
Netscaler SD-WAN - Shuttle for "Network Factory"

Not so long ago, I wrote a post about SD-WAN in which I tried to explain the essence of this technology and its pros and cons. Now let's talk about one of the solutions designed to build software-defined networks (SDN) between the enterprise and the cloud data center, as well as between the central and remote offices of the enterprise. It becomes especially relevant when expanding the bandwidth of an existing WAN takes weeks, if not months, and organizing an additional WAN channel is difficult and requires significant investment, since carrier channels are quite expensive. Details below.


1. Why do you need SD-WAN?


Geographically distributed corporate WANs (Wide Area Networks) are required by companies with several data centers and a large number of branches and points of sale, whether within a single city, across the country or around the world. However, physical dedicated lines for them cost more and more (even when rented from operators), and sometimes this approach is simply impossible. Typically, such dedicated connections are built with VPN (Virtual Private Network) technologies over the Internet, as well as carrier channels with multi-protocol label switching, MPLS (Multi-Protocol Label Switching).

However, networks based on them are static in nature. Their topology cannot be changed on the fly, and creating a new VPN requires a lot of configuration work.

This is where SDN (Software Defined Network) technology comes to the rescue. It can be described as "brain removal", not because it is complex (it is not that difficult), but because in SDN the "brains" (the control plane, Control Plane) of the network elements (routers, firewalls, border controllers, etc.) are actually moved up a level. In a traditional network each network element decided for itself which port to send the next packet to, and was divided into two planes: control (Control Plane) and data transfer (Data Plane). In SDN the control plane is separated from the network elements: the Control Plane on the SDN controller decides where the next packet goes, and the Data Plane in the network element only forwards packets from input to output according to the settings received from the controller. This makes it possible to change the topology and create new VPNs remotely and quickly, without "courtesy visits" to each network element separately.
Initially, SDN was meant to work inside a single data center. To connect data centers (DCI, Data Center Interconnect), or to connect the local network of a remote branch to the main data center, a new solution was needed: Software Defined WAN (SD-WAN), which makes more efficient use of WAN channels by flexibly redistributing traffic between different network connections.

SD-WAN is not so much a technology as a different approach to designing and deploying a global enterprise network, one that uses SDN as the most efficient way to route and manage traffic.

Traditionally, WANs were created like this:

Figure 1.1. Traditional WAN architecture.

Such a network works stably and well until excavator driver uncle Vasya cuts the operator's cable with his bucket, the 3G / LTE network gets overloaded, or something else unexpected happens. In that case, restoring normal operation of the enterprise may take a long time.
To insure against such surprises, you need SD-WAN:


Figure 1.2. SD-WAN architecture.

In SD-WAN, traffic can be controlled centrally by the SDN controller software. VPNs can now be created very quickly, and configured and scaled flexibly. Several previously separate connections are combined by the SD-WAN controller into a single "virtual network". The network administrator at the head office no longer needs to travel to a remote branch (or hire another administrator there). Everything can now be done quickly from the SD-WAN controller's location, minimizing or completely eliminating manual configuration of remote network devices.

SD-WAN makes it possible to more efficiently use expensive MPLS channels leased from a telecom operator by sending low-priority traffic flows through cheaper channels of the public Internet.

Therefore, there are three main advantages that can motivate an organization to switch to SD-WAN:

  1. Convenience of building a distributed branch network. An SD-WAN solution between data centers and cloud service providers is easy to deploy and administer. You no longer need to send IT staff on business trips to configure each network device.
  2. The ability to use a hybrid network. Many companies' branches are already connected via MPLS. These channels can be kept, with low-cost Internet channels added alongside them and traffic policies set so that the expensive MPLS is used very sparingly, only for priority services such as corporate VoIP (Voice over IP) or other business-critical telephony applications. And if the Internet channel's bandwidth and quality are good enough, all traffic can be sent over ordinary broadband networks, including 3G / LTE.
  3. Automatic traffic management. SD-WAN lets you set priorities for various types of traffic and channels and quickly redirect traffic flows between channels as the parameters of the network connections change.

2. How to build SD-WAN on NetScaler?


Companies actively centralizing their IT infrastructure very often use the following services: virtualization of workstations, VDI (Virtual Desktop Infrastructure) and / or terminal services, within which critical business applications run; voice communication over an IP network, VoIP (Voice over IP); and video conferencing. Failure or poor performance of any of them slows down the enterprise's business processes.

NetScaler's SD-WAN solution can improve the quality and performance of services that are latency-sensitive, such as VoIP, or that require large bandwidth, such as video conferencing through VDI.

Consider a typical scheme for connecting a remote office's corporate network to a data center. Primary traffic, including critical applications, goes over a high-speed dedicated MPLS channel. One or two more routes can be set up over broadband Internet access as a backup for the main channel.


Figure 2.1. Backup channels in a traditional WAN.

It would seem a good scheme. However, it is not so good.

Firstly, there will always be a lot of unused bandwidth in MPLS, because the connections are static (and the channel is expensive). On the other hand, when the MPLS bandwidth is saturated, it is not so easy to move some traffic to broadband access; manual administrator intervention is required. And expanding the existing dedicated channel is not always possible.

Secondly, restoring a "fallen" channel may take seconds or even minutes. During that time, user applications will not respond to requests, all current active sessions may need to be re-established, and for ordinary client-server applications not running in a VDI or terminal server environment, unconfirmed transactions will have to be rolled back. Clearly, the normal course of the enterprise's processes will be disrupted.

Thirdly, after an emergency failover to backup channels, the performance of critical business applications can decline seriously, since all other applications will also use these channels. The percentage of packet loss in VoIP will increase (lowering voice quality), video conferences will suffer interference, and VDI applications will slow down considerably.

Fourthly, connecting additional branches can be quite expensive, because new devices (routers, firewalls, etc.) have to be bought. This increases the cost of ownership of the branch network, adds work for service personnel and makes it necessary to expand the IT department's staff. Travel expenses will also increase.

Fifthly, administering such a network is quite complicated and time consuming. Each application's traffic must be configured on its route. If a route to a remote office takes more than one "hop" between routers, and even passes through different types of networks, it is difficult to maintain quality of service (QoS) and difficult to monitor such a route.

All the listed problems multiply as the number of branches grows, and with it the number of communication channels between them and the data center(s). Adding cloud applications to this scheme complicates the situation further.

2.1 Measuring and monitoring network routes


NetScaler SD-WAN controllers measure packet transmission times, jitter and loss percentage. This data is used to automatically select the most appropriate routes for different flows and types of traffic.


Figure 2.2. Adding tags to WAN traffic to create a route map in NetScaler SD-WAN.

The Citrix solution selects the best routes for different types of connections to ensure the best possible quality when transmitting various types of traffic over the WAN. The system can automatically determine the "fingerprint" of more than 4000 different applications. The NetScaler devices in the center and at the remote site create a "map" of the available WAN routes between the sites. The map includes data on performance and quality, as well as the "cost" of each route. When an application initiates a session, the NetScaler SD-WAN controller on the sending side selects a route based on a set of several metrics, taking into account "application importance" and "channel cost", or several such routes if one is not enough.

However, the quality of a route may change over time. The NS SD-WAN controller on the source side adds a tag to each packet that passes through it. The controller on the receiving side reads these tags and records the packet's transit time over the network, and also analyzes the packet sequence to obtain information on packet loss, jitter and other parameters of this route. It also makes this information available to the other SD-WAN devices on the network, which constantly update their "maps" with it in order to select the best paths based on current data.
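As an added illustration (not NetScaler's code or configuration), the following shows how a receiver can derive delay, jitter and loss from sender tags, and how a per-class weighted route choice could be made from such a map. The class weights, the `Tagged` record and the sample packets are constructed assumptions for the example.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed example: every packet carries the sender's tag (sequence number and
# send timestamp); the receiver records its own arrival time. All times are ms.
@dataclass
class Tagged:
    seq: int
    sent_ms: float
    recv_ms: float

@dataclass
class PathStats:
    delay_ms: float   # mean one-way transit time
    jitter_ms: float  # mean change in transit time between consecutive packets
    loss: float       # fraction of sent packets that never arrived

def measure(received: list[Tagged], sent_count: int) -> PathStats:
    """Derive delay, jitter and loss for one WAN path from its tagged packets."""
    received = sorted(received, key=lambda p: p.seq)          # restore send order
    delays = [p.recv_ms - p.sent_ms for p in received]
    steps = [abs(b - a) for a, b in zip(delays, delays[1:])]
    jitter = mean(steps) if steps else 0.0
    return PathStats(mean(delays), jitter, 1 - len(received) / sent_count)

# Per-class weights are assumed values for illustration, not NetScaler's policy:
# real-time traffic is punished for delay/jitter/loss, bulk mostly for channel cost.
WEIGHTS = {
    "real-time":   {"delay": 1.0,  "jitter": 2.0, "loss": 500.0, "cost": 0.1},
    "interactive": {"delay": 0.5,  "jitter": 1.0, "loss": 200.0, "cost": 0.5},
    "bulk":        {"delay": 0.05, "jitter": 0.1, "loss": 50.0,  "cost": 5.0},
}

def score(stats: PathStats, cost: float, traffic_class: str) -> float:
    w = WEIGHTS[traffic_class]
    return (w["delay"] * stats.delay_ms + w["jitter"] * stats.jitter_ms
            + w["loss"] * stats.loss + w["cost"] * cost)

def select_route(paths: dict[str, tuple[PathStats, float]], traffic_class: str) -> str:
    """Pick the path (name -> (stats, cost)) with the lowest score for this class."""
    return min(paths, key=lambda n: score(paths[n][0], paths[n][1], traffic_class))

# Constructed sample: 10 packets sent every 20 ms over each path. MPLS is steady
# (15 ms, no loss, cost 10); Internet alternates 30/35 ms and lost seq 5 (cost 1).
MPLS = [Tagged(i, i * 20.0, i * 20.0 + 15.0) for i in range(10)]
INET = [Tagged(i, i * 20.0, i * 20.0 + 30.0 + (5.0 if i % 2 else 0.0))
        for i in range(10) if i != 5]
PATHS = {"mpls": (measure(MPLS, 10), 10.0), "internet": (measure(INET, 10), 1.0)}
```

With these weights, real-time traffic lands on the MPLS path and bulk traffic on the cheaper Internet path, which is the trade-off the map is meant to make.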

2.2 Disaster Recovery


NetScaler SD-WAN can quickly re-establish connectivity after a failure. For example, if the MPLS channel is overloaded or not responding to requests, the receiver quickly detects that packets are missing from the stream and, within a few milliseconds, moves the current sessions to the best remaining WAN routes. Users will not notice any interruption in the current call.

2.3 Alternative to traditional use


NetScaler SD-WAN is also more economical than traditional DCI methods. Of course, broadband channels or the mobile network may also suffer quality degradation, but it is very unlikely that quality will fall on all channels at once. NetScaler SD-WAN can dynamically move traffic, per packet, to the best available channel, so the overall quality of the stream is no worse than with static use of carrier MPLS. This is especially true considering that expanding the bandwidth of a regular WAN takes weeks, if not months, not to mention the cost of expanding dedicated channels.

2.4 Prioritization of traffic and QoS


Another important advantage of NetScaler SD-WAN is assigning a priority level to traffic and the possibility of granular quality of service (QoS) management depending on the specific application. By default, the NetScaler settings can "lay out" applications in three main categories: real-time, interactive and bulk. If greater precision is required, relative priorities can be set on factors such as IP address, DSCP tag, or source or destination port.
For example, voice traffic in business sessions can be given the highest priority relative to other applications, or the same quality as real-time applications such as video conferencing or VDI, or critical enterprise business applications.

2.5 Duplication of packets


If you want to ensure the highest possible availability of a service, you can use the "packet duplication" function for a "business critical" application, which sends two copies of each packet along mutually independent routes. Quality of service depends, among other things, on the percentage of packet loss, and with duplication this percentage will be almost zero.


Figure 2.3. Duplication of packets in NetScaler SD-WAN.

The receiving-side controller uses the first packet received and ignores the second one. Of course, packet duplication needs additional bandwidth, but in return excellent quality is achieved, for example for voice, by using the fastest channel. In addition, the network component of business applications becomes highly reliable, since the probability that both packets will be lost on both channels is extremely low.
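An added example, not from the page or from Citrix, of the receiving side's first-copy-wins logic described above: the sender model, the two constructed loss patterns and the bounded duplicate window are assumptions made for the illustration, and show that only a packet lost on both paths is lost end to end.

```python
# Constructed example: the sender tags each packet with a sequence number and sends
# one copy over every path; each arrival is (seq, path, arrival time in ms).
Arrival = tuple[int, str, float]

def duplicate_send(sent_count: int, path_delay: dict[str, float],
                   drops: dict[str, set[int]]) -> list[Arrival]:
    """Model packet duplication over independent paths, each with its own losses."""
    arrivals = []
    for seq in range(sent_count):
        for path, delay in path_delay.items():
            if seq not in drops.get(path, set()):
                arrivals.append((seq, path, seq * 20.0 + delay))   # sent every 20 ms
    return sorted(arrivals, key=lambda a: a[2])                    # receiver's view

def receive(arrivals: list[Arrival], window: int = 64) -> tuple[list[int], dict[str, int]]:
    """Deliver the first copy of each sequence number and discard later duplicates.

    Returns the delivered sequence numbers and, per path, how often it was first.
    The seen-set is bounded to `window` entries so state stays constant for long flows."""
    delivered, seen, winners, highest = [], set(), {}, -1
    for seq, path, _ in arrivals:
        if seq in seen or seq <= highest - window:
            continue                      # duplicate (or too old to be anything else)
        seen.add(seq)
        highest = max(highest, seq)
        seen = {s for s in seen if s > highest - window}
        delivered.append(seq)
        winners[path] = winners.get(path, 0) + 1
    return delivered, winners

def loss_ratio(delivered_count: int, sent_count: int) -> float:
    return 1 - delivered_count / sent_count

# Constructed sample: MPLS is faster (15 ms) and loses seq 3 and 12; the Internet
# path (30 ms) loses seq 7 and 12. Only seq 12, lost on both, never arrives.
PATH_DELAY = {"mpls": 15.0, "internet": 30.0}
DROPS = {"mpls": {3, 12}, "internet": {7, 12}}
DELIVERED, WINNERS = receive(duplicate_send(20, PATH_DELAY, DROPS))
```

Each path alone loses 10% of the sample; the duplicated stream loses 5%, and the faster path wins every packet it carries.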

The solution also has other useful features that increase the quality and performance of latency-sensitive applications: VoIP, video conferencing, and virtualization.

The dynamic route selection method lets you set up direct routes between company offices, thereby reducing transmission delays between the two sites and the bandwidth consumed in the main data center.

The Traffic Shaping function and dynamic bandwidth reservation provide additional capabilities for managing service quality for applications of various classes.

Packet reordering completely eliminates the possibility of packet loss, and also eliminates the need for applications to request packet retransmission.

The Stateful Firewall feature monitors the state and characteristics of a network connection. A stateful firewall can distinguish allowed packets from unauthorized or unrecognized ones. Only packets matching the settings of the connection are passed through the border router.

The DPI (deep packet inspection) function helps cut off traffic types that are not allowed by controller policies for certain protocols or workloads.

Configuring WAN policies is straightforward, because the NetScaler SD-WAN Center management system has an intuitive interface, as well as customizable dashboards for monitoring WAN route parameters across various external networks.

Depending on the edition, NetScaler SD-WAN provides compression of transmitted data, i.e. removal of unnecessary or duplicate characters, and bit caching, i.e. storing the set of bits of transmitted traffic both on the receiving side and on the sending device. This eliminates the need to retransmit the same traffic over WAN channels.

So, in brief, the benefits of NetScaler SD-WAN are as follows:


For example, using NetScaler SD-WAN in a XenDesktop VDI scenario reduced the required bandwidth between the office and the data center where the users' virtual machines are "located" several times over:


Figure 2.4. Reducing the required bandwidth between the office and data center with NetScaler SD-WAN.

Thank you for your attention, I am ready to answer your questions in the comments.

Source: https://habr.com/ru/post/347300/
