Citrix SD-WAN Orchestrator for On-premises 14.4

Routing

The Routing section provides the following options:

  • Routing Policies
  • Route Summarization
  • Routing Domains
  • Import Route Profiles
  • Export Route Profiles
  • Transit Nodes

Routing policies

Routing policies help to enable traffic steering. Based on the selection (Application routes and IP Routes) you can use different ways to steer traffic.

Routing policy

Application Routes

Click + Application Route to create an application route.

  • Custom Application Match Criteria:

    • Match Type: Select the match type as Application/Custom Application/Application Group from the drop-down list.
    • Application: Choose one application from the list.
    • Routing Domain: Select a routing domain.
  • Scope: You can scope the application route at the global level or site and group specific level.

  • Traffic Steering;
    • Delivery Service: Choose one delivery service from the list.
    • Cost: Reflects the relative priority of each route. Lower the cost, the higher the priority.
  • Eligibility Based on Path:
    • Add Path: Choose a site and WAN links. If the chosen path goes down, then the application route does not receive any traffic.

Application route

If a new application route gets added, then the route cost must be in the following range:

  • Custom application: 1–20
  • Application: 21–40
  • Application group: 41–60

IP Routes

Go to IP Routes the tab and click + IP Route to IP Route policy to steer traffic.

IP route

  • IP Protocol Match Criteria:

    • Destination Network: Add the destination network that helps to forward the packets.
    • Use IP Group: You can add a destination network or enable the Use IP Group check box to select any IP group from the drop-down list.
    • Routing Domain: Select a routing domain from the drop-down list.
  • Scope: You can scope the IP route at the global level or site and group specific level.

  • Traffic Steering:
    • Delivery Service: Choose one delivery service from the drop-down list.
    • Cost: Reflects the relative priority of each route. Lower the cost, the higher the priority.

    If a new IP route gets added, then the route cost must be in the 1–20 range.

  • Eligibility Criteria:
    • Export Route: If the Export Route check box is selected and if the route is a local route, then the route is eligible to be exported by default. If the route is an INTRANET/INTERNET based route, then for the export to work, WAN to WAN forwarding has to be enabled. If the Export Route check box is cleared, then the local route is not eligible to be exported to other SD-WAN and has local significance.
  • Eligibility based on Path:
    • Add Path: Choose a site and WAN links. If the added path goes down, then the IP route does not receive any traffic.

Click Verify Config to validate any audit error.

Route Summarization

Route summarization reduces the number of routes that a router must maintain. A summary route is a single route that is used to represent multiple routes. It saves bandwidth by sending a single route advertisement, reducing the number of links between routers. It saves memory because only one route address is maintained. The CPU resources are used more efficiently by avoiding recursive lookups. You can add summary routes without specifying the gateway IP address.

Routing domains

Routing Domains are used for segregate traffic through VLAN. Once the routing domains are created, you can reference them at the global level (for Intranet services) or interface level.

You can also select the default routing domain that applies to all the sites.

Default routing domain

To match routes from a specific routing domain, click + Routing Domain and choose one of the configured Routing Domains from the drop-down list. Click Save.

Network segmentation routing domains

Click Verify Config to validate any audit error.

For more information, see Routing Domain.

Inter-routing domain service

Citrix SD-WAN Orchestrator for On-premises provides Static Inter-Routing Domain Service, enabling route leaking between Routing Domains within a site or between different sites. This eliminates the need for an edge router to handle route leaking. The Inter-VRF routing service can further be used to set up routes, firewall policies, and NAT rules.

For more information see, Inter-routing domain service.

To configure the Inter-Routing Domain service through the Citrix SD-WAN Orchestrator for On-premises:

  1. At the network level, navigate to Configuration > Routing > Routing Domains > Inter-Routing Domain Service.

  2. Click + Inter-Routing Domain and enter values for the following parameters:

  • Name: The name of the Inter-Routing Domain Service.
  • Routing Domain 1: The first Routing Domain of the pair.
  • Routing Domain 2: The second Routing Domain of the pair.
  • Firewall Zone: The Firewall Zone of the Service.
    • Default: The Inter_Routing_Domain_Zone firewall zone is assigned.
    • None: The service behaves like a conduit, which has no Zone and maintains the original zone of the packet.
    • All Zones configured in the network might be selected.

    Inter-routing domain service

To create routes using the Inter-routing domain service, create a route with Service type as Inter-Routing Domain Service and select the inter-routing domain service. For more information on configuring Routes, see Routing policies.

Routing policies

Also add a route from the other Routing Domain pair, to establish connection to and fro between the two routing domains.

You can also configure firewall policies to control the flow of traffic between routing domains. In the firewall policies, select Inter-Routing domain service for the source and destination services and select the required firewall action. For information on configuring Firewall Policies, see Firewall policies.

Firewall policies

You can also choose Intranet service type to configure Static and Dynamic NAT policies. For More information on configuring NAT policies, see Network Address Translation.

Import route profiles

You can configure Filters to fine-tune how route-learning takes place.

Import filter rules are rules that have to be meet before importing dynamic routes into the SD-WAN route database. By default, no routes are imported.

Import route profiles

Add an Import Filter Profile with the Import Profile Name, Profile Availability, and Import Filters along with the following fields:

  • Protocol - Select the protocol from the list.
  • Routing Domain - To match routes from a specific routing domain, choose one of the configured Routing Domains from the list.
  • Source Router - Enter the IP address and netmask of the configured network object that describes the route’s network.
  • Destination IP - Enter the destination IP address.
  • Prefix - To match routes by prefix, choose a match predicate from the list and enter a Route prefix in the adjacent field.
  • Next Hop - Enter the next hop destination.
  • Route Tag - Fill the route tag.
  • Cost - The method (predicate) and the SD-WAN Route Cost that are used to narrow the selection of routes exported.

