CITRIX® Education
CNS-200W: NetScaler SD-WAN Hands-on Workshop
Table of Contents
Module 0 - Course Overview, p. 1
Module 1 - SD-WAN Overview, p. 16
Module 2 - SD-WAN Provisioning and Change Management, p. 74
Module 3 - Quality of Service, p. 124
Module 4 - Deployment and Configuration, p. 169
Module 5 - SD-WAN 9.0 Features, p. 252
Module 6 - 9.1 Feature Release, p. 276
Module 7 - SD-WAN 9.2 Features, p. 322
NetScaler SD-WAN Hands-on Workshop
Course Overview
CNS-200W
Version: 1.3
Student Introductions
• Job title
• Job responsibility
• Class expectations
Lab Requirements
• Check connectivity to the environment and report any issues.
• All lab environment details are also provided in the lab guide.
http://training.citrix.com/cms/education/faq
Education Classroom Support
How do I open a Classroom Support ticket?
How likely is it you would recommend Citrix Courses to a friend? (Not at all Likely ... Extremely Likely)
SD-WAN Overview
CNS-200W
Version: 1.3
Key Notes:
• SD-WAN stands for Software Defined Wide Area Networking and it is a combination of SDN, Software Defined Networking (which was created for use in cloud datacenters), and WAN, Wide Area Networking (which is the network outside of your office, for example the Internet, or site-to-site networks, most commonly MPLS or Metro Ethernet). You might even say that SD-WAN is
• SD-WAN takes some of the similar software-defined concepts used in the data plane, and leverages them on the WAN. By doing this, it simplifies branch-office connectivity and ongoing management, and reduces hardware sprawl while significantly improving enterprise application
• We all know how important it is to have solutions in place for businesses that connect through the cloud and on private networks. Solutions that allow businesses to monitor their networks
• We've seen several new trends in solutions: some suggest reverting to massive centralized infrastructure for application delivery. Others suggest that businesses enable requirements to offset the use of expensive MPLS networks with cheaper, more cost-effective options like internet transport. And we've also seen suggestions for shifting requirements from hardware-centric models to software and application-driven ones.
• While some of these trends offer valuable solutions, they also bring new complexity to businesses that may not be prepared to enable them.
• Perhaps because of these rapidly developing technological needs, Software Defined Wide Area Network, or SD-WAN, is becoming the go-to option for companies both large and small who want to increase their WAN throughput and branch-office application reliability and security, all while improving the end-user experience.
Key Notes:
• These are 5 major values the NetScaler SD-WAN solution brings to the table.
• Always on Branch
• Reduce Cost
• Simplify Branch Infrastructure
Always on Branch
Key Notes:
• These are 5 major values the NetScaler SD-WAN solution brings to the table.
• Always on branch – Reliability is one of the primary values. NetScaler SD-WAN ensures continuous access to applications, even when a network link is lost. This keeps business operating.
Better User Experience
Key Notes:
• Through features such as TCP flow control, data compression, de-duplication and protocol optimization, NetScaler SD-WAN can improve the end-user experience as well as provide a reduction in WAN bandwidth expenses. And with video usage on the rise, NetScaler SD-WAN can optimize video delivery within Citrix XenDesktop environments as well as for popular
• Beyond just availability, the solution makes sure that applications are responsive. Virtual applications perform consistently, voice calls are clear, videos aren't pixelated, websites are
Reduce Cost
Key Notes:
• Reduce cost – By making broadband networks viable for enterprise use, companies can spend less on their network, often a very large expense. If companies can decommission MPLS in favor of broadband, they will dramatically reduce costs and have more bandwidth. But even if they don't stop using MPLS, they can accommodate bandwidth growth through broadband,
Key Notes:
• Routing, and Firewall. With this solution companies can radically simplify their network, eliminating hardware and the cost of support. Companies with lots of locations and limited IT resources at each location will particularly benefit from the hardware consolidation capability.
Key Notes:
• Centralize control and management – NetScaler SD-WAN Center will eventually migrate into NetScaler Management Analytics System (MAS) and will act as a single centralized system for configuring the network and application policies, in addition to monitoring and reporting. With version 10.0 you can now configure NetScaler SD-WAN Center to act as the remote license server for centralized license management. NetScaler SD-WAN is Zero Touch deployment capable. Zero Touch Service makes it simple to send a new appliance to a site with no technical personnel on location and quickly bring up appliances to join the SD-WAN environment.
Which Portion of Your Network Is Most Expensive?
(Chart; surviving labels: WAN 6 %, Data Center, Campus/User Edge)
Access Type | Typical Availability | Downtime Per Month Per Circuit
Business DSL | 99.0% | 7 Hrs.
Metro Ethernet | 99.5% | 4 Hrs.
MPLS Leased Line | 99.9% | 1 Hr.
Key Notes:
• The network links that compose the Wide Area Network (WAN) are generally the largest expense in the network. These links have traditionally been MPLS, which is expensive, is a fixed monthly
• commonly known as MPLS, will likely have an hour of downtime per month per line.
• MPLS: Multiprotocol Label Switching (MPLS) is a type of data-carrying technique for high-performance telecommunications networks. MPLS directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table.
• Gartner Data Center Conference Dec 2015: Top 10 Ways to reduce Network/Telecom Budget presentation
(Chart: PB/Month from 0 to 30,000 by category: Web Applications, Video-Based Content, Guest WiFi, HD Photos/Videos. Source: Cisco Visual Networking Index: Forecast and Methodology, 2013 - 2018)
Key Notes:
• Even with the weaknesses Admins see with their networks, bandwidth demands continue to rise.
• Let's take a look at how enterprise bandwidth needs are changing. Each year, WAN traffic volume is growing by 15%. This is driven by a number of factors:
• Apps are migrating to the cloud, which drives data volumes over the WAN
• Apps are becoming more feature rich, which drives each application to generate higher bandwidth
• Video usage: the average employee watches almost 16 hours of video content per month, and this figure is growing as companies leverage video for more effective communications and productivity.
• The net of it all is that corporate WAN bandwidth requirements are forecasted to grow by
• Compression
• Citrix XenApp/XenDesktop (HDX)
• TCP Flow-Control Acceleration
• Traffic Shaping
Key Notes:
• compression. It is true compression that acts on arbitrary byte streams. It is not application-aware, is indifferent to connection boundaries, and can compress a string optimally the second time it appears in the data. SD-WAN compression works at any link speed. The compression engine is very fast, allowing the speedup factor for compression to approach the compression ratio. For example, a bulk transfer monopolizing a 1.5 Mbps T1 link and achieving a 100:1 compression ratio can deliver a speedup ratio of almost 100x, or 150 Mbps, provided that the
• XenApp data streams for interactive data (keyboard/mouse/display/audio) and batch data (printing and file transfers). This interaction takes place transparently and requires no
• the link at a rate close to, but no greater than, the link speed. Unlike acceleration, which applies only to TCP/IP traffic, the traffic shaper handles all traffic on the link.
• also providing more bandwidth available to applications. With the ability to bond multiple WAN links, NetScaler SD-WAN creates a single, secure, logical link,
• replication, NetScaler SD-WAN supports up to four times as many virtual app and desktop users. NetScaler SD-WAN accelerator technology also improves
• enterprises. Through its caching capabilities, NetScaler SD-WAN can reduce WAN bandwidth demand for internal and external video content at branch offices.
• Branch service delivery. The NetScaler SD-WAN product family offers features that simplify branch office IT and allow IT to securely deploy an Active Directory database at branch offices, using a read-only domain controller.
• Visibility and insight. NetScaler SD-WAN allows you to monitor application delivery through reporting and measurement features. These tools help you understand application performance to improve troubleshooting and bandwidth management, and to accelerate application delivery.
27 © 2018 Citrix Authorized Content CITRIX
What are the available options?
(Map: sample WAN price points; source TeleGeography 2Q2015)
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
• Most Network Admins are tasked with making use of cheaper alternatives for building their Wide Area Network, primarily because, as we saw earlier, broadband internet is significantly less reliable and because of that significantly less expensive! Here are some sample price points
• If you get creative enough, the task at hand of addressing increasing bandwidth needs without driving up additional WAN costs is attainable. But the engineering and management to create a solution like this from the ground up can be a nightmare. As we get into more detail later in this module, we will educate you on how NetScaler SD-WAN is the solution that addresses this
(Image: NetScaler SD-WAN Data Sheet)
Key Notes:
• The NetScaler SD-WAN product line is continuously growing and adapting to needs and challenges seen in enterprise networks. Referencing the online NetScaler SD-WAN Data Sheet will keep you updated on the latest in physical and virtual appliance availability and performance capabilities.
Additional Resources:
sheet/netscaler-sd-wan-datasheet.pdf
Edition feature comparison (three columns as shown on the slide, left to right):
Multi Link aggregation | Multi Link aggregation | Single link QoS
WAN path resiliency | WAN path resiliency | Application optimization
WAN path visibility | Application optimization | Application visibility
Key Notes:
• NetScaler ADC is an application delivery controller that provides flexible delivery services for traditional, containerized and microservice applications from your data center or any cloud. It features unmatched security, superior L4-7 load balancing, reliable GSLB, and increased uptime.
• NetScaler Gateway, previously known as the CAG (Citrix Access Gateway) or the CSG (Citrix Secure Gateway), is primarily designed and used for secure remote access.
• The traditional WAN was not designed to tackle today's application traffic. Our software-defined WAN solution, NetScaler SD-WAN, offers a scalable, reliable, and cloud-ready approach. NetScaler SD-WAN combines packet-level, real-time path selection, WAN optimization, firewall, routing, and application analytics into one comprehensive solution. Whether accessing SaaS
• It is important to note that the Citrix NetScaler product portfolio consists of NetScaler ADC, NetScaler Gateway and NetScaler SD-WAN. Each product provides its own unique role in application delivery and security, and each may reside in different parts of the network. Note that even though the same hardware may be utilized across the products, the software on the SD-WAN is uniquely different and requires deployment with a partner device at the remote site to provide the benefits of a software defined wide area network. NetScaler ADC is used for load balancing, NetScaler Gateway for enabling access to resources, and NetScaler SD-WAN for virtualizing your wide area network.
• The SD-WAN product itself has several editions, each designed to address challenges typically found in an enterprise network, such as congestion, unreliable WAN links, and reliable delivery of applications.
• Standard Edition provides a solution for multi link bandwidth aggregation, WAN path resiliency
NetScaler SD-WAN Editions
(Diagram: appliance placement per edition)
Key Notes:
• Enterprise Edition users will need one Standard appliance and one WANOP appliance in the data center. In the branch office, you will need just one Enterprise Edition appliance, which combines WAN optimization and virtual WAN functions into a single appliance for the branch.
NetScaler SD-WAN on Azure | NetScaler SD-WAN on AWS
(Diagram: Microsoft Azure and Amazon Web Services deployments; surviving labels: "instances.", "backhaul cloud bound traffic through a data center.")
Key Notes:
• Microsoft Azure:
• Benefits Include:
• Specs:
• Benefits Include:
• Create direct connections from every location to AWS
• Ensure an ongoing reliable connection to AWS
• Simplify your network without the need to provision VPNs
• Extend your secure perimeter to the cloud with a single click
(Table: NetScaler SD-WAN platforms supported per release; only the row "Release 7.X ... Yes" survived extraction)
Key Notes:
• The above table illustrates which NetScaler SD-WAN platforms are supported for each of the
• When installing and applying a license, make sure that your specific appliance supports the SD-WAN appliance edition you want to enable, and that you have the correct software version available.
• Earlier versions of licenses, including those compatible with release 7.x, are not supported with the newer NetScaler SD-WAN release. The existing process to obtain NetScaler SD-WAN licenses remains consistent with the CloudBridge 8.0.x and 9.0.x releases. Once obtained, the
• Before you can download the software, you must obtain and register a NetScaler SD-WAN software license. For instructions on obtaining a NetScaler SD-WAN software license, contact Citrix NetScaler SD-WAN Customer Support. Before installing the license, you must first set up the appliance hardware, and set the date and time for the appliance.
Key Notes:
1. In the SD-WAN web management interface, navigate to Configuration > Appliance Settings > Licensing.
2. Select Local and upload the License. Click Upload and Install.
3. Save your changes by clicking Apply Settings.
License Configuration
If you want to install remote licenses for SD-WAN appliances using SD-WAN Center, ensure that you enable Centralized licensing on the SD-WAN MCN appliance in the Global settings.
Configure Licensing Server
• Use Cases:
• SD-WAN VPX-SE - [illegible] deployment in the Branch office
Key Notes:
1. In the SD-WAN web management interface, navigate to Configuration > Appliance Settings > Licensing.
management process
Key Notes:
• under Global > Centralized licensing. This IP address is propagated to individual appliances through the configuration packages or updates. When the IP address is changed, you have to go through the Change Management process to push it to the appliances. The global setting can be
• The license bandwidth can be selected with the appliance model for Site settings. The WAN
1. Navigate to Configuration > Virtual WAN > Configuration Editor. Open an existing virtual WAN configuration package or create a new configuration package. The configuration package opens.
2. Navigate to the Global tab. Select Centralized Licensing. Click Enable.
3. Enter the IP address for the License Server from which you need to download and manage SD-WAN licenses. You can provide the SD-WAN Center management IP address, so that the configuration package for the SD-WAN MCN or branch appliances can download licenses from SD-WAN Center.
4. Enter 27000 for the License Server Port, which is the default port number.
5. Click Apply.
6. Navigate to the Sites tab. Select MCN or Branch site under View Site, depending on the region and site for which you want to manage central licensing.
7. Select Centralized Licensing. The central licensing options view is displayed. By default, the Local option is selected for the License Server Location.
SD-WAN Licensing Considerations
• SD-WAN appliance licenses are managed by communicating with the remote license service to check for licenses. If the appliance is licensed, network operations continue without interruption. If the appliance is not licensed, the grace license mode is initiated.
• The SD-WAN appliance goes into a 30-day grace period and you have to upload the license after the license expires.
• During the grace period, all operations function normally. If the license is not uploaded in time (30 days after expiry), Virtual WAN Service is disabled.
• A 30-day grace period is provided for Out-of-Box client nodes. Notification indicates that the appliance is in Out-of-Box mode and needs a valid license. This option uses a grace license file.
• Loss of communication with SD-WAN Center: after the loss of 2 heartbeats, the appliance goes into grace mode for 30 days. Notification indicates that the reason for the grace period is a communication failure.
Key Notes:
1. Each site communicates with the Remote Server or SD-WAN Center using the Web
2. Heartbeats are sent over a TCP connection to the license server every 10-20 mins to check connectivity.
3. After a loss of 2 consecutive heartbeats, the appliance goes into grace mode. The checkout method determines the license status. This status, which could be "Real", "Grace", or "Denied", is sent to the appliance from the SD-WAN Center. Every time an appliance reaches out to the SD-WAN Center for license status, it checks in and checks out the new license. If SD-WAN Center does not receive 2 heartbeats, SD-WAN Center will release the license allocated to the site into the pool. The grace period is 30 days, so after the loss of 2 heartbeats, the appliance will go into the grace period. During these 30 days, the communication has to be restored. Once restored, the appliance reverts back to normal operational mode. If the communication is NOT restored, the appliance will be put into an unlicensed state and follows the unlicensed/license expiry procedure.
• Out-of-Box licensing (OOB) for MCN appliance:
• MCN appliance will not have an initial grace period. It needs to be licensed to come up.
• Out-of-Box licensing (OOB) for client appliance:
• Client node will come up with a 30-day grace period with or without ZTD functionality.
• The appliance will be enabled and installed with an OOB license file valid for 30 days.
• You have 30 days to upload a license file or get licensed through the Centralized Licensing server.
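The heartbeat and grace-period behaviour above, modelled as a small state machine so the timing can be checked end to end. This is an added illustration written for these notes, not Citrix code: the intervals and states follow the text (a heartbeat every 10-20 minutes, grace mode after two consecutive missed heartbeats, a 30-day window, an OOB grace file for client nodes but not for the MCN, and the server releasing the licence to the pool after two missed heartbeats); the class and method names, the one-licence pool, and treating a "Denied" reply as entering grace are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MISSED_HEARTBEATS_FOR_GRACE = 2   # notes: grace mode after 2 consecutive lost heartbeats
GRACE_PERIOD_DAYS = 30            # notes: 30-day grace period


class LicenseServer:
    """Toy stand-in for the SD-WAN Center licence pool (assumed API, not Citrix's)."""
    def __init__(self, pool_size: int) -> None:
        self.pool = pool_size
        self.missed: Dict[str, int] = {}     # licensed site -> consecutive missed heartbeats

    def checkout(self, site: str) -> str:
        """Check-in/check-out on each heartbeat; the reply is the licence status."""
        if site in self.missed or self.pool > 0:
            if site not in self.missed:
                self.pool -= 1
            self.missed[site] = 0
            return "Real"
        return "Denied"

    def heartbeat_missed(self, site: str) -> None:
        """After two missed heartbeats the site's licence goes back into the pool."""
        if site in self.missed:
            self.missed[site] += 1
            if self.missed[site] >= MISSED_HEARTBEATS_FOR_GRACE:
                del self.missed[site]
                self.pool += 1


@dataclass
class Appliance:
    site: str
    role: str                          # "MCN" or "client" (assumed labels)
    status: str = "Unlicensed"         # "Real", "Grace" or "Unlicensed"
    grace_days_left: int = 0
    consecutive_missed: int = 0
    log: List[str] = field(default_factory=list)

    def boot(self) -> str:
        """Out-of-box: the MCN must be licensed to come up; a client node
        starts on a 30-day OOB grace licence file."""
        if self.role == "MCN":
            self.status = "Unlicensed"
            self.log.append("MCN has no initial grace period; licence required")
        else:
            self._enter_grace("Out-of-Box mode, valid licence needed")
        return self.status

    def _enter_grace(self, reason: str) -> None:
        if self.status != "Grace":
            self.status = "Grace"
            self.grace_days_left = GRACE_PERIOD_DAYS
        self.log.append("grace period: " + reason)

    def heartbeat(self, server: Optional[LicenseServer]) -> str:
        """One 10-20 minute heartbeat; server=None models lost connectivity."""
        if server is None:
            self.consecutive_missed += 1
            if self.consecutive_missed >= MISSED_HEARTBEATS_FOR_GRACE:
                self._enter_grace("communication failure with SD-WAN Center")
            return self.status
        self.consecutive_missed = 0
        reply = server.checkout(self.site)
        if reply == "Real":
            if self.status != "Real":
                self.log.append("licence checked out; normal operation")
            self.status, self.grace_days_left = "Real", 0
        else:
            # "Denied": not licensed, so grace mode is initiated (assumed reading of the notes)
            self._enter_grace("server replied " + reply)
        return self.status

    def day_passes(self) -> str:
        """Grace countdown; when it runs out the Virtual WAN Service is disabled."""
        if self.status == "Grace":
            self.grace_days_left -= 1
            if self.grace_days_left <= 0:
                self.status = "Unlicensed"
                self.log.append("grace expired: Virtual WAN Service disabled")
        return self.status


def outage_scenario(days_offline: int) -> dict:
    """Constructed scenario: a licensed branch loses contact with the server,
    stays offline for `days_offline` days, then reconnects."""
    server = LicenseServer(pool_size=1)
    branch = Appliance("branch-1", "client")
    branch.boot()
    branch.heartbeat(server)
    for _ in range(MISSED_HEARTBEATS_FOR_GRACE):
        branch.heartbeat(None)
        server.heartbeat_missed("branch-1")
    during = branch.status
    pool_after = server.pool
    for _ in range(days_offline):
        branch.day_passes()
    offline_end = branch.status
    restored = branch.heartbeat(server)
    return {"during": during, "pool_after_release": pool_after,
            "offline_end": offline_end, "restored": restored}
```

Running `outage_scenario(10)` shows the branch in "Grace" with the licence already back in the pool, then "Real" once communication returns; `outage_scenario(30)` shows the service reaching "Unlicensed" before the reconnect. The `log` list on the appliance is the place to hook the notifications the slide mentions.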
NetScaler SD-WAN Standard Edition (SE)
Key Notes:
• firewall,
• VPN, and
(Diagram: Remote SD-WAN-SE to Data Center or Cloud SD-WAN-SE)
Key Notes:
• SD-WAN provides reliable connectivity between Data Centers, Branch Offices, and Clouds.
• MPLS - Expedited Forwarding Queue: makes resources available to latency sensitive real-time, interactive traffic; useful with VOIP (no drop preference, which is supported with the Assured Forwarding (AF) model)
• Latency, loss, jitter, congestion and availability are monitored for each path and in each direction.
• Real traffic is used for the measurement, not probe data.
(Diagram: Remote SD-WAN-SE and Data Center or Cloud SD-WAN-SE, with latency, loss, jitter and congestion measured on every path in each direction)
Key Notes:
• NetScaler SD-WAN appliances continuously monitor every MPLS and broadband connection by tagging packets with sequence numbers. Destination appliances can detect path outages after just two or three missing packets, allowing seamless sub-second failover of traffic to the next-best WAN path. Users are never forced to restart, reconnect, or log in to applications again. Appliances also detect immediately when connections come back online, and seamlessly return traffic to the restored paths. Competing solutions can't match this level of failover performance.
• With each packet that passes through the network, SD-WAN measures the latency, loss, congestion and jitter of every available link, as well as in each available direction!
• Not only are the measured link conditions used by the local SD-WAN, but the measurements are shared with partner devices, enabling the SD-WAN solution to even detect last mile condition
• This intelligence is used for all network decisions and is key to providing an always-on branch and
Detect degraded links, blackouts or brownouts, and quickly adapt traffic
Undetected to the end user
(Diagram: Remote SD-WAN-SE to Data Center or Cloud SD-WAN-SE)
Key Notes:
• With the measurement capabilities of SD-WAN, if individual WAN path conditions change,
• or loss spikes, and at a sub-second speed divert traffic across healthier paths.
• automatically redirecting traffic across any available connections. In fact, the experience is so seamless, users won't even realize any change has occurred. Their primary access IP address will remain unchanged, allowing users to access their apps and data using the same methods and devices.
Detect degraded links, blackouts or brownouts, and quickly adapt traffic
Undetected to the end user
(Diagram: Remote SD-WAN-SE to Data Center or Cloud SD-WAN-SE)
Key Notes:
• When a session starts, the packets are directed along the best path which matches the application classification, based on those measurements. For example, real time data such as voice or HDX is put on a low loss, low latency path.
• Based on the company's policies, customization can be done to give high priority applications a higher priority class. And each application is assigned a share of the network using the Quality of Service engine, preventing low priority applications from choking out critical data.
• And unlike many competing solutions, NetScaler SD-WAN treats each MPLS class of service as a separate potential path, allowing the solution to make maximum use of all available
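An added example covering both the per-path measurement described on the earlier slide (sequence-numbered real traffic, an outage declared after two or three missing packets, immediate restore when packets reappear) and the best-path selection per application class described here. It is illustration code written for these notes, not Citrix's path-selection engine: the outage threshold of three, the RFC 3550-style jitter estimator, the class names and the selection score are assumptions, and the traffic samples are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

MISSING_FOR_OUTAGE = 3      # notes say "two or three" missing packets; three is assumed here
JITTER_GAIN = 1.0 / 16      # RFC 3550-style smoothed jitter estimator (assumption)
REALTIME_CLASSES = {"voice", "hdx"}   # assumed class names for low-loss, low-latency traffic


@dataclass
class PathStats:
    """Measurements for one WAN path in one direction, fed by tagged real traffic."""
    name: str
    next_seq: int = 0          # next sequence number expected on this path
    received: int = 0
    lost: int = 0
    latency_ms: float = 0.0    # latest one-way latency sample
    jitter_ms: float = 0.0
    consecutive_missing: int = 0
    up: bool = True

    def packet(self, seq: int, latency_ms: float) -> None:
        """A sequence-tagged packet arrived. A gap in the sequence counts as loss;
        any arrival clears the outage counter, so a restored path is seen at once."""
        if seq > self.next_seq:
            self.lost += seq - self.next_seq
        if seq >= self.next_seq:
            self.next_seq = seq + 1
        if self.received:
            delta = abs(latency_ms - self.latency_ms)
            self.jitter_ms += (delta - self.jitter_ms) * JITTER_GAIN
        self.latency_ms = latency_ms
        self.received += 1
        self.consecutive_missing = 0
        self.up = True

    def missed_interval(self) -> None:
        """A send interval passed with nothing arriving on this path."""
        self.consecutive_missing += 1
        if self.consecutive_missing >= MISSING_FOR_OUTAGE:
            self.up = False

    @property
    def loss_ratio(self) -> float:
        total = self.received + self.lost
        return self.lost / total if total else 0.0


def best_path(paths: Dict[str, PathStats], app_class: str) -> Optional[str]:
    """Choose the path for a new session from live measurements: real-time classes
    want low loss and low latency/jitter; other classes just avoid lossy paths."""
    live = [p for p in paths.values() if p.up]
    if not live:
        return None

    def score(p: PathStats):
        if app_class in REALTIME_CLASSES:
            return (round(p.loss_ratio, 3), p.latency_ms + p.jitter_ms)
        return (round(p.loss_ratio, 3), p.name)

    return min(live, key=score).name


def run_demo() -> dict:
    """Constructed traffic: MPLS steady at 20 ms with no loss, broadband at
    35-40 ms losing sequence numbers 3, 5 and 7; then MPLS goes dark and returns."""
    mpls, bb = PathStats("mpls"), PathStats("broadband")
    for seq in range(10):
        mpls.packet(seq, 20.0)
    for seq in (0, 1, 2, 4, 6, 8, 9):
        bb.packet(seq, 35.0 + (5.0 if seq % 2 else 0.0))
    paths = {"mpls": mpls, "broadband": bb}
    first = best_path(paths, "voice")                 # MPLS: no loss, lowest latency
    for _ in range(MISSING_FOR_OUTAGE):
        mpls.missed_interval()                        # blackout: failover to broadband
    during = best_path(paths, "voice")
    mpls.packet(13, 22.0)                             # first packet after the outage; 10-12 never arrived
    after = best_path(paths, "voice")
    return {"first": first, "during": during, "after": after,
            "mpls_lost": mpls.lost, "broadband_loss_ratio": round(bb.loss_ratio, 2)}
```

Both directions of a path would be two `PathStats` objects, which is what lets the receiving side report its own view back to the partner appliance. Note that the restored MPLS path wins again in `run_demo` only because its post-outage loss ratio (3 of 14) is still below broadband's (3 of 10); a selector should hold the failed-over sessions where they are unless the restored path is measurably better.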
(Diagram: Remote SD-WAN-SE to Data Center or Cloud SD-WAN-SE)
Key Notes:
• Large flows such as file transfers or HDX print jobs can use more than one link or MPLS queue
• utilization.
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
Key Notes:
• application classification,
• troubleshooting.
• Specifically:
• Optimize through TCP Fast RAM (vs Slow Start); maximize usable throughput of available link (not just a percentage)
• Compression!!: less bandwidth; faster delivery of smaller objects; less load on other devices
(Diagram: sending rate versus Link Speed; surviving label: "loss or congestion is detected on")
Key Notes:
• This is just an example of one Remote Branch Office communicating to the Data Center utilizing the NetScaler SD-WAN WANOP Edition sitting transparently in the path of traffic flow.
• Adaptive TCP flow control is the most basic WAN optimization technique that addresses the pessimistic approach in the TCP protocol design. Since traditional TCP is not aware of the bandwidth 'condition', it is designed to pump less data on the line to begin with and then increase gradually if all packets arrive without errors. In case of a dropped packet, the protocol is designed to fall back to half the sending rate and ramp up again. This design helps avoid congestion and retransmissions on poor, low-bandwidth WAN connections.
• WANOP Edition takes an optimistic design approach and attempts to fill the pipe (sending rate almost equals the link speed). In case of a dropped packet, it does not let the sending rate fall back exponentially and attempts to maintain the average utilization. The intelligent optimizer
• WANOP Edition is designed to optimize a single WAN path or tunnel and is a viable option to increase application performance when the WAN path is of poor quality due to oversubscription, latency, and loss.
• The optimization techniques are designed to overcome high packet loss and network latency for connections across the world, "fill the available pipe" mitigating the effects of TCP slow start, implement Quality of Service to prioritize business critical applications, and effectively deliver all TCP applications.
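A toy round-by-round simulation of the two sending policies described above: slow start with halving on loss, versus starting at the link speed and holding utilization after a drop. This is an added illustration only, not the WANOP flow-control algorithm; the link capacity, the constructed loss schedule, the +10% ramp and the 10% cut on loss are assumptions chosen to make the contrast visible on a lossy, high-latency path.

```python
from typing import Iterable, Set


class SlowStartTcp:
    """Simplified traditional TCP: start at one packet per RTT, double until the
    first loss, then grow by one per RTT; every loss halves the window."""
    def __init__(self) -> None:
        self.ssthresh = None

    def initial(self, capacity: int) -> int:
        return 1

    def on_success(self, cwnd: int, capacity: int) -> int:
        if self.ssthresh is None or cwnd < self.ssthresh:
            return cwnd * 2          # slow start: exponential ramp
        return cwnd + 1              # congestion avoidance: linear ramp

    def on_loss(self, cwnd: int, capacity: int) -> int:
        self.ssthresh = max(2, cwnd // 2)
        return self.ssthresh         # fall back to half the sending rate


class FillThePipe:
    """Optimistic sender modelled on the notes: begin at the link speed, trim
    the window only slightly on a drop, and ramp back within a round or two.
    The 10% figures are assumptions for this model, not WANOP parameters."""
    def initial(self, capacity: int) -> int:
        return capacity

    def on_success(self, cwnd: int, capacity: int) -> int:
        return min(capacity, cwnd + capacity // 10)

    def on_loss(self, cwnd: int, capacity: int) -> int:
        return max(1, cwnd - cwnd // 10)


def simulate(policy, capacity: int, rounds: int, loss_rounds: Set[int]) -> int:
    """Packets delivered over `rounds` RTTs on a link carrying `capacity`
    packets per RTT. Sending above capacity overflows the queue (congestion
    loss); `loss_rounds` are RTTs where the WAN drops one packet at random."""
    cwnd = policy.initial(capacity)
    delivered = 0
    for rtt in range(rounds):
        sent = cwnd
        lost = False
        if sent > capacity:
            sent = capacity          # excess is dropped at the bottleneck
            lost = True
        if rtt in loss_rounds:
            sent -= 1                # one random drop on the lossy WAN
            lost = True
        delivered += sent
        cwnd = policy.on_loss(cwnd, capacity) if lost else policy.on_success(cwnd, capacity)
    return delivered


def compare(capacity: int = 100, rounds: int = 40,
            loss_rounds: Iterable[int] = (8, 16, 24, 32)) -> dict:
    """Constructed scenario: a 100-packet/RTT link with one random drop every 8 RTTs."""
    losses = set(loss_rounds)
    return {
        "capacity": capacity * rounds,
        "slow_start": simulate(SlowStartTcp(), capacity, rounds, losses),
        "fill_the_pipe": simulate(FillThePipe(), capacity, rounds, losses),
    }
```

With the defaults the slow-start sender delivers 974 of a possible 4000 packets (each random drop halves a window that never recovers before the next one), while the fill-the-pipe model delivers 3956. Lengthen `rounds` or thin out `loss_rounds` to see the gap narrow, which is the low-loss regime where plain TCP does fine.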
Compression and Deduplication
• Compression: single-ended, object level compression
• Deduplication: proprietary cross-stream pattern matching with bit pattern caching
(Diagram: Remote SD-WAN-WO to Data Center or Cloud SD-WAN-WO, compared with the same transfer "Without NetScaler SD-WAN")
Key Notes:
• WANOP Edition's adaptive compression technology works between appliance pairs residing on opposite ends of a WAN connection to reduce WAN bandwidth requirements. It uses multiple
• traverse the conditions of the Wide Area Network, and if the applications were not designed for high latency, loss, and congested networks, the end user performance would suffer.
• NetScaler SD-WAN WANOP Edition uses several standard compression algorithms to reduce the size of data as it moves across the WAN. SD-WAN also maintains a compression history that is shared across connections. This means that data sent earlier by one connection can be used later to optimize traffic flowing over another connection. Smaller data streams that are seen frequently are stored in memory for low-latency access. Larger data streams, such as bulk file transfers, are stored on disk. This large-history, multi-session compression technology erases the distinction between compressible and uncompressible data. For example, a JPEG image is normally considered uncompressible. However, when sent multiple times, the entire image can be replaced by a pointer to the data already in the receiving appliance's compression history, resulting in significant bandwidth savings.
• SD-WAN is not limited to referencing entire file objects. By leveraging pattern matching down to the block and byte level, it can also remove redundant data transmitted across different files and applications.
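A worked illustration of the shared compression history described above: a block history kept in sync on both appliances, so a block seen on one connection is replaced by a short pointer on any later connection, and an object like the "JPEG" example is sent once in full and thereafter as pointers, while a different file that shares blocks with it is only partly sent. This is an added example, not Citrix code; the 64-byte block size, the 8-byte hash pointer and the token format are assumptions (real appliances match at finer granularity and use their own wire format), and the payloads are constructed.

```python
import hashlib
import random
from typing import Dict, List, Tuple

BLOCK = 64          # history block size in bytes (assumption for the illustration)
HASH_LEN = 8        # bytes of SHA-256 used as the pointer (assumption)
LITERAL, POINTER = b"L", b"P"


class CompressionHistory:
    """Block history shared by every connection between one appliance pair.
    Sender and receiver each keep their own copy and update it identically."""
    def __init__(self) -> None:
        self.blocks: Dict[bytes, bytes] = {}

    @staticmethod
    def key(block: bytes) -> bytes:
        return hashlib.sha256(block).digest()[:HASH_LEN]


def encode(history: CompressionHistory, payload: bytes) -> List[bytes]:
    """Replace every block already in the history with a pointer token;
    send unseen blocks as literals and record them for later connections."""
    tokens = []
    for i in range(0, len(payload), BLOCK):
        block = payload[i:i + BLOCK]
        k = history.key(block)
        if history.blocks.get(k) == block:         # equality check guards the truncated hash
            tokens.append(POINTER + k)
        else:
            history.blocks[k] = block
            tokens.append(LITERAL + len(block).to_bytes(2, "big") + block)
    return tokens


def decode(history: CompressionHistory, tokens: List[bytes]) -> bytes:
    """Receiver side: expand pointers from its history, learn literals into it."""
    out = bytearray()
    for token in tokens:
        if token[:1] == POINTER:
            out += history.blocks[token[1:]]
        else:
            length = int.from_bytes(token[1:3], "big")
            block = token[3:3 + length]
            history.blocks[history.key(block)] = block
            out += block
    return bytes(out)


def transfer(sender: CompressionHistory, receiver: CompressionHistory,
             payload: bytes) -> Tuple[int, bytes]:
    """One connection's transfer; returns bytes on the wire and the reconstruction."""
    tokens = encode(sender, payload)
    return sum(len(t) for t in tokens), decode(receiver, tokens)


def run_demo() -> dict:
    """Constructed data: a 4 KB pseudo-random blob standing in for an
    incompressible JPEG, sent on two connections, then a document that shares
    its first half with the image and is otherwise zero-filled."""
    sender, receiver = CompressionHistory(), CompressionHistory()
    rng = random.Random(1)
    image = bytes(rng.getrandbits(8) for _ in range(4096))
    report = image[:2048] + bytes(2048)
    first_wire, first_out = transfer(sender, receiver, image)     # connection A
    repeat_wire, repeat_out = transfer(sender, receiver, image)   # connection B, later
    partial_wire, partial_out = transfer(sender, receiver, report)
    return {
        "lossless": first_out == image and repeat_out == image and partial_out == report,
        "first": first_wire,      # 64 literals: 4096 bytes plus framing
        "repeat": repeat_wire,    # 64 pointers of 9 bytes each
        "partial": partial_wire,  # 32 pointers, one zero literal, 31 pointers to it
    }
```

The second transfer of the image costs 576 bytes on the wire instead of 4288, and the half-shared report 634, which is the "pointer to data already in the receiving appliance's compression history" effect in miniature. The sender's equality check matters: a pointer is only safe when the sender is sure the receiver holds exactly that block, so a production design would also verify history synchronisation on the receiver rather than trust the truncated hash.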
E. Quality of Service
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
NetScaler SD-WAN Enterprise Edition (EE)
Key Notes:
• NetScaler SD-WAN WANOP Edition provides application acceleration, data reduction and
• Enterprise Edition users will need one Standard appliance and one WANOP appliance in the data center. In the branch office, you will need just one Enterprise Edition appliance, which combines WAN optimization and virtual WAN functions into a single appliance for the branch.
(Diagram: Remote SD-WAN-EE to Data Center or Cloud)
Key Notes:
• Take what you have learned about Standard Edition and WANOP Edition and apply all that to
• network links. But it also uses the techniques of WANOP Edition to make better use of the available "aggregated" bandwidth.
• The diagram here is again a very simple representation of a two-site example utilizing a pair of appliances, but with the SD-WAN product portfolio you can utilize a mix and match of hardware to accomplish whatever challenges your network may face. For example, you can utilize separate hardware Standard Edition and WANOP Edition at the data center to communicate with any one of the appliances, even a single Enterprise Edition at the branch offices. Enterprise Edition is specifically targeting remote sites that are in need of streamlining their operational and
• The Enterprise Edition appliance is the "all-in-one" solution that provides reliable and robust connectivity from branch to data center, branch to branch or branch to cloud.
0
Built in integration with Citrix XenApp and
XenDesktop traffic for HDX channel steering and
optimization
• Results turbo-charged end-user experience
XenApp
SO-WAN-EE
Remote
XenDesktop
N
ot
fo
CiTR!X
rr
Key Notes:
es
• NetScaler SD-WAN has built-in integration with Citrix XenApp and XenDesktop traffic and also
• then handed off to the built-in path measurement engine to deliver the individual sessions to the paths that will best deliver a reliable and high-performing end-user experience.
• Enterprise Edition appliances are the "all-in-one" solution that provides reliable and robust connectivity from branch to data center, branch to branch or branch to cloud.
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
• The answer is False. NetScaler SD-WAN provides the WAN link bonding and resiliency, where
• Application Visibility
• Historical Reporting
• SD-WAN Orchestration
• WAN Path Analytics
• Zero Touch Deployment Service
Key Notes:
• NetScaler SD-WAN management tools aid in deployment, configuration, analytics, and reporting around a network environment where partner devices residing in numerous remote offices is a requirement.
• NetScaler Management Analytics System (MAS) will be the single centralized system for all the listed management functions. Where previously Citrix Command Center and NetScaler Insight Center were used separately to handle the Orchestration and Application Visibility of WANOP and Enterprise Edition, that responsibility has now been seamlessly integrated into NetScaler MAS.
• NetScaler SD-WAN Center is used exclusively to handle Orchestration, WAN Path Visibility, and Zero Touch Deployments of Standard & Enterprise Edition. Eventually these functions will also be seamlessly integrated into NetScaler MAS.
• NetScaler MAS will act as a single centralized system for configuring the network and application policies, monitoring, reporting and analytics, in addition to Zero Touch deployment capability.
[Diagram: NetScaler MAS managing NetScaler Gateway, SD-WAN-WO, SD-WAN-EE and SD-WAN-SE across the Remote site and Data Center or Cloud]
Key Notes:
• With NetScaler products in any environment, the capability of exporting Application Flow records to a collector like NetScaler MAS is significant when dealing with application performance issues that need deep investigation. NetScaler MAS aids in making applications more transparent and provides granular detail that helps Admins converge on a segment of the network as opposed to troubleshooting end-to-end.
• For the HDX protocol in particular, integrated data collection is laid out in an easy-to-read topology to help with hop-by-hop visibility.
• WANOP or Enterprise Edition at the branch and WANOP Edition at the data center provide Layer 4 visibility for ICA.
• Standard Edition at the branch and Standard Edition at the data center, aided by NetScaler
• It's important to understand that ICA information needs to come from a single device in the network while the L4 information is supplied by every device.
• ICA information needs to come from SD-WAN WANOP Edition or NetScaler Gateway, depending on the deployment and devices being used.
• MAS visibility requires (AppFlow)
• for MDX visibility
• WO editions x2
• or Standard Edition with NSG doing AppFlow reporting
• or Enterprise Edition…
[Diagram: NetScaler MAS with SD-WAN-WO, SD-WAN-EE and SD-WAN-SE across the Remote site and Data Center or Cloud]
NetScaler SD-WAN Center
Zero Touch Deployment Service
[Diagram: SD-WAN-EE and SD-WAN-SE across the Remote site and Data Center or Cloud]
Key Notes:
• SD-WAN Center provides centralized management, configuration, monitoring and reporting for SD-WAN appliances.
Lesson Objective
Review
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
Lesson Objective
Review
Correct Answer: False
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
• False, the NetScaler SD-WAN solution requires partner appliances to establish either optimized
manage
Key Notes:
• Appliances start in "client mode"; this allows for "local" configuration that is appliance specific.
• MCN provides for centralized configuration and configuration/update distribution.
• Only 1 active MCN in a virtual WAN; but a secondary MCN can be deployed for resiliency (HA).
• PRIMARY Purpose: establish/utilize virtual paths (control the virtual WAN (SD-WAN) site topology).
Key Notes:
• The Optional Self Study exercises are added to allow students to continue the hands-on experience outside of class time. You are given 30 days of access to the lab environment and can go in at any time and complete these labs.
• This is a read-only module and is a great one to review at a later time to examine the installation design.
[Diagram: Hypervisor and Bare Metal appliance architectures]
Key Notes:
• WANOP Edition virtual machine support: XenServer, ESXi, and Hyper-V since at least the 9.1 Software Release.
• NetScaler SD-WAN Editions can either be hypervisor based, powered by XenServer, or can run directly on bare metal.
• We will take a look at the architecture for each and highlight the differences.
XenServer Hypervisor
[Diagram: virtual machines over vSwitches on the XenServer hypervisor; Hardware: Mgmt. Network Interfaces, Memory, CPU, Data Network Interfaces, SSD]
Key Notes:
• Devices with primary focus on hypervisor based: 1000, 1100*, 2000, 2100
[Diagram: Software (SD-WAN-SE, Virtual WAN VPX) installed directly on Hardware: Mgmt Network Interfaces, SSD, Memory, CPU, Data Network Interfaces]
Key Notes:
• Here the software is installed directly on the hardware, which yields better performance. Due to this you will see more SD-WAN appliance options as bare metal.
• Devices with primary focus on bare metal: 210*, 410, 4100*, 5100
• The bare metal architecture is currently shipping only with the 410 Standard Edition appliances, but expect to see more appliances shipping as bare metal.
• The upgrade procedure for bare metal requires less attention as only the software gets updated and an OS upgrade is not required.
[Diagram: appliance ports: Management port, Serial, Data ports as fail-to-wire pairs; 5100-SE (Front view): Management port, Data ports]
Key Notes:
• Regardless of the internal architecture, and irrespective of the Edition, all SD-WAN appliances
• Depending on the model, the interfaces for management and data may reside on either the
• As an example, let's take a look at the 410-SE appliance with interfaces on the rear of the chassis.
• Data interfaces are paired together to provide fail-to-wire capabilities, and are separated from management interfaces, both physically and via the internal architecture as illustrated earlier.
• Management interfaces include both Ethernet and Serial port, providing different options to
• Optionally, configuration can be accomplished utilizing Zero Touch Deployment. Only certain SD-WAN appliances, like this 410-SE, ship from the factory with DHCP enabled so that the appliance can IP address itself on the Management port as soon as it boots up and connects to the network. If DHCP is not available, then the appliance defaults to a 192.168.100.1 IP address for manual GUI access.
• As another example, let's take a look at the 5100 appliance with interfaces on the front of the chassis.
• Again, management interfaces and paired bypass-capable data interfaces are available. Reference the NetScaler SD-WAN Data Sheet for further specs on interfaces, which vary between platforms. In the case of the 5100 it uses fiber interfaces on the data ports and uses fail-to-glass technology to accomplish the bypass.
• Regardless of whether DHCP is enabled or not on the management interface, the default IP address of any SD-WAN appliance is 192.168.100.1 in factory default state. That IP should
75 © 2018 Citrix Authorized Content CITRIX
Data Interfaces with built-in Bypass
• Paired interfaces with "fail-to-wire"
• Fault-tolerance hardware feature
• High Availability for Data Center
• Fail-to-wire for Branch Offices
Key Notes:
• Let us dive a little deeper into the data ports or interfaces and the functionality of (2) paired interfaces configured in bypass or "fail-to-wire" mode. We will need to consider the different editions of SD-WAN to better understand this.
networking hardware that protects essential business communication in the event of power outage and/or system failure. More importantly it eliminates the need for redundant hardware deployed at the data center, utilizing the high availability capability. This is because if the head-end appliance becomes unavailable, the impact is network-wide since all remote sites typically rely on the data center for applications or data.
• But generally speaking, other sites are not dependent on the branch office site, and if a remote site loses SD-WAN capability, the impact is not severe. This is where hardware bypass comes into the picture, allowing for that particular site to still have connectivity utilizing the existing underlay network.
• Don't be mistaken however, hardware bypass is also useful at the data center locations, and is not a feature limited to the branch office. Also high availability is available at remote sites for deployment, if the network requires it.
• Similarly, NetScaler SD-WAN hardware deployed to virtualize multiple WAN links utilizes the bypass capability of the hardware to guarantee network connectivity during issues, and the bypass capability provides enough fail-safe in some scenarios, eliminating the need for high availability.
[Diagram: WANOP fail-to-wire: Hosts, Core, Router]
Key Notes:
• Let's take a look at a remote site deployment to showcase the hardware bypass capability and the WANOP Edition has been chosen to optimize a single WAN link.
• In order to utilize the hardware bypass capability, SD-WAN WANOP needs to be deployed right in the path of the data flow, normally between the core switch and the WAN edge router. Reference the NetScaler SD-WAN documentation for interface naming and pair association.
• When the appliance is up and active, the traffic is processed by the SD-WAN engine and after processing is sent right out of the partner data interface.
• When the appliance goes down, the packet processing capability is no longer active, and the appliance bypass relays detect that and immediately kick into a closed state to connect the two ends.
• From the perspective of the network, it is as if the SD-WAN is not in the path at all and traffic flow resumes on the underlay network.
[Diagram: branch site with two fail-to-wire pairs: Hosts, Core, Firewall, Router]
Key Notes:
• Let's take a look at a simple depiction of the network components that make up a branch site,
• Similar to WANOP, SD-WAN Standard and Enterprise Edition need to be deployed right in the path of the data flow in order to utilize the hardware bypass capability. Again, the normal deployment for inline is between the core switch and the WAN edge devices. Reference the
• When the appliances are up and active, the traffic is being processed by the SD-WAN engine
• Standard and Enterprise Editions are unique in that interfaces can be identified as paired and enabled for fail-to-wire, or identified as single and configured for fail-to-block.
• In this example, there are two links between the core switch and the WAN edge devices, so fail-to-wire can be enabled on both interface pairs that are sitting in the path of traffic.
• When the appliance goes down, the packet processing capability is no longer active, and the appliance fail-to-wire relays detect that and immediately kick in to close the connection between the two interfaces. From the perspective of the network, it is as if the SD-WAN is not in the path at all and traffic flow resumes on the underlay network.
Lesson Objective Review
a) There is no default IP
b) 192.168.100.1
c) 192.168.1.1
d) 172.168.0.1
e) None of the above
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
Lesson Objective Review
a) There is no default IP
b) 192.168.100.1
c) 192.168.1.1
d) 172.168.0.1
e) None of the above
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
[Diagram: customer environment with branch sites (Branch C) and Data Center]
Key Notes:
• Taking a closer look at what it takes to configure NetScaler SD-WAN Standard Edition and Enterprise Edition appliances in this example of a very simple yet common customer environment.
• Once it is determined that Standard Edition, and Enterprise Edition alike, will be used to address a customer's application delivery needs, the first step is to architect the environment and select the appropriate devices per location. This is done through a sizing exercise to determine what total WAN capacity is expected at each location and the appropriate appliance that fits the need. The NetScaler SD-WAN Data Sheet should be used to obtain the latest performance specs. Do a web search for "NetScaler SD-WAN Data Sheet"
at that site as well as the upload and download speed per WAN link.
• As an example, let us say the MPLS WAN link is measured at 100Mbps up/down and the INET WAN link is measured at 1Gbps. We also have the added knowledge that the customer quickly expects to grow with the potential of adding another 4Gbps of Internet capacity in the coming 5 years. The number of remote sites is also important to understand for sizing, but let's set that aside for now.
• With the provided detail we can quickly determine that a 5100-2000 Standard Edition appliance is needed with a 2Gbps license file to support the 1.5Gbps of total WAN capacity. That appliance will also allow for more capacity using the license pay-grow model to jump up in bandwidth simply by purchasing a larger license later down the line when needed, without having to upgrade the hardware.
• Let's go through the same exercise with Branch A; we can see that we need a total WAN capacity of 60Mbps to accommodate the higher download speeds.
• And with that determine that a 410-100-SE would be appropriate.
Configuration Editor for Standard and Enterprise
[Screenshot: Configuration Editor tree: Sites (Branch B, Branch Azure), Basic Settings, Routing Domains, Interface Groups, Virtual IP Addresses, GRE Tunnels, WAN Links, Certificates, High Availability; menus: Network Discovery, Network Configuration, Appliance Settings]
[Diagram: Branch A, Branch B, Central Controller (NetScaler SD-WAN Center), Firewall, MCN (SD-WAN 5100-2000-SE), Data Center]
Key Notes:
• The Standard and Enterprise Edition appliance architecture is designed to act like a layer 3 router. From the perspective of end hosts it is an encrypted tunnel that enables reliable connectivity between sites, but from the perspective of the network, SD-WAN takes full control of packet delivery across the Wide Area Network segment. We will get into detail of the
• An MCN-promoted appliance reveals an option in the GUI called "Configuration Editor".
• NetScaler SD-WAN Center can also be deployed on-prem to act as the central controller, which not only communicates with the MCN, but also with the Branch office SD-WAN appliances.
• Both SD-WAN Center and the MCN have the Configuration Editor, where the configuration can be built to identify the WAN link detail of the Data Center site, as well as the branch sites, which are known as Client Nodes. The individual appliance GUI for the Client Nodes is identical to the MCN node, but will lack the Configuration Editor and Change Management components.
• A configuration file can be built and imported from an active MCN into SD-WAN Center and also vice versa, a configuration can be built and imported from SD-WAN Center to the MCN.
• The Configuration Editor manages the SD-WAN architecture for each site device that is intended to operate on the SD-WAN overlay network. Details of each site include device model, routing domains, interface usage, WAN links with specific speeds and high availability for each site. Change Management is then used to build the configuration and software package for each specific SD-WAN deployed site.
[Diagram: SD-WAN 5000-1500-WO at the Data Center; Data Center WAN Links]
Key Notes:
appliances. We will again use a very simple yet common customer environment as an example. One thing to point out is that generally WANOP Edition is deployed to enhance the network delivery capability of a single WAN link as illustrated in this example, but it can be deployed behind multiple WAN links; it just lacks the intelligence to distinguish between the two and treats them as one.
• Once it is determined that WANOP Edition will be used to address a customer's application delivery needs, again the first step is to architect the environment and select the appropriate devices per location. This is done through a sizing exercise to determine the WAN capacity expected at each location and the appropriate appliance that fits the need. The NetScaler SD-WAN Data Sheet should be used to obtain the latest performance specs. Do a web search for "NetScaler SD-WAN Data Sheet" and you will find the latest PDF online.
• Starting at the Data Center site, we need to determine the upload and download speed associated with the WAN link.
• As an example, let us say the MPLS WAN link is measured at 1Gbps up/down. With WANOP we should also consider the number of concurrent HDX and TCP sessions expected to flow through the single appliance. For this example, we will expect 3,500 concurrent HDX sessions.
• With those numbers, we can quickly determine that the 5000 WANOP appliance with 1.5Gbps capacity is the most appropriate for this site.
• Let's go through the same exercise with Branch A, where we see a 10Mbps download capability, and 50 users at this site, each capable of issuing 2 HDX sessions for XenApp and XenDesktop, totaling an aggregate of 100 HDX sessions that can potentially be seen.
• And with that we can determine that a 2000-010-WO would be most appropriate.
• Branch B, having fewer users and an expectation of 60 concurrent HDX sessions, can be sized with a smaller 1000-006-WO appliance.
Configuration Management for WANOP Edition
LAN Link: Bandwidth In: 1 Gbps, Bandwidth Out: 1 Gbps
WAN Link: Bandwidth In: 5.7 Mbps, Bandwidth Out: 950 Kbps
[Diagram: Admin at the branch, Data Center; filter rule Adapter / Src: 192.168.1.0/16]
Key Notes:
• Next we will focus on what it takes to configure and manage this WANOP architecture. Unlike the Standard and Enterprise Edition, there is no concept of promoting an appliance as the head-office appliance, mainly due to the nature of the packet flow architecture, which we will go into in detail later. The technology on WANOP is significantly simpler in design and transparently sits
• installers at each location IP address the appliances for management and cable them in the path of traffic.
• In addition to uploading a license file per appliance, one of the key configuration tasks is to identify which interface is WAN facing and to configure the link to 90 to 95% of the nominal WAN
• To exercise the proper configuration of the WANOP Edition appliances, let us first focus on Branch A and acknowledge a 1 Mbps upload speed and a 6 Mbps download speed, so that the local Admin connected the apA.1 interface to the WAN Router, and apA.2 to the Core switch. With that detail, the Link Definitions for that specific appliance are configured by the local admin to the appropriate speed of 95% of the WAN speed measurement.
• The link identified as facing the WAN will be edited with an appropriate Name to identify the interface, link type defined as WAN, Bandwidth In as 5.7 Mbps, which is 95% of the measured 6 Mbps download, Bandwidth Out set to 950 kbps, again 95% of the measured 1 Mbps, and Filter Rules with simply apA.1 selected as the adapter since the Admin identified that as the WAN-facing interface which was cabled.
• The link identified as facing the LAN will also be edited with an appropriate Name, link type defined as LAN, Bandwidth In and Out as 1 Gbps since there is no need to throttle on the LAN, and adapter selected as apA.2, which is the other interface identified by the admin during cabling.
Configuration Management for WANOP Edition
• NetScaler MAS System
• User and Application
• Quickly converge
[Diagram: Admin, SD-WAN-WO]
Key Notes:
• SD-WAN WANOP Edition currently does not support Zero Touch Deployment Services, and is reliant on a knowledgeable on-site installer to get the appliance online for GUI accessibility.
• Management of each individual appliance and virtual appliance can be performed from the local GUI access, but the majority of the administrative work can be significantly consolidated utilizing NetScaler MAS to streamline the workflow and configuration changes. Keep updated with added support capabilities, but currently the NetScaler SD-WAN WANOP and Enterprise
• As long as NetScaler MAS has IP connectivity to the management IP address of the devices for communication, the Admin can add the online SD-WAN devices to the infrastructure
• Configuration Management – which enables custom and built-in job creation that can push configuration to the individual or collective devices
• Certification Management – allowing for central management of all SSL certificates
• Application Management – for reporting and customization of application definitions
• StyleBooks – powerful templates which simplify the task of managing complex NetScaler configuration
• Analytics – for visibility into HDX, Web and WAN insight
• Event Management – enabling customization and thresholds for alerting
• Authentication – for RADIUS, LDAP, TACACS capability
• And lastly, management of the NetScaler MAS System itself
• Visibility into the network is an extremely powerful tool, which is enabled through NetScaler
Management for Hybrid SD-WAN Environment
[Diagram: Branch A, Branch B, Branch D and Data Center]
Key Notes:
• All SD-WAN Editions are capable of coexisting with one another in the same environment.
• Sites with application delivery issues that benefit from optimizing a single WAN link can have SD-WAN WANOP deployed.
• Sites with multiple WAN links can benefit from a reliable network using Standard Edition.
• Sites with multiple WAN links and needs for application optimization can be equipped with Enterprise Edition.
• Cloud environments can be joined to the SD-WAN overlay network with Standard Edition instances.
• All the different SD-WAN editions at each site can terminate to the data center, with a dual edition setup:
• SD-WAN Standard Edition to partner with the remote sites with Standard Edition and Enterprise Edition models for virtualizing the WAN and making full use of the various WAN links, and an SD-WAN WANOP Edition right behind that to partner with the remote sites with WANOP Edition and the WANOP component built into Enterprise Edition.
• In this Hybrid environment, we will need both…
• NetScaler SD-WAN Center to manage the WAN Virtualization devices and NetScaler MAS to manage the WAN Optimization devices.
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
Key Notes:
• SD-WAN has an integrated Deep Packet Inspection (DPI) library that enables real-time discovery and classification of applications. Using the DPI technology, the SD-WAN appliance analyses the incoming packet and classifies it as belonging to a particular application or application family.
• NetScaler SD-WAN also has the ability to classify the following features of HDX traffic as ICA:
• ICA
• ICA-CGP
• Multi-Stream ICA
[Diagram: Standard Edition (SE), Enterprise Edition (EE), WANOP Edition (WO); Router, Switch]
Key Notes:
• Because of the technical differences between the editions of SD-WAN, one must be aware of the packet flow architecture, which can be useful in troubleshooting and for deployment of the SD-WAN solution.
• Recall that Standard Edition and Enterprise Edition are built with similar capabilities of providing link bonding and resiliency leveraging multiple WAN links. And with that functionality
• And the WANOP Edition along with the WANOP component of Enterprise Edition are built with similar capabilities of providing TCP optimization of applications across a single WAN link, and with that functionality behave similar to a Layer 2 switch. When we look closer at the internal architecture of the Enterprise Edition, you will understand how it fits in both classifications.
[Diagram: WANOP packet flow: Client, Switch, SD-WAN-WO, Router, Router, Switch, Server]
Key Notes:
• Beware of Firewall
• Needs to be disabled
• MSS adjustments
• Network Asymmetry
happens to flow across the appliance's interfaces. The first three packets of the beginning of any TCP session, also known as the initial TCP handshake, determine if that session will accelerate or not. Sessions that are deemed unaccelerated simply pass through the appliance as they normally would in a network. Sessions that are deemed accelerated benefit from TCP optimization, compression and deduplication, which provide an improved user experience to end users that would otherwise be subject to the poor network conditions of the WAN.
• So let's take a look at how that acceleration state is determined, by looking at a Client host communicating to a Server across a Wide Area Network.
• With a pair of WANOP Edition appliances placed in the traffic path, the initial TCP three-way handshake flows through the appliances before hitting the end devices.
• With WANOP being in the path, the session is broken out into three segments:
• The Client LAN Segment. Also known as the Fast Side
• The WAN Segment. Also known as the Slow Side
window scale advertisement, but the original source and destination along with
has the capability to identify that this packet came from a partner device by
the packet back into the original state, it makes one minor change in the sequence
own identification options in the header and makes the same MSS and window scale adjustments
• The partner appliance sees and stores the options from its partner, remembers that this was for a flow initially sent out for acceleration, and marks the connection as accelerated.
• Similarly, before sending to the end host, the options are stripped and 2 billion is added to the sequence number. This is purposely done at both ends, so that packets that flow around either of the WANOP devices will not be accepted by the end hosts.
• The handshake is completed, with the client returning the acknowledgment packet.
• The method the WANOP Edition appliances use to communicate optimization attempts is designed to make the solution transparent and eliminate the pre-work required to establish pairing between the boxes. It is designed so that any WANOP box can communicate with any other WANOP box as long as it sees symmetric traffic flow between the pair, with no tunnel required.
• But this method of processing packets for acceleration is subject to failure if there are firewall devices in between the WANOP pairs that strip the TCP options from the packet, or if there are devices in between that randomize sequence numbers for security purposes, or even if there are VPN devices that have a lower MSS than the 1380 which SD-WAN uses. And if packets don't flow through both appliances symmetrically then the WANOP cannot establish. There is no routing capability on WANOP Edition, so it is heavily dependent on being in the path of every packet.
• Understanding this packet flow, and using the on-board packet capturing capability in the GUI, can help root cause initial deployment issues.
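The handshake described in these notes, modelled as an added example (constructed here, not Citrix code): a branch and a data center WANOP appliance tag the SYN and SYN-ACK with an identification option, the far side strips it and adds 2 billion to the sequence number, and a firewall that strips TCP options leaves the flow as pass-through. Appliance names, the option name and the WAN filter are assumptions; the 2 billion offset and the 1380 MSS are the values the notes give.

```python
"""Model of the WANOP Edition acceleration handshake (constructed example)."""
from dataclasses import dataclass, field, replace

SEQ_OFFSET = 2_000_000_000     # "2 billion is added to the sequence number" at both ends
WANOP_MSS = 1380               # MSS the notes say SD-WAN uses on the WAN segment
MOD32 = 1 << 32                # TCP sequence numbers wrap at 2^32
OPTION = "wanop-id"            # hypothetical name for the identification TCP option


@dataclass
class Packet:
    src: str
    dst: str
    flags: str                 # "SYN", "SYN-ACK", "ACK" or "DATA"
    seq: int
    mss: int = 1460
    options: dict = field(default_factory=dict)

    def copy(self):
        return replace(self, options=dict(self.options))


def flow_key(pkt):
    return frozenset((pkt.src, pkt.dst))


class WanopAppliance:
    """Inline WANOP box with no routing: it only sees what crosses its interface pair."""

    def __init__(self, name):
        self.name = name
        self.accelerated = set()   # flows on which a partner's option was seen

    def to_wan(self, pkt):
        """LAN -> WAN: tag every SYN; tag a SYN-ACK only if the SYN came from a
        partner. Tagging also clamps the MSS for the WAN segment."""
        p = pkt.copy()
        if p.flags == "SYN" or (p.flags == "SYN-ACK" and flow_key(p) in self.accelerated):
            p.options[OPTION] = self.name
            p.mss = min(p.mss, WANOP_MSS)
        return p

    def to_lan(self, pkt):
        """WAN -> LAN: a partner option on SYN/SYN-ACK marks the flow accelerated;
        the option is stripped and the sequence number offset before the host sees it."""
        p = pkt.copy()
        partner = p.options.pop(OPTION, None)
        if partner is not None and p.flags in ("SYN", "SYN-ACK"):
            self.accelerated.add(flow_key(p))
            p.seq = (p.seq + SEQ_OFFSET) % MOD32
        return p


def wan_segment(pkt, strip_options=False):
    """Constructed WAN between the pair, optionally with a firewall that strips
    TCP options it does not know, one of the failure modes the notes list."""
    p = pkt.copy()
    if strip_options:
        p.options.clear()
    return p


class Host:
    """End-host view of one connection: remembers the peer's next expected
    sequence number and accepts only segments inside its receive window."""

    def __init__(self, isn, window=65535):
        self.isn, self.window, self.rcv_nxt = isn, window, None

    def on_syn(self, pkt):
        self.rcv_nxt = (pkt.seq + 1) % MOD32    # a SYN consumes one sequence number

    def accepts(self, pkt):
        return (pkt.seq - self.rcv_nxt) % MOD32 < self.window


def run_handshake(strip_options=False):
    """Run the three-way handshake through both appliances and report the outcome."""
    client, server = Host(isn=1000), Host(isn=5000)
    branch, dc = WanopAppliance("wanop-branch"), WanopAppliance("wanop-dc")
    # 1. client SYN -> branch appliance -> WAN -> DC appliance -> server
    syn = Packet("client", "server", "SYN", client.isn)
    syn = dc.to_lan(wan_segment(branch.to_wan(syn), strip_options))
    server.on_syn(syn)
    # 2. server SYN-ACK -> DC appliance -> WAN -> branch appliance -> client
    synack = Packet("server", "client", "SYN-ACK", server.isn)
    synack = branch.to_lan(wan_segment(dc.to_wan(synack), strip_options))
    client.on_syn(synack)
    # 3. client ACK completes the handshake along the same symmetric path
    ack = Packet("client", "server", "ACK", (client.isn + 1) % MOD32)
    dc.to_lan(wan_segment(branch.to_wan(ack), strip_options))
    key = flow_key(syn)
    # 4. a server data segment that routes around the branch appliance (asymmetric
    #    path) carries a sequence number 2 billion away from what the client expects
    bypass = Packet("server", "client", "DATA", (server.isn + 1) % MOD32)
    return {
        "accelerated": key in branch.accelerated and key in dc.accelerated,
        "server_sees_offset": server.rcv_nxt == (client.isn + SEQ_OFFSET + 1) % MOD32,
        "bypass_data_accepted": client.accepts(bypass),
    }
```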
Packet Processing for Enterprise Edition
[Diagram: Client, Switch, Router, Firewall, Internet, Firewall, Router, Switch, Server]
Key Notes:
• Standard Edition appliances process packets very similarly to a router, regardless of TCP or UDP. SD-WAN Standard Edition leverages a route table that determines the next hop for an incoming packet to be delivered to the destination address. The unique capability of Standard Edition is its ability to make an adjustment on the delivery path based on network conditions of the
• Next hops are adjusted on the fly for every packet, and a single session can be delivered across multiple paths. Packets for a single session can be delivered across paths of various different conditions because of SD-WAN's Transport Reliable Protocol (TRP) and packet reordering capabilities, which make sure the receiving device is delivering packets to the end host as they would expect them and not out of order. Virtualizing the WAN is only accomplished by this unique packet processing capability of SD-WAN.
• Let's take a look at the packet flow between client and server host across the Wide Area Network when Standard or Enterprise Edition is in the path.
• Again the network is broken up into three segments:
• The Client LAN Segment
• The Virtual WAN Segment, which is the virtualized path since all paths are available to the SD-WAN devices for packet delivery, regardless of what underlay path the packet would normally take
• With the destination address identified in the SD-WAN route table, the intercepted packet will be assessed for priority based on the application's defined class, then
delivered across the path that best matches the application, with jitter, latency and
source and destination that forces the underlay network to deliver across the path
MPLS path is chosen, the destination of the outer UDP packet can be the partner SD-WAN's VIP assigned to the MPLS WAN Link.
• If the Internet path is chosen, the destination will be the static public IP picked up at the WAN edge of the firewall. A one-to-one NAT would be needed to port forward the UDP packet to the partner SD-WAN's VIP address assigned to the
• If the public internet path was taken, this is where SD-WAN dynamically learns the dynamic public IP of the branch office site for the UDP envelope, and stores it for the return traffic flow destined for the same WAN path.
• As the packet exits the SD-WAN tunnel, it returns to the same state as it was when it first entered the tunnel, in the TCP or UDP form. Any packets that were broken up to fit inside the SD-WAN tunnel are reassembled, and any packets that arrived out of order are buffered to make sure the end host doesn't receive any unexpected packets that would interrupt the communication flow.
• The returning flow from the server goes through the same operation, source and destination being Server to Client.
• SD-WAN analyzes the packet for application class against the conditions of available WAN links, then determines the best matching path, then encapsulates the packet in a UDP envelope with outer source and destination being changed to SD-WAN Virtual IP addresses based on the desired path.
• On the Internet path, the dynamic public IP of the branch is used, which was learned earlier.
• As the packet arrives at the original SD-WAN, the packet exits the tunnel in its original format, and again reassembly and buffering is applied if needed.
• The challenges that are typically encountered with this form of packet processing occur during the initial installation. The SD-WAN communication between VIP
addresses easily establishes across the private MPLS lines, because of the direct
communication between IPs on the private network. Public Internet lines typically
pose challenges, usually because the Firewalls are not configured properly to
allow the traffic through, and/or are not NATing the traffic accordingly.
Understanding this packet flow, and using the on-board packet capturing capability
in the GUI can help root cause.
Packet Processing for Enterprise Edition
(Slide diagram: Client, Router, Enterprise Edition, Router, Server)
Key Notes:
appliance solution at each location, with WANOP sitting on the LAN side of Standard Edition. WANOP would not be able to sit on the WAN side because of the UDP tunnel formed by Standard Edition, which would hinder any optimization attempts.
• Traffic flow that is subject to the packet processing of both sets of devices will segment the
• Client to WANOP
• WANOP to Server
• Now let us follow the path of the packet to understand the different state changes of the packet traversing this setup.
• Like before, we will start with the client sending out the first SYN packet for a TCP session.
• The first WANOP device will alter the packet, with MSS, WinScale, and identification options in the header field, while keeping the source and destination unchanged.
• As the Standard Edition device receives the packet, it will determine the best WAN path and encapsulate it in UDP, changing the outer packet to a new source and destination to a partner SD-WAN Virtual IP.
• The packet that exits the tunnel is delivered to the partner WANOP device with the options intact, which will enable the acceleration of that flow.
• Lastly the original packet arrives, with destination to the server host, with one slight change of two billion being added to the sequence number.
appliance that performs this packet processing capability. Primarily this solution is targeted for the branch office locations, since there are typically numerous of them and hardware consolidation is a more compelling story there. Enterprise Edition may be deployed at the data center as well, but it is not recommended due to scale requirements at the data center. A two-appliance solution at that head-end is recommended.
Transport Reliable Protocol
• Every encapsulated UDP packet includes TRP
• TRP adds 49 bytes to every packet
• Enabling sub-second traffic redirection
• Loss mitigation
• Packet ordering
• Packet aggregation
• TRP probes during lack of traffic
• MTU auto detect
(Slide diagram, encapsulated packet layout: Ethernet header, IP header, UDP header, TRP header, Aggregated header, Customer packet 1 with flow header, Customer packet 2 with flow header, Trailer)
Key Notes:
• The Transport Reliable Protocol, also known as TRP, is the technology that enables NetScaler SD-WAN to be the best SD-WAN technology on the market. Every packet that is processed by the SD-WAN and placed in the encapsulated envelope includes the TRP header, essentially making every packet on the SD-WAN overlay network a probe that continuously monitors health
• TRP adds a 49-byte header on every packet. This is the communication information between the MCN and the various client nodes that tracks what is happening on the WAN paths (BOWT, latency, loss, jitter), in addition to feedback from what's going on in other parts of the network. In here is the intelligence that allows the system to react at a sub-second level to condition changes on any one of the WAN paths that are being continuously monitored.
• Each UDP encapsulated packet not only contains timing information about the path, but also information about the next packet and its expected time of arrival. Responses to requests for lost packets have alternative paths of delivery to avoid loss. Loss within the Virtualized WAN is controlled: it does not cause congestion, jitter, or wasted bandwidth on the WAN. The SD-WAN node is far more orderly in how it handles congestion than traditional approaches, because of its knowledge of the network's ability and demands. TCP's congestion control, which pushes until loss occurs within the WAN, adversely affects other traffic, such as UDP voice traffic for example. The SD-WAN method prevents these negative side effects.
• The unique method of path measurement allows the functionality to work on TCP and UDP applications alike.
• TRP enables packet aggregation, which combines several packets together into one big packet, using a single set of UDP encapsulation to more efficiently utilize available bandwidth.
• If no traffic flow is available, SD-WAN will still send TRP packets at a rate of 1 every 50 ms.
• MTU is also automatically detected so that packets are not fragmented on the WAN.
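The reorder-and-buffer behaviour and the encapsulation overhead described in the notes above, as an added Python example (not Citrix code, not the product's implementation): a session is split per packet across two paths of different latency, the receiving side holds early arrivals until the sequence gap closes, and inner_mtu computes how much customer payload fits in one envelope once the 49-byte TRP header is added. The outer header layout, the two path latencies, the round-robin selector and the sample packets are constructed assumptions; the appliance itself chooses a path from measured conditions and class, which this toy selector does not model.

```python
"""Added example (not Citrix code): per-packet path selection with a
receive-side reorder buffer, and the encapsulation overhead arithmetic for
the 49-byte TRP header stated on the slide.

Assumptions (constructed for this example): an outer IPv4/UDP envelope, two
paths with fixed one-way latency, and a round-robin path selector.
"""
import heapq
from dataclasses import dataclass, field

# Outer envelope overhead in bytes. Ethernet is on the wire but not counted
# against the IP MTU; the 49-byte TRP figure comes from the slide.
IPV4_HDR = 20
UDP_HDR = 8
TRP_HDR = 49


def inner_mtu(wan_mtu: int = 1500) -> int:
    """Largest customer IP packet that fits in one envelope without being
    fragmented on the WAN (what MTU auto-detect is protecting)."""
    return wan_mtu - (IPV4_HDR + UDP_HDR + TRP_HDR)


@dataclass(order=True)
class Envelope:
    arrival_ms: float                     # when the far-end appliance sees it
    seq: int                              # session sequence stamped by sender
    payload: str = field(compare=False)
    path: str = field(compare=False)


@dataclass
class Path:
    name: str
    latency_ms: float


def choose_path(paths, seq):
    """Toy selector: alternate across the usable paths (assumption). The
    appliance itself chooses on measured latency/jitter/loss and class."""
    return paths[seq % len(paths)]


def send_session(payloads, paths, send_interval_ms=5.0):
    """Stamp each customer packet with a sequence number, send it down its
    chosen path, and return the envelopes in the order they arrive."""
    in_flight = []
    for seq, payload in enumerate(payloads):
        p = choose_path(paths, seq)
        arrival = seq * send_interval_ms + p.latency_ms
        heapq.heappush(in_flight, Envelope(arrival, seq, payload, p.name))
    return [heapq.heappop(in_flight) for _ in range(len(in_flight))]


class ReorderBuffer:
    """Receiving appliance: release packets to the LAN host strictly in
    sequence, holding early arrivals until the missing ones turn up."""

    def __init__(self):
        self.expected = 0
        self.held = {}
        self.released = []

    def receive(self, env):
        self.held[env.seq] = env.payload
        while self.expected in self.held:
            self.released.append(self.held.pop(self.expected))
            self.expected += 1


def deliver(payloads, paths):
    """Run one session end to end. Returns (wire arrival order, what the LAN
    host received, packets still waiting for a gap to close)."""
    arrivals = send_session(payloads, paths)
    buf = ReorderBuffer()
    for env in arrivals:
        buf.receive(env)
    return [e.seq for e in arrivals], buf.released, len(buf.held)


PATHS = [Path("MPLS", latency_ms=10.0), Path("Internet", latency_ms=30.0)]
PAYLOADS = [f"pkt{i}" for i in range(6)]  # constructed sample session

if __name__ == "__main__":
    wire, host, waiting = deliver(PAYLOADS, PATHS)
    print("inner MTU:", inner_mtu())
    print("arrival order on the wire:", wire)
    print("order delivered to host:", host, "still held:", waiting)
```

With the constructed latencies the MPLS packets overtake the Internet ones on the wire, so the receiver holds every second packet for a short time; the host still sees the session in order, which is the reordering guarantee the notes describe.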
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
Standard Edition (SE) / Enterprise Edition (EE)
• Virtual Path Service
• Intranet Service
• Passthrough Service
• Internet Service
(Slide diagram: the four Network Services available on SE and EE)
Key Notes:
• NetScaler SD-WAN Standard Edition and Enterprise Edition are built on the same code base,
• Network Services are logical sets of operations performed on network traffic that are designed to add value and improve end user satisfaction.
• Virtual Path Service – provides the tunnel capability across multiple WAN paths between two SD-WAN appliances. The Virtual Path provides a high service level by constantly measuring and
• Intranet Service – provides the capability for SD-WAN delivery to Intranet sites that do not have an appliance in place. This service uses the underlay network for delivery.
• Internet Service – provides SD-WAN delivery of traffic directly to the public Internet. This
Virtual Path
(Slide diagram: Remote SD-WAN-SE connected across the Virtual Path to the Data Center or Cloud SD-WAN-SE)
Key Notes:
• Traffic that is delivered between two SD-WAN Standard or Enterprise Edition appliances is
• The Virtual Path Service delivers the full value of the Virtualized WAN:
• Providing reliable connectivity between sites
• Actively managing traffic across multiple WAN links to create the end-to-end path intelligence
• The Virtual Path Service ensures reliable delivery of all applications. The primary objective of the Virtual Path Service is to make sure that business critical applications are delivered across the optimal WAN paths for the best end user experience.
Intranet Service
• Destined for sites with no known SD-WAN partner
(Slide diagram: Remote SD-WAN-SE, Intranet Service, Data Center or Cloud)
Key Notes:
• Traffic that is delivered to a site that does not have a partner SD-WAN device in place to
• SD-WAN manages Intranet traffic, making sure that its bandwidth usage of the underlay network is accounted for, primarily to avoid bandwidth contention between services.
• The SD-WAN appliance does not encapsulate this traffic, and it is similar to traffic that is pass-
Passthrough Service
• Management GUI of WAN edge devices
(Slide diagram: Remote SD-WAN-SE, Passthrough, Data Center or Cloud)
Key Notes:
• Passthrough Service handles traffic that administrators want to transmit unchanged through
• Some examples would be the management IP of the WAN edge router, or local LAN traffic that is expected to flow through the SD-WAN but should be returned back to the LAN from the gateway router. It should not be any traffic that utilizes the WAN link bandwidth.
• Passthrough traffic should be used sparingly, since it goes unmanaged by SD-WAN and its bandwidth is unaccounted for. This means that if any passthrough traffic utilizes the WAN paths that are being measured by SD-WAN, SD-WAN's monitoring capabilities will be negatively affected. Each path that terminates into SD-WAN is configured for a set upload and download speed. SD-WAN uses that to send traffic across a path, and if contending traffic is causing SD-WAN to see dropped packets, it will back off using that path and falsely think there are poor network conditions on that path, when in fact there is contention on that
Internet Service
• Load Balance
(Slide diagram: Remote SD-WAN-SE, Data Center or Cloud SD-WAN-SE, Internet)
Key Notes:
• SD-WAN's Internet Service is a feature in itself. The Internet Service can be enabled at any SD-WAN equipped site, and simply provides access to the public Internet. But the feature provides the ability to either load balance Internet traffic across available WAN links, or to use them in a primary/secondary configuration.
• Direct Internet access at branch offices is a security concern; it is difficult to manage and expensive to maintain. More importantly it opens a backdoor for hackers to the secure datacenters.
• The recommendation would be to force all Internet traffic through a solid DC DMZ that includes all the security infrastructure and anomaly detection. This is called backhaul of Internet traffic.
• One limitation would be that backhaul of all remote site Internet traffic to the datacenter is taxing on the Virtualized WAN path and can quickly saturate the links at the datacenter. Adding an additional WAN link or bumping up capacity on existing links is a quick solution, but breaking out directly for access at the site, utilizing SD-WAN firewall and secure web gateway interoperability, is another option. We will cover that as the next topic.
• The backhaul of Internet traffic from the branch sites can be accomplished by using the SD-WAN overlay route table and creating a default route for the branch site that points all traffic through the Virtual Path to the data center SD-WAN appliance.
(Slide diagram: Remote SD-WAN-SE breaking out to the Internet directly, Data Center or Cloud SD-WAN-SE)
• Primary / Secondary
• Load Balance
Key Notes:
• Creating an Internet Service at the branch site enables similar capabilities by providing the ability to either load balance Internet traffic across available WAN links, or to use them in a primary/secondary configuration.
• Direct Internet breakout at the branch means that your site needs to be equipped with the appropriate security devices to protect the network. The majority of security hacks utilize this entry method to gain access to the headquarters, but owning, maintaining and managing
• As one possible solution, SD-WAN has interoperability with cloud based secure web gateways to serve as offsite security and web filtering enforcement for all Internet bound traffic.
• Another solution would be to utilize the on-board stateful L7 firewall with Deep Packet Inspection capabilities on the SD-WAN appliance, implementing consistent security policies
Zero Touch Deployment Service
(Slide diagram: Admin, Zero Touch Deployment Service, Data Center, SD-WAN appliances)
Key Notes:
• The SD-WAN Change Management tool, available in both the MCN and SD-WAN Center GUI,
• The packages are then generally shared with local site admins, who are tasked with directly logging into the local appliance GUI to upload the package, which provides its identity, using Local Change Management. The admin must also license the appliance and make sure it
• Having a knowledgeable SD-WAN admin at each site is challenging, especially when having to deal with a large number of branch sites. Reducing the amount of SD-WAN knowledge required by the remote site installers is the main objective of Zero Touch Deployment.
• We are able to offload some of that responsibility from the installer by introducing a Zero Touch Deployment Service, which automates the following services:
How is the packet delivery different between traffic
delivered across the Virtual Path Service versus traffic
delivered using the Internet Service?
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
Key Notes:
critical application utilizing multiple diverse WAN paths, whether that be applications and data being accessed from the Data Center or websites being accessed directly from the Internet.
Key Notes:
• The Optional Self Study exercises are added to allow students to continue the hands-on experience outside of class time. You are given 30 days of access to the lab environment and can go in at any time and complete these labs.
Quality of Service
CNS-200W
Version: 1.3
Key Notes:
• NetScaler SD-WAN has the intelligent ability to achieve maximum bandwidth and deal with network performance elements like latency, error rate and uptime to provide the optimal user experience
traffic and making sure the business critical applications have their fair share of bandwidth and
• Real-time: NetScaler SD-WAN adaptive TCP flow control dynamically detects real-time WAN link conditions to mitigate TCP performance penalties from packet loss and retransmission. All WAN optimization controllers can regulate or meter the flow of data packets onto the WAN link. However, NetScaler SD-WAN imposes transparent, lossless flow control on each segment of a connection: the LAN segment between branch users and the branch-based NetScaler SD-WAN appliance; the WAN segment between the branch and datacenter NetScaler SD-WAN appliances; and the LAN segment between the datacenter NetScaler SD-WAN appliance and the server or application.
• By splitting a connection into three parts, NetScaler SD-WAN can manage the flow control and utilization for each segment independently. This is important when a connection's speed needs to be ramped up or down quickly to its fair bandwidth share, and to ensure maximum advantage is taken of enhanced WAN optimization and compression algorithms.
• Real-time – VoIP or VoIP-like applications, such as Skype or ICA audio. In general, we refer to voice-only applications that use small UDP packets and are business critical.
• Interactive – This is the broadest category, and refers to any application that has a high degree of user interaction. Some of these applications, for example video conferencing, are sensitive to latency and require high bandwidth. Other applications, like HTTPS, may need less bandwidth,
SD-WAN QoS WAN Link Configuration
(Slide diagram: Hosts, Core, Router, SD-WAN-SE with two WAN links. Internet link: LAN to WAN = 20 Mbps, WAN to LAN = 80 Mbps. MPLS link: LAN to WAN = 3 Mbps, WAN to LAN = 4 Mbps)
Key Notes:
• When designing a site using the Configuration Editor, each site that is built must have a defined set of WAN links. In that definition, one must identify the upload and download speed associated with each link, then configure the SD-WAN appropriately to match.
• For most deployments, it is recommended to accurately measure the WAN link speeds before
• Example:
• For the Internet link, the provider says it is a 100 Mbps link, but after running a speed test on that Internet link, we see 80 Mbps download and 20 Mbps upload.
• For the MPLS link, the provider says it is a 5 Mbps link, but running iperf across the WAN link,
• The point here is that typically consumers are not going to receive the bandwidth providers are contracting for. Taking the time to accurately measure each WAN link will eliminate any misunderstanding in SD-WAN Quality of Service performance later.
• From the measured numbers, when SD-WAN is placed in the path of both links and sees the total traffic flow, SD-WAN needs to be configured on the WAN links accordingly.
• The defined Internet WAN link on SD-WAN for this site needs to be configured for:
• LAN to WAN at 20 Mbps
• WAN to LAN at 80 Mbps
• Likewise, the defined MPLS WAN link on SD-WAN for this site needs to be configured for:
• LAN to WAN at 3 Mbps
• WAN to LAN at 4 Mbps
(Slide diagram: Hosts, Core, Router, SD-WAN-SE inline on the MPLS link (LAN to WAN = 3 Mbps, WAN to LAN = 4 Mbps) but out of path for the Internet link behind the Firewall (Internet = 10 Mbps, WAN to LAN = 10 Mbps))
Warning Signs of Speed Misconfiguration:
• INET latency spikes
Key Notes:
• With proper definition of the WAN links, the deployment of SD-WAN needs to also be considered.
• SD-WAN's flexible deployment options could yield different configurations when considering traffic flow. SD-WAN deployment can be categorized in three network topology types: fully inline, partial inline, and one-arm.
• Regardless of the deployment topology, Quality of Service functionality can be impacted if SD-WAN
• When SD-WAN is fully inline, SD-WAN is capable of seeing and accounting for all traffic on the configured WAN links, as we see here on the path to the MPLS link.
• When SD-WAN is partial inline or one-arm, it is more likely that SD-WAN does not see all traffic on the configured WAN links, only what is being redirected to the appliance for SD-WAN operation. Unaccounted-for traffic means SD-WAN will see unexpected contention on usage of the WAN links, and misreport the findings as poor link quality as opposed to what is truly happening.
• In this topology we are attempting to showcase an example where we can potentially run into this: SD-WAN being in the direct path of the MPLS link, but being out of path for the Internet link, while still having the ability to use that Internet link as a second WAN path.
• As before, the SD-WAN configuration for the MPLS link matches the measured speed for that link.
• In this case for the Internet link, there is a chance that the SD-WAN encapsulated UDP traffic flow being directed to the Internet link will contend with underlay traffic which may go directly out to the Internet.
• During unexpected contention on a WAN link, SD-WAN will back off using the Congestion Avoidance algorithm, nearly by half, even if congestion occurs below its configured usage rates. SD-WAN will then slowly step performance up to ensure the link is not being saturated due to SD-WAN flow, but eventually the contention will be reached again, causing another back off.
• (6) Virtual Path status jumps between GOOD, BAD, and DEAD frequently
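The measured-versus-contracted link definition from the previous slide and the contention back-off just described, as an added Python example (not Citrix code, not the product's algorithm). wan_link_definition turns measured speeds into the LAN-to-WAN and WAN-to-LAN values to configure and records the gap against the provider figure; simulate_link models one direction of one WAN link over time with the halve-on-loss, step-up-otherwise behaviour from the notes, once with the appliance fully inline (it sees and accounts for the underlay flow) and once partial inline or one-arm (it does not); flapping counts the rate swings that would show up as the warning signs on the slide. The 10 Mbps link, the 4 Mbps of unseen underlay traffic, the step size and the tick length are constructed assumptions.

```python
"""Added example (not Citrix code): WAN link definition from measured speeds,
and a toy model of what unaccounted underlay traffic does to a link that
SD-WAN backs off from on loss. Rates, step sizes and tick lengths are
constructed assumptions.
"""


def wan_link_definition(name, provider_mbps, measured_download_mbps, measured_upload_mbps):
    """Return the WAN link speeds to enter in the Configuration Editor,
    taken from measurement rather than the provider's contracted figure."""
    return {
        "link": name,
        "LAN to WAN (Mbps)": measured_upload_mbps,
        "WAN to LAN (Mbps)": measured_download_mbps,
        # how far the contracted figure overstates the best measured direction
        "shortfall vs provider (Mbps)":
            provider_mbps - max(measured_download_mbps, measured_upload_mbps),
    }


def simulate_link(configured_mbps, underlay_mbps, fully_inline, ticks=20, step_mbps=1.0):
    """One direction of one WAN link over `ticks` intervals.

    configured_mbps : speed entered for the link on the appliance
    underlay_mbps   : traffic using the same link that is not redirected
                      through SD-WAN (e.g. direct Internet breakout)
    fully_inline    : True if the appliance forwards that underlay traffic
                      too and can therefore account for it

    Returns (sending rate per tick, number of ticks in which drops were seen).
    """
    rate = configured_mbps            # what SD-WAN believes it may send
    history, loss_ticks = [], 0
    for _ in range(ticks):
        # inline: the appliance sees the underlay flow and leaves room for it
        cap = configured_mbps - underlay_mbps if fully_inline else configured_mbps
        sending = min(rate, cap)
        offered = sending + underlay_mbps
        history.append(round(sending, 2))
        if offered > configured_mbps + 1e-9:
            # link saturated below SD-WAN's configured rate: it sees drops,
            # blames the path, and backs off by half (congestion avoidance)
            loss_ticks += 1
            rate = sending / 2
        else:
            # no drops: slowly step back up toward the configured rate
            rate = min(configured_mbps, sending + step_mbps)
    return history, loss_ticks


def flapping(history):
    """Crude warning-sign detector: how many times the sending rate fell by
    more than a third between consecutive ticks, the kind of swing that shows
    up as a Virtual Path toggling between GOOD, BAD and DEAD."""
    return sum(1 for a, b in zip(history, history[1:]) if b < a * 2 / 3)


if __name__ == "__main__":
    print(wan_link_definition("Internet", 100, 80, 20))
    print(wan_link_definition("MPLS", 5, 4, 3))
    for inline in (True, False):
        hist, losses = simulate_link(10.0, 4.0, inline)
        print("fully inline" if inline else "one-arm", hist,
              "loss ticks:", losses, "rate drops:", flapping(hist))
```

In the inline run the appliance simply sends 6 Mbps and never sees a drop; in the one-arm run the same 4 Mbps of underlay traffic is invisible to it, so it repeatedly saturates the 10 Mbps link, halves, climbs, and saturates again, which is the oscillation the notes attribute to speed misconfiguration.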
SD-WAN QoS Back-to-Back Solution
(Slide diagram: Hosts, Router, WANOP with QoS disabled back-to-back with SD-WAN Standard Edition with QoS enabled, Enterprise Edition; link speeds labelled LAN to WAN = 20 Mbps, WAN to LAN = 4 Mbps)
Key Notes:
• For sites that already have existing WANOP equipment, SD-WAN Standard Edition can be
• The speed definition for upload and download speeds is the same as we have already practiced.
• The WANOP device, which is also dependent on proper WAN link speed definition, will now need to be updated with Standard Edition in the path, because the new WAN is what the SD-WAN
• With a back-to-back solution like this, the responsibility for QoS is required to be offloaded to the Standard Edition appliance, which is closer to the WAN edge, and QoS will be required to be disabled on the WANOP Edition.
• With QoS on the WANOP device disabled, proper WAN speed configuration is no longer a concern there, and the WAN links can be left at the default 1 Gbps values.
• This solution allows for the introduction of Standard Edition capabilities in a network that already has WANOP deployed. When the time is right, for example when the maintenance expires on the WANOP Edition, the two solutions can be replaced with an…
• Enterprise Edition appliance, which combines the functionality. Typically this is the end goal for customers that deploy like this. The recommendation would be to use the appropriate Standard Edition models that are capable of upgrade to Enterprise Edition, in order to make sure a hardware swap is not required when this transition is eventually needed, but rather a simple software and license upgrade, available through a SKU, unlocks the WANOP capabilities and transforms the Standard Edition appliance into Enterprise Edition.
(Slide diagram: two Remote SD-WAN-SE sites, each with a 100 Mbps link, sending to one Data Center or Cloud SD-WAN-SE; the paths are measured for latency, loss and jitter)
Key Notes:
• SD-WAN's capabilities of per-packet processing and unidirectional path measurements enable
WAN solutions. Competing solutions typically are single-ended QoS, and that can cause issues in the network with multiple remote boxes possibly overdriving a single receiving device,
• As an example, with the two 100 Mbps devices on the left sending traffic flow to the data center on the right, they can simultaneously push up to 200 Mbps to the data center and quickly overdrive the head-end device, causing poor overall user experience. Most competing solutions lack last-mile awareness, which can potentially result in a choke point at the destination.
• NetScaler SD-WAN's dual-ended, or end-to-end, QoS ensures delivery and efficiency across the WAN. The design allows for QoS configuration globally from a single source, and that central configuration knowledge is shared network-wide to all SD-WAN devices. Path measurements are continuously shared and updated amongst peers. This information is used by SD-WAN to proactively react to network conditions with retransmissions and/or redirection, as well as to share the last-mile condition with sending peers.
• SD-WAN's measurement sharing capabilities make the systems aware of the last mile, and prevent oversubscription and wasted bandwidth utilization before it can occur!
• With that knowledge, SD-WAN devices sending packets will throttle down their send rate, based on the feedback the receiving device is dynamically advertising.
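The head-end overdrive scenario above, as an added Python example (not Citrix code). single_ended lets every remote site send at its own uplink rate and drops whatever exceeds the data center's ingress; dual_ended models the receiving appliance advertising how much of its ingress is available so that the senders throttle before transmitting. Proportional throttling is an assumed model of "throttle down based on feedback", not a description of the product's algorithm; the 100 Mbps figures are the slide's, the 30 Mbps site is a constructed variation.

```python
"""Added example (not Citrix code): single-ended versus dual-ended QoS at a
head-end whose ingress is smaller than the sum of its branches' uplinks.
The proportional throttling rule is an assumption made for illustration.
"""


def single_ended(sender_demands_mbps, headend_ingress_mbps):
    """Each branch shapes only on its own uplink. The data center link is
    the choke point and the excess is dropped there (last mile unaware)."""
    offered = sum(sender_demands_mbps)
    delivered = min(offered, headend_ingress_mbps)
    return {
        "send_rates": list(sender_demands_mbps),
        "offered": offered,
        "delivered": delivered,
        "dropped_at_headend": offered - delivered,
    }


def advertise_ingress(headend_ingress_mbps, sender_demands_mbps):
    """Receiver side: compare what the peers want to send with what the last
    mile can take and return the scale factor each sender should apply
    (1.0 when there is no contention). Proportional scaling is the assumed
    model here."""
    offered = sum(sender_demands_mbps)
    if offered <= headend_ingress_mbps:
        return 1.0
    return headend_ingress_mbps / offered


def dual_ended(sender_demands_mbps, headend_ingress_mbps):
    """Senders throttle to the advertised share before transmitting, so the
    head-end ingress is never oversubscribed and nothing is dropped there."""
    scale = advertise_ingress(headend_ingress_mbps, sender_demands_mbps)
    send_rates = [round(d * scale, 3) for d in sender_demands_mbps]
    offered = sum(send_rates)
    return {
        "send_rates": send_rates,
        "offered": round(offered, 3),
        "delivered": round(min(offered, headend_ingress_mbps), 3),
        "dropped_at_headend": round(max(0.0, offered - headend_ingress_mbps), 3),
    }


if __name__ == "__main__":
    # constructed scenario from the slide: two 100 Mbps remotes, 100 Mbps head-end
    print("single-ended:", single_ended([100, 100], 100))
    print("dual-ended:  ", dual_ended([100, 100], 100))
    # variation: one busy site and one quieter site
    print("dual-ended:  ", dual_ended([100, 30], 100))
```

The point the numbers make is where the loss happens: with single-ended shaping the two branches each believe they may send 100 Mbps and half of the traffic dies on the data center's last mile; with the receiver advertising its ingress, the branches give up the same total bandwidth but do so before the packets cross the WAN.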
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
(Slide screenshot: application rule list with custom entries, XenDesktop and FTP)
Key Notes:
• Realtime: Used for low latency, low bandwidth, time-sensitive traffic. Real-time applications are time sensitive but don't really need high bandwidth (for example voice over IP). Real-time applications are very sensitive to latency and jitter, but can tolerate some loss.
• Interactive: Used for interactive traffic with low to medium latency requirements and low to medium bandwidth requirements. Interactive applications involve human input in the form of mouse clicks or cursor moves. The interaction is typically between a client and a server. The communication might not need high bandwidth but is sensitive to loss and latency. However, server to client does need high bandwidth to transfer graphical information, which might not be sensitive to loss.
• Bulk: Used for high bandwidth traffic that can tolerate high latency. Applications that handle file transfer and need high bandwidth are categorized as bulk class. These applications involve very little human interference and are mostly handled by the systems themselves.
• The Quality of Service on the Standard and Enterprise Edition is strategically designed to prioritize business critical applications and realtime traffic above other traffic flows. By design, SD-WAN enables scaling of WAN bandwidth by enabling the easy addition of inexpensive broadband Internet to the already existing WAN infrastructure. Because of this easy addition of bandwidth, most of QoS is assigning prioritized applications to the appropriate path that matches the conditions the application needs to perform well.
• SD-WAN QoS is based on three main categories of application traffic: real time, interactive, and bulk.
• Categories can be provisioned with guaranteed minimums.
• The real time category has absolute priority over everything until the provisioned rate is met, and interactive has absolute priority over bulk.
• Low latency, low bandwidth, time-sensitive apps are prioritized within the realtime category.
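The category rules just listed (real time has absolute priority until its provisioned rate is met, interactive has absolute priority over bulk, categories carry guaranteed minimums, and classes inside a category get a larger or smaller share), as an added Python example (not Citrix code, not the product's scheduler) that allocates one link's bandwidth among classes. Where the notes do not say what happens, the code assumes: real-time demand above its provisioned rate is not served, capacity left over after all minimums goes to interactive before bulk, and classes within a category share by weight using water-filling. The class names and the 30/20/13/100 style weights are modelled on the class table on the next slide; the link size, provisioned fractions and offered loads are constructed.

```python
"""Added example (not Citrix code): bandwidth allocation on one Virtual Path
following the category rules in the notes. Assumptions: real-time is capped
at its provisioned rate, leftover capacity goes interactive before bulk,
and classes within a category share by weight (water-filling).
"""

CATEGORY_OF = {          # class -> category (constructed, modelled on the class table)
    "realtime_class": "realtime",
    "interactive_high_class": "interactive",
    "interactive_medium_class": "interactive",
    "bulk_background_class": "bulk",
}
CLASS_WEIGHT = {         # relative share inside a category (constructed)
    "realtime_class": 30,
    "interactive_high_class": 20,
    "interactive_medium_class": 13,
    "bulk_background_class": 100,
}


def weighted_fair(demands, weights, capacity):
    """Weighted max-min fair share by water-filling: every unsatisfied class
    rises in proportion to its weight until it is satisfied or the capacity
    is spent."""
    alloc = {k: 0.0 for k in demands}
    active = [k for k in demands if demands[k] > 0]
    remaining = float(capacity)
    while active and remaining > 1e-9:
        total_w = sum(weights[k] for k in active)
        # the class that reaches its demand first, relative to its weight
        first = min(active, key=lambda k: (demands[k] - alloc[k]) / weights[k])
        level = (demands[first] - alloc[first]) / weights[first]
        if level * total_w <= remaining:
            for k in active:
                alloc[k] += level * weights[k]
            remaining -= level * total_w
            active.remove(first)
        else:
            level = remaining / total_w
            for k in active:
                alloc[k] += level * weights[k]
            remaining = 0.0
    return alloc


def allocate(link_mbps, provisioned, class_demands):
    """Split link_mbps among classes.

    provisioned   : guaranteed minimum per category as a fraction of the link
    class_demands : offered load per class in Mbps
    Returns (per-category Mbps, per-class Mbps).
    """
    cat_demand = {"realtime": 0.0, "interactive": 0.0, "bulk": 0.0}
    for cls, d in class_demands.items():
        cat_demand[CATEGORY_OF[cls]] += d

    cat_alloc = {}
    # 1. real time is served first, up to its provisioned rate (assumed cap)
    cat_alloc["realtime"] = min(cat_demand["realtime"], provisioned["realtime"] * link_mbps)
    remaining = link_mbps - cat_alloc["realtime"]
    # 2. the other categories receive their guaranteed minimums
    for cat in ("interactive", "bulk"):
        cat_alloc[cat] = min(cat_demand[cat], provisioned[cat] * link_mbps, remaining)
        remaining -= cat_alloc[cat]
    # 3. whatever is left goes to interactive before bulk (interactive > bulk)
    for cat in ("interactive", "bulk"):
        extra = min(cat_demand[cat] - cat_alloc[cat], remaining)
        cat_alloc[cat] += extra
        remaining -= extra

    class_alloc = {}
    for cat, budget in cat_alloc.items():
        members = {c: d for c, d in class_demands.items() if CATEGORY_OF[c] == cat}
        class_alloc.update(weighted_fair(members, CLASS_WEIGHT, budget))
    return cat_alloc, class_alloc


PROVISIONED = {"realtime": 0.30, "interactive": 0.20, "bulk": 0.10}   # constructed
DEMANDS = {   # constructed offered load in Mbps on a 10 Mbps link
    "realtime_class": 2.0,
    "interactive_high_class": 5.0,
    "interactive_medium_class": 5.0,
    "bulk_background_class": 20.0,
}

if __name__ == "__main__":
    cats, classes = allocate(10.0, PROVISIONED, DEMANDS)
    print(cats)
    for name, mbps in classes.items():
        print(f"{name:28s} {mbps:6.2f} Mbps")
```

On the constructed 10 Mbps link the 2 Mbps of voice is served in full because it sits under its 3 Mbps provisioned rate, bulk is held to its 1 Mbps guarantee while interactive has unmet demand, and inside the interactive category the high class gets 20/33 of the 7 Mbps and the medium class 13/33, which is the "larger or smaller share" the notes describe.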
QoS Levels Defined by Classes
• 17 Class levels
• QoS within Categories
• WANOP adds DSCP
• RED queuing discipline
• Classes 0-3 are set for Citrix HDX traffic
user configurable.
by the default rules.
(Screenshot: Configuration Editor, Default Sets > Virtual Path Default Set > Classes. Readable rows, as class number, name, type, values: 0 HDX priority tag 0, Realtime, 30 30; 1 HDX priority tag 1, Interactive, 20 20; 2 HDX priority tag 2, Interactive; 7 class_7, Bulk, 0 0; 8 class_8, Bulk; 10 realtime_class, Realtime, 30 30; 11 interactive_high_class, Interactive, 20 20; 12 interactive_medium_class, Interactive, 13 13; 13 interactive_low_class, Interactive; 14 interactive_very_low_class, Interactive, 0; 15 bulk_background_class, Bulk, 100; 16 bulk_unused_class, Bulk, 0. The remaining rows are not legible in the extraction.)
Key Notes:
• The SD-WAN system provides 17 classes (0-16). Classes 0-3 are predefined for Citrix HDX
• These classes are used to classify HDX traffic with different ICA priority tags. You can edit the class types and their assigned bandwidth sharing to obtain the optimal quality of service, but
types. Each type can be configured further to optimize quality of service for its type of traffic.
• SD-WAN Standard and Enterprise editions enable global configuration of classes and rules that can be distributed to all SD-WAN appliances; this global configuration of classes and rules is called the "Default Sets." Site specific customization can be done on each site specific device in another part of the Configuration Editor. Here is a screenshot of the Configuration Editor highlighting the creation of the default set.
• SD-WAN offers up to 17 customizable classes for QoS, and each can be associated with one of the 3 main categories.
• The SD-WAN QoS model is dual-ended and therefore provides guaranteed delivery, even capable of last mile congestion detection.
• Within the individual categories of real time, interactive, and bulk, classes can be further defined for quality of service in order to provide granular prioritization between apps that fall within the same category type and to allow allocation of a larger or smaller share of bandwidth. Customization can be done here, or the preset classes can be called when defining application
packet and marks a DSCP priority bit with the class-id for reclassified flows, where Standard Edition then can check if DSCP is marked and update the flow classification and delivery across the appropriate path that matches the HDX channel's priority.
• SD-WAN utilizes the Random Early Drop, also known as RED, queuing discipline for
queuing discipline starts dropping packets probabilistically when the queue has
occurring. The effect is that no TCP flow can monopolize the path scheduler and all TCP flows get a fair share.
WANOP Edition Application Classifiers
• 250+ predefined apps
• Reporting
• Service Classes
(Screenshot: the WANOP Application Classifiers list)
Key Notes:
• The WANOP engine on SD-WAN contains a predefined list of 250+ applications, which are defined based on TCP port number. Here is a screenshot of the Application Classifiers list in the
defaults.
• Additional ones can be added, and existing ones can be edited to reassign ports to other apps.
• Reporting. NetScaler MAS extracts data from optimized sessions and provides visibility into the
• Service Class definition, which is a filtering capability for granular control of optimization levels.
(Screenshot: WANOP Service Classes list, every entry ENABLED, including ICA, Web, CIFS, VoIP, FTP Data, FTP Control, Other TCP Traffic and Unclassified Traffic; alongside it the service class edit dialog with the Acceleration Policy and Exclude from SSL Tunnel options)
Acceleration Policy:
• Flow Control Only
• Memory based compression
Key Notes:
• The WANOP engine on SD-WAN utilizes the Service Class definitions to individually enable optimization for a specific protocol. By default all the Service Class policies are enabled, but
• Flow control only should be selected for chatty apps with little to no data payload.
• Disk should be selected for heavy data payload applications, since lookup from disk takes longer, and a bigger hit rate for deduplication will yield positive results even with the longer lookup time.
• Memory should be selected for light data payload applications that won't consume a lot of memory space but will benefit from expedited lookups using memory as opposed to disk.
depth. All flows matching the same rule will share the same queue.
• The lower the application priority, the larger the queue depth needs to be. For real-time applications, this queue depth has not only a buffer size in bytes but also in time. The theory here is that it is bad to buffer real-time traffic for a long period of time because it can introduce jitter. That being said, if the real-time class does not get serviced fast enough then you may have bigger problems.
Key Notes:
• Set the queue depth to 80-125 ms and not more than 200 Kbytes.
• If you have a lot of real-time traffic and you see packet drops in the Monitor > Classes view, […] duplication.
• For all other types of classes queue depth is less critical, but it is recommended to set these to be fairly large. You can use different depths to throw less important applications away by setting them slightly shorter. Again, it is good to look at the classes and see if any of the classes are dropping. Note, drops in the class view are not the same as packets lost in the WAN. We do not recover drops from the queue. We can retransmit packets lost in the WAN.
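To make the two limits on a real-time class queue concrete (a depth in bytes and a depth in time) and to show why drops counted in the class view are a different event from WAN loss, here is an added example; it is not Citrix code and not the appliance's real scheduler. The queue model, the 2 Mbps class rate, the 1000-byte packets and the 40-packet burst are constructed assumptions; the 200 Kbyte ceiling is the figure quoted in the notes.

```python
from collections import deque
from math import inf
from typing import Optional

MAX_REALTIME_QUEUE_BYTES = 200_000  # the notes' ceiling: "not more than 200 Kbytes"


def realtime_queue_depth_bytes(rate_kbps: int, depth_ms: int) -> int:
    """Byte depth that drains in depth_ms at rate_kbps, capped at 200 KB.

    kbps * ms = bits, so divide by 8 for bytes (integer division).
    """
    return min(rate_kbps * depth_ms // 8, MAX_REALTIME_QUEUE_BYTES)


class ClassQueue:
    """Simplified model (constructed for this example) of one class queue shared
    by all flows matching a rule. Two independent limits: depth_bytes bounds how
    much can be buffered (tail drop when full); depth_ms bounds how long a packet
    may wait before it is discarded as stale rather than sent late.
    """

    def __init__(self, rate_kbps: int, depth_bytes: int, depth_ms: Optional[int] = None):
        self.rate_kbps = rate_kbps
        self.depth_bytes = depth_bytes
        self.depth_ms = depth_ms
        self.queue = deque()          # (enqueue_time_ms, size_bytes)
        self.queued_bytes = 0
        self.link_free_at = 0.0       # ms at which the link can start the next packet
        self.stats = {"sent": 0, "dropped_full": 0, "dropped_stale": 0}

    def enqueue(self, now_ms: float, size_bytes: int) -> None:
        self._drain(now_ms)           # serve whatever could leave before this arrival
        if self.queued_bytes + size_bytes > self.depth_bytes:
            self.stats["dropped_full"] += 1   # byte depth exceeded: tail drop
            return
        self.queue.append((now_ms, size_bytes))
        self.queued_bytes += size_bytes

    def _drain(self, until_ms: float) -> None:
        while self.queue:
            enq_t, size = self.queue[0]
            start = max(self.link_free_at, enq_t)
            if start >= until_ms:
                break
            self.queue.popleft()
            self.queued_bytes -= size
            if self.depth_ms is not None and start - enq_t > self.depth_ms:
                # Waited longer than the time depth: sending it now would only add
                # jitter, so the scheduler discards it. These drops are local to the
                # queue and are never recovered, unlike packets lost on the WAN.
                self.stats["dropped_stale"] += 1
                continue
            self.stats["sent"] += 1
            self.link_free_at = start + size * 8 / self.rate_kbps  # bits / kbps = ms

    def flush(self) -> dict:
        """Transmit everything still queued and return the counters."""
        self._drain(inf)
        return dict(self.stats)


def burst_scenario(depth_bytes: int, depth_ms: int, rate_kbps: int = 2000,
                   packets: int = 40, size_bytes: int = 1000) -> dict:
    """Constructed burst: `packets` packets arrive at t=0 on a 2 Mbps class (4 ms each)."""
    q = ClassQueue(rate_kbps, depth_bytes, depth_ms)
    for _ in range(packets):
        q.enqueue(0, size_bytes)
    return q.flush()


if __name__ == "__main__":
    sized = realtime_queue_depth_bytes(2000, 80)                 # 20000 bytes = 20 packets
    print("byte-bound:", burst_scenario(sized, 80))               # 20 sent, 20 dropped_full
    print("time-bound:", burst_scenario(MAX_REALTIME_QUEUE_BYTES, 80))  # 21 sent, 19 dropped_stale
```

With the byte depth sized to the time depth (80 ms at 2 Mbps is 20 Kbytes) the excess of the burst is tail-dropped and everything accepted goes out within 80 ms. With the byte depth left at the 200 Kbyte ceiling the whole burst is accepted, but packets 22 onwards would have waited more than 80 ms and are discarded as stale: a large byte depth alone does not protect a real-time class from jitter.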
Key Notes:
• When creating a new rule, think about what the application is and how you want it to behave. Also, remember that other traffic may be using the same class, so prioritize the application appropriately. There are benefits and drawbacks to the transmit modes and settings.
• Direction specific
• Transmission Modes
Key Notes:
• Where Classes are associated with data delivered across the Virtual Path Network Service and affect how traffic flows are categorized, then scheduled and shaped, Rules are filters that define applications and tie them to a Class to determine QoS and bandwidth share and also the Transmission Mode. Here you can see a screenshot of the Rules for a particular client node. Defaults will be prepopulated and grayed out, and custom rules can be added to the top of the
• SD-WAN comes equipped with a default set of rules and classes which capture all the commonly found protocols in an Enterprise network, but these rules are extendable and customizable to provide more granular control either globally with the Default Set or at the Local Site
• Custom rules can be created using a 7-tuple filtering mechanism, which is based on…
• Source and destination IP address,
[Screenshot: rule properties dialog (Match Type, Application, Enable Packet Resequencing, Resequence Hold Time (ms), Discard Late Resequenced Packets)]
[…] same settings and elements still apply. The
protocol  DSCP    port  class  transmit type  retransmit  queue depth (bytes)  reorder time  misc
ICAUDP    ICAUDP  11    int    LB             yes         30000/350ms          250           RED off
Key Notes:
• Slide 1 of 3

protocol  DSCP  port  class  transmit type  retransmit  queue depth (bytes)  reorder time  misc
Key Notes:
• Slide 2 of 3

protocol  DSCP  port  class  transmit type  retransmit  queue depth (bytes)  reorder time  misc
Key Notes:
• Slide 3 of 3
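The rule lookup the notes describe (filters on the tuple fields, each rule tying matching traffic to a class and a transmit mode, custom rules evaluated above the prepopulated defaults, first match wins) as an added example; this is not Citrix code. The field names, the constructed rules, the hosts and ports are assumptions: the page's default table row shows ICA over UDP in the interactive class with Load Balance but its port column is not legible, so the ICA port 1494 used below is an assumption, and the EF marking (DSCP 46) on the voice rule is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    """Attributes of one flow that a rule can filter on (a subset of the 7-tuple)."""
    src_ip: str
    dst_ip: str
    protocol: str      # "tcp" or "udp"
    dst_port: int
    dscp: int


@dataclass(frozen=True)
class Rule:
    """A filter that ties matching traffic to a QoS class and a transmit mode.

    None in a filter field means "any". Field names are this example's own.
    """
    name: str
    qos_class: str
    transmit_mode: str          # "load_balance", "persistent", "duplicate", "override"
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    dscp: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        if self.src_net and ipaddress.ip_address(f.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(f.dst_ip) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.protocol and self.protocol != f.protocol:
            return False
        if self.dst_port is not None and self.dst_port != f.dst_port:
            return False
        if self.dscp is not None and self.dscp != f.dscp:
            return False
        return True


def classify(flow: Flow, custom_rules: List[Rule], default_rules: List[Rule]) -> Rule:
    """First match wins; custom rules sit above the prepopulated defaults."""
    for rule in list(custom_rules) + list(default_rules):
        if rule.matches(flow):
            return rule
    raise LookupError("no rule matched; a catch-all default should always exist")


# Constructed default set: ICA over UDP -> interactive class, Load Balance (as in the
# page's table row; port 1494 is an assumption), plus a constructed catch-all.
DEFAULT_RULES = [
    Rule("ICAUDP", "interactive", "load_balance", protocol="udp", dst_port=1494),
    Rule("default", "bulk", "load_balance"),
]

# Constructed custom rule: UDP from the voice subnet marked EF (DSCP 46) goes to the
# real-time class with Duplicate Paths. It is evaluated before every default rule.
CUSTOM_RULES = [
    Rule("voice-vlan", "realtime", "duplicate", src_net="10.10.0.0/16", protocol="udp", dscp=46),
]


def demo() -> Dict[str, tuple]:
    """Classify a few constructed flows; returns {label: (class, transmit mode)}."""
    flows = {
        "voice": Flow("10.10.5.20", "192.168.100.7", "udp", 16384, 46),
        "ica": Flow("10.20.1.9", "192.168.100.50", "udp", 1494, 0),
        "web": Flow("10.20.1.9", "203.0.113.10", "tcp", 443, 0),
        # ICA from the voice subnet carrying EF: the custom rule on top wins over the default ICA rule
        "ica_marked_ef_from_voice_vlan": Flow("10.10.5.20", "192.168.100.50", "udp", 1494, 46),
    }
    out = {}
    for label, flow in flows.items():
        rule = classify(flow, CUSTOM_RULES, DEFAULT_RULES)
        out[label] = (rule.qos_class, rule.transmit_mode)
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:32s} -> class={result[0]}, transmit={result[1]}")
```

The last flow is the case the notes warn about: a custom rule placed at the top captures traffic that a default rule would otherwise have classified, so the class and transmit mode of anything sharing the filter's fields change with it.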
Lesson Objective Review
a) UDP Protocol
b) TCP Protocol
c) IP Subnet
d) Service Provider ID
e) All of the above
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
• Override Service
• Duplication Paths
Key Notes:
• SD-WAN Transmit Modes determine the behavior of packet delivery across the Virtual Path Service. Transmission modes are designed to further enhance the end-user experience, and include:
• Load Balance Paths. In this mode, the application will select the best available path based on its overall class and the other application traffic currently transmitting. If the bandwidth demand for an individual flow exceeds a single path WAN link's bandwidth, it will intelligently load balance the packets to multiple paths. It does this in such a way as to minimize the re-ordering time on the receive side. Note, it will only load balance as needed; it is not simple round robin.
• Persistent Path. In this mode, when the app flow starts the best path is selected. The application will stay on the path unless the latency of said path changes by 50ms (Default Persistent Impedance). It will then select the next best path. This means the flow generally will pin to a given path unless the quality changes dramatically. If the path goes BAD (due to loss) it will also move. If the application's bandwidth demand exceeds the path it is on, the app is allowed to flow across multiple paths (similar to Load Balanced transmit mode).
• Duplicate Paths. This mode is used for VoIP applications. The flow is duplicated and sent to the two best and most diverse paths available based on Service Provider IDs. Use this for VoIP-like applications only, as it consumes 2X the application bandwidth.
Load Balance Paths Transmit Mode
[Diagram: Remote SD-WAN-SE connected over multiple paths to a Data Center or Cloud SD-WAN-SE]
• Balance a single session across multiple paths
• Intelligent per packet delivery decision making
• Overflow capabilities onto other paths
• Packet retransmission
• Quality of Service with application categorization
• Packet scheduling with in-sequence delivery
• Advanced reorder algorithms to minimize wait time
• Maximized good-put utilizing lowest latency WAN paths first
Key Notes:
• Load Balance Paths Transmit Mode allows the flow for a filtered application to be balanced across multiple paths simultaneously across the virtualized WAN. However, it is not your typical load balancer… it is much more intelligent than that. SD-WAN is capable of dynamically matching every packet to the application's priority and matching it up with the WAN path that
• With load balance, apps are allowed to spill over when more bandwidth is required. This is a differentiator against competing SD-WAN solutions, in that WAN bandwidth is truly aggregated and applications are not limited to the bandwidth of the assigned path. From the perspective of the application, it just sees a thicker pipe for delivery, and as applications are assigned to a path they are not limited to the capacity limits of that single path. Packets are sent across the best path until it is completely used. The remaining packets are then sent across the next best path.
• There is much more that goes into SD-WAN intelligence, including Quality of Service to make sure one session does not consume all the bandwidth, and that business critical applications are not displaced by lower priority applications. By utilizing multiple paths of various different conditions, SD-WAN schedules packets to the WAN so that they arrive close to in-sequence for efficient reordering on the receiving end, before being delivered to the end host. SD-WAN maximizes good-put by utilizing lowest latency WAN paths first. Also, packet retransmission is optimized to determine packet loss and retransmit before TCP is aware of lost packets. This even works for non-TCP traffic as well, by utilizing the SD-WAN overlay packet sequence algorithm, and innate time knowledge of the network and next packet expected time windows.
Key Notes:
• Persistent Paths transmit mode is designed purposely to address those application needs.
• Persistent path binds a session to the best available WAN path when the session is established.
• SD-WAN will persist using that path for further packets as long as the path is viable and the
• If needed, the session will be moved, but typically it is bound to one path for its duration.
• If the path is no longer available or latency worsens, greater than 50ms vs. alternatives, then the session will be moved to the next best WAN path.
• If the traffic load for the session exceeds the WAN path bandwidth, then the session will be
• Persistent path should be configured for real-time and interactive traffic only, and not for bulk data unless the exact amount of bandwidth per application is known and available.
• SD-WAN path measurements and intelligence are also applied with this transmit mode. Admins are not burdened with statically assigning applications to paths. However, there are available knobs to adjust if desired to have more control of application path assignment, but SD-WAN is designed to be automated and static Admin assignments take away from the intelligence of the box to make the correct delivery decision at all moments in time with live and accurate measurements of the available WAN paths. Even MPLS links with their high cost and promised SLA are subject to failure and poor conditions during times of peak utilization. An Admin customizing SD-WAN to force applications down a desired WAN path is not necessarily doing the appropriate thing for that application, since Admins are not typically monitoring that path every minute of every day to make the adjustment when necessary. SD-WAN is designed to do this automatically for you.

134 © 2018 Citrix Authorized Content CITRIX
SD-WAN Transmit Mode: Duplicate Paths
[Diagram: Remote SD-WAN-SE sending duplicate copies over two paths to a Data Center or Cloud SD-WAN-SE]
• Second path selected again based on priority, but also on variance in provider from the first path
Key Notes:
• Voice over IP is a very important and sensitive protocol, for which SD-WAN has a specially designed Duplicate Paths transmit mode. This feature is not required to be enabled in order for Voice over IP to benefit from the reliability and intelligent path delivery which SD-WAN will provide by default, but this transmit mode is specially designed to improve the quality of VoIP, again with
• Applications enabled for Duplicate Paths will have a copy of every packet simultaneously sent across a distinct path from the original packet. The packet that makes it to the destination first will be used, the other discarded. This results in the best end-user experience with VoIP calls, in that every packet essentially is guaranteed to arrive, eliminating the chance for any lost packets.
• The duplicated packets are assigned to WAN paths that match the real-time criteria when determining the path conditions. The first path selected is the lowest latency path, and the second path selected would again be based on latency but also on the least amount of similarity to the first path, to guarantee variety. Typically the Service Provider identifier is used to make that distinction between paths.
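The three transmit modes described in the notes above (Load Balance spill-over onto the next best path, Persistent Path with the 50 ms default impedance and a move when the path goes BAD, Duplicate Paths choosing the second copy's path by provider diversity with first-copy-wins at the receiver) as an added example; it is not Citrix code and only models the decisions the notes describe. The path names, provider IDs, latencies, free capacities and the single constructed loss are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

PERSISTENT_IMPEDANCE_MS = 50   # default Persistent Impedance quoted in the notes


@dataclass
class Path:
    """One WAN path with the measurements the transmit modes decide on."""
    name: str
    provider_id: str        # Service Provider ID of the underlying WAN link
    latency_ms: float
    free_kbps: float = 0.0  # spare capacity, used by the Load Balance example
    bad: bool = False       # path marked BAD (e.g. due to loss)


def usable(paths: List[Path]) -> List[Path]:
    """Non-BAD paths, best (lowest latency) first."""
    return sorted((p for p in paths if not p.bad), key=lambda p: p.latency_ms)


def load_balance(paths: List[Path], demand_kbps: float) -> Dict[str, float]:
    """Load Balance Paths spill-over: use the best path until it is full, then the next."""
    split, left = {}, demand_kbps
    for p in usable(paths):
        take = min(left, p.free_kbps)
        if take > 0:
            split[p.name], left = take, left - take
    return split


def persistent_path(current: Optional[Path], paths: List[Path]) -> Optional[Path]:
    """Persistent Path: stay pinned unless the path went BAD or its latency is now
    worse than the best alternative by more than the impedance."""
    candidates = usable(paths)
    if not candidates:
        return None
    best = candidates[0]
    if current is None or current.bad:
        return best
    if current.latency_ms - best.latency_ms > PERSISTENT_IMPEDANCE_MS:
        return best
    return current


def duplicate_paths(paths: List[Path]) -> List[Path]:
    """Duplicate Paths: lowest-latency path first, then the lowest-latency path on a
    different provider (falling back to the second best if all share one provider)."""
    candidates = usable(paths)
    if len(candidates) < 2:
        return candidates
    first = candidates[0]
    diverse = [p for p in candidates[1:] if p.provider_id != first.provider_id]
    return [first, diverse[0] if diverse else candidates[1]]


class DuplicateReceiver:
    """Receiving side: the first copy of a sequence number is delivered, the later one discarded."""

    def __init__(self) -> None:
        self.seen, self.delivered, self.discarded = set(), [], 0

    def receive(self, seq: int, payload: str) -> bool:
        if seq in self.seen:
            self.discarded += 1
            return False
        self.seen.add(seq)
        self.delivered.append(payload)
        return True


def demo_persistent() -> List[str]:
    """Constructed latency history for one flow: pins to MPLS, stays through a 40 ms
    rise, moves once the gap passes 50 ms, moves again when its new path is BAD."""
    mpls, inet = Path("mpls", "MPLS-A", 20), Path("inet", "ISP-B", 30)
    paths, pinned, history = [mpls, inet], None, []
    steps = [lambda: None,                               # start: mpls is best
             lambda: setattr(mpls, "latency_ms", 70),    # 70 - 30 = 40 <= 50: stay on mpls
             lambda: setattr(mpls, "latency_ms", 90),    # 90 - 30 = 60 > 50: move to inet
             lambda: setattr(inet, "bad", True)]         # inet BAD: only mpls is left
    for change in steps:
        change()
        pinned = persistent_path(pinned, paths)
        history.append(pinned.name)
    return history


def demo_duplicate() -> dict:
    """Constructed: two fast paths on one ISP and a slower MPLS path; the copy goes to
    MPLS for provider diversity. One copy of seq 3 is then 'lost' on inet1."""
    paths = [Path("inet1", "ISP-B", 10), Path("inet2", "ISP-B", 12), Path("mpls", "MPLS-A", 30)]
    chosen = [p.name for p in duplicate_paths(paths)]
    rx, lost = DuplicateReceiver(), {(3, "inet1")}       # constructed single loss
    for seq in range(1, 6):
        for path in chosen:                              # arrival order does not change the counts
            if (seq, path) not in lost:
                rx.receive(seq, f"voice-frame-{seq}")
    return {"paths": chosen, "delivered": len(rx.delivered), "discarded": rx.discarded}
```

Two points the functions make explicit: Duplicate Paths does not pick the two fastest paths when they share a provider, and a lost copy on one path is invisible to the receiver because the other copy fills the gap, at the cost of every surviving duplicate being discarded (2X bandwidth for the same payload).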
Zero Touch Deployment Cloud Service
[Diagram: Zero Touch Deployment Cloud Service reached by appliances over the Internet/MPLS]
Key Notes:
• Zero Touch Deployment (ZTD) Cloud Service is a Citrix operated and managed cloud-based service which allows discovery of new appliances in the NetScaler SD-WAN network, primarily focused on streamlining the deployment process for NetScaler SD-WAN at remote or branch office locations. The ZTD Cloud Service is publicly accessible from any point in a network via public Internet access. The ZTD Cloud Service is accessed over the Secure Socket Layer (SSL) Protocol.
• The ZTD Cloud Service securely communicates with backend Citrix services hosting stored identification of Citrix customers who have purchased Zero Touch capable appliances (e.g. NetScaler SD-WAN 410-SE, 2100-SE). The backend services are in place to authenticate any Zero Touch Deployment request, properly validating the association between the Customer Account and the Serial Numbers of NetScaler SD-WAN appliances.
SD-WAN Transmit Mode: Override Service
[Diagram: Remote SD-WAN-SE and Data Center or Cloud SD-WAN-SE, with the override options Internet, Intranet, Passthrough and Discard]
Key Notes:
• The Override Service transmit mode allows applications that are filtered to be transmitted using
• Options for override service include: Internet, Intranet, Passthrough, and Discard
[Diagram: Firewall and Router on the WAN side, SD-WAN-SE, Core switch, Hosts]
Key Notes:
• SD-WAN Provisioning allows for bidirectional (ingress and egress) distribution of bandwidth for each WAN link among the various services associated with that link.
• Control is provided, allowing SD-WAN to portion a segment of the bandwidth for Internet Service and a portion of bandwidth for Virtual Path Service on the Internet links.
• Separate control is provided to portion bandwidth on your Private MPLS links for the different
Key Notes:
• There are two steps for provisioning bandwidth amongst the services in a simple and effective way; here is a screenshot of the Configuration Editor highlighting the ability of:
• Creating Groups
[…] and each set of groups and services can be adjusted separately for LAN to WAN traffic flow and
[Screenshot: Configuration Editor provisioning table. Columns: Name, Group, then for each direction Min (kbps), Max (kbps), Shares, % of Group, Fair (kbps). Rows as recoverable from the page:]
Dynamic Virtual Paths  Default  1000  2460  0 to 0  no limit  1000  1940
Internet               Default  500   1000  1000    1000      100   no limit  1000  2040
Totals                 580  1000  3000  6000  180  0  3000  6000
Key Notes:
• Fair Shares provides further granular control and allows distribution of the permitted bandwidth
• With Shares, the total number of shares is up to the user, allowing any granularity or precision when allocating bandwidth among the different Groups and Services.
• As an example, provisioning the Internet Service for this specific Internet WAN link with a total cap of 1000kbps, we can set a minimum of 500kbps for LAN to WAN flow, which will provision
• If a single user is on the Internet Service, they will be allocated the Maximum of 1000kbps for upload, but as soon as a second user joins on that Internet Service, fair share is provided and
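The Min / Max / Shares provisioning and the per-user fair share the notes describe, worked through as an added example; it is not Citrix code and the water-filling model below is this example's own reading of those controls, not the appliance's actual algorithm. The 3000 kbps link and the Virtual Path service figures are constructed; the Internet Service values (500 kbps minimum, 1000 kbps maximum) follow the notes' example.

```python
from dataclasses import dataclass
from math import inf
from typing import Dict, List, Optional


@dataclass
class Service:
    """A service (or group) provisioned on one WAN link, one direction."""
    name: str
    min_kbps: float
    max_kbps: Optional[float]   # None = "no limit"
    shares: int
    demand_kbps: float = inf    # how much it currently wants to send


def _cap(s: Service) -> float:
    """Most a service can usefully be given: its max (if any) or its demand."""
    return min(s.max_kbps if s.max_kbps is not None else inf, s.demand_kbps)


def allocate(link_kbps: float, services: List[Service]) -> Dict[str, int]:
    """Constructed min/max/shares model (not Citrix's algorithm):
    1) every service gets its minimum (or less if it demands less);
    2) the remaining link capacity is divided in proportion to shares;
    3) a service that reaches its max or its demand is capped, and what it could
       not use is re-divided among the others by shares (water-filling)."""
    alloc = {s.name: min(s.min_kbps, s.demand_kbps) for s in services}
    remaining = link_kbps - sum(alloc.values())
    if remaining < 0:
        raise ValueError("minimums exceed link capacity")
    open_ = [s for s in services if _cap(s) > alloc[s.name]]
    while remaining > 1e-9 and open_:
        total_shares = sum(s.shares for s in open_)
        budget = remaining                      # fixed for this round
        for s in list(open_):
            room = _cap(s) - alloc[s.name]
            give = min(budget * s.shares / total_shares, room)
            alloc[s.name] += give
            remaining -= give
            if room - give <= 1e-9:             # capped: leaves the next round
                open_.remove(s)
    return {name: round(kbps) for name, kbps in alloc.items()}


def user_fair_share(service_kbps: float, demands: Dict[str, float]) -> Dict[str, int]:
    """Fair share among the users inside one service: equal shares, no minimum,
    each user capped by its own demand (so idle users do not hold bandwidth)."""
    return allocate(service_kbps, [Service(u, 0, None, 1, d) for u, d in demands.items()])


# Constructed: an Internet link provisioned for a Virtual Path service with no limit and
# the Internet Service of the notes (500 kbps minimum, 1000 kbps maximum), equal shares.
LINK_KBPS = 3000
SERVICES = [
    Service("Virtual Path", min_kbps=1000, max_kbps=None, shares=1000),
    Service("Internet", min_kbps=500, max_kbps=1000, shares=1000),
]


def demo_services() -> Dict[str, int]:
    """Both services busy: Internet stops at its 1000 kbps cap, the rest goes to the Virtual Path."""
    return allocate(LINK_KBPS, SERVICES)


def demo_users() -> Dict[str, Dict[str, int]]:
    """Inside the 1000 kbps Internet Service: one user takes it all, two split it,
    a third with a small demand only takes what it asks for."""
    return {
        "one": user_fair_share(1000, {"alice": inf}),
        "two": user_fair_share(1000, {"alice": inf, "bob": inf}),
        "three": user_fair_share(1000, {"alice": 200, "bob": inf, "carol": inf}),
    }


if __name__ == "__main__":
    print(demo_services())
    print(demo_users())
```

The minimum is a floor, not a reservation: when the Virtual Path service is idle its 1000 kbps minimum is not held back, and the Internet Service still cannot exceed its 1000 kbps maximum however much of the link is free, which is the behaviour the notes describe for a single user.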
Key Notes:
• NetScaler SD-WAN Quality of Service functionality is designed to provide an overall improved user experience for all applications managed for delivery across WAN links. Regardless of whether the application is bound for a partner site or bound for the Internet, SD-WAN will make sure a fair share of bandwidth is allocated for each user, and one user or application does not starve out another.
Key Notes:
• The Optional Self Study exercises are added to allow students to continue the hands-on experience outside of class time. You are given 30 days of access to the lab environment and can go in at any time and complete these labs.
Key Notes:
• The Self-Paced Bonus Exercises are added to allow students to continue the hands-on experience outside of class time. You are given 30 days of access to the lab environment and can go in at any time and complete these labs.
• Typically:
• Datacenter: Deploy 1-arm/PBR with HA
• Branch Office: Inline or Gateway/Edge mode
• Option 1/2: HA Pair or Single SD-WAN: 1-arm/PBR with MPLS router and Firewall
• Option 3: Single SD-WAN in 1-arm PBR configured with the Core Switch
• Option 4: HA Pair: Inline mode between a new pair of switches and the pair of core switches
• Option 5: Single SD-WAN in Inline mode between routers/firewalls and the core switch, in fail-to-wire
• Option 6**: Single SD-WAN deployed in inline mode, between MPLS router and core switch with direct
Key Notes:
• Traffic Types:
• Pass-through traffic: goes through the appliance, but the appliance doesn't accelerate it
• One-arm mode: packets flow in one port and out the same port
• Forwarding Modes:
• Inline mode, in which the appliance transparently accelerates traffic flowing between its two Ethernet ports. In this mode, the appliance appears (to the rest of the network) to be an Ethernet bridge. Inline mode is recommended, because it requires the least configuration.
• Virtual inline mode, in which a router sends WAN traffic to the appliance and the appliance returns it to the router. In this mode, the appliance appears to be a router, but it uses no routing tables. It sends the return traffic to the real router. Virtual inline mode is recommended when inline mode and high-speed WCCP operation are not practical.
• High availability mode, which allows two appliances to operate as an active/standby high availability pair. If the primary appliance fails, the secondary appliance takes over.
• Additional traffic types are listed here for completeness:
• Pass-through traffic refers to any traffic that the appliance does not attempt to accelerate. It is a traffic category, not a forwarding mode.
• Direct access, where the appliance acts as an ordinary server or client. The GUI and CLI are examples of direct access, using the HTTP, HTTPS, SSH, or SFTP protocols. Direct access traffic can also include the NTP and SNMP protocols.
• Appliance-to-appliance communication, which can include signaling connections (used in secure
Deployment Modes - Preview
Review from the Environment Overview
• Option 1: Single SD-WAN: inline mode, between routers/firewalls and core switch
• Option 2: Single SD-WAN: inline mode, between MPLS Router and Core Switch with direct termination of internet into the SD-WAN
• Option 3: Single SD-WAN: 1-arm/PBR configured with the MPLS router and Firewall
• Option 6**: Single SD-WAN: edge mode on the LAN side of the existing MPLS router/firewall
• Option 7: Single SD-WAN: Gateway/edge mode replacing the Firewall and Router
Key Notes:
• Least configuration
• In inline mode, traffic passes into one of the appliance's Ethernet ports and out of the other. When two sites with inline appliances communicate, every TCP connection passing between them is accelerated. All other traffic is passed through transparently, as if the appliance were not there.
• Router sends WAN traffic to the appliance and the appliance returns it to the router
• The appliance appears to be a router, but it is using no routing tables; the real router routes.
• Used when inline or high-speed WCCP operation are not practical
• Do not mix inline and virtual inline modes within the same appliance. However, you can mix virtual inline and WCCP modes within the same appliance. Citrix does not recommend virtual inline mode with routers that do not support health monitoring.
• In virtual inline mode, the router uses policy based routing (PBR) rules to redirect incoming and outgoing WAN traffic to the appliance for acceleration, and the appliance forwards the processed packets back to the router. Almost all of the configuration tasks are performed on the router. The only thing to be configured on the appliance is the forwarding method, and the default method is recommended.
• Like WCCP, Virtual inline deployment requires no rewiring and no downtime, and it provides a solution for asymmetric routing issues faced in a deployment with two or more WAN links.
NetScaler SD-WAN Deployment Methods
Supported Platforms:
• Inline Mode: Standard Edition, Enterprise Edition, WANOP Edition
• Virtual Inline Mode: Standard Edition (PBR), Enterprise Edition (PBR), WANOP Edition (PBR & WCCP)
• Edge/Gateway Mode: Standard Edition (PBR), Enterprise Edition (PBR)
[Diagram: for each mode, the SD-WAN placed between the Firewall and the Servers]
Key Notes:
• The NetScaler SD-WAN solution is very flexible in deployment and is designed to sit as an overlay to any existing infrastructure without major change. SD-WAN deployment modes include:
• Inline Mode - NetScaler SD-WAN SE needs to be configured to pass traffic to the proper gateway. Traffic intended for the Virtual Path is directed towards the SD-WAN SE and then
• Gateway mode places the SD-WAN appliance physically in the path (two-arm deployment) and requires changes in the existing network infrastructure to make the SD-WAN appliance the default gateway for the entire LAN network for that site. One thing to take note of is that each
• For example, all three editions of SD-WAN support Inline deployment mode. Where Standard and Enterprise Edition are similar from a configuration standpoint, WANOP Edition also supports Inline mode but is deployed a little differently.
• Virtual Inline Mode is also supported by all three Editions, but the difference is that WANOP Edition has the added support of WCCP in addition to Policy Based Routing (or PBR).
• Edge mode deployment is only supported on the Standard Edition and Enterprise Edition appliances. WANOP Edition has a different set of features and can only be deployed behind existing routers and firewalls.
4) Inline Mode
Key Notes:
• Deployment modes and options are numerous and all depend on the existing underlay environment.
• SD-WAN is recommended to be deployed in Inline mode at the branch offices, where SD-WAN sits as an overlay in the existing environment in the path of all traffic, typically between the existing WAN edge router and the core switch. Inline is recommended due to simplicity and ease of traffic management, since the appliance being in the direct path will see all traffic, and also the hardware bypass capability will allow the network to operate on the existing underlay network should the SD-WAN become unavailable due to power failure or other anomalies.
• For Branch deployments, the second recommended option would be Virtual Inline mode leveraging Policy Based Routing (PBR), allowing placement of the SD-WAN out of the direct path of the traffic flow. PBR on network devices is needed to direct outgoing traffic flows to the SD-WAN; returning traffic will be returned to the SD-WAN for Standard Edition and Enterprise Edition since a tunnel is built, but for WANOP Edition additional PBR configuration is needed to make sure returning traffic is also redirected to WANOP. PBR is typically used in networks where direct inline is not feasible, most of the time due to the inability to take down-time to cable an appliance into the direct path. The WANOP Edition has the added benefit of leveraging WCCP for redirection, where Standard and Enterprise currently do not have that as an option.
• Two appliances can be used at any branch site to operate in high availability to continue SD-WAN operation even during power failure issues or other anomalies that may occur. High Availability would eliminate the need for bypass mode fail-to-wire, since one of the two SD-WAN appliances is always expected to be active.
• Cloud deployed SD-WAN machines must be deployed in Edge or Gateway mode. In this deployment, the SD-WAN is the WAN edge device, deployed similarly to a customer edge router. All backend machines point to the SD-WAN for their default gateway.
SD-WAN Deployment: Inline Mode
[Diagram: Standard and Enterprise Edition appliance with Serial and MGMT ports and data interface pairs (1/1, 1/2), (1/3, 1/4), (1/5, 1/6) bridged between Router and Hosts; WANOP Edition appliance bridged between Router and Hosts on a single interface pair]
Key Notes:
• SD-WAN appliances come equipped with multiple data interfaces paired together as bypass
• Generally SD-WAN Standard and Enterprise Edition have similar features and capabilities and typically are similar in deployment approach.
• SD-WAN WANOP Edition is unique with its feature set and may be slightly different in
• For the most part all Editions are very similar in deployment approach when it comes to Inline Mode.
• Each appliance leverages the available data interfaces and when sitting as an overlay solution,
• For Standard and Enterprise Edition, Inline mode typically means multiple WAN Links are expected, and in some cases there are two links between the core and the WAN edge of the network that SD-WAN can be placed in the path of: one path to the Internet Firewall and one path to the MPLS Router.
• WANOP Edition generally optimizes a single WAN link, and when deployed in path usually utilizes a single pair of interfaces.
[Diagram: Firewall and Router on the WAN side, SD-WAN inline, Hosts, separate Management connection]
• […] (fiber or copper), speeds and bridged pairs
Key Notes:
• Some general things to be aware of for Inline Mode deployment involve typical layer 2 issues, which include proper cabling and correct speed/duplex negotiation between neighboring devices. SD-WAN Ethernet interfaces are equipped with the MDI-X feature, allowing for auto-detection of the signaling convention the device on the other end of the cable is expecting and negotiating use of the transmit and receive wires accordingly. Only one end of the connection is
• More often than not, speed and duplex is the culprit in performance issues when SD-WAN is deployed. The appliance is typically shipped with auto-negotiate set by default, but if an existing network has the speed and duplex hard-coded, then SD-WAN must be configured to
• The system GUI of each SD-WAN Edition has this negotiated interface speed/duplex reported. This is the screenshot from the Standard and Enterprise Edition.
• For Inline Deployments, SD-WAN sits directly in the path of all traffic and per the data sheet these appliances are spec'd for a particular speed. Overutilizing the appliances is not recommended, and typically yields poor performance. It's better to err on the side of caution and to oversize the appliance rather than undersize. This may become even more important as you enable all the features and functionality SD-WAN has to offer, including SSL optimization and Data Encryption, which generally add performance impact.
• Another important aspect of the SD-WAN to consider for Inline Mode is the number of available data interfaces, the speeds associated with them and the availability of bridged pairs. This may become important in deployments where SD-WAN is expected to be deployed with multiple WAN links, or in path with network devices that only support copper or fiber interfaces; SD-WAN has to have matching interfaces.
• Also be aware that even though the topology diagrams don't always show the management
Virtual Inline Mode
[Diagram: Standard and Enterprise Edition SD-WAN attached on a single interface (1/1) to a PBR Router, with Hosts and the WAN Router]
Key Notes:
• An alternate method of deployment is generally needed when SD-WAN cannot directly be placed in the data path, either to prevent business disruption in the introduction of SD-WAN or
• Standard and Enterprise Edition rely on policy based routing (or PBR) to redirect LAN to WAN traffic over to SD-WAN for reliable delivery across the Wide Area Network and for Virtualized
• The return flow does not need redirection by the underlay since a tunnel is built and the returning packets will have a destination address of the SD-WAN for processing before being
• WANOP Edition has the same capability if being deployed in Virtual Inline Mode, and PBR can be leveraged for traffic redirection of the LAN to WAN traffic flow. However WANOP Edition is coded differently and does not have the same tunnel establishment with partner devices as Standard and Enterprise Edition, which means the returning WAN to LAN traffic flow typically does not have the WANOP Edition as the destination address of the returning packet.
• What this means is that returning flows for WANOP Edition also need traffic redirection in place so that the flow is also redirected to the WANOP appliance for symmetric acceleration; otherwise the optimization will not be successfully established.
• In addition to PBR, the WANOP Edition has support for WCCP, which enables the WANOP Edition to be deployed in WCCP clusters, scaling the bandwidth capacity for WANOP far beyond the limits of a single box.
[Diagram: LAN Subnets VLAN 100: 192.168.100.0/24 and VLAN 200: 192.168.200.0/24 behind a Router; Firewall Gateway: 192.168.1.1; SD-WAN Gateway: 192.168.10.1 on interface 1/1 at 1Gbps (500Mbps usable per direction); Router CPU; Hosts; Firewall]
Be cautious of contention for the WAN links between SD-WAN and non-SD-WAN traffic
Key Notes:
• In deployment of SD-WAN in Virtual Inline mode it is helpful to know some caveats that would
• PBR is done at layer 2 in hardware, so for the most part it is not very impactful to most high-end routers, but the recommendation would be to take an incremental approach of applying a few PBR policies and monitoring the CPU usage and TCAM usage on the PBR enabled device. This helps prevent unexpected results and ensures that the network devices are capable of
• Also for PBR deployments, it is important to enable heartbeat probes or IP SLA on the PBR router to make sure it is checking the health of the SD-WAN before redirecting traffic to it. If this is not in place, traffic can easily be black-holed if SD-WAN has a power failure or any type of […] understand.
• As an example, let's say that this interface is 1Gbps full duplex, meaning it can send 1Gbps and receive 1Gbps simultaneously. Now with this in mind, as SD-WAN processes packets and sends them to the LAN and WAN networks, (3) it can really only push 500Mbps for each LAN and WAN destination.
• This is important to understand because SD-WAN is expected to deliver across a Virtualized WAN, and in this example that Virtual WAN would be capped at 500Mbps maximum. If each of these WAN links were 1Gbps, then the interface used for SD-WAN would need to be a 10Gbps interface and the appropriate 10Gbps fiber port on the SD-WAN would also need to be used.
• With policy based routing, the use of access lists can potentially limit the traffic SD-WAN has visibility to. If only a small test subnet is redirected to SD-WAN, but SD-WAN is configured for
Edge/Gateway Deployment Mode: Standard and Enterprise Edition
[Diagram: SD-WAN with data interfaces 1/1 to 1/6 acting as the gateway between the WAN links and the Core switch and Hosts]
• Deployed like a VPN
• Appliance becomes the gateway for all subnets
• […] auto-configure the Virtual IP address per link
Key Notes:
• Standard Edition and Enterprise Edition appliances have another deployment mode that is not
• This deployment is very much similar to how IPVPN networks are deployed, and essentially is a replacement of that technology.
• In Edge Mode, SD-WAN becomes an L3 termination point for every subnet on the LAN. Bypass bridge interface pairs are not involved, and if the SD-WAN goes down then that means the gateway would also be down for that site. So it's typically recommended with HA.
• When SD-WAN is deployed in Edge mode on internet links, there is a feature introduced in release 9.1 that allows the data interfaces to automatically assign an IP to themselves using DHCP. When an interface is enabled as a DHCP Client, the WAN links are also set to Auto Detect the Public IP. Typically these links are marked as untrusted since they are directly connected to the internet, and are also configured to fail-to-block, which would prevent the network from being directly exposed to the Internet during power failure.
• Also in Edge Mode, a LAN interface is created and associated with a Virtual IP address to act as the default Gateway for the LAN.
Edge Mode with High Availability:
• Standby HA is forced to be in hardware
• Some loss occurs during fail over of SD-WAN
Key Notes:
• The Edge Mode deployment for NetScaler SD-WAN can be coupled with High Availability to provide a highly available site. Even though the HA pair runs in active/standby mode, both WAN links are active. This is targeted at customers who want to replace their edge routers with SD-WAN devices while retaining redundancy in case of an SD-WAN failure. This design is specific to Edge/Gateway mode; a typical HA deployment for Inline mode would otherwise require both WAN links to terminate into both appliances (usually accomplished with additional router/switch hardware).
• Edge Mode with High Availability is only available on the Standard and Enterprise appliances,
• Interfaces 1 & 2 on the bottom Standby SD-WAN and interfaces 1 & 2 on the top Active SD-WAN
• When all is working well, the active SD-WAN uses interface 2 for the Internet WAN link and interface 3, via the partner's interfaces 1-2, for the MPLS WAN link.
• If the Primary goes down and the Secondary takes over, the new Primary uses interface 2 for the MPLS WAN link and interface 3, via the partner's interfaces 1-2, for the Internet WAN link.
• It is important to note that you must enable the "HA Fail-to-Wire Mode" option in the GUI for this Edge Mode deployment to be accepted by the Configuration Editor. Normally HA restricts Fail-to-Wire to prevent traffic from bypassing the active appliance.
• One word of caution: Edge Mode with HA is not completely hitless, as the Fail-to-Wire pairs have to transition from bypass to active, so expect a short period of loss (about 1-5 seconds, depending on the switch port configuration upstream and downstream). Also note that this HA setup is designed specifically for Edge Mode deployments.
Inline Mode High Availability (diagram):
• Heartbeat VIPs: 172.20.20.3 (P), 172.20.20.2 (S)
• Mgmt: 172.10.10.2
• INET VIP: 192.168.10.2; MPLS VIP: 192.168.20.2
• Bridge pairs: fail-to-block
• Failover of one WAN link will force failure of SD-WAN and second WAN link
Key Notes:
• Standard and Enterprise Edition High Availability in Inline Mode is very easy to configure, since
• The WAN Link Virtual IP assignment is identical between the two appliances.
• The only differences between the two appliances are the management IP addresses and the Heartbeat addresses, which are unique per appliance.
• For an Inline HA deployment, we need to understand bridge pairs and fail-to-block operation, which
• The two firewalls operate in active/passive, and the two MPLS routers, running VRRP or HSRP, also operate in active/passive in this example environment.
• What we need to make sure of, in the event of either one of those WAN links failing,
• SD-WAN also fails over, forcing the failover of the second WAN link as well, so that the partner HA SD-WAN appliance has full control of both WAN paths and path selection.
• The key point is that even during an HA failover the applications stay alive; the failover convergence is so fast that there is no disruption in the network.
Virtual Inline Mode High Availability (diagram):
• Heartbeat VIPs: 172.20.20.3 (P), 172.20.20.2 (S)
• Mgmt: 172.10.10.2
Key Notes:
• Standard and Enterprise Edition High Availability in Virtual Inline Mode is also very easy to configure, since the configuration of both appliances is nearly identical.
• The WAN Link Virtual IP assignment is identical between the two appliances.
• The only differences between the two appliances are the management IP addresses and the Heartbeat addresses, which are unique per appliance. Optionally, the data interfaces of the two appliances can be attached directly to each other so that heartbeat communication works directly, as opposed to
• Also with Virtual Inline, HA failover is seamless and applications continue to function without disruption, due to the fast failover convergence.
Mixed Deployment Mode (diagram: Firewall, Router, Hosts; one WAN link inline, one via Virtual Inline, and direct termination of a third WAN link into the appliance)
Key Notes:
• SD-WAN is designed to overlay into any network, and is flexible with the various deployment mode options. Mixed deployment mode enables the deployment of SD-WAN (1) directly inline with respect to one WAN link, while simultaneously supporting (2) Virtual Inline from the perspective of another WAN link, as well as (3) directly terminating a new WAN link into the appliance.
• This becomes significant when SD-WAN needs to be deployed at sites where the existing infrastructure needs to stay as is, yet SD-WAN technology needs to be integrated and tested.
• In this example, the existing network consisted of an MPLS link and a standby Internet link. SD-WAN was introduced inline on the MPLS path, and in Virtual Inline mode using PBR on the firewall, which leveraged SD-WAN to bring the standby Internet link into an active state. Soon the capacity needs grew, so a third Internet link was added, terminating directly into the appliance.
• Traffic is normally delivered from the LAN network to the default gateway. The intermediate router diverts Internet-bound traffic to the firewall, but for the most part the traffic is destined to the gateway. With SD-WAN in the path, it is able to intercept that traffic and determine which of the three WAN links is better suited to deliver the flow. Once that determination is made, SD-WAN can change the normal route of the packet by delivering it across the Virtual Path.
• If that default gateway happens to go down, that impacts SD-WAN's ability to intercept traffic; hence the need for a feature called Proxy ARP. Proxy ARP can only be enabled when SD-WAN sits in the path of a gateway in Inline Mode. This feature allows the end hosts to continue sending traffic as if the gateway were still operational, allowing SD-WAN to intercept it and deliver it across the Virtual WAN.
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
Configuring Interface Groups (NetScaler SD-WAN Configuration Editor screenshot: Virtual IP Addresses, DHCP, WAN Links, Certificates, High Availability, Interface Groups)
Key Notes:
• Generally the layout of the Interface Groups determines the deployment mode chosen for SD-WAN. An Interface Group allows one or more Ethernet interfaces that share a common subnet to be configured together. Keep in mind that each appliance has different Ethernet and fiber ports, and the labeling may be unique per appliance model. This is an example image of the
Trusted and Untrusted Interfaces (diagram):
• Trusted: Hosts, Router, SD-WAN-SE
• Untrusted interface: a port that connects to non-secure networks with no firewall (public Internet)
Key Notes:
• On SD-WAN Standard and Enterprise Edition, each interface can be configured to act differently. The concept of interface groups is not applicable to the WANOP Edition platform.
• A "Trusted" interface is connected to a secure part of the network and is allowed to pass traffic through without concern of opening the network up to security risks. Generally these are LAN networks, private MPLS networks, and even networks that are connected to the public Internet but are protected by a firewall.
• The WAN paths that are configured on trusted interfaces can optionally be configured for data encryption, or opt for no encryption. This is primarily because of deployment mode options like Virtual Inline, where SD-WAN does not directly face each WAN link; in that case a single interface is used and marked as trusted, but it still needs encryption enabled, because that single interface handles both public and private WAN links.
• Interfaces can also be configured as "Untrusted", denoting ports that are connected to public networks with no security or firewall protecting the network. On untrusted interfaces SD-WAN drops all incoming packets, with the exception of partner SD-WAN UDP 4980, ARP, and ICMP packets.
• Lastly, the management network is zoned separately from the data interfaces and is on a separate IP stack. This interface typically gets connected to a dedicated management network, but can be connected directly to the LAN network at sites with limited subnet blocks.
Virtual Path Encryption (diagram: IPsec, encrypt data, Packet Authentication Trailer)
Key Notes:
• Depending on the characteristic assigned to your WAN link interface, trusted or untrusted, SD-WAN
• Regardless of the assigned characteristic, data encryption can be set up as a global parameter. This global parameter can be controlled more granularly per site.
• Network encryption defines the algorithm used for all encrypted paths on an SD-WAN appliance. This encryption setting does not apply to non-encrypted paths, but can be enabled for all and
• AES 256-bit
• As you go down the list and enable more advanced encryption mechanisms, keep in mind that the performance specs on the data sheet may be impacted, so it is important to size accordingly if encryption is intended to be enabled.
• In addition to securing the payload with advanced encryption algorithms, the relationship between SD-WAN partners is also hardened with further levels of security. By default, SD-WAN's global parameters enable Encryption Key Rotation, which regenerates the encryption key of every Virtual Path at intervals of 10-15 minutes, limiting how much traffic any single key protects. Optionally, one can also enable the Extended Packet Encryption Header, which randomizes the output of the encryption, providing strong message indistinguishability. Optionally, the Extended Packet Authentication Trailer can also be enabled, which allows verification that packets were not modified in transit.
• Again, keep in mind that the more advanced security features are enabled, the bigger the impact
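As an added example, not Citrix code and not the SD-WAN wire format, the following Python shows what the three options described above protect against. It uses only the standard library: an HMAC-SHA256 keystream stands in for AES-256 (an assumption, since the standard library has no AES), the extended header is modelled as a random 16-byte nonce per packet, the authentication trailer as a 16-byte HMAC over header and ciphertext, and key rotation as deriving a new path key from the old one. Key, nonce and tag sizes are this example's choices.

```python
"""Added example (not Citrix code): what the Virtual Path encryption options guard against.

  * keystream cipher: HMAC-SHA256 in counter mode, standing in for AES-256 (assumption)
  * Extended Packet Encryption Header  -> fresh random 16-byte nonce per packet
  * Extended Packet Authentication Trailer -> 16-byte HMAC over header + ciphertext
  * Encryption Key Rotation -> next path key derived from the previous one
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 16


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class VirtualPathCrypto:
    def __init__(self, path_key: bytes, extended_header: bool, auth_trailer: bool):
        self.extended_header = extended_header
        self.auth_trailer = auth_trailer
        self.path_key = path_key
        # Separate confidentiality and integrity keys derived from the path key.
        self.enc_key = hmac.new(path_key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(path_key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            block = nonce + counter.to_bytes(4, "big")
            out += hmac.new(self.enc_key, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def seal(self, payload: bytes) -> bytes:
        # Without the extended header the nonce is fixed: identical payloads give
        # identical packets, and every packet reuses the same keystream.
        nonce = os.urandom(NONCE_LEN) if self.extended_header else bytes(NONCE_LEN)
        header = nonce if self.extended_header else b""
        body = header + _xor(payload, self._keystream(nonce, len(payload)))
        if self.auth_trailer:  # encrypt-then-MAC over everything that is sent
            body += hmac.new(self.mac_key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body

    def unseal(self, packet: bytes) -> bytes:
        body = packet
        if self.auth_trailer:
            body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
            expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()[:TAG_LEN]
            if not hmac.compare_digest(tag, expected):
                raise ValueError("authentication trailer mismatch: modified or wrong key")
        if self.extended_header:
            nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
        else:
            nonce, ciphertext = bytes(NONCE_LEN), body
        return _xor(ciphertext, self._keystream(nonce, len(ciphertext)))

    def rotate(self, epoch: int) -> "VirtualPathCrypto":
        """Key rotation: both partners derive the next path key the same way, so
        packets sealed under the previous key no longer verify."""
        info = b"rotate" + epoch.to_bytes(4, "big")
        new_key = hmac.new(self.path_key, info, hashlib.sha256).digest()
        return VirtualPathCrypto(new_key, self.extended_header, self.auth_trailer)
```

Without the header, a fixed nonce means identical payloads (a keepalive, say) produce identical packets, and because the keystream repeats, XORing two ciphertexts also reveals the XOR of their plaintexts. Without the trailer, flipping a ciphertext bit flips the corresponding plaintext bit and nothing notices; with it, modified packets and packets sealed under a rotated-out key are rejected before decryption.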
Interface Bypass Modes: Fail-to-Block or Fail-to-Wire (diagram: Core, Hosts, Router, Trusted SD-WAN bridge pair 1/2; one pair Fail-to-Block, one pair Fail-to-Wire)
Key Notes:
• How the interfaces behave during normal operation is great, but the same level of security must also be enforced should the SD-WAN device go offline. A pair of appliances can be used in high availability mode to make sure the SD-WAN service is always available, but in some branch offices a two-appliance solution may not be a cost-effective approach.
• SD-WAN Standard and Enterprise Edition appliances provide configurable settings for how a bridge pair behaves when the appliance fails or loses power.
• Pass-through of traffic may be enabled between two Ethernet interfaces by creating a Bridge Pair. Setting the Bypass Mode to Fail-to-Wire enables a physical connection between the bridge pair, allowing traffic to flow in the event of an appliance restart or failure. As noted for Edge Mode above, a pair facing an untrusted Internet link should instead use Fail-to-Block, so that a power failure does not expose the LAN directly to the Internet. Only interfaces
Interface Group: VLAN
SD-WAN Interface Group VLANs:
• Irrespective of configuration, SD-WAN will not block the traffic or drop the packets
• Only if the traffic needs to go through the Virtual Path do the VLANs need to be identified
Multicast and Unicast traffic handling:
• Unicast or Multicast on VLAN 300 - Passthrough
(Screenshot: Interface Groups with MPLS-100 and MPLS-200 Virtual Interfaces on bridge pair 1/1-1/2, and an INET-and-4G group on 1/3-1/4 marked Untrusted)
Key Notes:
• Interface Groups also provide the capability to create Virtual Interfaces to help with VLAN traffic routing. Traffic matching the given VLAN ID will be routed by the SD-WAN appliance based on user configuration, while undefined VLAN traffic will simply pass through.
• This enables SD-WAN to be directly deployed on a VLAN trunk and still be capable of handling
• Irrespective of whether we configured VLAN tags or not, SD-WAN will not block the traffic or drop the packets.
• Only if SD-WAN needs to send the traffic through the Virtual Path do the Interface Groups need the VLANs identified.
• As an example, let's focus on the bottom path leading to the MPLS WAN link. SD-WAN is deployed inline on that path using interfaces 1/1 and 1/2.
• Here is the screenshot of the configuration build-out for that Interface Group.
• When creating the Interface Group for MPLS, Ethernet interfaces 1/1 and 1/2 are selected.
• Bypass Mode is set to Fail-to-Wire because the desired effect for this example is to have the network fall back to the MPLS link on the underlay network should the SD-WAN appliance go down.
• The bridge pair interfaces are identified as 1/1 and 1/2.
• Lastly, two Virtual Interfaces are created to address VLAN 100 and VLAN 200 traffic, which is desired to go through the SD-WAN overlay network. There are other VLANs on this network, but based on this configuration the other VLANs will pass through over the underlay network to the MPLS router.
• With this sample configuration, let's walk through the behavior of both multicast and unicast traffic flows.
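As an added example, not Citrix code, the following Python models the two ingress rules from the Trusted/Untrusted notes earlier and the VLAN notes here: an Untrusted port drops everything except partner SD-WAN UDP 4980, ARP and ICMP, and on a Trusted bridge pair only the VLANs that have a Virtual Interface are taken into the overlay, while every other VLAN (VLAN 300 in the diagram) passes through on the underlay. The port names, VIPs, partner list and frames are constructed; recognising a partner by its source VIP is an assumption.

```python
"""Added example (not Citrix code): ingress classification for SD-WAN interface groups.

Rules modelled from the course notes:
  * an Untrusted interface drops every incoming packet except partner SD-WAN
    UDP 4980, ARP and ICMP;
  * on a Trusted bridge pair only VLANs that have a Virtual Interface are handed
    to the overlay (Virtual Path); every other VLAN is passed through on the underlay.
Port names, VIPs and frames below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence

SDWAN_UDP_PORT = 4980   # Virtual Path encapsulation port (from the course notes)
UNTAGGED = 0            # VLAN id used here for untagged frames


@dataclass(frozen=True)
class Frame:
    ingress: str                 # port the frame arrived on, e.g. "1/1"
    vlan: int = UNTAGGED         # 802.1Q tag, UNTAGGED if none
    ethertype: str = "ip"        # "ip" or "arp"
    proto: str = ""              # "udp", "tcp", "icmp" for IP frames
    src: str = ""                # IPv4 source
    dst: str = ""                # IPv4 destination
    dport: int = 0               # L4 destination port


@dataclass(frozen=True)
class InterfaceGroup:
    name: str
    members: FrozenSet[str]        # ports in the group, e.g. {"1/1", "1/2"}
    trusted: bool
    overlay_vlans: FrozenSet[int]  # VLANs with a Virtual Interface configured


def untrusted_allows(frame: Frame, partner_vips: FrozenSet[str]) -> bool:
    """Ingress filter for an Untrusted port. Assumption: a 'partner SD-WAN' is
    recognised by its source IP being a known partner VIP."""
    if frame.ethertype == "arp" or frame.proto == "icmp":
        return True
    return (frame.proto == "udp" and frame.dport == SDWAN_UDP_PORT
            and frame.src in partner_vips)


def classify(frame: Frame, groups: Sequence[InterfaceGroup],
             local_vips: FrozenSet[str], partner_vips: FrozenSet[str]) -> str:
    """What the appliance does with one frame: "drop", "terminate" (handled by the
    appliance itself: ARP/ICMP on an untrusted port, or a Virtual Path packet for
    one of our VIPs), "overlay" (taken into the Virtual Path) or "passthrough"
    (bridged untouched to the partner port of the bridge pair)."""
    group: Optional[InterfaceGroup] = next(
        (g for g in groups if frame.ingress in g.members), None)
    if group is None:
        return "drop"                              # unknown port: fail closed
    to_us = (frame.proto == "udp" and frame.dport == SDWAN_UDP_PORT
             and frame.dst in local_vips)
    if not group.trusted:
        if not untrusted_allows(frame, partner_vips):
            return "drop"
        # Nothing is bridged through an untrusted port; allowed traffic ends here.
        local = frame.ethertype == "arp" or frame.proto == "icmp" or to_us
        return "terminate" if local else "drop"
    if to_us:
        return "terminate"                         # inbound Virtual Path traffic for us
    if frame.ethertype == "arp":
        return "passthrough"                       # hosts still ARP for the real gateway
    if frame.vlan in group.overlay_vlans:
        return "overlay"
    return "passthrough"                           # undefined VLAN, e.g. VLAN 300


# Constructed configuration matching the slide: MPLS bridge pair with VLAN 100/200
# Virtual Interfaces, and an untrusted Internet/4G group on the default VLAN.
GROUPS = (
    InterfaceGroup("MPLS", frozenset({"1/1", "1/2"}), True, frozenset({100, 200})),
    InterfaceGroup("INET-and-4G", frozenset({"1/3", "1/4"}), False, frozenset({UNTAGGED})),
)
LOCAL_VIPS = frozenset({"192.168.100.2", "192.168.200.2", "198.51.100.2"})  # assumed
PARTNER_VIPS = frozenset({"203.0.113.10"})                                  # assumed


def demo() -> dict:
    """Constructed frames, one per rule, and the verdict for each."""
    samples = {
        "lan vlan100 http":   Frame("1/1", 100, proto="tcp", src="192.168.100.50", dst="10.9.9.9", dport=80),
        "lan vlan300 udp":    Frame("1/2", 300, proto="udp", src="192.168.30.7", dst="10.9.9.9", dport=5000),
        "inet scan":          Frame("1/3", proto="tcp", src="203.0.113.77", dst="198.51.100.2", dport=443),
        "inet partner vpath": Frame("1/3", proto="udp", src="203.0.113.10", dst="198.51.100.2", dport=4980),
        "inet rogue 4980":    Frame("1/3", proto="udp", src="203.0.113.99", dst="198.51.100.2", dport=4980),
        "inet arp":           Frame("1/4", ethertype="arp"),
        "mpls partner vpath": Frame("1/2", 100, proto="udp", src="192.168.50.2", dst="192.168.100.2", dport=4980),
    }
    return {name: classify(f, GROUPS, LOCAL_VIPS, PARTNER_VIPS) for name, f in samples.items()}
```

The "inet rogue 4980" case is the one worth noticing: matching the SD-WAN port alone is not enough on an untrusted interface, the source must also be a known partner, otherwise the port filter is trivially spoofed.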
In what scenario is it not recommended to set an interface group to trusted?
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
Configuring Virtual IP Addresses (NetScaler SD-WAN Configuration Editor screenshot: interfaces 1/2, 1/4, 1/6 with VIP MPLS, VIP INET and VIP 4G/LTE)
Key Notes:
• The next step in the configuration build-out involves Virtual IP Addresses, which can be assigned to interfaces. The Virtual IP address is used for communication between sites across the Virtual Path and can be used as the next-hop for traffic transmitted across the Virtual WAN Service. Each interface can have multiple Virtual IP Addresses, allowing SD-WAN to terminate more WAN links than the number of physical interfaces available.
Virtual IP Addresses (diagram):
• LAN Subnets: VLAN 100: 192.168.100.0/24, VLAN 200: 192.168.200.0/24
• VIP MPLS-100: 192.168.100.2; VIP MPLS-200: 192.168.200.2
• MPLS Gateway (Router, Trusted): 192.168.100.1 / 192.168.200.1
• Trunk Link (VLAN 100 + VLAN 200)
• Unicast or Multicast on VLAN 300 - Passthrough
Key Notes:
• After the Interface Groups are identified, the next step in configuration involves identifying the Virtual IP Addresses and associating them with the Virtual Interfaces previously created.
• Looking first at the Interface Group defining interfaces 1/3 and 1/4, which sit on the path to the Internet and 4G/LTE links: we need a single Virtual Interface that can be associated with two unique WAN links. Because this Interface Group sits in the path of a single line with only the default VLAN available, two available IP addresses need to be used as SD-WAN VIPs, one associated with each WAN link, and both must be created in the same subnet available on that line.
• The firewall in this example use case will receive two sets of SD-WAN encapsulated UDP port 4980 packets, because SD-WAN will want to deliver across the two available WAN links along this path separately. In order for the SD-WAN paths to be distinguished between the two Internet WAN links, there is a dependency on the underlay network to route the UDP traffic to the two desired paths separately.
• In this case that task falls on the firewall, which needs policy based routing to ensure that all SD-WAN packets with source port 4980 and a source IP address of a VIP get routed outbound to the correct link, regardless of the destination IP address and port number. This example use case involves creating two access lists, each matching the traffic of one of the two VIP addresses on source port 4980, and then a route-map entry for each to deliver the matched traffic to its respective next-hop. The returning flow doesn't need any additional configuration, because the destination of the returning packet will be one of the two VIPs, which the underlay network already knows how to deliver.
• The Virtual IP Address configuration identifies the two VIPs for those WAN links and ties them to the Virtual Interface that identifies the Interface Group; the configuration is simple.
• Next we will take a look at the Interface Group defining 1/1 and 1/2, which sit on the path to the MPLS WAN link. This example use case forces the usage of two VIPs for the single MPLS link,
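The firewall-side policy based routing described in the bullets above, as an added example that is not part of the course material or any Citrix code. It is written in Python rather than firewall CLI so that it can be executed: each access list matches one VIP as source with UDP source port 4980, each route-map entry sets a different next-hop, and everything else, including return traffic addressed to a VIP, follows the ordinary routing table. The VIPs 192.168.30.2 and 192.168.30.3, the next-hops 203.0.113.1 and 198.51.100.1, and the routes are constructed assumptions.

```python
"""Added example (not Citrix code): policy-based routing on the firewall so that
SD-WAN's encapsulated UDP 4980 packets leave on the intended WAN link.

One access list per VIP (source IP = VIP, UDP source port 4980), one route-map
entry per access list setting a distinct next-hop, and no PBR for return traffic
because the VIP subnet is reachable through the ordinary routing table.
Addresses, VIPs and next-hops are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SDWAN_UDP_PORT = 4980


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class AccessList:
    """Extended ACL reduced to what the notes describe: source host, protocol
    and source port; destination is 'any'."""
    name: str
    src_host: str
    proto: str = "udp"
    sport: int = SDWAN_UDP_PORT

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src == self.src_host and pkt.proto == self.proto
                and pkt.sport == self.sport)


@dataclass(frozen=True)
class RouteMapEntry:
    acl: AccessList
    next_hop: str          # the "set ip next-hop" target


class PbrFirewall:
    def __init__(self, route_map: List[RouteMapEntry], routes: List[Tuple[str, str]]):
        self.route_map = route_map
        # Routing table as (prefix, next-hop), evaluated longest-prefix first.
        self.routes = sorted(((ipaddress.ip_network(p), nh) for p, nh in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def table_lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        for prefix, nh in self.routes:
            if addr in prefix:
                return nh
        return None

    def forward(self, pkt: Packet) -> Optional[str]:
        """Route-map entries are checked in order on the ingress interface; the
        first ACL match wins and overrides the routing table. Anything else,
        including replies addressed to a VIP, is routed normally."""
        for entry in self.route_map:
            if entry.acl.matches(pkt):
                return entry.next_hop
        return self.table_lookup(pkt.dst)


# Constructed topology: two VIPs in one subnet on one Interface Group (like the
# 1/3-1/4 group above), one per Internet WAN link behind the same firewall.
VIP_INET = "192.168.30.2"   # assumed VIP for the ISP link
VIP_LTE = "192.168.30.3"    # assumed VIP for the 4G/LTE link
ISP_GW = "203.0.113.1"      # assumed next-hop on the ISP link
LTE_GW = "198.51.100.1"     # assumed next-hop on the 4G/LTE link

FIREWALL = PbrFirewall(
    route_map=[
        RouteMapEntry(AccessList("SDWAN-INET", VIP_INET), ISP_GW),
        RouteMapEntry(AccessList("SDWAN-LTE", VIP_LTE), LTE_GW),
    ],
    routes=[
        ("0.0.0.0/0", ISP_GW),                    # default: everything else uses the ISP
        ("192.168.30.0/24", "connected:inside"),  # SD-WAN VIP subnet, directly attached
        ("192.168.100.0/24", "192.168.30.254"),   # assumed LAN behind a core router
    ],
)
```

The check worth keeping from this: without the second route-map entry, `FIREWALL.table_lookup()` sends the 4G/LTE VIP's packets to the ISP, so both Virtual Paths would actually share one link and the path statistics for the two links would be meaningless.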
Virtual IP Addresses for Virtual Inline Deployment (diagram):
• VIP INET: 192.168.10.2; VIP MPLS1: 192.168.10.3; VIP MPLS2: 192.168.10.4
• Firewall Gateway: 192.168.1.1
• SD-WAN Gateway: in the 192.168.10.x subnet (Router)
• LAN Subnets: VLAN 100: 192.168.100.0/24, VLAN 200: 192.168.200.0/24
• Encapsulated packet toward the Internet: Src: VIP INET, Dst: Public IP
Key Notes:
• Virtual IP Addresses are required in all the various deployment possibilities for SD-WAN. Virtual Inline Mode allows for a controlled introduction of SD-WAN into any environment. Access lists and policy based routing allow an admin to selectively choose which traffic to redirect to SD-WAN for Virtual Path delivery, even down to a single host. This allows for vetting of the solution before committing all traffic to it. Be aware when performing this type of operation that SD-WAN traffic will be competing with non-SD-WAN traffic during times of
• When SD-WAN is deployed out of the path of traffic, in Virtual Inline Mode, SD-WAN is again dependent on the underlay network delivering the traffic accordingly when the path is
• The Interface Group for Virtual Inline deployments typically consists of one interface, with that single interface group handling all the WAN links.
• In this example, SD-WAN will need three Virtual IP Addresses, each mapped to one WAN link. Take note that these VIP addresses are all in the same subnet. This SD-WAN subnet can be newly added to the network if there is an available interface on the router, or can be placed on a LAN subnet if required.
• When SD-WAN makes a route decision for the overlay network, the delivered packet is an encapsulated UDP 4980 packet sourced from one of the three VIPs; the dependency is on the underlay network to deliver it across the correct WAN link.
• In this example we only have one Internet WAN link, so traffic that SD-WAN wants delivered on the Internet link will naturally be routed to the correct path. This is because the UDP packet will have a source IP of the Internet VIP, but more importantly the destination will be the public IP address of a partner SD-WAN appliance; recall that the firewall needs to perform a NAT operation on the Internet WAN links. The router, having only one Internet link, generally will
What can Virtual IP Addresses be used for?
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
Configuring WAN Links (NetScaler SD-WAN Configuration Editor screenshot: Routing Domains, Interface Groups, Virtual IP Addresses, WAN Links with Upload/Download rates per link)
Key Notes:
• With Interface Groups and Virtual IP Addresses complete, WAN Link definition is the next component of the configuration. WAN Links can consist of private MPLS, public Internet such as cable, DSL, fiber, or other Internet service providers, MPLS, IPsec, or other site-to-site VPN
WAN Link Settings (diagram: Firewall Gateway 192.168.1.1, SD-WAN 1/1-1/2, Core):
• Access Type: Public Internet, Private Intranet, Private MPLS
• Tracking IP Address
• Autodetect Public IP
• Metered Link
• Access interface
Key Notes:
• A WAN Link definition provides the details of the individual private and public connections out to the WAN.
• From the Basic Settings you can define every WAN link for the site, and set the physical rate for ingress and egress on each link.
• Public Internet: a public WAN link that provides an Internet connection via an ISP.
• Private Intranet: a private WAN link that provides connectivity only to sites within your organization.
• Private MPLS: the same as the Private Intranet access type, but provides an option for when that line uses one or more DSCP tags to control the service provider's MPLS Quality of Service queues.
• There are some additional Advanced settings in the link definitions that can for the most part be left at their defaults. Two that are more frequently used:
• Tracking IP Address: tracks the availability of a WAN link by pinging a specific IP address. This proves useful when SD-WAN is not in direct sight of the gateway, and helps prevent delivery on that path if it becomes unavailable.
• AutoDetect Public IP is mostly used on Internet access types. This option should be enabled for all branch nodes so that the SD-WAN environment can auto-learn all remote site public IP addresses, which can change dynamically. This option should be disabled on the head-end node for its Internet links and replaced with a static public IP address, which is needed for every Internet link at the head-end. The configuration shares this static public IP with the remote sites so that they can initiate their Virtual Path connection by calling home.
• Additional Advanced Settings and Eligibility settings are available, but can be left at their defaults for
WAN Links (diagram: SD-WAN 1/1, PBR Router, Router, Hosts)
Key Notes:
• NetScaler SD-WAN Standard and Enterprise Edition are capable of handling up to 8 public WAN links on a single appliance. This maximum is not limited by the number of physical interfaces, but rather by the need for encryption, which is typically enabled on Internet links. Virtual IP addresses are used to allow a single interface to handle more than just one WAN link,
• When encryption is not enabled, the maximum is up to 32 private WAN links, again making use of Virtual IP addresses to handle more links than the available interfaces would typically allow. This flexibility, along with the pay-as-you-grow license model, allows SD-WAN to live longer in a network without the need for a hardware upgrade to handle more capacity.
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
Key Notes:
• Once you have a complete configuration, SD-WAN uses the Change Management tool to provide a central point to prepare configuration and software, and to push the content network-wide in a systematic way. In a new install, a complete configuration consists of one head-end node and at least one branch node built in the Configuration Editor, with the Interface Groups, Virtual IP Addresses, WAN Links, and High Availability all defined. A completed configuration is
SD-WAN Change Management (diagram: Configuration and Software pushed from the Data Center or Cloud to Remote SD-WAN-SE appliances)
Key Notes:
• The Change Management tool is only available on the Standard and Enterprise Edition appliances, and allows for systematic change control of all nodes across the SD-WAN environment.
• This provides a central point from which configuration and software are pushed to all appliances, allowing them to be staged and prepared so that the entire network has all the components in place before flipping over to the new settings.
• Remote appliances need their initial configuration and software installed manually via the local GUI or via the Zero Touch process, but once they have successfully joined the SD-WAN environment, the Change Management tool can be used to send configuration updates and software changes.
• Generally speaking, most configuration changes are non-intrusive, and a configuration change can be pushed to the network without end users noticing any failover.
• Software changes that accompany configuration changes force a reboot of the systems, which would be noticeable by end users, so a maintenance window is recommended for this type of operation. But since the appliances continue to operate while the configuration and software packages are pushed down to them, they are quick to flip over to the new settings once the appliances are activated.
Path Statistics (diagram: Data Center or Cloud to Remote SD-WAN-EE and SD-WAN-SE sites)
Key Notes:
• After the initial configuration and software are obtained and activated on all SD-WAN nodes, the path statistics help indicate proper configuration and connectivity on the underlay network, allowing VIP-to-VIP communication between appliances along the various paths.
• Each SD-WAN device's local GUI reports path statistics specific to it, which help identify the characteristics per path: best one-way time, jitter, loss, kbps of usage, and congestion. These are the measurements used to help determine the best path for delivery based
• utilizing 3 unique paths: Internet, MPLS, and 4G/LTE. Because SD-WAN measures paths unidirectionally, each direction is represented as a separate entry in the table. 3 WAN links
Path states:
• Good: the algorithm, which calculates based on loss, latency, and jitter, identifies that the path is in its ideal state.
• Bad: the algorithm, which calculates based on loss, latency, and jitter, identifies that the path is not in its ideal state. Packets will only use a Bad path if circumstances force it to.
• Dead: no Virtual Path packet has been received on the path for 1.5 seconds. No packets will be sent across this path.
Key Notes:
• The Virtual Path Service State is generally up and reporting a Good usable state, as long as at
• Individual path states are generally very accurate in reporting the usable health condition of each WAN link, and could report a Bad or Dead state if:
• Bad: the algorithm, which calculates based on loss, latency, and jitter, identifies that the path is not in its ideal state. Packets will only use a Bad path if circumstances force it to.
• Dead: no Virtual Path packet has been received on the path for 1.5 seconds. No packets will be sent across this path.
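As an added example, not Citrix code, the following Python keeps the per-direction statistics the notes mention, derives the Good, Bad or Dead state using the 1.5 s Dead timer from the table above, and picks a send path the way the notes describe: Good before Bad, never Dead. The course does not publish the Good/Bad thresholds, so the loss, latency and jitter limits below are this example's assumptions, and the samples are constructed.

```python
"""Added example (not Citrix code): per-direction path state and path choice.

Dead uses the 1.5 s figure from the course notes. The Good/Bad decision is stated
to depend on loss, latency and jitter; the thresholds below are assumptions.
"""
from collections import deque
from typing import Deque, Optional, Sequence, Tuple

DEAD_AFTER_S = 1.5      # from the course notes
MAX_LOSS_PCT = 5.0      # assumption
MAX_LATENCY_MS = 250.0  # assumption
MAX_JITTER_MS = 50.0    # assumption
WINDOW = 20             # assumption: number of recent samples considered


class PathMonitor:
    """Tracks one direction of one path (e.g. head-end -> branch over MPLS)."""

    def __init__(self, name: str):
        self.name = name
        self.samples: Deque[Tuple[int, float]] = deque(maxlen=WINDOW)  # (seq, one-way ms)
        self.last_rx: Optional[float] = None

    def receive(self, now: float, seq: int, one_way_ms: float) -> None:
        self.samples.append((seq, one_way_ms))
        self.last_rx = now

    def loss_pct(self) -> float:
        """Loss inferred from gaps in the sequence numbers seen in the window."""
        if len(self.samples) < 2:
            return 0.0
        seqs = [s for s, _ in self.samples]
        expected = max(seqs) - min(seqs) + 1
        return 100.0 * (expected - len(seqs)) / expected

    def latency_ms(self) -> float:
        if not self.samples:
            return float("inf")
        return sum(t for _, t in self.samples) / len(self.samples)

    def jitter_ms(self) -> float:
        """Mean absolute change between consecutive one-way times."""
        times = [t for _, t in self.samples]
        if len(times) < 2:
            return 0.0
        return sum(abs(a - b) for a, b in zip(times, times[1:])) / (len(times) - 1)

    def state(self, now: float) -> str:
        if self.last_rx is None or now - self.last_rx > DEAD_AFTER_S:
            return "Dead"
        if (self.loss_pct() > MAX_LOSS_PCT or self.latency_ms() > MAX_LATENCY_MS
                or self.jitter_ms() > MAX_JITTER_MS):
            return "Bad"
        return "Good"


def choose_path(paths: Sequence[PathMonitor], now: float) -> Optional[str]:
    """Lowest-latency Good path first; a Bad path only when no Good path exists;
    never a Dead path."""
    ranked = sorted(paths, key=lambda p: p.latency_ms())
    for wanted in ("Good", "Bad"):
        for p in ranked:
            if p.state(now) == wanted:
                return p.name
    return None


def demo() -> dict:
    """Constructed samples: clean MPLS, an Internet path losing every other packet,
    and a 4G/LTE path that goes silent after t = 0.5 s."""
    mpls, inet, lte = PathMonitor("MPLS"), PathMonitor("INET"), PathMonitor("4G/LTE")
    for i in range(1, 11):
        mpls.receive(0.1 * i, i, 20.0)        # 10 of 10 arrive, 20 ms one-way
        inet.receive(0.1 * i, 2 * i, 30.0)    # only even sequence numbers arrive
    for i in range(1, 6):
        lte.receive(0.1 * i, i, 60.0)         # last packet at t = 0.5 s
    paths = [mpls, inet, lte]
    return {
        "t1.0": (mpls.state(1.0), inet.state(1.0), lte.state(1.0), choose_path(paths, 1.0)),
        "t2.5": (mpls.state(2.5), inet.state(2.5), lte.state(2.5), choose_path(paths, 2.5)),
    }
```

Because each direction is measured separately, a real deployment keeps two of these monitors per WAN link, and the branch may legitimately report a Good state toward the head-end while the head-end reports Bad toward the branch.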
Key Notes:
• Before you download the software, you must obtain and register a Citrix SD-WAN software license.
Additional Resources:
sites.
Key Notes:
• Upgrading to the 9.3 release is a multi-step process. Virtual WAN software is upgraded centrally
Additional Resources:
• This upgrade procedure for software release 10.0 assumes that virtual paths are not established between the MCN and the branches. Upgrade to 10.0 Without Virtual WAN Configuration: https://docs.citrix.com/en-us/netscaler-sd-wan/10/updating-upgrading/upgrade-new-appliance.html
Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.
Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.
4. After accepting the license agreement, you are navigated to Appliance Staging, where appliances can be staged by clicking on Stage Appliances.
Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.
5. Transfer Progress status is displayed as part of preparing and staging the software packages to the appliances.
Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.
Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.
Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.
Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.
Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.
10. After completion of the 180 s activation countdown, click Done, which becomes enabled.
Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.
Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.
12. Click Stage Appliances once the upload process is successful; the relevant models that would be upgraded are displayed, based on the configuration file, which has information about each branch platform model. A license agreement pop-up page is displayed for the user.
Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.
Upgrade to 9.3 with Working Virtual WAN
13. After accepting the license agreement, you are navigated to the Appliance Staging page, which shows the status of the package at 100%.
Key Notes:
• This slide is hidden from the in class presentation and added for additional student reference.
page where you can click on the Activate Staged button to activate the staged software.
Key Notes:
es
• This slide is hidden from the in class presentation and added for additional student reference.
al
e
or
d is
t rib
ut
io
n
---
..
with Working
---
.... ....
st.,1
...
Step 1 St-, 2
CiTR!X
rr
Key Notes:
es
• This slide is hidden from the in class presentation and added for additional student reference.
al
e
or
d is
t rib
ut
io
n
"'---
'°""'.nt,Oo'f,D-
0-.-,,...,......
~~:!a.:1::ui\4o"--C111-...--......,.1~
e
e
•
t?
t?
t?
Virtual WAN
~,._·-""~=--.---~u--=
1,0.W4.~C.,,U.(.r..•,cQ1:
.)11-05.;•••• t?
~1-0S-:1an.::,xQ-.~--•u-,--........-u.-- e (?
IIOSot!rre 1---
software other than non-SDWAN Edit Sdwto.iltnc Info Few S..ectlfd Snn •
UNt: Days ~
be attempted every day
N
CiTR!X
rr
Key Notes:
es
• This slide is hidden from the in class presentation and added for additional student reference.
al
e
or
d is
t rib
ut
io
n
18. For detailed information
• Time: local time of the appliance where the installation should begin once the files are received. Valid format is HH:MM:SS.
• Maintenance Window: The period of time given by the user for installation. If 0 is provided, installation will start immediately once the files are received on the appliance, irrespective of the values under the date and time fields.
Prerequisites
1. Have a valid SD-WAN license.
Key Notes:
• All SD-WAN appliance models in a Virtual WAN environment are required to be running the
• The NetScaler SD-WAN Management Web Interface is supported on the following browsers:
• Supported browsers must have cookies enabled, and JavaScript installed and enabled.
Additional Resources:
us/netscaler-sd-wan/9-3/updating-upgrading/upgrade-with-vw-configuration.html
With Working Virtual WAN
If your master control node appliance is running 9.3.x or newer
Key Notes:
• If your appliance is already running release version 10.0 and you are upgrading the appliance to the next build version, uploading the single step upgrade (.zip) package file will display only the MCN software unless you click on the Verify or Stage Appliances change management options.
Additional Resources:
• Convert SD-WAN 1000 / 2000 WANOP Appliances to Enterprise Edition With USB: https://docs.citrix.com/en-us/netscaler-sd-wan/9-3/updating-upgrading/convert-usb-wanop-1000-2000-to-enterprise-edition.html
• us/netscaler-sd-wan/9-3/updating-upgrading/convert-platform-standard-edition-to-enterprise-edition.html
Key Notes:
• The various states of software package configuration displayed in the summary table indicate the following:
• Preparing - local processing to prepare the update package for transfer to the appliance.
• Preparing Region Pkgs - local processing to prepare the update package for transfer to the RCN.
network).
• Cancelled - cancelled by the user when 'Ignore Incomplete' was checked during Stage Appliances
• Not Needed - the prepared staged package does not include this site-appliance name.
• Not Connected - local cannot see the remote's active package information
If your master control node appliance is running 9.3.x or newer, proceed with the following steps:
Upgrading to 10.0 scheduling information.
With Working Virtual WAN: Scheduling Information
Key Notes:
• Yellow circle: Change Management has not been done. No action is required.
• Red cross mark: An error has occurred during installation of OS components. Please try Change Management once again; if the problem persists, please contact tech support.
• Orange dotted circle: Files are being transferred to the appliance.
Lesson Objective Review
a) Software
b) Configuration
c) WAN Links defined for each site
d) Virtual IP address that reside at each site
e) All of the above
Key Notes:
• The Optional Self Study exercises are added to allow students to continue the hands-on experience outside of class time. You are given 30 days of access to the lab environment and can go in at any time and complete these labs.
CNS-200W
Version: 1.3
Key Notes:
• NetScaler SD-WAN supports enabling metered links, which can be configured such that user traffic is only transmitted on a specific Internet WAN Link when all other available WAN Links are disabled.
• Metered links conserve bandwidth on links that are billed based on usage. With metered links you can configure a link as the Last Resort link, which disallows the usage of the link until all other non-metered links are down or degraded. Set Last Resort is typically enabled when there are three WAN Links to a site (i.e. MPLS, Broadband Internet, 4G/LTE) and one of the WAN links is 4G/LTE and may be too costly for a business to allow usage unless it is absolutely necessary.
support a variety of application delivery strategies, and allows them to select technologies based on what works best for their environment, now and to plan for the future. For instance, enterprises with bandwidth-intensive, business-critical applications now more than ever require the use of intelligent routing capabilities to channel traffic through all available WAN links, ultimately to optimize cost, but at the same time they have to proactively conserve bandwidth on those links, especially when they are highly billed. This is where NetScaler SD-WAN 9.0 introduces Metered Links. Metered Links is applicable only for the Standard Edition and Enterprise Edition appliances.
• The metered links feature provides businesses with a logical approach to conserve bandwidth on links that are billed based on usage. The feature lowers its path assessment frequency, and provides the ability to send an email alert on meeting/exceeding user-defined byte usage count thresholds. Links defined as metered also have a Link of Last Resort feature which disallows usage of the link unless all other non-metered links are in a down or degraded state.
Figure: Metered Links slide (Core, Hosts, Router; Metered Links: Data Cap for Billing Cycle)
Key Notes:
• Each WAN link has a Metered Links feature that can optionally be enabled.
• When enabled, the admin must provide a Data Cap in MB, Billing Cycle, and Starting Date specific to the agreement with the 4G/LTE service provider. This information is used to provide alerting when the data usage nears the defined cap. Alerting is triggered if the threshold is reached.
• When the metered links feature is enabled, the SD-WAN will sparingly check the health of that path. Specifically, the health check is lowered from once every 50ms down to once every second. This significantly reduces the amount of data on the wire from 14kbps down to 0.4kbps. In a day timeframe that is roughly 50 Meg of WAN Path health check reduced down to 1 Meg.
• With Metered Links NetScaler SD-WAN can be configured such that user traffic is only transmitted on a specific WAN Link when all other available WAN Links are disabled, effectively configuring this link as the Last Resort link, which disallows the usage of the link until all other non-metered links are down or degraded. The Metered Links Last Resort Link is typically enabled when there are three or more WAN Links available at a site and one of the WAN links is 4G/LTE, which may be too costly for a business to allow usage unless it is absolutely necessary.
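The Last Resort rule and the Data Cap alerting described in the notes above, modelled as an added example (this is not Citrix code; the class and function names, the 80% alert threshold, the 30-day cycle length and the usage numbers are assumptions constructed for the illustration):

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

GOOD, DEGRADED, DOWN = "GOOD", "DEGRADED", "DOWN"


@dataclass
class WanLink:
    """One WAN link at a site. Field names are this example's own, not SD-WAN's."""
    name: str
    state: str = GOOD
    metered: bool = False               # Metered Links enabled on this link
    last_resort: bool = False           # Set Last Resort (only meaningful if metered)
    data_cap_mb: Optional[int] = None   # Data Cap per billing cycle, in MB
    cycle_start: Optional[date] = None  # Starting Date of the billing cycle
    used_mb: int = 0                    # usage so far; a constructed counter


def last_resort_unlocked(links: List[WanLink]) -> bool:
    """The Last Resort condition: every non-metered link is DOWN or DEGRADED."""
    return all(l.state in (DOWN, DEGRADED) for l in links if not l.metered)


def eligible_links(links: List[WanLink]) -> List[str]:
    """Names of the WAN links user traffic may currently be sent over.

    Assumed rule set, modelled on the notes rather than on the product code:
      * a DOWN link is never eligible;
      * a non-metered link, or a metered link without Last Resort, is eligible
        whenever it is not DOWN;
      * a Last Resort link is eligible only while every non-metered link is
        DOWN or DEGRADED.
    """
    unlocked = last_resort_unlocked(links)
    return [l.name for l in links
            if l.state != DOWN and (unlocked or not l.last_resort)]


def cap_status(link: WanLink, today: date, alert_pct: int = 80,
               cycle_days: int = 30) -> dict:
    """Compare a metered link's usage with its Data Cap.

    Returns the share of the cap already used, a straight-line projection to
    the end of the cycle, and whether the alert threshold has been reached.
    alert_pct and cycle_days are assumptions for this example; in the product
    the Billing Cycle and Starting Date come from the provider agreement.
    """
    if not (link.metered and link.data_cap_mb and link.cycle_start):
        raise ValueError(f"{link.name}: metered link parameters not configured")
    day_in_cycle = max(1, (today - link.cycle_start).days + 1)
    pct_used = 100.0 * link.used_mb / link.data_cap_mb
    projected_mb = link.used_mb / day_in_cycle * cycle_days
    return {
        "link": link.name,
        "pct_used": round(pct_used, 1),
        "projected_mb": round(projected_mb),
        "alert": pct_used >= alert_pct,
    }


def demo() -> Tuple[List[str], List[str], List[str], dict]:
    """Constructed three-link site: MPLS, broadband, and a metered 4G/LTE link."""
    lte = WanLink("4G-LTE", GOOD, metered=True, last_resort=True,
                  data_cap_mb=5000, cycle_start=date(2018, 6, 1), used_mb=4200)
    mpls, broadband = WanLink("MPLS", GOOD), WanLink("Broadband", GOOD)
    links = [mpls, broadband, lte]

    normal = eligible_links(links)          # LTE held back: ['MPLS', 'Broadband']
    mpls.state, broadband.state = DOWN, DEGRADED
    failover = eligible_links(links)        # LTE unlocked: ['Broadband', '4G-LTE']
    broadband.state = DOWN
    blackout = eligible_links(links)        # only the Last Resort link: ['4G-LTE']
    status = cap_status(lte, today=date(2018, 6, 15))   # 84% of cap used: alert
    return normal, failover, blackout, status


if __name__ == "__main__":
    for item in demo():
        print(item)
```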
Figure: MPLS Queues on NetScaler SD-WAN, mapped to the DSCP classes af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs2, cs3, cs4, cs5, cs6, cs7 and ef
Key Notes:
• Financial institutions, especially banks, along with retailers are believed to be at the forefront of SD-WAN adoption, largely in part because of their collective need to support huge numbers of branch offices and the complexity and reliance on costly MPLS WAN links and their SLAs. Many of them have MPLS Queues implemented as part of their legacy WAN architecture to
• SD-WAN can be easily incorporated into these existing environments that are dependent on MPLS queues and believe that they need to stay intact, with SD-WAN onboard path delivery intelligence, WAN link monitoring and application Quality of Service. SD-WAN 9.0 introduced the WAN link MPLS Queues integration feature for the purpose of simplifying the SD-WAN configuration when adding a Multiprotocol Label Switching (MPLS) WAN link that has MPLS queues implemented. The creation of WAN links with added configuration to separate a WAN link's queues is a feature designed for Standard Edition and Enterprise Edition appliances, although the WANOP Edition SD-WAN also has the ability to filter and tag on DSCP to better interoperate with the underlay network.
Figure: Remote SD-WAN-SE to Data Center or Cloud SD-WAN-SE over an MPLS link with a Bulk queue at 70%
Key Notes:
• For most deployments SD-WAN's path delivery intelligence and link monitoring capability eliminates the need for MPLS queues, because it has intelligent path monitoring ability that immediately detects packet loss, where MPLS queues do not and can easily drop packets in times of over-utilization. However, for deployments that require MPLS Queues to not be impacted, this feature allows SD-WAN to sit harmoniously in that environment and add additional
• The feature of identifying a WAN link on SD-WAN as Private MPLS enables SD-WAN to associate Virtual Path UDP traffic with DSCP markings to match up with the underlay MPLS provider's queues.
• The bandwidth for the single Private MPLS WAN link is split up amongst the available queues, as SD-WAN is configured to match the existing MPLS Queues configuration.
• For example, if the underlay network has 30% allocated for the EF queue for VoIP traffic, and the remaining 70% allocated for the Bulk Queue, SD-WAN can be
• SD-WAN WAN link creation involves configuring the physical line rate of the MPLS link, plus sub-configuration of the MPLS QoS Queues; based on the percentage of each queue, SD-WAN gets configured with the appropriate permitted rate per queue.
• Additional configuration is available on Eligibility of Classes of Service for the individual MPLS Queues. Eligibility biases a WAN link queue against being used as a path for the set class of service. This bias does not eliminate the usage of the path fully, and allows the path to be used by any class if no other path is available.
• SD-WAN then monitors each queue and treats each as yet another path that can be utilized for the overlay transport.
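The queue rate split, the DSCP association and the eligibility bias from the notes above, worked through as an added example (not Citrix code; the data model, the 10 Mbps line rate and the DSCP chosen for the Bulk queue are constructed assumptions):

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class MplsQueue:
    """One MPLS provider queue as SD-WAN would model it (names are this example's)."""
    name: str                 # e.g. "EF" or "Bulk"
    dscp: str                 # DSCP marking the provider keys this queue on
    percent: int              # share of the physical line rate given to this queue
    ineligible: Set[str] = field(default_factory=set)  # classes biased away from it
    up: bool = True           # SD-WAN monitors each queue as a path of its own


def permitted_rates(line_rate_kbps: int, queues: List[MplsQueue]) -> Dict[str, int]:
    """Split the physical line rate into a permitted rate per queue.

    The percentages must cover the whole link; otherwise some queue would be
    over- or under-provisioned relative to the provider's shaping.
    """
    total = sum(q.percent for q in queues)
    if total != 100:
        raise ValueError(f"queue percentages sum to {total}, expected 100")
    return {q.name: line_rate_kbps * q.percent // 100 for q in queues}


def pick_queue(cos: str, queues: List[MplsQueue]) -> Optional[MplsQueue]:
    """Choose the queue (path) that carries a class of service.

    Eligibility is a bias, not an exclusion: a queue on which the class is
    ineligible is skipped while any other queue is up, but is used as the
    fallback when nothing else is available. Returns None if every queue is down.
    """
    up = [q for q in queues if q.up]
    preferred = [q for q in up if cos not in q.ineligible]
    if preferred:
        return preferred[0]
    return up[0] if up else None


def tag_packet(cos: str, queues: List[MplsQueue]) -> Optional[str]:
    """DSCP marking to put on the Virtual Path UDP packet for this class."""
    q = pick_queue(cos, queues)
    return q.dscp if q else None


def demo() -> dict:
    """Constructed 10 Mbps Private MPLS link: 30% EF for VoIP, 70% Bulk for the rest."""
    queues = [
        MplsQueue("EF", dscp="ef", percent=30, ineligible={"bulk"}),
        MplsQueue("Bulk", dscp="af13", percent=70, ineligible={"realtime"}),
    ]
    rates = permitted_rates(10_000, queues)           # {'EF': 3000, 'Bulk': 7000}
    voice_marking = tag_packet("realtime", queues)    # 'ef'
    bulk_marking = tag_packet("bulk", queues)         # 'af13'
    queues[0].up = False                              # the EF queue path goes down
    voice_fallback = tag_packet("realtime", queues)   # bias yields to availability: 'af13'
    return {"rates": rates, "voice": voice_marking, "bulk": bulk_marking,
            "voice_fallback": voice_fallback}


if __name__ == "__main__":
    print(demo())
```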
Key Notes:
• NetScaler SD-WAN 9.0 introduced IPsec data encryption across the Virtual Path, with the ability to terminate IPsec tunnels with third-party VPN devices on either the LAN or WAN side. You can secure site-to-site IPsec tunnels terminating on an SD-WAN appliance by using a 140-2 Level 1 FIPS certified IPsec cryptographic binary.
• SD-WAN also supports resilient IPsec tunneling using a differentiating tunneling mechanism, which protects from tunnel reestablishment even when an individual path goes down within the Virtual Path.
Figure: IPsec over the Virtual Path between the Remote SD-WAN-SE and the Data Center or Cloud SD-WAN-SE, with a VPN endpoint on each side
Key Notes:
• IKEv2
• IPsec is an enterprise-grade, standards-based encryption protocol, with the capability of using multiple types of encryption algorithms as well as multiple algorithms to ensure data integrity. IKEv2 is used for initial key negotiation and Security Association (SA) establishment between
• SD-WAN provides a differentiated Virtual Path tunneling mechanism (patent pending) that prevents the need for IPsec tunnel re-initiation even in the event of WAN Path failure. The IPsec tunnel stays up as long as one WAN Link is up and functioning.
• The VPN tunnel is established before the Virtual Path, so any path fluctuations within the Virtual Path Service do not affect the IPsec tunnel; more specifically, the sessions don't need to reconnect and reestablish the tunnel because it stays up and connected.
• IPsec Encryption on SD-WAN intelligently differentiates between a trusted link and an untrusted link, on which it then forces encryption. IPsec supports AES-128 bit, AES-256 bit and a 140-2 Level 1 FIPS certified IPsec cryptographic binary.
• SD-WAN interfaces that are not protected by a firewall and are facing the public Internet are recommended to be configured as untrusted links, which forces encryption to be enabled on that WAN link. The Data Sheet specs for each appliance outline performance numbers with AES-128 bit encryption enabled. Keep in mind that enabling more advanced levels of encryption impacts
231 © 2018 Citrix Authorized Content CITRIX
Lesson Objective Review
True or False?
If a Virtual Path consists of four WAN paths, and three out of the four paths encounter blackout, the IPsec tunnel will automatically reestablish the IPsec negotiation, causing user session reconnects.
Correct Answer: False
Key Notes:
• Enterprises are constantly looking for strategies to be more efficient and have more tailored control over performance in both upstream and downstream paths. This is especially challenging for WAN links that are prone to poor connectivity. Path state sensitivity control is a feature introduced in NetScaler SD-WAN 9.0, applicable only to the Standard Edition and Enterprise Edition appliances, that provides enterprises with a mechanism to adjust the Virtual Path
Figure: DEAD and GOOD Path States between the Remote SD-WAN-SE and the Data Center or Cloud SD-WAN-SE
Key Notes:
es
• The path state sensitivity control becomes useful when dealing with links that are known to be of
poor quality and expected to have high loss. The SD-WAN solution is fined tuned to quickly
d
determine condition changes of a path and to adapt accordingly to protect application delivery
is
and performance. Prior to this feature, lossy links would be dropped automatically by the SD-
t
• In some cases, with remote sites, WAN link instability is not avoidable and for SD-WAN to be
ut
less sensitive to those poor-quality links this feature was added to provide granular control over
io
Key Notes:
• To enable path state sensitivity control, navigate to the Global section in the Configuration Editor. Here you will encounter the following options for sensitivity control on SD-WAN path state monitoring.
• Bad Loss Sensitive is enabled by default, which allows the system to mark Paths as BAD due to high loss; a BAD path incurs a Path scoring penalty when compared to other paths. There is an option to disable Bad Loss Sensitive, which may be useful when a WAN Link is inherently of poor quality and high packet loss is expected, allowing the system to continue using the WAN Path even in high loss conditions (i.e. skip the BAD state). The last option is Custom, a new 9.0 feature which allows granular path state sensitivity control.
Figure: SD-WAN Path State Sensitivity settings in the Configuration Editor (IP DSCP Tagging, Silence Period, DEFAULT), where the Custom option allows you to specify the percentage of loss over time required to mark a Path BAD
Key Notes:
• Silence Period: Specify the silence duration before a Path state transitions from GOOD to BAD.
• Instability Sensitive: If enabled, latency penalties due to the Path being in a BAD state and
• With the Custom option selected, users can further control the sensitivity with the BAD state %
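A small path state monitor that plays the three Bad Loss Sensitive settings (default, disabled, Custom) and the Silence Period against constructed probe traces, added here as an example and not taken from Citrix code. The probe interval (1 s), the built-in loss threshold, the window length and the timeout that moves a silent path to DEAD are all assumptions; the notes do not give the product's values.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, List

GOOD, BAD, DEAD = "GOOD", "BAD", "DEAD"

# Threshold used when Bad Loss Sensitive is left at its default. The notes do
# not state the product's built-in value, so this is an assumed placeholder.
ASSUMED_DEFAULT_LOSS_PCT = 20.0


@dataclass
class Sensitivity:
    """Path state sensitivity settings (this example's names, not the product's)."""
    mode: str = "default"        # "default", "disabled" (Bad Loss Sensitive off) or "custom"
    loss_pct: float = 20.0       # custom: % of probes lost over the window that marks BAD
    window_s: int = 10           # custom: length of the loss window, in probe intervals
    silence_period_s: int = 3    # Silence Period: quiet this long moves GOOD -> BAD
    dead_after_s: int = 6        # assumed: quiet this long moves the path to DEAD


class PathMonitor:
    """Tracks one Virtual Path member from a stream of probe results."""

    def __init__(self, cfg: Sensitivity) -> None:
        self.cfg = cfg
        self.state = GOOD
        self.silence = 0                       # consecutive intervals with no probe heard
        self.window: Deque[int] = deque(maxlen=cfg.window_s)  # 1 = lost, 0 = received

    def loss_exceeds_threshold(self) -> bool:
        """Loss-based BAD condition; never true with Bad Loss Sensitive disabled."""
        if self.cfg.mode == "disabled" or not self.window:
            return False
        threshold = (self.cfg.loss_pct if self.cfg.mode == "custom"
                     else ASSUMED_DEFAULT_LOSS_PCT)
        return 100.0 * sum(self.window) / len(self.window) >= threshold

    def observe(self, lost: bool) -> str:
        """Feed one probe interval (assumed 1 s) and return the resulting state."""
        self.window.append(1 if lost else 0)
        self.silence = self.silence + 1 if lost else 0
        if self.silence >= self.cfg.dead_after_s:
            self.state = DEAD                  # nothing heard for too long: path gone
        elif self.silence >= self.cfg.silence_period_s:
            self.state = BAD                   # Silence Period expired
        elif self.loss_exceeds_threshold():
            self.state = BAD                   # scattered loss above the threshold
        else:
            self.state = GOOD
        return self.state


def run(cfg: Sensitivity, probes: List[int]) -> List[str]:
    """State after each probe interval; probes are 1 for lost, 0 for received."""
    mon = PathMonitor(cfg)
    return [mon.observe(bool(p)) for p in probes]


# Constructed probe traces, one entry per second.
SCATTERED_LOSS = [0, 0, 1, 0, 0, 1, 0, 0, 1, 0]   # ~30% loss, never two in a row
BLACKOUT = [0, 0, 0, 1, 1, 1, 1, 1, 1, 1]         # link goes quiet from t=4 on

if __name__ == "__main__":
    for label, cfg in [("default", Sensitivity()),
                       ("disabled", Sensitivity(mode="disabled")),
                       ("custom 50%", Sensitivity(mode="custom", loss_pct=50.0))]:
        print(f"{label:>10}: scattered={run(cfg, SCATTERED_LOSS)[-1]} "
              f"blackout={run(cfg, BLACKOUT)}")
```

With the defaults, scattered 30% loss marks the path BAD; with Bad Loss Sensitive disabled or a Custom 50% threshold the same trace stays GOOD, while a real blackout still reaches BAD through the Silence Period and then DEAD in every mode.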
CNS-200W
Version: 1.3
Key Notes:
• One of the most important features added with the NetScaler SD-WAN 9.1 release was route learning, or dynamic routing. NetScaler SD-WAN Standard and Enterprise Edition appliances have the ability to discover LAN subnets and advertise Virtual Path routes using the BGP and OSPF routing protocols. This interoperability with the underlay network's routing protocols allows SD-WAN to be seamlessly deployed in an existing environment without the need for
• Route learning further allows consolidation of hardware requirements for the branch by taking
Figure: Core, SD-WAN-CE, Hosts
Key Notes:
• SD-WAN Standard Edition and Enterprise Edition support popular routing protocols like OSPF, iBGP and eBGP, and use those protocols to facilitate advertising SD-WAN routes to the underlay
configuration, where previously static subnet definition for each site was mandatory.
Figure: Dynamic Routing with OSPF/BGP between the CE Router and SD-WAN-CE (Core, Hosts): LAN Route Learning, and WAN Route advertising to partner and non-partner sites
Key Notes:
• SD-WAN appliances perform route discovery of layer 3 routing advertisements within a local underlay network for each desired routing protocol (OSPF and BGP).
• In the Configuration Editor, when building the site, you are no longer required to identify what subnets reside at that branch.
• On the WAN side, SD-WAN can advertise existing routes, plus learned routes, to other SD-
• A NetScaler SD-WAN appliance can have an AREA defined as a STUB area, limiting the learning of Type 5 AS-external LSAs. SD-WAN appliances can advertise the locally learned dynamic routes to the head-end MCN SD-WAN. The MCN can then relay these routes to other SD-WAN appliances in the network. This dynamic exchange of information allows
• With the latest release, SD-WAN can now advertise routes as intra-area routes (LSA Type 1) to get higher preference as per its route cost using the OSPF path selection algorithm. The route cost can be configured and advertised to the neighbor router. This allows for deploying SD-WAN appliances in Virtual Inline mode
Key Notes:
• NetScaler SD-WAN 9.1 introduced Routing Domains, also known as Virtual Routing and
al
Forward (VRF) capability that allows multiple instances of a routing table to exist in the SD-WAN
e
overlay network and work simultaneously. Allowing for network segmentation and policy
separation without the need of multiple devices.
Figure: Routing Domains between the Remote SD-WAN-SE and the SD-WAN-SE
Key Notes:
• Routing domains enable distant networks that can only share traffic using external routing, and
• Routing domains are useful for physically distinct networks using a shared overlay, such as service provider customers.
• Routing domains can also be used to isolate networks where any shared traffic is potentially a security violation.
• Some example use cases would be Guest Wi-Fi Internet backhaul versus Corporate traffic.
Figure: Remote SD-WAN-SE to Data Center or Cloud SD-WAN-SE
Key Notes:
• NetScaler SD-WAN 9.1 introduced the ability to secure traffic and enforce policies using third-party Secure Web Gateway solutions. For most deployments, Citrix recommends backhauling branch Internet traffic to the corporate data center using the Virtual Path, and allowing the data center's hardened security policies and filters to protect the network. For some customers this backhaul of traffic is expensive and is taxing on the head-end appliances and WAN links. It also typically results in a poor user experience, because the process adds latency and there still
However, the cost and complexity increase as you install multiple appliances to maintain consistent policies across the sites. And if you have a large number of branch offices, it becomes impractical to manage costs.
• For some customers, the ideal solution to enforce security without adding cost, complexity, or latency is to route all branch Internet traffic from the NetScaler SD-WAN appliance to a Secure Web Gateway solution, and allow that cloud service to provide the policing and filtering for Internet traffic.
Figure: Remote SD-WAN-SE and Data Center or Cloud SD-WAN-SE with a Secure Web Gateway. Benefits: reduced cost in management of individual appliances; improved end-user experience. Limitation: only supports a single WAN Link Internet Service.
Key Notes:
• With the addition of Secure Web Gateway integration to your NetScaler SD-WAN network, an admin can create granular security policies. The same policies can be applied globally and consistently across all sites that perform this operation of sending Internet traffic to the Secure Web Gateway.
• With this service hosted in the cloud, coupled with SD-WAN providing secure, reliable network delivery, there is significant cost saving in hardware and management to make sure your network is protected, not to mention improved end-user experience with reduced latency
• For sites that do not have Internet WAN Links, flexibility is provided so that those sites can utilize the Virtual Path and be configured to have the Internet traffic backhauled to partner sites to make use of the Secure Web Gateway integration.
• With the 9.1 release, only GRE traffic forwarding is supported; IPsec capability is not supported. There is also a limitation on the number of Routing Domains that can be used: only one is supported. Also, with Secure Web Gateway, only a single WAN link is configurable for Internet Service.
Figure: IPsec Tunnel Termination between the Remote SD-WAN-SE and the SD-WAN-SE in front of Apps and Servers
Key Notes:
• NetScaler SD-WAN 9.1's IPsec Tunnel Termination enables third-party devices to terminate IPsec VPN tunnels on the LAN or WAN side of a Standard or Enterprise Edition appliance.
• The same IPsec tunnel can be used to terminate VPN tunnels between two SD-WAN Standard or Enterprise appliances.
• One of the unique capabilities of terminating the VPN tunnels using a pair of SD-WAN appliances is the added resiliency of that VPN tunnel. Since the tunnel is established before the path delivery engine is utilized, any unstable condition of the available paths does not impact the IPsec tunnel, meaning any given WAN link can fail or degrade and partner SD-WAN devices will continue delivery using the same VPN tunnel. No renegotiation or dropped connection will be experienced by the end user. This provides a differentiating capability for the NetScaler SD-WAN solution, supporting resilient IPsec tunneling using a virtualized wide area network.
Figure: Remote or Data Center SD-WAN-SE, Apps and Servers
IPsec Tunnel Termination
• 140-2 Level 1 FIPS certified cryptographic binary
• IKEv1
o Encapsulation types: ESP, AH, or ESP+AH
o Encryption Modes: AES 128, or 256-bit
o Hash Algorithm: SHA1 or SHA-256
• IKEv2
Key Notes:
• SD-WAN utilizing a Federal Information Processing Standard 140-2 Level 1 cryptographic binary
a global parameter that can be picked up by any of the SD-WAN sites. Additional IKEv2 settings are available for Peer Authentication, Peer Pre-Shared Keys and Integrity Algorithm.
Key Notes:
• NetScaler SD-WAN 9.1 introduced the ability to use Standard or Enterprise Edition appliances as either a DHCP Server or a DHCP Relay agent, giving SD-WAN another feature to further
• And with DHCP Relay, SD-WAN can forward DHCP packets between clients and servers
• The above two mentioned features in the 9.1 release are purposely built to be used with the management interface of SD-WAN. In a later release this capability will also be introduced
feature. The feature was purposely built for the data interfaces and can aid in simpler
Figure: Core, Mgmt: DHCP Server, DHCP Clients
DHCP Server: Configuration > Network Interface (form with DHCP Server status, Domain Name, Start IP Address and End IP Address fields)
• Consolidates branch hardware requirements
• Assign IP addresses for hosts using DHCP through
Limitations with release 9.1: DHCP Server supports only IP Pool based address assignment
Key Notes:
• The DHCP Server feature was introduced to help further consolidate branch hardware requirements. This feature also helps in simplifying the configuration of an SD-WAN enabled site. In the 9.1 release the DHCP Server is available through the management interface only, but in a later release this capability will be accessible through the data interfaces as well.
• The SD-WAN DHCP Server can issue IP addresses to hosts using DHCP. SD-WAN can be configured to assign additional parameters such as the Domain Name System (DNS) server, but this is optional. Through DHCP, the clients will also get assigned their default gateway. The feature
• The DHCP Server feature accepts broadcasts from locally attached LAN segments. SD-WAN will issue IP addresses from the management interface, which therefore requires the management interface to
Figure: Core SD-WAN, Mgmt: DHCP Relay, DHCP Clients
Key Notes:
• The DHCP Relay Agent feature acts as a host or router that forwards DHCP packets between clients and servers. Network admins can use the DHCP Relay service on the management port of the SD-WAN (Standard or Enterprise Edition) appliances to relay requests and replies between local DHCP Clients and a remote DHCP Server. This allows local hosts to acquire
• can help forward DHCP packets between clients and servers where the server and clients are in different subnets. The Relay feature receives DHCP messages and generates a new DHCP
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
SD-WAN Zero Touch Deployment
Key Notes:
• Zero Touch Deployment (ZTD) Cloud Service is a Citrix operated and managed cloud-based service which allows discovery of new appliances in the NetScaler SD-WAN network, primarily focused on streamlining the deployment process for NetScaler SD-WAN at remote or branch office locations. The ZTD Cloud Service is publicly accessible from any point in a network via public Internet access. The ZTD Cloud Service is accessed over Secure Socket Layer (SSL) Protocol.
• The ZTD Cloud Service securely communicates with backend Citrix services hosting stored identification of Citrix customers who have purchased Zero Touch capable appliances (e.g. NetScaler SD-WAN 410-SE, 2100-SE). The backend services are in place to authenticate any Zero Touch Deployment request, properly validating the association between the Customer Account and the Serial Numbers of NetScaler SD-WAN appliances.
• The Zero Touch Deployment Service works in tandem with the NetScaler SD-WAN Center to
268 © 2018 Citrix Authorized Content
NetScaler SD-WAN Zero Touch Deployment Authentication
[Diagram: SD-WAN Center 9.1 with Citrix Cloud login, Zero Touch Deployment Service (Serial Number), Remote SD-WAN-SE, MCN SD-WAN-SE in the Data Center or Cloud]
Key Notes:
• The Citrix Zero Touch Service works in tandem with the NetScaler SD-WAN Center to enable easier deployment of branch office SD-WAN appliances. SD-WAN Center is utilized as the central management tool for SD-WAN Standard Edition and Enterprise Edition appliances.
• In order to utilize the Zero Touch Deployment Service (or ZTD service), an Admin must first deploy an SD-WAN environment utilizing the SD-WAN Center as the central point of management.
• In most cases, in addition to the head-end SD-WAN appliance, typically one or two remote sites are also deployed to prove the technology. It is recommended that SD-WAN Center be used for this initial deployment, and a working SD-WAN environment be up and running before
• With SD-WAN Center Release 9.1 installed, with proper IP connectivity to the public internet, SD-WAN will automatically install an Agent that will install the necessary components to unlock Zero Touch Deployment capabilities.
• With the SD-WAN Center's management IP successfully able to communicate with the ZTD service, the GUI will make the Zero Touch Deployment option available under the Configuration tab.
• The login does require a Citrix Workspace Cloud account to be created. The Citrix Cloud account is important in that the account needs to be tied to the same account used to purchase the hardware. Specifically, the Citrix Customer IDs between the two need to match. This is an important authentication process, to validate that the correct authority is in place to allow appliances to join the SD-WAN environment, as well as to validate the serial numbers of the appliances that call home to use this service.
Zero Touch Deployment Service workflow
[Diagram: 1) Configuration Editor, 2) Change Management, 3) Deploy New Site, 4) Power and Cable (Remote SD-WAN-SE), 5) Config, Software, License (Data Center or Cloud)]
Key Notes:
• The SD-WAN Zero Touch workflow begins with a working SD-WAN environment. One of the first tasks involves building a new site using the Configuration Editor, either through cloning an existing site, if the new remote site is similar to an existing site, or by manually creating a unique site.
• Next the Change Management process must be used to make all the other sites aware of the new SD-WAN node about to be added.
• With the Zero Touch Deployment option available in the SD-WAN Center GUI, and the SD-WAN configuration in place for the environment to expect a new site, the Admin at this point initiates
utilizing the Configuration Editor. With the admin approving the deployment of the new site, they optionally can require that the remote Installer manually enter the serial number through an activation portal or allow the remote appliance to automatically join the network as soon as it comes online.
• The Installer is required to power and cable the appliance, and make sure the management port on the appliance has internet connectivity and DNS is assigned to the appliance through DHCP.
• As soon as the appliance boots up, there is an exchange of information between the appliance, the zero touch deployment service, and the SD-WAN Center. After an authentication process takes place to validate the serial number against the customer ID, the ZTD service will proxy the configuration specific to this site, as well as software and license, to get the appliance on the SD-WAN environment without further actions being required by the local installer.
• The end result is a remote site being introduced to the SD-WAN environment in a matter of minutes, at the same time eliminating the dependency on a local installer who is knowledgeable enough with the SD-WAN solution to help deploy correctly; now that task can be assigned to anyone who is able and willing to plug in cables.
Zero Touch Deployment Service workflow (UDP Port: 4980)
[Diagram: 1) Configuration Editor, 2) Change Management, 3) Deploy New Site, 4) Power and Cable (Remote SD-WAN-SE), 5) Config, Software, License (Data Center or Cloud); UDP Port: 4980]
Cloud Service Configuration Editor: Create New Site (Clone or manually create a unique site)
Change Management
Zero Touch Deployment: Deploy New Site
Installer powers and cables the appliance
Zero Touch Service proxies configurations, software, and licenses
Virtual Paths are established
Additional steps are required of the SD-WAN Administrator to install a permanent license file on the appliance.
Key Notes:
• After a working SD-WAN environment is up and running, registration into the Zero Touch Deployment Service is accomplished through creating a Citrix Cloud account login. With SD-WAN Center able to communicate with the ZTD service, the GUI will expose the Zero Touch Deployment options under the Configuration tab. Logging into the Zero Touch Service authenticates the Customer ID associated with the particular NetScaler SD-WAN environment and registers the SD-WAN Center, in addition to unlocking the account for further authentication
4. Applying Configuration
5. Activated
Key Notes:
• With the deployment of every new site, the zero touch service provides an activation URL to
respective stages, an error message is provided with detail as to why the failure occurred.
• Along with this, the Admin has more granular detail on the SD-WAN Center on appliances that are currently waiting on on-site activity, as well as appliances that have completed the activation
Lesson Objective Review
a) LSA Type 5
b) LSA Type 1
c) Metric Type 2
d) External Type 2
e) None of the above
Lesson Objective Review
a) 2
b) 4
c) 8
d) 16
e) None of the above
Key Notes:
• The Self-Paced Bonus Exercises are added to allow students to continue the hands-on experience outside of class time. You are given 30 days of access to the lab environment and can go in at any time and complete these labs.
CNS-200W
Version: 1.3
Learning Objectives
• Stateful Firewall
• Network Address Translation
• Management Enhancements
• Diagnostic Tools
• Platform Enhancements
Key Notes:
• NetScaler SD-WAN 9.2 for Standard and Enterprise Edition introduced an integrated SD-WAN API library that provides Deep Packet Inspection (DPI) technology for real-time classification of packets.
• Using the DPI technology, the NetScaler SD-WAN appliance analyzes the incoming packet and
• Once packets are classified, the application identifier can be used on either the rule or firewall
Classification
[Screenshot: Global > Settings with Application objects and Search]
Key Notes:
• Deep Packet Inspection (DPI) – enabling SD-WAN to put an identifier on a packet when it enters
• Statistics – enabling generated reports for applications in SD-WAN Center, which is enabled by default.
• Once DPI has the packet identifier in place, it can be used either on the SD-WAN rule or firewall
[Screenshot: Application Match Criteria with the match types IP Protocol (e.g. TCP, UDP), Application, Application Family; drop-downs for Application name and Application family]
Key Notes:
• NetScaler SD-WAN 9.2 also provides the capability to create Application Objects, which enables the ability to group different types of match criteria into a single object that can be used in firewall
  • Application
  • Application Family
[Screenshot: Search, DPI Application family: Web. Description: Office 365 is a Microsoft on-line service, with pay-as-you-go subscription (monthly or annually), giving access to many Microsoft Office applications from the internet, as well as cloud storage, Skype communications, etc. It also gives free access to the on-line version of the most popular Office applications (Word, Excel, Powerpoint).]
Key Notes:
• A search capability enables quick identification of the DPI application family name, as well as a
Key Notes:
• The NetScaler SD-WAN 9.2 application classification feature enables the application identifier to be used on either the rule or firewall filter as a match criterion to identify this type of traffic. These classifiers are also used to generate reporting capabilities with the NetScaler SD-WAN Center management tool.
[Screenshot: SD-WAN Center dashboard with Top Applications and Top Application Families; Select Site, Select Time (Last 24 Hours)]
Key Notes:
• Upgrading SD-WAN Center to release 9.2 installs the needed enhancements to display the top applications and top application families used at the different sites in your network. The report details incoming traffic, outgoing traffic and total traffic of the top applications, sites, and application families. This provides a holistic view of your network bandwidth usage.
• DPI and top application reporting is enabled by default upon upgrade to the 9.2 release.
• Deep packet inspection (DPI) enables the SD-WAN appliance to parse the traffic passing through it and identify the application and application family types. The number of bytes of incoming and outgoing traffic of every application is recorded and is stored in the SD-WAN appliance. The SD-WAN Center polls the SD-WAN appliance as per the defined polling interval,
• The SD-WAN Center dashboard displays the top applications and top application families. You can select the site and time interval (Last 24 Hours, 1 hour, or Last 5 minutes).
[Screenshot: SD-WAN Center report with Report Type Top Applications, Top Sites, Top Application Families and incoming, outgoing and total traffic per entry]
Review
Correct Answer: True
Stateful Firewall
[Diagram: Hosts, SD-WAN Firewall, Dynamic Routing]
• Device consolidation and simplicity of deployment
• Secure direct internet access at the branch
• L4-L7 Application Firewall
• Application centric Firewall policies
Key Notes:
• One of the most important features added with the NetScaler SD-WAN 9.2 release is a firewall built into the SD-WAN technology. The firewall capabilities allow policies between services and deployment at the WAN Edge. The built-in firewall also enables secure direct internet access at the
• Expect additional enhancements to this feature in later releases with further ability to rate limit
• Provide security for user traffic within the SD-WAN network (Enterprise and Service Providers)
• Using the same IP address space for multiple customers: NAT capability (Service Providers)
• Apply multiple firewalls from a global perspective (Service Providers)
• Filtering traffic flows between Zones
• Filtering traffic between services within a Zone
• Filtering traffic between services that reside in different Zones
• Filtering traffic between services at a site
• Defining Filter Policies to Allow, Deny, or Reject flows
• Tracking flow state for selected flows
• Applying Global Policy Templates
• Support for Port Address Translation for traffic to the Internet on an untrusted port, as well as port forwarding
• inbound and outbound
Global
• Default_LAN_Zone
• Internet_Zone (Trusted)
• Untrusted_Internet_Zone
• Firewall Policy Templates
Key Notes:
• Firewall policies are created at the Global configuration level. The global firewall configuration allows Admins to configure global firewall objects, including defining Zones and Firewall Policy Templates.
• Adding a stateful firewall enables implementation of consistent security policies across the SD-WAN network in consideration of enabling a direct internet access model for the branch.
• Firewall zones in the network define policies to control how traffic enters and leaves zones.
• Internet_Zone – which applies to traffic to or from the Internet services using Trusted Interfaces
[Diagram: SD-WAN-SE to SD-WAN-SE with the Destination Zone]
Key Notes:
• For example, an Admin may want to define firewall policies so that only traffic from VLAN 30 at Site A is allowed to enter (2) VLAN 10 at Site B. The administrator can assign a zone for each
• The screenshot below shows how a user would assign the "ZoneA_Intranet" zone to VLAN 10.
• The destination zone of a packet is determined based on the destination route match. When the appliance looks up the destination subnet in the route table, the packet will match a route, which has a zone assigned to it.
• Source zone
  • For Non-virtual path: it is determined through the virtual network interface the packet was received on
  • For Virtual path: it is determined through the source zone field in the packet flow header
  • For Virtual network interface: it is determined by the network interface the packet was received on at the source site
• Destination zone
  • Determined through the destination route lookup of the packet
• Routes shared with remote sites in the SD-WAN maintain information about the destination zone, including routes learned through dynamic routing protocols (BGP, OSPF). Using this mechanism, zones gain global significance in the SD-WAN network and allow end-to-end filtering within the network. The use of zones provides a network admin an efficient way to segment network traffic based on customer, business unit, or department.
• The capability of the SD-WAN firewall allows the user to filter traffic between services within a
SD-WAN Firewall Policies
[Diagram: Customer Edge Firewall Policies]
• Allow, Deny, Reject, Log
• Firewall Policy Templates (grouping of filters)
Key Notes:
• Firewall Policies provide the ability to allow, deny, reject, or log specific traffic flows. Applying these policies individually to each site would be difficult as the SD-WAN network is expected to continuously grow. To resolve this issue, groups of firewall filters can be created with a Firewall Policy Template.
• A Firewall Policy Template can be applied to all sites in the network or only to specific sites.
Template Policies. Both network-wide Pre-Appliance and Post-Appliance Template Policies are configured at the Global level. Local policies are configured at the site level under the
• Pre-Appliance Template Policies are applied before any local site policies. Local site policies are applied next, followed by Post-Appliance Template Policies. The goal is to simplify the configuration process by allowing you to apply policies while still maintaining the flexibility to apply site-specific policies.
[Screenshot: firewall policy with priority 100, Any source and destination zone, and the options Allow Fragments, Reverse Also, Match Established]
Key Notes:
• The classification of traffic as applications and application families allows you to use the application, application families and application objects as match types to filter traffic and apply firewall policies and SD-WAN rules. This applies for all Pre, Post and Local policies.
• The specific configurable attributes for a policy are displayed in this screenshot. These filters
[Screenshot: Policy Templates with Pre-Policies and Post-Policies; columns Priority, Source, Destination, Action, From, To]
Key Notes:
• Local policies are applied at the site level of each site node.
• This screenshot shows the policy template that would be applied to the SD-WAN environment at the global level. To apply the templates to the sites in the network, the templates can be called upon in the Connections tile, under the site specific Firewall > Settings > Policy Templates.
Note: Changing the Network Encryption Mode may cause Site Secure Keys to be truncated or regenerated if they do not meet the requirements of the new mode.
Key Notes:
• With firewall policy templates created, admins can use the policies to configure firewall settings for the NetScaler SD-WAN environment using the Global firewall settings.
• Global Firewall Settings can be found in the Global Virtual WAN Network Settings. These are global firewall parameters that can be applied to all the sites in the Virtual WAN environment.
• In the Global Firewall Settings section, the following options are available:
• Default Firewall Actions: select Allow to allow packets not matching the filter policy, select Drop
and ICMP flows that do not match a filter policy or NAT rule. This blocks asymmetric flow,
• You can also configure these settings at the site level. Site level settings override the global setting.
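The zone lookup rules (source zone from the ingress interface or the virtual path flow header, destination zone from the route that matches the packet), the Pre-Appliance, local, Post-Appliance evaluation order and the default action with its site-level override are easier to follow when run end to end. The following Python model is an added example for this workshop text, not Citrix code: the `ROUTES` table, the `INTERFACE_ZONES` map, the `Packet` and `Policy` fields and all addresses and policy sets are constructed assumptions, and the real appliance takes its policies from the Configuration Editor, not from Python.

```python
"""Zone-based firewall evaluation modelled on the SD-WAN description above.

Added example, not Citrix code. Route table, interface-to-zone map, policy
fields and sample addresses are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Route table: each route carries the zone of its destination (constructed sample).
ROUTES = [
    (ip_network("10.10.30.0/24"), "ZoneA_Intranet"),  # VLAN 30 at Site A
    (ip_network("10.20.10.0/24"), "ZoneB_Intranet"),  # VLAN 10 at Site B
    (ip_network("0.0.0.0/0"), "Internet_Zone"),       # default route
]

# Virtual network interface -> zone, used for packets that did not arrive over a
# virtual path (constructed sample).
INTERFACE_ZONES = {
    "vlan30": "ZoneA_Intranet",
    "vlan10": "ZoneB_Intranet",
    "wan1": "Untrusted_Internet_Zone",
}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    ingress_if: Optional[str] = None        # local interface the packet arrived on
    flow_header_zone: Optional[str] = None  # source zone carried in the virtual path flow header
    established: bool = False               # reply packet of a flow that is already tracked


@dataclass
class Policy:
    priority: int          # lower value is evaluated first
    action: str            # "Allow", "Deny" or "Reject"
    src_zone: str = "Any"
    dst_zone: str = "Any"
    proto: str = "Any"
    dport: Optional[int] = None
    match_established: bool = False


def source_zone(pkt: Packet) -> str:
    """Virtual path packets carry their zone; local packets take the interface zone."""
    if pkt.flow_header_zone is not None:
        return pkt.flow_header_zone
    return INTERFACE_ZONES[pkt.ingress_if]


def destination_zone(pkt: Packet) -> str:
    """Longest-prefix route lookup; the zone is the one attached to the matched route."""
    addr = ip_address(pkt.dst)
    candidates = [r for r in ROUTES if addr in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def matches(pol: Policy, pkt: Packet, sz: str, dz: str) -> bool:
    if pol.src_zone not in ("Any", sz) or pol.dst_zone not in ("Any", dz):
        return False
    if pol.proto not in ("Any", pkt.proto):
        return False
    if pol.dport is not None and pol.dport != pkt.dport:
        return False
    if pol.match_established and not pkt.established:
        return False
    return True


def evaluate(pkt: Packet, pre: List[Policy], local: List[Policy], post: List[Policy],
             global_default: str = "Drop",
             site_default: Optional[str] = None) -> Tuple[str, str, str, str]:
    """First match wins, in the order Pre-Appliance template, local site policies,
    Post-Appliance template. Unmatched packets get the default action, where a
    site-level default overrides the global one.
    Returns (action, stage, source_zone, destination_zone)."""
    sz, dz = source_zone(pkt), destination_zone(pkt)
    for stage, policies in (("pre", pre), ("local", local), ("post", post)):
        for pol in sorted(policies, key=lambda p: p.priority):
            if matches(pol, pkt, sz, dz):
                return pol.action, stage, sz, dz
    return (site_default or global_default), "default", sz, dz


# Constructed sample policy set for Site B.
PRE_TEMPLATE = [Policy(100, "Allow", match_established=True)]  # return traffic, network-wide
LOCAL_SITE_B = [
    Policy(100, "Allow", "ZoneA_Intranet", "ZoneB_Intranet", "TCP", 443),  # only HTTPS from VLAN 30
    Policy(200, "Deny", "ZoneA_Intranet", "ZoneB_Intranet"),               # anything else from VLAN 30
]
POST_TEMPLATE = [Policy(100, "Deny", dst_zone="Internet_Zone")]  # no direct Internet from this site


def check(pkt: Packet, site_default: Optional[str] = None) -> Tuple[str, str, str, str]:
    return evaluate(pkt, PRE_TEMPLATE, LOCAL_SITE_B, POST_TEMPLATE, "Drop", site_default)


if __name__ == "__main__":
    https = Packet("10.10.30.5", "10.20.10.8", "TCP", 443, flow_header_zone="ZoneA_Intranet")
    print(check(https))  # ('Allow', 'local', 'ZoneA_Intranet', 'ZoneB_Intranet')
```

Two points the model makes visible: a packet from VLAN 10 back towards VLAN 30 matches no local policy (the local policies are written for the ZoneA to ZoneB direction only) and therefore falls through to the default action, which is why the Default Firewall Action and the site-level override matter; and return traffic is only admitted because the Pre-Appliance template's match-established rule sits ahead of every site policy.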
Lesson Objective Review
A. Default_LAN_Zone
B. Internet_Zone
C. Untrusted_Internet_Zone
D. All of the above
Network Address Translation
[Diagram: Customer Edge SD-WAN between Hosts and the Public side]
Key Notes:
• The SD-WAN firewall allows the user to configure static NAT and dynamic NAT for different use
• At this time, the NAT capability can only be configured at the site level; there is no global configuration (templates) for NAT. All NAT policies are defined from a Source-NAT (SNAT) translation. Corresponding Destination-NAT (DNAT) rules are created automatically for the user.
Static NAT Policies
[Diagram: Private Hosts, SD-WAN NAT, Public]
Site > Firewall > Static NAT Policies
[Screenshot: Edit Static NAT Policy with Priority 100, Direction, Service Type, Service Name, Inside Zone, Inside IP Address, Outside IP Address]
Key Notes:
• Static NAT configuration allows the admin to configure one-to-one NAT, where a local IP address will match a public IP address. The admin must also define the filter policies to allow
• Priority – the order the policy will be applied within all the defined policies. Lower priority
• Direction – the direction, from the perspective of the virtual interface or service, that the translation will operate.
  • Outbound – the destination address for a packet will be translated for packets received on the service. The source address will be translated for packets
Dynamic NAT Policies
[Diagram: Private Hosts, Customer Edge / Core SD-WAN, Dynamic NAT; LAN to WAN Dynamic NAT]
Site > Firewall > Dynamic NAT Policies
[Screenshot: site tree with WAN-to-WAN Forwarding, Virtual Paths, Internet Services, Intranet Services, WAN Links, GRE Tunnels, IPsec Tunnels, Firewall (Settings, Policies, Static NAT Policies, Dynamic NAT Policies), Route Learning, Application Settings]
Key Notes:
• Dynamic NAT can be used by an Admin to forward traffic from a LAN segment to the Internet on an untrusted port. In this case, the Admin would configure the NAT in an outbound direction, as well as make sure the corresponding filter policies are defined to allow traffic back into the network. By default, once the dynamic NAT has been configured the system will add in
  • allow any IP host route, Any zone, Any source and destination.
  • allow match established rule, for reverse traffic of sessions initiated from the inside of the network
  • drop all other traffic from the source zone to the destination zone (zone specific).
• The following screenshot displays the configuration options for the dynamic NAT configuration.
• Priority – the order the policy will be applied within all the defined policies. Lower priority policies are applied before higher priority policies.
• Direction – the direction from the virtual interface or service perspective the translation will operate.
  • Outbound – the destination address for a packet will be translated for packets received on the service. The source address will be translated for packets transmitted on the service.
    • Example: LAN service to Internet service – for packets outbound (LAN to Internet) the source IP address is translated. For packets inbound or received (Internet to LAN) the destination IP address is translated.
  • Inbound – the source address for a packet will be translated for packets received on the service. The destination address will be translated for packets transmitted on the
remote IP and port. Connections from the same inside IP and port need
• Service Type – in reference to an SD-WAN service. For static NAT these include
• Service Name – the specific service name that corresponds to the defined
• Inside Zone – select the inside zone for the packets that require NAT.
requires NAT. This should be an IP address that resides in the Inside Zone.
• Allow Related – allow traffic related to the flow matching the rule. For example, ICMP redirection related to the specific flow that matched the policy, if there was some type of error related to the flow.
Dynamic NAT with Port Forwarding
• Port forward specific traffic to a defined IP address
[Screenshot: Edit Dynamic NAT Policy with Priority 100, Direction Inbound, Type Port Restricted, Service Type Internet, Service Name, Inside IP Address, Outside Zone Internet_Zone, Outside IP Address 172.58.3.20, options Allow Related, IPsec Passthrough, GRE/PPTP Passthrough, Port Parity; Port Forwarding Rules; Protocol Both; Connection State Tracking: Use Site Setting]
Key Notes:
• Dynamic NAT with port forwarding allows the admin to port forward specific traffic to a defined IP address. This is typically used for inside hosts like web servers. Once the dynamic NAT is
NAT example will map an inside IP host (172.16.187.11) to an outside IP host. Port forwarding can then be configured which will define a specific inside and outside port mapped to an inside
• Outside Port – outside port the user will port forward into the inside address.
• Inside Port – map the packet to the same, or a different, inside port.
• Fragments – allow the forwarding of fragmented packets.
• Log Interval – time in seconds between logging the number of packets matching the policy to a syslog server.
• Log Start – selected when a log file is created for a new flow.
• Log End – log the data for a flow when the flow is deleted.
• The default Log Interval value of 0 means no logging.
• Connection State Tracking – allows the firewall to track the state of a flow and display this information in the Monitor > Firewall > Connections table.
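The static NAT, dynamic NAT and port forwarding notes above all describe the same pair of rewrites (source address on packets transmitted on the service, destination address on packets received on it) plus the filter rules the system adds on its own: allow outbound, allow established reverse traffic, drop everything else. The following Python model is an added example for this workshop text, not Citrix code. The `NatEngine` class, its session table, the `inside_prefix` stand-in for the Inside Zone match, the PAT port counter and the sample site are constructed assumptions; 172.16.187.11 and 172.58.3.20 come from the text, every other address is a constructed sample value.

```python
"""Static NAT, dynamic NAT and port forwarding modelled on the SD-WAN description above.

Added example, not Citrix code. Classes, session table and sample policies are
constructed assumptions; the appliance defines NAT policies in its configuration
editor and only the described effect is reproduced here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


@dataclass
class StaticNat:
    """One-to-one translation, direction Outbound (LAN service to Internet service)."""
    priority: int
    inside_ip: str
    outside_ip: str


@dataclass
class DynamicNat:
    """Many-to-one translation of an inside zone onto the service's outside address,
    optionally with port forwarding rules (proto, outside_port) -> (inside_ip, inside_port)."""
    priority: int
    inside_prefix: str          # crude stand-in for the Inside Zone match (assumption)
    outside_ip: str
    port_forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)


class NatEngine:
    def __init__(self, static: List[StaticNat], dynamic: List[DynamicNat]) -> None:
        # Lower priority value is applied first, as the text states.
        self.static = sorted(static, key=lambda p: p.priority)
        self.dynamic = sorted(dynamic, key=lambda p: p.priority)
        # Tracked flows: (proto, outside_ip, outside_port) -> (inside_ip, inside_port)
        self.sessions: Dict[Tuple[str, str, int], Tuple[str, int]] = {}
        self.next_port = 40000  # first PAT source port handed out (constructed)

    def outbound(self, pkt: Pkt) -> Optional[Pkt]:
        """Packet transmitted on the service (LAN -> Internet): the source address is
        translated. Dynamic NAT also rewrites the source port and records the flow."""
        for pol in self.static:
            if pkt.src_ip == pol.inside_ip:
                self.sessions[(pkt.proto, pol.outside_ip, pkt.src_port)] = (pkt.src_ip, pkt.src_port)
                return Pkt(pol.outside_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        for pol in self.dynamic:
            if pkt.src_ip.startswith(pol.inside_prefix):
                port = self.next_port
                self.next_port += 1
                self.sessions[(pkt.proto, pol.outside_ip, port)] = (pkt.src_ip, pkt.src_port)
                return Pkt(pol.outside_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        return None  # no NAT policy matched: packet is not translated

    def inbound(self, pkt: Pkt) -> Optional[Pkt]:
        """Packet received on the service (Internet -> LAN): the destination address is
        translated. The order mirrors the filter rules the text says are auto-added:
        established reverse traffic, the auto-created static DNAT, then an explicit
        port forward; anything else is dropped (returns None)."""
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port)
        if key in self.sessions:                      # match established
            in_ip, in_port = self.sessions[key]
            return Pkt(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.proto)
        for pol in self.static:                       # one-to-one reverse (DNAT) rule
            if pkt.dst_ip == pol.outside_ip:
                return Pkt(pkt.src_ip, pkt.src_port, pol.inside_ip, pkt.dst_port, pkt.proto)
        for pol in self.dynamic:                      # explicit port forwarding rule
            if pkt.dst_ip == pol.outside_ip:
                fwd = pol.port_forwards.get((pkt.proto, pkt.dst_port))
                if fwd is not None:
                    return Pkt(pkt.src_ip, pkt.src_port, fwd[0], fwd[1], pkt.proto)
        return None  # unsolicited inbound traffic: dropped by the zone-specific drop rule


def build_example() -> NatEngine:
    """Constructed site: one static one-to-one NAT, and a dynamic NAT for the
    172.16.187.0/24 LAN with TCP 443 on the outside address forwarded to 172.16.187.11."""
    static = [StaticNat(100, inside_ip="172.16.187.12", outside_ip="172.58.3.21")]
    dynamic = [DynamicNat(100, inside_prefix="172.16.187.", outside_ip="172.58.3.20",
                          port_forwards={("TCP", 443): ("172.16.187.11", 8443)})]
    return NatEngine(static, dynamic)


if __name__ == "__main__":
    nat = build_example()
    out = nat.outbound(Pkt("172.16.187.50", 51000, "203.0.113.7", 443))
    print(out)
    print(nat.inbound(Pkt("203.0.113.7", 443, "172.58.3.20", out.src_port)))
    print(nat.inbound(Pkt("198.51.100.9", 5555, "172.58.3.20", 22)))  # None: dropped
```

The defender's point the model makes explicit is the difference between the two NAT types on the inbound side: the static one-to-one mapping exposes every port of the inside host to the outside, so its filter policies must be written deliberately, whereas the dynamic NAT only admits unsolicited inbound traffic on the ports listed in its port forwarding rules and drops the rest.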
Key Notes:
• In NetScaler SD-WAN 9.2, new customers with five or more basic sites configuring for the first time will save time when setting up new sites and WAN Links. With the use of templates, you can configure certain settings one time and then duplicate the settings across more than one site as required.
[Screenshot: Basic mode Sites view with the appliance list and the selected site's summary of Ethernet port modes and VLANs]
Key Notes:
• This functionality of templates is implemented in two views under the Configuration Editor in Basic Mode.
  • (1) First, the ability to create and administer WAN Link templates under the Network view
  • (2) Second, the ability to set up sites using basic options
[Screenshot: Configuration Editor Basic mode, View: Network / Sites]
Network view: WAN Link templates
Sites view: Basic site build out
[Screenshot: Filter Templates list of WAN Link Templates with upload and download speeds (Auto-learn)]
Filter capabilities
Key Notes:
The Network view's WAN Link Templates ease the process of the initial configuration build out. The WAN Link templates functionality provides a way to set up a basic configuration for WAN Links and reuse it across the network to save time. The WAN Link templates feature exists within both the Basic configuration mode and the Advanced configuration mode with minimal differences
Once a WAN Link Template is added, the detail is displayed when selected.
Providing a descriptive name for the WAN link template allows for easier search using the Filter Templates tool.
The Sites view is where the template can be used, specifically when creating a new or editing an existing WAN Link for a Site. The template allows for quicker selection of speeds as opposed to manually entering the upload and download speed.
[Screenshot: Filter Sites; appliance list with the selected site's summary: Interfaces (Ethernet Port 1 and Ethernet Port 3 with Mode and VLANs), WAN Links, Static Routes]
Key Notes:
• The Basic > Sites view simplifies the configuration creation process so that the following can be defined quickly for each site:
• Appliance
• Interface
• WAN Links
• Static Routes
• Note that one configuration change in the Basic mode view may modify more than one setting in Advanced mode.
• Existing configurations built on previous firmware releases can still make use of Basic mode.
• The Basic > Sites view provides a site list on the left and displays the summary of the selected site on the right.
Key Notes:
• This slide is hidden from the in-class presentation and added for additional student resources.
Key Notes:
• SD-WAN release 9.2 introduces a couple more diagnostic tools designed to ease the introduction of SD-WAN into an existing environment and to improve monitoring and reporting capabilities. This mini-lesson outlines the specifics of each of these diagnostic enhancements.
Slide: Adaptive Bandwidth Detection (remote SD-WAN-SE to Data Center or Cloud SD-WAN-SE, with the WAN links and eligibility settings shown).
• Reduce rate when loss is encountered before path state change
• Set minimum accepted rate to allow for path state change
• Use with "Bad Loss Sensitivity" feature
Key Notes:
• The NetScaler SD-WAN 9.2 release adds a new advanced setting in the WAN link definition called "Adaptive Bandwidth Detection". This feature is for a WAN Link whose available bandwidth varies throughout the day. It is most useful for VSAT, LOS, Microwave and 3G/4G/LTE WAN Links, for which the available bandwidth varies with weather and atmospheric conditions, location, and line-of-sight obstructions.
• Adaptive Bandwidth Detection enables NetScaler SD-WAN to adjust the bandwidth rate on the WAN link dynamically, within a defined bandwidth range (minimum and maximum WAN link rate), to use the maximum amount of available bandwidth without marking the path as
Key Notes:
• The Adaptive Bandwidth Detection feature is only available on branch node WAN links. This is by design: the feature was intended to address a specific use case, application delivery across WAN paths whose bandwidth varies widely, for example ship-to-shore communication.
• In that case the distance from the ship (the branch node) to the shore (the location of the MCN) varied throughout the day, and with it the available bandwidth. Previously the SD-WAN WAN link configuration required a static entry of the permitted rate for LAN to WAN and WAN to LAN; this feature allows some deviation from that static configuration while still letting SD-WAN make good use of the available WAN link resource.
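The back-off behaviour these notes describe, as an added example written for this page (not Citrix code): a Python model of a WAN link that steps its permitted rate down between the configured maximum and the minimum accepted rate while loss is seen, and only lets the path state change to BAD once the minimum has been reached, compared against a fixed-rate link that goes BAD on the first lossy interval. The loss threshold, step size, recovery hysteresis and the sample loss series are assumptions of the model, not documented SD-WAN parameters.

```python
"""Added example, not Citrix code: a model of an adaptive-bandwidth WAN link.

The controller keeps a permitted rate between a configured maximum and a
minimum accepted rate. When loss is seen and headroom remains it backs the
rate off and keeps the path GOOD; only when the rate is already at the minimum
and loss persists does it allow the path state to change to BAD. Loss
threshold, step size and recovery hysteresis are assumptions of this model.
"""
from typing import List, Tuple

GOOD, BAD = "GOOD", "BAD"


class AdaptiveLink:
    def __init__(self, max_kbps: int, min_kbps: int,
                 loss_threshold_pct: float = 2.0,       # assumption: loss above this counts as "loss encountered"
                 step_pct: float = 10.0,                # assumption: back off / recover by 10% of max per interval
                 clean_intervals_to_recover: int = 3):  # assumption: clean intervals needed before recovering
        if not 0 < min_kbps <= max_kbps:
            raise ValueError("minimum accepted rate must be positive and not exceed the maximum")
        self.max_kbps = max_kbps
        self.min_kbps = min_kbps
        self.loss_threshold_pct = loss_threshold_pct
        self.step_kbps = max(1, int(max_kbps * step_pct / 100))
        self.clean_intervals_to_recover = clean_intervals_to_recover
        self.rate_kbps = max_kbps
        self.state = GOOD
        self._clean_run = 0

    def observe(self, loss_pct: float) -> Tuple[int, str]:
        """Feed one measurement interval; return (permitted rate in kbps, path state)."""
        if loss_pct > self.loss_threshold_pct:
            self._clean_run = 0
            if self.rate_kbps > self.min_kbps:
                # Loss seen but headroom remains: reduce the rate, the path stays GOOD.
                self.rate_kbps = max(self.min_kbps, self.rate_kbps - self.step_kbps)
            else:
                # Already at the minimum accepted rate and still losing:
                # now the path state change is allowed.
                self.state = BAD
        else:
            self._clean_run += 1
            if self._clean_run >= self.clean_intervals_to_recover:
                # Sustained clean intervals: restore GOOD and ramp the rate back up.
                self.state = GOOD
                self.rate_kbps = min(self.max_kbps, self.rate_kbps + self.step_kbps)
        return self.rate_kbps, self.state


def simulate(link: AdaptiveLink, loss_samples: List[float]) -> List[Tuple[int, str]]:
    return [link.observe(loss) for loss in loss_samples]


def static_states(loss_samples: List[float], loss_threshold_pct: float = 2.0) -> List[str]:
    """Fixed-rate behaviour for comparison: loss above the threshold marks the path BAD at once."""
    return [BAD if loss > loss_threshold_pct else GOOD for loss in loss_samples]


def bad_intervals(states: List[str]) -> int:
    return sum(1 for s in states if s == BAD)


# Constructed sample series: two clean intervals, eight lossy ones (5% loss), then six clean.
SAMPLE_LOSS_PCT = [0.0, 0.0] + [5.0] * 8 + [0.0] * 6

if __name__ == "__main__":
    trace = simulate(AdaptiveLink(max_kbps=10_000, min_kbps=4_000), SAMPLE_LOSS_PCT)
    for i, (rate, state) in enumerate(trace):
        print(f"interval {i:2d}: loss {SAMPLE_LOSS_PCT[i]:4.1f}%  rate {rate:6d} kbps  {state}")
    print("BAD intervals, adaptive:", bad_intervals([s for _, s in trace]))
    print("BAD intervals, static:  ", bad_intervals(static_states(SAMPLE_LOSS_PCT)))
```

With the sample series the adaptive link spends six lossy intervals stepping from 10,000 down to 4,000 kbps while still GOOD, goes BAD only for the two lossy intervals at the minimum, and stays BAD through the hysteresis window before ramping back up; the fixed-rate comparison is BAD for all eight lossy intervals.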
Slide: diagram of SD-WAN-SE at the remote site and at the Data Center or Cloud.

Key Notes:
when the service provider is not providing accurate available bandwidth, or when there is
an instant path bandwidth test through any WAN link, or to schedule WAN link bandwidth testing to be completed at specific times on a recurring basis. This feature is useful for demonstrating how much bandwidth is available between two locations during new and existing installations, and also for testing paths to determine the outcome of setting and configuration changes, such as
desired path to test from the drop-down list and click the Test button to run a path bandwidth test. Dynamic virtual paths will also be listed when a dynamic virtual path exists.
• The output displays the minimum, maximum and average bandwidth results of the test. Along with the ability to test the bandwidth, you can now change the configuration file to use the learned bandwidth. This is done through the Auto Learn option under Site > [Site Name] > WAN Links > [WAN Link Name] > Settings; if it is enabled, the system will use the learned bandwidth.
• "Schedule Path Bandwidth Testing" configures the appliance to run path bandwidth testing regularly at a set time. No dynamic virtual path is listed here. The settings on this appliance are not synchronized to the High Availability peer.
• Frequency: How often the path bandwidth test should be run for the selected path.
• Day of Week: On what day of the week the test should be run. This is only valid when Frequency is set to every week.
325 © 2018 Citrix Authorized Content CITRIX
SD-WAN Diagnostic Tools

Key Notes:
• The Diagnostic Tools are extremely helpful when troubleshooting the SD-WAN product. They help determine whether the SD-WAN overlay is at fault or whether the underlay network is not functioning as expected.
• With this 9.2 enhancement, the standard iPerf tool is packaged and available directly in the web interface of SD-WAN Standard and Enterprise Edition appliances. With the iPerf tool, admins can get insight into the path capacity and useful data in questioning proper
• This diagnostic tool is useful when troubleshooting network issues that may result in:
• Most often, these problems arise from rate limiting configured on a firewall or router, incorrect bandwidth settings, low link speed, a lower than expected priority queue set by the network provider, or misconfiguration of the routers. The diagnostic tools enable admins to identify the root cause of such issues and troubleshoot them.
• The diagnostic tool removes the dependency on third-party tools such as iPerf that have to be installed manually on the Data Center and Branch hosts. It provides more control over the type of diagnostic traffic sent, the direction in which the diagnostic traffic flows, and the path on which it flows.
• The diagnostic tool can generate the following two types of traffic:
• Control: Eliminates SD-WAN processing (SD-WAN QoS/schedulers, optimization and so on) on the diagnostic traffic. This is used to identify SD-WAN related issues.
• Data: Simulates the traffic generated from the host, with SD-WAN traffic processing. This is
Slide: SD-WAN Diagnostic Tools, iPerf client/server screens.

Not supported iPerf arguments
• -c : Client mode
• -s : Server mode
• -B : Binding to IP/Interfaces
• -p : Port number
Key Notes:
• The diagnostic tool allows any SD-WAN device to be placed in Client or Server test mode. This enables unidirectional bandwidth measurement on any of the available paths.
• The selected traffic type, port number and path under test must match on both ends of the test.
• With the server listening on the assigned port, another SD-WAN device can be placed in client mode to start pumping traffic onto the targeted path. (2) The results window will indicate the
• The iPerf field does support standard iPerf arguments, but some of these are already handled by the diagnostic tool, so the following are not needed:
• -c : Client mode
• -s : Server mode
• -B : Binding to IP/Interfaces
• -p : Port number
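A free-form argument field that is handed to a packaged binary is exactly the kind of input a security engineer wants validated, so here is an added example (written for this page, not Citrix code) of how such a field can be wrapped: the tool itself fixes the role, bind address, peer and port, so -c, -s, -B and -p coming from the field are refused rather than silently overridden; every other token must be a known short iPerf option with a plain numeric value; and the final command is passed to the OS as an argv list with no shell, so the field cannot carry a command injection. The allow list, the value pattern, the iperf3 binary name and the sample inputs are assumptions of this example.

```python
"""Added example, not Citrix code: a guarded wrapper around a free-form iPerf
argument field. Role, bind address, peer and port are chosen by the wrapper;
the field may only add known short options with numeric values, and the
command runs as an argv list with no shell. Allow list and binary name are
assumptions.
"""
import ipaddress
import re
import shlex
import subprocess
from typing import List

IPERF_BIN = "iperf3"  # assumption: the packaged binary

# Options the diagnostic tool sets itself; giving them in the field is an error.
RESERVED = {"-c": "client mode", "-s": "server mode",
            "-B": "bind address", "-p": "port number"}

# Assumed allow list of pass-through options: True if the option takes a value.
ALLOWED = {"-u": False, "-R": False, "-N": False, "-4": False, "-6": False,
           "-t": True, "-i": True, "-b": True, "-P": True, "-w": True, "-l": True}

# Values are digits with an optional decimal part and size suffix (10, 2.5, 10M, 256K).
VALUE_RE = re.compile(r"\d+(\.\d+)?[KMGkmg]?")


class IperfArgError(ValueError):
    pass


def parse_user_args(field: str) -> List[str]:
    """Turn the free-form field into argv tokens, or raise IperfArgError."""
    try:
        tokens = shlex.split(field)
    except ValueError as exc:  # unbalanced quotes
        raise IperfArgError(f"cannot parse iperf arguments: {exc}") from exc
    argv: List[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in RESERVED:
            raise IperfArgError(f"{tok} ({RESERVED[tok]}) is set by the diagnostic tool")
        if tok not in ALLOWED:
            raise IperfArgError(f"unsupported iperf argument: {tok!r}")
        argv.append(tok)
        if ALLOWED[tok]:
            if i + 1 >= len(tokens) or tokens[i + 1].startswith("-"):
                raise IperfArgError(f"{tok} requires a value")
            value = tokens[i + 1]
            if not VALUE_RE.fullmatch(value):
                raise IperfArgError(f"bad value for {tok}: {value!r}")
            argv.append(value)
            i += 1
        i += 1
    return argv


def field_is_accepted(field: str) -> bool:
    try:
        parse_user_args(field)
        return True
    except IperfArgError:
        return False


def build_iperf_argv(role: str, local_ip: str, peer_ip: str, port: int, field: str = "") -> List[str]:
    """Assemble the full command; the wrapper, not the field, decides role, bind, peer and port."""
    if role not in ("client", "server"):
        raise IperfArgError("role must be 'client' or 'server'")
    if not 1 <= port <= 65535:
        raise IperfArgError(f"port out of range: {port}")
    local = str(ipaddress.ip_address(local_ip))  # raises ValueError on anything but an address
    peer = str(ipaddress.ip_address(peer_ip))
    argv = [IPERF_BIN, "-s"] if role == "server" else [IPERF_BIN, "-c", peer]
    argv += ["-B", local, "-p", str(port)]
    return argv + parse_user_args(field)


def run_iperf(argv: List[str], timeout_s: int = 60) -> str:
    # No shell=True: argv reaches the OS token by token, so no token is ever re-parsed.
    done = subprocess.run(argv, capture_output=True, text=True, timeout=timeout_s, check=False)
    return done.stdout if done.returncode == 0 else done.stderr


if __name__ == "__main__":
    # Constructed inputs; the "; rm" one would be an injection if the command were built as a shell string.
    print(build_iperf_argv("server", "10.0.0.1", "10.0.0.2", 5201))
    print(build_iperf_argv("client", "10.0.0.2", "10.0.0.1", 5201, "-u -b 10M -t 5"))
    for bad in ("-c 10.0.0.9", "-p 80", "-s", "-B 0.0.0.0", "--time 5", "-t", "-t 5; rm -rf /tmp/x", "$(id)"):
        try:
            parse_user_args(bad)
        except IperfArgError as exc:
            print(f"rejected {bad!r}: {exc}")
```

The reserved options are rejected rather than stripped so that an operator who typed `-p 80` learns the tool's own port is the one in use, instead of assuming the test ran on port 80.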
Key Notes:
• With the NetScaler SD-WAN 9.2 software release, platform enhancements were also introduced, with the primary focus on providing increased performance and
• Auto secure peering enhancements with Enterprise Edition capability as the Master Control
Key Notes:
• SD-WAN release 9.2 introduced further performance improvements for the virtual appliance (VPX) models to address the need for higher throughput and a wider range of supported hypervisors.
• Both the WANOP and Standard Edition virtual appliances are supported on: XenServer, ESXi,
• The table lists the hardware specifications required for the virtual appliance.
• With release 9.2, a new set of virtual hardware with a new CPU profile has been introduced. With the appropriate resource allocation, SD-WAN Standard Edition virtual appliances can achieve higher throughput capacities.
Slide: 9.2 platform additions.
• High performance SE platform: 2100 SE (300 Mbps to 3 Gbps SE); previously 100 to 300 Mbps SE
• High capacity VPX; previously 10 to 100 Mbps VPX-SE
• Previously 256/32 Virtual Paths (5100)
Key Notes:
• NetScaler SD-WAN platforms provide a wide range of appliances enabling application delivery to a variety of locations. To accompany release 9.2, SD-WAN expanded the available virtual and hardware platforms.
• On the cloud side, release 9.2 introduced Standard Edition availability for the Microsoft Azure cloud. Software enhancements have also been made to provide a 1 Gbps VPX-SE model for the ESXi hypervisor.
• On the physical platforms, new hardware has been introduced to provide a higher performance Standard Edition model to support large branch and small data center deployments. (3) Also
• The 5100-SE model not only increases its capacity through the 9.2 software upgrade, it also increases the number of supported remote sites from 256 to 550.
Slide: NS-SDW-2100-SE (300 / 500 / 1000 / 1500).
• Up to 1.5 Gbps bi-directional
• Up to 128 remote sites (Virtual Paths)
• 4 x 1000BaseTx (2 pairs of FTW)
• 4 x 1GE SFP
• Front panel: serial port, LOM, ports 0/1 and 0/2, 1/1 to 1/4, 10/1 to 10/6
Key Notes:
• The interface layout includes a serial port, a Lights Out Management port, 2 x 1000BaseTX
• 4 x 10G/1G SFP+
• 4 x 1000BaseTX
• 2 x 10GBase-SR
Key Notes:
• The interface layout includes two USB ports, a Lights Out Management port, 2 x 1000BaseTX

Table (column headers not recovered):
1000WS: N/A, N/A, 7.4.3.14 (Windows Server 2012R2), 9.1.2.26 (Windows Server 2012R2)
2000WS: N/A, N/A, 7.4.3.14 (Windows Server 2012R2), 9.1.2.26 (Windows Server 2012R2)
3000 (CU and Fiber): N/A, N/A, 7.4.3.14, 9.1.2.26
Slide: diagram of users and Branch Offices connected over the SD-WAN overlay network to the Data Center, where NS SD-WAN sits alongside NS ADC/Gateway.
Slide: Data Center Enterprise Edition Solution (EE), for PoCs and mid-size deployments (Remote Enterprise to Data Center or Cloud).
• Only on 1000 and 2000 appliances
• 9.2 supports: AppFlow, Domain join, SSL Acceleration
• Enables full acceleration and visibility

Slide: Two Box Solution, Data Center Standard Edition with Core SD-WAN.
• Standard Edition supported appliances: 5100-SE, 4100-SE, 4000-SE
• WANOP Edition supported appliances: 5000-WO, 4000-WO
Key Notes:
• In order to accommodate larger scale deployments, and to simplify the deployment model for a two-appliance solution (WANOP plus Standard Edition), Two Box Mode was introduced in NetScaler
• limited to the higher-end platforms. From a physical deployment perspective, the WANOP Edition appliance is deployed one-arm off an available interface of the Standard Edition appliance. The Standard Edition appliance takes the role of the router, performing redirection of
• Redirect to WANOP can be found as an option in the Global > Routing Domains node of the Configuration Editor.
Key Notes:
• With the 9.2 SD-WAN release, some of the limitations previously preventing Enterprise Edition from being deployed as the head-end SD-WAN appliance and being promoted as the Master
• make use of the extended WAN Optimization features previously only achievable with the use of a
• Data Store Encryption can be performed on the Enterprise Edition appliance through a 9.2 feature enabled from the MCN Configuration Editor under the Optimization node for the Enterprise Edition appliance. For an Enterprise Edition appliance, secure peering is always enabled.
• Auto-secure peering is initiated from the EE appliance at the DC site and the Branch site EE appliance
• This deployment configures the EE appliance at the DC site in LISTEN ON mode and the Branch side EE in CONNECT TO mode.
• Refer to the SD-WAN documentation for the steps to configure auto-secure peering on the new Enterprise Edition appliance at the Data Center.
Key Takeaways:
• Dynamic NAT with port forwarding allows the admin to port-forward specific traffic to a defined IP address.
• throughput capacities.
Key Notes:
• The Optional Self Study exercises are added to allow students to continue the hands-on experience outside of class time. You are given 30 days of access to the lab environment and can go in at any time to complete these labs.