CloudBridge Virtual WAN 8.1.0

Deployment Planning Guide

This document provides guidance for designing your Citrix CloudBridge Virtual WAN deployment.

CITRIX SYSTEMS, INC | www.citrix.com

Page | 2 Citrix CloudBridge Virtual WAN 8.1.0 Deployment Planning Guide

Copyright and Trademark Notice

© CITRIX SYSTEMS, INC., 2015. ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK (SUCH AS TRANSLATION, TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC.

Citrix, Citrix Systems, CloudBridge, Citrix Repeater, Branch Repeater, WANScaler, NetScaler, XenServer, Orbital Data, Orbital 5500, Orbital 6500, Orbital 6800, TotalTransport, AutoOptimizer Engine, and Adaptive Rate Control are trademarks of Citrix Systems.

Citrix Systems assumes no responsibility for errors in this document, and retains the right to make changes at any time, without notice.

Portions licensed under the Apache License, Version 2.0 http://www.apache.org/licenses/LICENSE-2.0.

Portions licensed under the Gnu Public License, http://www.gnu.org/copyleft/gpl.html, including xmlrpc++, glibc, rpmlibs, beecrypt.

Portions licensed under the Gnu Public License with product-specific clauses, including the Linux kernel (http://www.kernel.org/pub/linux/kernel/COPYING), libstdc++, and libgcc.

Portions are free software with vendor-specific licensing, including zlib (http://www.gzip.org/zlib/zlib_license.html), netsnmp (http://www.net-snmp.org/about/license.html), openssl (http://www.openssl.org/source/license.html), krb5-libs (http://web.mit.edu/kerberos/krb5-1.3/krb5-1.3.6/doc/krb5-install.html), tcp_wrappers (ftp://ftp.porcupine.org/pub/security/tcp_wrappers_license), bzip2-libs (http://sources.redhat.com/bzip2/), popt (http://directory.fsf.org/libs/COPYING.DOC). Elfutils-libelf is licensed under the OSL 1.0 license, http://www.opensource.org.

JPGraph licensed under the terms given in http://www.aditus.nu/jpgraph/proversion.php.

LZS licensed from Hifn corporation, http://www.hifn.com.

Iperf licensed under the terms given in http://dast.nlanr.net/Projects/Iperf/ui_license.html.

This product includes PHP, freely available from http://www.php.net/.


Contents

1 About This Guide ... 5
  Purpose ... 5
  Audience ... 5
  Related Documents ... 5
    CloudBridge Virtual WAN Documentation ... 5
    CloudBridge Virtual WAN Knowledge Base Articles ... 6
2 CloudBridge Virtual WAN Solution Overview ... 7
  Virtual WAN Solution Architecture ... 7
  Basic Concepts in the Virtual WAN Architecture ... 9
    CloudBridge Virtual WAN Nodes ... 9
    Virtual IP Addresses (VIP) ... 10
    Virtual Paths ... 10
    Virtual WAN Services ... 11
    Virtual WAN Service Provisioning ... 13
  Topology Deployment Options ... 13
    1-Arm Topology ... 14
    In-line Topology ... 15
    Gateway Mode ... 16
3 Deploying High Availability for Virtual WAN ... 17
  Master Control Node (MCN) High Availability ... 17
    MCN High Availability in 1-Arm Topology ... 18
    MCN High Availability in a Parallel In-line Topology ... 19
    Geographically Distributed MCN High Availability Configuration ... 19
  Deploying High Availability for Client Nodes ... 20
4 Virtual WAN Deployment Options ... 21
  Small/Medium Enterprises ... 21
    Branch-to-Branch Traffic ... 22
  Large Enterprises ... 22
    Inter-Zone Traffic ... 23
5 Deploying Virtual WAN with WAN Optimization ... 26
6 Deploying Virtual WAN with MPLS Networks ... 28
  MPLS Deployment Example ... 29
  Summary ... 30
7 Additional Deployment Considerations ... 31
  Firewall Rules and NAT ... 31
    Deploying Branches without Firewalls ... 32
  Deploying Intranet Services ... 32
  Completing Configuration by Adding Routes ... 33
    Local Access Routes ... 33
    Intranet Routes ... 33
    Summary of Additional Deployment Considerations ... 34
8 Provisioning Guidelines ... 35
  Provisioning Groups ... 35
  Fair Shares ... 36


About This Guide

This section describes the purpose and intended audience of this guide. Also provided are information and links to additional CloudBridge documentation resources.

Purpose

This guide provides an overview of deployment options for the CloudBridge Virtual WAN solution, and an explanation of fundamental concepts of Virtual WAN architecture.

Audience

This guide is intended for Network Administrators defining a deployment approach for CloudBridge Virtual WAN. Readers are assumed to be familiar with the physical setup and operation of networking equipment.

Related Documents

This section provides information and links to additional CloudBridge documentation resources.

CloudBridge Virtual WAN Documentation

The following additional CloudBridge Virtual WAN documentation is available on the Citrix Documentation Portal (http://docs.citrix.com/):

• Citrix CloudBridge Virtual WAN 8.1.0 Installation and Configuration Guide
• Citrix CloudBridge Virtual WAN Center 8.1.0 Installation and Configuration Guide


To view CloudBridge documentation, select CloudBridge from the Select Solution/Product drop-down menu, and then click a topic in the documentation list that displays.

CloudBridge Virtual WAN Knowledge Base Articles

The following CloudBridge Knowledge Base support articles are recommended:

• CloudBridge Virtual WAN PBR Mode Deployment Steps (CTX201577)
  http://support.citrix.com/article/CTX201577
• CloudBridge Virtual WAN Gateway Mode Deployment Steps (CTX201576)
  http://support.citrix.com/article/CTX201576
• My Account All Licensing Tools User Guide (CTX131110)
  http://support.citrix.com/article/ctx131110
• Path Continuously Flipping Between GOOD/BAD/DEAD on a Newly Installed WAN Link of CloudBridge (CTX201619)
  http://support.citrix.com/article/CTX201619
• Path DEAD on Newly Installed or Existing WAN Link of CloudBridge (CTX201618)
  http://support.citrix.com/article/CTX201618

The following section provides an overview of the CloudBridge Virtual WAN solution.


CloudBridge Virtual WAN Solution Overview

The primary features of CloudBridge Virtual WAN are as follows:

• Provides bandwidth aggregation from all available WAN paths into one Virtual Path to the WAN.
• Provides seamless failover in the event of failure in one of the WAN paths.
• Application awareness protects critical applications in the event of WAN failure. If failure occurs, critical applications are prioritized over non-critical applications.
• Provides packet duplication for applications with extreme sensitivity to packet loss (for example, VoIP applications).

Virtual WAN Solution Architecture

This section explains the basic concepts of CloudBridge Virtual WAN architecture, and how the solution is organized to maximize results in a typical incumbent Enterprise network environment.

CloudBridge Virtual WAN maximizes WAN performance for all applications by making optimal use of all available WAN resources. The Virtual WAN enables you to combine traditional WAN private circuits (for example, MPLS) with a variety of other cost-effective links (for example, Internet and LTE cellular).

Figure 1 provides an example of a basic Virtual WAN topology for maximizing results in a typical Enterprise network environment.


Figure 1. Example Enterprise topology

The typical Enterprise topology comprises the following application elements and connectivity characteristics:

• An IP network consisting of switches, routers, and firewalls implements the WAN and access to the Internet.
• Branches are connected to the Private WAN, and can differ as to whether they connect to the Internet.
• On-premises applications are hosted in an Enterprise datacenter. Users scattered across branch sites access those applications through a private MPLS WAN.
• Applications in secondary service provider data centers are accessed through MPLS or VPNs over the Internet.
• Cloud-based applications are hosted by third parties and are reachable through the Internet.
• Internet access is available in some WAN sites.


Basic Concepts in the Virtual WAN Architecture

To deliver the main features outlined in the typical Enterprise scenario above, CloudBridge Virtual WAN implements an overlay IP network on top of the existing IP networking infrastructure. The Virtual WAN dominates this overlay network. For a WAN site to receive the full benefits of the Virtual WAN, it must be connected to a secondary WAN link, in addition to the primary MPLS link.

The following sections describe the fundamental architectural elements of the CloudBridge Virtual WAN.

CloudBridge Virtual WAN Nodes

The CloudBridge Virtual WAN architecture comprises one Master Control Node (MCN) located in the Enterprise data center, and several client nodes installed at each branch site within the scope of the Virtual WAN.

Figure 2 depicts how the Virtual WAN nodes are inserted into our typical incumbent Enterprise network. In this scenario, the topology has been modified to add Internet links at all locations.

Figure 2. Inserting CloudBridge Virtual WAN nodes into the Enterprise network

To achieve the full benefits of the Virtual WAN, it is crucial that you deploy the Virtual WAN nodes in a scheme that enables CloudBridge Virtual WAN to control all of the traffic over the WAN. Ideally, Virtual WAN clients should be deployed in all of the sites across the WAN, and at endpoints where Enterprise application flows initiate and terminate.


Virtual IP Addresses (VIP)

CloudBridge Virtual WAN establishes an overlay IP network, defined privately among the MCN and the client nodes. From the perspective of the surrounding network elements, CloudBridge Virtual WAN is a collection of L2 devices, and traffic is most typically ingested in L2 mode.

CloudBridge Virtual WAN forwards each IP packet to specific interfaces in the destination node, thereby steering these packets through specific paths in the WAN. To carry out the forwarding operation, each physical interface in the MCN and in all client nodes must be assigned at least one routable IP address, deemed a Virtual IP Address (VIP). VIPs are not advertised to the surrounding network elements for routing. As they are known only to the MCN and Virtual WAN clients, the VIPs constitute the endpoints of all circuits in the overlay network implemented by CloudBridge Virtual WAN.

Logical links between two VIPs are defined as WAN paths. Traffic sent over a WAN path is encapsulated using the Virtual Path Control Protocol (UDP port 4980).

Virtual Paths

All of the WAN paths between two specific CloudBridge Virtual WAN sites create the Virtual Path connecting those sites.

Figure 3 illustrates the relationship between the WAN paths and the Virtual Paths.

Figure 3. Relationship between the WAN paths and Virtual Paths


In the example illustrated above, there are two WAN paths connecting each branch to the main data center: one over MPLS, and one over the Internet. The combination of both WAN paths constitutes the Virtual Path between the data center and each branch site.

Virtual Paths are statically defined between the MCN and the client nodes when you initially configure the Virtual WAN. In this way, all benefits of the CloudBridge Virtual WAN solution are automatically delivered in the resulting hub-and-spoke Virtual WAN.

For branch-to-branch traffic, Dynamic Virtual Paths can be configured to provide bandwidth aggregation, seamless failover, and application awareness features, without requiring an extra hop over the MCN.

Virtual WAN Services

The ideal situation of having CloudBridge Virtual WAN nodes in all sites and application endpoints is not always possible, because some applications could be hosted in third-party environments on the Internet itself. However, in all cases, all active application flows consume WAN resources, and contend for bandwidth against one another in the Enterprise WAN. CloudBridge Virtual WAN is designed to manage available bandwidth across the WAN, assigning resources to each application according to its criticality. This is accomplished by means of the CloudBridge Virtual WAN Services. The Virtual WAN Services manage the provisioning, control, and tracking of all flows over the WAN.

There are four Virtual WAN Services, defined as follows:

• Virtual Path Service – This is traffic within the Virtual WAN. Such traffic originates and terminates in locations that have a CloudBridge Virtual WAN node (MCN or client), and is conveyed over static or dynamic Virtual Paths.
• Internet service – This is traffic traveling out to the public Internet. Traffic of this mode is not encapsulated. During times of contention, CloudBridge Virtual WAN actively manages bandwidth by rate-limiting Internet traffic relative to the Virtual Path and Intranet traffic as provisioned by the administrator.


• Intranet service – This is traffic that travels across a Virtual WAN node at only one end of the flow. This traffic is never encapsulated, and does not experience any of the solution benefits. CloudBridge Virtual WAN manages bandwidth only by rate-limiting this traffic relative to other services as specified in the provisioning configuration, during times of contention. Note that under certain conditions—and if configured—traffic between a pair of Virtual WAN appliances that ordinarily travels over a Virtual Path may instead be treated as Intranet traffic in order to maintain network reliability.
• Passthrough service – This is traffic not matching any of the categories above, or deemed not to be of interest. Note that Virtual WAN does not account for this traffic in terms of the bandwidth it uses.

All of the features and benefits of the CloudBridge Virtual WAN solution described above can be realized only in the context of Virtual Path Service traffic; hence the importance of installing CloudBridge Virtual WAN clients in as many application endpoints as possible, so that the traffic conveyed by the Virtual Path Service is maximized.

While the core features do not apply to the Intranet and Internet services, setting up those services correctly is highly important. CloudBridge Virtual WAN can then fully manage the WAN traffic, as these services coexist with the Virtual Path Service on the WAN, and contend for the same resources.

In normal L2 deployment mode, CloudBridge Virtual WAN operates as follows:

• For traffic intake, Virtual WAN behaves as a Layer 2 device.
• When sending packets out, Virtual WAN forwards (on a packet-by-packet basis) IP traffic matching the Virtual Path Services over the best available WAN link.
• Virtual WAN shapes traffic matching Intranet or Internet services to match provisioned bandwidth.
• Traffic not matching any defined services is bridged as Passthrough.
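The four-way service decision described above, written out as an added Python example. This is not Citrix code and not the appliance's actual classifier: it models the rules the guide states (Virtual Path for destinations at another Virtual WAN site, Intranet for private destinations outside the Virtual WAN, Internet for public destinations when an Internet service is provisioned, Passthrough otherwise) for LAN-to-WAN traffic at one site, and records the two properties the guide attaches to each service, whether the traffic is encapsulated and whether provisioning accounts for it. The site names, subnets, and the `SiteServices`, `Decision` and `classify` names are assumptions made for the example; the Virtual Path Control Protocol port (UDP 4980) comes from the guide.

```python
import ipaddress
from dataclasses import dataclass, field, replace
from typing import Optional

VPCP_UDP_PORT = 4980  # Virtual Path Control Protocol encapsulation port (from the guide)


@dataclass
class SiteServices:
    """Constructed per-site service configuration (not a Citrix configuration format)."""
    name: str
    local_subnets: list                       # LAN subnets behind this node
    virtual_path_sites: dict                  # remote site name -> subnets reachable over a Virtual Path
    intranet_subnets: list = field(default_factory=list)  # private destinations with no Virtual WAN node
    internet_service: bool = True             # whether an Internet service is provisioned here


@dataclass(frozen=True)
class Decision:
    service: str                  # "virtual_path" | "intranet" | "internet" | "passthrough"
    remote_site: Optional[str]    # set only for Virtual Path traffic
    encapsulated: bool            # only Virtual Path traffic is encapsulated (VPCP, UDP 4980)
    accounted: bool               # Passthrough traffic is not accounted for in provisioning


def _in_any(ip, subnets):
    return any(ip in ipaddress.ip_network(s) for s in subnets)


def classify(site: SiteServices, src: str, dst: str) -> Decision:
    """Classify one LAN-to-WAN flow at `site` into a Virtual WAN service."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    passthrough = Decision("passthrough", None, encapsulated=False, accounted=False)
    # Not originated on this site's LAN, or staying on it: not WAN traffic of interest, bridged.
    if not _in_any(src_ip, site.local_subnets) or _in_any(dst_ip, site.local_subnets):
        return passthrough
    # Destination behind another Virtual WAN node: Virtual Path Service, encapsulated.
    for remote, subnets in site.virtual_path_sites.items():
        if _in_any(dst_ip, subnets):
            return Decision("virtual_path", remote, encapsulated=True, accounted=True)
    # Private destination outside the Virtual WAN with an Intranet service defined: rate-limited only.
    if _in_any(dst_ip, site.intranet_subnets):
        return Decision("intranet", None, encapsulated=False, accounted=True)
    # Public destination with an Internet service provisioned: rate-limited only.
    if dst_ip.is_global and site.internet_service:
        return Decision("internet", None, encapsulated=False, accounted=True)
    # Anything else (including private destinations with no Intranet service) is Passthrough.
    return passthrough


# Constructed sample site: a branch with a Virtual Path to the data center and to one other branch.
BRANCH_1 = SiteServices(
    name="branch-1",
    local_subnets=["10.1.0.0/16"],
    virtual_path_sites={"datacenter": ["10.0.0.0/16"], "branch-2": ["10.2.0.0/16"]},
    intranet_subnets=["10.200.0.0/16"],
    internet_service=True,
)
# Same branch without an Internet service: public destinations fall through to Passthrough.
BRANCH_NO_INTERNET = replace(BRANCH_1, name="branch-3", internet_service=False)


if __name__ == "__main__":
    for dst in ("10.0.0.10", "10.200.1.1", "93.184.216.34", "10.1.0.9", "172.16.5.5"):
        print(dst, classify(BRANCH_1, "10.1.0.5", dst))
```

The last two sample destinations are the cases worth checking in a design review: LAN-local traffic and a private destination that no Intranet service covers both end up as Passthrough, which the guide says is neither shaped nor accounted for.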


Virtual WAN Service Provisioning

CloudBridge Virtual WAN Provisioning allows for allocating WAN resources to all defined services (Virtual Paths, Intranet, Internet), with very high granularity for all WAN links in the network. Provisioning constitutes the last step in the setup process, where the traffic engineering design for the Enterprise WAN is applied to the overlay Virtual Network.

In all WAN sites, the provisioning configuration ensures that in a fully-loaded WAN scenario, bandwidth is shared among all services in each WAN link according to design specifications.

To provide for highly granular, fair bandwidth provisioning, CloudBridge Virtual WAN enables you to specify bandwidth Shares. A Share is a configurable numeric value that allocates to each active service a fraction of the bandwidth considered fair for that service. During high WAN utilization periods, CloudBridge Virtual WAN makes best efforts to hold the specified fair bandwidth portion for each service.

In addition, you can define a minimum bandwidth for each service. CloudBridge Virtual WAN then guarantees that each service receives the specified minimum bandwidth.

Fair and minimum bandwidth are used to control traffic during congestion. They do not come into effect when traffic is light.
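To make the interaction between Shares, minimum bandwidth and congestion concrete, here is an added Python model of one WAN link's provisioning. It is not Citrix code and not the appliance's scheduler; the guide states only the three rules (minimums are guaranteed, the remainder is divided by Share, and neither applies while total demand fits the link), and the water-filling step below, which redistributes bandwidth a service cannot use to the services that still want it, is an assumption about how a fair-share scheduler typically resolves that. The service names, rates and the `ServiceProvisioning` / `allocate` names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class ServiceProvisioning:
    """Constructed provisioning entry for one service on one WAN link."""
    share: float        # relative fair Share (a configurable numeric value, per the guide)
    min_kbps: float     # guaranteed minimum bandwidth
    demand_kbps: float  # offered load right now (0 means the service is not active)


def allocate(link_kbps: float, services: dict) -> dict:
    """Return the bandwidth (kbps) each active service gets on a link of `link_kbps`."""
    active = {n: s for n, s in services.items() if s.demand_kbps > 0}
    for n, s in active.items():
        if s.share <= 0:
            raise ValueError(f"{n}: Share must be positive")
    # Light traffic: everyone gets what they ask for; Shares and minimums do not come into effect.
    if sum(s.demand_kbps for s in active.values()) <= link_kbps:
        return {n: float(s.demand_kbps) for n, s in active.items()}
    # Congestion, step 1: honour each service's guaranteed minimum (capped by its demand).
    alloc = {n: float(min(s.min_kbps, s.demand_kbps)) for n, s in active.items()}
    remaining = link_kbps - sum(alloc.values())
    if remaining < 0:
        # A planning error: the configured minimums alone oversubscribe the link.
        raise ValueError("minimum bandwidths oversubscribe the link")
    # Step 2: divide what is left by Share among services that still have unmet demand,
    # water-filling so that bandwidth a service cannot use flows to the others (assumed behaviour).
    unmet = {n for n in active if alloc[n] < active[n].demand_kbps}
    while remaining > 1e-9 and unmet:
        total_share = sum(active[n].share for n in unmet)
        fair = {n: remaining * active[n].share / total_share for n in unmet}
        saturated = [n for n in unmet if active[n].demand_kbps - alloc[n] <= fair[n]]
        if not saturated:
            for n in unmet:
                alloc[n] += fair[n]
            break
        for n in saturated:
            grant = active[n].demand_kbps - alloc[n]
            alloc[n] += grant
            remaining -= grant
            unmet.discard(n)
    return alloc


# Constructed example: a 10 Mbps WAN link with three services offering 16 Mbps of load.
LINK_KBPS = 10_000
SERVICES = {
    "virtual_path": ServiceProvisioning(share=60, min_kbps=3_000, demand_kbps=8_000),
    "intranet":     ServiceProvisioning(share=20, min_kbps=1_000, demand_kbps=2_000),
    "internet":     ServiceProvisioning(share=20, min_kbps=500,   demand_kbps=6_000),
}

if __name__ == "__main__":
    for name, kbps in allocate(LINK_KBPS, SERVICES).items():
        print(f"{name:13s} {kbps:8.0f} kbps")
```

In the constructed case the Intranet service's whole demand fits inside its fair portion, so it is satisfied first and the bandwidth it does not need is re-split between the Virtual Path and Internet services in their 60:20 ratio. Running the same services with demand below the link rate returns the demands unchanged, which is the "does not come into effect when traffic is light" rule.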

NOTE: For additional information regarding Virtual WAN provisioning, see the section entitled “Provisioning Guidelines” at the end of this guide.

Topology Deployment Options

This section describes topology options for inserting the data center (MCN) and branch (client) CloudBridge Virtual WAN nodes into your Enterprise network. The following two topology options are available for both node types:

• 1-arm
• In-line


To maximize the benefit of a CloudBridge Virtual WAN solution, the following general considerations apply to all topology scenarios:

• All traffic over the WAN in any direction should travel through the Virtual WAN MCN and clients.
• For both the Enterprise data center and branch sites, you should deploy the CloudBridge Virtual WAN nodes as the last network elements to process WAN traffic before the edge router.
• Virtual WAN nodes should also have full visibility of the links connecting each site to the WAN.

The following sections describe in detail the available topology options. All diagrams are logical. The same concepts should be mapped to concrete topologies at your Enterprise site.

1-Arm Topology

This topology requires modifications to routing tables. For this topology, you must define policy-based routing (PBR) rules in the corresponding routers for steering traffic to the Virtual WAN nodes. You should configure the PBR rules for the Enterprise data center and branches as follows:

• LAN to WAN direction: The Virtual WAN should be the last hop before forwarding traffic over the WAN, or to the Internet.
• WAN to LAN direction: The Virtual WAN should be the first hop after receiving WAN traffic from a remote site or from the Internet.

Figure 4 shows an example 1-arm topology.


Figure 4. Example 1-arm topology

In-line Topology

In an in-line topology, the Virtual WAN operates at Layer 2 between the WAN side and the LAN side. This topology is minimally intrusive to the incumbent network routing scheme. No modifications at the L3 level are required. The insertion requires L2 changes, which may result in rearrangement of the switch connections of routers, or the configuration of additional VLANs.

In in-line mode, the Virtual WAN receives traffic on the LAN side as an L2 device, and performs IP forwarding for traffic matching predefined services, as follows:

• Virtual Path is utilized for traffic going to other CloudBridge Virtual WAN sites.
• Intranet service is utilized for destinations within the private network outside the scope of the Virtual WAN.
• Internet service is utilized for traffic going out to the Internet.

For traffic that does not match any of the above, Virtual WAN acts as a bridge in the context of the Passthrough service.

In a multi-router scenario, Proxy ARP must be enabled.

Figure 5 depicts an in-line topology for WAN sites.


Figure 5. Example in-line topology

Gateway Mode

You can deploy Virtual WAN appliances in Gateway mode (L3), if this scenario befits your Enterprise network. In this case, you must fully insert the Virtual WAN nodes into the network routing scheme. This might require that you also configure static routes within the Virtual WAN solution.

The following section discusses the deployment of High Availability for Virtual WAN.


Deploying High Availability for Virtual WAN

This section discusses the deployment of High Availability (HA) and redundancy for CloudBridge Virtual WAN.

CloudBridge Virtual WAN supports High Availability configurations for both types of nodes in the CloudBridge Virtual WAN architecture. These are as follows:

• Master Control Node (MCN)
• Client node(s)

In general, CloudBridge Virtual WAN supports 1+1 redundancy for both node types. The following subsections provide an overview of High Availability configuration and deployment for each of the node types.

Master Control Node (MCN) High Availability

The Master Control Node (MCN) is the center of the Virtual WAN. The MCN provides configuration to the remote appliances (client nodes), and builds and maintains the status of all services in the Virtual WAN.

Only one active MCN can exist in the entire network. Due to its criticality in the Virtual WAN operation, High Availability for the MCN node is of utmost importance. To that end, the implementation of 1+1 redundancy is highly recommended for MCN nodes.

To implement Virtual WAN High Availability, you must configure a pair of MCNs to form an Active/Standby cluster:

• Both MCNs in an HA pair are configured and connected in the same way, as dictated by your deployment design.
• Configuration is mirrored across both MCNs.
• Each MCN has a unique set of Virtual IP Addresses.
• VIPs in both MCNs must be selected for health-check traffic.


Upon failure of the Active MCN, the Standby MCN takes control. After this transition, there is a period of convergence in which the Virtual WAN will be reestablished, and the backup MCN will rebuild the state of the Virtual WAN.

It is important to note that in the event of a failure of the active MCN, the underlying network infrastructure will not be affected. Therefore, the private WAN will continue to allow all sites in the network to access internal applications. In addition, Internet links will continue to allow Internet/cloud access in all sites.

However, during the transition period, the core Virtual WAN features are inactive until the Standby MCN becomes fully active. The most critical consequence is that the lack of bandwidth aggregation may cause temporary congestion on the MPLS links until the MCN is reestablished.

The following sections describe how MCN High Availability can be implemented for Virtual WAN topologies.

MCN High Availability in 1-Arm Topology

High Availability in a 1-arm topology requires policy-based routing (PBR) at the core router. PBR must be coupled with IP SLA, which is then used to determine which of the two MCNs is currently active.

Figure 6 illustrates the High Availability arrangement for a 1-arm topology.

Figure 6. MCN High Availability implemented in a 1-arm topology


MCN High Availability in a Parallel In-line Topology

The recommended High Availability configuration for an in-line topology is also simple and minimally intrusive to the routing tables in the network. Some changes to the L2 configuration are required for insertion of the two MCNs (two new VLANs).

The recommended High Availability configuration provides for the following:

• The active MCN bridges traffic between LAN and WAN sides.
• The standby MCN remains inactive and does not bridge any traffic until the active MCN fails.
• Fail-to-block interface configuration is required in both MCNs.
• No specific router configuration is required for L2 mode.

Figure 7 depicts an MCN High Availability configuration in a parallel in-line topology.

Figure 7. MCN High Availability in a parallel in-line topology

Geographically Distributed MCN High Availability Configuration

Geographically distributed High Availability enables one Virtual WAN client in the network to take over the MCN function in the event that the primary MCN fails. You can designate only one client node as the backup MCN. The designated client continues to function as a client node until the primary MCN fails.

This option may be useful for leveraging secondary data centers, or large branches in the Enterprise network that host on-premises application servers in normal operation.

Figure 8 illustrates a geographically distributed MCN High Availability configuration.


Figure 8. Geographically distributed MCN High Availability configuration

Deploying High Availability for Client Nodes

High Availability can be enabled and deployed for any Virtual WAN branch node or MCN in a site of any size. There are two ways to deploy redundancy for protecting sites connected by client nodes:

• Large sites: For large sites with client nodes—for example, headquarters, regional offices, and secondary data centers—1+1 redundancy is recommended to ensure uninterrupted operation of Virtual WAN.
• Smaller sites: For smaller sites, you can implement client redundancy by using a Fail-to-Wire or Fail-to-Block configuration in the client physical interfaces. This approach will ensure that even when the overlay Virtual WAN is down, underlying network connectivity is preserved, and applications will not be disrupted in the event of a Virtual WAN node failure. The exact configuration depends upon how the client node is inserted in the network of the remote site.

The following section discusses some of the Virtual WAN deployment options.


Virtual WAN Deployment Options

This section covers the deployment of CloudBridge Virtual WAN in different customer scenarios. The main factor to be considered is the size of the incumbent WAN on which CloudBridge Virtual WAN will be deployed. Each Virtual WAN node in the network can support up to 256 Virtual Paths, which gives rise to two basic scenarios, as follows:

• Small/Medium Enterprises, with fewer than 256 WAN sites
• Large Enterprises, with a total number of sites exceeding 256

The remainder of this section covers recommendations for deploying High Availability, branch-to-branch communication, and Internet and Intranet access in the scenarios mentioned above.

Small/Medium Enterprises

In this scenario, a single pair of MCNs is required for 1+1 redundancy. You can implement this using any of the topologies discussed in the previous sections.

L2 in-line is the recommended topology. It is minimally invasive, as it only requires two extra VLANs, and leaves incumbent routing tables unaffected.

The alternative 1-arm topology requires a new PBR and IP SLA routing configuration to detect MCN failure.

Figure 9 illustrates both the recommended and the alternative topology options.


Figure 9. In-line and 1-arm topologies for a small to medium Enterprise

Branch-to-Branch Traffic

In the small/medium Enterprise scenario, branch-to-branch traffic can be handled in either of the following ways:

• Permanent Virtual Paths for high traffic volume
• Dynamic Virtual Paths

The following section discusses the scenario for large Enterprises.

Large Enterprises

In a large Enterprise scenario, the total number of WAN sites exceeds 256. Therefore, several MCN pairs are required. To accommodate all sites, WAN Zones must be defined. Each WAN Zone is a group of WAN sites that can be referenced collectively by CloudBridge Virtual WAN.

Best practice is to define WAN Zones adhering to an existing IP addressing scheme, identifying groups of 256 sites with IP subnets that can be referenced by a single summary IP subnet.

P a g e | 23 Citrix CloudBridge Virtual WAN 8.1.0 Deployment Planning Guide

After you have defined the WAN zones and assigned them to an MCN pair, PBR is

required at the Enterprise data center for steering traffic to/from each zone to the

assigned MCN pair.

Figure 10 illustrates the logical deployment of CloudBridge Virtual WAN in N WAN

Zones, using a 1-arm topology.

Figure 10. Virtual WAN deployment in multiple WAN Zones in a 1-arm topology

Each zone here is referenced by a single summary IP subnet. The resulting PBR

routing table at the core router will have one entry per zone, which is as follows: for all

packets with a source OR destination IP Address matching the summary IP subnet of

Zone 1, forward traffic to the active MCN Z1.

Inter-Zone Traffic

In a zoned deployment, an MCN pair controlling a given zone is unaware of the existence of the other zones. As long as traffic flows are contained in the same zone, traffic will be transported using the Virtual Path Service, and therefore all of the benefits of the CloudBridge Virtual WAN solution will be in effect, whether over Permanent or Dynamic Virtual Paths.

For inter-zone traffic, special considerations are necessary to ensure optimal performance. The most common inter-zone traffic scenario is branch-to-branch interactive communication (Enterprise VoIP systems, Lync, Skype, and so forth). To avoid an unnecessary hop over the MCN, traffic of that sort should not be sent over a Virtual Path. Rather, it should be sent over Intranet services.

Intranet service is not mandatory, but is highly recommended. If Intranet service is not defined, IP traffic sent to IP Addresses outside the zone will be treated as Passthrough and will still reach its destination as expected. However, since the Virtual WAN does not account for Passthrough traffic in the provisioning scheme, it is highly recommended that you configure an Intranet service in all sites where inter-zone traffic is non-negligible. In that way, inter-zone traffic can be properly provisioned and taken into consideration.

NOTE: If incidents of high-volume branch-to-branch traffic are detected, a minor zone rearrangement may be necessary, so that the traffic can be handled by the same MCN and therefore transported over Virtual Path Services.

Example

In this example, we consider an Enterprise with 800 branches, with an average of 100+ users per branch. After reviewing the WAN and analyzing its IP addressing scheme, it was found that there are four IP subnets that summarize groups of 200 WAN sites each.

Figure 11 illustrates this scenario.

Figure 11. Example of an inter-zone traffic scenario

Thus, one WAN zone is defined for each of the four summary IP subnets. To implement the Virtual WAN, the following configuration is applied:

- Data center (MCN) site: One MCN node is deployed at the Enterprise data center to service each zone. PBR is configured at the core router to steer traffic to and from each zone to the corresponding assigned MCN node.
- Branch (client) sites: All client nodes in a given zone are configured to activate Intranet and Internet services.

The configuration for each MCN and branch site includes the following:

- Intranet service is defined, and one route is added for each of the three remaining zones, using the summary IP subnet for each zone. This is in order to take into account any inter-zone traffic, and enable provisioning for it.
- Internet service: each site is configured by specifying the Internet Link(s) for that site.
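As an added example (not part of the guide and not Citrix code), the following Python models the zone steering and service selection described above for the four-zone example. The zone subnets and MCN addresses are constructed, and in-order evaluation of the PBR entries is a modelling assumption.

```python
"""Zone-based PBR steering and per-site service selection for a zoned Virtual WAN.

Added illustration, not Citrix code. It models the core-router PBR rule from the
guide ("source OR destination matches a zone's summary subnet -> forward to that
zone's active MCN") and the service a branch node ends up using: Virtual Path
inside its own zone, Intranet when an Intranet route covers the destination,
otherwise Passthrough. Zone subnets and MCN addresses are constructed samples.
"""
import ipaddress
from typing import Dict, List, Optional

IPNet = ipaddress.IPv4Network

# Constructed example: four zones of ~200 sites, one summary subnet each,
# each steered to its own active MCN node (addresses are hypothetical).
ZONES: Dict[str, dict] = {
    "Zone1": {"summary": ipaddress.ip_network("10.16.0.0/12"), "active_mcn": "192.0.2.11"},
    "Zone2": {"summary": ipaddress.ip_network("10.32.0.0/12"), "active_mcn": "192.0.2.12"},
    "Zone3": {"summary": ipaddress.ip_network("10.48.0.0/12"), "active_mcn": "192.0.2.13"},
    "Zone4": {"summary": ipaddress.ip_network("10.64.0.0/12"), "active_mcn": "192.0.2.14"},
}


def zone_of(ip: str) -> Optional[str]:
    """Zone whose summary subnet contains ip, or None if ip is outside all zones."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, z in ZONES.items() if addr in z["summary"]), None)


def pbr_next_hop(src: str, dst: str) -> Optional[str]:
    """Core-router PBR table: one entry per zone, matched on source OR destination.

    Entries are assumed to be evaluated in order, so for inter-zone traffic the
    first zone listed decides which MCN sees the packet; keeping such traffic on
    the Intranet service avoids that extra hop over an MCN, as the guide advises.
    Returns None when neither address belongs to a zone (normal forwarding).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for z in ZONES.values():
        if s in z["summary"] or d in z["summary"]:
            return z["active_mcn"]
    return None


def intranet_routes_for_all_zones() -> Dict[str, List[IPNet]]:
    """Per the guide's example: each zone's sites get one Intranet route per
    remaining zone, using that zone's summary subnet."""
    return {z: [o["summary"] for n, o in ZONES.items() if n != z] for z in ZONES}


def select_service(site_zone: str, dst: str, intranet_routes: Dict[str, List[IPNet]]) -> str:
    """Service a branch node in site_zone uses for a flow to dst."""
    addr = ipaddress.ip_address(dst)
    if addr in ZONES[site_zone]["summary"]:
        return "virtual_path"   # same zone: transported by the Virtual Path Service
    if any(addr in net for net in intranet_routes.get(site_zone, [])):
        return "intranet"       # covered by an Intranet route: provisioned
    return "passthrough"        # reaches its destination, but is not provisioned


if __name__ == "__main__":
    routes = intranet_routes_for_all_zones()
    print(pbr_next_hop("10.17.0.1", "10.33.0.5"))        # 192.0.2.11
    print(select_service("Zone1", "10.50.1.1", routes))   # intranet
    print(select_service("Zone1", "10.50.1.1", {}))       # passthrough
```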

The following section discusses the deployment of Virtual WAN with CloudBridge WAN Optimization.

Deploying Virtual WAN with WAN Optimization

You can implement joint deployment of CloudBridge WAN Optimization and Virtual WAN technologies by inserting the Virtual WAN as shown in Figure 12.

Figure 12. Joint deployment of CloudBridge WAN Optimization and Virtual WAN

CloudBridge WAN Optimization Appliances are not aware of the Virtual WAN, and so traffic is processed by CloudBridge WAN Optimization as if the WAN consisted of one or more physical links managed by the core or edge routers.

The scenario depicted in the diagram above can be implemented using various topologies, a discussion of which is beyond the scope of this document. However, in all cases, the CloudBridge Virtual WAN nodes should observe the following rules:

- The Virtual WAN should be the last logical hop for packets sent over the private WAN (or to the Internet) before reaching edge routers and firewalls.
- The Virtual WAN should be the first logical hop for packets received by edge routers or firewalls coming from the private WAN (or the Internet).

As long as these rules are observed, the joint deployment of Virtual WAN and WAN Optimization can be implemented for a variety of topologies or combinations thereof. Both the Virtual WAN Appliances and the WAN Optimization Appliances can be deployed using either an in-line or a 1-arm topology. The choice as to which to use depends upon which best suits the specific characteristics of your Enterprise network. In any event, you must configure neighboring routers and switches to ensure that the Virtual WAN Appliances and WAN Optimization Appliances are chained correctly.

Figure 13 illustrates a pure in-line deployment of both Virtual WAN and WAN Optimization. The connection in this case is restricted to Layer 2; only the LAN switches would require configuring and patching.

Figure 13. Pure in-line deployment of Virtual WAN and WAN Optimization

Figure 14 shows an example 1-arm deployment.

Figure 14. Example 1-arm deployment

In this example, the core router must be configured to implement the appliance chaining configuration as shown, for traffic going out to the WAN (red) and coming in from the WAN (green). The following rules are required:

- Traffic must be forwarded to the Virtual WAN node in both directions, and PBR rules must be configured at the router.
- Traffic must be forwarded to the WAN Optimization node in both directions, and PBR or WCCP must be configured at the router.

The following section discusses the deployment of Virtual WAN with MPLS networks.

Deploying Virtual WAN with MPLS Networks

WAN links like MPLS implement channels to differentiate service levels into classes. Each class is differentiated within the IP packet stream by using the DSCP field in the IP packets. Applications mark outgoing TCP/IP traffic with a specific DSCP value, and routers map DSCP values in traffic flows to service levels.

The most commonly used DSCP values are as follows:

- Expedited Forwarding (EF): The EF channel is used by applications that are very sensitive to packet delay and delay jitter, but can tolerate some packet loss. Real-time applications such as Voice over IP are the primary users of the MPLS EF channel.
- Assured Forwarding (AF): With several sub-levels of expedition, Assured Forwarding (AF) is used by applications that are very sensitive to packet loss, but can tolerate some delay. Interactive applications like Citrix XenDesktop are the primary users of the different MPLS AF channels.

To deliver Differentiated Services, service providers typically engineer MPLS networks so that capacity is provisioned for each channel, and different queuing disciplines can be used in routers along the way.

An MPLS network can be thought of as multiple logical networks overlaid on the same physical link. Service providers charge differently for traffic using different DSCP tags, and correspondingly provide different Service Level Agreements (SLAs) to their customers for traffic sent through each DSCP channel. In most steady-state environments, MPLS EF/AF services work as designed, delivering the SLAs for which customers are paying. However, each channel can experience network issues individually (congestion, outages, etc.).

For example, excessive VoIP traffic due to an unexpected volume of telephone calls will directly result in a traffic surge on the EF channel, exceeding the maximum capacity the carrier is obliged to provide. Dropped calls and audio artifacts due to packet loss will follow.

CloudBridge Virtual WAN can substantially improve connection performance over an MPLS network by exploiting the fact that MPLS provides several logical WAN paths that the Virtual WAN solution can leverage. CloudBridge Virtual WAN can monitor the status of each MPLS channel, and decide for each packet which DSCP mark is best to use, regardless of what the original DSCP was. In the previous example, the excess EF traffic would be re-routed over an AF channel, thereby averting the congestion.

CloudBridge Virtual WAN can add substantial additional value if enabled to make routing decisions as to which DSCP value should be used to send packets through the MPLS network. With CloudBridge Virtual WAN, preserving DSCP tags will simply lead to a sub-optimal use of the MPLS infrastructure.

MPLS Deployment Example

In this example, CloudBridge Virtual WAN is explicitly configured to implement two WAN Paths over the MPLS circuit, as follows:

- One EF WAN Path, eligible for real-time traffic only
- One AF WAN Path, eligible for interactive and bulk traffic only

In this configuration, CloudBridge Virtual WAN has the flexibility to maximize application performance. Under normal network conditions, real-time traffic would be the primary user of the premium EF service. In case of congestion or failure of the EF WAN Path, CloudBridge Virtual WAN will choose an alternative WAN Path to maximize performance for VoIP, as well as for all applications that primarily use the EF WAN Path.

Figure 15 shows an example MPLS configuration for Virtual WAN.

Figure 15. MPLS configuration example
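The following Python is an added illustration, not Citrix code: it models the two-path MPLS configuration above, re-marking a real-time packet onto the AF path when the EF path is congested or down, and contrasts that with strict DSCP preservation. The 2% loss threshold, AF41 as the AF sub-level, and the fallback of interactive/bulk traffic onto the EF path are assumptions.

```python
"""Per-packet WAN Path choice over an MPLS circuit carrying an EF and an AF path.

Added illustration, not Citrix code. Two WAN Paths share one MPLS circuit: an EF
path eligible for real-time traffic only and an AF path eligible for interactive
and bulk traffic only. Each path carries a monitored state; when the path a class
normally uses is congested or down, the packet is sent on the other path and
re-marked with that path's DSCP, so the original mark is not preserved. The loss
threshold, the AF sub-level (AF41) and the symmetric fallback are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

DSCP_EF = 46     # Expedited Forwarding code point
DSCP_AF41 = 34   # Assured Forwarding class 4, low drop precedence (assumed sub-level)


@dataclass
class WanPath:
    name: str
    dscp: int                     # mark carried by packets sent on this path
    eligible: FrozenSet[str]      # traffic classes allowed under normal conditions
    loss_pct: float = 0.0         # latest measured loss from path monitoring (assumed metric)
    up: bool = True

    def healthy(self, max_loss_pct: float = 2.0) -> bool:
        return self.up and self.loss_pct <= max_loss_pct


def build_paths(ef_loss=0.0, ef_up=True, af_loss=0.0, af_up=True) -> List[WanPath]:
    """The guide's example configuration: one EF path, one AF path."""
    return [
        WanPath("MPLS-EF", DSCP_EF, frozenset({"realtime"}), ef_loss, ef_up),
        WanPath("MPLS-AF", DSCP_AF41, frozenset({"interactive", "bulk"}), af_loss, af_up),
    ]


def choose_path(traffic_class: str, paths: List[WanPath]) -> Optional[WanPath]:
    """Healthy path eligible for the class first; otherwise any healthy path
    (assumed fallback); None when every path is down or congested."""
    eligible = [p for p in paths if traffic_class in p.eligible and p.healthy()]
    if eligible:
        return eligible[0]
    return next((p for p in paths if p.healthy()), None)


def mark_packet(traffic_class: str, original_dscp: int, paths: List[WanPath],
                preserve_dscp: bool = False) -> dict:
    """Decide the path and the outgoing DSCP for one packet.

    preserve_dscp=True models strict DSCP preservation: the packet stays on the
    path carrying its original mark even when that path is degraded, which is
    the sub-optimal behaviour the guide's summary warns about.
    """
    if preserve_dscp:
        path = next((p for p in paths if p.dscp == original_dscp), None)
    else:
        path = choose_path(traffic_class, paths)
    if path is None:
        return {"path": None, "dscp": original_dscp, "remarked": False, "degraded": True}
    return {"path": path.name, "dscp": path.dscp,
            "remarked": path.dscp != original_dscp, "degraded": not path.healthy()}
```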

Summary

Although CloudBridge Virtual WAN can be configured to attempt preservation of DSCP markings, such strict preservation would hamper the operation of the Virtual WAN. At certain times, MPLS EF might not be the best path for sending VoIP traffic. As CloudBridge Virtual WAN has the most up-to-date and accurate status information for all defined paths, it will instantly learn about issues in the MPLS EF Path, and route traffic accordingly. CloudBridge Virtual WAN will then maximize application performance by finding the best alternate route.

The following section discusses some additional deployment considerations.

Additional Deployment Considerations

This section outlines details regarding routing, security, and firewall traversal that must be considered when configuring CloudBridge Virtual WAN. To facilitate the discussion, we will use the example environment illustrated in Figure 16.

Figure 16. Example environment

In this example environment, there is a third-party data center hosting some Enterprise applications, and branches that are connected to the Internet without a firewall (small sites).

Firewall Rules and NAT

In this scenario, for all Virtual WAN sites (both MCN and clients), you must configure each firewall to permit the Virtual Path Service to establish WAN paths through it, in order to leverage Internet connectivity.

To enable Internet WAN paths, the firewalls at both ends of a Virtual Path must have UDP port 4980 enabled in both the inbound and outbound directions. CloudBridge Virtual WAN uses UDP port 4980 by default, as both the source and destination port.

In addition, depending on the incumbent network architecture, NAT rules might be necessary to properly map the public Internet IP Addresses specified for both endpoints of the Internet WAN paths in the Virtual WAN configuration.

Deploying Branches without Firewalls

When configuring virtual interfaces on the CloudBridge Virtual WAN Appliances, an option is presented to declare each interface as Trusted or Untrusted.

Virtual WAN allows traffic of all types over trusted interfaces. Therefore, trusted interfaces can be used for all of the services Virtual WAN provides: Virtual Path, Intranet, Internet, and Passthrough.

On the other hand, untrusted interfaces can be used only for the Virtual Path Service, as the only allowable traffic through them consists of UDP 4980 (used by the Virtual Path Service) and ICMP (for diagnostics).

Combining the restrictions above with the fact that untrusted interfaces are security-hardened, the Virtual WAN can be deployed without a firewall in branches that do not require the Internet service for Web browsing or for accessing cloud applications. Small locations in certain industries may fit the Virtual WAN use case without a firewall.

Figure 17 on page 34 illustrates a scenario that includes a branch site without a firewall.

Deploying Intranet Services

As explained in previous sections, Intranet service must be activated in each location by adding a route for each WAN location outside the scope of CloudBridge Virtual WAN. The example in Figure 17 takes into consideration access to an application hosted in a third-party data center.

By adding Intranet routes within all locations using such applications, the Intranet Service can be properly provisioned. This then ensures that traffic generated by the applications receives the fair amount of resources assigned by the Network Administrator, and will not overly congest the WAN.

As Intranet services are always associated with specific routes, several of them can be defined and associated with different applications. The definition of multiple Intranet services is useful for more effective provisioning of WAN bandwidth for specific applications.

Completing Configuration by Adding Routes

CloudBridge Virtual WAN automatically builds an internal routing table that includes all of the VIPs configured in the system, as well as all available Internet links. However, the Virtual WAN does not automatically learn about adjacent subnets from routers. With the information you provide when you configure the Virtual WAN, the system is capable of building a routing table that covers the forwarding of traffic among VIPs, and out to the Internet. After initial configuration, the Internet service is the only service that is fully routable and properly configured for provisioning. To complete the configuration of the Virtual Path and the Intranet services, you must add more routes.

Further details about adding and configuring routes are provided below.

Local Access Routes

To complete the configuration of the Virtual Path Service and enable end-to-end connectivity throughout the Virtual WAN, you must configure manual routes in all locations to reach local data subnets. After you have done this, CloudBridge Virtual WAN then propagates the new route definitions to all nodes in the Virtual WAN.

Intranet Routes

Intranet routes are used for allowing Intranet services to be managed and provisioned, covering all traffic traveling to sites outside of the Virtual WAN. An Intranet route has no Gateway IP Address, but instead is associated with the Intranet service being activated. There can be multiple Intranet services, each associated with a WAN site or an application.

For each Intranet service, subnetworks and masks must be configured. For example, in the previous diagram, the Intranet service and associated routes should point to the third-party data center, as well as to the sites hosting the target applications that are not on the Virtual WAN.

For effectively controlling Intranet traffic across the Virtual WAN, you must define the Intranet service and route associated with each Virtual WAN node, and assign them to a private WAN Link.

Summary of Additional Deployment Considerations

Figure 17 shows all of the routes that must be added to our example environment, for proper routing and provisioning within the Virtual Path and Intranet services.

Figure 17. Example environment with routes added

The following section provides guidelines for provisioning bandwidth across your Virtual WAN.

Provisioning Guidelines

Provisioning allows for the bidirectional (Ingress/Egress) distribution of bandwidth for a WAN Link among the various services associated with that WAN Link. There are two steps to provisioning that provide for this bandwidth distribution in a simple and effective way. These are as follows:

- Provisioning groups (optional): Create and edit groups of bandwidth.
- Services: View and edit bandwidth settings for services within a bandwidth group.

The following sections discuss these concepts in more detail.

Provisioning Groups

A Provisioning Group is a container for an arbitrary collection of services on any given WAN Link. Groups allow the user to allocate bandwidth at a high level before drilling down to the individual services within the group for fine-tuning. They also provide a boundary for the automatic redistribution of bandwidth among the child services of the Provisioning Group.

You can use Shares to distribute the permitted bandwidth over groups, and over services within groups.

NOTE: Provisioning Groups are available to simplify the provisioning process, but are not required if they are not needed.

The total number of Shares is unrestricted, enabling you to configure any amount of granularity or precision when allocating bandwidth among the different groups and services.

Fair Shares

In the Provisioning configuration, Shares are used to distribute the WAN-to-LAN/LAN-to-WAN bandwidth, which is the Permitted Rate minus the total Minimum Reserved Bandwidth of all services on the WAN Link. All services are initially assigned to a default group that is allocated all of the eligible bandwidth. You can create additional groups and allocate bandwidth to their members by specifying some number of Fair Shares for the group.

All services receive their specified Minimum Reserved Bandwidth allocation before Fair Share distribution. This can result in groups with equal Fair Shares having disparate Fair Rates. Fair Rates can also be affected by Service Maximums, if defined.
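As an added worked example (not from the guide and not Citrix code), the following Python carries the Fair Share arithmetic through for a constructed 10 Mbps WAN Link: minimums first, then shares across two groups with equal Fair Shares, with one Service Maximum in play. The share-proportional split and the in-group redistribution of what a capped service cannot use are modelling assumptions.

```python
"""Provisioning arithmetic for one WAN Link (added worked example, not Citrix code).

Assumed model: eligible bandwidth = Permitted Rate minus the sum of every service's
Minimum Reserved Bandwidth; it is split across Provisioning Groups by group shares,
then across each group's services by service shares; bandwidth a capped service
cannot use is re-split within its own group only. Rates in kbps, values constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Service:
    name: str
    min_reserved: int              # kbps guaranteed before any Fair Share split
    shares: int                    # Fair Shares within the group
    maximum: Optional[int] = None  # Service Maximum (cap on the total rate), if defined

@dataclass
class Group:
    name: str
    shares: int                    # Fair Shares of this group on the WAN Link
    services: List[Service]

def distribute_within_group(pool: int, services: List[Service]) -> Dict[str, int]:
    """Water-fill `pool` over the group's services by shares; a service that reaches
    its Service Maximum drops out and the leftover is re-split among the remaining
    services of the same group. Returns the total rate (min + fair) per service."""
    rates = {s.name: s.min_reserved for s in services}
    active = [s for s in services if s.shares > 0]
    while active and pool > 0:
        total_shares = sum(s.shares for s in active)
        still_active, used = [], 0
        for s in active:
            grant = pool * s.shares // total_shares
            if s.maximum is not None:
                grant = min(grant, max(s.maximum - rates[s.name], 0))
            rates[s.name] += grant
            used += grant
            if s.maximum is None or rates[s.name] < s.maximum:
                still_active.append(s)
        if len(still_active) == len(active):
            break                  # nobody hit a cap: the pool is spent (up to rounding)
        active, pool = still_active, pool - used
    return rates

def provision(permitted_rate: int, groups: List[Group]) -> Dict[str, int]:
    """Fair Rate (kbps) of every service on a WAN Link with the given Permitted Rate."""
    eligible = permitted_rate - sum(s.min_reserved for g in groups for s in g.services)
    if eligible < 0:
        raise ValueError("total Minimum Reserved Bandwidth exceeds the Permitted Rate")
    total_group_shares = sum(g.shares for g in groups)
    rates: Dict[str, int] = {}
    for g in groups:
        group_pool = eligible * g.shares // total_group_shares
        rates.update(distribute_within_group(group_pool, g.services))
    return rates

# Constructed example: a 10 Mbps link, two groups with equal shares, one capped service.
EXAMPLE_GROUPS = [
    Group("default", 1, [Service("VirtualPath", 2000, 3), Service("Internet", 1000, 1)]),
    Group("intranet", 1, [Service("Intranet-ThirdParty", 500, 1, maximum=1500),
                          Service("Intranet-Zones", 500, 1)]),
]
```

With the constructed numbers, both groups get 3000 kbps of eligible bandwidth, yet the default group ends up with 6000 kbps in total and the intranet group with 4000 kbps, because the minimums were handed out first; the 1500 kbps cap on Intranet-ThirdParty pushes its unused share onto Intranet-Zones rather than onto the other group.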


Recommended