NetScaler SD-WAN Best Practices

Article ID: CTX233911

Description

Purpose and Scope

This article provides best practices to follow when the NetScaler SD-WAN solution is designed, planned, and deployed in your network.



Network Infrastructure Design and Configuration

Verifying ISP Link Health

For new deployments, before SD-WAN is deployed, and whenever a new ISP link is added to an existing SD-WAN deployment, verify the link type (such as MPLS, ADSL, or 4G) and the network characteristics: bandwidth, loss, latency, and jitter. Record these characteristics; they determine how the link should be configured in SD-WAN for your requirements.

Network Topology

It is commonly observed that some network traffic bypasses the SD-WAN appliances while still using the same underlying link that is configured in the SD-WAN network. Because SD-WAN then has no complete visibility into link utilization, it can oversubscribe the link, leading to performance and path issues.


Configuring Firewall

The following common issues can be identified by verifying the upstream router and firewall configuration:
  • MPLS queues/QoS settings: Verify that the UDP-encapsulated traffic between SD-WAN Virtual IP addresses does not suffer because of QoS settings on intermediate appliances in the network.
  • All traffic on the WAN links configured on SD-WAN should be processed by SD-WAN using the right “service”: Virtual Path, Internet, Intranet, or Local.
  • If traffic has to bypass SD-WAN and use the same underlying link, reserve adequate bandwidth for SD-WAN traffic on the router, and configure the link capacity in the SD-WAN configuration accordingly.
  • Verify that the intermediate router/firewall does not enforce any UDP flood and/or PPS limits. Such limits throttle the traffic sent through the Virtual Path, which is UDP encapsulated.



NetScaler SD-WAN Configuration

Configuring Links

  • Configure the “Permitted” and “Physical” rate as the actual WAN link bandwidth. When the entire WAN link capacity is not supposed to be used by SD-WAN, reduce the “Permitted” rate accordingly.
  • If you are unsure of the actual link bandwidth, you can enable the “Auto Learn” feature. “Auto Learn” measures the underlying link capacity only once and uses that value from then on.
  • If the underlying link is not stable and does not guarantee a fixed bandwidth (for example, 4G links), use the “Adaptive Bandwidth Detection” feature.
  • It is not recommended to enable “Auto Learn” and “Adaptive Bandwidth Detection” on the same WAN link.
  • If the underlying link is not stable, change the path settings:
    • Loss settings
    • Instability Sensitive (disable it)
    • Silence time
  • Use the Diagnostic tool to check the link health/capacity.
  • When SD-WAN is deployed in one-arm mode, make sure that you do not overrun the physical capacity of the underlying link.
  • If NetScaler SD-WAN is on a WAN link that shares bandwidth with a non-SD-WAN workload (traffic that does not go through the Virtual Path), configure the firewall or router so that it provides a set bandwidth for SD-WAN use and for the competing traffic.
  • Configure NetScaler SD-WAN with the adjusted bandwidth speed.
  • NetScaler SD-WAN significantly backs off its usage of a WAN link when packets are dropped because the link is overutilized.
 

Configuring Routing

Internet/Intranet Routing Service

When the Internet service is not configured for Internet-bound traffic, and instead either a “Local” route or a “Passthrough” route is configured to reach the gateway router, the router uses the same WAN links that are configured on the SD-WAN appliance, which leads to link oversubscription.

When an Internet route is configured as “LOCAL” at the MCN, all branch SD-WAN sites learn it and, by default, install it as a “Virtual Path Route”. As a result, Internet-bound traffic at a branch appliance is routed through the Virtual Path to the MCN.

Routing precedence

  • Prefix Match: Longest prefix match
  • Service: Local, Virtual Path service, Internet, Intranet, Passthrough
  • Route Cost

Routing asymmetry

Ensure that there is no routing asymmetry in the network (that is, the SD-WAN appliance carries a flow's traffic in only one direction). Asymmetry causes problems for firewall connection tracking and Deep Packet Inspection.


Provisioning

  • By default, all branches and WAN services (Virtual Path/Internet/Intranet) receive an equal share of the bandwidth.
  • Modify the provisioning shares if there is a high disparity in bandwidth requirement or availability between the connecting sites.
  • If Dynamic Virtual Paths (DVPs) are enabled between the maximum number of available sites, the WAN link capacity is shared between the static Virtual Path to the DC and the DVPs.

Configuring QoS

  • Understand the traffic patterns and requirements. You may have to observe the “QoS class statistics” and modify queue depths and/or change the default QoS class share percentages to avoid the tail drops shown in the QoS statistics.
  • For ease of configuration, an entire subnet is sometimes added to a Rule instead of creating Rules for the specific application IP addresses. This incorrectly maps all traffic in the subnet to one Rule, and therefore to the QoS class associated with that Rule, which can lead to tail drops and/or poor application performance and user experience.
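The tail-drop effect described above, as an added worked example written for this article (it is not NetScaler SD-WAN code and does not model the appliance's scheduler). It is a deliberately simple per-tick, class-based queue model: the link rate of 100 pps, the class names realtime/interactive/bulk, the share percentages, queue depths and the two constructed flows (a 20 pps interactive application and a 35 pps bulk transfer on one branch subnet) are all assumptions. Scenario A places the whole subnet in one Rule, so both flows land in the interactive class; scenario B uses a Rule per application; scenario C keeps the single Rule but raises the interactive class share, the remedy the article suggests.

```python
# Added example (not NetScaler SD-WAN code): a simplified per-class queue model
# showing why putting a whole subnet into one Rule (and hence one QoS class)
# produces tail drops, and how changing the class share avoids them. Link rate,
# class names, shares, queue depths and offered loads are constructed values.

def simulate(classes, ticks=10, link_pps=100):
    """Fluid model of class-based queuing with tail drop.

    classes: name -> {"share": percent of link, "depth": max backlog in packets,
                      "offered": packets arriving per tick}
    Each tick a class may send link_pps * share / 100 packets; any backlog left
    above the class's queue depth after serving is tail-dropped.
    Returns name -> {"sent": n, "tail_dropped": n}.
    """
    backlog = {name: 0 for name in classes}
    stats = {name: {"sent": 0, "tail_dropped": 0} for name in classes}
    for _ in range(ticks):
        for name, c in classes.items():
            budget = link_pps * c["share"] // 100
            queued = backlog[name] + c["offered"]
            served = min(budget, queued)
            remaining = queued - served
            dropped = max(0, remaining - c["depth"])
            backlog[name] = remaining - dropped
            stats[name]["sent"] += served
            stats[name]["tail_dropped"] += dropped
    return stats


def total_dropped(stats):
    """Sum of tail drops across all classes."""
    return sum(s["tail_dropped"] for s in stats.values())


# Constructed traffic from one branch subnet: a 20 pps interactive application
# and a 35 pps bulk file transfer share the same subnet.
INTERACTIVE_PPS, BULK_PPS = 20, 35

# Scenario A: one Rule for the whole subnet maps both flows into the interactive class.
ONE_RULE_FOR_SUBNET = {
    "realtime":    {"share": 30, "depth": 20,  "offered": 10},
    "interactive": {"share": 30, "depth": 50,  "offered": INTERACTIVE_PPS + BULK_PPS},
    "bulk":        {"share": 40, "depth": 100, "offered": 0},  # its 40% sits idle
}

# Scenario B: a Rule per application puts each flow into the right class.
RULE_PER_APPLICATION = {
    "realtime":    {"share": 30, "depth": 20,  "offered": 10},
    "interactive": {"share": 30, "depth": 50,  "offered": INTERACTIVE_PPS},
    "bulk":        {"share": 40, "depth": 100, "offered": BULK_PPS},
}

# Scenario C: the single-Rule layout kept, but the interactive class share raised
# (the "change the class share percentage" remedy from the article).
ONE_RULE_SHARE_ADJUSTED = {
    "realtime":    {"share": 30, "depth": 20,  "offered": 10},
    "interactive": {"share": 60, "depth": 50,  "offered": INTERACTIVE_PPS + BULK_PPS},
    "bulk":        {"share": 10, "depth": 100, "offered": 0},
}

if __name__ == "__main__":
    for label, classes in (("one rule for subnet", ONE_RULE_FOR_SUBNET),
                           ("rule per application", RULE_PER_APPLICATION),
                           ("one rule, share adjusted", ONE_RULE_SHARE_ADJUSTED)):
        stats = simulate(classes)
        print(f"{label:>26}: {stats}  total tail drops = {total_dropped(stats)}")
```

With these constructed numbers, scenario A fills the interactive queue within two ticks and then tail-drops 25 packets per tick while the bulk class's 40% of the link sits unused; scenarios B and C drop nothing. Raising only the queue depth in scenario A postpones the drops rather than removing them, because the offered load stays above the class share; that is why the article pairs queue-depth changes with share-percentage changes.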


Deployment Specific

Troubleshoot issues specific to the type of deployment (Inline, One Arm Mode, Gateway Mode, and so on):
  • Make sure VLAN IDs are set correctly on all the interfaces. A VLAN ID mismatch leads to packet drops.
If Intranet/Internet services are not created:
  • By default, all traffic that cannot be routed through the VPS (Virtual Path Service) hits the “Passthrough Service”.
  • In “Inline” mode, “Passthrough” traffic is not subjected to QoS and is treated as fail-to-wire (FTW) traffic.
  • In Gateway Mode (Virtual Inline mode), Passthrough traffic is dropped by default. Make sure Internet/Intranet services are created appropriately.
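The route-selection order listed under “Routing precedence” (longest prefix match, then service, then route cost) and the passthrough behaviour for the two deployment modes described just above, modelled together as an added Python example. This is illustration code written for this article, not NetScaler SD-WAN's implementation: the route tables, the default cost value of 5, the mode labels `inline` and `gateway`, and the return strings `DROP` and `PASSTHROUGH` are assumptions. The first table also reproduces the case from the routing section where the MCN's “LOCAL” Internet route is learnt at the branch as a Virtual Path route.

```python
# Added example (not NetScaler SD-WAN code): models the route-selection order
# the article lists (longest prefix match, then service, then route cost) and
# the passthrough fallback per deployment mode. All routes, costs and mode
# labels below are constructed for illustration.
import ipaddress
from dataclasses import dataclass

# Service precedence as listed in the article; lower index wins on equal prefix length.
SERVICE_PRECEDENCE = ["Local", "Virtual Path", "Internet", "Intranet", "Passthrough"]


@dataclass(frozen=True)
class Route:
    prefix: str    # e.g. "10.1.0.0/16"
    service: str   # one of SERVICE_PRECEDENCE
    cost: int = 5  # assumed default cost; lower is preferred

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix, strict=False)


def select_route(routes, dst_ip):
    """Return the winning Route for dst_ip, or None if nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    # Sort key: longest prefix first, then service precedence, then lowest cost.
    return min(
        candidates,
        key=lambda r: (-r.network.prefixlen, SERVICE_PRECEDENCE.index(r.service), r.cost),
    )


def forward(routes, dst_ip, mode):
    """Describe how a packet to dst_ip is handled; mode is 'inline' or 'gateway' (assumed labels)."""
    route = select_route(routes, dst_ip)
    if route is None or route.service == "Passthrough":
        # No VPS/Internet/Intranet route: the traffic falls to the Passthrough service.
        if mode == "gateway":
            return "DROP"         # dropped by default in Gateway (virtual inline) mode
        return "PASSTHROUGH"      # forwarded without QoS in Inline mode
    return route.service


# Constructed branch table: the MCN's "LOCAL" Internet route arrives at the branch
# as a Virtual Path route, so Internet-bound traffic is sent over the Virtual Path
# to the MCN.
BRANCH_ROUTES = [
    Route("0.0.0.0/0", "Virtual Path"),       # learnt from the MCN
    Route("10.0.0.0/8", "Virtual Path"),      # other sites
    Route("10.1.0.0/16", "Local"),            # this branch's LAN
    Route("192.168.50.0/24", "Internet"),     # same prefix, two services:
    Route("192.168.50.0/24", "Intranet"),     #   service precedence decides
    Route("172.16.0.0/12", "Internet", 10),   # same prefix, different costs:
    Route("172.16.0.0/12", "Intranet", 1),    #   service is compared before cost,
    Route("172.16.0.0/12", "Intranet", 5),    #   so the cost-10 Internet route wins
]

# Constructed branch table with no Internet/Intranet service configured:
# anything outside the Virtual Path prefixes falls to Passthrough.
BRANCH_NO_SERVICES = [
    Route("0.0.0.0/0", "Passthrough"),
    Route("10.0.0.0/8", "Virtual Path"),
    Route("10.1.0.0/16", "Local"),
]

if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.2.0.1", "192.168.50.7", "172.16.4.4", "8.8.8.8"):
        r = select_route(BRANCH_ROUTES, ip)
        print(f"{ip:>14} -> {r.service} ({r.prefix}, cost {r.cost})")
    for mode in ("inline", "gateway"):
        print(f"no services, {mode}: 203.0.113.9 -> {forward(BRANCH_NO_SERVICES, '203.0.113.9', mode)}")
```

Two lookups in the first table show the ordering: 192.168.50.7 matches two routes of equal prefix length, and the Internet route wins because service is compared before cost; 172.16.4.4 picks the cost-10 Internet route over the cost-1 Intranet route for the same reason. The second table shows the deployment-mode difference: with no Internet/Intranet service, a packet to 203.0.113.9 is passed through in Inline mode but dropped in Gateway mode.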
