Serial, Data ports in fail-to-glass pairs]

Key Notes:

• Regardless of the internal architecture, and irrespective of the Edition, all SD-WAN appliances are designed to provide management access to the appliance, which is designed to be segregated from the data interfaces for security purposes.
• Depending on the model, the interfaces for management and data may reside on either the front of the chassis or the rear.
• As an example, let's take a look at the 410-SE appliance with interfaces on the rear of the chassis.
• Data interfaces are paired together to provide fail-to-wire capabilities, and are separated from management interfaces, both physically and via the internal architecture as illustrated earlier.
• Management interfaces include both an Ethernet and a Serial port, providing different options to begin initial configuration.
• Optionally, configuration can be accomplished utilizing Zero Touch Deployment. Only certain SD-WAN appliances, like this 410-SE, ship from the factory with DHCP enabled so that the appliance can IP address itself on the Management port as soon as it boots up and connects to the network. If DHCP is not available, then the appliance defaults to a 192.168.100.1 IP address for manual GUI access.
• As another example, let's take a look at the 5100 appliance with interfaces on the front of the chassis.
• Again, management interfaces and paired bypass-capable data interfaces are available. Reference the NetScaler SD-WAN Data Sheet for further specs on interfaces, which vary between platforms. In the case of the 5100, it uses fiber interfaces on the data ports and uses fail-to-glass technology to accomplish the bypass.
• Regardless of whether DHCP is enabled or not on the management interface, the default IP address of any SD-WAN appliance is 192.168.100.1 in factory default state. That IP should be changed during the initial configuration.

Data Interfaces with built-in Bypass

• Paired interfaces with "fail-to-wire"
• Fault-tolerance hardware feature
• High Availability for Data Center
• Fail-to-wire for Branch Offices

Key Notes:

• Let us dive a little deeper into the data ports or interfaces and the functionality of (2) paired interfaces configured in bypass or "fail-to-wire" mode. We will need to consider the different editions of SD-WAN to better understand this.
• NetScaler SD-WAN's hardware bypass capability is an important fault-tolerance feature of networking hardware that protects essential business communication in the event of a power outage and/or system failure. More importantly, it eliminates the need for redundant hardware deployed at each site in high availability pairs.
• Typically a pair of SD-WAN appliances, regardless of the Edition, is recommended to be deployed at the data center, utilizing the high availability capability. This is because if the head-end appliance becomes unavailable, the impact is network-wide, since all remote sites typically rely on the data center for applications or data.
• But generally speaking, other sites are not dependent on the branch office site, and if a remote site loses SD-WAN capability, the impact is not severe. This is where hardware bypass comes into the picture, allowing that particular site to still have connectivity utilizing the existing underlay network.
• Don't be mistaken, however: hardware bypass is also useful at data center locations, and is not a feature limited to the branch office. Also, high availability is available at remote sites for deployment, if the network requires it.
• Similarly, NetScaler SD-WAN hardware deployed to virtualize multiple WAN links utilizes the bypass capability of the hardware to guarantee network connectivity during issues, and the bypass capability provides enough fail-safe in some scenarios to eliminate the need for high availability.


SD-WAN Hardware Bypass on WANOP Edition

Optimizing a single WAN Link

[Figure: Hosts - Core - SD-WAN WANOP (fail-to-wire) - Router]

Key Notes:

• Let's take a look at a remote site deployment to showcase the hardware bypass capability, where the WANOP Edition has been chosen to optimize a single WAN link.
• In order to utilize the hardware bypass capability, SD-WAN WANOP needs to be deployed right in the path of the data flow, normally between the core switch and the WAN edge router. Reference the NetScaler SD-WAN documentation for interface naming and pair association.
• When the appliance is up and active, the traffic is processed by the SD-WAN engine and, after processing, sent right out of the partner data interface.
• When the appliance goes down, the packet processing capability is no longer active; the appliance bypass relays detect that and immediately kick into a closed state, connecting the two ends.
• From the perspective of the network, it is as if the SD-WAN is not in the path at all, and traffic flow resumes on the underlay network.


Hardware Bypass for Standard and Enterprise Edition

Virtualize multiple WAN Links

[Figure: Hosts - Core - SD-WAN with two fail-to-wire pairs - Firewall and Router]

Key Notes:

• Let's take a look at a simple depiction of the network components that make up a branch site, where we need to virtualize the WAN.
• Similar to WANOP, SD-WAN Standard and Enterprise Edition need to be deployed right in the path of the data flow in order to utilize the hardware bypass capability. Again, the normal deployment for inline is between the core switch and the WAN edge devices. Reference the NetScaler SD-WAN documentation for interface naming and pair association.
• When the appliances are up and active, the traffic is processed by the SD-WAN engine and delivered across the multiple WAN facing interfaces.
• Standard and Enterprise Editions are unique in that interfaces can be identified as paired and enabled for fail-to-wire, or identified as single operated and configured for fail-to-block.
• In this example, there are two links between the core switch and the WAN edge devices, so fail-to-wire can be enabled on both interface pairs that are sitting in the path of traffic.
• When the appliance goes down, the packet processing capability is no longer active, and the appliance fail-to-wire relays detect that and immediately kick in to close the connection between the two interfaces. From the perspective of the network, it is as if the SD-WAN is not in the path at all, and traffic flow resumes on the underlay network.


Lesson Objective Review

What is the default IP address of any SD-WAN appliance?

a) There is no default IP
b) 192.168.100.1
c) 192.168.1.1
d) 172.168.0.1
e) None of the above

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.




Appliance Sizing for Standard Edition

[Figure: sizing table (NetScaler SD-WAN 410 and 5100 models with their throughput tiers) and topology of Branch A, Branch C and the Data Center behind a Firewall]

Branch A WAN Links:
MPLS - 2Mbps up / 10Mbps down
INET - 5Mbps up / 50Mbps down

Data Center WAN Links (SD-WAN 5100-2000-SE):
MPLS - 100Mbps up/down
INET - 1Gbps up/down

Key Notes:

• Taking a closer look at what it takes to configure NetScaler SD-WAN Standard Edition and Enterprise Edition appliances in this example of a very simple yet common customer environment.
• Once it is determined that Standard Edition (and Enterprise Edition alike) will be used to address a customer's application delivery needs, the first step is to architect the environment and select the appropriate devices per location. This is done through a sizing exercise to determine the total WAN capacity expected at each location and the appropriate appliance that fits the need. The NetScaler SD-WAN Data Sheet should be used to obtain the latest performance specs. Do a web search for "NetScaler SD-WAN Data Sheet" and you will find the latest PDF online.
• Starting at the Data Center site, we need to determine the number of WAN links that terminate at that site as well as the upload and download speed per WAN link.
• As an example, let us say the MPLS WAN link is measured at 100Mbps up/down and the INET WAN link is measured at 1Gbps. We also have the added knowledge that the customer expects to grow quickly, with the potential of adding another 4Gbps of Internet capacity in the coming 5 years. The number of remote sites is also important to understand for sizing, but let's set that aside for now.
• With the provided detail we can quickly determine that a 5100-2000 Standard Edition appliance is needed with a 2Gbps license file to support the 1.5Gbps of total WAN capacity. That appliance will also allow for more capacity using the license pay-grow model, jumping up in bandwidth simply by purchasing a larger license later down the line when needed, without having to upgrade the hardware.
• Let's go through the same exercise with Branch A: we can see that we need a total WAN capacity of 60Mbps to accommodate the higher download speeds.
• And with that, determine that a 410-100-SE would be appropriate.
• Site B is a mirror of Site A, so a 410-100-SE can be selected there.
• Enterprise Edition also falls into a similar sizing exercise, with the added component of WANOP capability to calculate.
• Lastly, we have connectivity to the cloud, where we want to provision an SD-WAN instance to provide SD-WAN connectivity to apps that reside there from the Branch and Data Center sites.
• Next we will step through how this architecture is managed and configured.

Configuration Editor for Standard and Enterprise

[Figure: Configuration Editor site tree (Data Center, Branch A, Branch B, Branch Azure; Basic Settings, Routing Domains, Interface Groups, Virtual IP Addresses, GRE Tunnels, WAN Links, Certificates, High Availability); NetScaler SD-WAN Center (Network Discovery, Network Configuration, Zero Touch Deployment, Appliance Settings) as Central Controller; SD-WAN 5100-2000-SE as MCN at the Data Center behind the Firewall; Branch A and Branch B as Client Nodes]

Key Notes:

• The Standard and Enterprise Edition appliance architecture is designed to act like a layer 3 router. From the perspective of end hosts it is an encrypted tunnel that enables reliable connectivity between sites, but from the perspective of the network, SD-WAN takes full control of packet delivery across the Wide Area Network segment. We will get into the detail of the packet flow architecture later.
• The Data Center appliance is typically promoted to the "Master Control Node", otherwise referred to as the MCN.
• MCN-promoted appliances reveal an option in the GUI called "Configuration Editor".
• NetScaler SD-WAN Center can also be deployed on-prem to act as the central controller, which not only communicates with the MCN, but also with the Branch office SD-WAN appliances.
• Both SD-WAN Center and the MCN have the Configuration Editor, where the configuration can be built to identify the WAN link detail of the Data Center site, as well as the branch sites, which are known as Client Nodes. The individual appliance GUI for the Client Nodes is identical to the MCN node's, but lacks the Configuration Editor and Change Management components.
• A configuration file can be built and imported from an active MCN into SD-WAN Center and, vice versa, a configuration can be built and imported from SD-WAN Center to the MCN.
• The Configuration Editor manages the SD-WAN architecture for each site device that is intended to operate on the SD-WAN overlay network. Details of each site include device model, routing domains, interface usage, WAN links with specific speeds and high availability for each site. Change Management is then used to build the configuration and software package for each specific SD-WAN deployed site.


Sizing for WANOP Edition

[Figure: Branch A, Branch B and the Data Center (SD-WAN 5000-1500-WO) connected over MPLS]

Branch A WAN Links:
MPLS - 2Mbps up / 10Mbps down
100 concurrent HDX

Branch B WAN Links:
MPLS - 2Mbps up / 10Mbps down
60 concurrent HDX

Data Center WAN Links (SD-WAN 5000-1500-WO):
MPLS - 1Gbps up/down
3,500 concurrent HDX

Key Notes:

• Now let's focus on configuration management of NetScaler SD-WAN WANOP Edition appliances. We will again use a very simple yet common customer environment as an example. One thing to point out is that generally WANOP Edition is deployed to enhance the network delivery capability of a single WAN link, as illustrated in this example, but it can be deployed behind multiple WAN links; it just lacks the intelligence to distinguish between the two and treats them as one.
• Once it is determined that WANOP Edition will be used to address a customer's application delivery needs, again the first step is to architect the environment and select the appropriate devices per location. This is done through a sizing exercise to determine the WAN capacity expected at each location and the appropriate appliance that fits the need. The NetScaler SD-WAN Data Sheet should be used to obtain the latest performance specs. Do a web search for "NetScaler SD-WAN Data Sheet" and you will find the latest PDF online.
• Starting at the Data Center site, we need to determine the upload and download speed associated with the WAN link.
• As an example, let us say the MPLS WAN link is measured at 1Gbps up/down. With WANOP we should also know the number of concurrent HDX and TCP sessions expected to flow through the single appliance. For this example, we will expect 3,500 concurrent HDX sessions.
• With those numbers, we can quickly determine that the 5000 WANOP appliance with 1.5Gbps capacity is the most appropriate for this site.
• Let's go through the same exercise with Branch A, where we see a 10Mbps download capability and 50 users at this site, each capable of issuing 2 HDX sessions for XenApps and XenDesktops, totaling an aggregate of 100 HDX sessions that can potentially be seen.
• And with that we can determine that a 2000-010-WO would be most appropriate.
• Branch B, having fewer users and an expectation of 60 concurrent HDX sessions, can be sized with a smaller 1000-006-WO appliance.
• Now keep this visual in mind, as we step through next how this architecture is managed and configured.

Configuration Management for WANOP Edition

[Figure: WANOP Link Definitions at Branch A - LAN Link: Bandwidth In 1 Gbps, Bandwidth Out 1 Gbps, Adapter apA.2; WAN Link: Bandwidth In 5.7 Mbps, Bandwidth Out 950 Kbps, Adapter apA.1 - and at the Data Center, link definitions filtered by Src IP 192.168.1.0/16]

Key Notes:

• Next we will focus on what it takes to configure and manage this WANOP architecture. Unlike the Standard and Enterprise Edition, there is no concept of promoting an appliance as the head-office appliance, mainly due to the nature of the packet flow architecture, which we will go into in detail later. The technology on WANOP is significantly simpler in design and transparently sits in the path of traffic, acting much like a layer 2 switch.
• Installers at each location IP address the appliances for management and cable them in the path of traffic.
• In addition to uploading a license file per appliance, one of the key configuration tasks is to identify which interface is WAN facing and to configure the link to 90 to 95% of the nominal WAN speed for both upload and download.
• (2) To exercise the proper configuration of the WANOP Edition appliances, let us first focus on Branch A and acknowledge a 1 Mbps upload speed and a 6 Mbps download speed, and that the local Admin connected the apA.1 interface to the WAN Router and apA.2 to the Core switch. With that detail, the Link Definitions for that specific appliance are configured by the local admin to the appropriate speed of 95% of the WAN speed measurement.
• The link identified as facing the WAN will be edited with an appropriate Name to identify the interface, link type defined as WAN, Bandwidth In as 5.7 Mbps, which is 95% of the measured 6Mbps download, Bandwidth Out set to 950 kbps, again 95% of the measured 1Mbps, and Filter Rules with simply apA.1 selected as the adapter, since the Admin identified that as the WAN facing interface which was cabled.
• The link identified as facing the LAN will also be edited with an appropriate Name, link type defined as LAN, Bandwidth In and Out as 1 Gbps since there is no need to throttle on the LAN, and adapter selected as apA.2, which is the other interface identified by the admin during cabling.
• At the data center, the WAN link is identified as 100Mbps upload and download.
• In this example, there are multiple interface bridge pairs used for this SD-WAN appliance, so identifying WAN versus LAN based on interface is not possible. We need to use another technique, leveraging the subnets that we know reside on the LAN for this site. For the WAN link, we need to configure the WAN link name, type, and 95% of the upload and download speed, but utilize IP-based link definition for the Filter Rules to distinguish between in and out traffic flow to the site.
  • WAN link definition needs to specify the local LAN subnet in the Destination IP field
  • LAN link definition needs to specify the local LAN subnets in the Source IP field
• I would like to highlight that accurate WAN link speeds need to be entered for each site node in the configuration, otherwise SD-WAN will have a difficult time managing accurate data flow across the WAN link.

Configuration Management for WANOP Edition

NetScaler MAS Features:
• Instance Management
• Configuration Management
• Certification Management
• Application Management
• StyleBooks
• Analytics
• Event Management
• Authentication
• NetScaler MAS System

[Figure: Insight through AppFlow - HDX Insight (L4 / per hop info) and WANOP Insight; analytics for user and application to quickly converge on a problem segment; per-hop latency example of 3ms, 40ms and 1ms between the Admin, the SD-WAN-WO appliance and the far end]

Key Notes:

• SD-WAN WANOP edition currently does not support Zero Touch Deployment Services, and is reliant on a knowledgeable on-site installer to get the appliance online for GUI accessibility.
• Management of each individual appliance and virtual appliance can be performed from local GUI access, but the majority of the administrative work can be significantly consolidated utilizing NetScaler MAS to streamline the workflow and configuration changes. Keep updated with added support capabilities, but currently the NetScaler SD-WAN WANOP and Enterprise Editions have support for NetScaler MAS.
• As long as NetScaler MAS has IP connectivity to the management IP address of the devices for communication, the Admin can add the online SD-WAN devices to the infrastructure management of NetScaler MAS.
• In addition to Instance Management, allowing NetScaler MAS to be a central management portal for all Citrix Networking products, the feature list for MAS also includes:
  • Configuration Management – which enables custom and built-in job creation that can push configuration to individual or collective devices
  • Certification Management – allowing for central management of all SSL certificates
  • Application Management – for reporting and customization of application definitions
  • StyleBooks – powerful templates which simplify the task of managing complex NetScaler configuration
  • Analytics – for visibility into HDX, Web and WAN insight
  • Event Management – enabling customization and thresholds for alerting
  • Authentication – for RADIUS, LDAP, TACACS capability
  • And lastly, management of the NetScaler MAS System itself
• Visibility into the network is an extremely powerful tool, which is enabled through NetScaler MAS data collection from the individual SD-WAN appliances. The WANOP engine, which is available in Enterprise Edition as well, is already breaking into the TCP protocols in order to optimize, so it is easy to export AppFlow data to any collector like NetScaler MAS. In that detail the network is segmented out, allowing for quicker convergence on a segment of the network when troubleshooting a network end-to-end.

Management for Hybrid SD-WAN Environment

[Figure: Branch A, Branch B, Branch D and the Data Center in a hybrid SD-WAN environment]

Key Notes:

• All SD-WAN Editions are capable of coexisting with one another in the same environment, enabling Hybrid SD-WAN Environments.
• Sites with application delivery issues that benefit from optimizing a single WAN link can have SD-WAN WANOP deployed.
• Sites with multiple WAN links can benefit from a reliable network using Standard Edition.
• Sites with multiple WAN links and needs for application optimization can be equipped with Enterprise Edition.
• Cloud environments can be joined to the SD-WAN overlay network with Standard Edition instances.
• All the different SD-WAN editions at each site can terminate at the data center, with a dual edition setup:
  • SD-WAN Standard Edition to partner with the remote sites with Standard Edition and Enterprise Edition models for virtualizing the WAN and making full use of the various WAN links, and an SD-WAN WANOP Edition right behind that to partner with the remote sites with WANOP Edition and the WANOP component built into Enterprise Edition.
• In this Hybrid environment, we will need both…
  • NetScaler SD-WAN Center to manage the WAN Virtualization devices and NetScaler MAS to manage the WAN Optimization devices.


Lesson Objective Review

What other option is available to configure remote Standard Edition appliances besides SD-WAN Center?

a) SD-WAN promoted as MCN
b) Command Center
c) Insight Center
d) Local SD-WAN GUI
e) None of the above

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.

87 © 2018 Citrix Authorized Content




SD-WAN Packet Processing Architecture

Key Notes:

• SD-WAN has an integrated Deep Packet Inspection (DPI) library that enables real-time discovery and classification of applications. Using the DPI technology, the SD-WAN appliance analyses the incoming packet and classifies it as belonging to a particular application or application family.
• NetScaler SD-WAN also has the ability to classify the following forms of HDX traffic as the ICA application with “Citrix Protocol”:
• ICA
• ICA-CGP
• Single Stream ICA
• Multi-Stream ICA
• ICA over TCP
• ICA over UDP/UDT
• ICA over non-standard ports (Multi-ports)

89 © 2018 Citrix Authorized Content


Packet Processing Architecture

[Diagram: Standard Edition (SE), Enterprise Edition (EE) and WANOP Edition (WO) compared with a Router and a Switch]

Key Notes:

• Because of the technical differences between the editions of SD-WAN, one must be aware of the packet flow architecture, which is useful in troubleshooting and in deploying the SD-WAN solution.
• Recall that Standard Edition and Enterprise Edition are built with similar capabilities of providing link bonding and resiliency by leveraging multiple WAN links. With that functionality they behave similar to a Layer 3 router.
• The WANOP Edition, along with the WANOP component of Enterprise Edition, is built with similar capabilities of providing TCP optimization of applications across a single WAN link, and with that functionality behaves similar to a Layer 2 switch. When we look closer at the internal architecture of the Enterprise Edition, you will understand how it fits in both classifications.

90 © 2018 Citrix Authorized Content


Packet Processing for WANOP Edition

[Diagram: Client, Switch, Router, WAN, Router, Switch, Server, with SD-WAN WO appliances in the path; Client LAN Segment, WAN Segment, Server LAN Segment]

Key Notes:

• Firewall stripping options
• Beware of Firewall
• Firewall Sequence Number randomization
• Needs to be disabled
• MSS adjustments
• Beware of VPN tunnel
• Network Asymmetry
• Beware of non-symmetric traffic flow
• Beware of TTL for BGP
• WANOP Edition appliances process packets attempting to optimize any TCP session that happens to flow across the appliance's interfaces. The first three packets at the beginning of any TCP session, also known as the initial TCP handshake, determine whether that session will be accelerated or not. Sessions that are deemed unaccelerated simply pass through the appliance as they normally would in a network. Sessions that are deemed accelerated benefit from TCP optimization, compression and deduplication, which provide an improved experience to end users that would otherwise be subject to the poor network conditions of the WAN.
• So let's take a look at how that acceleration state is determined, by looking at a Client host communicating with a Server across a Wide Area Network.
• With a pair of WANOP Edition appliances placed in the traffic path, the initial TCP three-way handshake flows through the appliances before hitting the end devices.
• With WANOP being in the path, the session is broken out into three segments:
• The Client LAN Segment, also known as the Fast Side
• The WAN Segment, also known as the Slow Side
• The Server LAN Segment, also known as the Fast Side
• The WANOP Edition is simple in that it doesn't care whether it is the appliance closest to the server or the appliance closest to the client host. All it is waiting for is the first SYN packet to attempt its acceleration packet processing.
• Taking a closer look at a sample three-way handshake, including the SYN, SYN+ACK and ACK, we will look at how SD-WAN processes those packets to determine acceleration status.
• First, the Client initiates the connection to the Server.
• Since SD-WAN is in the path and notices the SYN flag set on the packet, it knows to begin the acceleration processing.
• This WANOP appliance appends its identification “Options” to the header of the SYN packet and sends it out on the WAN side. In addition to the identification options, the packet is altered slightly with an adjustment of the MSS down to 1380 and an increased window scale advertisement, but the original source and destination addresses along with the ports continue unchanged.
• The slightly altered SYN packet arrives at the partner WANOP appliance, which is able to identify that this packet came from a partner device by catching the identification options in the packet header.
• The partner device strips the header options and saves them. In an attempt to put the packet back into its original state, it makes one minor change: it adds 2 billion to the sequence number, which goes undetected by the Server.
• As the Server receives the SYN request, it acknowledges it as it normally would and sends out a SYN+ACK in response.
• The WANOP device, again being in the path, processes it by adding its own identification options to the header this time, and makes the same MSS and window scale adjustments.
• The partner appliance sees and stores the options from its partner, remembers that this was a flow initially sent out for acceleration, and marks the connection as accelerated.
• Similarly, before sending to the end host, the options are stripped and 2 billion is added to the sequence number. This is purposely done at both ends so that packets which flow around either of the WANOP devices will not be accepted by the end hosts.
• The handshake is completed with the client returning the acknowledgment packet.
• The method the WANOP Edition appliances use to communicate optimization attempts is designed to make the solution transparent and to eliminate the pre-work required to establish pairing between the boxes. It is designed so that any WANOP box can communicate with any other WANOP box as long as it sees symmetric traffic flow between the pair, with no tunnel required.
• But this method of processing packets for acceleration is subject to failure if there are firewall devices in between the WANOP pair that strip the TCP options from the packet, or if there are devices in between that randomize sequence numbers for security purposes, or even if there are VPN devices that have a lower MSS than the 1380 which SD-WAN uses. And if packets don't flow through both appliances symmetrically, then WANOP acceleration cannot be established. There is no routing capability on WANOP Edition, so it is heavily dependent on being in the path of every packet.
• Understanding this packet flow, and using the on-board packet capturing capability in the GUI, can help root cause initial deployment issues.

91 © 2018 Citrix Authorized Content
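The handshake processing described in the notes above, as an added Python simulation that is not Citrix code: the option name, the window-scale value, the host addresses and the firewall behaviour are constructed, while the MSS clamp to 1380 and the 2 billion sequence shift are the values the notes give. It shows why a firewall that strips TCP options, or a return path that bypasses the appliances, leaves the flow unaccelerated.

```python
"""WANOP three-way-handshake processing, simulated (added example, not Citrix code).

Constructed: option name, window-scale value, middlebox behaviour, host addresses.
From the notes: MSS adjusted down to 1380, 2 billion added to the sequence number.
The appliance nearest the sender tags SYN / SYN+ACK with identification options and
clamps the MSS; the partner strips and stores the options and adds 2 billion to the
sequence number; a flow is marked accelerated once an appliance has both tagged its
own handshake packet and seen partner options. ACK numbers are not modelled.
"""
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, Set, Tuple

MSS_CLAMP = 1380                 # MSS the notes say WANOP adjusts down to
SEQ_SHIFT = 2_000_000_000        # "2 billion" added to the sequence number
WO_OPTION = "wo-id"              # constructed name for the identification option
FlowKey = Tuple[str, str]


@dataclass
class Packet:
    src: str
    dst: str
    flags: str                   # "SYN", "SYN+ACK" or "ACK"
    seq: int
    mss: int = 1460
    wscale: int = 2
    options: Dict[str, str] = field(default_factory=dict)


def flow_key(pkt: Packet) -> FlowKey:
    """Same key for both directions of a flow."""
    a, b = sorted((pkt.src, pkt.dst))
    return (a, b)


class WanopAppliance:
    def __init__(self, name: str) -> None:
        self.name = name
        self.tagged: Set[FlowKey] = set()       # flows we tagged on the way out
        self.partner: Dict[FlowKey, str] = {}   # partner identity stored per flow
        self.accelerated: Set[FlowKey] = set()

    def to_wan(self, pkt: Packet) -> Packet:
        """Handshake packet leaving towards the WAN (slow side)."""
        if pkt.flags not in ("SYN", "SYN+ACK"):
            return pkt
        out = replace(pkt, options={**pkt.options, WO_OPTION: self.name})
        out.mss = min(out.mss, MSS_CLAMP)       # MSS adjusted down to 1380
        out.wscale = max(out.wscale, 8)         # larger window scale advertised
        self.tagged.add(flow_key(pkt))
        self._update(flow_key(pkt))
        return out

    def to_lan(self, pkt: Packet) -> Packet:
        """Packet arriving from the WAN, heading to the end host (fast side)."""
        key = flow_key(pkt)
        if WO_OPTION not in pkt.options:
            return pkt                          # no partner seen: plain pass-through
        self.partner[key] = pkt.options[WO_OPTION]
        self._update(key)
        stripped = {k: v for k, v in pkt.options.items() if k != WO_OPTION}
        # Options stripped; 2 billion added so packets bypassing the pair are rejected
        return replace(pkt, options=stripped, seq=(pkt.seq + SEQ_SHIFT) % 2**32)

    def _update(self, key: FlowKey) -> None:
        if key in self.tagged and key in self.partner:
            self.accelerated.add(key)


def transparent(pkt: Packet) -> Packet:
    """WAN segment that leaves the packet alone."""
    return pkt


def strips_options(pkt: Packet) -> Packet:
    """Firewall that drops unknown TCP options (one failure case the notes list)."""
    return replace(pkt, options={})


def run_handshake(wan: Callable[[Packet], Packet] = transparent,
                  symmetric: bool = True) -> dict:
    """Run SYN and SYN+ACK through a WANOP pair with a middlebox on the WAN segment.

    symmetric=False routes the SYN+ACK around both appliances (asymmetric flow).
    """
    client_wo, server_wo = WanopAppliance("wo-client"), WanopAppliance("wo-server")
    key = ("10.0.0.10", "10.1.0.20")            # constructed client / server hosts
    syn = Packet("10.0.0.10", "10.1.0.20", "SYN", seq=1000)
    at_server = server_wo.to_lan(wan(client_wo.to_wan(syn)))
    synack = Packet("10.1.0.20", "10.0.0.10", "SYN+ACK", seq=5000)
    if symmetric:
        at_client = client_wo.to_lan(wan(server_wo.to_wan(synack)))
    else:
        at_client = wan(synack)
    return {"client_accelerated": key in client_wo.accelerated,
            "server_accelerated": key in server_wo.accelerated,
            "server_saw_mss": at_server.mss, "server_saw_seq": at_server.seq,
            "client_saw_seq": at_client.seq}
```

Only the clean, symmetric run marks the flow accelerated on both appliances; with `strips_options` or `symmetric=False` the session falls back to plain pass-through, which is what a capture on a real deployment would show when a firewall or asymmetric route sits between the pair.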

Packet Processing for Enterprise Edition

[Diagram: Client, Switch, Router, Firewall, Internet, Firewall, Router, Switch, Server; Client LAN Segment, Virtual WAN Segment, Server LAN Segment]

Key Notes:

• Firewall blocks UDP
• Port forward 4980 is required
• Static Public IP required at Data Center Internet Link
• 1:1 NAT to SD-WAN VIP
• All Branch Office public IPs are dynamically learned
• Standard Edition appliances process packets very similar to a router, regardless of TCP or UDP. SD-WAN Standard Edition leverages a route table that determines the next hop for an incoming packet to be delivered to the destination address. The unique capability of Standard Edition is its ability to adjust the delivery path based on the network conditions of the available WAN paths and the likelihood of successful delivery.
• Next hops are adjusted on the fly for every packet, and a single session can be delivered across multiple paths. Packets for a single session can be delivered across paths of various conditions because of SD-WAN's Transport Reliable Protocol (TRP) and its packet reordering capabilities, which make sure the receiving device delivers packets to the end host as expected and not out of order. Virtualizing the WAN is only accomplished by this unique packet processing capability of SD-WAN.
• Let's take a look at the packet flow between client and server host across the Wide Area Network when Standard or Enterprise Edition is in the path.
• Again the network is broken up into three segments:
• The Client LAN Segment
• The Virtual WAN Segment, which is the virtualized path, since all paths are available to the SD-WAN devices for packet delivery regardless of what underlay path the packet would normally take
• The Server LAN Segment
• Standard and Enterprise Edition are unique in that each appliance has an identity in an SD-WAN environment. The head-end appliance, promoted as the Master Control Node or MCN, is the central intelligence, and all remote sites know how to communicate with other remote sites via the MCN as the next hop. Because of this, it is important to have a high availability pair of appliances at the head-end for continued MCN operation during a failure.
• Let's take a look at this packet flow in action.
• Packets originating from the Client, regardless of whether TCP or UDP, will be sourced from the client host with a destination of the server.
• With SD-WAN in the path, it will intercept the packet because the destination is found in its SD-WAN overlay route table. If the destination address is not found in the route table, it simply delivers the packet to the underlay gateway where it would normally have been delivered.
• With the destination address identified in the SD-WAN route table, the intercepted packet is assessed for priority based on the application's defined class, then delivered across the path that best matches the application, with jitter, latency and loss being the criteria for path health.
• At this point the packet is encapsulated into a UDP envelope with a new outer source and destination that forces the underlay network to deliver it across the path chosen by SD-WAN, utilizing SD-WAN Virtual IP addresses, or VIPs. If the MPLS path is chosen, the destination of the outer UDP packet can be the partner SD-WAN's VIP assigned to the MPLS WAN Link.
• If the Internet path is chosen, the destination will be the static public IP at the WAN edge of the firewall. A one-to-one NAT is needed to port forward the UDP packet to the partner SD-WAN's VIP address assigned to the Internet WAN link.
• If the public Internet path was taken, this is where SD-WAN dynamically learns the dynamic public IP of the branch office site from the UDP envelope and stores it for the return traffic flow destined for the same WAN path.
• As the packet exits the SD-WAN tunnel, it returns to the same state it was in when it first entered the tunnel, in its TCP or UDP form. Any packets that were broken up to fit inside the SD-WAN tunnel are reassembled, and any packets that arrived out of order are buffered to make sure the end host doesn't receive any unexpected packets that would interrupt the communication flow.
• The returning flow from the server goes through the same operation, with source and destination being Server to Client.
• SD-WAN analyzes the packet for application class against the conditions of the available WAN links, determines the best matching path, then encapsulates the packet in a UDP envelope with the outer source and destination changed to SD-WAN Virtual IP addresses based on the desired path.
• On the Internet path, the dynamic public IP of the branch is used, which was learned earlier.
• As the packet arrives at the original SD-WAN, the packet exits the tunnel in its original format, and again reassembly and buffering are applied if needed.
• The challenges that are typically encountered with this form of packet processing occur during the initial installation. The SD-WAN communication between VIP addresses establishes easily across the private MPLS lines because of the direct communication between IPs on the private network. Public Internet lines typically pose challenges, usually because the firewalls are not configured properly to allow the traffic through and/or are not NATing the traffic accordingly. Understanding this packet flow, and using the on-board packet capturing capability in the GUI, can help root cause such issues.

92 © 2018 Citrix Authorized Content
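The Standard Edition flow described above (overlay route lookup, path choice on latency, jitter and loss, UDP 4980 encapsulation between VIPs, the 1:1 NAT at the data center and learning the branch's dynamic public IP), as an added Python simulation that is not Citrix code. All addresses, route entries, path statistics and the scoring weights are constructed; UDP port 4980 is the value the notes give.

```python
"""Standard Edition forwarding and UDP encapsulation, simulated (added example,
not Citrix code). Route tables, VIPs, public IPs, path statistics and the path
score are constructed; UDP port 4980 is the value the notes give. Steps shown:
overlay route lookup (otherwise the underlay gateway), path choice by latency,
jitter and loss, encapsulation between SD-WAN VIPs, 1:1 NAT of the data-center
static public IP, and the DC learning the branch's dynamic public IP on arrival.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VP_PORT = 4980                   # Virtual Path UDP port


@dataclass
class Path:
    name: str
    local_vip: str
    remote: Optional[str]        # partner VIP / static public IP, or None until learned
    latency_ms: float
    jitter_ms: float
    loss_pct: float

    def score(self) -> float:
        """Lower is better; constructed weighting, loss penalised most."""
        return self.latency_ms + 4 * self.jitter_ms + 50 * self.loss_pct


@dataclass
class Encap:
    outer_src: str
    outer_dst: str
    port: int
    path: str
    inner: dict                  # the customer packet, unchanged inside the envelope


class SdwanNode:
    def __init__(self, routes: Dict[str, str], gateway: str, paths: List[Path]) -> None:
        self.routes = {ipaddress.ip_network(n): site for n, site in routes.items()}
        self.gateway = gateway                  # underlay next hop
        self.paths = {p.name: p for p in paths}

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match in the overlay route table."""
        addr = ipaddress.ip_address(dst)
        hits = [n for n in self.routes if addr in n]
        return self.routes[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def forward(self, inner: dict) -> Tuple[str, object]:
        if self.lookup(inner["dst"]) is None:
            return ("underlay", self.gateway)   # delivered as it normally would be
        usable = [p for p in self.paths.values() if p.remote is not None]
        if not usable:
            return ("no_path", None)
        best = min(usable, key=Path.score)
        return ("virtual_path", Encap(best.local_vip, best.remote, VP_PORT, best.name, inner))

    def receive(self, pkt: Encap) -> dict:
        """Tunnel exit: remember the peer's outer source for the same path."""
        path = self.paths[pkt.path]
        if path.remote is None:
            path.remote = pkt.outer_src         # dynamic branch public IP learned
        return pkt.inner


def branch_nat(pkt: Encap, public_ip: str) -> Encap:
    """Branch firewall: the VIP is hidden behind the dynamic public IP."""
    return Encap(public_ip, pkt.outer_dst, pkt.port, pkt.path, pkt.inner)


def dc_nat(pkt: Encap, static_ip: str, dc_vip: str) -> Encap:
    """Data-center firewall: 1:1 NAT of the static public IP to the SD-WAN VIP."""
    if pkt.outer_dst != static_ip or pkt.port != VP_PORT:
        raise ValueError("UDP 4980 to the static public IP must be forwarded")
    return Encap(pkt.outer_src, dc_vip, pkt.port, pkt.path, pkt.inner)


def demo() -> dict:
    """Branch-to-DC request and the DC's return; every address is constructed."""
    branch = SdwanNode({"10.1.0.0/16": "DC"}, "10.0.0.1", [
        Path("MPLS", "192.168.10.2", "192.168.20.2", 40, 2, 0.0),
        Path("Internet", "192.168.11.2", "203.0.113.10", 25, 3, 0.0)])
    dc = SdwanNode({"10.0.0.0/24": "BranchA"}, "10.1.0.1", [
        Path("MPLS", "192.168.20.2", "192.168.10.2", 40, 2, 0.0),
        Path("Internet", "172.16.1.2", None, 25, 3, 0.0)])
    out = {}
    out["non_overlay"] = branch.forward({"src": "10.0.0.10", "dst": "192.0.2.50"})
    kind, enc = branch.forward({"src": "10.0.0.10", "dst": "10.1.0.20", "proto": "TCP"})
    out["outbound"] = (kind, enc.path, enc.outer_src, enc.outer_dst, enc.port)
    # Until a packet has arrived, the DC has no Internet address for the branch
    out["dc_before_learning"] = dc.forward({"src": "10.1.0.20", "dst": "10.0.0.10"})[1].path
    inner = dc.receive(dc_nat(branch_nat(enc, "198.51.100.7"), "203.0.113.10", "172.16.1.2"))
    out["inner_restored"] = inner == {"src": "10.0.0.10", "dst": "10.1.0.20", "proto": "TCP"}
    ret = dc.forward({"src": "10.1.0.20", "dst": "10.0.0.10"})[1]
    out["dc_after_learning"] = (ret.path, ret.outer_dst)   # learned public IP used
    return out
```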

Packet Processing for Enterprise Edition

[Diagram: Client, Router, Enterprise Edition, WAN, Enterprise Edition, Router, Server; segments Client to WANOP, VW to WO, WANOP to Server]

Key Notes:

• Understanding Enterprise Edition packet processing involves first understanding a two-appliance solution at each location, with WANOP sitting on the LAN side of Standard Edition. WANOP would not be able to sit on the WAN side because of the UDP tunnel formed by Standard Edition, which would hinder any optimization attempts.
• Traffic flow that is subject to the packet processing of both sets of devices will segment the network into five unique segments:
• Client to WANOP
• WANOP to Virtual WAN
• Virtual WAN Segment
• Virtual WAN to WANOP
• WANOP to Server
• Now let us follow the path of the packet to understand the different state changes of the packet traversing this setup.
• Like before, we will start with the client sending out the first SYN packet for a TCP session.
• The first WANOP device will alter the packet with MSS, WinScale and identification options in the header field, while keeping the source and destination unchanged.
• As the Standard Edition device receives the packet, it will determine the best WAN path and encapsulate it in UDP, changing the outer packet to a new source and destination of a partner SD-WAN Virtual IP.
• The packet that exits the tunnel is delivered to the partner WANOP device with the options intact, which enables the acceleration of that flow.
• Lastly the original packet arrives, with destination to the server host, with one slight change of two billion being added to the sequence number.
• A similar operation occurs on the return:
• The packet originates from the server with the client being the destination address.
• WANOP adds its identification and alters the MSS and WinScale.
• Standard Edition determines the best WAN path and delivers it in an encapsulated UDP packet with a new destination of the partner SD-WAN.
• The packet exits the tunnel with the options intact.
• WANOP sees the options, the acceleration handshake marks the session as accelerated, and two billion is added to the sequence number in order to better control the accelerated session.
• As before, getting the firewalls to NAT and allow the UDP flow will be the biggest challenge. But the encapsulation of the packet and the tunnel capabilities of SD-WAN will allow the WANOP options through without further modification needed.
• Enterprise Edition is designed to replace the two-appliance solution with a single appliance that performs this packet processing capability. Primarily this solution is targeted at the branch office locations, since there are typically numerous of them and hardware consolidation is a more compelling story there. Enterprise Edition may be deployed at the data center as well, but it is not recommended due to the scale requirements at the data center. A two-appliance solution at the head-end is recommended.
• Packet flow is important to understand, and becomes extremely important when troubleshooting initial deployments for SD-WAN pair communication.

93 © 2018 Citrix Authorized Content

Transport Reliable Protocol

• Every encapsulated UDP packet includes TRP
• TRP adds 49 bytes to every packet
• Enabling sub-second traffic redirection
• Loss mitigation
• Packet ordering
• Packet aggregation
• TRP probes during lack of traffic
• MTU auto detect

[Diagram: encapsulated packet layout, top to bottom: Ethernet header, IP header, UDP header, TRP header, Aggregated header, Customer packet 1 with flow header, Customer packet 2 with flow header, Customer packet n with flow header, Trailer]

Key Notes:

• The Transport Reliable Protocol, also known as TRP, is the technology that enables NetScaler SD-WAN to be the best SD-WAN technology on the market. Every packet that is processed by the SD-WAN and placed in the encapsulation envelope includes the TRP header, essentially making every packet on the SD-WAN Overlay network a probe that continuously monitors the health conditions of the individual WAN paths.
• TRP adds a 49-byte header to every packet. This carries the communication information between the MCN and the various Client nodes that tracks what is happening on the WAN paths (BOWT, Latency, Loss, Jitter), in addition to feedback on what is going on in other parts of the network. In here is the intelligence that allows the system to react at a sub-second level to condition changes on any one of the WAN paths that are being continuously monitored.
• Each UDP encapsulated packet not only contains timing information about the path, but also information about the next packet and its expected time of arrival. Responses to requests for lost packets have alternative paths of delivery to avoid loss. Loss within the Virtualized WAN is controlled. It does not cause congestion, jitter or wasted bandwidth on the WAN. The SD-WAN node is far more orderly in how it handles congestion than traditional approaches, because of its knowledge of the network's ability and demands. TCP congestion until loss within the WAN adversely affects other traffic, such as UDP voice traffic for example. The SD-WAN method prevents these negative side effects.
• The unique method of path measurement allows the functionality to work on TCP and UDP applications alike.
• TRP enables packet aggregation, which combines several packets together into one big packet using a single set of UDP encapsulation, to more efficiently utilize the available bandwidth.
• If no traffic flow is available, SD-WAN will still send TRP packets at a rate of 1 every 50ms.
• MTU is also automatically detected so that packets are not fragmented on the WAN.

94 © 2018 Citrix Authorized Content


Lesson Objective Review

What is the primary reason why WANOP must be deployed on the LAN side of the Standard Edition?

a) UDP is known to block WANOP Options
b) WANOP adds 2 billion to the sequence number
c) MSS and Win Scale adjustment fragments packets
d) Application optimization can only be accomplished on unencrypted TCP traffic flow
e) None of the above

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.

95 © 2018 Citrix Authorized Content




SD-WAN Services Architecture

[Diagram: Standard Edition (SE) and Enterprise Edition (EE)]

• Virtual Path Service
• Intranet Service
• Passthrough Service
• Internet Service
• WanOp Service - (WO/EE Only)

Key Notes:

• NetScaler SD-WAN Standard Edition and Enterprise Edition are built on the same code base, thus both editions have the same set of Network Services.
• Network Services are logical sets of operations performed on network traffic that are designed to add value and improve end user satisfaction.
• The Network Services are:
• Virtual Path Service – provides the tunnel capability across multiple WAN paths between two SD-WAN appliances. The Virtual Path provides a high service level by constantly measuring and adapting to changing application demands and WAN conditions.
• Intranet Service – provides the capability for SD-WAN delivery to Intranet sites that do not have an appliance in place. This service uses the underlay network for delivery.
• Internet Service – provides SD-WAN delivery of traffic directly to the public Internet. This service can utilize multiple paths if available.
• Passthrough – is designed for any traffic that is meant to flow through SD-WAN untouched and unmanaged.
• Keep in mind that there is another service, the WANOP Service, which is in place for application optimization but is only applicable when WANOP Edition or Enterprise Edition is in the path of traffic.

97 © 2018 Citrix Authorized Content


SD-WAN Virtual Path Service

[Diagram: Remote SD-WAN-SE, Virtual Path, Data Center or Cloud SD-WAN-SE]

Virtual Path Service
• Reliable application delivery
• Bonded/Aggregated bandwidth using diverse paths
• Continuous monitoring of WAN path conditions
• Tunnel created by encapsulating packets

Key Notes:

• Traffic that is delivered between two SD-WAN Standard or Enterprise Edition appliances is delivered using the Virtual Path Service.
• The Virtual Path Service delivers the full value of the Virtualized WAN:
• Providing reliable connectivity between sites
• Aggregating multiple diverse paths together, forming the Virtual Path
• Actively managing traffic across multiple WAN links to create end-to-end path intelligence
• Encapsulating the traffic in a tunnel using UDP port 4980
• The Virtual Path Service ensures reliable delivery of all applications. The primary objective of the Virtual Path Service is to make sure that business critical applications are delivered across the optimal WAN paths for the best end user experience.

98 © 2018 Citrix Authorized Content


SD-WAN Intranet Service

[Diagram: Remote SD-WAN-SE, underlay network, Data Center or Cloud SD-WAN-SE]

Intranet Service
• Destined for sites with no known SD-WAN partner
• Bandwidth is accounted for
• Un-encapsulated and delivered across the underlay network

Key Notes:

• Traffic that is delivered to a site that does not have a partner SD-WAN device in place to establish a tunnel with is known as Intranet Service traffic.
• SD-WAN manages Intranet traffic, making sure that its bandwidth usage of the underlay network is accounted for, primarily to avoid bandwidth contention with other services.
• The SD-WAN appliance does not encapsulate this traffic, and it is similar to pass-through traffic, except that it is being monitored.

99 © 2018 Citrix Authorized Content


SD-WAN Pass-Through Service

[Diagram: Remote SD-WAN-SE, Passthrough, Data Center or Cloud]

Passthrough Service
• Management GUI of WAN edge devices
• Local LAN bounce back traffic
• Should be used sparingly
• Bandwidth is unaccounted for

Key Notes:

• The Passthrough Service handles traffic that administrators want to transmit unchanged through the SD-WAN appliance.
• Some examples would be the management IP of the WAN edge router, or local LAN traffic that is expected to flow through the SD-WAN but is returned back to the LAN by the gateway router. It should not be any traffic that utilizes the WAN link bandwidth.
• Passthrough traffic should be used sparingly, since it goes unmanaged by SD-WAN and its bandwidth is unaccounted for. This means that if any passthrough traffic utilizes the WAN paths that are being measured by SD-WAN, SD-WAN's monitoring capabilities will be negatively affected. Each path that terminates into SD-WAN is configured with a set upload and download speed. SD-WAN uses that to send traffic across a path, and if contending traffic causes SD-WAN to see dropped packets, it will back off from using that path and falsely conclude that there are poor network conditions on that path, when in fact there is contention on that path with unaccounted-for traffic.
• Again note that SD-WAN does not delay, shape or modify passthrough traffic.
• Administrators must make sure pass-through traffic does not consume substantial resources on the WAN links that are also configured for use with other services.

100 © 2018 Citrix Authorized Content


SD-WAN Internet Service Backhaul

[Diagram: Remote SD-WAN-SE, Virtual Path, Data Center or Cloud SD-WAN-SE, Internet]

Internet Service Backhaul
• Traffic control for public internet
• Primary / Secondary
• Load Balance

Key Notes:

• SD-WAN's Internet Service is a feature in itself. The Internet Service can be enabled at any SD-WAN equipped site, and simply provides access to the public Internet. The feature provides the ability either to load balance Internet traffic across the available WAN links, or to use them in a primary/secondary configuration.
• Direct Internet access at branch offices is a security concern; it is difficult to manage and expensive to maintain. More importantly, it opens a backdoor for hackers into the secure data centers.
• The recommendation is to force all Internet traffic through a solid DC DMZ that includes all the security infrastructure and anomaly detection. This is called backhaul of Internet traffic.
• One limitation is that backhauling all remote site Internet traffic to the data center is taxing on the Virtualized WAN path and can quickly saturate the links at the data center. Adding an additional WAN link or bumping up capacity on existing links is a quick solution, but breaking out directly for access at the site, utilizing the SD-WAN firewall and secure web gateway interoperability, is another option. We will cover that as the next topic.
• The backhaul of Internet traffic from the branch sites can be accomplished by using the SD-WAN overlay route table and creating a default route for the branch site that points all traffic through the Virtual Path to the data center SD-WAN appliance.

101 © 2018 Citrix Authorized Content


SD-WAN Internet Service direct at Branch

[Diagram: Remote SD-WAN-SE with direct Internet access; Data Center or Cloud SD-WAN-SE]

Internet Service at Branch
• Traffic control for public internet
• Primary / Secondary
• Load Balance

Key Notes:

• Creating an Internet Service at the branch site enables similar capabilities by providing the ability either to load balance Internet traffic across the available WAN links, or to use them in a primary/secondary configuration.
• Direct Internet breakout at the branch means that your site needs to be equipped with the appropriate security devices to protect the network. The majority of security hacks utilize this entry method to gain access to the headquarters, but owning, maintaining and managing security equipment at each and every site is very costly.
• As one possible solution, SD-WAN has interoperability with cloud based secure web gateways to serve as offsite security and web filtering enforcement for all Internet bound traffic.
• Another solution is to utilize the on-board Stateful L7 Firewall with Deep Packet Inspection capabilities on the SD-WAN appliance, implementing consistent security policies across the network when enabling a direct Internet access model.

102 © 2018 Citrix Authorized Content


Zero Touch Deployment Service for Standard Edition

[Diagram: Admin, Zero Touch Deployment Service, Branch A, Branch B, and the Data Center with SD-WAN 5100-2000-SE]

Key Notes:

• The SD-WAN Change Management tool, available in both the MCN and SD-WAN Center GUI, builds packages specific to each branch site device.
• The packages are generally then shared with local site Admins, who are tasked with directly logging into the local appliance GUI to upload the package that provides its identity, using Local Change Management. The Admin must also license the appliance and make sure it is brought online and that communication on the SD-WAN overlay is established.
• Having a knowledgeable SD-WAN Admin at each site is challenging, especially when dealing with a large number of branch sites. Reducing the amount of SD-WAN knowledge required of the remote site installers is the main objective of Zero Touch Deployment.
• We are able to offload some of that responsibility from the Installer by introducing a Zero Touch Deployment Service, which automates the following:
• Authenticates the Admin managing the SD-WAN Center
• Acknowledges deployment of new sites
• Authenticates the remote site appliance using the serial number
• Shares and automatically installs the configuration/software package meant for that specific appliance
• Installs any additional firmware updates
• Licenses the SD-WAN appliance
• Enables the SD-WAN appliance for validation of path establishment
• More importantly, it eliminates the costly need for knowledgeable SD-WAN Admins to run the manual tasks required to bring up the remote site SD-WAN appliances.
• Currently the SD-WAN Zero Touch Deployment service is available on the 410 Standard Edition appliance, but more devices will become available for this service.

103 © 2018 Citrix Authorized Content

Lesson Objective Review

How is the packet delivery different between traffic delivered across the Virtual Path Service versus traffic delivered using the Internet Service?

a) Bandwidth monitored versus unmonitored
b) Delivered across bonded paths versus load balanced
c) Duplicated versus Forward Error Correction
d) Cached versus un-cached
e) None of the above

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.




Key Takeaways

• NetScaler SD-WAN Editions can either be hypervisor based, powered by XenServer, or can run directly on bare metal.
• All SD-WAN appliances are designed to provide management access to the appliance, which is designed to be segregated from the data interfaces for security purposes.
• NetScaler SD-WAN Standard Edition and Enterprise Edition are built on the same code base.

Key Notes:

• NetScaler SD-WAN's unique architecture is designed to ensure reliable delivery of business critical applications utilizing multiple diverse WAN paths, whether that be applications and data being accessed from the Data Center or websites being accessed directly from the Internet.


• Exercise 2-1: Provisioning the MCN using the saved configuration file
• Exercise 2-2: Applying the configuration to the remote appliance

Optional Self Study:

• Exercise 2-3: Troubleshooting dead path state

Key Notes:

• The Optional Self Study exercises are added to allow students to continue the hands-on experience outside of class time. You are given 30 days of access to the lab environment and can go in at any time and complete these labs.



CITRIX

NetScaler SD-WAN Hands-on Workshop

Quality of Service

CNS-200W
Version: 1.3

Learning Objectives

• Describe SD-WAN Quality of Service
• Explain Classes of Service and Rules
• Understand SD-WAN Transmit Modes
• Describe Bandwidth Provisioning


NetScaler SD-WAN Management Architecture

[Figure: NetScaler SD-WAN management architecture diagram]

Key Notes:

• NetScaler SD-WAN has the intelligent ability to achieve maximum bandwidth and deal with network performance elements like latency, error rate and uptime to provide the optimal user experience across the Virtualized WAN.
• NetScaler SD-WAN's Quality of Service engine further enables this capability by prioritizing the traffic and making sure the business critical applications have their fair share of bandwidth and that connections are not disrupted by other, heavier workloads.
• Real-time: NetScaler SD-WAN adaptive TCP flow control dynamically detects real-time WAN link conditions to mitigate TCP performance penalties from packet loss and retransmission. All WAN optimization controllers can regulate or meter the flow of data packets onto the WAN link. However, NetScaler SD-WAN imposes transparent, lossless flow control on each segment of a connection: the LAN segment between branch users and the branch-based NetScaler SD-WAN appliance; the WAN segment between the branch and datacenter NetScaler SD-WAN appliances; and the LAN segment between the datacenter NetScaler SD-WAN appliance and the server or application.
• By splitting a connection into three parts, NetScaler SD-WAN can independently manage the flow control and utilization of each segment. This is important when a connection's speed needs to be ramped up or down quickly to its fair bandwidth share, and to ensure maximum advantage is taken of enhanced WAN optimization and compression algorithms.
• Real-time: VoIP or VoIP-like applications, such as Skype or ICA audio. In general, we refer to voice-only applications that use small UDP packets and that are business critical.
• Interactive: This is the broadest category, and refers to any application that has a high degree of user interaction. Some of these applications, for example video conferencing, are sensitive to latency and require high bandwidth. Other applications, like HTTPS, may need less bandwidth but are critical to the business. Interactive applications are typically transactional in nature.
• Bulk: This is any application that does not need a rich user experience but is more about moving data (e.g. FTP or backup/replication).

SD-WAN QoS WAN Link Configuration

[Figure: Hosts, Core Router and SD-WAN-SE with two WAN links. Internet link: LAN to WAN = 20 Mbps, WAN to LAN = 80 Mbps. MPLS link: LAN to WAN = 3 Mbps, WAN to LAN = 4 Mbps]

Key Notes:

• Proper Quality of Service operation begins with proper configuration of SD-WAN.
• When designing a site using the Configuration Editor, each site that is built must have a defined set of WAN links. In that definition, one must identify the upload and download speed associated with each link, then configure the SD-WAN appropriately to match.
• For most deployments, it is recommended to accurately measure the WAN link speeds before introducing SD-WAN to the environment.
• Example:
  • For the Internet link, the provider says it is a 100 Mbps link, but after running a speed test on that Internet link, we see 80 Mbps download and 20 Mbps upload.
  • For the MPLS link, the provider says it is a 5 Mbps link, but running iperf across the WAN link, the true measurement is seen as 4 Mbps download and 3 Mbps upload.
• The point here is that typically consumers are not going to receive the bandwidth providers are contracting for. Taking the time to accurately measure each WAN link will eliminate any misunderstanding of SD-WAN Quality of Service performance later.
• From the measured numbers, SD-WAN is placed in the path of both links and sees the total traffic flow, so SD-WAN needs to be configured on the WAN links accordingly.
• The defined Internet WAN link on SD-WAN for this site needs to be configured for:
  • LAN to WAN at 20 Mbps
  • WAN to LAN at 80 Mbps
• Likewise, the defined MPLS WAN link on SD-WAN for this site needs to be configured for:
  • LAN to WAN at 3 Mbps
  • WAN to LAN at 4 Mbps


SD-WAN QoS Guaranteed Bandwidth

[Figure: Hosts, Core Router and SD-WAN-SE. The Internet link (80 Mbps down, 20 Mbps up) is reached through a Firewall that sets aside 10 Mbps for SD-WAN: Internet = 10 Mbps, WAN to LAN = 10 Mbps. MPLS link: LAN to WAN = 3 Mbps, WAN to LAN = 4 Mbps. Path table shows the INET and MPLS paths]

Warning Signs of Speed Misconfiguration:
• Path Statistics show high loss
• Latency spikes
• Frequent Path state changes
• Reports of WAN path congestion

Key Notes:

• With proper definition of the WAN links, the deployment of SD-WAN also needs to be considered.
• SD-WAN's flexible deployment options could yield a different configuration when considering traffic flow. SD-WAN deployment can be categorized into three network topology types: fully inline, partial inline, and one-arm.
• Regardless of the deployment topology, Quality of Service functionality can be impacted if the SD-WAN WAN link definition is inaccurate.
• When SD-WAN is fully inline, SD-WAN is capable of seeing and accounting for all traffic on the configured WAN links, as we see here on the path to the MPLS link.
• When SD-WAN is partial inline or one-arm, it is more likely that SD-WAN does not see all traffic on the configured WAN links, only what is being redirected to the appliance for SD-WAN operation. Unaccounted-for traffic means SD-WAN will see unexpected contention on usage of the WAN links, and misreport the findings as poor link quality as opposed to what it truly is.
• In this topology we are attempting to showcase an example where we can potentially run into this: SD-WAN is in the direct path of the MPLS link, but out of path for the Internet link, while still having the ability to use that Internet link as a second WAN path.
• As before, the SD-WAN configuration for the MPLS link matches the measured speed for that link.
• In this case, for the Internet link, there is a chance that SD-WAN encapsulated UDP traffic being directed to the Internet link will contend with underlay traffic which may go directly out to the Internet.
• During unexpected contention on a WAN link, SD-WAN will back off using the Congestion Avoidance algorithm, nearly by half, even if congestion occurs below its configured usage rates. SD-WAN will then slowly step performance back up to ensure the link is not being saturated by SD-WAN flows, but eventually the contention will be reached again, causing another back off. This is by design, to not disrupt the underlay network in any way, even at the cost of degrading the SD-WAN overlay network.
• Typically this occurs when SD-WAN is not used for Internet/Intranet traffic control, and when this is the case, rate control must be enacted on the external devices (routers, switches, or firewalls) to ensure SD-WAN receives its allocated bandwidth on the WAN links. In this case the firewall could be configured to set aside 10 Mbps of upload for SD-WAN and 10 Mbps of upload for Internet/Intranet traffic. Some Admins may make the mistake of configuring the SD-WAN Internet WAN link to 20 Mbps, where with the firewall configuration the proper SD-WAN link speed would be 10 Mbps.
• Misconfiguration of the WAN link is likely, especially if diligence is not taken to properly measure the WAN link speeds beforehand; some warning signs for this include:
  • Path Statistics show unexpectedly high packet loss
  • Latency spikes are occurring
  • Virtual Path status jumps between GOOD, BAD, and DEAD frequently because of dropped data frames
  • WAN path congestion flags are seen
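The warning signs listed above can be checked mechanically against exported path statistics. The following is an added example (not Citrix code and not an SD-WAN export format): it runs over a constructed set of per-interval path samples, flags the four signs per path, and separately checks a WAN link definition against the measured rate and any share an upstream firewall reserves for SD-WAN, as in the 10 Mbps case on this slide. The thresholds and the field layout are this example's assumptions.

```python
"""Flag the warning signs of a mis-sized WAN link definition from path statistics.

Added example, not Citrix code. The sample records below are constructed; the
thresholds are illustrative assumptions, not SD-WAN defaults.
"""
from statistics import mean

# Constructed path-statistics samples (one per polling interval) for two paths.
# Field order is this example's own: path, loss %, latency ms, state, congestion flag.
SAMPLES = [
    ("DC-MPLS -> Branch-MPLS",  0.1,  30, "GOOD", False),
    ("DC-MPLS -> Branch-MPLS",  0.2,  31, "GOOD", False),
    ("DC-MPLS -> Branch-MPLS",  0.1,  29, "GOOD", False),
    ("DC-MPLS -> Branch-MPLS",  0.3,  32, "GOOD", False),
    ("DC-INET -> Branch-INET",  0.2,  40, "GOOD", False),
    ("DC-INET -> Branch-INET",  6.5, 210, "BAD",  True),
    ("DC-INET -> Branch-INET",  0.4,  45, "GOOD", False),
    ("DC-INET -> Branch-INET",  9.0, 260, "BAD",  True),
    ("DC-INET -> Branch-INET", 14.0, 320, "DEAD", True),
    ("DC-INET -> Branch-INET",  0.3,  42, "GOOD", False),
]

# Illustrative thresholds (assumptions for this example).
LOSS_PCT_HIGH = 2.0         # average loss above this is "unexpectedly high"
LATENCY_SPIKE_FACTOR = 3.0  # a sample 3x the path's best latency counts as a spike
STATE_CHANGES_MAX = 2       # more GOOD/BAD/DEAD transitions than this is "frequent"


def analyse_path(records):
    """Return the warning signs present in one path's chronological samples."""
    losses = [r[1] for r in records]
    latencies = [r[2] for r in records]
    states = [r[3] for r in records]
    baseline = min(latencies)  # best observed latency approximates the uncongested value
    signs = []
    if mean(losses) > LOSS_PCT_HIGH:
        signs.append("high packet loss")
    if any(lat > baseline * LATENCY_SPIKE_FACTOR for lat in latencies):
        signs.append("latency spikes")
    changes = sum(1 for a, b in zip(states, states[1:]) if a != b)
    if changes > STATE_CHANGES_MAX:
        signs.append("frequent path state changes")
    if any(r[4] for r in records):
        signs.append("WAN path congestion flagged")
    return signs


def find_suspect_links(samples):
    """Group samples by path; return {path: [signs]} for paths showing any sign."""
    by_path = {}
    for rec in samples:
        by_path.setdefault(rec[0], []).append(rec)
    result = {}
    for path, recs in by_path.items():
        signs = analyse_path(recs)
        if signs:
            result[path] = signs
    return result


def link_definition_check(configured_mbps, measured_mbps, reserved_for_sdwan_mbps=None):
    """Compare the configured LAN-to-WAN rate with what the link can really carry.

    When an upstream device (e.g. a firewall) reserves only part of the link for
    SD-WAN, that reservation, not the raw measured speed, is the correct definition.
    """
    usable = measured_mbps
    if reserved_for_sdwan_mbps is not None:
        usable = min(measured_mbps, reserved_for_sdwan_mbps)
    if configured_mbps > usable:
        return f"over-defined: configured {configured_mbps} Mbps but only {usable} Mbps is usable"
    return "ok"


if __name__ == "__main__":
    for path, signs in find_suspect_links(SAMPLES).items():
        print(path, "->", ", ".join(signs))
    # The slide's Internet link: 20 Mbps measured upload, firewall reserves 10 Mbps for SD-WAN.
    print(link_definition_check(20, 20, reserved_for_sdwan_mbps=10))
    print(link_definition_check(10, 20, reserved_for_sdwan_mbps=10))
```

Only the Internet path trips the detector in this sample; the MPLS path, which SD-WAN sees fully inline, shows none of the signs.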

SD-WAN QoS Back-to-Back Solution

[Figure: Hosts, Core Router, SD-WAN-WO (QoS disabled) and SD-WAN-SE (QoS enabled) in series in front of the Firewall. SD-WAN-SE links: Internet LAN to WAN = 20 Mbps, WAN to LAN = 80 Mbps; MPLS LAN to WAN = 3 Mbps, WAN to LAN = 4 Mbps. The WANOP device sees the aggregate: LAN to WAN = 23 Mbps, WAN to LAN = 84 Mbps (80 + 4). The pair is equivalent to an Enterprise Edition appliance]

Key Notes:

• For sites that already have existing WANOP equipment, SD-WAN Standard Edition can be placed on the WAN side of the existing WANOP devices.
• The speed definition for upload and download speeds is the same as we have already practiced.
• The WANOP device, which is also dependent on proper WAN link speed definition, will now need to be updated with Standard Edition in the path, because the new WAN is what the SD-WAN tunnel provides, which is an aggregate of multiple WAN bandwidths.
• With a back-to-back solution like this, the responsibility for QoS, if required, is offloaded to the Standard Edition appliance, which is closer to the WAN edge, and QoS will need to be disabled on the WANOP Edition.
• With QoS on the WANOP device disabled, proper WAN speed configuration is no longer a concern and the WAN links can be left at the default 1 Gbps values.
• This solution allows for the introduction of Standard Edition capabilities in a network that already has WANOP deployed. When the time is right, for example when the maintenance expires on the WANOP Edition, the two solutions can be replaced with an Enterprise Edition appliance, which combines the functionality. If this is the end goal for customers that deploy like this, the recommendation would be to use the appropriate Standard Edition models that are capable of upgrade to Enterprise Edition, so that a hardware swap is not required when this transition is eventually needed; instead a simple software and license upgrade, available through a SKU, unlocks the WANOP capabilities that transform the Standard Edition appliance into Enterprise Edition.


SD-WAN QoS Dual-Ended QoS

[Figure: two remote SD-WAN-SE appliances, each on a 100 Mbps link, sending to an SD-WAN-SE at the Data Center or Cloud on a 100 Mbps link; the receiver feeds back latency, loss, jitter and congestion measurements]

Key Notes:

• SD-WAN's capabilities of per-packet processing and unidirectional path measurements enable the differentiating capability of dual-ended quality of service when compared to competing SD-WAN solutions. Competing solutions typically are single-ended QoS, and that can cause issues in the network, with multiple remote boxes possibly overdriving a single receiving device because of the expected bandwidth at each respective site.
• As an example, with the two 100 Mbps devices on the left sending traffic to the data center on the right, they can simultaneously push up to 200 Mbps to the data center and quickly overdrive the head-end device, causing a poor overall user experience. Most competing solutions lack last-mile awareness, which can potentially result in a choke point at the destination.
• NetScaler SD-WAN's dual-ended, or end-to-end, QoS ensures delivery and efficiency across the WAN. The design allows for QoS configuration globally from a single source, and that central configuration knowledge is shared network-wide to all SD-WAN devices. Path measurements are continuously shared and updated amongst peers. This information is used by SD-WAN to proactively react to network conditions with retransmissions and/or redirection, as well as to share the last-mile condition with sending peers.
• SD-WAN's measurement sharing capability makes the systems aware of the last mile, and prevents oversubscription and wasted bandwidth utilization before it can occur.
• With that knowledge, SD-WAN devices sending packets will throttle down their send rate, based on the feedback the receiving device is dynamically advertising.
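The head-end overdrive on this slide, and the throttling that dual-ended feedback allows, are shown below in an added example (not Citrix code; the max-min fair-share rule is this example's assumption chosen to illustrate the feedback loop, not SD-WAN's algorithm). Two 100 Mbps remotes feed a 100 Mbps data-center link: single-ended, the offered 200 Mbps is cut in half at the head-end; dual-ended, the senders throttle to the advertised capacity before sending and nothing is dropped there.

```python
"""Single-ended versus dual-ended QoS at a head-end. Constructed model, not Citrix code.

Rates are in Mbps. `senders` maps a remote site to the rate it wants to send.
"""


def single_ended(senders, headend_capacity):
    """Each sender pushes its full local uplink; the head-end is overdriven and drops."""
    offered = sum(senders.values())
    overdrive = max(0.0, offered - headend_capacity)
    scale = min(1.0, headend_capacity / offered) if offered else 0.0
    delivered = {s: r * scale for s, r in senders.items()}
    return {"offered": offered, "dropped_at_headend": overdrive, "delivered": delivered}


def fair_share(demands, capacity):
    """Max-min fair share (assumption): sites wanting less than an equal split keep
    their demand; the remainder is split equally among the rest."""
    alloc = {}
    remaining = float(capacity)
    pending = dict(demands)
    while pending:
        share = remaining / len(pending)
        small = {s: d for s, d in pending.items() if d <= share}
        if not small:                       # everyone left wants at least the equal split
            for s in pending:
                alloc[s] = share
            break
        for s, d in small.items():          # satisfy the small demands, recompute the split
            alloc[s] = d
            remaining -= d
            del pending[s]
    return alloc


def dual_ended(senders, headend_capacity):
    """The head-end advertises its last-mile capacity; senders throttle to their
    share before sending, so nothing is dropped at the head-end."""
    targets = fair_share(senders, headend_capacity)
    return {"offered": sum(targets.values()), "dropped_at_headend": 0.0, "delivered": targets}


if __name__ == "__main__":
    remotes = {"Remote-A": 100.0, "Remote-B": 100.0}   # the slide's two 100 Mbps sites
    print(single_ended(remotes, 100.0))
    print(dual_ended(remotes, 100.0))
    # A site that only needs 30 Mbps leaves the rest of the head-end link to its peer.
    print(dual_ended({"Remote-A": 30.0, "Remote-B": 100.0}, 100.0))
```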


Lesson Objective Review

If NetScaler SD-WAN WAN links are not defined for the proper speeds, what could this affect?

a) WAN path reporting instability of paths
b) SD-WAN underutilizing or over utilizing the WAN link
c) Quality of Service not properly being engaged
d) Accuracy of SD-WAN path monitoring statistics
e) All of the above

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.




SD-WAN Classes of Service Categories

In the SD-WAN environment, we think of applications as falling into one of the following three classes:

Category     Minimum Bandwidth   Prioritization
Real Time    30%                 VoIP, Video Conference, <custom>
Interactive  40%                 XenDesktop, Exchange, <custom>
Bulk         30%                 FTP, Video, <custom>

Key Notes:

• Realtime: Used for low latency, low bandwidth, time-sensitive traffic. Real-time applications are time sensitive but don't really need high bandwidth (for example voice over IP). Real-time applications are very sensitive to latency and jitter, but can tolerate some loss.
• Interactive: Used for interactive traffic with low to medium latency requirements and low to medium bandwidth requirements. Interactive applications involve human input in the form of mouse clicks or cursor moves. The interaction is typically between a client and a server. The communication might not need high bandwidth but is sensitive to loss and latency. However, server to client does need high bandwidth to transfer graphical information, which might not be sensitive to loss.
• Bulk: Used for high bandwidth traffic that can tolerate high latency. Applications that handle file transfer and need high bandwidth are categorized as the bulk class. These applications involve very little human interference and are mostly handled by the systems themselves.
• The Quality of Service on the Standard and Enterprise Edition is strategically designed to prioritize business critical applications and realtime traffic above other traffic flows. By design, SD-WAN enables scaling of WAN bandwidth by allowing easy addition of inexpensive broadband Internet to join the already existing WAN infrastructure. Because of this easy addition of bandwidth, most of QoS is assigning prioritized applications to the appropriate path that matches the conditions the application needs to perform well.
• SD-WAN QoS is based on three main categories of application traffic: real time, interactive, and bulk.
• Categories can be provisioned with guaranteed minimums.
• The real time category has absolute priority over everything until the provisioned rate is met, and Interactive has absolute priority over Bulk.
• Low latency, low bandwidth, time-sensitive apps are prioritized within the realtime category. Those apps include VoIP and Video Conferencing.
• Applications that fall into the interactive category typically require low to medium latency and low to medium bandwidth; usually apps that require chatty client-server communication with user inputs and screen update responses.
• The Bulk category has the least priority and can get starved in contention with real-time and interactive if a minimum bandwidth is not configured.
• Applications that fall into the bulk category are typically latency tolerant, but require higher bandwidth, with little to no human interaction.
• The systems come equipped with default applications already created, but with the ability to alter and customize user-defined applications using a 7-tuple filter capability, which includes source/destination IP and port, TCP/UDP protocol, and DSCP marking.
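The priority rules stated in the notes (real time first up to its provisioned minimum, then strict priority of real time over interactive over bulk, with bulk starving when it has no minimum) can be worked through numerically. Below is an added example, not SD-WAN's scheduler: a two-pass allocator for one scheduling interval, run with the 30/40/30 split from the table and again with no bulk minimum. Link and demand figures are constructed.

```python
"""Category-level bandwidth allocation for one scheduling interval.

Constructed model of the priority rules the slide states; added example, not
SD-WAN's scheduler. Rates are in kbps, minimums in percent of the link.
"""

CATEGORIES = ("realtime", "interactive", "bulk")   # strict priority order


def allocate(link_kbps, demand, minimum_pct):
    """Return {category: kbps} for one interval.

    demand:      kbps each category wants to send right now
    minimum_pct: provisioned guaranteed share per category (absent means 0)
    Pass 1 hands each category its guaranteed minimum (capped by its demand) in
    priority order; pass 2 hands out whatever is left in strict priority order.
    """
    alloc = {c: 0.0 for c in CATEGORIES}
    left = float(link_kbps)
    for c in CATEGORIES:                      # pass 1: guaranteed minimums
        guaranteed = link_kbps * minimum_pct.get(c, 0) / 100.0
        grant = min(guaranteed, demand.get(c, 0), left)
        alloc[c] += grant
        left -= grant
    for c in CATEGORIES:                      # pass 2: strict priority for the remainder
        want = demand.get(c, 0) - alloc[c]
        grant = min(want, left)
        alloc[c] += grant
        left -= grant
    return alloc


if __name__ == "__main__":
    link = 10_000                                           # 10 Mbps WAN link
    contention = {"realtime": 4_000, "interactive": 8_000, "bulk": 6_000}
    # The table's split: Real Time 30 %, Interactive 40 %, Bulk 30 %.
    print(allocate(link, contention, {"realtime": 30, "interactive": 40, "bulk": 30}))
    # No minimum for bulk: the two higher categories consume the whole link.
    print(allocate(link, contention, {"realtime": 30, "interactive": 40}))
```

With the 30/40/30 minimums bulk keeps 3,000 kbps under contention; without its minimum, the leftover after pass 1 goes to real time and interactive first and bulk receives nothing.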

QoS Levels Defined by Classes

[Screenshot: Configuration Editor, Default Sets > Virtual Path Default Set > Classes, listing the 17 classes by number, name and type: 0-3 HDX priority tags 0-3 (Realtime, Interactive, Interactive, Bulk); 4-9 class_4 to class_9 (Bulk); 10 realtime_class (Realtime); 11 interactive_high_class, 12 interactive_medium_class, 13 interactive_low_class, 14 interactive_very_low_class (Interactive); 15 bulk_background_class and 16 bulk_unused_class (Bulk)]

• 17 Class levels
• QoS within Categories
• WANOP adds DSCP
• RED queuing discipline
• Classes 0-3 are set for Citrix HDX traffic and are not user configurable.
• Classes 4-9 are not used by default but are user configurable.
• Classes 10-16 are the default classes used by the default rules.

Key Notes:

• The SD-WAN system provides 17 classes (0-16). Classes 0-3 are predefined for Citrix HDX QoS prioritization. To use this feature, enable the following options:
  • WAN Optimization, available under Optimization > Features.
  • HDX QoS Priorities, available under Optimization > Features.
  • ICA Service Class, available under Optimization > Service Classes.
• These classes are used to classify HDX traffic with different ICA priority tags. You can edit the class types and their assigned bandwidth sharing to obtain the optimal quality of service, but you cannot edit the names of the classes.
• Classes 10-16 are predefined and are associated with the Realtime, Interactive, and Bulk class types. Each type can be configured further to optimize quality of service for its type of traffic. Classes 4-9 can be used to specify user-defined classes.
• SD-WAN Standard and Enterprise editions enable global configuration of classes and rules that can be distributed to all SD-WAN appliances; this global configuration of classes and rules is called the "Default Sets." Site-specific customization can be done on each site-specific device in another part of the Configuration Editor. The screenshot shows the Configuration Editor highlighting the creation of the default set.
• SD-WAN offers up to 17 customizable classes for QoS, and each can be associated with one of the 3 main categories.
• The SD-WAN QoS model is dual-ended and therefore provides guaranteed delivery, even capable of last-mile congestion detection.
• Within the individual categories of real time, interactive, and bulk, classes can be further defined for quality of service in order to provide granular prioritization between apps that fall within the same category type and allow allocation of a larger or smaller share of bandwidth. Customization can be done here, or the preset classes can be called when defining application rules.
• The first 4 out of the 17 classes are predefined as Citrix classes for implementing the reclassification of the HDX protocol.
• SD-WAN is tightly integrated with Citrix XenApp and XenDesktop and is capable of distinguishing the different channels within a single HDX session:
  • tag_0, which is associated with the audio channel, is categorized as Realtime;
  • tag_1, which is associated with interactive mouse cursor movements, keyboard entries, and screen refreshes on the ThinWire channel, is categorized as Interactive;
  • tag_2, which is associated with media streams and client drive mapping, is categorized as Interactive;
  • and lastly tag_3, which is associated with Print, is categorized as Bulk.
• With WANOP or Enterprise Edition in the data path, WANOP processes the HDX packet and marks a DSCP priority bit with the class-id for reclassified flows; Standard Edition can then check whether DSCP is marked and update the flow classification and delivery across the appropriate path that matches the HDX channel's priority.
• SD-WAN utilizes the Random Early Drop (RED) queuing discipline for its network scheduler, which is suited for congestion avoidance.
• RED provides fairness among multiple TCP flows sharing the same class. This queuing discipline starts dropping packets probabilistically when the queue has sustained backup. This gives an early indication to TCP that congestion is occurring. The effect is that no TCP flow can monopolize the path scheduler and all TCP flows get a fair share.

WANOP Edition Application Classifiers

[Screenshot: Application Classifiers list in the WANOP defaults]

• 250+ predefined apps
• Reporting
• Service Classes

Key Notes:

• The WANOP engine on SD-WAN contains a predefined list of 250+ applications, which are defined based on TCP port number. The screenshot shows the Application Classifiers list in the defaults.
• Additional ones can be added, and existing ones can be edited to reassign ports to other apps.
• These defined applications primarily serve two purposes:
  • Reporting. NetScaler MAS extracts data from optimized sessions and provides visibility into the applications in easy-to-read reports.
  • Service Class definition, which is a filtering capability for granular control of optimization levels.


WANOP Edition Service Classes

[Screenshot: Service Classes list (ICA, Web Private, CIFS, VoIP, FTP, Other TCP Traffic, Unclassified Traffic and others, all ENABLED) with the Add/Edit dialog showing the Acceleration Policy]

Acceleration Policy:
• Flow Control Only
• Disk based compression
• Memory based compression

Key Notes:

• The WANOP engine on SD-WAN utilizes the Service Class definitions to individually enable optimization for a specific protocol. By default all the Service Class policies are enabled, but the level of optimization is set to none.
• As individual Service Classes are enabled for optimization, the admin is tasked with choosing the level of optimization desired for that application or set of applications:
  • Flow control only should be selected for chatty apps with little to no data payload.
  • Disk should be selected for heavy data payload applications, since lookup from disk takes longer and a bigger hit rate for deduplication will yield positive results even with the longer lookup time.
  • Memory should be selected for light data payload applications that won't consume a lot of memory space but will benefit from expedited lookups using memory as opposed to disk.


QoS Queue Depth

[Screenshot: IP rule settings in the Configuration Editor]

• The Queue depth (send buffer) is defined in the IP rule per application. It defines the amount of data to be queued on the sending side before dropping packets. This means you can have multiple applications all feeding into the same class with different buffer depths. All flows matching the same rule will share the same queue.
• The lower the application priority, the larger the queue depth needs to be. For Real-time applications, this queue depth has not only a buffer size in bytes but also in time. The theory here is that it is bad to buffer Real-time traffic for a long period of time because it can introduce jitter. That being said, if the real-time class does not get serviced fast enough then you may have bigger problems.

Key Notes:

• Assign only VoIP or VoIP-like traffic to the real-time class.
• Set the queue depth to 80-125 ms and not more than 200 Kbytes.
• If you have a lot of real-time traffic and you see packet drops in the Monitor > Classes view, increase the buffer.
• Set Duplicate Disable Delay to about 70% of the queue depth timer if you are doing packet duplication.
• For all other types of classes queue depth is less critical, but it is recommended to set these to be fairly large. You can use different depths to throw less important applications away by setting them slightly shorter. Again, it is good to look at the classes and see if any of the classes are dropping. Note, drops in the class view are not the same as packets lost in the WAN. We do not recover drops from the queue. We can retransmit packets lost in the WAN.
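The queue behaviour described here and the RED discipline described under "QoS Levels Defined by Classes" can be seen together in one model. The following is an added example (not Citrix code and not the appliance's implementation): a per-rule send queue with a byte depth, an optional time depth for real-time rules, and an optional RED mode whose drop probability rises between a minimum and a maximum threshold on the averaged queue length. The EWMA weight, the RED thresholds and the offered-load pattern are this example's assumptions; the `recommended_realtime_depth` helper only applies the 80-125 ms, 200 KB and 70% figures from the notes.

```python
"""Per-rule send queue with byte depth, optional time depth and optional RED.

Constructed example, not SD-WAN's implementation. Packet sizes are bytes,
timestamps are milliseconds.
"""
import random
from collections import deque


class SendQueue:
    def __init__(self, max_bytes, max_ms=None, red=None, seed=1):
        self.max_bytes = max_bytes
        self.max_ms = max_ms              # only real-time rules get a time limit
        self.red = red                    # (min_th, max_th, max_p) in bytes, or None
        self.rng = random.Random(seed)    # seeded so runs are repeatable
        self.q = deque()                  # entries are (enqueue_ms, size)
        self.bytes = 0
        self.avg = 0.0                    # EWMA of queued bytes, used by RED
        self.drops = {"tail": 0, "age": 0, "red": 0}

    def _red_drop(self):
        """RED decision on the averaged queue length (EWMA weight 0.5 is an assumption)."""
        min_th, max_th, max_p = self.red
        self.avg = 0.5 * self.avg + 0.5 * self.bytes
        if self.avg < min_th:
            return False
        if self.avg >= max_th:
            return True
        p = max_p * (self.avg - min_th) / (max_th - min_th)
        return self.rng.random() < p

    def enqueue(self, size, now_ms):
        """Return True if queued, False if dropped (the reason is counted in self.drops)."""
        if self.bytes + size > self.max_bytes:
            self.drops["tail"] += 1       # byte depth exhausted: tail drop
            return False
        if self.max_ms is not None and self.q and now_ms - self.q[0][0] >= self.max_ms:
            self.drops["age"] += 1        # oldest data already waited too long; more only adds jitter
            return False
        if self.red and self._red_drop():
            self.drops["red"] += 1        # early probabilistic drop before the queue is full
            return False
        self.q.append((now_ms, size))
        self.bytes += size
        return True

    def dequeue(self):
        ts, size = self.q.popleft()
        self.bytes -= size
        return ts, size


def recommended_realtime_depth(rate_kbps, depth_ms=100):
    """Byte depth for a real-time rule: depth_ms of traffic at the class rate, capped
    at 200 KB as the notes recommend, plus a duplicate-disable delay of about 70%."""
    bytes_at_rate = int(rate_kbps * 1000 / 8 * depth_ms / 1000)
    return {"queue_bytes": min(bytes_at_rate, 200_000), "queue_ms": depth_ms,
            "duplicate_disable_delay_ms": int(depth_ms * 0.7)}


def offered_load(queue, packets=400, size=1000):
    """Offer `packets` packets 1 ms apart without draining; return how many were accepted."""
    return sum(queue.enqueue(size, ms) for ms in range(packets))


if __name__ == "__main__":
    tail = SendQueue(max_bytes=100_000)
    red = SendQueue(max_bytes=100_000, red=(20_000, 60_000, 0.2))
    print("tail-drop accepted:", offered_load(tail), tail.drops)
    print("RED accepted:", offered_load(red), red.drops)
    rt = SendQueue(max_bytes=200_000, max_ms=100)      # real-time rule: bytes and time
    print("real-time accepted:", offered_load(rt, packets=200, size=200), rt.drops)
    print(recommended_realtime_depth(512))
```

The tail-drop queue accepts exactly 100 KB before dropping; the RED queue starts dropping well before its byte limit, which is the early congestion signal TCP flows react to; the real-time queue stops accepting once its oldest packet is 100 ms old even though plenty of byte depth remains.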


Basic QoS Rules

[Screenshot: Rules list in the Configuration Editor]

• Be as specific as you can with the match conditions to prevent other applications getting captured by the rule.
• Never duplicate applications that have more than 100 Kbps of throughput. Dup uses 2X the BW and should only be used for VoIP-like applications.
• Retransmitting lost packets takes roughly 2.5 times the round trip. Consider if the added jitter is worth it.
• Reordering also takes time. The tradeoff is fewer lost packets, but the longer the timer the worse the jitter.
• Video streaming is not a real-time application. Map it to an Interactive class with a fairly large queue depth.
• Video conferencing can be tricky to optimize for. Start with an interactive class and a big buffer.

Key Notes:

• When creating a new rule, think about what the application is and how you want it to behave. Also, remember that other traffic may be using the same class, so prioritize the application appropriately. There are benefits and drawbacks to the transmit modes and settings.


Filtering capability with Rules

[Screenshot: Rules list for a client node in the Configuration Editor]

• Default Set of Rules
• 7-tuple filtering
  • Source and destination IP address
  • Source and destination port
  • Protocol
  • DSCP tag
  • VLAN
• Top down priority
• Direction specific
• DSCP tag matching
• Transmission Modes

Key Notes:

• Where Classes are associated with data delivered across the Virtual Path Network Service and affect how traffic flows are categorized, then scheduled and shaped, Rules are filters that define applications and tie them to a Class to determine QoS and bandwidth share, and also the Transmission Mode. The screenshot shows the Rules for a particular client node. Defaults will be prepopulated and grayed out, and custom rules can be added to the top of the list for granular control and a change in default behavior.
• SD-WAN comes equipped with a default set of rules and classes which capture all the commonly found protocols in an Enterprise network, but these rules are extendable and customizable to provide more granular control, either globally with the Default Set or local-site specific. Customized Rules take precedence over the Default Set.
• Custom rules can be created using a 7-tuple filtering mechanism, which is based on:
  • Source and destination IP address
  • Source and destination port number
  • Protocol
  • DSCP tag
  • VLAN
• The order of processing is top-down, with a catch-all bucket at the bottom.
• Rules can be defined direction-specific for granular control.
• Rules enable tagging with explicit DSCP markings, which provides more intelligence than MPLS QoS queues because SD-WAN can do assured delivery of the packet, not just prioritization.
• In addition to many other fine-grain controls, Rules allow for definition of the Transmission Mode, which we will get into in the next section.


Application QoS Rules as of 9.3

[Screenshot: Add Application rule dialog with the Match Applications, Application Set and IP Src/Dst fields and the drop and retransmit settings]

• With Release 9.3 we have introduced another layer to the application rules. Whilst you can create rules using just the IP settings, you can now take advantage of the application DPI engine to identify specific applications or groups of applications as defined by custom application objects. The IP rules are still processed first and the app QoS rules are processed second, but the same settings and elements still apply. The application QoS rules can also be used to override the default IP rules.


Default Rules Breakdown

Rule name | Match: protocol | Match: DSCP | Set: class | Transmit type | Retransmit | Queue depth (bytes) | Reorder time | Misc
VoIP | SIP | EF | 10 | RT dup | no | 15K/100ms | 80 | reassign at 600 B to class 13
ICA | ICA | | 11 | int LB | yes | 30000/350ms | 250 | RED on
ICACGP | ICACGP | | 11 | int LB | yes | 30000/350ms | 250 | RED on
ICAUDP | ICAUDP | | 11 | int LB | yes | 30000/350ms | 250 | RED off
ICACGP UDP | ICACGPUDP | | 11 | int LB | yes | 30000/350ms | 250 | RED off
ICMP | ICMP | | 12 | persist | no | 30000/350ms | 250 |
SSH | SSH | | 12 | LB | yes | 65000/350 | 900 | RED on
telnet | telnet | | 12 | LB | yes | 65000/350 | 900 | RED on
RDP | RDP | | 12 | LB | yes | 65000/350 | 900 | RED on
RPC | RPC | | 12 | LB | yes | 65000/350 | 900 | RED off
LDAP | LDAP | | 12 | LB | yes | 65000/350 | 900 | RED off

Key Notes:

• Slide 1 of 3
• These are added as reference.

126 © 2018 Citrix Authorized Content


Default Rules Breakdown

Rule name | Match: protocol | Match: DSCP | Set: class | Transmit type | Retransmit | Queue depth (bytes) | Reorder time | Misc
HTTP | HTTP | | 14 | LB | yes | 100000/350 | 900 | RED on
ALTHTTP | ALTHTTP | | 14 | LB | yes | 100000/350 | 900 | RED on
HTTPS | HTTPS | | 14 | LB | yes | 100000/350 | 900 | RED on
CIFS | CIFS | | 13 | LB | yes | 65000/350 | 900 | RED on
POP3 | POP3 | | 13 | LB | yes | 30000/350ms | 900 | RED on
SMTP | SMTP | | 13 | LB | yes | 30000/350ms | 900 | RED on
IMAP | IMAP | | 13 | LB | yes | 30000/350ms | 900 | RED on
FTP | FTP | | 15 | LB | yes | 128000/50 | 900 | RED on
IPERF | IPERF | | 15 | LB | yes | 128000/50 | 900 | RED off
GRE | GRE | | 13 | LB | yes | 200000/350 | 250 | RED off
DNS | DNS | | 13 | LB | yes | 128000/350 | 250 | RED off

Key Notes:

• Slide 2 of 3
• These are added as reference.

127 © 2018 Citrix Authorized Content


Default Rules Breakdown

Rule name | Match: protocol | Match: DSCP | Set: class | Transmit type | Retransmit | Queue depth (bytes) | Reorder time | Misc
SNMP | SNMP | | 13 | LB | no | 128000/350 | 0 | RED off
SNMP TRAP | SNMPTRAP | | 13 | LB | no | 128000/350 | 0 | RED off
ALL EF | ALL | EF | 10 | dup | no | 15K/100ms | 80 | reassign at 2000 B to class 13
ALL AF11 | ALL | AF11 | 12 | persist | no | 30000/350ms | 250 |
UDP | UDP | | | persist | no | 15000/100 | 250 |
TCP | TCP | | 13 | LB | yes | 300000/350 | 900 |
catch all | (any) | | 13 | persist | no | 200000/350 | 0 |

Key Notes:

• Slide 3 of 3
• These are added as reference.

128 © 2018 Citrix Authorized Content


Basic guidance on QoS Rules

[Screenshot: the Rules list in the Configuration Editor]

• Unless you really don't care about an application, put it into one of the interactive classes rather than bulk; bulk can be starved off entirely.
• Only put VoIP into Real-time.
• Only use packet duplication for narrow-band applications (i.e. VoIP).
• Load Balance is the safest option.
• Retransmit packets when loss will have a great effect (i.e. TCP apps).
• Remember that other traffic may be classified into the same class; check the other rules.

129 © 2018 Citrix Authorized Content


Lesson Objective Review

What cannot be used as a filter when defining SD-WAN Rules?

a) UDP Protocol
b) TCP Protocol
c) IP Subnet
d) Service Provider ID
e) All of the above

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.

130 © 2018 Citrix Authorized Content




NetScaler SD-WAN Transmit Modes

SD-WAN can deliver traffic across the Virtual Path using different Transmit Modes:

• Load Balance Paths
• Persistent Paths
• Override Service
• Duplicate Paths

Key Notes:

• SD-WAN Transmit Modes determine the behavior of packet delivery across the Virtual Path Service. Transmission modes are designed to further enhance the end-user experience, and include:
• Load Balance Paths. In this mode, the application will select the best available path based on its overall class and the other application traffic currently transmitting. If the bandwidth demand for an individual flow exceeds a single path WAN link's bandwidth, it will intelligently load balance the packets across multiple paths. It does this in such a way as to minimize the reordering time on the receive side. Note that it only load balances as needed; it is not simple round robin.
• Persistent Path. In this mode, when the app flow starts the best path is selected. The application will stay on that path unless its latency changes by 50ms (the default Persistent Impedance). It will then select the next best path. This means the flow generally will pin to a given path unless the quality changes dramatically. If the path goes BAD (due to loss) it will also move. If the application's bandwidth demand exceeds the path it is on, the app is allowed to flow across multiple paths (similar to Load Balanced transmit mode).
• Duplicate Paths. This mode is used for VoIP applications. The flow is duplicated and sent to the two best and most diverse paths available based on Service Provider IDs. Use this for VoIP-like applications only, as it consumes 2X the application bandwidth.

132 © 2018 Citrix Authorized Content


SD-WAN Transmit Mode: Load Balance Paths

[Diagram: Remote SD-WAN-SE connected to a Data Center or Cloud SD-WAN-SE over several paths, with one session load balanced across them]

Load Balance Paths Transmit Mode

• Balance a single session across multiple paths
• Intelligent per-packet delivery decision making
• Overflow capabilities onto other paths
• Packet retransmission
• Quality of Service with application categorization
• Packet scheduling with in-sequence delivery
• Advanced reorder algorithms to minimize wait time
• Maximized good-put utilizing lowest latency WAN paths first

Key Notes:

• Load Balance Paths Transmit Mode allows the flow for a filtered application to be balanced across multiple paths simultaneously across the virtualized WAN. However, it is not your typical load balancer; it is much more intelligent than that. SD-WAN is capable of dynamically matching every packet to the application's priority and matching it up with the WAN path that best matches the priority of the application.
• With load balance, apps are allowed to spill over when more bandwidth is required. This is a differentiator against competing SD-WAN solutions, in that WAN bandwidth is truly aggregated and applications are not limited to the bandwidth of the assigned path. From the perspective of the application, it just sees a thicker pipe for delivery, and as applications are assigned to a path they are not limited to the capacity limits of that single path. Packets are sent across the best path until it is completely used. The remaining packets are then sent across the next best path.
• There is much more that goes into SD-WAN intelligence, including Quality of Service to make sure one session does not consume all the bandwidth, and that business critical applications are not displaced by lower priority applications. When utilizing multiple paths of differing conditions, SD-WAN schedules packets to the WAN so that they arrive close to in-sequence for efficient reordering on the receiving end, before being delivered to the end host. SD-WAN maximizes good-put by utilizing the lowest latency WAN paths first. Also, packet retransmission is optimized to detect packet loss and retransmit before TCP is aware of the lost packets. This works for non-TCP traffic as well, by utilizing the SD-WAN overlay packet sequence algorithm and the innate time knowledge of the network and the expected arrival windows of the next packets.

133 © 2018 Citrix Authorized Content


SD-WAN Transmit Mode: Persistent Paths

[Diagram: Remote SD-WAN-SE connected to a Data Center or Cloud SD-WAN-SE over several paths, with one path marked Persistent]

Persistent Paths Transmit Mode

• Application persists on its assigned path
• Reassigned depending on availability of the path, or if latency increases by 50ms or more
• Reassigned depending on the bandwidth needs of the application
• Automated path delivery intelligence; Admin path assignment is no longer needed

Key Notes:

• Certain applications are highly sensitive to changing characteristics of latency, bandwidth, or jitter. A good example of that would be video applications.
• Persistent Paths transmit mode is designed purposely to address those application needs.
• Persistent path binds a session to the best available WAN path when the session is established.
• SD-WAN will persist using that path for further packets as long as the path is viable and the session traffic load is within the ability of the WAN path.
• If needed, the session will be moved, but typically it is bound to one path for its duration.
• If the path is no longer available, or its latency worsens by more than 50ms vs. the alternatives, then the session will be moved to the next best WAN path.
• If the traffic load for the session exceeds the WAN path bandwidth, then the session will be moved to an alternative capable WAN path.
• Persistent path should be configured for real-time and interactive traffic only, and not for bulk data unless the exact amount of bandwidth per application is known and available.
• SD-WAN path measurements and intelligence are also applied with this transmit mode. Admins are not burdened with statically assigning applications to paths. There are knobs available to adjust if more control of application path assignment is desired, but SD-WAN is designed to be automated, and static Admin assignments take away from the intelligence of the box to make the correct delivery decision at every moment in time using live and accurate measurements of the available WAN paths. Even MPLS links, with their high cost and promised SLA, are subject to failure and poor conditions during times of peak utilization. An Admin customizing SD-WAN to force applications down a desired WAN path is not necessarily doing the appropriate thing for that application, since Admins are not typically monitoring that path every minute of every day to make the adjustment when necessary. SD-WAN is designed to do this automatically for you.

134 © 2018 Citrix Authorized Content



SD-WAN Transmit Mode: Duplicate Paths

[Diagram: Remote SD-WAN-SE connected to a Data Center or Cloud SD-WAN-SE over several paths, with two paths marked Duplicate]

Duplicate Paths Transmit Mode

• VoIP packet is duplicated across the two best links
• Packet that arrives first is forwarded on
• Packet arriving last is discarded
• First path selected based on lowest latency appropriate for real-time traffic
• Second path selected again based on priority, but also on variance in provider from the first path

Key Notes:

• Voice over IP is a very important and sensitive protocol, for which SD-WAN has a specially designed Duplicate Paths transmit mode. This feature is not required to be enabled in order for Voice over IP to benefit from the reliability and intelligent path delivery which SD-WAN provides by default, but this transmit mode is specially designed to improve the quality of VoIP, again with the optimal end-user experience in mind.
• Applications enabled for Duplicate Paths will have a copy of every packet simultaneously sent across a distinct path from the original packet. The packet that makes it to the destination first will be used, the other discarded. This results in the best end-user experience with VoIP calls, in that every packet is essentially guaranteed to arrive (as long as both paths do not drop the same packet), eliminating the chance for lost packets.
• The duplicated packets are assigned to WAN paths that match the real-time criteria when determining the path conditions. The first path selected is the lowest latency path, and the second path selected would again be based on latency but also on the least amount of similarity to the first path, to guarantee variety. Typically the Service Provider identifier is used to make that distinction between paths.
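The three path-selection behaviours described on the Transmit Modes slides above, as an added example that is not part of the course or of Citrix's implementation: a Python model of Load Balance (fill the best path, spill the remainder onto the next), Persistent (stay pinned unless the path goes BAD or an alternative beats it by more than the 50ms Persistent Impedance) and Duplicate (lowest latency path plus the best path on a different Service Provider ID). The path names, carriers, latencies, capacities and the 5% loss threshold for marking a path BAD are constructed assumptions.

```python
"""Path selection under the Load Balance, Persistent and Duplicate transmit modes (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PERSISTENT_IMPEDANCE_MS = 50.0   # course default: a pinned flow moves only if beaten by more than this
BAD_LOSS_PCT = 5.0               # assumption of this example: loss at or above this marks a path BAD


@dataclass
class Path:
    name: str
    provider: str          # Service Provider ID of the underlying WAN link
    latency_ms: float
    loss_pct: float
    capacity_kbps: int
    used_kbps: int = 0

    @property
    def good(self) -> bool:
        return self.loss_pct < BAD_LOSS_PCT

    @property
    def free_kbps(self) -> int:
        return max(self.capacity_kbps - self.used_kbps, 0)


def usable(paths: List[Path]) -> List[Path]:
    """GOOD paths ordered lowest latency first; BAD paths are never candidates."""
    return sorted((p for p in paths if p.good), key=lambda p: p.latency_ms)


def load_balance(paths: List[Path], demand_kbps: int) -> Dict[str, int]:
    """Fill the best path and spill what is left onto the next best: aggregation, not round robin."""
    plan: Dict[str, int] = {}
    remaining = demand_kbps
    for p in usable(paths):
        if remaining <= 0:
            break
        take = min(p.free_kbps, remaining)
        if take > 0:
            plan[p.name] = take
            remaining -= take
    if remaining > 0:
        raise RuntimeError(f"{remaining} kbps of demand exceeds every usable path")
    return plan


def persistent(paths: List[Path], current: Optional[str]) -> str:
    """Keep the pinned path unless it went BAD or an alternative beats it by more than the impedance."""
    ranked = usable(paths)
    if not ranked:
        raise RuntimeError("no usable path")
    best = ranked[0]
    cur = next((p for p in ranked if p.name == current), None)   # None if unpinned or now BAD
    if cur is None or cur.latency_ms - best.latency_ms > PERSISTENT_IMPEDANCE_MS:
        return best.name
    return cur.name


def duplicate(paths: List[Path]) -> Tuple[str, str]:
    """Lowest latency path plus the best path on a different provider (next best if none is diverse)."""
    ranked = usable(paths)
    if len(ranked) < 2:
        raise RuntimeError("duplication needs two usable paths")
    first = ranked[0]
    diverse = [p for p in ranked[1:] if p.provider != first.provider]
    second = diverse[0] if diverse else ranked[1]
    return first.name, second.name


def demo() -> dict:
    # Constructed sample: three MPLS paths from one carrier, one Internet path from another.
    paths = [
        Path("mpls-a", "CarrierA", 20, 0.0, 2000, used_kbps=1500),
        Path("mpls-b", "CarrierA", 25, 0.0, 2000),
        Path("mpls-c", "CarrierA", 30, 0.0, 2000),
        Path("inet-1", "ISP-B", 40, 0.5, 10000),
    ]
    out = {}
    out["lb_small"] = load_balance(paths, 400)         # fits in the 500 kbps left on mpls-a
    out["lb_spill"] = load_balance(paths, 3000)        # overflows onto mpls-b, then mpls-c
    out["persist_start"] = persistent(paths, None)     # pins to mpls-a
    paths[0].latency_ms = 60                           # 35 ms worse than mpls-b: inside the impedance, stays
    out["persist_stay"] = persistent(paths, "mpls-a")
    paths[0].latency_ms = 90                           # 65 ms worse: moves to the next best path
    out["persist_move"] = persistent(paths, "mpls-a")
    paths[0].latency_ms, paths[0].loss_pct = 20, 12.0  # lowest latency but BAD: excluded everywhere
    out["dup_diverse"] = duplicate(paths)              # mpls-b plus the ISP-B path, not the sibling mpls-c
    out["lb_skips_bad"] = load_balance(paths, 400)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>14}: {v}")
```

The dup_diverse case is the one to note: mpls-c has lower latency than inet-1, but it shares a carrier with the first path, so provider diversity wins and the copy goes to the Internet path instead.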

135 © 2018 Citrix Authorized Content


NetScaler SD-WAN Zero Touch Deployment Service

[Diagram: a new branch node reaching the ZTD Cloud Service over the Internet/MPLS, with the MCN and SD-WAN Center at the data center]

Key Notes:

• This will be covered in more depth in later Modules.
• Zero Touch Deployment (ZTD) Cloud Service is a Citrix operated and managed cloud-based service which allows discovery of new appliances in the NetScaler SD-WAN network, primarily focused on streamlining the deployment process for NetScaler SD-WAN at remote or branch office locations. The ZTD Cloud Service is publicly accessible from any point in a network via public Internet access. The ZTD Cloud Service is accessed over the Secure Sockets Layer (SSL) protocol.
• The ZTD Cloud Service securely communicates with backend Citrix services hosting stored identification of Citrix customers who have purchased Zero Touch capable appliances (e.g. NetScaler SD-WAN 410-SE, 2100-SE). The backend services are in place to authenticate any Zero Touch Deployment request, properly validating the association between the Customer Account and the Serial Numbers of the NetScaler SD-WAN appliances.
• ZTD High-Level Architecture and Workflow
  • Data Center Site:
    • NetScaler SD-WAN Administrator: a user with Administration rights of the NetScaler SD-WAN environment with the following primary responsibilities:
      • Configuration creation using the NetScaler SD-WAN Center Network Configuration tool, or import of the configuration from the Master Control Node (MCN) SD-WAN appliance
      • Citrix Cloud login to initiate the Zero Touch Deployment Service for new remote site deployment
    • Network Administrator: a user responsible for Enterprise network management (DHCP, DNS, Internet, firewall, etc.)
      • If required, configure firewalls for outbound communication to FQDN sdwanzt.citrixnetworkapi.net from SD-WAN Center
  • Remote Site:
    • Onsite Installer: a local contact or hired installer for on-site activity with the following primary responsibilities:
      • Physically unpack the NetScaler SD-WAN appliance
      • Reimage non-ZTD ready appliances
        • Required for: NetScaler SD-WAN 1000-SE, 2000-SE, 1000-EE, 2000-EE
        • Not required for: NetScaler SD-WAN 410-SE, 2100-SE
      • Power cable the appliance
      • Cable the appliance for Internet connectivity on the Management interface (e.g. MGMT, or 0/1)
      • Cable the appliance for WAN link connectivity on the Data interfaces (e.g. apA.WAN, apB.WAN, apC.WAN, 0/2, 0/3, 0/5, etc.)

136 © 2018 Citrix Authorized Content

SD-WAN Transmit Mode: Override Service

[Diagram: Remote SD-WAN-SE connected to a Data Center or Cloud SD-WAN-SE, with the filtered traffic diverted from the Virtual Path to Internet, Intranet, Passthrough or Discard]

Override Service Transmit Mode

• Override to other available services, dropping from the Virtual Path Service
• Additional option of discard

Key Notes:

• The Override Service transmit mode allows applications that are filtered to be transmitted using the other services besides the Virtual Path Service.
• Options for override service include: Internet, Intranet, Passthrough, and Discard.

137 © 2018 Citrix Authorized Content


Lesson Objective Review

True or False?
If Duplicate Path is not enabled for VoIP traffic and a path is lost during usage, the end user would still not notice any disruption on the call.

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.

138 © 2018 Citrix Authorized Content


Lesson Objective Review

True or False?
If Duplicate Path is not enabled for VoIP traffic and a path is lost during usage, the end user would still not notice any disruption on the call.

Correct Answer: True

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.

139 © 2018 Citrix Authorized Content


NetScaler SD-WAN Provisioning Bandwidth

[Diagram: hosts behind a core switch, with the SD-WAN-SE between the core and the firewall and router]

Key Notes:

• SD-WAN Provisioning allows for bidirectional (ingress and egress) distribution of bandwidth for each WAN link among the various services associated with that link.
• Control is provided, allowing SD-WAN to apportion a segment of the bandwidth for the Internet Service and a portion of the bandwidth for the Virtual Path Service on the Internet links.
• Separate control is provided to apportion bandwidth on your private MPLS links for the different Services: Internet, Intranet, and Virtual Path Service.

140 © 2018 Citrix Authorized Content


Provisioning Bandwidth for Groups and Services

[Screenshot: the Configuration Editor provisioning view, with a Groups table and a Services table]

• Groups
• Services

Key Notes:

• There are two steps for provisioning bandwidth amongst the services in a simple and effective way; here is a screenshot of the Configuration Editor highlighting the ability of:
  • Creating Groups
  • Creating Services, with the ability to assign them to the groups
• Each WAN link can be configured separately with its own unique settings for Groups and Services, and each set of groups and services can be adjusted separately for LAN to WAN traffic flow and WAN to LAN traffic flow.

141 © 2018 Citrix Authorized Content


Provisioning Bandwidth Fair Shares

[Screenshot: provisioning table for an Internet WAN link. For each service (DC_CB_VWAN, Dynamic Virtual Paths and Internet, all in the Default group) it shows Min (kbps), Max (kbps), Shares of Group and Fair (kbps), separately for LAN to WAN and WAN to LAN.]

One user: 1000 kbps upload. Two users: 500 kbps upload each.

Key Notes:

• Fair Shares provides further granular control and allows distribution of the permitted bandwidth over groups, and over the services within groups.
• With Shares, the total number of shares is up to the user, allowing any granularity or precision when allocating bandwidth among the different Groups and Services.
• As an example, provisioning the Internet Service for this specific Internet WAN link with a total cap of 1000kbps, we can set a minimum of 500kbps for LAN to WAN flow, which will provision our upload bandwidth for Internet traffic.
• If a single user is on the Internet Service, they will be allocated the maximum of 1000kbps for upload, but as soon as a second user joins on that Internet Service, fair share is applied and both users will drop to 500kbps.
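The Min/Max/Shares allocation on this slide, as an added example that is not part of the course and does not reproduce Citrix's allocator: a Python model in which each service first receives its Min, the remainder of the link is split in proportion to Shares, a service that reaches its Max returns its surplus to the others, and the users of one service then split what that service holds equally. The Internet service's 500kbps minimum and 1000kbps cap and the 1000/500kbps per-user figures come from the slide; the link rate, the other services' figures and the allocation rule itself are assumptions.

```python
"""Share-based WAN link provisioning: per-service Min/Max/Shares, then per-user fair share (added example)."""
from dataclasses import dataclass
from typing import Dict, List

NO_LIMIT = 10**9   # stands in for the "no limit" Max setting


@dataclass(frozen=True)
class Service:
    name: str
    min_kbps: int
    max_kbps: int
    shares: int


def provision(link_kbps: int, services: List[Service]) -> Dict[str, int]:
    """Assumed allocation model: every service first receives its Min, the remainder is split in
    proportion to Shares, and a service that reaches its Max returns its surplus to the others."""
    if sum(s.min_kbps for s in services) > link_kbps:
        raise ValueError("sum of service minimums exceeds the link rate")
    alloc = {s.name: s.min_kbps for s in services}
    open_ = [s for s in services if s.min_kbps < s.max_kbps and s.shares > 0]
    left = link_kbps - sum(alloc.values())
    while left > 0 and open_:
        total_shares = sum(s.shares for s in open_)
        capped: List[Service] = []
        for s in open_:
            grant = left * s.shares // total_shares
            if grant >= s.max_kbps - alloc[s.name]:
                alloc[s.name] = s.max_kbps        # hits Max: its surplus goes back into the pool
                capped.append(s)
            else:
                alloc[s.name] += grant
        open_ = [s for s in open_ if s not in capped]
        left = link_kbps - sum(alloc.values())
        if not capped and left > 0:              # only integer rounding residue remains
            first = open_[0]
            alloc[first.name] += min(left, first.max_kbps - alloc[first.name])
            left = 0
    return alloc


def per_user_kbps(service_kbps: int, active_users: int) -> int:
    """Within a service every active user gets an equal slice of what the service holds."""
    return service_kbps // active_users if active_users > 0 else 0


# Constructed figures for one Internet WAN link in the LAN to WAN direction, modelled on the slide:
# the Internet service has a 500 kbps minimum and a 1000 kbps cap; the other numbers are assumptions.
INTERNET_LINK_LAN_TO_WAN: List[Service] = [
    Service("DC_CB_VWAN", min_kbps=1000, max_kbps=2540, shares=1000),
    Service("Dynamic Virtual Paths", min_kbps=0, max_kbps=2460, shares=1000),
    Service("Internet", min_kbps=500, max_kbps=1000, shares=1000),
]


def demo() -> dict:
    fair = provision(3000, INTERNET_LINK_LAN_TO_WAN)
    return {
        "fair_3000": fair,
        "fair_4000": provision(4000, INTERNET_LINK_LAN_TO_WAN),   # Internet stays at its 1000 kbps cap
        "one_user": per_user_kbps(fair["Internet"], 1),           # 1000 kbps upload
        "two_users": per_user_kbps(fair["Internet"], 2),          # 500 kbps each
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>10}: {v}")
```

Raising the link from 3000 to 4000 kbps is the case worth looking at: the Internet service cannot grow past its Max, so the extra 1000 kbps is shared by the two virtual path services in proportion to their shares rather than being left idle.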

142 © 2018 Citrix Authorized Content


Lesson Objective Review

WAN Link Bandwidth cannot be provisioned for which Service?

a) Virtual Path Service
b) Internet Service
c) Intranet Service
d) Passthrough Service
e) None of the above

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.

143 © 2018 Citrix Authorized Content




Key Takeaways

• SD-WAN Quality of Service functionality is designed to provide an overall improved user experience for all applications managed for delivery across WAN links.
• SD-WAN will make sure a fair share of bandwidth is allocated for each user, and one user or application does not starve out another.

Key Notes:

• NetScaler SD-WAN Quality of Service functionality is designed to provide an overall improved user experience for all applications managed for delivery across WAN links. Regardless of whether the application is bound for a partner site or bound for the Internet, SD-WAN will make sure a fair share of bandwidth is allocated for each user, and one user or application does not starve out another.

145 © 2018 Citrix Authorized Content


• Exercise 3-1: SD-WAN Quality of Service
• Exercise 3-2: SD-WAN Center Deployment and Configuration

Key Notes:

• The Optional Self Study exercises are added to allow students to continue the hands-on experience outside of class time. You are given 30 days of access to the lab environment and can go in at any time and complete these labs.

146 © 2018 Citrix Authorized Content


• Exercise 3-3: Use SD-WAN to Calculate MOS

Key Notes:

• The Self-Paced Bonus Exercises are added to allow students to continue the hands-on experience outside of class time. You are given 30 days of access to the lab environment and can go in at any time and complete these labs.

147 © 2018 Citrix Authorized Content



CITRIX

NetScaler SD-WAN Hands-on Workshop
Deployment and Configuration

CNS-200W
Version: 1.3

148 © 2018 Citrix Authorized Content


Learning Objectives

• Understand Deployment Modes
• Describe Interface Groups
• Describe Virtual IP Addresses
• Describe WAN Links
• Understand Change Management
• Upgrading with a Working Virtual WAN Configuration

149 © 2018 Citrix Authorized Content


Deployment Modes - Preview
Review from the Environment Overview

• Typically:
  • Datacenter: Deploy 1-arm/PBR with HA
  • Branch Office: Inline or Gateway/Edge mode
• Mixed Mode - per WAN Link
  • Meaning: one WAN link may be 1-arm and another link may be inline (bridge pairs)

Deployment Scenarios (datacenter)

• Option 1/2: HA Pair or Single SD-WAN: 1-arm/PBR with MPLS router and Firewall
• Option 3: Single SD-WAN in 1-arm/PBR configured with the Core Switch
• Option 4: HA Pair: Inline mode between a new pair of switches and the pair of core switches
• Option 5: Single SD-WAN in Inline mode between routers/firewalls and the core switch, in fail-to-wire
• Option 6**: Single SD-WAN deployed in Inline mode, between the MPLS router and core switch, with direct termination of the Internet link into the SD-WAN

Key Notes:

• Traffic Types:
  • Pass-through traffic: goes through the appliance, but the appliance doesn't accelerate it
  • Direct Access: to the appliance itself, such as the management connection
  • Appliance-to-appliance communication: signaling connections, VRRP, GRE tunnels (group mode)
  • Accelerated bridge ports: in one, out the other (can act as a switch)
  • One-arm mode: packets flow in one port and out the same port
• Forwarding Modes:
  • Inline mode, in which the appliance transparently accelerates traffic flowing between its two Ethernet ports. In this mode, the appliance appears (to the rest of the network) to be an Ethernet bridge. Inline mode is recommended, because it requires the least configuration.
  • Virtual inline mode, in which a router sends WAN traffic to the appliance and the appliance returns it to the router. In this mode, the appliance appears to be a router, but it uses no routing tables. It sends the return traffic to the real router. Virtual inline mode is recommended when inline mode and high-speed WCCP operation are not practical.
  • High availability mode, which allows two appliances to operate as an active/standby high availability pair. If the primary appliance fails, the secondary appliance takes over.
• Additional traffic types are listed here for completeness:
  • Pass-through traffic refers to any traffic that the appliance does not attempt to accelerate. It is a traffic category, not a forwarding mode.
  • Direct access, where the appliance acts as an ordinary server or client. The GUI and CLI are examples of direct access, using the HTTP, HTTPS, SSH, or SFTP protocols. Direct access traffic can also include the NTP and SNMP protocols.
  • Appliance-to-appliance communication, which can include signaling connections (used in secure peering and by the SD-WAN plugin), VRRP heartbeats (used in high-availability mode), and encrypted GRE tunnels (used by group mode).
  • Deprecated modes. Proxy mode and redirector mode are legacy forwarding modes that should not be used in new installations.

150 © 2018 Citrix Authorized Content


Deployment Modes - Preview
Review from the Environment Overview

• Deployment Scenarios (Branch Office)
  • Option 1: Single SD-WAN: Inline mode, between routers/firewalls and the core switch
  • Option 2: Single SD-WAN: Inline mode, between the MPLS Router and Core Switch, with direct termination of the Internet into the SD-WAN
  • Option 3: Single SD-WAN: 1-arm/PBR configured with the MPLS router and Firewall
  • Option 4: Single SD-WAN: 1-arm/PBR mode with the Core Switch
  • Option 5: Single SD-WAN: Inline mode on the LAN side of the Core Switch
  • Option 6**: Single SD-WAN: Edge mode on the LAN side of the existing MPLS router/firewall
  • Option 7: Single SD-WAN: Gateway/Edge mode replacing the Firewall and Router

Key Notes:

• Inline Mode: the appliance acts as a bridge.
  • Packets are addressed to something beyond the appliance (not my MAC / not my IP)
  • The appliance accelerates traffic between its two ports
  • Least configuration
  • In inline mode, traffic passes into one of the appliance's Ethernet ports and out of the other. When two sites with inline appliances communicate, every TCP connection passing between them is accelerated. All other traffic is passed through transparently, as if the appliance were not there.
• Virtual Inline Mode:
  • The router sends WAN traffic to the appliance and the appliance returns it to the router
  • The appliance appears to be a router, but it uses no routing tables; the real router routes.
  • Used when inline or high-speed WCCP operation are not practical
  • Do not mix inline and virtual inline modes within the same appliance. However, you can mix virtual inline and WCCP modes within the same appliance. Citrix does not recommend virtual inline mode with routers that do not support health monitoring.
  • In virtual inline mode, the router uses policy based routing (PBR) rules to redirect incoming and outgoing WAN traffic to the appliance for acceleration, and the appliance forwards the processed packets back to the router. Almost all of the configuration tasks are performed on the router. The only thing to be configured on the appliance is the forwarding method, and the default method is recommended.
  • Like WCCP, virtual inline deployment requires no rewiring and no downtime, and it provides a solution for the asymmetric routing issues faced in a deployment with two or more WAN links. Unlike WCCP, it contains no built-in status monitoring or health checking, making troubleshooting difficult. WCCP is thus the recommended mode, and virtual inline is recommended only when inline and WCCP modes are both impractical.
• High Availability Mode:
  • Active/Standby HA pair; the secondary takes over.

151 © 2018 Citrix Authorized Content

NetScaler SD-WAN Deployment Methods

[Diagram: the three placements of the SD-WAN appliance relative to the firewall and the servers: Inline, Virtual Inline and Edge/Gateway]

Supported Platforms:

• Inline Mode: Standard Edition, Enterprise Edition, WANOP Edition
• Virtual Inline Mode: Standard Edition (PBR), Enterprise Edition (PBR), WANOP Edition (PBR & WCCP)
• Edge/Gateway Mode: Standard Edition (PBR), Enterprise Edition (PBR)

Key Notes:

• The NetScaler SD-WAN solution is very flexible in deployment and is designed to sit as an overlay to any existing infrastructure without major change. SD-WAN deployment modes include:
  • Inline Mode: NetScaler SD-WAN SE needs to be configured to pass traffic to the proper gateway. Traffic intended for the Virtual Path is directed towards the SD-WAN SE and then encapsulated and directed to the appropriate WAN link.
  • Out-of-path in Virtual Inline Mode
  • Gateway mode places the SD-WAN appliance physically in the path (two-arm deployment) and requires changes in the existing network infrastructure to make the SD-WAN appliance the default gateway for the entire LAN network of that site.
• One thing to take note of is that each SD-WAN Edition has some variances with deployment modes.
  • For example, all three editions of SD-WAN support Inline deployment mode. Whereas Standard and Enterprise Edition are similar from a configuration standpoint, WANOP Edition also supports Inline mode but is deployed a little differently.
  • Virtual Inline Mode is also supported by all three Editions, but the difference is that WANOP Edition has the added support of WCCP in addition to Policy Based Routing (PBR).
  • Edge mode deployment is only supported on the Standard Edition and Enterprise Edition appliances. WANOP Edition has a different set of features and can only be deployed behind existing routers and firewalls.

152 © 2018 Citrix Authorized Content


Recommended Deployment Modes

Recommended Branch Deployments
1) Inline or Edge/Gateway Mode
2) Virtual Inline (PBR) Mode
3) Inline Mode w/ HA
4) Virtual Inline (PBR) Mode w/ HA

Cloud Deployments
1) Edge/Gateway Mode

Recommended Data Center Deployments
1) Virtual Inline (PBR) Mode w/ HA
2) Inline Mode w/ HA
3) Virtual Inline (PBR) Mode
4) Inline Mode

Optional WANOP Edition
WANOP appliances have the added capability of WCCP for Virtual Inline.

Key Notes:

• Deployment modes and options are numerous and all depend on the existing underlay environment.
• SD-WAN is recommended to be deployed in Inline mode at the branch offices, where SD-WAN sits as an overlay in the existing environment in the path of all traffic, typically between the existing WAN edge router and the core switch. Inline is recommended due to simplicity and ease of traffic management, since the appliance, being in the direct path, will see all traffic, and also the hardware bypass capability will allow the network to operate on the existing underlay network should the SD-WAN become unavailable due to power failure or other anomalies. Note that fail-to-wire depends on the appliance having hardware bypass port pairs; a virtual appliance has none.
• For Branch deployments, the second recommended option would be Virtual Inline mode leveraging Policy Based Routing (PBR), allowing placement of the SD-WAN out of the direct path of traffic flow. PBR on the network devices is needed to direct outgoing traffic flows to the SD-WAN; returning traffic is delivered back to the SD-WAN for Standard Edition and Enterprise Edition since a tunnel is built, but for WANOP Edition additional PBR configuration is needed to make sure returning traffic is also redirected to WANOP. PBR is typically used in networks where direct inline is not feasible, most of the time because down-time to cable an appliance into the direct path cannot be taken. The WANOP Edition has the added benefit of leveraging WCCP for redirection, where Standard and Enterprise currently do not have that as an option.
• Two appliances can be used at any branch site to operate in high availability, to continue SD-WAN operation even during power failure issues or other anomalies that may occur. High Availability would eliminate the need for bypass mode fail-to-wire, since one of the two SD-WAN appliances is always expected to be active.
• Cloud deployed SD-WAN machines must be deployed in Edge or Gateway mode. In this deployment, the SD-WAN is the WAN edge device, deployed similarly to a customer edge router. All backend machines point to the SD-WAN for their default gateway.



• Data Center deployments are recommended to be deployed in Virtual Inline in a High Availability pair. Policy Based Routing is required for Virtual Inline to redirect traffic to the SD-WAN appliance in the outgoing direction of the flow. PBR SLA heartbeats can also be enabled to make sure the devices are alive so that the redirected traffic is not black-holed. High Availability should address this, as at least one appliance should be available to handle this redirected traffic. Inline mode would be recommended as the second option, since it is production impacting to physically cable an appliance in path at the datacenter, and you are forced to fully configure the SD-WAN to perform the desired operation on all the traffic, as opposed to the controlled roll-out that PBR provides.
• WANOP Edition at the branch office or data center typically follows the same recommended deployments as Standard and Enterprise Edition mentioned above, but has the added capability of WCCP mode in addition to PBR for traffic redirection in Virtual Inline Mode.

SD-WAN Deployment: Inline Mode

[Diagram: Standard and Enterprise Edition appliance (Serial, MGMT and data ports 1/1 to 1/6) placed inline between the Hosts and the Router; WANOP Edition appliance placed inline between the Hosts and the Router.]

Key Notes:
• SD-WAN appliances come equipped with multiple data interfaces paired together as bypass bridge pairs to provide fail-to-wire capabilities.
• Generally SD-WAN Standard and Enterprise Edition have similar features and capabilities and typically share a similar deployment approach.
• SD-WAN WANOP Edition is unique in its feature set and may be slightly different in deployment when compared to Standard and Enterprise Edition.
• For the most part all Editions are very similar in deployment approach when it comes to Inline Mode.
• Each appliance leverages the available data interfaces and, when sitting as an overlay solution, is placed directly behind the existing Router and/or Firewall.
• For Standard and Enterprise Edition, Inline mode typically means multiple WAN Links are expected, and in some cases there are two links between the core and the WAN edge of the network that SD-WAN can be placed in the path of: one path to the Internet Firewall and one path to the MPLS Router.
• WANOP Edition generally optimizes a single WAN link, and when deployed in path usually utilizes a single pair of interfaces.



Caveats for Inline Mode Deployment

[Diagram: SD-WAN placed between the Hosts and the Router/Firewall, with a separate Management connection; screenshot of the interface status page showing per-port MAC address, auto-negotiation, speed and duplex.]

Caveats for Inline Mode:
Speed and Duplex negotiation
Size the appliance appropriately
Validate the availability of the interfaces (fiber or copper), speeds and bridged pairs

Key Notes:
• Some general things to be aware of for Inline Mode deployment involve typical layer 2 issues, which include proper cabling and correct speed/duplex negotiation between neighboring devices. SD-WAN Ethernet interfaces are equipped with the MDI-X feature, allowing auto-detection of the signaling convention the device on the other end of the cable is expecting and negotiating use of the transmit and receive wires accordingly. Only one end of the connection is required to have MDI-X for this feature to work.
• More often than not, speed and duplex is the culprit in performance issues when SD-WAN is deployed. The appliance is typically shipped with auto-negotiate set by default, but if an existing network has the speed and duplex hard-coded, then SD-WAN must be configured to match; otherwise the negotiation results in half duplex.
• The system GUI of each SD-WAN Edition reports this negotiated interface speed/duplex. The screenshot is from the Standard and Enterprise Edition.
• For Inline Deployments, SD-WAN sits directly in the path of all traffic, and per the data sheet these appliances are spec'd for a particular speed. Overutilizing the appliances is not recommended and typically yields poor performance. It is better to err on the side of caution and oversize the appliance rather than undersize it. This becomes even more important as you enable all the features and functionality SD-WAN has to offer, including SSL optimization and Data Encryption, which generally add performance impact.
• Another important aspect of the SD-WAN to consider for Inline Mode is the number of available data interfaces, the speeds associated with them and the availability of bridged pairs. This may become important in deployments where SD-WAN is expected to be deployed with multiple WAN links, or in path with network devices that only support copper or fiber interfaces; SD-WAN has to have matching interfaces.
• Also be aware that even though the topology diagrams don't always show the management interface when data flow is being discussed, the connection to the management GUI is also there and usually connects to a dedicated management network or directly into the LAN.


Virtual Inline Mode

[Diagram: Standard and Enterprise Edition SD-WAN connected via interface 1/1 to a PBR Router sitting between the Hosts and the WAN Router; WANOP Edition SD-WAN-WO connected to a WCCP / PBR Router sitting between the Hosts and the WAN Router.]

Key Notes:
• An alternate method of deployment is generally needed when SD-WAN cannot be placed directly in the data path, either to prevent business disruption when introducing SD-WAN or because not all traffic is intended to be delivered by SD-WAN.
• The Virtual Inline Mode of deployment is available for all Editions of SD-WAN.
• Standard and Enterprise Edition rely on policy based routing (PBR) to redirect LAN to WAN traffic over to SD-WAN for reliable delivery across the Wide Area Network and for the Virtualized WAN feature set.
• The return flow does not need redirection by the underlay, since a tunnel is built and the returning packets will have a destination address of the SD-WAN for processing before being allowed to be sent to the end devices.
• WANOP Edition has the same capability when deployed in Virtual Inline Mode, and PBR can be leveraged for traffic redirection of the LAN to WAN traffic flow. However, WANOP Edition is coded differently and does not have the same tunnel establishment with partner devices as Standard and Enterprise Edition, which means the returning WAN to LAN traffic flow typically does not have the WANOP Edition as the destination address of the returning packet.
• What this means is that returning flows for WANOP Edition also need traffic redirection in place so that the flow is also redirected to the WANOP appliance for symmetric acceleration; otherwise the optimization will not be successfully established.
• In addition to PBR, the WANOP Edition has support for WCCP, which enables the WANOP Edition to be deployed in WCCP clusters, scaling the bandwidth capacity for WANOP far beyond the limits of a single box.



Caveats for Virtual Inline Deployment

[Diagram: SD-WAN connected via interface 1/1 to the Router (PBR) over a 1Gbps link; Firewall Gateway 192.168.1.1; SD-WAN Gateway 192.168.10.1; LAN Subnets VLAN 100: 192.168.100.0/24 and VLAN 200: 192.168.200.0/24; WAN links of 1Gbps and 500Mbps; Router CPU highlighted.]

Caveats for Virtual Inline Mode Deployment:
CPU overhead for policy based routing
Enable Heartbeat or IP SLA to not black hole traffic
The speed of the dedicated PBR Router interface for SD-WAN needs to be greater than the aggregated speed of the WAN links
Be cautious of contention for the WAN links between SD-WAN and non-SD-WAN traffic

Key Notes:
• In deployment of SD-WAN in Virtual Inline mode it is helpful to know some caveats that would generally cause undesired results.
• PBR is done at layer 2 in hardware, so for the most part it is not very impactful to most high-end routers, but the recommendation would be to take an incremental approach of applying a few PBR policies and monitoring the CPU usage and TCAM usage on the PBR-enabled device. This helps prevent unexpected results and ensures that the network devices are capable of handling the additional workload.
• Also for PBR deployments, it is important to enable heartbeat probes or IP SLA on the PBR router so that it checks the health of the SD-WAN before redirecting traffic to it. If this is not in place, traffic can easily be black-holed if SD-WAN has a power failure or any type of packet processing issue.
• The speed of the router interface that SD-WAN is connected to is also important to understand.
• As an example, let's say that this interface is 1Gbps full duplex, meaning it can send 1Gbps and receive simultaneously. With this in mind, as SD-WAN processes packets and sends them to the LAN and WAN networks (3), it can really only push 500Mbps to each of the LAN and WAN destinations.
• This is important to understand because SD-WAN is expected to deliver across a Virtualized WAN, and in this example that Virtual WAN would be capped at 500Mbps maximum. If each of these WAN links were 1Gbps, then the interface used for SD-WAN would need to be a 10Gbps interface, and the appropriate 10Gbps fiber port on the SD-WAN would also need to be used.
• With policy based routing, the use of access lists can potentially limit the traffic SD-WAN has visibility to. If only a small test subnet is redirected to SD-WAN, but SD-WAN is configured with the WAN links at full speed, then there will most definitely be contention between SD-WAN traffic and non-SD-WAN traffic on the WAN links. SD-WAN is designed to back off during contention, which may not yield the desired results. Either take this into consideration and lower the configured WAN link speeds on the SD-WAN, or make sure to redirect all traffic to SD-WAN so that it can manage the traffic accordingly and eliminate any contention.
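The heartbeat caveat above, as an added example router configuration written for this page (it is not Citrix or course material): a Cisco IOS style PBR policy that probes the SD-WAN gateway 192.168.10.1 from the slide with IP SLA and only redirects the VLAN 100/200 subnets while the probe succeeds. The interface names, the router's own address 192.168.10.254, and the ACL and route-map names are assumptions.

```cisco
! Added example: Cisco IOS style PBR for Virtual Inline mode (not Citrix material).
! Addresses from the slide: SD-WAN gateway 192.168.10.1, LAN VLAN 100/200 subnets.
! Interface names, ACL/route-map names and 192.168.10.254 are assumed for illustration.
!
! 1) IP SLA probe: ICMP echo to the SD-WAN data interface every 5 seconds.
ip sla 10
 icmp-echo 192.168.10.1 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 10 life forever start-time now
!
! 2) Track object that follows the probe's reachability state.
track 10 ip sla 10 reachability
!
! 3) LAN-to-WAN traffic handed to SD-WAN (start small, widen once CPU/TCAM look fine).
ip access-list extended SDWAN-LAN-TO-WAN
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip 192.168.200.0 0.0.0.255 any
!
! Weak setting: an unconditional next-hop black-holes traffic if SD-WAN is down.
!   route-map SDWAN-PBR permit 10
!    match ip address SDWAN-LAN-TO-WAN
!    set ip next-hop 192.168.10.1
!
! Corrected setting: redirect only while track 10 is up; otherwise the packet
! follows the normal routing table (the underlay path), so nothing is black-holed.
route-map SDWAN-PBR permit 10
 match ip address SDWAN-LAN-TO-WAN
 set ip next-hop verify-availability 192.168.10.1 10 track 10
!
! 4) Apply the policy on the LAN-facing interface (inbound from the hosts).
interface GigabitEthernet0/0
 description LAN facing (VLAN 100/200 toward Hosts)
 ip policy route-map SDWAN-PBR
!
! 5) The SD-WAN-facing interface; its speed caps the Virtual WAN as noted above.
interface GigabitEthernet0/1
 description Dedicated link to SD-WAN interface 1/1
 ip address 192.168.10.254 255.255.255.0
```

Verify with `show track 10` and `show ip sla statistics 10` that the track goes down when the SD-WAN appliance is powered off; the route-map then stops setting the next hop.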

Standard and Enterprise Edition

[Diagram: SD-WAN appliance (interfaces 1/1 to 1/6) in Edge/Gateway mode, directly terminating the WAN links and fronting the Core and Hosts; configuration screenshots.]

Edge/Gateway Deployment Mode:
Deployed like a VPN
Appliance becomes the gateway for all subnets
Appliance failure will result in an outage if not in HA
Enabling DHCP Client on WAN facing interfaces helps auto-configure the Virtual IP address per link

Key Notes:
• Standard Edition and Enterprise Edition appliances have another deployment mode that is not available on WANOP Edition, and that is Edge or Gateway mode.
• This deployment is very similar to how IPVPN networks are deployed, and essentially is a replacement of that technology.
• In Edge Mode, SD-WAN becomes an L3 termination point for every subnet on the LAN. Bypass bridge interface pairs are not involved, and if the SD-WAN goes down then the gateway would also be down for that site. So it is typically recommended with HA.
• When SD-WAN is deployed in Edge mode on internet links, there is a feature introduced in release 9.1 that allows the data interfaces to automatically assign an IP to themselves using DHCP. When an interface is enabled as a DHCP Client, the WAN links are also set to Auto Detect the Public IP. Typically these links are marked as untrusted since they are directly connected to the internet, and are also configured to fail-to-block, which prevents the network from being directly exposed to the Internet during a power failure.
• Also in Edge Mode, a LAN interface is created and associated with a Virtual IP address to act as the default Gateway for the LAN.



Standard and Enterprise Edition

[Diagram: Active and Standby HA SD-WAN appliances in Edge/Gateway mode in front of the Hosts, each terminating a WAN link; HA configuration screenshot.]

Edge / Gateway Mode with High Availability:
Standby HA is forced to be in hardware bypass mode to allow its WAN link to be used by the partner Active HA appliance
Not supported on WANOP Edition
Some loss occurs during fail over of SD-WAN

Key Notes:
• The Edge Mode deployment for NetScaler SD-WAN can be coupled with High Availability to provide a highly available site. Even though the HA setup is in active and standby mode, both WAN links are active. This is targeted at customers that want to replace their edge routers with SD-WAN devices and want to retain redundancy of SD-WAN in case of failure. This design is specific to Edge/Gateway mode; otherwise a typical HA deployment for Inline would require both WAN links to terminate into both appliances (usually accomplished with additional router/switch hardware).
• Edge Mode with High Availability is only available on the Standard and Enterprise appliances.
• Interfaces 1 & 2 on the bottom Standby SD-WAN and interfaces 1 & 2 on the top Active SD-WAN are configured for Fail-to-Wire mode.
• When all is working well, the active SD-WAN takes interface 2 for the Internet WAN and interface 3, via the partner's interfaces 1-2, for the MPLS WAN.
• If the Primary goes down and the Secondary takes over, the new SD-WAN Primary takes interface 2 for the MPLS WAN and interface 3, via the partner's interfaces 1-2, for the Internet WAN.
• It is important to note that you must enable the "HA Fail-to-Wire" Mode option in the GUI for this Edge mode deployment to be accepted in the configuration editor. Normally HA restricts Fail-to-Wire to prevent traffic bypassing the Active appliance.
• One word of caution here is that Edge Mode with HA is not completely hitless, as the Fail-to-Wire pairs have to transition from Bypass to active, so expect a short period of loss, 1-5s depending on switch port configurations upstream and downstream. Also note this HA setup is designed specifically for Edge mode deployments.



Inline Mode with High Availability

[Diagram: two SD-WAN appliances in Inline HA between the LAN core and the Firewall/MPLS routers; Primary Mgmt 172.10.10.3, Secondary Mgmt 172.10.10.2; both appliances share INET VIP 192.168.10.2 and MPLS VIP 192.168.20.2; Heartbeat VIPs 172.20.20.3 (P) and 172.20.20.2 (S); all bridge interfaces set to fail-to-block.]

Inline Mode with High Availability:
Same hardware should be used
Similar configuration on data path
Interfaces must be set to fail-to-block to prevent loops
Failover of one WAN link will force failure of SD-WAN and second WAN link

Key Notes:
• Standard and Enterprise Edition High Availability in Inline Mode is very easy to configure, since the configuration for both appliances is very much identical.
• The WAN Link Virtual IP assignment is identical between the two appliances.
• The only differences between the two appliances are the management IP addresses and the (3) Heartbeat addresses, which are unique per appliance.
• For an Inline HA deployment, we need to understand bridge pairs and fail-to-block operation, which helps force traffic through only the active appliance.
• The two firewalls are operating in active/passive, and the two MPLS routers running VRRP or HSRP are also running in active/passive in this example environment.
• What we need to make sure of is that in the event of either one of those WAN link failures, SD-WAN also fails over, forcing the failover of the second WAN link as well, so that the partner HA SD-WAN appliance has full control of both WAN paths and path selection.
• The key point is that even in an HA fail-over the applications continue to stay alive; the failover convergence is so fast that there is no disruption in the network.



Virtual Inline Mode with High Availability

[Diagram: two SD-WAN appliances in Virtual Inline HA; Primary Mgmt 172.10.10.3, Secondary Mgmt 172.10.10.2; Heartbeat VIPs 172.20.20.3 (P) and 172.20.20.2 (S).]

Virtual Inline Mode with High Availability:
Same hardware should be used
Similar configuration on data path
Interfaces must be set to fail-to-block to prevent loops

Key Notes:
• Standard and Enterprise Edition High Availability in Virtual Inline Mode is also very easy to configure, since the configuration for both appliances is very much identical.
• The WAN Link Virtual IP assignment is identical between the two appliances.
• The only differences between the two appliances are the (2) management IP addresses and the (3) Heartbeat addresses, which are unique per appliance. Optionally, one can directly attach the data interfaces between the appliances so that the heartbeat communication works directly, as opposed to being reliant on the underlay network for delivery.
• Also with Virtual Inline, HA fail-over is seamless and applications continue to function without disruption, due to the fast failover convergence.



SD-WAN Deployment: Mixed Mode

[Diagram: SD-WAN between the Hosts and the Router, inline on the MPLS path, Virtual Inline via the Firewall, and with a third WAN link terminated directly on the appliance.]

Mixed Mode Deployments:
Inline
Virtual Inline
Direct termination

Proxy ARP:
Reply to ARP requests on behalf of default gateway
Responds with MAC of SD-WAN

Key Notes:
• NetScaler SD-WAN Standard and Enterprise Edition are designed to be integrated as an overlay into any network, and are flexible with the various deployment mode options. Mixed deployment mode enables the deployment of SD-WAN (1) directly inline with respect to one WAN link, while simultaneously supporting (2) Virtual Inline from the perspective of another WAN link, as well as the ability to (3) directly terminate a new WAN link into the appliance.
• This becomes significant when SD-WAN needs to be deployed at sites where the existing infrastructure needs to stay as is, yet SD-WAN technology needs to be integrated and tested.
• In this example, the existing network consisted of an MPLS link and a Standby Internet link. SD-WAN was introduced inline on the MPLS path, and Virtual Inline using PBR on the Firewall to leverage SD-WAN by bringing the standby internet link up into an active state. Soon the capacity needs grew, so a third Internet link was added terminating directly into the appliance.
• Traffic is normally delivered from the LAN network to the default gateway. The intermediate Router diverts any traffic bound for the internet to the firewall, but for the most part the traffic is destined to the gateway. With SD-WAN in the path, it is able to intercept that traffic and determine which of the three WAN links is better suited to deliver the flow. Once that determination is made, SD-WAN can change the normal route of the packet via delivery across the Virtual Path.
• If that default gateway happens to go down, then that impacts SD-WAN's ability to intercept traffic, thus the need for a feature called Proxy ARP. Proxy ARP can only be enabled when SD-WAN sits in the path of a gateway in Inline Mode. This feature allows the end hosts to continue to send traffic as if the gateway were still operational, allowing SD-WAN to intercept it and deliver it across the Virtual WAN.



Lesson Objective Review

True or False?
NetScaler SD-WAN must be deployed in Inline Mode at the branch if the Data Center SD-WAN is also deployed in Inline Mode.

Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.


Lesson Objective Review

True or False?
NetScaler SD-WAN must be deployed in Inline Mode at the branch if the Data Center SD-WAN is also deployed in Inline Mode.

Correct Answer: False


NetScaler SD-WAN Interface Groups

[Screenshot: site configuration tree showing Basic Settings, Routing Domains, Virtual IP Addresses, DHCP, WAN Links, Certificates, High Availability and Interface Groups.]

Key Notes:
• Generally the layout of the Interface Groups leads to the deployment mode chosen for SD-WAN. Interface Groups allow one or more Ethernet Interfaces that share a common subnet to be configured together. Keep in mind that each appliance has different Ethernet and Fiber ports, and the labeling may be unique per appliance model. This is an example image of the data ports on an SD-WAN 410 Standard Edition appliance.


Interface Level Security Zones

[Diagram: SD-WAN-SE between the Hosts (Trusted) and the Router, with a separate MGMT connection.]

Trusted Interface:
Port that connects to secure networks
MPLS network
Firewall that leads to Public Internet

Untrusted Interface:
Port that connects to non-secure, no-firewall networks
Public internet
Data Encryption is required
Only allow UDP 4980, ARP, and ICMP traffic

Management Interface:
Port connected to internal network, separate IP Stack

Key Notes:
• On SD-WAN Standard and Enterprise Edition, each interface can be configured to act differently. The concept of interface groups is not applicable to the WANOP Edition platform.
• Interfaces can be configured with different levels of security zones. Interfaces labeled as "Trusted" tell SD-WAN that this interface is connected into a private, secure part of the network, and it is allowed to pass through traffic without concern of opening the network up to security risks. Generally these are LAN networks, private MPLS networks, connections to Routers that manage network-to-network security via a VPN infrastructure, or even networks that are connected to the public internet but are protected by a firewall.
• The WAN paths that are configured on trusted interfaces can optionally be configured for data encryption, or opt for no encryption. This is primarily because of different deployment mode options like Virtual Inline, where SD-WAN would not directly sit facing each WAN link; in that case a single interface would be used and marked as trusted, but would still need encryption enabled because that single interface would handle both public and private WAN links.
• Interfaces can also be configured as "Untrusted", which denotes ports that are connected to public networks with no security or firewall provided to protect the network. SD-WAN on these untrusted interfaces will drop all incoming packets, with the exception of partner SD-WAN UDP 4980, ARP, and ICMP packets.
• Lastly, the management network is zoned separately from the data interfaces and is on a separate IP stack. This interface typically gets connected to a dedicated management network, but can be connected directly to the LAN network for sites with limited subnet blocks.



Securing Data with Encryption

[Diagram: SD-WAN sites exchanging traffic over WAN paths encrypted with AES 128, AES 256 or IPsec.]

WAN Path Security:
All WAN Paths within a Virtual Path can be independently configured to encrypt or not encrypt data
The method of encryption is configured globally for the entire Virtual Path

Data Encryption Levels:
AES 128-bit
AES 256-bit
IPsec

SD-WAN Overlay Network Security:
Encrypted Key Rotation
Extended Packet Encryption Header
Packet Authentication Trailer

Key Notes:
• Depending on the characteristic assigned to your WAN link interface, trusted or untrusted, SD-WAN either forces data encryption to be enabled or allows it to remain disabled.
• Regardless of the assigned characteristic, data encryption can be set up as a global parameter. This global parameter can be more granularly controlled per site.
• Network encryption defines the algorithm used for all encrypted paths on an SD-WAN appliance. This encryption setting does not apply to non-encrypted paths, but can be enabled for any and all paths if desired.
• There are three levels of encryption:
• AES 128-bit, which is the setting behind the performance specs listed in the NetScaler SD-WAN Data Sheet
• AES 256-bit
• And, in the 9.0 release, IPsec encryption
• As you go down the list and enable more advanced encryption mechanisms, keep in mind that the performance specs on the Data Sheet may be impacted. So it is important to size accordingly if encryption is intended to be enabled.
• In addition to securing the payload with advanced encryption algorithms, the relationship between SD-WAN partners is also hardened with levels of security. By default SD-WAN's global parameters enable Encrypted Key Rotation, which checks the integrity of every Virtual Path by regenerating an encryption key at intervals of 10-15 minutes. Optionally, one can also enable Extended Packet Encryption Header, which randomizes the output of the encryption, providing strong message indistinguishability. Optionally, Extended Packet Authentication Trailer can also be enabled, which allows verification that the packets are not modified in transit.
• Again, keep in mind that the more advanced security features are enabled, the bigger the impact becomes on the performance specs listed on the data sheet.


Interface Bypass Modes: Fail-to-Block or Fail-to-Wire

[Diagram: SD-WAN between the Core/Hosts and the Router; a Fail-to-Block bridge pair toward the Core and a Fail-to-Wire bridge pair (1/2, Trusted) toward the Router.]

Fail-to-Wire:
Pass traffic between two interfaces when SD-WAN Service is not operational
Enable only for non-HA setup

Fail-to-Block:
Protects the network from untrusted networks in the event of SD-WAN failure
Used in High-Availability appliance pair setups, forcing traffic through active paths

Link State Propagation (LSP):
Synchronizes the link state between bridge interface pairs

Key Notes:
• How the interfaces behave during operational times is great, but that same level of security must also be enacted should the SD-WAN device go offline. A pair of appliances can be used in high availability mode to make sure the SD-WAN service is always available, but in some branch offices a two-appliance solution may not always be a cost-effective approach.
• SD-WAN Standard and Enterprise Edition appliances provide configurable settings for how the bridge pair behaves when the appliance fails or has lost power.
• Pass-through of traffic may be enabled between two Ethernet Interfaces by creating a Bridge Pair. Setting the Bypass Mode to Fail-to-Wire will enable a physical connection between the bridge pairs, allowing traffic to flow in the event of appliance restart or failure. Only interfaces forming a hardware bypass pair are eligible for Fail-to-Wire.
• In relation to interface security zones, fail-to-wire is recommended to be enabled only on interfaces that are also marked as trusted. Typically the fail-to-wire capability is enabled across the path that reaches the private MPLS WAN link.
• Interfaces that lead to unsecure / untrusted networks like the public internet with no firewall can be enabled for Bypass Mode Fail-to-Block.
• Setting the Bypass Mode to Fail-to-Block will disable the physical connection between the bridge pairs, preventing traffic from flowing in the event of appliance restart or failure. This is also useful in High Availability setups where, because of potential routing asymmetry during the failure of the active appliance, the fail-to-block capability is enabled on all interface groups to ensure that the network paths are completely down, forcing traffic to go through the active appliance's paths.
• Take note that Bypass Mode functionality is for direct inline deployments, or for mixed deployments where one path is directly inline and another is out of path. Appliances that are strictly deployed in virtual inline mode and use only one interface to connect to the network don't have much use for the fail-to-wire capability.
• In the scenario where an appliance or hardware interface failure occurs outside of the SD-WAN appliance, the Link State Propagation feature on a Bridge Pair can be enabled to force the appliance to administratively take the WAN-side port of a bridge pair down when its corresponding LAN-side port goes down, and vice versa. This completely stops the flow of traffic through the bridge pair, and is not dependent on the SD-WAN packet processing capability.

Interface Group: VLAN

[Diagram: SD-WAN inline between the Hosts and the Router; screenshot of the Interface Groups configuration showing an MPLS group on interfaces 1/1 and 1/2 (Fail-to-Wire) with Virtual Interfaces MPLS-100 (VLAN 100) and MPLS-200 (VLAN 200), and an INET-and-4G group (Untrusted) on interfaces 1/3 and 1/4.]

SD-WAN Interface Group VLANs:
Irrespective of configuration, SD-WAN will not block the traffic or drop the packets
Only if the traffic needs to go through the Virtual Path do VLANs need to be configured on SD-WAN

Multicast and Unicast traffic handling:
Multicast on VLAN 100 - Passthrough
Unicast on VLAN 100 - Virtual Path Service
Unicast or Multicast on VLAN 300 - Passthrough

Key Notes:

• Interface Groups also provide the capability to create Virtual Interfaces to help with VLAN traffic routing. Traffic matching the given VLAN ID will be routed by the SD-WAN appliance based on user configuration, while undefined VLAN traffic will simply pass through.
• This enables SD-WAN to be deployed directly on a VLAN trunk and still be capable of handling VLAN traffic routing.
• Irrespective of whether VLAN tags are configured or not, SD-WAN will not block the traffic or drop the packets.
• Only if SD-WAN needs to send the traffic through the Virtual Path do the Interface Groups need VLANs identified.
• As an example, let's focus on the bottom path leading to the MPLS WAN link. SD-WAN is deployed on that path in inline mode utilizing interfaces 1/1 (1 slash 1) and 1/2.
• Here is the screenshot of the configuration build-out for that Interface Group.
• When creating the Interface Group for MPLS, Ethernet Interfaces 1/1 and 1/2 are selected.
• Bypass Mode is set to Fail-to-Wire because the desired effect for this example is to have the network fall back to the MPLS link on the underlay network should the SD-WAN appliance go down.
• The bridge pair interfaces are identified as 1/1 and 1/2.
• Lastly, two Virtual Interfaces are created to address VLAN 100 and VLAN 200 traffic, which is desired to go through the SD-WAN overlay network. There are other VLANs on this network, but based on this configuration the other VLANs will pass through the underlay network to the MPLS Router.
• With this sample configuration, let's walk through the behavior of both multicast and unicast traffic flows.

169 © 2018 Citrix Authorized Content


• With this setup, if multicast traffic came through on VLAN 100, SD-WAN would pass that traffic through.
• If unicast traffic came through on VLAN 100, SD-WAN would process the traffic and deliver it across the Virtual Path Service.
• If any traffic (unicast or multicast) came in with VLAN 300, SD-WAN would pass that traffic through.
• The same configuration process is taken when building the Internet path across interfaces 1/3 and 1/4. If there were a firewall on this link configured as a gateway for this leg, and that firewall terminated not only a public Internet link but also a 4G/LTE link, the Virtual Interface can be configured to capture both links and be named accordingly as Internet-and-4G. We will discuss later how this single Virtual Interface is split into two distinct WAN Paths.
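An added example (not from the course material) that applies the slide's rules to raw 802.1Q frames: it parses the VLAN tag and the multicast bit of the destination MAC, then decides whether the MPLS bridge pair (1/1, 1/2) hands the frame to the Virtual Path or passes it through to the underlay. The MAC addresses and frame contents are constructed.

```python
"""Added example: classify frames arriving on the MPLS bridge pair the way the
slide describes. Only unicast on a VLAN with a configured Virtual Interface
(VLAN 100 -> MPLS-100, VLAN 200 -> MPLS-200) is a Virtual Path candidate;
multicast, untagged frames and undefined VLANs (e.g. VLAN 300) pass through."""
import struct

TPID_8021Q = 0x8100

# Virtual Interfaces configured on the MPLS Interface Group (from the slide).
VIRTUAL_INTERFACES = {100: "MPLS-100", 200: "MPLS-200"}


def parse_ethernet(frame: bytes) -> dict:
    """Return dst/src MAC, VLAN ID (None if untagged), EtherType and multicast flag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id = None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF            # low 12 bits of the TCI carry the VID
    return {
        "dst": dst, "src": src, "vlan": vlan_id, "ethertype": ethertype,
        # I/G bit: least-significant bit of the first destination MAC octet
        "multicast": bool(dst[0] & 0x01),
    }


def classify(frame: bytes) -> tuple:
    """Return (disposition, virtual_interface) for a frame on the bridge pair."""
    hdr = parse_ethernet(frame)
    vif = VIRTUAL_INTERFACES.get(hdr["vlan"]) if hdr["vlan"] is not None else None
    if vif is None:
        return ("passthrough", None)      # undefined VLAN or untagged: underlay
    if hdr["multicast"]:
        return ("passthrough", vif)       # multicast on a defined VLAN: underlay
    return ("virtual-path", vif)          # unicast on a defined VLAN: SD-WAN


def build_frame(dst_mac: bytes, src_mac: bytes, vlan_id=None, ethertype=0x0800) -> bytes:
    """Construct a minimal (payload-less) Ethernet header, optionally 802.1Q tagged."""
    if vlan_id is None:
        return dst_mac + src_mac + struct.pack("!H", ethertype)
    tci = vlan_id & 0x0FFF                # PCP=0, DEI=0
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ethertype)


# Constructed sample addresses: two unicast MACs and an IPv4 multicast group MAC.
HOST_MAC = bytes.fromhex("001122334455")
ROUTER_MAC = bytes.fromhex("00aabbccddee")
MCAST_MAC = bytes.fromhex("01005e010101")

SAMPLE_FRAMES = {
    "unicast vlan 100": build_frame(ROUTER_MAC, HOST_MAC, 100),
    "multicast vlan 100": build_frame(MCAST_MAC, HOST_MAC, 100),
    "unicast vlan 300": build_frame(ROUTER_MAC, HOST_MAC, 300),
    "multicast vlan 300": build_frame(MCAST_MAC, HOST_MAC, 300),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:20s} -> {classify(frame)}")
```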

Lesson Objective Review

In what scenario is it not recommended to set an interface group to trusted?
a) Public Internet with no Firewall
b) Public Internet with a Firewall
c) Private MPLS with Firewall
d) Private MPLS with no Firewall
e) None of the above
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
170 © 2018 Citrix Authorized Content




Configuring Virtual IP Addresses
NetScaler SD-WAN

[Screenshot: Configuration Editor site tree (Basic Settings, Routing Domains, Interface Groups, Virtual IP Addresses, WAN Links, Certificates, High Availability) with the Virtual IP Addresses section selected; diagram showing VIP MPLS and VIP 4G/LTE on interfaces 1/2, 1/4 and 1/6]

Key Notes:

• The next step in the configuration build-out involves Virtual IP Addresses, which can be assigned to interfaces. The Virtual IP address is used for communication between sites across the Virtual Path and can be used as a next-hop route for traffic transmitted across the Virtual WAN Service. Each interface can have multiple Virtual IP Addresses, allowing SD-WAN to terminate more WAN links than the number of physical interfaces available.

172 © 2018 Citrix Authorized Content


Virtual IP Addresses for Inline Deployment

LAN Subnets:
VLAN 100: 192.168.100.0/24
VLAN 200: 192.168.200.0/24

VIP MPLS-100: 192.168.100.2
VIP MPLS-200: 192.168.200.2

MPLS Gateway:
192.168.100.1
192.168.200.1
(Diagram: Hosts - SD-WAN - Router over a Trunk Link carrying VLAN 100 + VLAN 200)

Interface Group 1/3 and 1/4:
• Single subnet path to Firewall
• Two WAN links handled by Firewall
• PBR required on firewall to route to WAN links

Interface Group 1/1 and 1/2:
• Multicast on VLAN 100 - Passthrough
• Unicast on VLAN 100 - Virtual Path Service
• Unicast or Multicast on VLAN 300 - Passthrough

Virtual IP Addresses (as configured in the screenshot):
IP Address / Prefix    Virtual Interface    Identity    Security
192.168.1.2/24         INET-and-4G          Yes         Untrusted
192.168.1.3/24         INET-and-4G          No          Untrusted
192.168.100.2/24       MPLS-100             Yes         Trusted
192.168.200.2/24       MPLS-200             Yes         Trusted


Key Notes:

• After the Interface Groups are identified, the next step in configuration involves identifying the Virtual IP Addresses and associating them with the Virtual Interfaces previously created.
• Looking first at the Interface Group defining interfaces 1/3 and 1/4, which sit on the path to the Internet and 4G/LTE links: we need a single Virtual Interface that can be associated with two unique WAN Links. Because this Interface Group sits in the path of a single line with only the default VLAN available, two available IP addresses need to be used as SD-WAN VIPs, one associated with each WAN link, and both must be created in the same subnet available on the line.
• The Firewall in this example use case will receive two sets of SD-WAN encapsulated UDP port 4980 packets, because SD-WAN will want to deliver across the two available WAN links along this path separately. In order for the SD-WAN paths to be distinguished between the two Internet WAN links, there is a dependency on the underlay network to route the UDP traffic to the two desired paths separately.
• In this case, that task falls on the Firewall, which needs policy based routing to ensure that all SD-WAN packets with source port 4980 and a source IP address of a VIP get properly routed outbound, regardless of the destination IP address and port number. This example use case involves creation of two access lists to filter for the traffic of the two unique VIP addresses, both on port 4980, then a route-map for each to deliver the filtered traffic to their respective next hops. The returning flow doesn't need any additional configuration because the destination of the returning packet will be one of the two VIPs, which the underlay network already has the ability to deliver.
• The Virtual IP Address configuration identifies the two VIPs for those WAN links and ties them to the Virtual Interface that identifies with the Interface Group; the configuration is simple.
• Next we take a look at the Interface Group defining 1/1 and 1/2, which sit on the path to the MPLS WAN Link. This example use case forces the usage of two VIPs for the single MPLS link, because 1/1 and 1/2 are sitting on a trunk line and the desire is to have both VLAN 100 and 200 picked up by SD-WAN for delivery across the Virtual Path; otherwise only one would be needed.
• In the SD-WAN configuration, we need to identify the two available IP addresses in the network to be used by SD-WAN as the VIPs, one for each targeted VLAN. Once those IPs are identified from the underlay network, we can associate each VIP with the Virtual Interface corresponding to that VLAN.

173 © 2018 Citrix Authorized Content

Virtual IP Addresses for Virtual Inline Deployment

VIP INET: 192.168.10.2
VIP MPLS1: 192.168.10.3
VIP MPLS2: 192.168.10.4
Firewall Gateway: 192.168.1.1
SD-WAN Gateway: 192.168.10.? (last octet not legible in the source)
LAN Subnets:
VLAN 100: 192.168.100.0/24
VLAN 200: 192.168.200.0/24
(Diagram: SD-WAN off-path on the SD-WAN subnet beside the Router, with the Firewall and Hosts; a packet toward the Internet is marked Src: VIP INET, Dst: Public IP)

Virtual Inline Mode Deployment:
• Allows for a controlled introduction of SD-WAN
• Policy based routing using source based redirect
• SD-WAN can be deployed on a dedicated subnet or even on a LAN subnet
• Only a single interface is needed

[Screenshot: Virtual IP Addresses table, same entries as on the previous slide]


Key Notes:

• Virtual IP Addresses are required in all the various deployment possibilities for SD-WAN. Virtual Inline Mode allows for a controlled introduction of SD-WAN into any environment. Access lists and policy based routing allow an admin to selectively choose which traffic to redirect over to SD-WAN for Virtual Path delivery, even down to a single host. This allows for vetting of the solution before committing all traffic to it. Be aware when performing this type of operation that SD-WAN traffic will be competing with non-SD-WAN traffic; during times of congestion SD-WAN will back off on throughput.
• When SD-WAN is deployed out of the path of traffic in Virtual Inline Mode, SD-WAN is again dependent on the underlay network delivering the traffic accordingly once the path is determined for a packet.
• The Interface Group for Virtual Inline Deployments typically consists of one interface, and that single Interface Group handles all the WAN links.
• In this example, SD-WAN needs three Virtual IP Addresses, each mapped accordingly, one per WAN link. Take note that these VIP addresses are all in the same subnet. This SD-WAN subnet can be newly added to the network if there is an available interface on the router, or can be placed on a LAN subnet if required.
• When SD-WAN makes a route decision for the overlay network, the delivered packet is an encapsulated UDP 4980 packet sourced from one of the three VIPs; the dependency is on the underlay network to deliver it across to the correct WAN link.
• In this example, we only have one Internet WAN link, so traffic SD-WAN wants delivered on the Internet link will naturally be routed to the correct path. This is because the UDP packet will have a source IP of the Internet VIP, but more importantly, the destination will be the public IP address of a partner SD-WAN appliance; recall that the Firewall needs to perform a NAT operation on the Internet WAN link. The router, having only one Internet link, will generally already have the route in place to deliver to the Firewall as a next hop.
• In this case, because there are two MPLS WAN links and two gateways, select traffic needs to be routed via policy based routing on the router with next-hop identification, in order for SD-WAN to successfully deliver and distinguish between the two MPLS WAN links.
• The returning traffic is not much of a concern because the packets coming back from a partner SD-WAN appliance will have a destination address of one of the three VIPs, and the underlay network knows how to deliver that traffic accordingly.
• In this scenario, because the SD-WAN appliance is more than one hop away from the respective gateways, one may question how each WAN gateway's availability is being monitored.
• SD-WAN comes equipped with IP SLA tracking ability to make sure SD-WAN doesn't deliver on a particular path unless it knows that the WAN router is still active and can process the request.

174 © 2018 Citrix Authorized Content
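An added example, not part of the course material, that models the policy based routing the underlay device needs in both the inline firewall case above (VIPs 192.168.1.2 and 192.168.1.3) and this virtual inline case (VIP MPLS1 and VIP MPLS2): an access-list match on source VIP plus UDP source port 4980 and a route-map next hop, evaluated before the ordinary routing table. The next-hop addresses for the two MPLS routers and the ISP and 4G gateways are constructed placeholders; only the VIPs, subnets and the 192.168.1.1 firewall gateway come from the slides.

```python
"""Added example: a small model of source-based policy routing (PBR) for
SD-WAN's UDP 4980 packets. Each WAN link has its own VIP; the underlay matches
source VIP + source port and forces the matching next hop, while returning
traffic addressed to a VIP just follows the connected route."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

SDWAN_UDP_PORT = 4980


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "udp"
    sport: int = 0
    dport: int = 0


@dataclass
class RouteMapEntry:
    """'match' = access-list on source VIP and UDP source port; 'set' = next hop."""
    match_src: IPv4Address
    match_sport: int
    next_hop: str


@dataclass
class UnderlayRouter:
    # Ordinary routing table: (prefix, next hop or "connected"); longest prefix wins.
    routes: List[Tuple[IPv4Network, str]] = field(default_factory=list)
    route_map: List[RouteMapEntry] = field(default_factory=list)

    def table_lookup(self, dst: str) -> Optional[str]:
        candidates = [(n, nh) for n, nh in self.routes if IPv4Address(dst) in n]
        if not candidates:
            return None
        return max(candidates, key=lambda c: c[0].prefixlen)[1]

    def forward(self, pkt: Packet) -> Tuple[str, str]:
        """Return (decision, next_hop). PBR is consulted before the routing table,
        and it ignores the destination address and port entirely."""
        for entry in self.route_map:
            if (pkt.proto == "udp" and pkt.sport == entry.match_sport
                    and IPv4Address(pkt.src) == entry.match_src):
                return ("pbr", entry.next_hop)
        nh = self.table_lookup(pkt.dst)
        return ("table", nh) if nh else ("drop", "")


def virtual_inline_router() -> UnderlayRouter:
    """Router from the Virtual Inline slide: one Internet link, two MPLS links."""
    return UnderlayRouter(
        routes=[
            (IPv4Network("0.0.0.0/0"), "192.168.1.1"),      # default -> Firewall
            (IPv4Network("192.168.10.0/24"), "connected"),   # SD-WAN VIP subnet
            (IPv4Network("192.168.100.0/24"), "connected"),  # VLAN 100
            (IPv4Network("192.168.200.0/24"), "connected"),  # VLAN 200
        ],
        route_map=[
            # VIP MPLS1 -> first MPLS router, VIP MPLS2 -> second (placeholder IPs)
            RouteMapEntry(IPv4Address("192.168.10.3"), SDWAN_UDP_PORT, "10.0.1.1"),
            RouteMapEntry(IPv4Address("192.168.10.4"), SDWAN_UDP_PORT, "10.0.2.1"),
        ],
    )


def inline_firewall() -> UnderlayRouter:
    """Firewall from the Inline slide: two Internet WAN links behind one subnet."""
    return UnderlayRouter(
        routes=[
            (IPv4Network("0.0.0.0/0"), "isp-gateway"),       # placeholder
            (IPv4Network("192.168.1.0/24"), "connected"),
        ],
        route_map=[
            RouteMapEntry(IPv4Address("192.168.1.2"), SDWAN_UDP_PORT, "isp-gateway"),
            RouteMapEntry(IPv4Address("192.168.1.3"), SDWAN_UDP_PORT, "4g-gateway"),
        ],
    )


if __name__ == "__main__":
    r = virtual_inline_router()
    # VIP INET to a partner's public IP needs no PBR: the default route suffices.
    print(r.forward(Packet("192.168.10.2", "203.0.113.10", "udp", 4980, 4980)))
    print(r.forward(Packet("192.168.10.4", "10.20.30.2", "udp", 4980, 4980)))
    # Returning packet addressed to a VIP: ordinary connected route, no PBR needed.
    print(r.forward(Packet("10.20.30.2", "192.168.10.4", "udp", 4980, 4980)))
```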



Lesson Objective Review

What can Virtual IP Addresses be used for?
a) To distinguish between WAN Links
b) To identify local subnets at a site
c) To associate with Interface Groups
d) As a next hop address for Router redirection
e) All of the above
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
175 © 2018 Citrix Authorized Content




Configuring WAN Links
NetScaler SD-WAN

[Screenshot: Configuration Editor site tree (Basic Settings, Routing Domains, Interface Groups, Virtual IP Addresses, WAN Links) with the WAN Links section selected; diagram showing Upload/Download rates per WAN link]


Key Notes:

• With Interface Groups and Virtual IP Addresses complete, WAN Link definition is the next component in configuration. WAN Links can consist of Private MPLS; Public Internet such as Cable, DSL, fiber, or other Internet Service Providers; MPLS, IPsec, or other site-to-site VPN connections; and backup links such as cellular or advanced wireless providers.

177 © 2018 Citrix Authorized Content


WAN Link Definition for Standard and Enterprise Edition

(Diagram: Hosts - Core - SD-WAN (1/1, 1/2) - Router with MPLS Gateway 192.168.100.1; SD-WAN (1/3, 1/4) - Firewall with Firewall Gateway 192.168.1.1)

WAN Link Definition:
• Physical Rate
• Access Type
  o Public Internet
  o Private Intranet
  o Private MPLS
• Tracking IP Address
• Autodetect Public IP
• Metered Link
• Access Interface

Key Notes:

• A WAN Link definition provides detail of the individual private and public connections out to the WAN.
• From the Basic Settings you can define every WAN link for the site, and set the physical rate for ingress and egress for each link.
• One can also define the Access Type as either:
• Public Internet – a public WAN link which provides an internet connection via an ISP
• Private Intranet – a private WAN link which provides connectivity only to sites within your organization
• Private MPLS – the same as the Private Intranet Access Type, but provides an option for when that line uses one or more DSCP tags to control service provider MPLS Quality of Service queues.
• There are some additional Advanced settings in the link definitions that can for the most part be left at default. Two to point out that are more frequently used are:
• Tracking IP Address – which tracks the availability of a WAN link by pinging a specific IP address. This proves to be useful when SD-WAN is not in direct sight of the gateway, and can help prevent delivery on that path if it becomes unavailable.
• AutoDetect Public IP – more often used on the Internet access types. This option should be enabled for all branch nodes so that the SD-WAN environment can auto-learn all remote site public IP addresses, which can change dynamically. This option should be disabled for the head-end node's Internet link and replaced with a Static Public IP address, which is needed for every Internet link at the head-end. The configuration shares this static public IP with remote sites so that they can initiate their Virtual Path connection by calling home.
• Additional Advanced Settings and Eligibility settings are available, but can be left at default for initial configuration.
• Metered Links can also be defined here, which help identify costly 4G/LTE links that are billed on a usage basis. Enabling metered links allows for limited use of that link on an only-as-needed basis, as well as identifying billing cycles and usage for reporting and monitoring.
• Lastly, the WAN link definition includes Access Interface configuration, which ties together the previously defined Virtual Interface and Virtual IP address, and allows configuration of the underlay network's gateway that will differentiate that WAN link from other WAN links. Here is also where the Proxy ARP feature can be enabled so that LAN devices looking for their gateway will always get a response to ARP requests, allowing SD-WAN to help when that gateway is down and utilize alternate paths for delivery.

178 © 2018 Citrix Authorized Content

WAN Links

(Diagram: Hosts - SD-WAN (1/1) - PBR Router - multiple WAN links - Router)

WAN Link Limits:
• Allows up to 8 public WAN links
• Allows up to 32 private WAN links


Key Notes:

• NetScaler SD-WAN Standard and Enterprise Edition are capable of handling up to 8 public WAN links on a single appliance. This maximum is not limited by the number of physical interfaces, but rather by the need for encryption, which is typically enabled on the Internet links. Virtual IP addresses are used to allow a single interface to handle more than just one WAN link.
• When encryption is not enabled, the maximum is up to 32 private WAN links, again making use of Virtual IP addresses to handle more links than the available interfaces would typically allow. This flexibility, along with the pay-as-you-grow license model, allows SD-WAN to live longer in a network without the need for a hardware upgrade to handle more capacity.

179 © 2018 Citrix Authorized Content


Lesson Objective Review

What is the difference between defining a WAN Link as an access type "Private Intranet" versus "Private MPLS"?
a) Nothing, they are the same
b) One defines public internet
c) Ability to define MPLS QoS Queues
d) Direct versus non-direct connections to other sites
e) None of the above
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
180 © 2018 Citrix Authorized Content




Change Management
Transmit Modes
NetScaler SD-WAN

[Screenshot: Appliance Staging page of Change Management, showing per-site package transfer at 100% and the Transmit Mode of each appliance]


Key Notes:

• Once you have a complete configuration, SD-WAN utilizes the Change Management tool to provide a central point to prepare configuration and software, and to push the content network-wide in a systematic approach. In a new install, a complete configuration will consist of one head-end node and at least one branch node built in the Configuration Editor, with the Interface Groups, Virtual IP Addresses, WAN Links, and High Availability all defined. A completed configuration is exported to the Change Management tool for appliance staging.

182 © 2018 Citrix Authorized Content


Change Management

Change Management
• Configuration
• Software

(Diagram: SD-WAN-SE at the Data Center or Cloud pushing configuration and software to Remote sites)

Key Notes:

• The Change Management tool is only available on the Standard and Enterprise Edition appliances, and allows for systematic change control of all nodes across the SD-WAN environment.
• This allows for a central point of configuration and software push to all appliances, allowing them to be staged and prepared to make sure the entire network has all the components in place to flip over to the new settings.
• Remote appliances need their initial configuration and software to be manually installed via the local GUI or via the Zero Touch process, but once they have successfully joined the SD-WAN environment, the Change Management tool can be used to send updates and software changes.
• Generally speaking, most configuration changes are non-intrusive, and a configuration change can be pushed to the network with no failover detected by the end users.
• Software changes that accompany configuration changes force a reboot of the systems that would be noticeable by end users, and a maintenance window is recommended for this type of operation. But since the appliances continue to operate while the configuration and software packages are being pushed down to them, they are quick to flip over to the new settings once the appliances are activated.

183 © 2018 Citrix Authorized Content


Path Statistics

(Diagram: SD-WAN-EE at the Data Center or Cloud with paths to a Remote SD-WAN-SE)
[Screenshot: path statistics table with entries such as DC-INET, one row per direction per WAN link, showing one way time, jitter, loss and kbps]

Key Notes:

• After the initial configuration and software are obtained and activated on all SD-WAN nodes, the path statistics help indicate proper configuration and connectivity on the underlay network, allowing VIP-to-VIP communication between appliances along the various paths.
• Each SD-WAN device's local GUI reports path statistics specific to it, and helps identify the characteristics per path for best one-way time, jitter, loss, kbps of usage, and congestion. These are the measurements used to determine the best path for delivery based on the application's class of service.
• In this example screenshot, the paths between a single branch and a data center are shown, utilizing 3 unique paths: Internet, MPLS, and 4G/LTE. Because SD-WAN measures paths unidirectionally, each direction is represented as a separate entry in the table. 3 WAN links result in 6 total individual WAN paths of delivery.

184 © 2018 Citrix Authorized Content


Path State

Good   Good when the algorithm, which calculates based on loss, latency, and jitter, identifies that the path is in its ideal state.
Bad    Bad when the algorithm, which calculates based on loss, latency, and jitter, identifies that the path is not in the ideal state. Packets will only use a Bad path if the circumstances force it to.
Dead   Dead when there is no Virtual Path packet received on the path for 1.5 seconds. No packets will be sent across this path.


Key Notes:
es

• The Virtual Path Service State is generally up and reporting a Good usable state, as long as at
al

least one path is available for transit.


e

• Individual paths states are generally very accurate in reporting the usable health condition of
each WAN link, and could report a Bad or Dead state if:
or

• The Latency, Jitter, Loss is abnormally high for a path


d

• WAN Links physical rates are misconfigured


is

• WAN Links are encountering contention with non-SD-WAN traffic


t rib

• Path State reports:


• Good when the algorithm which calculates based on loss, latency, and jitter, identifies that the
ut

path is in its ideal state.


io

• Bad when the algorithm which calculates based on loss, latency, and jitter, identifies that the
n

path is not in the ideal state. Packets will only use Bad path if the circumstances force it to.
• Dead when there is no Virtual Path packet received on the path for 1.5 seconds. No packets
will be sent across this path.

185 © 2018 Citrix Authorized Content
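An added example (not from the course material) that builds the six unidirectional paths for the three WAN links on the Path Statistics slide and classifies each as Good, Bad or Dead as the Path State slide describes, then picks the best usable path leaving a site. The 1.5 second Dead timer is from the slide; Citrix does not document its Good/Bad thresholds, so the loss, latency and jitter limits and all measurements below are assumed and constructed.

```python
"""Added example: per-direction path table and Good/Bad/Dead classification.
The thresholds are assumptions, not Citrix's algorithm; only the 1.5 s Dead
timer and the '3 links -> 6 paths' rule come from the slides."""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEAD_TIMEOUT_S = 1.5      # no Virtual Path packet received for 1.5 s -> Dead (slide)
# Assumed per-path limits for the Good/Bad decision.
MAX_LOSS_PCT = 1.0
MAX_LATENCY_MS = 150.0
MAX_JITTER_MS = 30.0


@dataclass
class PathSample:
    loss_pct: float
    latency_ms: float      # best one way time
    jitter_ms: float
    last_rx_s: float       # time (s) the last Virtual Path packet was received


def path_state(sample: Optional[PathSample], now_s: float) -> str:
    """Dead beats everything: silence for longer than the timer means no packets
    are sent, whatever the last measured loss/latency/jitter looked like."""
    if sample is None or now_s - sample.last_rx_s > DEAD_TIMEOUT_S:
        return "DEAD"
    if (sample.loss_pct > MAX_LOSS_PCT or sample.latency_ms > MAX_LATENCY_MS
            or sample.jitter_ms > MAX_JITTER_MS):
        return "BAD"
    return "GOOD"


def unidirectional_paths(site_a: str, site_b: str, links: List[str]) -> List[str]:
    """Each WAN link is measured per direction, so 3 links yield 6 path entries."""
    return [f"{src}-{link}->{dst}-{link}"
            for link in links for src, dst in ((site_a, site_b), (site_b, site_a))]


def classify_paths(samples: Dict[str, Optional[PathSample]], now_s: float) -> Dict[str, str]:
    return {path: path_state(s, now_s) for path, s in samples.items()}


def best_path(states: Dict[str, str], samples: Dict[str, Optional[PathSample]],
              from_site: str) -> Optional[str]:
    """Lowest-latency GOOD path leaving from_site; a BAD path only if no GOOD exists."""
    local = [p for p in states if p.startswith(f"{from_site}-")]
    for wanted in ("GOOD", "BAD"):
        candidates = [p for p in local if states[p] == wanted]
        if candidates:
            return min(candidates, key=lambda p: samples[p].latency_ms)
    return None


# Constructed measurements for branch BR <-> data center DC.
NOW = 1000.0
PATHS = unidirectional_paths("BR", "DC", ["INET", "MPLS", "4G"])
SAMPLES = {
    PATHS[0]: PathSample(0.1, 25.0, 4.0, NOW - 0.2),    # BR-INET->DC-INET  good
    PATHS[1]: PathSample(0.2, 27.0, 5.0, NOW - 0.3),    # DC-INET->BR-INET  good
    PATHS[2]: PathSample(0.0, 12.0, 1.0, NOW - 0.1),    # BR-MPLS->DC-MPLS  good, fastest
    PATHS[3]: PathSample(3.5, 14.0, 2.0, NOW - 0.1),    # DC-MPLS->BR-MPLS  bad (loss)
    PATHS[4]: PathSample(0.5, 90.0, 45.0, NOW - 0.4),   # BR-4G->DC-4G      bad (jitter)
    PATHS[5]: PathSample(0.5, 95.0, 20.0, NOW - 2.0),   # DC-4G->BR-4G      dead (silent 2 s)
}

if __name__ == "__main__":
    states = classify_paths(SAMPLES, NOW)
    for path, state in states.items():
        print(f"{path:20s} {state}")
    print("best from BR:", best_path(states, SAMPLES, "BR"))
```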


Upgrading SD-WAN
186 © 2018 Citrix Authorized Content


SD-WAN Software Packages

There is a different Citrix SD-WAN software package for each supported SD-WAN appliance model. You will need to acquire the appropriate package for each appliance model you plan to incorporate into your network.

There are three main categories of Citrix SD-WAN Appliances:
• SD-WAN Appliance hardware models
  • WANOP, Standard Edition, and Enterprise Edition
• SD-WAN VPX Virtual Appliances (SD-WAN VPX)
  • Standard Edition and WANOP Edition

There are two main upgrade scenarios:
1. Upgrade appliances with working Virtual WAN.
2. Upgrade appliances without existing Virtual WAN configuration.


Key Notes:

• Before you download the software, you must obtain and register a Citrix SD-WAN software license.

Additional Resources:
• SD-WAN Platform Models and Software Packages: https://docs.citrix.com/en-us/netscaler-sd-wan/10/updating-upgrading/sd-wan-platform-models-and-software-packages.html

187 © 2018 Citrix Authorized Content


Upgrade to 9.3 with Working Virtual WAN

Prerequisites:
1. Targeted appliances for upgrade to Enterprise Edition (1000-EE or 2000-EE) are required to have:
   - factory image of 9.0.0.x RTM build, if your appliance is WANOP edition which has been converted to Enterprise Edition using USB.
   - factory image of 8.1.0.x RTM build and higher.
2. Have a valid SD-WAN license.
3. Have a working Virtual WAN configuration running 8.1.x, 9.0.x, 9.1.x, or 9.2.x build with virtual paths established from MCN to the branch sites.


Key Notes:

• Upgrading to the 9.3 release is a multi-step process. Virtual WAN software is upgraded centrally from the MCN appliance using tar.gz files.

Additional Resources:
• Upgrade to 9.3 without Virtual WAN Configuration: https://docs.citrix.com/en-us/netscaler-sd-wan/9-3/updating-upgrading/upgrade-new-appliance.html
• The upgrade procedure to software release 10.0 assumes that virtual paths are not established between the MCN and Branches. Upgrade to 10.0 Without Virtual WAN Configuration: https://docs.citrix.com/en-us/netscaler-sd-wan/10/updating-upgrading/upgrade-new-appliance.html

188 © 2018 Citrix Authorized Content


Upgrade to 9.3 with Working Virtual WAN

1. Obtain the applicable cb-vw_<APPLIANCE-MODEL>_9.3.X.tar.gz file for all sites in the Virtual WAN network from the Citrix download page for NetScaler SD-WAN Release 9.3 at: https://www.citrix.com/downloads/netscaler-sd-wan.html
2. Upload the cb-vw-<ApplianceModel>-9.3.x.tar.gz file for the branches defined in the configuration file for which the upgrade needs to be performed. Perform Change Management in the SD-WAN web interface for the MCN appliance and complete the change management process. On the MCN appliance, navigate to: Configuration > Virtual WAN > Change Management.

[Screenshot: Change Management page on the MCN]

Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.

189 © 2018 Citrix Authorized Content


Upgrade to 9.3 with Working Virtual WAN

3. Click Next to proceed further.

[Screenshot: Change Management wizard with the Next button]

Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.

190 © 2018 Citrix Authorized Content


Upgrade to 9.3 with Working Virtual WAN

4. After accepting the license agreement, you are navigated to Appliance Staging, where appliances can be staged by clicking on Stage Appliances.

[Screenshot: Appliance Staging page with the Stage Appliances button]

Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.

191 © 2018 Citrix Authorized Content


Upgrade to 9.3 with Working Virtual WAN

5. Transfer Progress status is displayed as part of preparing and staging the software packages to the appliances.

[Screenshot: Appliance Staging page showing Transfer Progress at 80%]

Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.

192 © 2018 Citrix Authorized Content


Upgrade to 9.3 with Working Virtual WAN

6. Click Next when Transfer Progress shows 100% and the button is enabled to proceed.

[Screenshot: Appliance Staging page showing Transfer Progress at 100%]

Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.

193 © 2018 Citrix Authorized Content


Upgrade to 9.3 with Working Virtual WAN

7. You are navigated to the Activation page, where you can activate the staged software by clicking Activate Staged, and confirm to start activation by clicking OK in the pop-up message.

[Screenshot: Activation page with the Activate Staged button]

Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.

194 © 2018 Citrix Authorized Content


Upgrade to 9.3 with Working Virtual WAN

8. After completion of the 180 s activation countdown, click Done, which gets enabled.

[Screenshot: Activation page after the countdown, Done button enabled]

Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.

195 © 2018 Citrix Authorized Content


Upgrade to 9.3 with Working Virtual WAN

9. After the appliances are upgraded to 9.3.0 you need to perform Change Management once again, this time by uploading the single step upgrade package, ns-sdw-sw-9.3.0.x.zip, after downloading the package from the download server.

[Screenshot: Change Management upload page]

Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.

196 © 2018 Citrix Authorized Content


Upgrade to 9.3 with Working Virtual WAN

10. After completion of the 180 s activation countdown, click Done, which gets enabled.

[Screenshot: Activation page after the countdown, Done button enabled]

Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.

197 © 2018 Citrix Authorized Content


Upgrade to 9.3 with Working Virtual WAN

11. After the appliances are upgraded to 9.3.0 you need to perform Change Management once again, this time by uploading the single step upgrade package, ns-sdw-sw-9.3.0.x.zip, after downloading the package from the download server.

[Screenshot: Change Management upload page]

Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.

198 © 2018 Citrix Authorized Content


Upgrade to 9.3 with Working Virtual WAN

12. Click Stage Appliances once the upload process is successful; the relevant models that would be upgraded are displayed, based on the configuration file that has information about each branch platform model. A License agreement pop-up page is displayed for the user to take action and proceed.

[Screenshot: Change Management page listing the platform models to be upgraded, with the license agreement pop-up]

Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.

199 © 2018 Citrix Authorized Content


Upgrade to 9.3 with Working Virtual WAN

13. After accepting the license agreement, you are navigated to the Appliance Staging page, which shows the status of package preparation and staging, followed by the transfer status for each branch.

[Screenshot: Appliance Staging page showing package preparation and staging at 100%]

Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.

200 © 2018 Citrix Authorized Content


Upgrade to 9.3 with Working Virtual WAN

14. After completion of the transfer, you are navigated to the Activation page, where you can click the Activate Staged button to activate the staged software.

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student reference.


Upgrade to 9.3 with Working Virtual WAN

15. Click Done once the countdown is completed and the button is enabled.

16. Navigate to the Change Management page, where you can check the transfer status of the WANOP, SVM and XenServer hotfixes for applicable branches only.

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student reference.


Upgrade to 9.3 with Working Virtual WAN

17. Navigate to the Change Management Settings page to schedule the installation of non-SD-WAN software such as WANOP, SVM and XenServer hotfixes. By default the MCN schedules the installation to be attempted every day at 21:20:00, based on software availability on the branches.

(Screenshot: Change Management Settings, Scheduling Information; the Edit Scheduling Info For Selected Sites dialog shows the Date, Time, Maintenance Window and Unit (Days) fields with Apply and Cancel buttons.)

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student reference.


Upgrade to 9.3 with Working Virtual WAN

18. For detailed information or help on the scheduling information, you can click on the help icon.

(Screenshot: Scheduling Information help dialog describing the Site Name, Date, Time, Maintenance Window and Unit fields, the default 21:20 daily installation attempt, and how a maintenance window of 0 installs immediately once all packages are received.)

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student reference.


Upgrading to 10.0 with Working Virtual WAN

• If your MCN appliance is running a previous release (8.1.x, 9.0.x, 9.1.x, 9.2.x), use the cb-vw_<APPLIANCE-MODEL>_10.0.0.x.tar.gz file.
• The upgrade is a multi-step process if you are upgrading from a previous release version (8.1.x, 9.0.x, 9.1.x, 9.2.x) to 10.0. The Virtual WAN software is upgraded centrally from the MCN appliance using the tar.gz files first, and then the .zip file is used to upgrade to 10.0.
• If your MCN appliance is running 9.3.x or newer, proceed with the steps below. This procedure is accomplished by using the ns-sdw-sw-<release-version>.zip file.

Prerequisites
1. Have a valid SD-WAN license.
2. Have a working Virtual WAN configuration running release version 8.1.x, 9.0.x, 9.1.x or 9.2.x, with virtual paths established from the MCN appliance to the branch site appliances.

Key Notes:

• All SD-WAN appliance models in a Virtual WAN environment are required to be running the same NetScaler SD-WAN firmware release.
• Browsers must have cookies enabled, and JavaScript installed and enabled.
• The NetScaler SD-WAN Management Web Interface is supported on the following browsers:
  • Mozilla Firefox 35.0+ (Recommended version 43.x)
  • Google Chrome 40.0+ (Recommended version 49.x)

Additional Resources:

• Upgrade to 9.3 With Working Virtual WAN Configuration: https://docs.citrix.com/en-us/netscaler-sd-wan/9-3/updating-upgrading/upgrade-with-vw-configuration.html


Upgrading to 10.0 with Working Virtual WAN

If your master control node appliance is running 9.3.x or newer, proceed with the following steps:

1. Perform Change Management by uploading the single-step upgrade package, the ns-sdw-sw-10.0.0.0.x.zip file, after downloading the package from the download server.

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student reference.
• If your appliance is already running release version 10.0 and you are upgrading the appliance to the next build version, uploading the single-step upgrade (.zip) package file will display only the MCN software unless you click on the Verify or Stage Appliances change management options.

Additional Resources:

• Convert SD-WAN 1000 / 2000 WANOP Appliances to Enterprise Edition With USB: https://docs.citrix.com/en-us/netscaler-sd-wan/9-3/updating-upgrading/convert-usb-wanop-1000-2000-to-enterprise-edition.html
• Converting Existing Appliance to Enterprise Edition Appliance: https://docs.citrix.com/en-us/netscaler-sd-wan/9-3/updating-upgrading/convert-platform-standard-edition-to-enterprise-edition.html


Upgrading to 10.0 with Working Virtual WAN

If your master control node appliance is running 9.3.x or newer, proceed with the following steps:

2. Click Stage Appliances once the upload process is successful and the relevant models that would be upgraded are displayed, based on the configuration file that holds information about each branch's platform model. The License Agreement page is displayed.

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student reference.


Upgrading to 10.0 with Working Virtual WAN

If your master control node appliance is running 9.3.x or newer, proceed with the following steps:

3. After accepting the license agreement, you are navigated to the Appliance Staging page, which shows the status of package preparation and staging, followed by the transfer status for each branch.

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student reference.
• The various states of the software package configuration displayed in the summary table indicate the following:
  • Preparing - local processing to prepare the update package for transfer to the appliance.
  • Preparing Region Pkgs - local processing to prepare the update package for transfer to the RCN (applicable if an RCN is part of the network).
  • Percentage - percent of the package transferred to the appliance.
  • Unpacking - remote appliance processing to apply the update package.
  • Transferring Region - packages are being transferred to the RCN (applicable if an RCN is part of the network).
  • Failed - the remote detected an incomplete transfer.
  • Cancelled - cancelled by the user when 'Ignore Incomplete' was checked during Stage Appliances.
  • Not Needed - the prepared staged package does not include this site-appliance name.
  • Not Connected - the local appliance cannot see the remote's active package information.


Upgrading to 10.0 with Working Virtual WAN

If your master control node appliance is running 9.3.x or newer, proceed with the following steps:

3. (continued) After accepting the license agreement, you are navigated to the Appliance Staging page, which shows the status of package preparation and staging (100%), followed by the transfer status for each branch.

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student reference.
• These are screenshots of the completed Appliance Staging.


Upgrading to 10.0 with Working Virtual WAN

If your master control node appliance is running 9.3.x or newer, proceed with the following steps:

4. After completion of the transfer, you are navigated to the Activation page, where you can click the Activate Staged button to activate the staged software.

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student reference.


Upgrading to 10.0 with Working Virtual WAN

If your master control node appliance is running 9.3.x or newer, proceed with the following steps:

5. Click Done once the countdown is completed and the button is enabled.

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student reference.


Upgrading to 10.0 with Working Virtual WAN

If your master control node appliance is running 9.3.x or newer, proceed with the following steps:

6. Navigate to the Change Management page, where you can check the transfer status of the WANOP, SVM and XenServer hotfixes for applicable branches only.

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student reference.


Upgrading to 10.0 with Working Virtual WAN

If your master control node appliance is running 9.3.x or newer, proceed with the following steps:

7. Navigate to the Change Management Settings page to schedule the installation of non-SD-WAN software such as WANOP, SVM and XenServer hotfixes. By default the MCN schedules the installation to be attempted every day at 21:20:00, based on software availability on the branches.

(Screenshot: Change Management Settings page listing each site's scheduling information and status.)

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student reference.


Upgrading to 10.0 with Working Virtual WAN

If your master control node appliance is running 9.3.x or newer, proceed with the following steps:

8. For detailed information or help on the scheduling information, you can click on the help icon. You can also edit the scheduling information.

(Screenshot: Scheduling Information help dialog describing the Site Name, Date, Time, Maintenance Window and Unit fields.)

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student reference.
• Scheduling Information Status:
  • Green check mark: Upgrade is successful.
  • Orange exclamation: Appliance has received all necessary components and is waiting for its scheduled installation window to start.
  • Yellow circle: Change Management has not been done; no action is required.
  • Red cross mark: An error has occurred during installation of OS components. Try Change Management once again; if the problem persists, contact tech support.
  • Orange dotted circle: Files are being transferred to the appliance.
  • Yellow dotted circle: Upgrade is in progress.


Lesson Objective Review

What information does Change Management help distribute to SD-WAN nodes?

a) Software
b) Configuration
c) WAN Links defined for each site
d) Virtual IP addresses that reside at each site
e) All of the above

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.


Key Takeaways

• NetScaler SD-WAN deployment modes allow for flexible integration of SD-WAN into virtually any network, across WAN links of differing capabilities.
• The Configuration Editor enables this flexibility by providing all the knobs needed to adjust SD-WAN behavior and deployment capabilities.
• The Change Management tool simplifies distribution, allowing for non-intrusive changes to the network.


• Exercise 4-1: Prepare the environment with a working configuration
• Exercise 4-2: Applying the configuration to the remote appliance


• Exercise 4-3: Validating bandwidth aggregation
• Exercise 4-4: Customization of the Rules and Classes

Key Notes:

• The optional self-study exercises are added to allow students to continue the hands-on experience outside of class time. You are given 30 days of access to the lab environment and can go in at any time and complete these labs.


CITRIX

NetScaler SD-WAN Hands-on Workshop
SD-WAN 9.0 Features

CNS-200W
Version: 1.3


Learning Objectives

• Describe Metered Links
• Describe MPLS Queues
• Explain IPsec Data Encryption
• Explain Path State Sensitivity Control


Metered Links
NetScaler SD-WAN

• Configure traffic flow on dedicated WAN Links
• Conserve bandwidth on links based on usage
• Lowers path assessment frequency
• Report on usage thresholds
• You can configure the Link of Last Resort

Key Notes:

• NetScaler SD-WAN supports enabling metered links, which can be configured such that user traffic is only transmitted on a specific Internet WAN Link when all other available WAN Links are disabled.
• Metered links conserve bandwidth on links that are billed based on usage. With metered links you can configure a link as the Last Resort link, which disallows usage of the link until all other non-metered links are down or degraded. Set Last Resort is typically enabled when there are three WAN Links to a site (i.e. MPLS, Broadband Internet, 4G/LTE) and one of the WAN links is 4G/LTE, which may be too costly for a business to allow usage unless it is absolutely necessary.
• The combination of advanced features in NetScaler SD-WAN 9.0 enables enterprises to support a variety of application delivery strategies, and allows them to select technologies based on what works best for their environment now and to plan for the future. For instance, enterprises with bandwidth-intensive, business-critical applications now more than ever require intelligent routing capabilities to channel traffic through all available WAN links, ultimately to optimize cost; at the same time they have to proactively conserve bandwidth on those links, especially when they are highly billed. This is where NetScaler SD-WAN 9.0 introduces Metered Links. Metered Links is applicable only to the Standard Edition and Enterprise Edition appliances.
• The metered links feature provides businesses with a logical approach to conserving bandwidth on links that are billed based on usage. The feature lowers its path assessment frequency, and provides the ability to email an alert on meeting or exceeding user-defined byte usage count thresholds. Links defined as metered also have a Link of Last Resort feature, which disallows usage of the link unless all other non-metered links are in a down or degraded state.


SD-WAN Metered Links

(Diagram: a site's Core switch, Hosts and Router connected to the SD-WAN appliance, beside the WAN link's Metered Link settings showing Data Cap for Billing Cycle and Link of Last Resort.)

Metered Links:
• Lowers SD-WAN path condition checks from once every 50ms to once every 1s
• Link of last resort

Key Notes:

• Each WAN link has a Metered Links feature that can optionally be enabled.
• When enabled, the admin must provide a Data Cap in MB, Billing Cycle and Starting Date specific to the agreement with the 4G/LTE service provider. This information is used to provide alerting when the data usage nears the defined cap. Alerting is triggered when the threshold is reached at 50, 75, 90 and 100% usage.
• When the metered links feature is enabled, SD-WAN checks the health of that path sparingly. Specifically, the health check is lowered from once every 50ms down to once every second. This significantly reduces the amount of data on the wire from 14kbps down to 0.4kbps. Over a day that is roughly 50 Meg of WAN path health check traffic reduced down to 1 Meg.
• With Metered Links, NetScaler SD-WAN can be configured such that user traffic is only transmitted on a specific WAN Link when all other available WAN Links are disabled, effectively configuring this link as the Last Resort link, which disallows usage of the link until all other non-metered links are down or degraded. The Metered Links Last Resort link is typically enabled when there are three or more WAN Links available at a site and one of the WAN links is 4G/LTE, which may be too costly for a business to allow usage unless it is absolutely necessary.
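The Link of Last Resort rule and the 50/75/90/100% data-cap alerts described in these notes, modelled as an added example (not Citrix code; the WanLink class, usable_links, record_usage and the three-link site are hypothetical and constructed):

```python
"""Added example, not Citrix code: models the Metered Link behaviours this
slide describes - the Link of Last Resort eligibility rule and the data-cap
alerts at 50/75/90/100% of the cap. All class and function names are
hypothetical and the link set below is constructed."""
from dataclasses import dataclass, field
from typing import List, Set

# Alert thresholds from the slide, as percent of the configured data cap.
ALERT_THRESHOLDS = (50, 75, 90, 100)

# Simplified path states; the slide speaks of links being "down or degraded".
GOOD, DEGRADED, DOWN = "GOOD", "DEGRADED", "DOWN"


@dataclass
class WanLink:
    name: str
    state: str = GOOD
    metered: bool = False
    last_resort: bool = False       # "Set Last Resort"; only meaningful if metered
    data_cap_mb: int = 0            # Data Cap for the billing cycle; 0 = no cap
    used_mb: int = 0
    alerted: Set[int] = field(default_factory=set)  # thresholds already raised


def probe_interval_ms(link: WanLink) -> int:
    """Metered links are assessed sparingly: once per second instead of every 50 ms."""
    return 1000 if link.metered else 50


def usable_links(links: List[WanLink]) -> List[str]:
    """Names of the links user traffic may use right now.

    A Last Resort link stays idle while any non-metered link is GOOD and is
    admitted only once every non-metered link is DOWN or DEGRADED.
    """
    non_metered_ok = any(l.state == GOOD for l in links if not l.metered)
    chosen = []
    for link in links:
        if link.state == DOWN:
            continue
        if link.metered and link.last_resort and non_metered_ok:
            continue
        chosen.append(link.name)
    return chosen


def record_usage(link: WanLink, mb: int) -> List[str]:
    """Account `mb` against the billing-cycle cap and return alert messages for
    thresholds newly reached (each threshold fires once per cycle)."""
    link.used_mb += mb
    if not link.metered or link.data_cap_mb <= 0:
        return []
    pct = 100 * link.used_mb / link.data_cap_mb
    alerts = []
    for threshold in ALERT_THRESHOLDS:
        if pct >= threshold and threshold not in link.alerted:
            link.alerted.add(threshold)
            alerts.append(f"{link.name}: {threshold}% of {link.data_cap_mb} MB data cap used")
    return alerts


def start_billing_cycle(link: WanLink) -> None:
    """Reset the usage counter and alert state when a new billing cycle starts."""
    link.used_mb = 0
    link.alerted.clear()


def example_site() -> List[WanLink]:
    """Constructed three-link site from the notes: MPLS, broadband and 4G/LTE."""
    return [
        WanLink("MPLS"),
        WanLink("Broadband"),
        WanLink("LTE", metered=True, last_resort=True, data_cap_mb=1000),
    ]


if __name__ == "__main__":
    site = example_site()
    print(usable_links(site))                 # ['MPLS', 'Broadband']
    site[0].state, site[1].state = DOWN, DEGRADED
    print(usable_links(site))                 # ['Broadband', 'LTE']
    for chunk_mb in (400, 200, 300, 100):
        print(record_usage(site[2], chunk_mb))
```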


Lesson Objective Review

True or False?
When configuring a WAN link as a Last Resort link, this effectively disallows the usage of the link until all other non-metered links are down or degraded.

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.


Lesson Objective Review

True or False?
When configuring a WAN link as a Last Resort link, this effectively disallows the usage of the link until all other non-metered links are down or degraded.

Correct Answer: True

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.


MPLS Queues
NetScaler SD-WAN

(Screenshot: the MPLS queue DSCP selector listing af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7 and ef.)

Key Notes:

• Financial institutions, especially banks, along with retailers are believed to be at the forefront of SD-WAN adoption, largely because of their collective need to support huge numbers of branch offices and the complexity of, and reliance on, costly MPLS WAN links and their SLAs. Many of them have MPLS Queues implemented as part of their legacy WAN architecture to provide Quality of Service (QoS) capabilities.
• SD-WAN can be easily incorporated into these existing environments that depend on MPLS queues and need them to stay intact, adding SD-WAN's onboard path delivery intelligence, WAN link monitoring and application Quality of Service. SD-WAN 9.0 introduced the WAN link MPLS Queues integration feature to simplify the SD-WAN configuration when adding a Multiprotocol Label Switching (MPLS) WAN link that has MPLS queues implemented. The creation of WAN links with added configuration to separate a WAN link's queues is a feature designed for Standard Edition and Enterprise Edition appliances. The WANOP Edition of SD-WAN also has the ability to filter and tag on DSCP to better interoperate with the underlay network.


WAN Link Configuration

(Diagram: the Remote SD-WAN-SE connected over a single Private MPLS WAN link, split into an MPLS EF queue at 30% and an MPLS Bulk queue at 70%, to the Data Center or Cloud SD-WAN-SE.)

MPLS QoS Queues:
• Allows MPLS providers to identify Virtual Path UDP traffic based on DSCP markings
• Underlay network MPLS Quality of Service and bandwidth %
• SD-WAN is configured to match existing MPLS Queues
• Eligibility allows paths from this WAN Link to transmit set classes of service. If disabled, these paths will still be considered eligible if no other paths are available.

Key Notes:

• For most deployments, SD-WAN's path delivery intelligence and link monitoring capability eliminate the need for MPLS queues, because SD-WAN's intelligent path monitoring immediately detects packet loss, whereas MPLS queues do not and can easily drop packets in times of over-utilization. However, for deployments that require MPLS Queues to not be impacted, this feature allows SD-WAN to sit harmoniously in that environment and add additional benefit to application delivery.
• Identifying a WAN link on SD-WAN as Private MPLS enables SD-WAN to associate Virtual Path UDP traffic with DSCP markings to match up with the underlay MPLS provider's queues.
• The bandwidth for the single Private MPLS WAN link is split up amongst the available queues, as SD-WAN is configured to match the existing MPLS Queues configuration.
• For example, if the underlay network has 30% allocated for the EF queue for VoIP traffic, and the remaining 70% allocated for the Bulk Queue, SD-WAN can be
• SD-WAN WAN link creation involves configuring the physical line rate of the MPLS link, plus sub-configuration of the MPLS QoS Queues; based on the percentage of each queue, SD-WAN is configured with the appropriate permitted rate per queue.
• Additional configuration is available for the Eligibility of Classes of Service on the individual MPLS Queues. Eligibility biases a WAN link queue against carrying the set class of service on that particular path. This bias does not eliminate the usage of the path fully, and allows the path to be used by any class if no other path is available.
• SD-WAN then monitors each queue and treats each as yet another path that can be utilized for the overlay transport.
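The queue split, DSCP marking and class eligibility described above, as an added example (not Citrix code; the MplsQueue and PrivateMplsLink classes, the function names and the 10 Mbps line rate are hypothetical, with the 30%/70% queues constructed from this slide's figures); it also generalizes the DSCP names in the queue selector to their numeric code points:

```python
"""Added example, not Citrix code: models the Private MPLS WAN link behaviour
on this slide - the line rate split into provider queues by percentage, the
DSCP marking the provider classifies Virtual Path UDP traffic by, and the
class-of-service eligibility bias. Class and function names are hypothetical;
the 30%/70% link below is constructed from the slide's figures."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

GOOD, DOWN = "GOOD", "DOWN"
CLASSES = ("realtime", "interactive", "bulk")   # SD-WAN classes of service


def dscp_code(name: str) -> int:
    """Numeric DSCP for the names offered in the queue selector
    (RFC 2474 CSx = x*8, RFC 2597 AFxy = x*8 + y*2, RFC 3246 EF = 46)."""
    n = name.lower()
    if n == "ef":
        return 46
    if n in ("default", "cs0"):
        return 0
    if len(n) == 3 and n.startswith("cs") and n[2] in "1234567":
        return int(n[2]) * 8
    if len(n) == 4 and n.startswith("af") and n[2] in "1234" and n[3] in "123":
        return int(n[2]) * 8 + int(n[3]) * 2
    raise ValueError(f"unknown DSCP name {name!r}")


@dataclass
class MplsQueue:
    name: str
    dscp: str            # marking applied to this queue's Virtual Path packets
    percent: int         # share of the link's line rate, as configured at the provider
    eligible: Set[str] = field(default_factory=lambda: set(CLASSES))
    state: str = GOOD


@dataclass
class PrivateMplsLink:
    line_rate_kbps: int
    queues: List[MplsQueue]

    def __post_init__(self) -> None:
        if sum(q.percent for q in self.queues) != 100:
            raise ValueError("queue percentages must add up to 100")


def permitted_rates(link: PrivateMplsLink) -> Dict[str, int]:
    """Permitted rate per queue, derived from the line rate and queue percentage."""
    return {q.name: link.line_rate_kbps * q.percent // 100 for q in link.queues}


def select_queue(link: PrivateMplsLink, cls: str) -> Optional[str]:
    """Pick the queue (each treated by SD-WAN as its own path) for a flow of
    class `cls`. Eligibility is a bias: a queue whose eligibility excludes the
    class is used only when no eligible queue is up. None if every queue is down."""
    up = [q for q in link.queues if q.state == GOOD]
    preferred = [q for q in up if cls in q.eligible]
    pool = preferred or up
    return pool[0].name if pool else None


def outer_dscp(link: PrivateMplsLink, queue_name: str) -> int:
    """DSCP written on the Virtual Path UDP packets sent through `queue_name`,
    so the provider's queueing matches SD-WAN's choice."""
    for q in link.queues:
        if q.name == queue_name:
            return dscp_code(q.dscp)
    raise KeyError(queue_name)


def example_link() -> PrivateMplsLink:
    """Constructed from the slide: 10 Mbps line rate, EF 30% for realtime, Bulk 70%."""
    return PrivateMplsLink(10000, [
        MplsQueue("EF", "ef", 30, eligible={"realtime"}),
        MplsQueue("Bulk", "default", 70, eligible={"interactive", "bulk"}),
    ])


if __name__ == "__main__":
    link = example_link()
    print(permitted_rates(link))                      # {'EF': 3000, 'Bulk': 7000}
    print(select_queue(link, "realtime"), outer_dscp(link, "EF"))   # EF 46
    link.queues[1].state = DOWN
    print(select_queue(link, "bulk"))                 # EF (fallback, bias only)
```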


Lesson Objective Review

Regarding the MPLS queues feature, what does SD-WAN enable?

a) Maintaining the end-user experience even during queue congestion
b) Matching the existing MPLS queue configuration, thus not impacting the current legacy architecture
c) Providing reporting on WAN Links
d) Configuration of individual queue bandwidth
e) All of the above

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.


SD-WAN IPsec Data Encryption

(Diagram: the Remote SD-WAN-SE connected to the Data Center or Cloud SD-WAN-SE.)

Key Notes:

• NetScaler SD-WAN 9.0 introduced IPsec data encryption across the Virtual Path, with the ability to terminate IPsec tunnels with third-party VPN devices on either the LAN or the WAN. You can secure site-to-site IPsec tunnels terminating on an SD-WAN appliance by using a FIPS 140-2 Level 1 certified IPsec cryptographic binary.
• SD-WAN also supports resilient IPsec tunneling using a differentiating tunneling mechanism, which protects from tunnel re-establishment even when an individual path goes down within the Virtual Path.


SD-WAN IPsec Data Encryption

(Diagram: the Remote SD-WAN-SE and the Data Center or Cloud SD-WAN-SE, each with a VPN device, connected across the Virtual Path.)

Key Notes:

• IPsec Data Encryption:
  • Enterprise-grade, standards-based encryption
  • IKEv2
  • IPsec tunnel connectivity is not affected by WAN path states
  • AES 128-bit, AES 256-bit and a FIPS 140-2 Level 1 certified IPsec cryptographic binary
  • Untrusted links force encryption
  • Datasheet specs are measured with AES-128 bit
• IPsec is an enterprise-grade, standards-based encryption protocol, with the capability of using multiple types of encryption algorithms as well as multiple algorithms to ensure data integrity. IKEv2 is used for initial key negotiation and Security Association (SA) establishment between two IKE peers.
• SD-WAN provides a differentiated Virtual Path tunneling mechanism (patent pending) that prevents the need for IPsec tunnel re-initiation even in the event of WAN path failure. The IPsec tunnel stays up as long as one WAN link is up and functioning.
• The VPN tunnel is established before the Virtual Path, so path fluctuations within the Virtual Path Service do not affect the IPsec tunnel; more specifically, sessions do not need to reconnect and re-establish the tunnel because it stays up and connected.
• IPsec encryption on SD-WAN intelligently differentiates between a trusted link and an untrusted link, on which it then forces encryption. IPsec supports AES-128 bit, AES-256 bit and a FIPS 140-2 Level 1 certified IPsec cryptographic binary.
• SD-WAN interfaces that are not protected by a firewall and are facing the public internet are recommended to be configured as untrusted links, which forces encryption to be enabled on that WAN link. The Data Sheet specs for each appliance outline performance numbers with AES-128 bit encryption enabled. Keep in mind that enabling more advanced levels of encryption impacts performance on the respective models.
• To configure IPsec tunnels between SD-WAN branch sites, navigate to Global → Virtual Path Default Sets or Dynamic Virtual Path Default Sets. From there, create a new default set and enable "Secure Virtual Path User Data with IPsec".

Lesson Objective Review

True or False?
If a Virtual Path consists of four WAN paths, and three out of the four paths encounter blackout, the IPsec tunnel will automatically re-establish the IPsec negotiation, causing user session reconnects.

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.


Lesson Objective Review

True or False?
If a Virtual Path consists of four WAN paths, and three out of the four paths encounter blackout, the IPsec tunnel will automatically re-establish the IPsec negotiation, causing user session reconnects.

Correct Answer: False

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.


SD-WAN Path State Sensitivity Control

[Diagram: SD-WAN-SE at the Remote site and SD-WAN-SE at the Data Center or Cloud]

Key Notes:

• Enterprises are constantly looking for strategies to be more efficient and to have more tailored control over performance in both upstream and downstream paths. This is especially challenging for WAN links that are prone to poor connectivity. Path state sensitivity control is a feature introduced in NetScaler SD-WAN 9.0, applicable only to the Standard Edition and Enterprise Edition appliances, that provides enterprises with a mechanism to adjust the Virtual Path sensitivity to accommodate these challenges.


SD-WAN Path State Sensitivity Control

[Diagram: two paths between the Remote SD-WAN-SE and the Data Center or Cloud SD-WAN-SE, one in the DEAD Path State and one in the GOOD Path State]

Key Notes:

• Path State Sensitivity Control:
  • User controlled BAD state % loss
  • Additional configurable parameters

• The path state sensitivity control becomes useful when dealing with links that are known to be of poor quality and expected to have high loss. The SD-WAN solution is fine tuned to quickly determine condition changes of a path and to adapt accordingly to protect application delivery and performance. Prior to this feature, lossy links would be dropped automatically by the SD-WAN path state algorithm and would rarely be used.

• In some cases, with remote sites, WAN link instability is not avoidable, and for SD-WAN to be less sensitive to those poor-quality links this feature was added to provide granular control over the path state algorithm that dictates whether a path is usable or not.


SD-WAN Path State Sensitivity Control

[Screenshot of the Configuration Editor: Global > Autopath Group > Set, showing the Bad Loss Sensitive option with the values Enable (default), Disable and Custom]

• Bad Loss Sensitive is enabled by default, which allows the system to mark Paths as BAD due to high loss.

Key Notes:

• To enable path state sensitivity control, navigate to the Global section in the Configuration Editor. Here you will encounter the following options for sensitivity control on SD-WAN path state monitoring.

• Bad Loss Sensitive is enabled by default, which allows the system to mark Paths as BAD due to high loss; a BAD Path incurs a Path scoring penalty when compared to other paths. There is an option to disable Bad Loss Sensitive, which may be useful when a WAN Link is of inherently poor quality and high packet loss is expected, allowing the system to continue using the WAN Path even in high loss conditions (i.e. skip the BAD state). The last option is Custom, a new 9.0 feature which allows granular path state sensitivity control.


SD-WAN Path State Sensitivity Control

[Screenshot of the Configuration Editor: Global > Autopath Groups > Default_Group, showing Bad Loss Sensitive (Enable (Default)), Silence Period (ms), Path Probation Period (ms, 10000 (Default)) and Instability Sensitive. The help text reads: if Bad Loss Sensitive is set to Enable, Paths will be marked BAD due to loss and will incur a Path scoring penalty; setting this option to Disable may be useful when the loss of bandwidth is intolerable; Custom allows you to specify the percentage of loss over time required to mark a Path BAD.]

• There are additional parameters available in Default_Group that control Path state behavior.

Key Notes:

• Additional parameters available:
  • Silence Period: Specify the silence duration before a Path state transitions from GOOD to BAD. When not specified, the default is 150ms.
  • Path Probation Period: Specify the wait time, or Path Probation Period, before a Path transitions from BAD to GOOD. The default is 10 seconds.
  • Instability Sensitive: If enabled, latency penalties due to the Path being in a BAD state and other latency spikes are considered in the Path scoring algorithm.

• With the Custom option selected, users can further control the sensitivity with the BAD state % loss sensitivity within a timeframe.
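The GOOD/BAD/DEAD transitions described on the last three slides, together with the point from the IPsec Data Encryption notes earlier in this module that the tunnel survives as long as one path is up, as an added example that is not Citrix code and not the SD-WAN path state algorithm itself: a small Python model of one Virtual Path carrying three WAN paths. The silence period (150 ms) and path probation period (10 s) defaults are the ones the slides state; the 5% loss threshold behind Enable, the DEAD timeout, the custom-mode defaults and the path names are assumptions constructed for the model.

```python
"""Toy model of path state sensitivity control on a Virtual Path.
Added educational example; not Citrix code. Slide defaults: silence period 150 ms,
probation period 10 s. ASSUMPTIONS: Enable's loss threshold, the DEAD timeout, custom defaults.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class State(Enum):
    GOOD = "GOOD"
    BAD = "BAD"
    DEAD = "DEAD"


@dataclass
class Sensitivity:
    bad_loss_sensitive: str = "enable"  # "enable" (default), "disable" or "custom"
    enable_loss_pct: float = 5.0        # ASSUMPTION: built-in loss threshold behind "Enable (Default)"
    custom_loss_pct: float = 20.0       # custom: % loss over the window that marks a path BAD (assumed)
    custom_window_ms: int = 1000        # custom: measurement window in ms (assumed)
    silence_period_ms: int = 150        # slide default: GOOD -> BAD after this much silence
    probation_period_ms: int = 10_000   # slide default: BAD -> GOOD after this much clean time
    dead_timeout_ms: int = 3000         # ASSUMPTION: silence before a path is declared DEAD


@dataclass
class Path:
    name: str
    cfg: Sensitivity
    state: State = State.GOOD
    silence_ms: int = 0   # time since the last packet was heard
    clean_ms: int = 0     # probation clock: consecutive loss-free time while BAD
    latency_ms: int = 0
    samples: List[Tuple[int, float]] = field(default_factory=list)  # custom-mode history

    def _lossy(self, dt_ms: int, loss_pct: float) -> bool:
        mode = self.cfg.bad_loss_sensitive
        if mode == "disable":
            return False  # loss alone never marks the path BAD (skip the BAD state)
        if mode == "enable":
            return loss_pct >= self.cfg.enable_loss_pct
        # custom: average loss over at least custom_window_ms of history
        self.samples.append((dt_ms, loss_pct))
        while len(self.samples) > 1 and sum(d for d, _ in self.samples[1:]) >= self.cfg.custom_window_ms:
            self.samples.pop(0)
        total = sum(d for d, _ in self.samples)
        if total < self.cfg.custom_window_ms:
            return False  # not enough history yet
        return sum(d * l for d, l in self.samples) / total >= self.cfg.custom_loss_pct

    def observe(self, dt_ms: int, heard: bool, loss_pct: float = 0.0, latency_ms: int = 0) -> State:
        """Advance the clock by dt_ms with one measurement and return the new state."""
        self.silence_ms = 0 if heard else self.silence_ms + dt_ms
        if heard:
            self.latency_ms = latency_ms
        lossy = heard and self._lossy(dt_ms, loss_pct)
        if self.silence_ms >= self.cfg.dead_timeout_ms:
            self.state = State.DEAD
        elif self.state == State.DEAD and heard:
            self.state, self.clean_ms = State.BAD, 0  # a recovered path must pass probation
        elif self.state == State.GOOD and (lossy or self.silence_ms >= self.cfg.silence_period_ms):
            self.state, self.clean_ms = State.BAD, 0
        elif self.state == State.BAD:
            self.clean_ms = 0 if (lossy or not heard) else self.clean_ms + dt_ms
            if self.clean_ms >= self.cfg.probation_period_ms:
                self.state = State.GOOD
        return self.state


class VirtualPath:
    """Several WAN paths bundled together; the IPsec tunnel rides on the bundle."""

    def __init__(self, paths: List[Path]) -> None:
        self.paths = paths

    def usable(self) -> List[str]:
        """Names of paths still carrying traffic: GOOD before BAD, lowest latency first."""
        live = [p for p in self.paths if p.state != State.DEAD]
        return [p.name for p in sorted(live, key=lambda p: (p.state == State.BAD, p.latency_ms))]

    def ipsec_tunnel_up(self) -> bool:
        # Bound to the Virtual Path, not to one WAN link: stays up while any path is not DEAD.
        return any(p.state != State.DEAD for p in self.paths)


def run_scenario(mode: str, ticks: int = 40, dt_ms: int = 100):
    """Three constructed paths: clean MPLS, an 8% loss LTE path, and a DSL path in blackout."""
    cfg = Sensitivity(bad_loss_sensitive=mode)
    vp = VirtualPath([Path("mpls", cfg), Path("lte", cfg), Path("dsl", cfg)])
    mpls, lte, dsl = vp.paths
    for _ in range(ticks):
        mpls.observe(dt_ms, heard=True, loss_pct=0.0, latency_ms=30)
        lte.observe(dt_ms, heard=True, loss_pct=8.0, latency_ms=60)
        dsl.observe(dt_ms, heard=False)  # blackout: nothing heard at all
    return {p.name: p.state.value for p in vp.paths}, vp.ipsec_tunnel_up(), vp.usable()
```

Running `run_scenario("enable")` marks the lossy LTE path BAD and the silent DSL path DEAD while the tunnel stays up on the remaining paths; `run_scenario("disable")` keeps the same LTE path GOOD, which is the "skip the BAD state" behaviour the previous slide describes. Stepping a BAD path with clean 500 ms samples shows it needs the full 10 s probation period before it is GOOD again.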


Lesson Objective Review

Path state sensitivity control is a useful feature when which of the following conditions are seen?
a) WAN path is reporting high loss
b) WAN path continuously shows BAD state
c) A site's WAN links are known to have non-ideal conditions due to its geographical location
d) All of the above

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.


Key Takeaways

• Enterprises can greatly benefit from leveraging NetScaler SD-WAN 9.0 to help determine the right network setup and to best control costs, maximize uptime and deliver a reliable and faster experience over the WAN.

• NetScaler SD-WAN 9.0 advanced features like metered links and MPLS queues simplify the need for aggregating different connections, constantly analyzing path quality and saving the organization money along the way. The centralized management tools that SD-WAN provides make networks more agile and adaptable.

• IPsec encryption and Path State Sensitivity Control add granularity, control and security over the existing WAN links.


• Exercise 5-1: Metered Links


• Exercise 5-2: MPLS Queues

• Exercise 5-3: IPsec Data Encryption

• Exercise 5-4: Path State Sensitivity Control

Key Notes:

• The Optional Self Study exercises are added to allow students to continue the hands-on experience outside of class time. You are given 30 days of access to the lab environment and can go in at any time and complete these labs.



CITRIX

NetScaler SD-WAN Hands-on Workshop

9.1 Feature Release

CNS-200W
Version: 1.3


Learning Objectives

• Describe Dynamic Routing
• Describe Route Domains
• Explain Secure Internet Breakout
• Explain IPsec Termination
• Configure DHCP Services
• Understand Zero Touch Deployment


NetScaler SD-WAN Dynamic Routing

[Diagram: Core, SD-WAN-CE and Hosts]

Key Notes:

• One of the most important features added with the NetScaler SD-WAN 9.1 release was route learning, or dynamic routing. NetScaler SD-WAN Standard and Enterprise Edition appliances have the ability to discover LAN subnets and advertise Virtual Path routes using the BGP and OSPF routing protocols. This interoperability with the underlay network's routing protocols allows SD-WAN to be seamlessly deployed in an existing environment without the need for static route configuration, and with graceful router failover.

• Route learning further allows consolidation of hardware requirements for the branch by taking over responsibilities for features such as routing.


SD-WAN Supported Routing Protocols

[Diagram: Core, SD-WAN-CE and Hosts]

Supported Routing Protocols:
• OSPF
• iBGP
• eBGP

Limitations:
• SD-WAN does not participate as Designated Router (DR) or Backup Designated Router (BDR)
• SD-WAN appliances do not support summarization as the Area Border Router (ABR)
• MBGP not supported

Key Notes:

• SD-WAN Standard Edition and Enterprise Edition support popular routing protocols like OSPF, iBGP and eBGP, and use those protocols to advertise SD-WAN routes to the underlay network, allowing the seamless introduction of SD-WAN into any network.

• From a configuration standpoint, the addition of routing protocols allows for more effortless configuration, where previously static subnet definition for each site was mandatory.


SD-WAN Dynamic Routing Protocol

[Diagram: OSPF/BGP between the SD-WAN appliance, the Core and the CE Router, with Hosts behind the Core]

Dynamic Routing:
• LAN Route Learning
• WAN Route advertising to partner and non-partner sites

Key Notes:

• SD-WAN appliances perform route discovery of layer 3 routing advertisements within a local underlay network for each desired routing protocol (OSPF and BGP).

• In the configuration editor, when building the site, you are no longer required to identify what subnets reside at that branch.

• On the WAN side, SD-WAN can advertise existing routes, plus learned routes, to other SD-WAN appliances in the network, or even to other CE routers in the network.

• A NetScaler SD-WAN appliance can have its AREA defined as a STUB area by limiting the learning of Type 5 AS-external LSAs. SD-WAN appliances can advertise the locally learned dynamic routes to the head-end MCN SD-WAN. The MCN can then relay these routes to other SD-WAN appliances in the network. This dynamic exchange of information allows connectivity to be maintained between sites across the changing network.

• With the latest release, SD-WAN can now advertise routes as intra-area routes (LSA Type 1) to get higher preference, as per their route cost, in the OSPF path selection algorithm. The route cost can be configured and advertised to the neighbor router. This allows for deploying SD-WAN appliances in Virtual Inline mode.


Lesson Objective Review

What are the SD-WAN supported dynamic routing protocols?
A. OSPF
B. eBGP
C. iBGP
D. All of the above

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.


SD-WAN Routing Domain

Key Notes:

• NetScaler SD-WAN 9.1 introduced Routing Domains, also known as Virtual Routing and Forwarding (VRF) capability, which allows multiple instances of a routing table to exist in the SD-WAN overlay network and work simultaneously. This allows for network segmentation and policy separation without the need for multiple devices.


SD-WAN Routing Domains

[Diagram: Remote SD-WAN-SE and Data Center SD-WAN-SE carrying several routing domains over the Virtual Path]

Routing Domains:
• Achieved through Virtual Routing and Forwarding (VRF-lite)
• Segmentation of traffic
• Multiple Route tables separate from each other
• Support multiple tenants
• Up to 16 routing domains supported

Benefits:
• Security with complete network isolation
• Easily integrate mergers and acquisitions with overlapping IP addresses
• Simplifies management

Key Notes:

• Routing domains enable distant networks that can only share traffic using external routing, and have the ability to contain overlapping IP spaces.

• Routing domains are useful for physically distinct networks using a shared overlay, such as service provider customers.

• Routing domains can also be used to isolate networks where any shared traffic is potentially a security violation.

• SD-WAN Standard and Enterprise Editions support up to 16 routing domains.

• Some example use cases would be Guest Wi-Fi internet backhaul versus Corporate traffic.
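The overlapping-address case from the Benefits column above (an acquired site that reuses a prefix the corporate network already has) and the isolation point from the Key Notes, as an added example that is not Citrix code: a Python model of one route table per routing domain, where a lookup does longest-prefix matching inside its own domain only and never consults another domain's table. The domain names, prefixes and next-hop labels are constructed; the 16-domain limit is the figure the slide gives.

```python
"""Per-routing-domain route tables (VRF-lite style) with overlapping prefixes.

Added educational example; not Citrix code. Domain names, prefixes and
next-hop labels are constructed; the 16-domain limit is the slide's figure.
"""
import ipaddress
from itertools import combinations
from typing import Dict, List, Optional, Tuple

MAX_ROUTING_DOMAINS = 16  # SD-WAN SE/EE support up to 16 routing domains

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, next-hop label)


class RoutingDomains:
    """One independent route table per routing domain on a single appliance."""

    def __init__(self) -> None:
        self._tables: Dict[str, List[Route]] = {}

    def add_domain(self, name: str) -> None:
        if name in self._tables:
            raise ValueError(f"routing domain {name!r} already exists")
        if len(self._tables) >= MAX_ROUTING_DOMAINS:
            raise ValueError(f"at most {MAX_ROUTING_DOMAINS} routing domains are supported")
        self._tables[name] = []

    def add_route(self, domain: str, prefix: str, next_hop: str) -> None:
        # strict=True rejects a prefix with host bits set, a common configuration typo
        self._tables[domain].append((ipaddress.ip_network(prefix, strict=True), next_hop))

    def lookup(self, domain: str, address: str) -> Optional[str]:
        """Longest-prefix match inside one domain only; other domains are never consulted."""
        addr = ipaddress.ip_address(address)
        best: Optional[Route] = None
        for net, hop in self._tables[domain]:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None

    def overlapping_prefixes(self) -> List[Tuple[str, str, str]]:
        """Prefixes present in two domains: fine with VRFs, a collision in one flat table."""
        found: List[Tuple[str, str, str]] = []
        for a, b in combinations(self._tables, 2):
            nets_b = {net for net, _ in self._tables[b]}
            found.extend((a, b, str(net)) for net, _ in self._tables[a] if net in nets_b)
        return found


def build_demo() -> RoutingDomains:
    """Corporate and Guest domains; the acquired branch reused 10.0.0.0/24 (constructed)."""
    rd = RoutingDomains()
    rd.add_domain("corporate")
    rd.add_domain("guest")
    rd.add_route("corporate", "10.0.0.0/24", "branch-a-corp")
    rd.add_route("corporate", "10.10.0.0/16", "dc-servers")
    rd.add_route("guest", "10.0.0.0/24", "branch-a-guest-wifi")
    rd.add_route("guest", "0.0.0.0/0", "internet-breakout")  # guest traffic only ever exits here
    return rd
```

With `build_demo()`, the same host address 10.0.0.5 resolves to a different next hop in each domain, a guest lookup for a corporate server address falls through to the guest default route instead of reaching `dc-servers`, and the corporate domain, which has no default route, returns no route at all for an Internet address, so that traffic is dropped rather than leaked.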


Lesson Objective Review

True or False?
The Routing Domains feature in SD-WAN allows a network Admin to more easily manage an acquisition, allowing segments of the new network to communicate with specific segments of the existing network.

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.


Lesson Objective Review

True or False?
The Routing Domains feature in SD-WAN allows a network Admin to more easily manage an acquisition, allowing segments of the new network to communicate with specific segments of the existing network.

Correct Answer: True

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.


SD-WAN Secure Web Gateway

[Diagram: Remote SD-WAN-SE and Data Center or Cloud SD-WAN-SE]

Key Notes:

• NetScaler SD-WAN 9.1 introduced the ability to secure traffic and enforce policies using third-party Secure Web Gateway solutions. For most deployments, Citrix recommends backhauling branch internet traffic to the corporate data center using the Virtual Path, and allowing the data center's hardened security policies and filters to protect the network. For some customers this backhaul of traffic is expensive and taxing on the head-end appliances and WAN links. It also typically results in a poor user experience, because the process adds latency, and there is still the possibility that users bypass your security controls.

• An alternative approach to backhauling would be to add security appliances at the branch. However, cost and complexity increase as you install multiple appliances to maintain consistent policies across the sites, and if you have a large number of branch offices it becomes impractical to manage costs.

• For some customers, the ideal solution to enforce security without adding cost, complexity, or latency is to route all branch Internet traffic from the NetScaler SD-WAN appliance to a Secure Web Gateway solution, and allow that cloud service to provide the policing and filtering for Internet traffic.


SD-WAN Secure Web Gateway

[Diagram: Remote SD-WAN-SE and Data Center or Cloud SD-WAN-SE]

Secure Web Gateway:
• Granular global security policy control
• No security hardware needed for the branch
• Reduced footprint of appliances
• Reduced cost in management of individual appliances
• Improved end-user experience
• Optional ability to backhaul to another site that has Internet access

Limitations with release 9.1:
• Only GRE traffic forwarding mode (IPsec feature is not supported)
• Only supports a single Routing Domain
• Only supports a single WAN Link Internet Service

Key Notes:

• With the addition of Secure Web Gateway integration to your NetScaler SD-WAN network, an Admin can create granular security policies. The same policies can be applied globally and consistently across all sites that perform this operation of sending internet traffic to the secure web gateway.

• With this service hosted in the Cloud, coupled with SD-WAN providing secure, reliable network delivery, there is significant cost saving in hardware and management to make sure your network is protected, not to mention improved end-user experience, with reduced latency for web browsing compared to the backhaul approach.

• For sites that do not have Internet WAN Links, flexibility is provided so that those sites can utilize the Virtual Path and be configured to have their Internet traffic backhauled to partner sites to make use of the Secure Web Gateway integration.

• With the 9.1 release, only GRE traffic forwarding is supported; IPsec capability is not supported. There is also a limitation on the number of Routing Domains that can be used: only one is supported. Also, with Secure Web Gateway, only a single WAN link is configurable for Internet Service.


Lesson Objective Review

What are some benefits of the Secure Web Gateway feature?
a) Lower latency for Internet traffic
b) Cost savings in CAPEX and OPEX
c) Less bandwidth usage on the Data Center links
d) Granular policing and control of traffic
e) All of the above

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.


SD-WAN IPsec Tunnel Termination

[Diagram, top: a third-party device terminating an IPsec tunnel on the SD-WAN-SE at the Remote or Data Center site, with Apps and Servers behind it. Bottom: an SD-WAN-SE to SD-WAN-SE IPsec tunnel between the Remote site and the Data Center, with Apps and Servers behind each]

Key Notes:

• NetScaler SD-WAN 9.1's IPsec Tunnel Termination enables third-party devices to terminate IPsec VPN tunnels on the LAN or WAN side of a Standard or Enterprise Edition appliance.

• The same IPsec tunnel can be used to terminate VPN tunnels between two SD-WAN Standard or Enterprise appliances.

• One of the unique capabilities of terminating the VPN tunnels using a pair of SD-WAN appliances is the added resiliency of that VPN tunnel. Since the tunnel is established before the path delivery engine is utilized, any unstable condition of the available paths does not impact the IPsec tunnel. Meaning any given WAN link can fail or degrade, and partner SD-WAN devices will continue delivery using the same VPN tunnel. No renegotiation or dropped connection will be experienced by the end-user. This provides a differentiating capability of the NetScaler SD-WAN solution: support for resilient IPsec tunneling using a virtualized wide area network.


SD-WAN IPsec Tunnel Termination

[Diagram: Remote or Data Center SD-WAN-SE terminating an IPsec tunnel from a third-party device, with Apps and Servers behind it]

IPsec Tunnel Termination
• FIPS 140-2 Level 1 certified cryptographic binary
• IKEv1
  o Encapsulation types: ESP, AH, or ESP+AH
  o Encryption Modes: AES 128 or 256-bit
  o Hash Algorithm: SHA1 or SHA-256
• IKEv2
  o Peer Authentication: Mirrored, pre-shared key, certificate
  o Peer Pre-shared Key: Text string
  o Integrity Algorithm: MD5, SHA, SHA-256

Key Notes:

• SD-WAN utilizes a Federal Information Processing Standard 140-2 Level 1 cryptographic binary for the site-to-site IPsec tunnel.

• Level 1 fulfills basic security requirements for production-grade components.

• Adjustable IKEv1 settings (encryption modes and hash algorithms) can be selected as a global parameter that can be picked up by any of the SD-WAN sites. Additional IKEv2 settings are available for Peer Authentication, Peer Pre-Shared Keys and Integrity Algorithm.


Lesson Objective Review

Under which conditions would an SD-WAN IPsec tunnel require to be re-established?
a) One out of five WAN links fail
b) Two out of five WAN links fail
c) Three out of five WAN links fail
d) Four out of the five WAN links fail
e) None of the above

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.


SD-WAN DHCP Services

• DHCP Server
• DHCP Relay
• DHCP Client

Key Notes:

• NetScaler SD-WAN 9.1 introduced the ability to use Standard or Enterprise Edition appliances as either a DHCP Server or a DHCP Relay agent, giving SD-WAN another feature to further consolidate hardware requirements at the branch office.

• With DHCP Server, SD-WAN has the ability to issue IP addresses using DHCP.

• With DHCP Relay, SD-WAN can forward DHCP packets between clients and servers.

• In the 9.1 release, the two features mentioned above are purposely built to be used with the management interface of SD-WAN. In a later release this capability will also be introduced for the data interfaces.

• SD-WAN 9.1 also introduced support for WAN Link IP address learning through a DHCP Client feature. The feature was purposely built for the data interfaces and can aid in simpler configuration of WAN links.


SD-WAN DHCP Services: DHCP Server

[Diagram: Core, SD-WAN with DHCP Server on the Mgmt interface, and DHCP Clients. Screenshot of Configuration > Network Interface: DHCP Server, with the fields Enable DHCP Server, Lease Time (minutes), Domain Name, Start IP Address and End IP Address]

DHCP Server:
• Consolidates branch hardware requirements
• Assign IP addresses for hosts using DHCP through the management interface

Limitations with release 9.1:
• DHCP Server supports only IP Pool based address assignment
• Do not enable DHCP Server on both the active and the standby SD-WAN appliance.

Key Notes:

• The DHCP Server feature was introduced to help further consolidate branch hardware requirements. This feature also helps in simplifying the configuration of an SD-WAN enabled site. In the 9.1 release DHCP Server is available through the management interface only, but in a later release this capability will be accessible through the data interfaces as well.

• The SD-WAN DHCP Server can issue IP addresses for hosts using DHCP. SD-WAN can optionally be configured to assign additional parameters such as the Domain Name System (DNS) server. Through DHCP, the clients will also be assigned their default gateway. The feature will accept address assignment requests and renewals.

• The DHCP Server feature accepts broadcasts from locally attached LAN segments. SD-WAN will issue IP addresses from the management interface, which therefore requires the management interface to be connected to the LAN segment.

• Keep in mind that you should not enable DHCP on both the active and the standby appliance; doing so will result in duplicate IP addresses on the defined management network.


SD-WAN DHCP Services: DHCP Relay

[Diagram: Core, SD-WAN with DHCP Relay on the Mgmt interface, and DHCP Clients. Screenshot of Configuration > Network Interface: Management Interface DHCP Relay]

DHCP Relay:
• Consolidates branch hardware requirements
• Assign IP addresses for hosts using DHCP through the management interface

Limitations with release 9.1:
• DHCP Relay does not support multiple DHCP Server IP address assignment
• Do not enable DHCP Relay on both the active and the standby SD-WAN appliance.

Key Notes:

• The DHCP Relay Agent feature acts as a host or router that forwards DHCP packets between clients and servers. Network admins can use the DHCP Relay service on the management port of the SD-WAN (Standard or Enterprise Edition) appliances to relay requests and replies between local DHCP Clients and a remote DHCP Server. This allows local hosts to acquire a dynamic IP address from a non-local DHCP server.

• DHCP Relay can help forward DHCP packets between clients and servers where the server and clients are in different subnets. The Relay feature receives DHCP messages and generates a new DHCP message to send out on another interface.
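The relay behaviour the Key Notes describe (receive the client's message, generate a new one toward the remote server, and hand the reply back to the client on the local segment), as an added example that is not Citrix code: a Python model of the BOOTP/DHCP header handling a relay agent performs in the style of RFC 1542, stamping its own address into giaddr, counting hops so a looped request is dropped, and accepting only replies that carry its own giaddr. The relay address, server address, client MAC and the stand-in `make_offer` server reply are constructed; the single configured server mirrors the 9.1 limitation on the slide.

```python
"""DHCP relay agent header handling (RFC 1542 style).

Added educational example; not Citrix code. Relay address, server address
and client MAC are constructed. One DHCP server only, as in the 9.1 slide.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_MSG_TYPE, OPT_PAD, OPT_END = 53, 0, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # op, htype, hlen, hops, xid, secs, flags, 4 addrs, chaddr, sname, file
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 236 bytes, followed by the cookie and options
YIADDR_OFF, GIADDR_OFF = 16, 24
BROADCAST_FLAG = 0x8000


@dataclass
class DhcpHeader:
    op: int
    hops: int
    xid: int
    flags: int
    yiaddr: str
    giaddr: str
    chaddr: bytes
    msg_type: Optional[int]


def build_discover(xid: int, mac: bytes) -> bytes:
    """Client DHCPDISCOVER as seen on the LAN: giaddr zero, broadcast flag set."""
    zero = b"\0" * 4
    header = struct.pack(HEADER_FMT, BOOTREQUEST, 1, len(mac), 0, xid, 0, BROADCAST_FLAG,
                         zero, zero, zero, zero, mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])


def parse(packet: bytes) -> DhcpHeader:
    if len(packet) < HEADER_LEN + 4 or packet[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    f = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    msg_type, opts, i = None, packet[HEADER_LEN + 4:], 0
    while i < len(opts) and opts[i] != OPT_END:  # TLV walk; only option 53 is needed here
        if opts[i] == OPT_PAD:
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = opts[i + 2]
        i += 2 + length
    return DhcpHeader(op=f[0], hops=f[3], xid=f[4], flags=f[6],
                      yiaddr=socket.inet_ntoa(f[8]), giaddr=socket.inet_ntoa(f[10]),
                      chaddr=f[11][:f[2]], msg_type=msg_type)


class DhcpRelay:
    """Relay on the management interface, forwarding to a single remote DHCP server."""

    def __init__(self, relay_ip: str, server_ip: str, max_hops: int = 4) -> None:
        self.relay_ip, self.server_ip, self.max_hops = relay_ip, server_ip, max_hops

    def to_server(self, packet: bytes) -> Optional[Tuple[str, bytes]]:
        """Client -> server: returns (destination, new packet), or None when dropped."""
        hdr = parse(packet)
        if hdr.op != BOOTREQUEST or hdr.hops >= self.max_hops:
            return None  # not a request, or already relayed too many times (loop guard)
        out = bytearray(packet)
        out[3] = hdr.hops + 1
        if hdr.giaddr == "0.0.0.0":  # the first relay stamps its own address; later relays keep it
            out[GIADDR_OFF:GIADDR_OFF + 4] = socket.inet_aton(self.relay_ip)
        return self.server_ip, bytes(out)

    def to_client(self, packet: bytes) -> Optional[Tuple[str, bytes]]:
        """Server -> client: accept only replies that carry this relay's giaddr."""
        hdr = parse(packet)
        if hdr.op != BOOTREPLY or hdr.giaddr != self.relay_ip:
            return None
        dest = "255.255.255.255" if hdr.flags & BROADCAST_FLAG else hdr.yiaddr
        return dest, packet


def make_offer(request: bytes, yiaddr: str) -> bytes:
    """Constructed stand-in for the remote server: same xid and giaddr, op flipped, address filled."""
    out = bytearray(request)
    out[0] = BOOTREPLY
    out[YIADDR_OFF:YIADDR_OFF + 4] = socket.inet_aton(yiaddr)
    out[HEADER_LEN + 4 + 2] = DHCPOFFER  # value byte of option 53 as laid out by build_discover
    return bytes(out)
```

A DISCOVER built with `build_discover` leaves the relay with `hops` incremented and `giaddr` set to the relay's management address, which is what lets the remote server pick a pool for the right segment and address its OFFER back to the relay; a reply carrying some other relay's giaddr, or a request that has already passed the hop limit, is dropped rather than forwarded.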


• Exercise 6-1: Dynamic Routing

• Exercise 6-2: DHCP Server


Lesson Objective Review

What would be the outcome of enabling the DHCP Server feature on two SD-WAN appliances deployed in High Availability?
a) A resilient, highly reliable network
b) SD-WAN will be unable to assign IP addresses
c) Nothing
d) Potential of duplicate IP addresses in the network
e) None of the above

Key Notes:

• This slide is hidden from the in-class presentation and added for additional student resources.


SD-WAN Zero Touch Deployment

Key Notes:

• The Zero Touch Deployment (ZTD) Cloud Service is a Citrix operated and managed cloud-based service which all ows discovery of new appliances in the NetScaler SD-WAN network, primarily focused on streamlining the deployment process for NetScaler SD-WAN at remote or branch office locations. The ZTD Cloud Service is publicly accessible from any point in a network via public Internet access. The ZTD Cloud Service is accessed over the Secure Socket Layer (SSL) Protocol.

• The ZTD Cloud Service securely communicates with backend Citrix services hosting stored identification of Citrix customers who have purchased Zero Touch capable appliances (e.g. NetScaler SD-WAN 410-SE, 2100-SE). The backend services are in place to authenticate any Zero Touch Deployment request, properly validating the association between the Customer Account and the Serial Numbers of NetScaler SD-WAN appliances.

• The Zero Touch Deployment Service works in tandem with the NetScaler SD-WAN Center to provide an easier deployment of branch office SD-WAN appliances. SD-WAN Center is configured and used as the central management tool for the SD-WAN Standard and Enterprise Edition appliances. In order to utilize the Zero Touch Deployment Service (or ZTD Cloud Service), an Administrator must begin by deploying the first NetScaler SD-WAN device in the environment, then configure and deploy the SD-WAN Center as the central point of management. When the SD-WAN Center, release 9.1 or later, is installed with connectivity to the public internet on port 443, SD-WAN Center will automatically call home to the Cloud Service and install the necessary components to unlock the Zero Touch Deployment features and to make the Zero Touch Deployment option available in the GUI of SD-WAN Center. Zero Touch Deployment is not available by default in the SD-WAN Center software. This is purposely designed to make sure the proper preliminary components on the underlay network are present before allowing an Administrator to initiate any on-site activity involving Zero Touch Deployment.

• The Zero Touch Deployment service is supported only on select NetScaler SD-WAN appliances:
  • NetScaler SD-WAN 410 Standard Edition
  • NetScaler SD-WAN 2100 Standard Edition
  • NetScaler SD-WAN 1000 Standard Edition (reimage required)
  • NetScaler SD-WAN 1000 Enterprise Edition (reimage required)
  • NetScaler SD-WAN 2000 Standard Edition (reimage required)
  • NetScaler SD-WAN 2000 Enterprise Edition (reimage required)

NetScaler SD-WAN Zero Touch Deployment Authentication

[Diagram: SD-WAN Center 9.1 authenticates to the Zero Touch Deployment Service with a Citrix Cloud login; the remote SD-WAN-SE appliance presents its Serial Number; the MCN SD-WAN-SE sits in the Data Center or Cloud.]

Zero Touch Deployment Authentication
• Citrix Workspace Cloud Login tied to Customer ID
• Customer ID tied to purchased hardware
• Serial number associated with Customer ID

Key Notes:
• The Citrix Zero Touch Service works in tandem with the NetScaler SD-WAN Center to enable easier deployment of branch office SD-WAN appliances. SD-WAN Center is utilized as the central management tool for SD-WAN Standard Edition and Enterprise Edition appliances. Eventually this responsibility will also be integrated into NetScaler MAS.
• In order to utilize the Zero Touch Deployment Service (or ZTD service), an Admin must first deploy an SD-WAN environment utilizing the SD-WAN Center as the central point of management.
• In most cases, in addition to the head-end SD-WAN appliance, one or two remote sites are also deployed to prove the technology. It is recommended that SD-WAN Center be used for this initial deployment, and that a working SD-WAN environment be up and running before introducing the Zero Touch Deployment Service.
• With SD-WAN Center Release 9.1 installed, with proper IP connectivity to the public internet, SD-WAN Center will automatically install an Agent that installs the necessary components to unlock Zero Touch Deployment capabilities.
• Once the SD-WAN Center's management IP is able to communicate with the ZTD service, the GUI makes the Zero Touch Deployment option available under the Configuration tab.
• The login does require a Citrix Workspace Cloud account to be created. The Citrix Cloud account is important in that it needs to be tied to the same account used to purchase the hardware. Specifically, the Citrix Customer IDs of the two need to match. This is an important authentication step: it validates that the correct authority is in place to allow appliances to join the SD-WAN environment, and it validates the serial numbers of the appliances that call home to use this service.


NetScaler SD-WAN Zero Touch Deployment Workflow

[Diagram: SD-WAN Center performs (1) Configuration Editor, (2) Change Management and (3) Deploy New Site; the installer (4) powers and cables the remote SD-WAN-SE; the Zero Touch Deployment Service (5) proxies Config, Software and License to it; Virtual Paths (UDP port 4980) are then established to the Data Center or Cloud.]

Zero Touch Deployment Workflow
1. Configuration Editor - Create New Site (Clone or manually create a unique site)
2. Change Management
3. Zero Touch Deployment - Deploy New Site
4. Installer powers and cables the appliance
5. Zero Touch Service proxies config, software, and license
6. Virtual Paths are established

Key Notes:
• The SD-WAN Zero Touch workflow begins with a working SD-WAN environment. One of the first tasks involves building a new site using the Configuration Editor, either by cloning an existing site, if the new remote site is similar to an existing site, or by manually creating a unique site.
• Next, the Change Management process must be used to make all the other sites aware of the new SD-WAN node about to be added.
• With the Zero Touch Deployment option available in the SD-WAN Center GUI, and the SD-WAN configuration in place for the environment to expect a new site, the Admin at this point initiates the deployment of a new site.
• Deploy New Site populates the available sites using the latest active configuration built with the Configuration Editor. When approving the deployment of the new site, the admin can optionally require that the remote Installer manually enter the serial number through an activation portal, or allow the remote appliance to automatically join the network as soon as it comes online.
• The Installer is required to power and cable the appliance, and to make sure the management port on the appliance has internet connectivity and that DNS is assigned to the appliance through DHCP.
• As soon as the appliance boots up, there is an exchange of information between the appliance, the Zero Touch Deployment service, and the SD-WAN Center. After an authentication process takes place to validate the serial number against the Customer ID, the ZTD service proxies the configuration specific to this site, as well as the software and license, to get the appliance onto the SD-WAN environment without further action being required by the local installer.
• The end result is a remote site being introduced to the SD-WAN environment in a matter of minutes, while eliminating the dependency on a local installer who is knowledgeable enough about the SD-WAN solution to deploy it correctly; that task can now be assigned to anyone who is able and willing to plug in cables.




SD-WAN Zero Touch Deployment Cloud Service

The Zero Touch Deployment Cloud Service will automate the following actions:
• Download and update the ZTD Agent if new features are available on the branch appliance
• Configuration Editor - Create New Site (Clone or manually create a unique site)
• Change Management
• Zero Touch Deployment - Deploy New Site
• Installer powers and cables the appliance
• Zero Touch Service proxies configurations, software, and licenses
• Virtual Paths are established
Additional steps are required of the SD-WAN Administrator to install a permanent license file on the appliance.

Key Notes:
• After a working SD-WAN environment is up and running, registration into the Zero Touch Deployment Service is accomplished by creating a Citrix Cloud account login. With SD-WAN Center able to communicate with the ZTD service, the GUI exposes the Zero Touch Deployment options under the Configuration tab. Logging into the Zero Touch Service authenticates the Customer ID associated with the particular NetScaler SD-WAN environment and registers the SD-WAN Center, in addition to unlocking the account for further authentication of ZTD appliance deployments.


NetScaler SD-WAN Zero Touch Deployment Activation URL

Zero Touch Deployment Activation URL
1. Waiting for Installer
2. Appliance Connecting to ZTD Service
3. Downloading Configuration / Software / License
4. Applying Configuration
5. Activated

Key Notes:
• With the deployment of every new site, the Zero Touch service provides an activation URL to monitor the progress of each deployment.
• Each automated stage of the deployment is outlined, and if a failure occurs during any of the respective stages, an error message is provided with detail as to why the failure occurred.
• Along with this, the Admin has more granular detail in the SD-WAN Center on appliances that are currently waiting on on-site activity, as well as appliances that have completed the activation process, along with options to restart the process if needed.


Lesson Objective Review

What are two factors of authentication used for Zero Touch Deployment?
a) Serial number and Customer ID
b) MAC address and Appliance Name
c) Serial number and Host name
d) MAC address and Host name
e) None of the above

Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.




Lesson Objective Review

True or False?
NetScaler SD-WAN appliances can share routes using routing protocols with a Customer Edge router at remote sites, even one without a peer SD-WAN appliance.

Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.


Lesson Objective Review

True or False?
NetScaler SD-WAN appliances can share routes using routing protocols with a Customer Edge router at remote sites, even one without a peer SD-WAN appliance.

Correct Answer: True

Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.


Lesson Objective Review

What setting enables SD-WAN to advertise routes as intra-area routes (LSA Type 1) to get higher preference as per its route cost using the OSPF path selection algorithm?
a) LSA Type 5
b) LSA Type 1
c) Metric Type 2
d) External Type 2
e) None of the above

Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.




Lesson Objective Review

What is the total number of routing domains allowed on SD-WAN?
a) 2
b) 4
c) 8
d) 16
e) None of the above

Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.




Lesson Objective Review

True or False?
DHCP Client can be enabled on the Management Interface of SD-WAN.

Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.


Lesson Objective Review

True or False?
DHCP Client can be enabled on the Management Interface of SD-WAN.

Correct Answer: False

Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.


Lesson Objective Review

The Zero Touch Deployment automates which of the following on-site activities?
a) Configuration install
b) Software Upgrade
c) License Install
d) Enable Virtual WAN Service
e) All of the above

Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.




Key Takeaways
• SD-WAN 9.1 enables a more well-rounded SD-WAN solution that provides network security, feature-rich functionality to consolidate hardware at the branch, and ease of management for easier adoption and rollout of the solution.
• The DHCP Relay Agent feature acts as a host or router that forwards DHCP packets between clients and servers.
• The Secure Web Gateway gives you the ability to secure traffic and enforce policies using third-party.


• Exercise 6-3: Virtual Routing and Forwarding
• Exercise 6-4: Zero Touch Deployment

Key Notes:
• The Self-Paced Bonus Exercises are added to allow students to continue the hands-on experience outside of class time. You are given 30 days of access to the lab environment and can go in at any time and complete these labs.



CITRIX

NetScaler SD-WAN Hands-on Workshop
SD-WAN 9.2 Features

CNS-200W
Version: 1.3


Learning Objectives
• Application Classification
• Top Application Reporting
• Stateful Firewall
• Network Address Translation
• Management Enhancements
• Diagnostic Tools
• Platform Enhancements


Application Classification

[Diagram: NetScaler SD-WAN sitting between the Hosts and the Core.]

Key Notes:
• NetScaler SD-WAN 9.2 for Standard and Enterprise Edition introduced an integrated SD-WAN API library that provides Deep Packet Inspection (DPI) technology for real-time classification of packets.
• Using the DPI technology, the NetScaler SD-WAN appliance analyzes the incoming packet and classifies it as belonging to a particular application or application family.
• Once packets are classified, the application identifier can be used on either the rule or the firewall filter as a match criterion to identify this type of traffic.


SD-WAN Application Classification

Application Classification
• Deep Packet Inspection (DPI)
• Statistics provide visibility of top apps in SD-WAN Center (disabled by default)
• Optionally enable on a per site basis

[Screenshot: Configuration Editor, Global > Applications > Settings, with the Enable Deep Packet Inspection checkbox, alongside Application Objects and Search.]

Key Notes:
• The application classification feature serves two main functions:
  • Deep Packet Inspection (DPI) – enabling SD-WAN to put an identifier on a packet when it enters the system to track it.
  • Statistics – enabling generated reports for applications in SD-WAN Center, which is enabled by default.
• Once DPI has the packet identifier in place, it can be used either on the SD-WAN rule or on the firewall filter as a possible match criterion to handle this type of traffic.


SD-WAN Application Objects

[Screenshot: Application Match Criteria table with the columns IP Protocol, Application and Application Family.]

Application Objects - group applications to be used in firewall policies using match criteria:
• IP protocol
• Application name
• Application family

Key Notes:
• NetScaler SD-WAN 9.2 also provides the capability to create Application Objects, which enables the ability to group different types of match criteria into a single object that can be used in firewall policies. Match criteria include:
  • IP Protocol
  • Application
  • Application Family


SD-WAN Application Search

Application Search
• Search Name
• Results with DPI Application Family and Description

[Screenshot: Search for the DPI Applications. Search: Microsoft Office 365. DPI Application Family: Web. Description: Office 365 is a Microsoft on-line service, with pay-as-you-go subscription (monthly or annually), giving access to many Microsoft Office applications from the internet, as well as cloud storage, Skype communications, etc. It also gives free access to the on-line version of the most popular Office applications (Word, Excel, Powerpoint).]

Key Notes:
• A search capability enables quick identification of the DPI application family name, as well as a brief description of the application.


Lesson Objective Review

Deep Packet Inspection can be enabled globally and at which other level?
A. Site
B. WAN Link
C. Application
D. None of the above




Top Application Reporting

[Diagram: NetScaler SD-WAN with connected Hosts.]

Key Notes:
• The NetScaler SD-WAN 9.2 application classification feature enables the application identifier to be used on either the rule or the firewall filter as a match criterion to identify this type of traffic. These classifiers are also used to generate reporting capabilities in the NetScaler SD-WAN Center management tool.


SD-WAN Top Application Visibility in SD-WAN Center

[Dashboard screenshot: Top Applications and Top Application Families pie charts for a selected site and time range (Last 24 Hours). Applications shown include Internet Control Message Protocol, Google Generic, Microsoft, Windows Update, PostgreSQL and Others; families shown include Network Service, Web, Database and Application Service.]

Application Visibility with SD-WAN Center 9.2
• Top Applications - last 5 minutes, 1 hour or last 24 hours
• Top Application Families - last 5 minutes, 1 hour or last 24 hours
• Enabled by default

Key Notes:
• Upgrading SD-WAN Center to release 9.2 installs the needed enhancements to display the top applications and top application families used at the different sites in your network. The report details incoming traffic, outgoing traffic and total traffic of the top applications, sites, and application families. This provides a holistic view of your network bandwidth usage.
• DPI and top application reporting are enabled by default upon upgrade to the 9.2 release.
• Deep packet inspection (DPI) enables the SD-WAN appliance to parse the traffic passing through it and identify the application and application family types. The number of bytes of incoming and outgoing traffic of every application is recorded and stored on the SD-WAN appliance. The SD-WAN Center polls the SD-WAN appliance as per the defined polling interval, and displays this polled data in the dashboard and as reports.
• The SD-WAN Center dashboard displays the top applications and top application families. You can select the site and time interval (Last 24 Hours, 1 hour, or Last 5 minutes).


SD-WAN Application Reporting in SD-WAN Center

[Screenshot: SD-WAN Center Reporting page with Report Type set to Top Applications, listing incoming and outgoing traffic per application and site.]

Application Reporting in SD-WAN Center 9.2
• Top Applications
• Top Sites
• Top Application Families
• Top Sites (Application Families)


Lesson Objective Review

True or False?
Top application reporting in SD-WAN Center is available by default after upgrade to release 9.2.

Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.


Lesson Objective Review

True or False?
Top application reporting in SD-WAN Center is available by default after upgrade to release 9.2.

Correct Answer: True

Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.


Stateful Firewall

[Diagram: Hosts behind the SD-WAN Firewall, connected to the Customer Edge and Core with Dynamic Routing, with direct Internet access at the branch.]

Stateful Firewall
• Device consolidation and simplicity of deployment
• Secure direct internet access at the branch
• L4-L7 Application Firewall
• Application centric Firewall policies
• Support for Dynamic and Static NAT

Key Notes:
• One of the most important features added with the NetScaler SD-WAN 9.2 release is a firewall built into the SD-WAN technology. The firewall capabilities allow policies between services and zones, with supporting features such as Network Address Translation.
• With a built-in firewall, NetScaler SD-WAN enables device consolidation and simplifies deployment at the WAN Edge. The built-in firewall also enables secure direct internet access at the branch, with application centric firewall policies.
• Expect additional enhancements to this feature in later releases, with further ability to rate limit and steer web apps across different paths.
• Additional Firewall capabilities include:
  • Providing security for user traffic within the SD-WAN network (Enterprise and Service Providers)
  • (Potential) Reduction of External Equipment (Enterprise and Service Providers)
  • Using the same IP address space for multiple customers: NAT capability (Service Providers)
  • Applying multiple firewalls from a global perspective (Service Providers)
  • Filtering traffic flows between Zones
  • Filtering traffic between services within a Zone
  • Filtering traffic between services that reside in different Zones
  • Filtering traffic between services at a site
  • Defining Filter Policies to Allow, Deny, or Reject flows
  • Tracking flow state for selected flows
  • Applying Global Policy Templates
  • Support for Port Address Translation for traffic to the Internet on an untrusted port, as well as port forwarding, inbound and outbound
  • Static Network Address Translation (Static NAT)
  • Dynamic Network Address Translation (Dynamic NAT)
  • Port Address Translation (PAT)
  • Port-Forwarding

Stateful Firewall Configuration

[Screenshot: Configuration Editor, Global > Firewall > Zones, listing Default_LAN_Zone, Internet_Zone and Untrusted_Internet_Zone, with Firewall Policy Templates below.]

Firewall Configuration
• Firewall policies are created globally
• Zones
  • Default_LAN_Zone
  • Internet_Zone (Trusted)
  • Untrusted_Internet_Zone
• Firewall Policy Templates

Key Notes:
• Firewall policies are created at the Global configuration level. The global firewall configuration allows Admins to configure global firewall objects, including defining Zones and Firewall Policy Templates.
• Adding a stateful firewall enables the implementation of consistent security policies across the SD-WAN network, in consideration of enabling a direct internet access model for the branch.
• Firewall zones in the network define policies to control how traffic enters and leaves zones. NetScaler SD-WAN creates the following default zones:
  • Default_LAN_Zone – applies to traffic to or from an object with a configurable zone, where the zone has not been set
  • Internet_Zone – applies to traffic to or from the Internet service using Trusted Interfaces
  • Untrusted_Internet_Zone – applies to traffic to or from the Internet service using Untrusted Interfaces
• An admin can create their own zones and assign them to the following types of objects:
  • Virtual Network Interfaces (VNI)
  • Intranet Services
  • GRE Tunnels
  • LAN IPsec Tunnels
• The source zone of a packet is determined by the service or virtual network interface the packet is received on. The exception to this is the virtual path service. When traffic enters a virtual path, packets are marked with the zone that originated the traffic, and that source zone is carried through the virtual path. This allows the receiving end of the virtual path to make a policy decision based on the original source zone before it entered the virtual path.


SD-WAN Firewall Zone Use Case

[Diagram: Site A with VLAN 30 (ZoneA_Intranet, 192.168.10.0/24) and VLAN 40 (Zone B, 172.168.10.0/24) behind an SD-WAN-SE; Site B with VLAN 10 (ZoneA_Intranet, 192.168.11.0/24) and VLAN 20 (Zone B, 172.168.11.0/24) behind an SD-WAN-SE.]

Firewall Zone Use Case
• Source Zone
• Destination Zone
• Segment network traffic

Key Notes:
• For example, an Admin may want to define firewall policies so that only traffic from VLAN 30 at Site A is allowed to enter VLAN 10 at Site B. The administrator can assign a zone to each VLAN and create policies that permit traffic between these zones and block traffic from other zones.
• The slide screenshot shows how a user would assign the "ZoneA_Intranet" zone to VLAN 10.
• The destination zone of a packet is determined based on the destination route match. When the appliance looks up the destination subnet in the route table, the packet matches a route which has a zone assigned to it.
• Source zone
  • For non-virtual path traffic: it is determined through the virtual network interface the packet was received on
  • For virtual path traffic: it is determined through the source zone field in the packet flow header
  • For a virtual network interface: it is determined by the network interface the packet was received on at the source site
• Destination zone
  • Determined through the destination route lookup of the packet
• Routes shared with remote sites in the SD-WAN maintain information about the destination zone, including routes learned through dynamic routing protocols (BGP, OSPF). Using this mechanism, zones gain global significance in the SD-WAN network and allow end-to-end filtering within the network. The use of zones provides a network admin an efficient way to segment network traffic based on customer, business unit, or department.
• The capability of the SD-WAN firewall allows the user to filter traffic between services within a single zone, or to create policies that can be applied between services in different zones.

SD-WAN Firewall Policies

[Diagram: Hosts, SD-WAN Firewall, Customer Edge and Core, with the firewall filter list shown alongside.]

Firewall Policies
• Allow, Deny, Reject, Log
• Firewall Policy Templates (grouping of filters)

Key Notes:
• Firewall Policies provide the ability to allow, deny, reject, or log a specific traffic flow. Applying these policies individually to each site would be difficult, as the SD-WAN network is expected to grow continuously. To resolve this, groups of firewall filters can be created with a Firewall Policy Template.
• A Firewall Policy Template can be applied to all sites in the network or only to specific sites. These policies are ordered as either Pre-Appliance Template Policies or Post-Appliance Template Policies. Both network-wide Pre-Appliance and Post-Appliance Template Policies are configured at the Global level. Local policies are configured at the site level under the Connections tile and apply only to that specific site.
• Pre-Appliance Template Policies are applied before any local site policies. Local site policies are applied next, followed by Post-Appliance Template Policies. The goal is to simplify the configuration process by allowing you to apply network-wide policies while still maintaining the flexibility to apply site-specific policies.
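As an added example (not Citrix code or the appliance's implementation), the following Python model applies the zone rules from the use case above (source zone from the receiving VNI or the virtual-path flow header, destination zone from the route lookup) and the Pre-Appliance, Local, Post-Appliance evaluation order to a few constructed packets arriving at Site B; the policy names and the action taken when nothing matches are assumptions.

```python
# Added example, not Citrix code: a model of the zone-based firewall evaluation
# described in the notes. Zone names and subnets follow the Site A / Site B use
# case; policy names and the no-match default action are constructed here.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

DEFAULT_ZONE = "Default_LAN_Zone"  # applies where no zone has been set


@dataclass
class Policy:
    """One firewall filter. Zones/protocol of 'Any' match everything."""
    name: str
    action: str            # Allow / Deny / Reject
    from_zone: str = "Any"
    to_zone: str = "Any"
    protocol: str = "Any"  # Any / TCP / UDP / ICMP
    dst_port: Optional[int] = None


@dataclass
class Packet:
    dst: str
    protocol: str
    dst_port: Optional[int] = None
    ingress_vni: Optional[str] = None       # received on a local VNI
    flow_header_zone: Optional[str] = None  # received over a virtual path


@dataclass
class SiteFirewall:
    vni_zones: Dict[str, Optional[str]]   # VNI name -> configured zone
    routes: List[Tuple[str, str]]         # (prefix, zone assigned to the route)
    pre: List[Policy] = field(default_factory=list)    # Pre-Appliance Template
    local: List[Policy] = field(default_factory=list)  # site-level policies
    post: List[Policy] = field(default_factory=list)   # Post-Appliance Template
    default_action: str = "Allow"  # assumption: result when nothing matches

    def source_zone(self, pkt: Packet) -> str:
        # Virtual path: the originating site marked the zone in the flow header
        # and it is carried across; otherwise use the receiving VNI's zone.
        if pkt.flow_header_zone is not None:
            return pkt.flow_header_zone
        return self.vni_zones.get(pkt.ingress_vni) or DEFAULT_ZONE

    def destination_zone(self, pkt: Packet) -> str:
        # Destination route lookup (longest prefix); the route carries the zone.
        dst, best = ip_address(pkt.dst), None
        for prefix, zone in self.routes:
            net = ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, zone)
        return best[1] if best else DEFAULT_ZONE

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """First match wins, in the order Pre template -> Local -> Post template.
        Returns (action, 'stage:policy-name')."""
        src_z, dst_z = self.source_zone(pkt), self.destination_zone(pkt)
        for stage, policies in (("pre", self.pre), ("local", self.local),
                                ("post", self.post)):
            for p in policies:
                if (p.from_zone in ("Any", src_z) and p.to_zone in ("Any", dst_z)
                        and p.protocol in ("Any", pkt.protocol)
                        and p.dst_port in (None, pkt.dst_port)):
                    return p.action, f"{stage}:{p.name}"
        return self.default_action, "default"


def site_b() -> SiteFirewall:
    """Site B of the use case: VLAN 10 is ZoneA_Intranet, VLAN 20 is ZoneB."""
    return SiteFirewall(
        vni_zones={"VLAN10": "ZoneA_Intranet", "VLAN20": "ZoneB"},
        routes=[("192.168.11.0/24", "ZoneA_Intranet"), ("172.168.11.0/24", "ZoneB")],
        pre=[Policy("block-telnet", "Deny", protocol="TCP", dst_port=23)],
        local=[Policy("icmp-monitor", "Allow", "ZoneB", "ZoneA_Intranet", "ICMP")],
        post=[Policy("a-to-a", "Allow", "ZoneA_Intranet", "ZoneA_Intranet"),
              Policy("protect-a", "Reject", to_zone="ZoneA_Intranet")],
    )


def demo() -> Dict[str, Tuple[str, str]]:
    fw = site_b()
    vlan30 = {"flow_header_zone": "ZoneA_Intranet"}  # Site A VLAN 30 via virtual path
    vlan40 = {"flow_header_zone": "ZoneB"}           # Site A VLAN 40 via virtual path
    return {
        "a_to_a_https": fw.evaluate(Packet("192.168.11.20", "TCP", 443, **vlan30)),
        "b_to_a_https": fw.evaluate(Packet("192.168.11.20", "TCP", 443, **vlan40)),
        "local_icmp": fw.evaluate(Packet("192.168.11.20", "ICMP", ingress_vni="VLAN20")),
        "a_to_a_telnet": fw.evaluate(Packet("192.168.11.20", "TCP", 23, **vlan30)),
        "b_to_b_http": fw.evaluate(Packet("172.168.11.9", "TCP", 80, ingress_vni="VLAN20")),
    }


if __name__ == "__main__":
    for name, (action, why) in demo().items():
        print(f"{name:14} {action:6} {why}")
```

The telnet case shows why ordering matters: the Pre-Appliance template deny is evaluated before the Post-Appliance template allow, so a network-wide block cannot be undone by a later permissive template.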



SD-WAN Application Classification Usage in Firewall

[Screenshot: Edit Firewall Policy dialog with Priority (100), From Zone / To Zone (Any, Default_LAN_Zone, Internet_Zone), Action (Allow), Log Interval with Log Start / Log End, Connection State Tracking (Use Site Setting), Match Type (IP Protocol), DSCP, Allow Fragments, Reverse Also, Match Established, Source Service Type / Name, Source IP, and Destination Service Type / Name.]

Key Notes:
• The classification of traffic as applications and application families allows you to use the application, application families and application objects as match types to filter traffic and apply firewall policies and SD-WAN rules. This applies to all Pre, Post and Local policies.
• The specific configurable attributes for a policy are displayed in this screenshot. These filters are the same for all policies.
• The search capability enables granular identification of DPI applications.


SD-WAN Policy Definitions: Firewall

[Screenshot: Configuration Editor, Global tree (Virtual WAN Network Settings, Routing Domains, WAN-to-WAN Forwarding, Applications, Firewall > Zones, Firewall Policy Templates, Pre-Policies, Post-Policies) beside the site tree (Virtual Paths, Internet Services, Intranet Services, WAN Links, GRE Tunnels, IPsec Tunnels, Firewall)]

Firewall Policy Definition
• Global
• Local

Key Notes:
• NetScaler SD-WAN policy definitions can be configured as pre-appliance and post-appliance template policies at the global level.
• Local policies are applied at the site level of each site node.
• This screenshot shows the policy template that would be applied to the SD-WAN environment at the global level. To apply the templates to the sites in the network, the templates can be called upon in the Connections tile, under the site-specific Firewall > Settings > Policy Templates.


Global Firewall Settings

[Screenshot: Virtual WAN Network Settings showing the SD-WAN Global Network Encryption Mode (AES 128-Bit), Enable Encryption Key Rotation, Enable Extended Packet Encryption Header, Enable Extended Packet Authentication Trailer and its trailer type, and the Firewall Settings: Global Policy Template <None>, Default Firewall Action Allow, Default Connection State Tracking]

Note: Changing the Network Encryption Mode may cause Site Secure Keys to be truncated or regenerated if they do not meet the requirements of the new mode.

Global Firewall Settings
• Global
• Local

Key Notes:
• With firewall policy templates created, admins can use the policies to configure firewall settings for the NetScaler SD-WAN environment using the Global firewall settings.
• Global Firewall Settings can be found in the Global Virtual WAN Network Settings. These are global firewall parameters that can be applied to all the sites in the Virtual WAN environment.
• In the Global Firewall Settings section, the following options are available:
• Global Policy Template
• Default Firewall Action: select allow to allow packets not matching a filter policy, or select drop to drop packets not matching a filter policy.
• Default Connection State Tracking: enables directional connection state tracking for TCP, UDP and ICMP flows that do not match a filter policy or NAT rule. This blocks asymmetric flows, even when there are no firewall policies defined.
• You can also configure these settings at the site level. Site-level settings override the global setting.
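The evaluation order described on the Firewall Policies slide (Pre-Appliance Template policies, then local site policies, then Post-Appliance Template policies, then the Default Firewall Action) and the connection state tracking from the Global Firewall Settings above, modelled as an added example. This is illustrative code written for this page, not Citrix's implementation: the zone names, addresses and policies are constructed, and treating a Log action as record-and-continue is an assumption of the model.

```python
"""Model of how the SD-WAN firewall policy tiers are evaluated for one packet:
Pre-Appliance Template, then local site, then Post-Appliance Template policies,
then the Default Firewall Action. Illustrative code added for this page, not
Citrix's implementation; zones, addresses and policies are constructed samples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

ANY = "Any"
Flow = Tuple[str, str, str]          # (src_ip, dst_ip, protocol)


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str
    src_ip: str
    dst_ip: str
    protocol: str = ANY              # "TCP", "UDP", "ICMP", ...
    dst_port: Optional[int] = None


@dataclass
class Policy:
    priority: int                    # lower values are evaluated first
    action: str                      # "Allow", "Deny", "Reject" or "Log"
    from_zone: str = ANY
    to_zone: str = ANY
    src_net: str = ANY               # CIDR prefix or Any
    dst_net: str = ANY
    protocol: str = ANY
    dst_port: Optional[int] = None
    match_established: bool = False  # matches only the reverse of a tracked flow

    def matches(self, pkt: Packet, established: Set[Flow]) -> bool:
        if self.match_established:
            return (pkt.dst_ip, pkt.src_ip, pkt.protocol) in established
        return all([
            self.from_zone in (ANY, pkt.from_zone),
            self.to_zone in (ANY, pkt.to_zone),
            self.src_net == ANY or ip_address(pkt.src_ip) in ip_network(self.src_net),
            self.dst_net == ANY or ip_address(pkt.dst_ip) in ip_network(self.dst_net),
            self.protocol in (ANY, pkt.protocol),
            self.dst_port is None or self.dst_port == pkt.dst_port,
        ])


class SiteFirewall:
    """Evaluates the three policy tiers in the order the course describes."""

    def __init__(self, pre: List[Policy], local: List[Policy], post: List[Policy],
                 default_action: str = "Allow"):
        self.tiers = [("pre-template", pre), ("local", local), ("post-template", post)]
        self.default_action = default_action        # "Allow" or "Drop"
        self.established: Set[Flow] = set()         # connection state table
        self.log: List[str] = []

    def evaluate(self, pkt: Packet) -> str:
        for tier_name, policies in self.tiers:
            for pol in sorted(policies, key=lambda p: p.priority):
                if not pol.matches(pkt, self.established):
                    continue
                if pol.action == "Log":
                    # assumption of this model: Log records the hit and evaluation continues
                    self.log.append(f"{tier_name}:{pol.priority} {pkt.src_ip}->{pkt.dst_ip}")
                    continue
                return self._apply(pol.action, pkt)
        return self._apply(self.default_action, pkt)   # nothing matched

    def _apply(self, action: str, pkt: Packet) -> str:
        if action == "Allow":
            self.established.add((pkt.src_ip, pkt.dst_ip, pkt.protocol))
        return action


def demo() -> Dict[str, str]:
    """Constructed policies and packets showing tier precedence."""
    pre = [Policy(100, "Deny", from_zone="Untrusted_Internet_Zone", to_zone="Default_LAN_Zone")]
    local = [
        Policy(100, "Log", protocol="TCP", dst_port=22),
        Policy(200, "Allow", from_zone="Default_LAN_Zone", to_zone="Internet_Zone"),
        Policy(300, "Allow", match_established=True),
    ]
    post = [Policy(100, "Deny", to_zone="Internet_Zone")]
    fw = SiteFirewall(pre, local, post, default_action="Drop")
    out = {}
    # LAN host opens HTTPS to the Internet: local policy 200 allows and tracks the flow
    out["lan_to_inet"] = fw.evaluate(
        Packet("Default_LAN_Zone", "Internet_Zone", "192.0.2.10", "203.0.113.5", "TCP", 443))
    # Reply packet: accepted only because local policy 300 matches the tracked flow
    out["inet_reply"] = fw.evaluate(
        Packet("Internet_Zone", "Default_LAN_Zone", "203.0.113.5", "192.0.2.10", "TCP", 52000))
    # Unsolicited SMB from the untrusted zone: the pre-template Deny wins before local policies
    out["untrusted_in"] = fw.evaluate(
        Packet("Untrusted_Internet_Zone", "Default_LAN_Zone", "198.51.100.7", "192.0.2.10", "TCP", 445))
    # SSH to an intranet host: logged by local policy 100, then falls to the default action
    out["lan_ssh_intranet"] = fw.evaluate(
        Packet("Default_LAN_Zone", "Intranet_Zone", "192.0.2.10", "10.0.0.5", "TCP", 22))
    out["logged"] = ";".join(fw.log)
    return out
```

Run `demo()` to see the four verdicts: the untrusted inbound packet is denied by the pre-template tier even though a local match-established policy exists, and the SSH packet is only logged and then dropped because the default action is Drop; with the default action left at Allow it would pass, which is the trade-off the Default Firewall Action setting controls.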


Lesson Objective Review

Which of the following zones are created by default by the NetScaler SD-WAN?
A. Default_LAN_Zone
B. Internet_Zone
C. Untrusted_Internet_Zone
D. All of the above

Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.




Network Address Translation

[Slide diagram: Private and Public sides of the NAT, with Core and Customer Edge SD-WAN appliances and hosts]

• Static one-to-one NAT
• Dynamic NAT (PAT - Port Address Translation)
• Dynamic NAT with Port Forwarding rules

Key Notes:
• The SD-WAN firewall allows the user to configure static NAT and dynamic NAT for different use cases. The following configurations are supported for NAT:
• Static one-to-one NAT
• Dynamic NAT (PAT - Port Address Translation)
• Dynamic NAT with Port Forwarding rules
• At this time, the NAT capability can only be configured at the site level; there is no global configuration (templates) for NAT. All NAT policies are defined as a Source-NAT (SNAT) translation. Corresponding Destination-NAT (DNAT) rules are created automatically for the user.


Static NAT Policies

[Screenshot: Site > Firewall > Static NAT Policies, Edit Static NAT Policy dialog with Priority 100, Direction, Service Type, Service Name, Inside Zone, Inside IP Address and Outside IP Address]

Static one-to-one NAT
Site > Firewall > Static NAT Policies

Key Notes:
• Static NAT configuration allows the admin to configure one-to-one NAT, where a local IP address is matched to a public IP address. The admin must also define the filter policies that allow traffic back in for the static NAT configuration.
• The Static NAT Policies can be configured under the Firewall node at the site level.
• When adding a Static NAT Policy, the following detail is expected:
• Priority – the order in which the policy will be applied among all the defined policies. Lower priority policies are applied before higher priority policies.
• Direction – the direction, from the perspective of the virtual interface or service, in which the translation will operate.
• Outbound – the destination address of a packet will be translated for packets received on the service. The source address will be translated for packets transmitted on the service.
• Example: LAN service to Internet service – for packets outbound (LAN to Internet) the source IP address is translated. For packets inbound or received (Internet to LAN) the destination IP address is translated.
• Inbound – the source address of a packet will be translated for packets received on the service. The destination address will be translated for packets transmitted on the service.
• Example: Internet service to LAN service – for packets received on the Internet service, the source IP address is translated. For packets transmitted on the Internet service, the destination IP address is translated.
• Service Type – refers to an SD-WAN service. For static NAT, these include Local (to the appliance), Intranet, and Internet.
• Service Name – the specific service name that corresponds to the defined Service Type above.
• Inside Zone – one of the existing inside zones configured on the appliance.
• Inside IP address – the source IP address and mask for the direction selected above.
• Outside IP address – the outside IP address and mask that packets are translated to.
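The Direction semantics of a Static NAT Policy described above (which address field is rewritten for packets received on a service versus transmitted on it), as an added example. This is illustrative code written for this page, not Citrix's implementation: the service name "BR1-INET", the zone name and the inside/outside address ranges are constructed, and the "received"/"transmitted" event names are this model's own.

```python
"""Static one-to-one NAT with the Direction semantics described on the slide: an
Outbound policy rewrites the destination of packets received on the service and the
source of packets transmitted on it; an Inbound policy rewrites the opposite field.
Illustrative code added for this page, not Citrix's implementation; the service name
and address ranges are constructed sample values."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str


@dataclass
class StaticNatPolicy:
    priority: int          # lower values are applied first
    direction: str         # "Outbound" or "Inbound"
    service_type: str      # "Internet", "Intranet" or "Local"
    service_name: str
    inside_zone: str
    inside_net: str        # inside IP address and mask, e.g. "192.168.10.0/24"
    outside_net: str       # outside IP address and mask, same size for one-to-one

    def __post_init__(self) -> None:
        if self.direction not in ("Outbound", "Inbound"):
            raise ValueError(f"unknown direction {self.direction!r}")
        if ip_network(self.inside_net).num_addresses != ip_network(self.outside_net).num_addresses:
            raise ValueError("one-to-one NAT needs inside and outside ranges of equal size")


def _shift(addr: str, from_net: str, to_net: str) -> Optional[str]:
    """Map addr from one range into the other, keeping its host offset; None if out of range."""
    src, dst = ip_network(from_net), ip_network(to_net)
    ip = ip_address(addr)
    if ip not in src:
        return None
    return str(dst.network_address + (int(ip) - int(src.network_address)))


class StaticNat:
    def __init__(self, policies: List[StaticNatPolicy]):
        self.policies = sorted(policies, key=lambda p: p.priority)

    def translate(self, pkt: Packet, service_name: str, event: str) -> Packet:
        """event is 'received' or 'transmitted', from the service's point of view."""
        for pol in self.policies:
            if pol.service_name != service_name:
                continue
            if event == "received":
                # an outside address arrives on the service and becomes the inside address
                field = "dst_ip" if pol.direction == "Outbound" else "src_ip"
                new = _shift(getattr(pkt, field), pol.outside_net, pol.inside_net)
            else:
                # an inside address leaves on the service and becomes the outside address
                field = "src_ip" if pol.direction == "Outbound" else "dst_ip"
                new = _shift(getattr(pkt, field), pol.inside_net, pol.outside_net)
            if new is not None:
                return replace(pkt, **{field: new})
        return pkt   # no policy matched: the packet is not translated


def demo() -> Dict[str, Packet]:
    """Constructed LAN-to-Internet example: 192.168.10.0/24 is exposed as 203.0.113.0/24."""
    nat = StaticNat([StaticNatPolicy(100, "Outbound", "Internet", "BR1-INET",
                                     "Default_LAN_Zone", "192.168.10.0/24", "203.0.113.0/24")])
    out = {}
    # Host 192.168.10.25 sends to a remote server: the source is translated on transmit
    out["outgoing"] = nat.translate(Packet("192.168.10.25", "198.51.100.9"), "BR1-INET", "transmitted")
    # The reply arrives on the Internet service: the destination is translated back
    out["reply"] = nat.translate(Packet("198.51.100.9", "203.0.113.25"), "BR1-INET", "received")
    # Traffic on a different service is untouched by this policy
    out["other_service"] = nat.translate(Packet("192.168.10.25", "10.0.0.5"), "BR1-MPLS", "transmitted")
    return out
```

Note that the translation alone does not admit the reply: as the slide says, the admin still has to define the filter policies that allow traffic back in, which the firewall example earlier in this lesson models with a match-established policy.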

Dynamic NAT Policies

[Screenshot: Site > Firewall > Dynamic NAT Policies, Edit Dynamic NAT Policy dialog]

LAN to WAN Dynamic NAT
Site > Firewall > Dynamic NAT Policies

Key Notes:
• Dynamic NAT can be used by an admin to forward traffic from a LAN segment to the Internet on an untrusted port. In this case, the admin would configure the NAT in an outbound direction and make sure the corresponding filter policies are defined to allow traffic back into the network. By default, once the dynamic NAT has been configured the system will add three filter policies. These policies will:
• allow any IP host route, any zone, any source and destination.
• allow a match-established rule, for the reverse traffic of sessions initiated from the inside of the network.
• drop all other traffic from the source zone to the destination zone (zone specific).
• The screenshot displays the configuration options for the dynamic NAT configuration.
• When adding a Dynamic NAT Policy, the following detail is expected:
• Priority – the order in which the policy will be applied among all the defined policies. Lower priority policies are applied before higher priority policies.
• Direction – the direction, from the virtual interface or service perspective, in which the translation will operate.
• Outbound – the destination address of a packet will be translated for packets received on the service. The source address will be translated for packets transmitted on the service.
• Example: LAN service to Internet service – for packets outbound (LAN to Internet) the source IP address is translated. For packets inbound or received (Internet to LAN) the destination IP address is translated.
• Inbound – the source address of a packet will be translated for packets received on the service. The destination address will be translated for packets transmitted on the service.
• Example: Internet service to LAN service – for packets received on the Internet service the source IP address is translated. For packets transmitted on the Internet service, the destination IP address is translated.
• Type – the type of dynamic NAT to perform.
• Port-Restricted – Port-Restricted NAT is what most consumer-grade gateway routers use. Inbound connections are generally disallowed unless a port is specifically forwarded to an inside address. Outbound connections allow return traffic from the same remote IP and port (this is known as endpoint independent mapping). This requirement limits a Port-Restricted NAT firewall to 65535 simultaneous sessions, but facilitates an often-used Internet technique known as hole punching.
• Symmetric – Symmetric NAT is sometimes known as enterprise NAT because it allows for a much larger NAT space and enhances security by making translations less predictable. Inbound connections are generally disallowed unless a port is specifically forwarded to an inside address. Outbound connections allow return traffic from the same remote IP and port. Connections from the same inside IP and port need to map to the same outside IP and port (this is known as endpoint dependent mapping). This mode explicitly prevents hole punching.
• Service Type – refers to an SD-WAN service. For static NAT these include Local (to the appliance), Intranet, Internet.
• Service Name – the specific service name that corresponds to the defined Service Type above.
• Inside Zone – select the inside zone for the packets that require NAT.
• Inside IP address – define an IP host address or a subnet based on the traffic that requires NAT. This should be an IP address that resides in the Inside Zone.
• Allow Related – allow traffic related to the flow matching the rule. For example, an ICMP redirect related to the specific flow that matched the policy, if there was some type of error related to the flow.
• IPsec Passthrough – allow IPsec traffic to pass through unchanged.
• GRE/PPTP Passthrough – allow GRE or IPsec to pass through unchanged.
• Port Parity – allows for NAT connections

Dynamic NAT with Port Forwarding

[Screenshot: Edit Dynamic NAT Policy dialog with Priority 100, Direction Inbound, Type Port Restricted, Service Type Internet, Inside IP Address *, Outside Zone Internet_Zone, Outside IP Address 172.58.3.20, the Allow Related, IPsec Passthrough, GRE/PPTP Passthrough and Port Parity options, and a Port Forwarding Rule for TCP outside port 80 to inside IP address 172.16.187.11 with connection state tracking set to Track]

• Port forward specific traffic to a defined IP address

Key Notes:
• Dynamic NAT with port forwarding allows the admin to port forward specific traffic to a defined IP address. This is typically used for inside hosts such as web servers. Once the dynamic NAT is configured, the admin would define the port forwarding policy.
• For example, in this screenshot dynamic NAT is configured for a specific IP host address. The NAT example will map an inside IP host (172.16.187.11) to an outside IP host. Port forwarding can then be configured, which defines a specific inside and outside port mapped to an inside IP address. In this example, HTTP port 80 is defined for port forwarding.
• The Port Forwarding Rule definition includes:
• Protocol – TCP, UDP, or both.
• Outside Port – the outside port the user will port forward into the inside address.
• Inside IP address – the inside address to forward matching packets to.
• Inside Port – map the packet to the same, or a different, inside port.
• Fragments – allow the forwarding of fragmented packets.
• Log Interval – the time in seconds between logging the number of packets matching the policy to a syslog server.
• Log Start – selected when a log file is created for a new flow.
• Log End – log the data for a flow when the flow is deleted.
• The default Log Interval value of 0 means no logging.
• Connection State Tracking – allows the firewall to track the state of a flow and display this information in the Monitor > Firewall > Connections table.
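The two dynamic NAT types from the previous slide (Port-Restricted with endpoint independent mapping, Symmetric with endpoint dependent mapping) and the port forwarding rule from this slide, modelled together as an added example. This is illustrative code written for this page, not Citrix's implementation: the outside address 172.58.3.20 and the web server 172.16.187.11 come from the course screenshot, the other endpoints and the outside port range are constructed, and treating an Inside Port of 0 as "keep the outside port" is an assumption of the model.

```python
"""Dynamic NAT (PAT) mapping behaviour for the two types the course describes, with
port forwarding rules consulted first for inbound packets. Port-Restricted allocates
one outside port per inside endpoint regardless of the remote peer (endpoint
independent mapping); Symmetric allocates a new outside port per inside endpoint and
remote peer (endpoint dependent mapping). Illustrative code added for this page, not
Citrix's implementation; endpoints and the port range are constructed samples."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]           # (ip, port)


@dataclass(frozen=True)
class PortForwardRule:
    protocol: str                    # "TCP", "UDP" or "Both"
    outside_port: int
    inside_ip: str
    inside_port: int = 0             # 0 keeps the outside port (assumption of this model)


class DynamicNat:
    def __init__(self, outside_ip: str, nat_type: str,
                 rules: Iterable[PortForwardRule] = (), port_range: Tuple[int, int] = (1024, 65535)):
        if nat_type not in ("Port-Restricted", "Symmetric"):
            raise ValueError(f"unknown NAT type {nat_type!r}")
        self.outside_ip = outside_ip
        self.nat_type = nat_type
        self.rules: List[PortForwardRule] = list(rules)
        self.next_port, self.max_port = port_range
        self.mappings: Dict[tuple, int] = {}      # mapping key -> outside port
        # (proto, outside port) -> (inside endpoint, remotes that may send return traffic)
        self.reverse: Dict[Tuple[str, int], Tuple[Endpoint, Set[Endpoint]]] = {}

    def outbound(self, proto: str, inside: Endpoint, remote: Endpoint) -> Endpoint:
        """Translate an inside endpoint sending to remote; returns the outside endpoint."""
        key = (proto, inside) if self.nat_type == "Port-Restricted" else (proto, inside, remote)
        if key not in self.mappings:
            if self.next_port > self.max_port:
                raise RuntimeError("NAT port space exhausted")   # the session limit the slide mentions
            self.mappings[key] = self.next_port
            self.reverse[(proto, self.next_port)] = (inside, set())
            self.next_port += 1
        port = self.mappings[key]
        self.reverse[(proto, port)][1].add(remote)
        return (self.outside_ip, port)

    def inbound(self, proto: str, remote: Endpoint, outside_port: int) -> Optional[Endpoint]:
        """Where an inbound packet is delivered, or None if it is dropped."""
        for rule in self.rules:      # explicit port forwarding is checked first
            if rule.outside_port == outside_port and rule.protocol in ("Both", proto):
                return (rule.inside_ip, rule.inside_port or outside_port)
        entry = self.reverse.get((proto, outside_port))
        if entry is None:
            return None
        inside, remotes = entry
        # return traffic is accepted only from a remote IP and port the inside host contacted
        return inside if remote in remotes else None


def demo() -> Dict[str, object]:
    inside = ("172.16.187.50", 40000)
    peer_a, peer_b = ("198.51.100.10", 443), ("198.51.100.20", 443)
    stranger = ("203.0.113.77", 443)
    web = PortForwardRule("TCP", 80, "172.16.187.11")      # the course's web server example
    out: Dict[str, object] = {}

    pr = DynamicNat("172.58.3.20", "Port-Restricted", [web])
    out["pr_first"] = pr.outbound("TCP", inside, peer_a)
    out["pr_second"] = pr.outbound("TCP", inside, peer_b)     # same outside port is reused
    out["pr_return"] = pr.inbound("TCP", peer_a, out["pr_first"][1])
    out["pr_stranger"] = pr.inbound("TCP", stranger, out["pr_first"][1])   # unsolicited: dropped
    out["pr_forwarded"] = pr.inbound("TCP", stranger, 80)    # port forwarding rule applies

    sym = DynamicNat("172.58.3.20", "Symmetric")
    out["sym_first"] = sym.outbound("TCP", inside, peer_a)
    out["sym_second"] = sym.outbound("TCP", inside, peer_b)  # new outside port per remote
    out["sym_cross"] = sym.inbound("TCP", peer_b, out["sym_first"][1])   # no cross-use of ports
    return out
```

The difference between the two types is visible in `demo()`: under Port-Restricted the inside endpoint keeps outside port 1024 for both peers, which is what makes hole punching possible, while under Symmetric the second peer gets port 1025 and a packet from it to port 1024 is dropped.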


Lesson Objective Review

With the NetScaler SD-WAN 9.2 release, at which level can NAT be configured?
A. Global
B. Local Site
C. Zone
D. All of the above

Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.




Management Enhancements
NetScaler SD-WAN

Key Notes:
• With NetScaler SD-WAN 9.2, new customers with five or more basic sites configuring for the first time will save time when setting up new sites and WAN Links. With the use of templates, you can configure certain settings once and then duplicate the settings across more than one site as required.


SD-WAN Basic Mode Configuration Editor

[Screenshot: Configuration Editor in Basic mode; the Network view holds the WAN Link templates and the Sites view the basic site build-out, with a site list (DC, VPX, AWSBR) and the selected site's appliance and interfaces]

Basic Mode Configuration Editor
• WAN Link templates
• Basic site build-out

Key Notes:
• The templates functionality is implemented in two views under the Configuration Editor in Basic Mode:
• (1) First, the ability to create and administer WAN Link templates under the Network view.
• (2) Second, the ability to set up sites using basic options.


SD-WAN Basic Mode: Network View

[Screenshot: Basic > Network view with the Filter Templates field, a WAN Link Template list with speeds such as 1.5M (Auto-learn) / 1.5M (Auto-learn), and the Sites view where a WAN Link is created or edited from a template]

Basic > Network view: Create WAN Link templates
• Common WAN Link (e.g. Branch MPLS T1 @ 1.5 Mbps)
• Filter capabilities
Basic > Sites view: Edit or create WAN Links with templates
• A WAN Link template eliminates the need to manually enter speeds

Key Notes:
The Network view's WAN Link Templates ease the process of the initial configuration build-out.
The WAN Link templates functionality provides a way to set up a basic configuration for WAN Links and reuse it across the network to save time. The WAN Link templates feature exists in both the Basic configuration mode and the Advanced configuration mode, with minimal differences between the two modes.
Once a WAN Link Template is added, its detail is displayed when it is selected.
Providing a descriptive name for the WAN Link template allows for easier searching with the Filter Templates tool.
The Sites view is where the template can be used, specifically when creating a new or editing an existing WAN Link for a site. The template allows for quicker selection of speeds, as opposed to manually entering the upload and download speed.


SD-WAN Basic Mode: Sites View

[Screenshot: Basic > Sites view with the Filter Sites field, the site list (DC, AWSBR, VPX and others) and the selected site's summary: appliance and Ethernet port interfaces with their modes and VLANs]

Basic > Sites view: Quick creation of sites
• Appliance
• Interface
• WAN Links
• Static Routes
Limitations
• Proxy ARP

Key Notes:
• The concept of the Basic > Sites view is to simplify the configuration creation process, to quickly build SD-WAN environments.
• The basic configuration properties for a site build-out include:
• Appliance
• Interface
• WAN Links
• Static Routes
• It should be noted that one configuration change in the Basic mode view may modify or change more than one setting in the Advanced mode.
• Existing configurations built on previous firmware releases can still make use of Basic mode after the upgrade to 9.2.
• The Basic > Sites view provides a basic site list on the left and displays the site summary on the right when a site is selected.


Lesson Objective Review

Which feature configuration is not likely available through Basic Mode configuration? A second appliance with WAN Optimization capabilities
a) MPLS Queues
b) WAN link templates
c) Interface Groups
d) None of the above

Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.




Diagnostics Enhancements
NetScaler SD-WAN

[Slide diagram: Traceroute, Packet capture, System Info and Diagnostic Data tools]

Key Notes:
• SD-WAN release 9.2 introduces a couple more diagnostic tools that are specially designed to ease the introduction of SD-WAN into an existing environment and to improve monitoring and reporting capabilities. We will outline the specifics of each of these diagnostic enhancements in this mini-lesson.


SD-WAN Diagnostics: Adaptive Bandwidth Detection

[Slide diagram: Remote SD-WAN-SE to Data Center or Cloud SD-WAN-SE, with the WAN Links > Advanced Settings screenshot showing Adaptive Bandwidth Detection and the Minimum Acceptable Bandwidth percentage]

Adaptive Bandwidth Detection
• Reduce the rate when loss is encountered, before a path state change
• Set a minimum accepted rate to allow for a path state change
• Use with the "Bad Loss Sensitivity" feature

Key Notes:
• The NetScaler SD-WAN 9.2 release adds a new advanced setting in the WAN link definition called "Adaptive Bandwidth Detection". This feature is for a WAN Link which experiences a variance in available bandwidth throughout the day. It is most useful for networks such as VSAT, LOS, Microwave and 3G/4G/LTE WAN Links, for which the available bandwidth varies based on weather and atmospheric conditions, location, and line-of-sight obstructions.
• The Adaptive Bandwidth Detection feature enables NetScaler SD-WAN to adjust the bandwidth rate on the WAN link dynamically, based on a defined bandwidth range (minimum and maximum WAN link rate), to use the maximum amount of available bandwidth without marking the path as BAD or unusable. This helps achieve:
• Greater bandwidth reliability (over VSAT, Microwave, 3G/4G, and LTE)
• Greater predictability of adaptive bandwidth over user-configured settings
• This feature needs the "Bad Loss Sensitivity" option to be enabled (default or custom) as a prerequisite. The Bad Loss Sensitivity feature was introduced in 9.0 to be used under a path or auto path group, in conjunction with this feature.
• With this feature enabled, when loss is detected on a WAN link, SD-WAN first attempts to use the WAN link at a reduced bandwidth rate. When the available bandwidth falls below the configured "Minimum Accepted Bandwidth", SD-WAN is allowed to mark the path in a Bad state.
• "Minimum Accepted Bandwidth" is a percentage of the WAN to LAN Permitted Rate. The minimum kbps is different on each side of a virtual path. The value can be in the range 10%-50%, with the default being 30%.


SD-WAN Adaptive Bandwidth Detection Use Case

[Slide diagram: a ship (branch node) communicating with the shore (MCN) over a WAN link whose available bandwidth varies with distance]

Key Notes:
• The Adaptive Bandwidth Detection feature is only available on branch node WAN links. This is by design, since the feature was intended to address a specific use case: application delivery across WAN paths on highly variable bandwidth WAN links, for example ship-to-shore communication.
• The distance from the ship (the branch node) to the shore (the location of the MCN) varied throughout the day, and with it the available bandwidth also fluctuated. Where previously the SD-WAN WAN link configuration required a static entry of the permitted rate for LAN to WAN and WAN to LAN, this feature now allows for some deviation from that static configuration while still letting the SD-WAN technology make good use of the available WAN link resource.
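The Adaptive Bandwidth Detection behaviour from the previous two slides, as an added example: the Minimum Accepted Bandwidth is a percentage (10%-50%, default 30%) of the WAN to LAN Permitted Rate, so it differs per side of a virtual path; on loss the link is first used at a reduced rate, and only when the rate would fall below that minimum may the path be marked Bad. This is illustrative code written for this page, not Citrix's implementation: the size of the rate reduction per loss event, the recovery step, and the branch-only and Bad Loss Sensitivity checks being enforced in a constructor are assumptions of the model, and the rates are constructed sample values.

```python
"""Adaptive Bandwidth Detection decision logic as the course describes it: back off
the rate on loss first, and allow the path to be marked Bad only once the rate would
drop below the Minimum Accepted Bandwidth. Illustrative code added for this page,
not Citrix's implementation; the reduction step per loss event and the role check
are assumptions of this model, and the rates are constructed sample values."""
from typing import Dict, List


def minimum_accepted_kbps(wan_to_lan_permitted_kbps: int, percent: int = 30) -> int:
    """Minimum Accepted Bandwidth in kbps for one side of a virtual path."""
    if not 10 <= percent <= 50:
        raise ValueError("Minimum Accepted Bandwidth must be between 10% and 50%")
    return wan_to_lan_permitted_kbps * percent // 100


class AdaptiveWanLink:
    GOOD, REDUCED, BAD = "GOOD", "REDUCED", "BAD"

    def __init__(self, permitted_kbps: int, site_role: str = "branch",
                 min_percent: int = 30, bad_loss_sensitivity: bool = True,
                 step_percent: int = 20):
        if site_role != "branch":
            raise ValueError("Adaptive Bandwidth Detection is available on branch WAN links only")
        if not bad_loss_sensitivity:
            raise ValueError("Bad Loss Sensitivity must be enabled as a prerequisite")
        self.permitted = permitted_kbps
        self.minimum = minimum_accepted_kbps(permitted_kbps, min_percent)
        self.step = permitted_kbps * step_percent // 100   # assumed reduction per loss event
        self.rate = permitted_kbps
        self.state = self.GOOD

    def on_loss(self) -> str:
        """Loss detected: reduce the rate before allowing a path state change."""
        candidate = self.rate - self.step
        if candidate < self.minimum:
            self.state = self.BAD            # only now may the path be marked Bad
        else:
            self.rate = candidate
            self.state = self.REDUCED
        return self.state

    def on_clean_interval(self) -> str:
        """No loss seen: step the rate back up towards the permitted rate."""
        self.rate = min(self.permitted, self.rate + self.step)
        self.state = self.GOOD if self.rate == self.permitted else self.REDUCED
        return self.state


def demo() -> Dict[str, object]:
    out: Dict[str, object] = {}
    # The minimum differs per side because each side has its own WAN to LAN permitted rate
    out["branch_min_kbps"] = minimum_accepted_kbps(1500)          # 30% default -> 450
    out["mcn_side_min_kbps"] = minimum_accepted_kbps(10000, 50)   # 50% -> 5000
    link = AdaptiveWanLink(permitted_kbps=2000)   # minimum 600 kbps, step 400 kbps
    history: List[str] = [link.on_loss() for _ in range(4)]   # 1600, 1200, 800, then 400 < 600
    out["loss_history"] = history
    out["rate_when_bad"] = link.rate
    recovery = AdaptiveWanLink(permitted_kbps=2000)
    recovery.on_loss()
    recovery.on_clean_interval()
    out["recovered_state"] = recovery.state
    return out
```

With a 2000 kbps permitted rate and the 30% default, three loss events keep the link in use at a reduced rate and only the fourth allows a Bad state; raising the percentage lets the path be marked Bad sooner, which is the knob an admin turns when a degraded link should be abandoned for the other paths earlier.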


SD-WAN Diagnostics: Active Path Bandwidth Testing

[Slide diagram: SD-WAN-SE branch to Data Center or Cloud, with the Path Bandwidth diagnostics page]

Active Path Bandwidth Testing and Reporting
• Instant Path Bandwidth Testing
• Schedule Path Bandwidth Testing
• History Path Bandwidth Testing Results

Key Notes:
• Bandwidth testing allows SD-WAN not to be impacted by misconfiguration in certain scenarios: when the service provider is not providing the accurate available bandwidth, or when there is unexpected contention for an underlay WAN link.
• The NetScaler SD-WAN 9.2 Active Bandwidth Testing feature gives an admin the ability to issue an instant path bandwidth test through any WAN link, or to schedule WAN link bandwidth testing to be completed at specific times on a recurring basis. This feature is useful for demonstrating how much bandwidth is available between two locations during new and existing installations, and also for testing paths to determine the outcome of setting and configuration changes, such as adjusting DSCP tag settings or bandwidth Permitted Rates.
• On the Diagnostics Path Bandwidth page, you will find:
• "Instant Path Bandwidth Testing", which runs an immediate bandwidth test: simply select the desired path to test from the drop-down list and click the Test button to run a path bandwidth test. Dynamic virtual paths will also be listed when a dynamic virtual path exists.
• The output displays the minimum, maximum, and average bandwidth results of the test. Along with the ability to test the bandwidth, you can now change the configuration file to use the learned bandwidth. This is accomplished through the Auto Learn option under Site > [Site Name] > WAN Links > [WAN Link Name] > Settings; if enabled, the system will use the learned bandwidth.
• "Schedule Path Bandwidth Testing", which configures the appliance to run path bandwidth testing regularly at a certain time. No dynamic virtual path will be listed here. The settings on this appliance will not be synchronized to the High Availability peer.
• Frequency: how often the path bandwidth test should be run for the selected path.
• Day of Week: on what day of the week the test should be run. This is only valid when frequency is set to every week.
• Hour: at what time the test should be run. This is only valid when frequency is set to every week or every day.
• Minute: at what time the test should be run. The appliance may add some random value to the minute so that not all scheduled path bandwidth tests are run at the same time.
• "History Path Bandwidth Testing Results", which shows all the past path bandwidth testing results from instant testing and scheduled testing.
• Note: A history of the path bandwidth testing results is displayed at the bottom of this page, and results are archived every 7 days.

SD-WAN Diagnostic Tools: Diagnostic Tools

[Slide diagram: SD-WAN-SE branch to Data Center or Cloud]

Diagnostic Tools
• Onboard iPerf, port 5001
• Control Traffic Type - unencapsulated TCP traffic
• Data Traffic Type - encapsulated UDP traffic

Useful to Diagnose
• Path quality changes - Good, Bad, Dead
• Poor application performance
• Higher packet loss with SD-WAN in path

Key Notes:
• The Diagnostic Tools are extremely helpful when troubleshooting the SD-WAN product. They can help determine whether the SD-WAN overlay is at fault or whether the underlay network is not functioning as expected.
• With this new 9.2 enhancement, the standard iPerf tool is now packaged and available right in the web interface of SD-WAN Standard and Enterprise Edition appliances. With the iPerf tool, admins can get insight into the path capacity and obtain useful data for questioning the router queue configuration and/or the service provider's service level agreement.
• This diagnostic tool is useful when troubleshooting network issues that may result in:
• Frequent changes in path state from Good, Bad, to Dead
• Poor application performance
• Higher packet loss when SD-WAN is introduced
• Most often, these problems arise due to rate limiting configured on a firewall or router, incorrect bandwidth settings, low link speed, a lower than expected priority queue set by the network provider, misconfiguration of the routers, and so on. The diagnostic tools enable admins to identify the root cause of such issues and help troubleshoot them.
• The diagnostic tool removes the dependency on third-party tools such as iPerf, which had to be manually installed on the Data Center and Branch hosts. It provides more control over the type of diagnostic traffic sent, the direction in which the diagnostic traffic flows, and the path on which the diagnostic traffic flows.
• The diagnostic tool allows you to generate the following two types of traffic:
• Control: eliminates SD-WAN processing such as SD-WAN QoS/schedulers, optimization and so on for the diagnostic traffic. This is used to identify SD-WAN related issues.
• Data: simulates the traffic generated from the host, with SD-WAN traffic processing. This is used to identify issues related to ISP/customer gateway devices and so on.
• To run a diagnostic test on a path, you need to start the test on both end appliances of the path. Start the diagnostic test as a server on one appliance and as a client on the other appliance.

SD-WAN Diagnostic Tools: Diagnostic Tools

[Screenshot: Diagnostic Tools page with the traffic type, port number and path selectors for server and client mode, the iPerf arguments field and the results window]

Not supported iPerf arguments
• -c : Client mode
• -s : Server mode
• -B : Binding to IP/Interfaces
• -p : Port number

Server Mode
• Traffic type, port number, path under test
• iPerf (-t) time argument needed (default 10 seconds, max 100 seconds)

Client Mode
• Matching traffic type, port number, path under test
• Uses standard iPerf to pump traffic on the path
• Standard iPerf arguments supported

Key Notes:
• The diagnostic tool provides the ability for any SD-WAN device to be in Client or Server test mode. This enables unidirectional bandwidth measurement on any of the available paths.
• The selected traffic type, port number, and path under test must match on both ends of the test.
• With the server listening on the assigned port, another SD-WAN device can be enabled in client mode to start pumping traffic on the targeted path. The results window will indicate the available bandwidth between the two WAN links.
• The iPerf field does support standard iPerf arguments, but some of these arguments are already handled by the diagnostic tool, so the following are not needed:
• -c : Client mode
• -s : Server mode
• -B : Binding to IP/Interfaces
• -p : Port number
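A free-form argument field that is handed to a command-line tool on the appliance is a classic place for input validation, so here is an added example of the allow-list check the slide implies: the client/server mode, bind address and port are owned by the diagnostic tool, so -c, -s, -B and -p (and their long forms) are refused, the -t duration is checked against the slide's default of 10 seconds and maximum of 100 seconds, and anything else is limited to plain option characters. This is illustrative code written for this page, not the appliance's own validation; the character allow-list and the handling of attached forms such as -t30 are assumptions.

```python
"""Allow-list check for the iPerf arguments field described on the slide. Illustrative
code added for this page, not the SD-WAN appliance's own validation; the character
allow-list and the handling of attached option forms are assumptions of this model."""
import re
import shlex
from typing import List

SHORT_HANDLED = {"-c": "--client", "-s": "--server", "-B": "--bind", "-p": "--port"}
LONG_HANDLED = set(SHORT_HANDLED.values())
DEFAULT_SECONDS, MAX_SECONDS = 10, 100            # from the slide: default 10 s, max 100 s
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9._:/=,-]+$")   # no shell metacharacters or whitespace


class InvalidIperfArgs(ValueError):
    pass


def validate_iperf_args(arg_string: str) -> List[str]:
    """Return the argv to append to the tool's own iPerf command line, or raise."""
    tokens = shlex.split(arg_string)
    out: List[str] = []
    seconds = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not SAFE_TOKEN.match(tok):
            raise InvalidIperfArgs(f"unsafe characters in argument {tok!r}")
        name, has_value, value = tok.partition("=")
        short = name[:2] if not name.startswith("--") else None
        if name in LONG_HANDLED or short in SHORT_HANDLED:   # also catches attached forms like -p5001
            raise InvalidIperfArgs(f"{name} is set by the diagnostic tool and cannot be overridden")
        if name == "--time" or short == "-t":
            if short == "-t" and len(name) > 2:          # attached form: -t30
                value = name[2:]
            elif not has_value:                          # separate form: -t 30
                i += 1
                if i >= len(tokens):
                    raise InvalidIperfArgs("-t needs a number of seconds")
                value = tokens[i]
            if not value.isdigit() or not 1 <= int(value) <= MAX_SECONDS:
                raise InvalidIperfArgs(f"test time must be 1..{MAX_SECONDS} seconds")
            seconds = int(value)
        else:
            out.append(tok)
        i += 1
    return out + ["-t", str(DEFAULT_SECONDS if seconds is None else seconds)]


def is_rejected(arg_string: str) -> bool:
    """True when the argument string would be refused by validate_iperf_args."""
    try:
        validate_iperf_args(arg_string)
    except InvalidIperfArgs:
        return True
    return False
```

The duration is always emitted last so that a user-supplied value never overrides the tool's clamp, and the validated list is meant to be passed as an argument vector rather than interpolated into a shell string, which is why the character allow-list can stay simple.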


Lesson Objective Review

Accurate path bandwidth assessment is important for which of the following reasons?
a) Optimal SD-WAN delivery
b) Optimal end-user experience
c) Accurate SD-WAN path and link measurement
d) Keep service providers honest with their contracted SLA
e) All of the above




Platform Enhancements
• 4100-SE and 2100-SE with ZTD
• High Capacity Virtual Appliance
• Azure release for VPX-SE
• Auto Secure Peering - EE as MCN

Key Notes:
• With the introduction of the NetScaler SD-WAN 9.2 software release, platform enhancements were also introduced, with a primary focus on providing increased performance and scalability of SD-WAN deployments. Platform enhancements include:
• New 4100-SE and 2100-SE with zero touch deployment capabilities
• Higher capacity virtual appliance
• SD-WAN Standard Edition Virtual Appliance release for Azure
• Auto secure peering enhancements with Enterprise Edition capability as the Master Control Node for the data center.



SD-WAN Higher Capacity Virtual Appliance

Standard Edition virtual appliances (VPX):
Model: VPX-020-SE | VPX-050-SE | VPX-100-SE | VPX-200-SE | VPX-500-SE | VPX-1000-SE
Virtual WAN bandwidth: 20 Mbps | 50 Mbps | 100 Mbps | 200 Mbps | 500 Mbps | 1 Gbps
Maximum virtual paths (fixed/dynamic): 8/4 | 16/8 | 16/8 | 16/8 | 16/8 | 16/8
Hypervisor: XenServer 6.5 SP1, ESX/ESXi 5.5, 6.0 | XS 6.5 SP1, ESXi 6.0 | ESXi 6.0
Processor: Dual core (quad core recommended) Intel VT-x | Quad Core Intel | 8-Core Intel
Memory: 4 GB | 4 GB | 8 GB
Virtual CPU: 2 vCPU @ 2.7 GHz | 4 vCPU @ 2.7 GHz | 8 vCPU @ 2.7 GHz | 8 vCPU @ 3.0 GHz

Higher Capacity Virtual Appliance:
• VPX-SE for ESXi - 1 Gbps
• VPX-SE for XenServer - 200 Mbps
• VPX-SE for AWS - 200 Mbps
• VPX-SE for Azure - 200 Mbps

Supported Hypervisors:
• XenServer
• ESXi
• AWS
• Azure

Limitations with VPX-SE:
• Maximum of 5 interfaces (1 Mgmt, 4 Data)
• ESXi supports only the e1000 driver (vmxnet3 is not supported)
• ESXi promiscuous mode must be enabled on data interfaces

Key Notes:
• SD-WAN release 9.2 introduced further performance improvements for the virtual appliance (VPX) models to address the need for higher throughput and a wider range of supported hypervisors.
• Both the WANOP and Standard Edition virtual appliances are supported on XenServer, ESXi, Azure, and AWS.
• In this table you will find the hardware specifications required for the virtual appliance.
• With release 9.2, a new set of virtual hardware with a new CPU profile has been introduced. With the appropriate resource allocation, SD-WAN Standard Edition virtual appliances can achieve higher throughput capacities:
• VPX-SE for ESXi – 1 Gbps
• VPX-SE for XenServer – 200 Mbps
• VPX-SE for AWS – 200 Mbps
• VPX-SE for Azure – 200 Mbps
• The limitation with the Standard Edition VPX is that it can only sustain a maximum of five interfaces. The first interface must be the management interface and the remaining four are the data path interfaces. Additional interfaces past the five-interface limit result in the system detecting only the first five interfaces; the rest are ignored.
• On XenServer, no additional configuration is required.
• On ESXi, the SD-WAN appliance can only support the e1000 driver. The VMware enlightened network driver vmxnet3 is not supported. Each data path interface should be in promiscuous mode.
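As an added example (not Citrix code), the Python check below encodes the VPX-SE limits from the notes above so a virtual machine definition can be validated before the appliance is booted: at most five interfaces are detected (the first is management, the next four are data, anything beyond that is ignored), ESXi requires the e1000 driver on every detected interface, and ESXi data interfaces must be in promiscuous mode. The NIC description format (a list of dicts with name, driver and promiscuous keys), the function name and the sample layouts are constructed for this example.

```python
"""Check a VPX-SE virtual NIC layout against the limits listed in the notes.

Added example, not Citrix code. The NIC description format (a list of dicts
with "name", "driver" and "promiscuous" keys) and the sample layouts are
constructed for this example; the rules come from the slide: at most five
interfaces are detected (first = management, next four = data), ESXi
supports only the e1000 driver, and ESXi data interfaces must be in
promiscuous mode.
"""
from __future__ import annotations

MAX_INTERFACES = 5  # 1 management + 4 data


def check_vpx_interfaces(hypervisor: str, nics: list[dict]) -> list[str]:
    """Return a list of findings; an empty list means the layout is acceptable.

    `nics` must be in the order the hypervisor presents them, because that
    order decides which interface becomes management and which are ignored.
    """
    findings: list[str] = []
    if not nics:
        return ["no interfaces presented; a management interface is required"]

    detected = nics[:MAX_INTERFACES]
    ignored = nics[MAX_INTERFACES:]
    if ignored:
        names = ", ".join(n["name"] for n in ignored)
        findings.append(
            f"{len(nics)} interfaces presented but only the first "
            f"{MAX_INTERFACES} are detected; ignored: {names}"
        )

    data = detected[1:]  # detected[0] is the management interface
    if hypervisor.lower() == "esxi":
        for nic in detected:
            if nic.get("driver", "").lower() != "e1000":
                findings.append(
                    f"{nic['name']}: driver {nic.get('driver')!r} is not "
                    "supported on ESXi; use e1000"
                )
        for nic in data:
            if not nic.get("promiscuous", False):
                findings.append(
                    f"{nic['name']}: data interface must be in promiscuous mode"
                )
    # XenServer, AWS and Azure: the slide states no driver or promiscuous
    # requirement, so only the interface-count rule applies there.
    return findings


if __name__ == "__main__":
    # Constructed sample: six vmxnet3 NICs on ESXi, none promiscuous.
    sample = [
        {"name": f"eth{i}", "driver": "vmxnet3", "promiscuous": False}
        for i in range(6)
    ]
    for finding in check_vpx_interfaces("ESXi", sample):
        print(finding)
```

Running the sample reports the sixth interface as ignored, every detected interface as using an unsupported driver, and each of the four data interfaces as missing promiscuous mode; the same layout on XenServer only reports the ignored sixth interface.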



Standard Edition Platform Enhancements
Performance improvements

High capacity VPX on-platform (VPX):
• 10 to 1000 Mbps VPX-SE (previously 10 to 100 Mbps VPX-SE)
• Azure support

2100 SE (Large Branch / Small Data Center):
• 100 to 1500 Mbps SE (previously 100 to 300 Mbps SE)
• ZTD capable

Refresh of 5000 platform (High performance SE):
• 300 Mbps to 3 Gbps SE
• Previously 256/32 Virtual Paths (5100)

Key Notes:
• NetScaler SD-WAN platforms provide a wide range of appliances enabling application delivery to a variety of locations. To accompany release 9.2, SD-WAN expanded the available virtual and hardware platforms.
• On the cloud side, release 9.2 introduced Standard Edition availability for the Microsoft Azure cloud. Software enhancements have also been made to provide a 1 Gbps VPX-SE model for the ESXi hypervisor.
• On the physical platforms, new hardware has been introduced to provide a higher performance Standard Edition model to support large branch and small data center deployments, as well as higher performing appliances to cover data center deployments up to 4 Gbps of bidirectional throughput, with support for a larger number of branch offices.
• The 5100-SE model can not only increase its capacity through the 9.2 software upgrade, but it also increases the number of supported remote sites from 256 to 550.


New SD-WAN Standard Edition Platforms

Platform | BW (Mbps) | Chassis Interfaces | Highlights
NS-SDW-2100-SE | 200, 300, 500, 1000, 1500 | 4 x 1000BaseTX (2 pairs of FTW); 4 x 1GE SFP | Up to 1.5 Gbps bi-directional; up to 128 remote sites (Virtual Paths)
NS-SDW-4100-SE | 1000, 2000 | 4 x 10G/1G SFP+; 4 x 1000BaseTX; 2 x 10GBase-SR; 2 x 1000BaseTX (Mgmt) | Up to 2 Gbps bi-directional; up to 256 remote sites (Virtual Paths)

New Standard Edition Appliances:
• 2100-SE
• 4100-SE



4100 Standard Edition

[Figure: front bezel of the NetScaler SD-WAN 4100-SE; labeled ports: Serial, LOM, 0/1, 0/2, 1/1 to 1/4, 10/1 to 10/6]

Key Notes:
• Here is a look at the front bezel of the new 4100-SE platform.
• The interface layout includes a serial port, a Lights Out Management port, 2 x 1000BaseTX management ports, and the following data ports:
• 4 x 10G/1G SFP+
• 4 x 1000BaseTX
• 2 x 10GBase-SR



2100 Standard Edition

[Figure: front bezel of the NetScaler SD-WAN 2100-SE; 4 x 10/100/1000Base-T copper Ethernet]

Key Notes:
• Here is a look at the front bezel of the new 2100-SE platform.
• The interface layout includes two USB ports, a Lights Out Management port, 2 x 1000BaseTX management ports, a serial port, and the following data ports:
• 4 x 1000BaseTX (2 pairs of FTW)
• 4 x 1GE SFP



Factory Shipped Image and Software

Model | Standard Edition MFG Image (current) | Standard Edition MFG Image (April 2017) | WANOP Edition MFG Image (current) | WANOP Edition MFG Image (April 2017)
400 | 8.1.0.95 | 9.1.2.26 | 7.4.3.14 | 9.1.2.26
410 | 9.1.1.33 (ZTD ready) | 9.1.2.26 (ZTD ready) | N/A | N/A
800 | N/A | N/A | 7.4.3.14 | 9.1.2.26
1000 | 8.1.0.95 | 9.1.2.26 | 7.4.3.14 | 9.1.2.26
1000WS | N/A | N/A | 7.4.3.14, Windows Server 2012R2 | 9.1.2.26, Windows Server 2012R2
2000 | 8.1.0.95 | 9.1.2.26 | 7.4.3.14 | 9.1.2.26
2000WS | N/A | N/A | 7.4.3.14, Windows Server 2012R2 | 9.1.2.26, Windows Server 2012R2
2100 | N/A | 9.1.2.26 (ZTD ready) | N/A | N/A
3000 (CU and Fiber) | N/A | N/A | 7.4.3.14 | 9.1.2.26
4000 | 8.1.0.95 | 9.1.2.26 | 7.4.3.14 | 9.1.2.26
4100 | N/A | 9.1.2.26 (ZTD ???) | N/A | N/A
5000 | N/A | N/A | 7.4.3.14 | 9.1.2.26
5100 | 9.1.1.33 | 9.1.2.26 | N/A | N/A



Azure Release for Standard Edition

[Figure: Azure topology; Internet and Users, Data Center with NS SD-WAN and NS ADC/Gateway, two Branch Offices]

Azure Release for SD-WAN Standard Edition:
• Azure web UI/Portal
• Azure CLI/PowerShell

Limitations of Azure:
• Requires Gateway Mode deployment
• WAN and LAN SD-WAN subnets required to be different
• User Defined Routes (UDR) needed to direct all LAN machines to the SD-WAN LAN interface IP address as gateway
• Static routes on SD-WAN needed to advertise the Azure LAN in the SD-WAN overlay network
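As an added example (not Citrix or Microsoft code), the Python below checks a planned gateway-mode layout against the four limitations listed above and then builds the routing the layout needs: the UDR entry that points the Azure LAN subnet at the SD-WAN LAN interface address as a virtual-appliance next hop, and a static route for advertising the Azure LAN into the SD-WAN overlay. The function names, the sample subnets and addresses, and the dict used to represent the SD-WAN-side static route are constructed for this example; the three route property names are the ones an Azure route table route uses.

```python
"""Validate a gateway-mode VPX-SE layout in Azure and emit the routes it needs.

Added example, not Citrix or Microsoft code. The subnet and address values
are constructed sample values. The UDR entry uses the property names of an
Azure route table route (addressPrefix, nextHopType, nextHopIpAddress); the
SD-WAN-side static route is a plain dict for illustration, not the
Configuration Editor's own format.
"""
from __future__ import annotations

import ipaddress


def validate_azure_layout(
    deployment_mode: str,
    wan_subnet: str,
    lan_subnet: str,
    sdwan_wan_ip: str,
    sdwan_lan_ip: str,
) -> list[str]:
    """Return the slide's constraints that the layout violates (empty = OK)."""
    problems: list[str] = []
    if deployment_mode.lower() != "gateway":
        problems.append(f"deployment mode {deployment_mode!r}: Azure requires Gateway Mode")
    wan = ipaddress.ip_network(wan_subnet, strict=True)
    lan = ipaddress.ip_network(lan_subnet, strict=True)
    # The WAN and LAN SD-WAN subnets must be distinct, so any overlap fails.
    if wan.overlaps(lan):
        problems.append(f"WAN subnet {wan} and LAN subnet {lan} must be different")
    if ipaddress.ip_address(sdwan_wan_ip) not in wan:
        problems.append(f"SD-WAN WAN address {sdwan_wan_ip} is not inside {wan}")
    if ipaddress.ip_address(sdwan_lan_ip) not in lan:
        problems.append(f"SD-WAN LAN address {sdwan_lan_ip} is not inside {lan}")
    return problems


def build_routes(
    lan_subnet: str,
    sdwan_lan_ip: str,
    destinations: list[str] | None = None,
) -> dict:
    """Build the two pieces of routing the slide calls for.

    1. UDR entries for the Azure LAN subnet's route table that send the given
       destinations (default: everything) to the SD-WAN LAN interface address
       as a VirtualAppliance next hop.
    2. A static route on the SD-WAN appliance so the Azure LAN prefix is
       advertised into the SD-WAN overlay.
    """
    lan = ipaddress.ip_network(lan_subnet, strict=True)
    if ipaddress.ip_address(sdwan_lan_ip) not in lan:
        raise ValueError("next hop must be the SD-WAN LAN interface address inside the LAN subnet")
    destinations = destinations or ["0.0.0.0/0"]
    udr_routes = [
        {
            "name": f"via-sdwan-{i}",
            "properties": {
                "addressPrefix": str(ipaddress.ip_network(dest, strict=True)),
                "nextHopType": "VirtualAppliance",
                "nextHopIpAddress": sdwan_lan_ip,
            },
        }
        for i, dest in enumerate(destinations)
    ]
    # Illustrative representation of the SD-WAN static route (assumed format).
    sdwan_static_route = {
        "destination": str(lan),
        "via": "LAN interface",
        "advertise_in_overlay": True,
    }
    return {"udr_routes": udr_routes, "sdwan_static_route": sdwan_static_route}


if __name__ == "__main__":
    # Constructed sample layout: separate WAN and LAN subnets, gateway mode.
    issues = validate_azure_layout("gateway", "10.10.0.0/24", "10.10.1.0/24", "10.10.0.4", "10.10.1.4")
    print("problems:", issues or "none")
    print(build_routes("10.10.1.0/24", "10.10.1.4"))
```

Calling validate_azure_layout before build_routes keeps the two failure modes the slide warns about (WAN/LAN overlap and a non-gateway deployment) from being silently turned into a route table that never sends traffic through the appliance.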



Enterprise Edition Enhancements

Two-appliance data center solution (WANOP and Standard Edition at the Data Center, Enterprise at the Remote Data Center or Cloud):
• Enables large scale deployments
• Coming up enhancements: management simplification, pricing bundles

Enterprise Edition Solution (EE) (Enterprise at the Data Center and at the Remote Data Center or Cloud), PoCs and mid-size deployments:
• Only on 1000 and 2000 appliances
• 9.2 supports: AppFlow, Domain join, SSL Acceleration
• Enables full acceleration and visibility



Two Box Mode Management Simplification

[Figure: Data Center with the SD-WAN WANOP Edition appliance one-arm off the SD-WAN Standard Edition appliance, which connects to the Core; Configuration Editor screenshot]

Two Box Solution:
• Standard Edition supported appliances: 5100-SE, 4100-SE, 4000-SE
• WANOP Edition supported appliances: 5000-WO, 4000-WO

Key Notes:
• In order to accommodate larger scale deployments and simplify the deployment model for a two-appliance solution (WANOP plus Standard Edition), Two Box Mode was introduced in NetScaler SD-WAN release 9.2.
• Two Box Mode is targeted for deployment in the data center, so supported hardware is limited to the higher-end platforms. From a physical deployment perspective, the WANOP Edition appliance is deployed one-arm off an available interface of the Standard Edition appliance. The Standard Edition appliance takes the role of the router, redirecting the traffic flows targeted for optimization.
• Redirect to WANOP can be found as an option in the Global > Routing Domains node of the Configuration Editor.



SD-WAN Auto Secure Peering - Enterprise Edition as MCN

[Figure: Enterprise Edition appliance at the Data Center peering with an Enterprise Edition appliance at the Remote Data Center or Cloud; Citrix NetScaler SD-WAN 2000 EE configuration screenshot]

Auto Secure Peering for Enterprise Edition:
• For Enterprise Edition appliances, secure peering will always be enabled

Key Notes:
• With the 9.2 SD-WAN release, some of the limitations previously preventing an Enterprise Edition appliance from being deployed as the head-end SD-WAN appliance and being promoted to Master Control Node have been eliminated.
• With 9.2, an Enterprise Edition appliance can be installed at the data center and now has the capability to join a Windows Domain Controller, allowing users and administrators to make use of the extended WAN Optimization features previously only achievable with a standalone WANOP appliance.
• Data Store Encryption can be performed on the Enterprise Edition appliance through a 9.2 feature enabled from the MCN Configuration Editor under the Optimization node for an Enterprise Edition appliance. For an Enterprise Edition appliance, secure peering will always be enabled.
• Auto-secure peering is initiated from the EE appliance at the DC site and the branch site EE appliance.
• This deployment configures the EE appliance at the DC site in LISTEN ON mode and the branch side EE in CONNECT TO mode.
• Reference the SD-WAN documentation for the proper steps to configure auto-secure peering on the new Enterprise Edition appliance at the Data Center.



Lesson Objective Review

If a customer purchases an Enterprise Edition appliance and they are shipped a 9.1.2 Standard Edition appliance, what is required to unlock Enterprise Edition features?
a) Enterprise Edition license file
b) Software upgrade to 9.2
c) A second appliance with WAN Optimization capabilities
d) Replacement of hardware with factory shipped Enterprise Edition
e) None of the above

Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.





Key Takeaways
• With 9.2, an Enterprise Edition appliance can be installed at the data center and now has the capability to join the appliance to a Windows Domain Controller, allowing users and administrators to make use of the extended WAN Optimization features previously only achievable with the use of a standalone WANOP appliance.
• Dynamic NAT with port forwarding allows the admin to port forward specific traffic to a defined IP address.
• The 5100-SE model can not only increase its capacity through the 9.2 software upgrade, but it also increases the number of supported remote sites from 256 to 550.
• With the appropriate resource allocation, SD-WAN Standard Edition virtual appliances can achieve higher throughput capacities.



• Exercise 7-1: Introduction to the SD-WAN 9.2 environment
• Exercise 7-2: Application Classification
• Exercise 7-3: Stateful Firewall



• Exercise 7-4: Dynamic Network Address Translation
• Exercise 7-5: Static Network Address Translation
• Exercise 7-6: Basic Mode Configuration Editor
• Exercise 7-7: Active Bandwidth Testing
• Exercise 7-8: Diagnostic Tools

Key Notes:
• The optional self-study exercises are added to allow students to continue the hands-on experience outside of class time. You are given 30 days of access to the lab environment and can go in at any time and complete these labs.