 Import route profile details

Click Verify Config to validate any audit error.

Export route profiles

Define the rules that have to meet when advertising SD-WAN routes over dynamic routing protocols. By default, all routes are advertised to peers.

Export route profile

Click Verify Config to validate any audit error.

Transit nodes

Virtual overlay Transit Node

Transit nodes are the sites that are able to forward traffic between one or more branches within a region.

The traffic between two nodes can be influenced to pick transit node as an intermediate hop by adjusting the route cost. Transit nodes are used to route data to non-adjacent nodes. For example, if three nodes are connected in series A-B-C, then data from A to C can be routed via B. You can specify the transit node and the sites to be routed through the transit node in the Citrix SD-WAN Orchestrator service. The virtual paths are chosen in the ascending order of cost. Lower the cost, higher the priority.

Transit node architecture

Default global virtual overlay transit nodes

You can specify the control nodes (MCN/RCN) and the geo-control nodes (Geo-MCN/RCN) to act as the default global virtual overlay transit nodes in a network. Enabling spoke-and-spoke communication through Hub as part of global settings allows all the sites to use the configured control nodes as transit nodes, by default, for site-to-site communication.

Virtual overlay transit node

Add the control node and geo-control nodes that you want to use as virtual overlay transit nodes and specify the virtual path cost. The control nodes and geo-control nodes have 6 and 7 as the respective default virtual path costs. You can choose to change the virtual path cost as per your network requirement. Click Restore Default to restore the default virtual path costs for the default transit nodes.

Note

You can add a maximum of 3 control nodes and 3 geo-control nodes as transit nodes.

By default, WAN-to-WAN forwarding is enabled on all the paths associated with the selected control and geo-control nodes. WAN-to-WAN forwarding allows a site to act as an intermediate hop between two adjacent sites for any site-to-site, internet or intranet traffic and to act as a mediator for Dynamic Virtual Paths.

You can override the global transit node settings and choose to enable or disable spoke-to-spoke forwarding only on selected control transit nodes. When Spoke to Spoke Forwarding is enabled, the transit control node exports routes across the sites connected to it. Site-to-Site communication and Dynamic Virtual path across sites connected to the transit node alone gets enabled.

Enabling Route Export enables virtual path-to-virtual path forwarding and route exporting (WAN-to-WAN forwarding) on all the site paths. Disabling the toggle button enables only virtual path-to-virtual path forwarding and disables route exporting on all the site paths. Route Export can be enabled only when Spoke to Spoke Forwarding is enabled.

Enable/disable route exporting

Site specific preferences for virtual overlay transit nodes

Site-specific preferences for virtual overlay transit nodes allow you to override the global virtual overlay transit node settings for all the sites in your network. You can also choose a non-control node as the primary transit node for a site. Choose a control node or geo-control node as the secondary and the tertiary transit nodes. If the primary transit node is down, the sites use the secondary transit node. If both primary and secondary transit nodes are down, the sites use the tertiary transit node. Specify the cost for the transit nodes and select the sites to which the site-specific virtual overlay transit node settings are applied.

Site specific transit node

Internet Transit Node

You can add sites as Internet transit sites to enable Internet access to the sites. Sites that need direct internet connectivity, must have at least one link with Internet service enabled. That means, at least one link set to a non-zero bandwidth share %.

Each transit site can be assigned a route cost. The sites with internet service available access the internet directly since the direct route would be the lowest cost routing path. Sites without internet service can route to the internet through the configured transit sites. When the internet transit sites are configured, routes to the internet through these transit sites are automatically pushed to all the sites. Internet transit sites are the sites with Internet service enabled.

For example, if San Francisco and New York are configured as internet transit sites. Routes to the internet via San Francisco and New York automatically get pushed to all the sites.

The virtual overlay transit node with Internet service enabled acts as the primary internet transit node. If internet service is not enabled on the virtual overlay transit node the secondary / backup internet transit node provides a route to the internet.

Internet Transit Node

Intranet Transit Node

The intranet transit node enables all the non-intranet sites to access the configured intranet networks. Each transit site can be assigned a route cost. The available sites with intranet service, accesses the intranet networks directly since the direct route would be the lowest cost routing path. Sites without intranet service can route to the intranet networks through the configured transit sites. When the transit sites are configured, routes to intranet networks through these transit sites are automatically pushed to all the sites. For example, if 10.2.1.0/24 is an intranet network, and Austin and Dallas are the configured transit sites. Routes to that network address through Austin and Dallas automatically get pushed to all the sites. The virtual overlay transit node with Intranet service enabled acts as the primary intranet transit node. If intranet service is not enabled on the virtual overlay transit node the secondary / backup intranet transit node provides a route to the intranet.

Intranet Transit Node

BGP

You can configure BGP settings for a site by selecting the required site from the drop-down list and clicking GO. This takes you to the site level BGP configuration page. For detailed information on configuring BGP, see BGP.

Network level BGP config

OSPF

You can configure OSPF settings for a site by selecting the required site from the drop-down list and clicking GO. This takes you to the site level OSPF configuration page. For detailed information on configuring OSPF, see OSPF.

Network level OSPF config

Multicast groups

You can configure multicast routing for a site by selecting the required site from the drop-down list and clicking GO. This takes you to the site level multicast groups configuration page. For detailed information on configuring multicast routing, see Multicast groups.

Network level multicast routing

VRRP

You can configure virtual router redundancy protocol (VRRP) for a site by selecting the required site from the drop-down list and clicking GO. This takes you to the site level VRRP configuration page. For detailed information on configuring multicast routing, see VRRP.

Network level multicast routing

Routing