NS Networking Guide

Date post: 20-Oct-2015
Upload: sachin-guda
Description: Citrix NetScaler
Page 1: NS Networking Guide

Citrix NetScaler Networking Guide

Citrix® NetScaler® 10


Copyright and Trademark Notice

© CITRIX SYSTEMS, INC., 2013. ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK (SUCH AS TRANSLATION, TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC.

ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL.

CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

Modifying the equipment without Citrix’ written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.

You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler appliance. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures:

Move the NetScaler equipment to one side or the other of your equipment.

Move the NetScaler equipment farther away from your equipment.

Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses.)

Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your authority to operate the product.

BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation. Netscape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks or trademarks of their respective holders.

Portions of this software may be redistributed under an open source license. Information about those portions of the software, including a listing of all third party attribution notices and open source license agreements can be found at http://www.citrix.com/lang/English/lp/lp_2305124.asp.

All rights reserved.

Last Updated: January 2013

Document code: April 9 2013 07:54:31


Contents

Preface ... 19
  Formatting Conventions for NetScaler Documentation ... 19
  Documentation Available on the NetScaler Appliance ... 20
  Getting Service and Support ... 21
  NetScaler Documentation Feedback ... 21

1 IP Addressing ... 23
  Configuring NetScaler-Owned IP Addresses ... 24
    Configuring the NetScaler IP Address (NSIP) ... 24
      To create the NetScaler IP address by using the NetScaler command line ... 24
      Parameters for configuring the NSIP address ... 25
      To configure the NetScaler IP address by using the configuration utility ... 25
    Configuring and Managing Virtual IP Addresses (VIPs) ... 25
      To create a VIP address by using the NetScaler command line ... 26
      To create a range of VIP addresses by using the NetScaler command line ... 26
      Parameters for configuring VIP addresses ... 27
      To configure a VIP address by using the configuration utility ... 28
      To create a range of VIP addresses by using the configuration utility ... 29
      To enable or disable an IPv4 VIP address by using the NetScaler command line ... 30
      To enable or disable a VIP address by using the configuration utility ... 31
    Configuring ARP Response Suppression for Virtual IP Addresses (VIPs) ... 31
      To configure ARP response suppression by using the NetScaler command line ... 34
      Parameter for configuring ARP response suppression ... 34
      To configure ARP response suppression by using the configuration utility ... 35
    Configuring Subnet IP Addresses (SNIPs) ... 35
      To configure a SNIP address by using the NetScaler command line ... 36
      To create a range of SNIP addresses by using the NetScaler command line ... 37
      Parameters for configuring SNIP addresses ... 38
      To configure a SNIP address by using the configuration utility ... 38
      To create a range of SNIP addresses by using the configuration utility ... 38

iii


      To enable or disable USNIP mode by using the NetScaler command line ... 39
      To enable or disable USNIP mode by using the configuration utility ... 39
    Configuring Mapped IP Addresses (MIPs) ... 39
      To create a MIP address by using the NetScaler command line ... 40
      To create a range of MIP addresses by using the NetScaler command line ... 41
      Parameters for configuring MIP addresses ... 42
      To configure a MIP address by using the configuration utility ... 42
      To create a range of MIP addresses by using the configuration utility ... 42
    Configuring GSLB Site IP Addresses (GSLBIP) ... 43
    Removing a NetScaler-Owned IP Address ... 43
      To remove an IP address by using the NetScaler command line ... 44
      To remove an IP address by using the configuration utility ... 44
    Configuring Application Access Controls ... 44
      To configure management access for an IP address by using the NetScaler command line ... 46
      Parameters for customizing a SNIP or MIP address ... 46
      To enable management access for an IP address by using the configuration utility ... 47
  How the NetScaler Proxies Connections ... 47
    How the Destination IP Address Is Selected ... 47
    How the Source IP Address Is Selected ... 48
  Enabling Use Source IP Mode ... 48
    Recommended Usage ... 50
    To globally enable or disable USIP mode by using the NetScaler command line ... 51
    To enable USIP mode for a service by using the NetScaler command line ... 51
    To globally enable or disable USIP mode by using the configuration utility ... 51
    To enable USIP mode for a service by using the configuration utility ... 51
  Configuring Network Address Translation ... 52
    Configuring INAT ... 52
      To create an INAT entry by using the NetScaler command line ... 53
      To modify an INAT entry by using the NetScaler command line ... 54
      Basic parameters for configuring INAT ... 54
      To configure an INAT entry by using the configuration utility ... 54
      To remove an INAT configuration by using the configuration utility ... 55
    Coexistence of INAT and Virtual Servers ... 55
    Stateless NAT46 Translation ... 56
      Configuring Stateless NAT46 ... 58
      Setting Global Parameters for Stateless NAT46 ... 61
      Limitations of Stateless NAT46 ... 62
    Configuring RNAT ... 62


      Creating an RNAT Entry ... 64
      Monitoring RNAT ... 67
    RNAT in USIP, USNIP, and LLB Modes ... 68
    Configuring RNAT for IPv6 Traffic ... 69
      To create an RNAT6 rule by using the NetScaler command line ... 69
      To modify or remove an RNAT6 rule by using the NetScaler command line ... 69
      Parameters for configuring an RNAT6 rule ... 70
      To configure an RNAT6 rule by using the configuration utility ... 70
    Configuring Prefix-Based IPv6-IPv4 Translation ... 71
      To configure prefix-based IPv6-IPv4 translation by using the NetScaler command line ... 72
      Parameter for configuring prefix-based IPv6-IPv4 translation ... 73
      To configure prefix-based IPv6-IPv4 translation by using the configuration utility ... 73
  Configuring Static ARP ... 73
    To add a static ARP entry by using the NetScaler command line ... 73
    To remove a static ARP entry by using the NetScaler command line ... 74
    Parameters for adding a static ARP entry ... 74
    To add a static ARP entry by using the configuration utility ... 74
  Setting the Timeout for Dynamic ARP Entries ... 75
    To set the time-out for dynamic ARP entries by using the NetScaler command line ... 75
      Example ... 75
    To set the time-out for dynamic ARP entries to its default value by using the NetScaler command line ... 75
      Example ... 75
    To set the time-out for dynamic ARP entries by using the configuration utility ... 76
  Configuring Neighbor Discovery ... 76
    Adding IPv6 Neighbors ... 77
      To add an IPv6 neighbor by using the NetScaler command line ... 77
      Neighbor Discovery Parameters ... 77
      To add an IPv6 neighbor by using the configuration utility ... 78
    Removing IPv6 Neighbors ... 78
      To remove a neighbor discovery entry by using the NetScaler command line ... 78
      To remove all neighbor discovery entries by using the NetScaler command line ... 78
      To remove a neighbor discovery entry by using the configuration utility ... 78
      To remove all neighbor discovery entries by using the configuration utility ... 79
  Configuring IP Tunnels ... 79
    NetScaler as an Encapsulator (Load Balancing with DSR Mode) ... 79


    NetScaler as a Decapsulator ... 79
    Creating IP Tunnels ... 80
      To create an IP tunnel by using the NetScaler command line ... 80
      To remove an IP tunnel by using the NetScaler command line ... 80
      Parameters for creating an IP tunnel ... 80
      To create an IP tunnel by using the configuration utility ... 80
      To create an IPv6 tunnel by using the NetScaler command line ... 81
      To remove an IPv6 tunnel by using the NetScaler command line ... 81
      Parameters for creating an IPv6 tunnel ... 81
      To create an IPv6 tunnel by using the configuration utility ... 81
    Customizing IP Tunnels Globally ... 82
      To globally customize IP tunnels by using the NetScaler command line ... 82
      Parameters for customizing IP tunnels globally ... 83
      To globally customize IP tunnels by using the configuration utility ... 83
      To globally customize IPv6 tunnels by using the NetScaler command line ... 83
      Parameters for customizing IPv6 tunnels globally ... 84
      To globally customize IPv6 tunnels by using the configuration utility ... 84

2 Interfaces ... 85
  Configuring MAC-Based Forwarding ... 86
    To enable or disable MAC-based forwarding by using the NetScaler command line ... 87
    To enable or disable MAC-based forwarding by using the configuration utility ... 87
  Configuring Network Interfaces ... 88
    Setting the Network Interface Parameters ... 88
      To set the network interface parameters by using the NetScaler command line ... 88
      Parameters for setting a network interface ... 89
      To set the network interface parameters by using the configuration utility ... 90
    Enabling and Disabling Network Interfaces ... 91
      To enable or disable a network interface by using the NetScaler command line ... 91
      To enable or disable a network interface by using the configuration utility ... 92
    Resetting Network Interfaces ... 92
      To reset a network interface by using the NetScaler command line ... 92
      To reset a network interface by using the configuration utility ... 93
    Monitoring a Network Interface ... 93
      To display the statistics of the network interfaces by using the NetScaler command line ... 93


      To display the statistics of an interface by using the configuration utility ... 95
      To clear a network interface’s statistics by using the NetScaler command line ... 95
      To clear a network interface’s statistics by using the configuration utility ... 95
  Configuring Forwarding Session Rules ... 95
    To create a forwarding session rule by using the NetScaler command line ... 96
    Parameters for configuring a forwarding session rule ... 96
    To configure a forwarding session rule by using the configuration utility ... 97
  Understanding VLANs ... 97
    Applying Rules to Classify Frames ... 98
      VLANs and Packet Forwarding on the NetScaler ... 99
  Configuring a VLAN ... 100
    Creating or Modifying a VLAN ... 100
      To create a VLAN by using the NetScaler command line ... 100
      To bind an interface to a VLAN by using the NetScaler command line ... 101
      To bind an IP address to a VLAN by using the NetScaler command line ... 101
      To remove a VLAN by using the NetScaler command line ... 101
      Parameters for configuring a VLAN ... 101
      To configure a VLAN by using the configuration utility ... 102
    Monitoring VLANs ... 103
      To view the statistics of a VLAN by using the NetScaler command line ... 103
      To view the statistics of a VLAN by using the configuration utility ... 103
    Configuring VLANs in an HA Setup ... 103
    Configuring VLANs on a Single Subnet ... 103
    Configuring VLANs on Multiple Subnets ... 104
    Configuring Multiple Untagged VLANs across Multiple Subnets ... 105
    Configuring Multiple VLANs with 802.1q Tagging ... 106
  Configuring NSVLAN ... 108
    To configure NSVLAN by using the NetScaler command line ... 108
    To restore the default NSVLAN configuration by using the NetScaler command line ... 109
    Parameters for configuring NSVLAN ... 110
    To configure NSVLAN by using the configuration utility ... 110
  Configuring Bridge Groups ... 110
    To add a bridge group and bind VLANs by using the NetScaler command line ... 111
    To remove a bridge group by using the NetScaler command line ... 112
    Parameters for configuring bridge groups ... 112
    To configure a bridge group by using the configuration utility ... 112
  Configuring VMACs ... 113
  Configuring Link Aggregation ... 113


    Configuring Link Aggregation Manually ... 114
      To create a link aggregation channel by using the NetScaler command line ... 114
      To bind an interface to or unbind an interface from an existing link aggregation channel by using the NetScaler command line ... 114
      To modify a link aggregation channel by using the NetScaler command line ... 114
      Parameters for configuring a link aggregation channel ... 115
      To configure a link aggregation channel by using the configuration utility ... 115
      To remove a link aggregation channel by using the NetScaler command line ... 116
      To remove a link aggregation channel by using the configuration utility ... 117
    Configuring Link Aggregation by Using the Link Aggregation Control Protocol ... 117
      Creating Link Aggregation Channels ... 117
      Modifying Link Aggregation Channels ... 118
      Removing a Link Aggregation Channel ... 120
  Binding an SNIP Address to an Interface ... 121
    To configure the example settings ... 122
  Monitoring the Bridge Table and Changing the Aging Time ... 125
    To display the bridge table by using the NetScaler command line ... 125
    To display the bridge table by using the configuration utility ... 126
    To change the aging time by using the NetScaler command line ... 126
    Parameter for changing the aging time ... 126
    To change the aging time by using the configuration utility ... 127
    To view the statistics of a bridge table by using the NetScaler command line ... 127
    To view the statistics of a bridge table by using the configuration utility ... 127
  Understanding NetScaler Appliances in Active-Active Mode Using VRRP ... 127
    Health Tracking ... 129
    Preemption ... 130
    Sharing ... 130
  Configuring Active-Active Mode ... 130
    Adding a VMAC ... 131
      To add a VMAC by using the NetScaler command line ... 131
      Parameters for configuring a VMAC ... 131
      To add a VMAC by using the configuration utility ... 131
      To bind a VMAC by using the NetScaler command line ... 132
      To bind a VMAC to a VIP by using the NetScaler configuration utility ... 132
    Configuring Send to Master ... 132
      To enable send to master by using the NetScaler command line ... 133
      Parameter for enabling send to master ... 134
      To enable send to master by using the configuration utility ... 134
    An Active-Active Deployment Scenario ... 134
  Using the Network Visualizer ... 135


To open the Network Visualizer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136To locate a VLAN or bridge group in the Visualizer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136To view the configuration details of an entity by using the Visualizer. . . . . . . . . . . . . . . . 137To modify the network settings of the appliance by using the Visualizer. . . . . . . . . . . . .137To add a channel by using the Visualizer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137To add a VLAN by using the Visualizer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137To add a bridge group by using the Visualizer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137To modify the settings of an interface or channel by using the Visualizer. . . . . . . . . . . 138To enable or disable an interface or channel by using the Visualizer. . . . . . . . . . . . . . . . 138To remove a configured channel, VLAN, or bridge group by using the Visualizer. . .138To view statistics for a node, channel, interface, or VLAN by using the Visualizer. . 138To set up an HA deployment by using the Visualizer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138To view the high availability details of a node by using the Visualizer. . . . . . . . . . . . . . . 139To force the secondary node to take over as the primary by using the Visualizer. . .139To synchronize the secondary node's configuration with the primary node byusing the Visualizer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139To remove the peer node from the HA configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139To copy the properties of a node or network entity by using the Visualizer. . . . . . . . . . 139

3 Access Control Lists ... 141
  ACL Precedence ... 143
  Configuring Simple ACLs ... 143

    Creating Simple ACLs ... 143
      To create a simple ACL by using the NetScaler command line ... 144
      Parameters for configuring a simple ACL ... 144
      To create a simple ACL by using the configuration utility ... 145

    Monitoring Simple ACLs ... 145
      To view simple ACL statistics by using the NetScaler command line ... 145
      To display simple ACL statistics by using the configuration utility ... 146

    Removing Simple ACLs ... 146
      To remove a single simple ACL by using the NetScaler command line ... 146
      To remove all simple ACLs by using the NetScaler command line ... 146
      To remove a single simple ACL by using the configuration utility ... 146
      To remove all simple ACLs by using the configuration utility ... 147

  Configuring Extended ACLs ... 147
    Creating and Modifying an Extended ACL ... 147

      To create an extended ACL by using the NetScaler command line ... 148
      Parameters for configuring an extended ACL ... 148
      To create an extended ACL by using the configuration utility ... 150

    Applying an Extended ACL ... 151

      To apply an ACL by using the NetScaler command line ... 151
      To apply an ACL by using the configuration utility ... 151

    Disabling and Enabling Extended ACLs ... 151
      To disable or enable an extended ACL by using the NetScaler command line ... 152
      To disable or enable an extended ACL by using the configuration utility ... 153

    Renumbering the Priority of Extended ACLs ... 153
      To renumber the ACLs by using the NetScaler command line ... 153
      To renumber the ACLs by using the configuration utility ... 154

    Configuring Extended ACL Logging ... 154
      To configure ACL logging by using the NetScaler command line ... 154
      Logging parameters of an extended ACL ... 155
      To configure ACL logging by using the configuration utility ... 155

    Monitoring the Extended ACL ... 156
      To display the statistics of an extended ACL by using the NetScaler command line ... 156
      To display the statistics of an extended ACL by using the configuration utility ... 157

    Removing Extended ACLs ... 157
      To remove a single extended ACL by using the NetScaler command line ... 157
      To remove all extended ACLs by using the NetScaler command line ... 157
      To remove a single extended ACL by using the configuration utility ... 157
      To remove all extended ACLs by using the configuration utility ... 158

  Configuring Simple ACL6s ... 158
    Creating Simple ACL6s ... 158

      To create a simple ACL6 by using the NetScaler command line ... 158
      Parameters for configuring a simple ACL6 ... 159
      To create a simple ACL6 by using the configuration utility ... 159
      To remove a single simple ACL6 by using the NetScaler command line ... 160
      To remove all simple ACL6s by using the NetScaler command line ... 160
      To remove one or all simple ACL6s by using the configuration utility ... 160

    Monitoring Simple ACL6s ... 160
      To display simple ACL6 statistics by using the NetScaler command line ... 161
      To display simple ACL6 statistics by using the configuration utility ... 161

  Configuring ACL6s ... 161
    Creating and Modifying ACL6s ... 162

      To create an ACL6 by using the NetScaler command line ... 162
      To modify or remove an ACL6 by using the NetScaler command line ... 162
      Parameters for configuring an ACL6 ... 163
      To create an ACL6 by using the configuration utility ... 164

    Applying ACL6s ... 165
      To apply ACL6s by using the NetScaler command line ... 166
      To apply ACL6s by using the configuration utility ... 166

    Enabling and Disabling ACL6s ... 166
      To disable or enable an ACL6 by using the NetScaler command line ... 166
      To disable or enable an ACL6 by using the configuration utility ... 167

    Renumbering the Priority of ACL6s ... 167
      To renumber the priorities of the ACL6s by using the NetScaler command line ... 168
      To renumber the priority of ACL6s by using the configuration utility ... 168

    Monitoring ACL6s ... 168
      To display the statistics for an ACL6 by using the NetScaler command line ... 168
      To display the statistics for an ACL6 by using the configuration utility ... 169

    Removing ACL6s ... 169
      To remove an extended ACL6 by using the NetScaler command line ... 170
      To remove all extended ACL6s by using the NetScaler command line ... 170
      To remove an extended ACL6 by using the configuration utility ... 170
      To remove all extended ACL6s by using the configuration utility ... 170

  Terminating Established Connections ... 170
    To terminate all established IPv4 connections that match any of your configured simple ACLs by using the NetScaler command line ... 171
    To terminate all established IPv4 connections that match any of your configured simple ACLs by using the configuration utility ... 171
    To terminate all established IPv6 connections that match any of your configured simple ACL6s by using the NetScaler command line ... 171
    To terminate all established IPv6 connections that match any of your configured simple ACL6s by using the configuration utility ... 172

4 IP Routing ... 173
  Configuring Dynamic Routes ... 174

    Routing Tables in the NetScaler ... 174
      NS Kernel Routing Table ... 174
      FreeBSD Routing Table ... 174
      Network Services Module (NSM) FIB ... 175

    High Availability Setup ... 175
      Non-Stop Forwarding ... 175
      Black Hole Avoidance Mechanism ... 176
    Interfaces for Configuring Dynamic Routing ... 176

    Configuring RIP ... 176
      Enabling and Disabling RIP ... 176

      Advertising Routes ... 177
      Limiting RIP Propagations ... 177
      Verifying the RIP Configuration ... 178

    Configuring OSPF ... 179
      Enabling and Disabling OSPF ... 179
      Advertising OSPF Routes ... 180
      Limiting OSPF Propagations ... 181
      Verifying the OSPF Configuration ... 181

    Configuring BGP ... 182
      Prerequisites for IPv6 BGP ... 182
      Enabling and Disabling BGP ... 182
      Advertising IPv4 Routes ... 183
      Advertising IPv6 BGP Routes ... 184
      Verifying the BGP Configuration ... 185

    Configuring IPv6 RIP ... 185
      Prerequisites for IPv6 RIP ... 185
      Enabling IPv6 RIP ... 185
      Advertising IPv6 RIP Routes ... 186
      Limiting IPv6 RIP Propagations ... 187
      Verifying the IPv6 RIP Configuration ... 187

    Configuring IPv6 OSPF ... 188
      Prerequisites for IPv6 OSPF ... 188
      Enabling IPv6 OSPF ... 188
      Advertising IPv6 Routes ... 189
      Limiting IPv6 OSPF Propagations ... 190
      Verifying the IPv6 OSPF Configuration ... 190

    Configuring ISIS ... 191
      Prerequisites for Configuring ISIS ... 191
      Enabling ISIS ... 191
      Creating an ISIS Routing Process and Starting It on a VLAN ... 191
      Advertising Routes ... 193
      Limiting ISIS Propagations ... 194
      Verifying the ISIS Configuration ... 194

    Installing Routes to the NetScaler Routing Table ... 195
      To install various routes to the internal routing table by using the VTYSH command line ... 195

  Configuring Static Routes ... 196
    Monitored Static Routes ... 196
    Weighted Static Routes ... 198
    Null Routes ... 198

    Configuring IPv4 Static Routes ... 198
      To create a static route by using the NetScaler command line ... 198
      To create a monitored static route by using the NetScaler command line ... 199
      To create a null route by using the NetScaler command line ... 199
      To remove a static route by using the NetScaler command line ... 200
      Parameters for configuring static routes ... 200
      To configure a static route by using the configuration utility ... 201
      To remove a route by using the configuration utility ... 202

    Configuring IPv6 Static Routes ... 202
      To create an IPv6 route by using the NetScaler command line ... 202
      To create a monitored IPv6 static route by using the NetScaler command line ... 203
      To remove an IPv6 route by using the NetScaler command line ... 203
      Parameters for configuring IPv6 static routes ... 203
      To configure an IPv6 route by using the configuration utility ... 204
      To remove an IPv6 route by using the configuration utility ... 205

  Configuring Policy-Based Routes ... 205
    Configuring Policy-Based Routes (PBRs) for IPv4 Traffic ... 205

      Creating or Modifying a PBR ... 206
      Applying a PBR ... 210
      Enabling or Disabling PBRs ... 211
      Renumbering PBRs ... 212
      Use Case - PBR with Multiple Hops ... 212

    Configuring Policy-Based Routes (PBR6s) for IPv6 Traffic ... 217
      Creating or Modifying a PBR6 ... 218
      Applying PBR6s ... 221
      Enabling or Disabling a PBR6 ... 222
      Renumbering PBR6s ... 222

  Troubleshooting Routing Issues ... 223
    Generic Routing FAQs ... 223
    Troubleshooting OSPF-Specific Issues ... 225

5 Internet Protocol version 6 (IPv6) ... 227
  Implementing IPv6 Support ... 229

    To enable or disable IPv6 by using the NetScaler command line ... 229
    To enable or disable IPv6 by using the configuration utility ... 229

  VLAN Support ... 229
  Simple Deployment Scenario ... 230

    To create IPv4 services by using the NetScaler command line ... 231
    To create IPv4 services by using the configuration utility ... 232

    To create an IPv6 vserver by using the NetScaler command line ... 232
    To create an IPv6 vserver by using the configuration utility ... 232
    To bind a service to an LB vserver by using the NetScaler command line ... 233
    To bind a service to an LB vserver by using the configuration utility ... 233

  Host Header Modification ... 233
    To change the IPv6 address in the host header to an IPv4 address by using the NetScaler command line ... 233
    To change the IPv6 address in the host header to an IPv4 address by using the configuration utility ... 234

  VIP Insertion ... 234
    To configure a mapped IPv6 address by using the NetScaler command line ... 234
    To configure a mapped IPv6 address by using the configuration utility ... 234
    To enable VIP insertion by using the NetScaler command line ... 235
    To enable VIP insertion by using the configuration utility ... 235

6 CloudBridge 1.1 ... 237
  About the CloudBridge ... 238
  Setting Up a CloudBridge - Method 1 ... 240

    Configuring IPSec on a GRE Tunnel ... 240
      To configure IPSec on a GRE tunnel by using the NetScaler command line ... 240
      To remove an IPSec config by using the NetScaler command line ... 241
      Parameters for configuring IPSec on a GRE tunnel ... 241
      To configure IPSec on a GRE tunnel by using the configuration utility ... 242

    Creating IP Tunnels ... 242
      To create an IP tunnel by using the NetScaler command line ... 242
      To remove an IP tunnel by using the NetScaler command line ... 243
      Parameters for creating an IP tunnel ... 243
      To create an IP tunnel by using the configuration utility ... 243
      To create an IPv6 tunnel by using the NetScaler command line ... 244
      To remove an IPv6 tunnel by using the NetScaler command line ... 244
      Parameters for creating an IPv6 tunnel ... 244
      To create an IPv6 tunnel by using the configuration utility ... 244

    Configuring a CloudBridge ... 244
      To create a CloudBridge by using the NetScaler command line ... 245
      To bind GRE tunnels, VLANs, and IP subnets to a CloudBridge by using the NetScaler command line ... 245
      To modify or remove a CloudBridge by using the NetScaler command line ... 245
      Parameters for configuring a CloudBridge ... 245
      To configure a CloudBridge by using the configuration utility ... 245

  Configuring the CloudBridge - Method 2 ... 246

    Parameters for configuring a network bridge ... 247
    To configure a CloudBridge by using the configuration utility ... 247

  Setting Up CloudBridge to SoftLayer Enterprise Cloud ... 248
    To configure a CloudBridge by using the configuration utility ... 249

7 High Availability ... 251
  Considerations for a High Availability Setup ... 253
  Configuring High Availability ... 254

    Adding a Remote Node ... 255
      To add a node by using the NetScaler command line ... 255
      To disable an HA monitor by using the NetScaler command line ... 256
      Parameters for adding a remote node ... 256
      To add a remote node by using the configuration utility ... 257

    Disabling or Enabling a Node ... 257
      To disable or enable a node by using the NetScaler command line ... 257
      To disable or enable a node by using the configuration utility ... 257

    Removing a Node ... 258
      To remove a node by using the NetScaler command line ... 258
      To remove a node by using the configuration utility ... 258

  Configuring the Communication Intervals ... 258
    To set the hello and dead intervals by using the NetScaler command line ... 258
    Parameters for setting the hello and dead intervals ... 259
    To set the hello and dead intervals by using the configuration utility ... 259

  Configuring Synchronization ... 259
    Disabling or Enabling Synchronization ... 259

      To disable or enable automatic synchronization by using the NetScaler command line ... 260
      To disable or enable synchronization by using the configuration utility ... 260

    Forcing the Secondary Node to Synchronize with the Primary Node ... 260
      To force synchronization by using the NetScaler command line ... 260
      To force synchronization by using the configuration utility ... 261

  Synchronizing Configuration Files in a High Availability Setup ... 261
    To synchronize files in a high availability setup by using the NetScaler command line ... 261
    Parameters for synchronizing files in a high availability setup ... 261
    To synchronize files in a high availability setup by using the configuration utility ... 263

  Configuring Command Propagation ... 263
    To disable or enable command propagation by using the NetScaler command line ... 264
    To disable or enable command propagation by using the configuration utility ... 264

Configuring Fail-Safe Mode .... 264
    To enable fail-safe mode by using the NetScaler command line .... 265
    To enable fail-safe mode by using the configuration utility .... 266
Configuring Virtual MAC Addresses .... 266
    Configuring IPv4 VMACs .... 267
        Creating or Modifying an IPv4 VMAC .... 267
        Removing an IPv4 VMAC .... 268
    Configuring IPv6 VMAC6s .... 268
        Creating or Modifying a VMAC6 .... 269
        Removing a VMAC6 .... 270
Configuring High Availability Nodes in Different Subnets .... 270
    Adding a Remote Node .... 272
        To add a node by using the NetScaler command line .... 272
        To disable an HA monitor by using the NetScaler command line .... 273
        Parameters for adding a remote node .... 273
        To add a remote node by using the configuration utility .... 274
    Removing a Node .... 274
        To remove a node by using the NetScaler command line .... 274
        To remove a node by using the configuration utility .... 274
Configuring Route Monitors .... 275
    Adding a Route Monitor to a High Availability Node .... 277
        To add a route monitor by using the NetScaler command line .... 277
        Parameters for adding a route monitor .... 277
        To add a route monitor by using the configuration utility .... 277
    Removing Route Monitors .... 278
        To remove a route monitor by using the NetScaler command line .... 278
        To remove a route monitor by using the configuration utility .... 278
Configuring FIS .... 278
    Creating or Modifying an FIS .... 278
        To add an FIS and bind interfaces to it by using the NetScaler command line .... 279
        To unbind an interface from an FIS by using the NetScaler command line .... 279
        Parameters for configuring an FIS .... 279
        To configure an FIS by using the configuration utility .... 280
    Removing an FIS .... 280
        To remove an FIS by using the NetScaler command line .... 280
        To remove an FIS by using the configuration utility .... 280
Understanding the Causes of Failover .... 280
Forcing a Node to Fail Over .... 281
    Forcing Failover on the Primary Node .... 282
        To force failover on the primary node by using the NetScaler command line .... 282


        To force failover on the primary node by using the configuration utility .... 282
    Forcing Failover on the Secondary Node .... 282
        To force failover on the secondary node by using the NetScaler command line .... 282
        To force failover on the secondary node by using the configuration utility .... 283
    Forcing Failover When Nodes Are in Listen Mode .... 283
        To force failover when nodes are in listen mode by using the NetScaler command line .... 283
        To force failover when nodes are in listen mode by using the configuration utility .... 283
Forcing the Secondary Node to Stay Secondary .... 283
    To force the secondary node to stay secondary by using the NetScaler command line .... 284
    To force the secondary node to stay secondary by using the configuration utility .... 284
Forcing the Primary Node to Stay Primary .... 284
    To force the primary node to stay primary by using the NetScaler command line .... 284
    To force the primary node to stay primary by using the configuration utility .... 285
Understanding the High Availability Health Check Computation .... 285
Troubleshooting High Availability Issues .... 285
    To retrieve the current system configuration .... 286
    High Availability .... 286
A   Documentation Library .... 291
    Release Notes .... 292
    Quick Start Guides .... 292
    Configuration Guides .... 293
    Reference Guides .... 293


Preface

Learn about the Citrix® NetScaler® collection of documentation, including information about support options and ways to send us feedback.

In This Preface:

w Formatting Conventions for NetScaler Documentation

w Documentation Available on the NetScaler Appliance

w Getting Service and Support

w NetScaler Documentation Feedback

Formatting Conventions for NetScaler Documentation

The NetScaler documentation uses the following formatting conventions.

Table 1. Formatting Conventions

Convention Meaning

Boldface            In text paragraphs or steps in a procedure, information that you type exactly as shown (user input), or an element in the user interface.

Monospace           Text that appears in a command-line interface. Used for examples of command-line procedures. Also used to distinguish interface terms, such as names of directories and files, from ordinary text.

<angle brackets>    A term enclosed in angle brackets is a variable placeholder, to be replaced with an appropriate value. Do not enter the angle brackets.

[ brackets ]        Optional items in command statements. For example, in the following command, [ -range <positiveInteger> ] means that you have the option of entering a range, but it is not required:

                    add lb vserver <name> <serviceType> <IPAddress> <port> [ -range <positiveInteger> ]

                    Do not type the brackets themselves.

| (vertical bar)    A separator between options in braces or brackets in command statements. For example, the following indicates that you choose one of the following load balancing methods:

                    <lbMethod> = ( ROUNDROBIN | LEASTCONNECTION | LEASTRESPONSETIME | URLHASH | DOMAINHASH | DESTINATIONIPHASH | SOURCEIPHASH | SRCIPDESTIPHASH | LEASTBANDWIDTH | LEASTPACKETS | TOKEN | SRCIPSRCPORTHASH | LRTM | CALLIDHASH | CUSTOMLOAD )

… (ellipsis)        You can repeat the previous item or items in command statements. For example, /route:<DeviceName>[,…] means you can type additional <DeviceName>s separated by commas.

Documentation Available on the NetScaler Appliance

A complete set of Citrix® NetScaler® documentation is available on the Documentation tab of your NetScaler appliance and at http://support.citrix.com/ (PDF version), and at http://edocs.citrix.com (HTML version). (The PDF versions of the documents require Adobe Reader, available at http://adobe.com/.)

To view the documentation

1. From a Web browser, log on to the NetScaler appliance.

2. Click the Documentation tab.

3. To view a short description of each document, hover the mouse pointer over the title. To open a document, click the title.


Getting Service and Support

Citrix® offers a variety of resources for support with your Citrix environment, including the following:

w The Knowledge Center is a self-service, Web-based technical support database that contains thousands of technical solutions, including access to the latest hotfixes, service packs, and security bulletins.

w Technical Support Programs for both software support and appliance maintenance are available at a variety of support levels.

w The Subscription Advantage program is a one-year membership that gives you an easy way to stay current with the latest product version upgrades and enhancements.

w Citrix Education provides official training and certification programs on virtually all Citrix products and technologies.

For more information about Citrix services and support, see the Citrix Systems Support Web site at http://www.citrix.com/lang/English/support.asp.

You can also participate in and follow technical discussions offered by the experts on various Citrix products at the following sites:

w http://community.citrix.com

w http://twitter.com/citrixsupport

w http://forums.citrix.com/support

NetScaler Documentation Feedback

You are encouraged to provide feedback and suggestions so that we can enhance the documentation. You can send an email to [email protected]. In the subject line, specify "Documentation Feedback." Please include the title of the guide and the page number in the email message.

You can also provide feedback through the Knowledge Center at http://support.citrix.com/.

To provide feedback at the Knowledge Center home page

1. Go to the Knowledge Center home page at http://support.citrix.com/.

2. On the Knowledge Center home page, under Products, expand NetScaler, and then click the NetScaler release for which you want to provide feedback.

3. On the Documentation tab, click the guide name, and then click Article Feedback.

4. On the Documentation Feedback page, complete the form, and then click Submit.


Chapter 1

IP Addressing

Topics:

• Configuring NetScaler-Owned IP Addresses

• How the NetScaler Proxies Connections

• Enabling Use Source IP Mode

• Configuring Network Address Translation

• Configuring Static ARP

• Setting the Timeout for Dynamic ARP Entries

• Configuring Neighbor Discovery

• Configuring IP Tunnels

Before you can configure the NetScaler® appliance, you must assign the NetScaler IP Address (NSIP), also known as the Management IP address. You can also create other NetScaler-owned IP addresses for abstracting servers and establishing connections with the servers. In this type of configuration, the appliance serves as a proxy for the abstracted servers. You can also proxy connections by using network address translation (INAT and RNAT). When proxying connections, the appliance can behave either as a bridging (Layer 2) device or as a packet forwarding (Layer 3) device. To make packet forwarding more efficient, you can configure static ARP entries. For IPv6, you can configure neighbor discovery (ND).


Configuring NetScaler-Owned IP Addresses

The NetScaler-owned IP addresses, that is, the NetScaler IP address (NSIP), virtual IP addresses (VIPs), subnet IP addresses (SNIPs), mapped IP addresses (MIPs), and Global Server Load Balancing site IP addresses (GSLBIPs), exist only on the NetScaler appliance. The NSIP uniquely identifies the NetScaler on your network, and it provides access to the appliance. A VIP is a public IP address to which a client sends requests. The NetScaler terminates the client connection at the VIP and initiates a connection with a server. This new connection uses a SNIP or a MIP as the source IP address for packets forwarded to the server. If you have multiple data centers that are geographically distributed, each data center can be identified by a unique GSLBIP.

You can configure some NetScaler-owned IP addresses to provide access for management applications.

Configuring the NetScaler IP Address (NSIP)

The NetScaler IP (NSIP) address is the IP address at which you access the NetScaler for management purposes. The NetScaler can have only one NSIP, which is also called the Management IP address. You must add this IP address when you configure the NetScaler for the first time. If you modify this address, you must reboot the NetScaler. You cannot remove an NSIP address. For security reasons, the NSIP should be a non-routable IP address on your organization's LAN.

Note: Configuring the NetScaler IP address is mandatory.

To create the NetScaler IP address by using the NetScaler command line

At the NetScaler command prompt, type:

w set ns config [-IPAddress <ip_addr> -netmask <netmask>]

w show ns config

Example

> set ns config -ipaddress 10.102.29.170 -netmask 255.255.255.0
 Done

> sh ns config
        NetScaler IP: 10.102.29.170 (mask: 255.255.255.0)
        Number of MappedIP(s): 0
        Node: Standalone
        System Time: Tue Mar 20 16:16:59 2012
        Last Config Changed Time: Tue Mar 20 16:05:10 2012
        Last Config Saved Time: Tue Mar 20 16:05:11 2012
 Done

Parameters for configuring the NSIP address

IPAddress
The IP address to assign as the NSIP. This is a mandatory parameter.

netmask
Subnet mask associated with the IP address. This is a mandatory parameter.

To configure the NetScaler IP address by using the configuration utility

1. In the navigation pane, click NetScaler.

2. On the System Overview page, click Setup Wizard.

3. In the Setup Wizard dialog box, click Next.

4. Under System Configuration, specify values for the following parameters, which correspond to the parameters described in "Parameters for configuring the NSIP address" as shown:

• IP Address*—IPAddress

• Netmask*—netmask

* A required parameter

5. Follow the instructions in the Setup Wizard to complete the configuration.

Configuring and Managing Virtual IP Addresses (VIPs)

Configuration of a virtual server IP address (VIP) is not mandatory during initial configuration of the NetScaler. When you configure load balancing, you assign VIPs to virtual servers.

For more information about configuring the load balancing setup, see the "Load Balancing" chapter of the Citrix NetScaler Traffic Management Guide at http://support.citrix.com/article/CTX132359.

In some situations, you need to customize VIP attributes or enable or disable a VIP. A VIP is usually associated with a virtual server, and some of the attributes of the VIP are customized to meet the requirements of the virtual server. You can host the same virtual server on multiple NetScaler appliances residing on the same broadcast domain, by using the ARP and ICMP attributes. After you add a VIP (or any IP address), the NetScaler sends, and then responds to, ARP requests. VIPs are the only NetScaler-owned IP addresses that can be disabled. When a VIP is disabled, the virtual server using it goes down and does not respond to ARP, ICMP, or L4 service requests.

As an alternative to creating VIPs one at a time, you can specify a consecutive range of VIPs.

To create a VIP address by using the NetScaler command line

At the NetScaler command prompt, type:

w add ns ip <IPAddress> <netmask> -type <type>

w show ns ip <IPAddress>

Example

> add ns ip 10.102.29.59 255.255.255.0 -type VIP
 Done
> show ns ip 10.102.29.59
        IP: 10.102.29.59
        Netmask: 255.255.255.0
        Type: VIP
        state: Enabled
        arp: Enabled
        icmp: Enabled
        vserver: Enabled
        management access: Disabled
        telnet: Disabled
        ftp: Disabled
        ssh: Disabled
        gui: Disabled
        snmp: Enabled
        Restrict access: Disabled
        dynamic routing: Disabled
        hostroute: Disabled
 Warning: management access is disabled
 Done

To create a range of VIP addresses by using the NetScaler command line

At the NetScaler command prompt, type:

w add ns ip <IPAddress> <netmask> -type <type>

w show ns ip <IPAddress>

Example

> add ns ip 10.102.29.[60-64] 255.255.255.0 -type VIP
 ip "10.102.29.60" added
 ip "10.102.29.61" added
 ip "10.102.29.62" added
 ip "10.102.29.63" added
 ip "10.102.29.64" added
 Done

> show ns ip
        Ipaddress        Type          Mode    Arp      Icmp     Vserver  State
        ---------        ----          ----    ---      ----     -------  -----
1)      10.102.29.170    NetScaler IP  Active  Enabled  Enabled  NA       Enabled
2)      10.102.29.171    MIP           Active  Enabled  Enabled  NA       Enabled
..
46)     10.102.29.60     VIP           Active  Enabled  Enabled  Enabled  Enabled
47)     10.102.29.61     VIP           Active  Enabled  Enabled  Enabled  Enabled
48)     10.102.29.62     VIP           Active  Enabled  Enabled  Enabled  Enabled
49)     10.102.29.63     VIP           Active  Enabled  Enabled  Enabled  Enabled
50)     10.102.29.64     VIP           Active  Enabled  Enabled  Enabled  Enabled
 Done

Parameters for configuring VIP addresses

ipAddress (IP Address)
The IP address to add. This is a required parameter.

netmask (Netmask)
Subnet mask associated with the IP address. This is a required parameter.

type (Type)
Type of the IP address. Specify VIP.

arp (ARP)
Use Address Resolution Protocol (ARP) to map IP addresses to the corresponding hardware addresses. Possible values: Enabled, Disabled. Default: Enabled.

icmpresponse (ICMP Response)
The NetScaler sends ICMP responses to PING requests according to this value. The user network applications that use ICMP are PING and TRACEROUTE. This parameter can be set only if type is set to VIP. Possible values: NONE, ONE_VSERVER, ALL_VSERVERS, and VSVR_CNTRLD. Default value: NONE.

w When you select NONE, the NetScaler always responds (even when the virtual server is DOWN).


w When you select ONE_VSERVER, the NetScaler responds if at least one virtual server on this IP address is UP.

w When you select ALL_VSERVERS, the NetScaler responds only if all the virtual servers on this IP address are UP.

w When you select VSVR_CNTRLD, the behavior depends on the ICMP VSERVER RESPONSE setting on each virtual server.

The following settings can be made on a virtual server:

w When you set ICMP VSERVER RESPONSE to PASSIVE on all virtual servers, the NetScaler always responds.

w When you set ICMP VSERVER RESPONSE to ACTIVE on all virtual servers, the NetScaler responds if at least one virtual server is UP.

w When you set ICMP VSERVER RESPONSE to ACTIVE on some and PASSIVE on others, the NetScaler responds if at least one of the virtual servers set to ACTIVE is UP.

arpresponse (ARP Response)
The NetScaler appliance sends ARP responses according to this value. This parameter can be set only if type is set to VIP. Possible values: NONE, ONE_VSERVER, ALL_VSERVERS. Default value: NONE.

w When you select NONE, the NetScaler always responds (even when the virtual server is DOWN).

w When you select ONE_VSERVER, the NetScaler responds if at least one virtual server on this IP address is UP.

w When you select ALL_VSERVERS, the NetScaler responds only if all the virtual servers on this IP address are UP.

vServer (Virtual Server)
Whether virtual servers can use this IP address (the vserver attribute). Possible values: Enabled, Disabled. Default: Enabled.

state (State)
State of the VIP. Possible values: Enabled, Disabled. Default: Enabled.

To configure a VIP address by using the configuration utility

1. In the navigation pane, expand Network, and then click IPs.

2. In the details pane, do one of the following:

• To create a new IP, click Add.

• To modify an existing IP, select the IP, and then click Open.

3. In the Create IP or Configure IP dialog box, set the following parameters:

• IP Address*


• Netmask*

• IP Type: Select VIP.

• ARP Response

• ICMP Response

• ARP

• Virtual Server

• Dynamic Routing

• Host Route

• Gateway IP*

• Metric

• V Server RHI Level

• OSPF LSA Type

• Area

*A required parameter

4. Click Create or OK, and then click Close. The IP address that you configured appears in the details pane.

To create a range of VIP addresses by using the configuration utility

1. In the navigation pane, expand Network, and then click IPs.

2. In the details pane, click Add Range.

3. In the Create IP – Range dialog box, set the following parameters:

• IP Address*

• Netmask*

• Type—type. Select VIP.

• IP Type

• ARP

• ICMP Response

• Virtual Server

• Dynamic Routing

• Host Route

• Gateway IP*

• Metric


• V Server RHI Level

• OSPF LSA Type

• Area

*A required parameter

4. Click Create, and then click Close. The range of IP addresses that you created appears in the details pane.

To enable or disable an IPv4 VIP address by using the NetScaler command line

At the NetScaler command prompt, type one of the following sets of commands to enable or disable a VIP and verify the configuration:

w enable ns ip <IPAddress>

w show ns ip <IPAddress>

w disable ns ip <IPAddress>

w show ns ip <IPAddress>

Example

> enable ns ip 10.102.29.79
 Done
> show ns ip 10.102.29.79
        IP: 10.102.29.79
        Netmask: 255.255.255.255
        Type: VIP
        state: Enabled
        arp: Enabled
        icmp: Enabled
        vserver: Enabled
        management access: Disabled
        telnet: Disabled
        ftp: Disabled
        ssh: Disabled
        gui: Disabled
        snmp: Disabled
        Restrict access: Disabled
        dynamic routing: Disabled
        hostroute: Disabled
 Done

> disable ns ip 10.102.29.79
 Done
> show ns ip 10.102.29.79
        IP: 10.102.29.79
        Netmask: 255.255.255.255
        Type: VIP
        state: Disabled
        arp: Enabled
        icmp: Enabled
        vserver: Enabled
        management access: Disabled
        telnet: Disabled
        ftp: Disabled
        ssh: Disabled
        gui: Disabled
        snmp: Disabled
        Restrict access: Disabled
        dynamic routing: Disabled
        hostroute: Disabled
 Done

To enable or disable a VIP address by using the configuration utility

1. In the navigation pane, expand Network, and then click IPs.

2. In the details pane, on the IPv4s tab, select the VIP address and do one of the following:

• To enable the selected IP address, click Enable.

• To disable the selected IP address, click Disable.

3. In the details pane, verify that the VIP address is enabled or disabled, as appropriate.

Configuring ARP Response Suppression for Virtual IP Addresses (VIPs)

You can configure the NetScaler appliance to respond or not respond to ARP requests for a virtual IP (VIP) address on the basis of the state of the virtual servers associated with that VIP.

For example, if virtual servers V1, of type HTTP, and V2, of type HTTPS, share VIP address 10.102.29.45 on a NetScaler appliance, you can configure the appliance to not respond to any ARP request for VIP 10.102.29.45 if both V1 and V2 are in the DOWN state.

The following three options are available for configuring ARP-response suppression for a virtual IP address.

w NONE. The NetScaler appliance responds to any ARP request for the VIP address, irrespective of the state of the virtual servers associated with the address.

w ONE_VSERVER. The NetScaler appliance responds to any ARP request for the VIP address if at least one of the associated virtual servers is in the UP state.

w ALL_VSERVERS. The NetScaler appliance responds to any ARP request for the VIP address only if all of the associated virtual servers are in the UP state.


The following table shows the behavior of the NetScaler appliance for a VIP with two associated virtual servers, V1 and V2, under each ARP Response setting:

ARP Response   Associated virtual server                STATE 1   STATE 2   STATE 3   STATE 4
-------------  ---------------------------------------  --------  --------  --------  --------
NONE           V1                                       UP        UP        DOWN      DOWN
               V2                                       UP        DOWN      UP        DOWN
               Respond to an ARP request for this VIP?  Yes       Yes       Yes       Yes

ONE_VSERVER    V1                                       UP        UP        DOWN      DOWN
               V2                                       UP        DOWN      UP        DOWN
               Respond to an ARP request for this VIP?  Yes       Yes       Yes       No

ALL_VSERVERS   V1                                       UP        UP        DOWN      DOWN
               V2                                       UP        DOWN      UP        DOWN
               Respond to an ARP request for this VIP?  Yes       No        No        No

Consider an example where you want to test the performance of two virtual servers, V1 and V2, which have the same VIP address but are of different types and are each configured on NetScaler appliances NS1 and NS2. Let's call the shared VIP address VIP1.

V1 load balances servers S1, S2, and S3. V2 load balances servers S4 and S5.

On both NS1 and NS2, for VIP1, the ARP suppression parameter is set to ALL_VSERVERS. If you want to test the performance of V1 and V2 on NS1, you must manually disable V1 and V2 on NS2, so that NS2 does not respond to any ARP request for VIP1.


Figure 1-1.

The execution flow is as follows:

1. Client C1 sends a request to V1. The request reaches R1.

2. R1 does not have an ARP entry for the IP address (VIP1) of V1, so R1 broadcasts an ARP request for VIP1.

3. NS1 replies with source MAC address MAC1 and source IP address VIP1. NS2 does not reply to the ARP request.

4. SW1 learns the port for VIP1 from the ARP reply and updates its bridge table, and R1 updates its ARP entry with MAC1 and VIP1.

5. R1 forwards the packet to address VIP1 on NS1.

6. NS1's load balancing algorithm selects server S2, and NS1 opens a connection between one of its SNIP or MIP addresses and S2. When S2 sends a response to the client, the response returns by the same path.

7. Now you want to test the performance of V1 and V2 on NS2, so you enable V1 and V2 on NS2 and disable them on NS1. NS2 now broadcasts an ARP message for VIP1 (a gratuitous ARP). In the message, MAC2 is the source MAC address and VIP1 is the source IP address.

8. SW1 learns the port number for reaching MAC2 from the ARP broadcast and updates its bridge table to send subsequent client requests for VIP1 to NS2. R1 updates its ARP table.

9. Now suppose the ARP entry for VIP1 times out in the ARP table of R1, and client C1 sends a request for V1. Because R1 does not have an ARP entry for VIP1, it broadcasts an ARP request for VIP1.


10. NS2 replies with source MAC address MAC2 and source IP address VIP1. NS1 does not reply to the ARP request.
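The ARP Response table above and the ICMP Response bullets under "Parameters for configuring VIP addresses" are small decision tables, and it is worth being able to check them without an appliance in front of you. The following Python model is an added example; it is not Citrix code and does not reproduce NetScaler internals. It encodes the rules as the guide states them; the function and parameter names are the example's own, and the treatment of a VIP with no virtual servers bound (counted as "no virtual server UP") is an assumption the guide does not make.

```python
"""Model of NetScaler ARP and ICMP response suppression for a VIP.

Added example, not Citrix code. It encodes the rules stated in the guide so
that the answer for any combination of virtual-server states can be checked
without an appliance. Assumption: a VIP with no virtual servers bound counts
as "no virtual server UP" (the guide does not cover that case).
"""
from typing import Dict, Iterable, Mapping, Tuple

ARP_MODES = ("NONE", "ONE_VSERVER", "ALL_VSERVERS")
ICMP_MODES = ("NONE", "ONE_VSERVER", "ALL_VSERVERS", "VSVR_CNTRLD")


def _any_up(states: Iterable[str]) -> bool:
    return any(s.upper() == "UP" for s in states)


def _all_up(states: Iterable[str]) -> bool:
    states = list(states)
    return bool(states) and all(s.upper() == "UP" for s in states)


def responds_to_arp(arp_response: str, vserver_states: Iterable[str]) -> bool:
    """Does the appliance answer an ARP request for the VIP?

    arp_response   -- the VIP's -arpResponse setting
    vserver_states -- "UP"/"DOWN" for each virtual server bound to the VIP
    """
    mode = arp_response.upper()
    states = list(vserver_states)
    if mode == "NONE":            # always answer, even with every vserver DOWN
        return True
    if mode == "ONE_VSERVER":     # answer if at least one vserver is UP
        return _any_up(states)
    if mode == "ALL_VSERVERS":    # answer only if every vserver is UP
        return _all_up(states)
    raise ValueError(f"unknown arpResponse value: {arp_response!r}")


def responds_to_icmp(icmp_response: str, vservers: Mapping[str, Tuple[str, str]]) -> bool:
    """Does the appliance answer a ping to the VIP?

    icmp_response -- the VIP's -icmpResponse setting
    vservers      -- name -> (state, icmp_vsr_response); the second element is the
                     virtual server's own ICMP VSERVER RESPONSE setting, "ACTIVE" or
                     "PASSIVE", consulted only when icmp_response is VSVR_CNTRLD
    """
    mode = icmp_response.upper()
    states = [state for state, _ in vservers.values()]
    if mode == "NONE":
        return True
    if mode == "ONE_VSERVER":
        return _any_up(states)
    if mode == "ALL_VSERVERS":
        return _all_up(states)
    if mode == "VSVR_CNTRLD":
        active = [state for state, resp in vservers.values() if resp.upper() == "ACTIVE"]
        if not active:            # every vserver PASSIVE: always answer
            return True
        return _any_up(active)    # otherwise answer if an ACTIVE vserver is UP
    raise ValueError(f"unknown icmpResponse value: {icmp_response!r}")


def arp_decision_table(vserver_states: Iterable[str]) -> Dict[str, bool]:
    """One column of the guide's table: the answer under each arpResponse mode."""
    states = list(vserver_states)
    return {mode: responds_to_arp(mode, states) for mode in ARP_MODES}


if __name__ == "__main__":
    # Reproduce the guide's four-state table for V1 and V2.
    for v1, v2 in (("UP", "UP"), ("UP", "DOWN"), ("DOWN", "UP"), ("DOWN", "DOWN")):
        print(f"V1={v1:<4} V2={v2:<4}", arp_decision_table([v1, v2]))
```

Running the module prints the four columns of the table above; the VSVR_CNTRLD branch is the one to consult when virtual servers on the same VIP carry different ICMP VSERVER RESPONSE settings.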

To configure ARP response suppression by using the NetScaler command line

At the NetScaler command prompt, type:

w set ns ip <IPAddress> -arpResponse <arpResponse>

w show ns ip <IPAddress>

Example

> set ns ip 10.102.29.96 -arpResponse ALL_VSERVERS
 Done
> show ns ip 10.102.29.96
        IP: 10.102.29.96
        Netmask: 255.255.255.255
        Type: VIP
        state: Enabled
        arp: Enabled
        arpResponse: ALL_VSERVERS
        icmp: Enabled
        icmpResponse: NONE
        vserver: Enabled
        management access: Disabled
        telnet: Disabled
        ftp: Disabled
        ssh: Disabled
        gui: Disabled
        snmp: Enabled
        Restrict access: Disabled
        dynamic routing: Disabled
        hostroute: Disabled
 Warning: management access is disabled
 Done

Parameter for configuring ARP response suppression

arpresponse (ARP Response)
The NetScaler appliance sends ARP responses according to this value. This parameter can be set only if type is set to VIP. Possible values: NONE, ONE_VSERVER, ALL_VSERVERS. Default value: NONE.

w When you select NONE, the NetScaler always responds (even when the virtual server is DOWN).

w When you select ONE_VSERVER, the NetScaler responds if at least one virtual server on this IP address is UP.

w When you select ALL_VSERVERS, the NetScaler responds only if all the virtual servers on this IP address are UP.


To configure ARP response suppression by using the configuration utility

1. In the navigation pane, expand Network, and then click IPs.

2. In the details pane, select the IP, and then click Open.

3. In the Configure IP dialog box, set the ARP Response parameter.

4. Click OK, and then click Close.

Configuring Subnet IP Addresses (SNIPs)

A subnet IP (SNIP) address is used in connection management and server monitoring. It is not mandatory to specify a SNIP when you initially configure the NetScaler appliance. In a multiple-subnet scenario, the NetScaler IP (NSIP) address, the mapped IP (MIP) address, and the IP address of a server can exist on different subnets. To eliminate the need to configure additional routes on devices such as servers, you can configure subnet IP addresses (SNIPs) on the NetScaler. With Use SNIP (USNIP) mode enabled, a SNIP is the source IP address of a packet sent from the NetScaler to the server, and the SNIP is the IP address that the server uses to access the NetScaler. This mode is enabled by default.

A SNIP enables the NetScaler appliance to connect to a subnet other than the one that contains its MIP and NSIP addresses, as if that subnet were a local network of the appliance. This is very useful in a topology in which back-end servers are connected directly to the NetScaler appliance through an L2 switch and are in subnets other than those of the MIP and NSIP addresses.

When you add a SNIP, a route corresponding to the SNIP is added to the routing table. The NetScaler determines the next hop for a service from the routing table, and if the IP address of the hop is within the range of a SNIP, the NetScaler uses the SNIP to source traffic to the service. When multiple SNIPs cover the IP addresses of the next hops, the SNIPs are used in round robin manner.

The following figure illustrates USNIP mode.


Figure 1-2. USNIP Mode

As an alternative to creating SNIPs one at a time, you can specify a consecutive range of SNIPs.

To configure a SNIP address by using the NetScaler command line

At the NetScaler command prompt, type:

• add ns ip <IPAddress> <netmask> -type <type>

• show ns ip <IPAddress>

Example

> add ns ip 10.102.29.203 255.255.255.0 -type SNIP
 Done
> sh ns ip 10.102.29.103

IP: 10.102.29.103
Netmask: 255.255.255.0
Type: SNIP
state: Enabled
arp: Enabled
icmp: Enabled
vserver: NA
management access: Disabled
telnet: Enabled
ftp: Enabled
ssh: Enabled
gui: Enabled
snmp: Enabled
Restrict access: Disabled
dynamic routing: Disabled


hostroute: Disabled
# free ports: 1032111
Warning: management access is disabled
 Done

To create a range of SNIP addresses by using the NetScaler command line

At the NetScaler command prompt, type:

• add ns ip <IPAddress> <netmask> -type <type>

• show ns ip <IPAddress>

Example

> add ns ip 10.102.29.[205-209] 255.255.255.0 -type SNIP
ip "10.102.29.205" added
ip "10.102.29.206" added
ip "10.102.29.207" added
ip "10.102.29.208" added
ip "10.102.29.209" added
 Done

> sh ns ip
       Ipaddress        Type          Mode     Arp       Icmp      Vserver   State
       ---------        ----          ----     ---       ----      -------   ------
1)     10.102.29.170    NetScaler IP  Active   Enabled   Enabled   NA        Enabled
2)     10.102.29.171    MIP           Active   Enabled   Enabled   NA        Enabled
..
51)    10.102.29.205    SNIP          Active   Enabled   Enabled   NA        Enabled
52)    10.102.29.206    SNIP          Active   Enabled   Enabled   NA        Enabled
53)    10.102.29.207    SNIP          Active   Enabled   Enabled   NA        Enabled
54)    10.102.29.208    SNIP          Active   Enabled   Enabled   NA        Enabled
55)    10.102.29.209    SNIP          Active   Enabled   Enabled   NA        Enabled
 Done
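The two behaviours described above, the bracketed last-octet range accepted by add ns ip and the way USNIP picks a SNIP whose subnet covers the next hop (round robin when several do), are modelled in the following Python example. This is added illustration code, not NetScaler's implementation; the names expand_ip_range, SnipTable and source_for are hypothetical, and the exact round-robin ordering among candidate SNIPs is an assumption, since the guide only states that round robin is used.

```python
import ipaddress
import re

# Added example (not NetScaler code): a model of the "add ns ip" range syntax
# (10.102.29.[205-209]) and of how USNIP chooses a SNIP to source traffic toward
# a next hop. Round-robin order among candidate SNIPs is an assumption.

RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.)\[(\d+)-(\d+)\]$")


def expand_ip_range(spec):
    """Expand '10.102.29.[205-209]' into its individual addresses.
    A plain dotted-quad address is returned as a one-item list."""
    m = RANGE_RE.match(spec)
    if not m:
        return [str(ipaddress.IPv4Address(spec))]   # raises on garbage input
    prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
    if not 0 <= lo <= hi <= 255:
        raise ValueError("invalid last-octet range in %r" % spec)
    return [prefix + str(n) for n in range(lo, hi + 1)]


class SnipTable:
    """NetScaler-owned SNIPs plus the subnet routes they contribute."""

    def __init__(self):
        self.snips = []     # (IPv4Address, IPv4Network), in configuration order
        self._cursor = {}   # per-subnet round-robin position

    def add_ns_ip(self, spec, netmask):
        """Model 'add ns ip <spec> <netmask> -type SNIP'; returns the addresses added."""
        added = []
        for ip in expand_ip_range(spec):
            iface = ipaddress.IPv4Interface("%s/%s" % (ip, netmask))
            self.snips.append((iface.ip, iface.network))
            added.append(ip)
        return added

    def routes(self):
        """Distinct subnet routes the SNIPs add to the routing table."""
        return sorted({str(net) for _, net in self.snips})

    def source_for(self, next_hop):
        """SNIP used to source traffic toward next_hop, or None when no SNIP
        covers it. Several covering SNIPs are handed out in round-robin order."""
        hop = ipaddress.IPv4Address(next_hop)
        cands = [ip for ip, net in self.snips if hop in net]
        if not cands:
            return None
        key = str(next(net for _, net in self.snips if hop in net))
        idx = self._cursor.get(key, 0) % len(cands)
        self._cursor[key] = idx + 1
        return str(cands[idx])
```

A None result from source_for is the case the guide's MIP discussion covers: with no SNIP on the server's subnet the appliance falls back to a MIP, so a defender checking "which address will my servers see" should look at both tables.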


Parameters for configuring SNIP addresses

IPAddress

Unique identification used to represent an entity. This is a required parameter.

netmask

Subnet mask associated with the IP address. This is a required parameter.

type

Type of the IP address. Specify SNIP.

To configure a SNIP address by using the configuration utility

1. In the navigation pane, expand Network, and then click IPs.

2. In the details pane, do one of the following:

• To create a new IP address, click Add.

• To modify an existing IP address, select the address, and then click Open.

3. In the Create IP or Configure IP dialog box, specify values for the following parameters, which correspond to parameters described in “Parameters for configuring SNIP addresses” as shown:

• IP Address*—IPAddress

• Netmask*—netmask

• Type—type (Select SNIP.)

*A required parameter

4. Click Create or OK, and then click Close. The IP address that you configured appears in the details pane.

To create a range of SNIP addresses by using the configuration utility

1. In the navigation pane, expand Network, and then click IPs.

2. In the details pane, click Add Range.

3. In the Create IP – Range dialog box, specify values for the following parameters, which correspond to parameters described in “Parameters for configuring SNIP addresses” as shown:

• IP Address*—IPAddress

• Netmask*—netmask

• Type—type (Select SNIP.)

*A required parameter


4. Click Create, and then click Close. The range of IP addresses that you created appears in the details pane.

To enable or disable USNIP mode by using the NetScaler command line

At the NetScaler command prompt, type one of the following commands:

• enable ns mode usnip

• disable ns mode usnip

To enable or disable USNIP mode by using the configuration utility

1. In the navigation pane, expand System and click Settings.

2. In the details pane, in the Modes and Features group, click Change modes.

3. In the Configure Modes dialog box, do one of the following:

• To enable USNIP, select the Use Subnet IP check box.

• To disable USNIP, clear the Use Subnet IP check box.

4. Click OK.

5. In the Enable/Disable Feature(s)? dialog box, click Yes.

Configuring Mapped IP Addresses (MIPs)

Mapped IP addresses (MIP) are used for server-side connections. A MIP can be considered a default Subnet IP (SNIP) address, because MIPs are used when a SNIP is not available or Use SNIP (USNIP) mode is disabled.

If the mapped IP address is the first in the subnet, the NetScaler appliance adds a route entry, with this IP address as the gateway to reach the subnet. You can create or delete a MIP during run time without rebooting the appliance.

As an alternative to creating MIPs one at a time, you can specify a consecutive range of MIPs.

The following diagram shows the use of the MIP and SNIP addresses in a NetScaler appliance that connects to the backend servers across the subnets.


Figure 1-3. MIP and SNIP addresses

In the setup, if the NetScaler appliance and the backend servers are in the 10.1.1.0/24 subnet, then the appliance uses the MIP address to communicate with the servers. However, if the setup has backend servers on additional subnets, such as 10.2.2.0/24, and there is no router between the NetScaler appliance and the subnet, then you can configure a SNIP address in the 10.2.2.x/24 range, such as 10.2.2.9 in this case, to communicate with the additional subnet.

You can enable the NetScaler appliance to use the MIP to communicate with the additional subnet. However, if the setup has a firewall between the appliance and the server, the firewall might block traffic from sources other than 10.2.2.0/24. In such cases, you need a SNIP address to communicate with the servers.

To create a MIP address by using the NetScaler command line

At the NetScaler command prompt, type:

• add ns ip <IPAddress> <netmask> -type <type>

• show ns ip <IPAddress>

Example

> add ns ip 10.102.29.171 255.255.255.0 -type MIP
 Done
> sh ns ip 10.102.29.171


IP: 10.102.29.171
Netmask: 255.255.255.0
Type: MIP
state: Enabled
arp: Enabled
icmp: Enabled
vserver: NA
management access: Disabled
telnet: Enabled
ftp: Enabled
ssh: Enabled
gui: Enabled
snmp: Enabled
Restrict access: Disabled
dynamic routing: Disabled
hostroute: Disabled
# free ports: 1031960
Warning: management access is disabled
 Done

To create a range of MIP addresses by using the NetScaler command line

At the NetScaler command prompt, type:

• add ns ip <IPAddress> <netmask> -type <type>

• show ns ip <IPAddress>

Example

> add ns ip 10.102.29.[173-175] 255.255.255.0 -type MIP
ip "10.102.29.173" added
ip "10.102.29.174" added
ip "10.102.29.175" added
 Done

> sh ns ip
       Ipaddress        Type          Mode     Arp       Icmp      Vserver   State
       ---------        ----          ----     ---       ----      -------   ------
1)     10.102.29.170    NetScaler IP  Active   Enabled   Enabled   NA        Enabled
2)     10.102.29.171    MIP           Active   Enabled   Enabled   NA        Enabled
..
56)    10.102.29.173    MIP           Active   Enabled   Enabled   NA        Enabled
57)    10.102.29.174    MIP           Active   Enabled   Enabled   NA        Enabled


58)    10.102.29.175    MIP           Active   Enabled   Enabled   NA        Enabled
 Done

Parameters for configuring MIP addresses

IPAddress

Unique identification used to represent an entity. This is a required parameter.

netmask

Subnet mask associated with the IP address. This is a required parameter.

type

Type of the IP address. Specify MIP.

To configure a MIP address by using the configuration utility

1. In the navigation pane, expand Network, and then click IPs.

2. In the details pane, do one of the following:

• To create a new IP address, click Add.

• To modify an existing IP address, select the address, and then click Open.

3. In the Create IP or Configure IP dialog box, specify values for the following parameters, which correspond to parameters described in “Parameters for configuring MIP addresses” as shown:

• IP Address*—IPAddress

• Netmask*—netmask

• Type—type (Select MIP.)

*A required parameter

4. Click Create or OK, and then click Close. The IP address that you configured appears in the details pane.

To create a range of MIP addresses by using the configuration utility

1. In the navigation pane, expand Network, and then click IPs.

2. In the details pane, click Add Range.

3. In the Create IP – Range dialog box, specify values for the following parameters, which correspond to parameters described in “Parameters for configuring MIP addresses” as shown:

• IP Address*—IPAddress

• Netmask*—netmask


• Type—type (Select MIP.)

*A required parameter

4. Click Create, and then click Close. The range of IP addresses that you created appears in the details pane.

Configuring GSLB Site IP Addresses (GSLBIP)

A GSLB site IP (GSLBIP) address is an IP address associated with a GSLB site. It is not mandatory to specify a GSLBIP address when you initially configure the NetScaler appliance. A GSLBIP address is used only when you create a GSLB site.

For more information about creating a GSLB site IP address, see the "Load Balancing" chapter of the Citrix NetScaler Traffic Management Guide at http://support.citrix.com/article/CTX132359.

Removing a NetScaler-Owned IP Address

You can remove any IP address except the NSIP. The following table provides information about the processes you must follow to remove the various types of IP addresses. Before removing a VIP, remove the associated virtual server.

Table 1-1. Implications of Removing a NetScaler-Owned IP Address

IP address type: Implications

Subnet IP address (SNIP): If the IP address being removed is the last IP address in the subnet, the associated route is deleted from the route table. If the IP address being removed is the gateway in the corresponding route entry, the gateway for that subnet route is changed to another NetScaler-owned IP address.

Mapped IP address (MIP): If a SNIP exists, you can remove the MIPs. The NetScaler uses the NSIP and SNIPs to communicate with the servers when the MIP is removed. Therefore, you must also enable Use SNIP (USNIP) mode.

For information about enabling and disabling USNIP mode, see Configuring Subnet IP Addresses (SNIPs).

Virtual Server IP address (VIP): Before removing a VIP, you must first remove the vserver associated with it.


For information about removing the vserver, see the "Load Balancing" chapter of the Citrix NetScaler Traffic Management Guide at http://support.citrix.com/article/CTX132359.

GSLB-Site-IP address: Before removing a GSLB site IP address, you must remove the site associated with it.

For information about removing the site, see the "Global Server Load Balancing" chapter of the Citrix NetScaler Traffic Management Guide at http://support.citrix.com/article/CTX132359.

To remove an IP address by using the NetScaler command line

At the NetScaler command prompt, type:

rm ns ip <IPaddress>

Example

rm ns ip 10.102.29.54

To remove an IP address by using the configuration utility

1. In the navigation pane, expand Network, and then click IPs.

2. On the IPs page, on the IPv4s tab, select the IP address that you want to remove, and then click Remove.

3. In the Remove dialog box, click Yes. A message appears in the status bar, stating that the IP address has been removed successfully.

Configuring Application Access Controls

Application access controls, also known as management access controls, form a unified mechanism for managing user authentication and implementing rules that determine user access to applications and data. You can configure MIPs and SNIPs to provide access for management applications. Management access for the NSIP is enabled by default and cannot be disabled. You can, however, control it by using ACLs.

For information about using ACLs, see "Access Control Lists (ACLs)".


The NetScaler appliance does not support management access to VIPs.

The following table provides a summary of the interaction between management access and specific service settings for Telnet.

Management Access   Telnet (State Configured on the NetScaler)   Telnet (Effective State at the IP Level)
Enable              Enable                                       Enable
Enable              Disable                                      Disable
Disable             Enable                                       Disable
Disable             Disable                                      Disable

The following table provides an overview of the IP addresses used as source IP addresses in outbound traffic.

Application/IP         NSIP   MIP   SNIP   VIP
ARP                    Yes    Yes   Yes    No
Server side traffic    No     Yes   Yes    No
RNAT                   No     Yes   Yes    Yes
ICMP PING              Yes    Yes   Yes    No
Dynamic routing        Yes    No    Yes    Yes

The following table provides an overview of the applications available on these IP addresses.

Application/IP         NSIP   MIP   SNIP   VIP
SNMP                   Yes    Yes   Yes    No
System access          Yes    Yes   Yes    No

You can access and manage the NetScaler by using applications such as Telnet, SSH, GUI, and FTP.

Note: Telnet and FTP are disabled on the NetScaler for security reasons. To enable them, contact customer support. After the applications are enabled, you can apply the controls at the IP level.

To configure the NetScaler to respond to these applications, you need to enable the specific management applications. If you disable management access for an IP address, existing connections that use the IP address are not terminated, but no new connections can be initiated.

Also, the non-management applications running on the underlying FreeBSD operating system are open to protocol attacks, and these applications do not take advantage of the NetScaler appliance's attack prevention capabilities.

You can block access to these non-management applications on a MIP, SNIP, or NSIP. When access is blocked, a user connecting to a NetScaler by using the MIP, SNIP, or NSIP is not able to access the non-management applications running on the underlying operating system.

To configure management access for an IP address by using the NetScaler command line

At the NetScaler command prompt, type:

set ns ip <IPAddress> -mgmtAccess <value> -telnet <value> -ftp <value> -gui <value> -ssh <value> -snmp <value> -restrictAccess (ENABLED | DISABLED)

Example

set ns ip 10.102.29.54 -mgmtAccess enabled -restrictAccess ENABLED

Parameters for customizing a SNIP or MIP address

telnet

Allow Telnet access to the IP address. Possible values: ENABLED, DISABLED. Default: ENABLED.

ftp

Allow File Transfer Protocol (FTP) access to the IP address. Possible values: ENABLED, DISABLED. Default: ENABLED.

gui

Allow Graphical User Interface (GUI) access to the IP address. Possible values: ENABLED, SECUREONLY, DISABLED. Default: ENABLED.

ssh

Allow Secure Shell (SSH) access to the IP address. Possible values: ENABLED, DISABLED. Default: ENABLED.

snmp

Allow Simple Network Management Protocol (SNMP) access to the IP address. Possible values: ENABLED, DISABLED. Default: ENABLED.

mgmtAccess

Allow external access to the IP address. Possible values: ENABLED, DISABLED. Default: DISABLED.


dynamicRouting

Allow dynamic routing on the IP address. Specific to SNIP. Possible values: Enabled, Disabled. Default: Disabled.

restrictAccess

Block access to non-management applications on this IP. This option is applicable to MIPs, SNIPs, and the NSIP, and is disabled by default. Non-management applications may run on the underlying NetScaler FreeBSD operating system. Possible values: ENABLED, DISABLED. Default: DISABLED.
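The Telnet table earlier in this section and the parameter list above together define the effective state of each management service on an IP: the service is reachable only when management access is enabled on that address and the service itself is enabled, with the NSIP always having management access and VIPs never supporting it. The following Python model, added here as illustration and not part of NetScaler, applies those rules and lists the resulting exposed management surface so a reviewer can compare it against policy. The class NsIp, its set_ns_ip and effective methods and management_exposure are hypothetical names; the per-service defaults follow the parameter list above.

```python
# Added example (not NetScaler code): model of per-IP management access
# controls as set by "set ns ip ... -mgmtAccess -telnet -ftp -gui -ssh -snmp
# -restrictAccess" and of the effective per-service state at the IP level.

SERVICES = ("telnet", "ftp", "gui", "ssh", "snmp")


class NsIp:
    def __init__(self, address, ip_type):
        if ip_type not in ("NSIP", "MIP", "SNIP", "VIP"):
            raise ValueError("unknown IP type %r" % ip_type)
        self.address = address
        self.type = ip_type
        # Management access is always on for the NSIP; for MIPs and SNIPs the
        # documented default for mgmtAccess is DISABLED.
        self.mgmt_access = "ENABLED" if ip_type == "NSIP" else "DISABLED"
        self.restrict_access = "DISABLED"
        # Per-service defaults from the parameter list: all ENABLED.
        self.services = {s: "ENABLED" for s in SERVICES}

    def set_ns_ip(self, **params):
        """Model 'set ns ip <address> -<param> <value>' for the parameters
        above; rejects the combinations the guide says are not allowed."""
        for key, value in params.items():
            value = value.upper()
            if key == "mgmtAccess":
                if self.type == "VIP":
                    raise ValueError("management access is not supported on VIPs")
                if self.type == "NSIP" and value == "DISABLED":
                    raise ValueError("management access on the NSIP cannot be disabled")
                self.mgmt_access = value
            elif key == "restrictAccess":
                self.restrict_access = value
            elif key in SERVICES:
                # gui additionally accepts SECUREONLY (HTTPS-only GUI)
                allowed = ("ENABLED", "DISABLED", "SECUREONLY") if key == "gui" \
                    else ("ENABLED", "DISABLED")
                if value not in allowed:
                    raise ValueError("%s: unsupported value %s" % (key, value))
                self.services[key] = value
            else:
                raise ValueError("unknown parameter %s" % key)
        return self

    def effective(self, service):
        """Effective state at the IP level: the service is reachable only when
        management access is enabled AND the service is enabled. This is the
        guide's Telnet table applied to every management service."""
        if self.mgmt_access != "ENABLED":
            return "DISABLED"
        return self.services[service]


def management_exposure(ips):
    """Review helper: every (address, service, state) that is reachable, so
    the exposed management surface can be compared against policy."""
    return sorted(
        (ip.address, s, ip.effective(s))
        for ip in ips
        for s in SERVICES
        if ip.effective(s) != "DISABLED"
    )
```

Because the per-service flags default to ENABLED, the moment mgmtAccess is switched on for a SNIP or MIP every service in the list becomes reachable on that address; the model makes that visible, which is why management_exposure is computed after each change rather than assumed from the flags you set.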

To enable management access for an IP address by using the configuration utility

1. In the navigation pane, expand Network and click IPs.

2. On the IPs page, select the IP address that you want to modify (for example, 10.102.29.54), and then click Open.

3. In the Configure IP dialog box, under Application Access Control, select the Enable Management Access control to support the below listed applications check box.

4. Select the application or applications that you want to enable.

5. To block access to non-management applications on an IP address, select the Allow access only to management applications check box.

6. Click OK.

How the NetScaler Proxies Connections

When a client initiates a connection, the NetScaler appliance terminates the client connection, initiates a connection to an appropriate server, and sends the packet to the server. The appliance does not perform this action for service type UDP or ANY.

For more information about service types, see the "Load Balancing" chapter of the Citrix NetScaler Traffic Management Guide at http://support.citrix.com/article/CTX132359.

You can configure the NetScaler to process the packet before initiating the connection with a server. The default behavior is to change the source and destination IP addresses of a packet before sending the packet to the server. You can configure the NetScaler to retain the source IP address of the packets by enabling Use Source IP mode.

How the Destination IP Address Is Selected

Traffic sent to the NetScaler appliance can be sent to a virtual server or to a service. The appliance handles traffic to virtual servers and services differently. The NetScaler terminates traffic received at a virtual server IP (VIP) address and changes the destination IP address to the IP address of the server before forwarding the traffic to the server, as shown in the following diagram.


Figure 1-4. Proxying Connections to VIPs

Packets destined for a service are sent directly to the appropriate server, and the NetScaler does not modify the destination IP addresses. In this case, the NetScaler functions as a proxy.

How the Source IP Address Is Selected

When the NetScaler appliance communicates with the physical servers or peer devices, by default, it does not use the IP address of the client. The NetScaler maintains a pool of mapped IP addresses (MIPs) and subnet IP addresses (SNIPs), and selects an IP address from this pool to use as the source IP address of a connection to the physical server. Depending on the subnet in which the physical server is placed, the NetScaler decides whether to use a MIP or a SNIP.

Note: If the Use Source IP (USIP) option is enabled, the NetScaler uses the IP address of the client.

Enabling Use Source IP Mode

When the NetScaler appliance communicates with the physical servers or peer devices, by default, it uses one of its own IP addresses as the source IP. The appliance maintains a pool of mapped IP addresses (MIPs) and subnet IP addresses (SNIPs), and selects an IP address from this pool to use as the source IP address for a connection to the physical server. The decision of whether to select a MIP or a SNIP depends on the subnet in which the physical server resides.

If necessary, you can configure the NetScaler appliance to use the client's IP address as the source IP. Some applications need the actual IP address of the client. The following use cases are a few examples:

• The client's IP address in the web access log is used for billing purposes or usage analysis.

• The client's IP address is used to determine the country of origin of the client or the originating ISP of the client. For example, many search engines, such as Google, provide content relevant to the location to which the user belongs.

• The application must know the client's IP address to verify that the request is from a trustworthy source.

• Sometimes, even though an application server does not need the client's IP address, a firewall placed between the application server and the NetScaler may need the client's IP address for filtering the traffic.

Enable Use Source IP (USIP) mode if you want the NetScaler to use the client's IP address for communication with the servers. By default, USIP mode is disabled. USIP mode can be enabled globally on the NetScaler or on a specific service. If you enable it globally, USIP is enabled by default for all subsequently created services. If you enable USIP for a specific service, the client's IP address is used only for the traffic directed to that service.

As an alternative to USIP mode, you have the option of inserting the client's IP address (CIP) in the request header of the server-side connection for an application server that needs the client's IP address.

In earlier NetScaler releases, USIP mode had the following source-port options for server-side connections:

• Use the client's port. With this option, connections cannot be reused. For every request from the client, a new connection is made with the physical server.

• Use proxy port. With this option, connection reuse is possible for all requests from the same client. Before NetScaler release 8.1 this option imposed a limit of 64000 concurrent connections for all server-side connections.

In later NetScaler releases, if USIP is enabled, the default is to use a proxy port for server-side connections and not to reuse connections. Not reusing connections may not affect the speed of establishing connections.

By default, the Use Proxy Port option is enabled if the USIP mode is enabled. For more information about the Use Proxy Port option, see Using the Client Port When Connecting to the Server.

Note: If you enable the USIP mode, it is recommended to enable the Use Proxy Port option.

The following figure shows how the NetScaler uses IP addresses in USIP mode.


Figure 1-5. IP Addressing in USIP Mode

Recommended Usage

Enable USIP in the following situations:

• Load balancing of Intrusion Detection System (IDS) servers

• Stateless connection failover

• Sessionless load balancing

• If you use the Direct Server Return (DSR) mode

Note: When USIP is required in the one-arm mode installation of the NetScaler appliance, make sure that the server's gateway is one of the IP addresses owned by the NetScaler. For more information about NetScaler owned IP addresses, see Configuring NetScaler owned IP addresses.

• If you enable USIP, set the idle timeout for server connections to a value lower than the default value, so that idle connections are cleared quickly on the server side.

For more information about setting an idle time-out value, see the "Load Balancing" chapter of the Citrix NetScaler Traffic Management Guide at http://support.citrix.com/article/CTX132359.

• For transparent cache redirection, if you enable USIP, enable L2CONN also.

• Because HTTP connections are not reused when USIP is enabled, a large number of server-side connections may accumulate. Idle server connections can block connections for other clients. Therefore, set limits on the maximum number of connections to a service. Citrix also recommends setting the HTTP server time-out value, for a service on which USIP is enabled, to a value lower than the default, so that idle connections are cleared quickly on the server side.


To globally enable or disable USIP mode by using the NetScaler command line

At the NetScaler command prompt, type one of the following commands:

• enable ns mode usip

• disable ns mode usip

To enable USIP mode for a service by using the NetScaler command line

At the NetScaler command prompt, type:

set service <ServiceName> -usip (YES | NO)

Example

set service Service-HTTP-1 -usip YES

To globally enable or disable USIP mode by using the configuration utility

1. In the navigation pane, expand System and click Settings.

2. On the Settings page, under Modes and Features, click Configure modes.

3. In the Configure Modes dialog box, do one of the following:

• To enable Use Source IP mode, select the Use Source IP check box.

• To disable Use Source IP mode, clear the Use Source IP check box.

4. Click OK.

5. In the Enable/Disable Feature(s)? dialog box, click Yes.

To enable USIP mode for a service by using the configuration utility

1. In the navigation pane, expand Load Balancing, and then click Services.

2. In the details pane, select the service for which you want to enable USIP mode, and then click Open.

3. In the Configure Service dialog box, click the Advanced tab.


4. Under Settings, select the Use Source IP check box.

5. Click OK.

Configuring Network Address Translation

Network address translation (NAT) involves modification of the source and/or destination IP addresses and/or the TCP/UDP port numbers of IP packets that pass through the NetScaler appliance. Enabling NAT on the appliance enhances the security of your private network, and protects it from a public network such as the Internet, by modifying your network's source IP addresses when data passes through the NetScaler. Also, with the help of NAT entries, your entire private network can be represented by a few shared public IP addresses. The NetScaler supports the following two types of network address translation:

• Inbound NAT (INAT), in which the NetScaler replaces the destination IP address in the packets generated by the client with the private IP address of the server.

• Reverse NAT (RNAT), in which the NetScaler replaces the source IP address in the packets generated by the servers with the public NAT IP addresses.

Configuring INAT

When a client sends a packet to a NetScaler appliance that is configured for Inbound Network Address Translation (INAT), the appliance translates the packet's public destination IP address to a private destination IP address and forwards the packet to the server at that address.

The following configurations are supported:

• IPv4-IPv4 Mapping: A public IPv4 address on the NetScaler appliance listens to connection requests on behalf of a private IPv4 server. The NetScaler appliance translates the packet's public destination IP address to the destination IP address of the server and forwards the packet to the server at that address.

• IPv4-IPv6 Mapping: A public IPv4 address on the NetScaler appliance listens to connection requests on behalf of a private IPv6 server. The NetScaler appliance creates an IPv6 request packet with the IP address of the IPv6 server as the destination IP address.

• IPv6-IPv4 Mapping: A public IPv6 address on the NetScaler appliance listens to connection requests on behalf of a private IPv4 server. The NetScaler appliance creates an IPv4 request packet with the IP address of the IPv4 server as the destination IP address.

• IPv6-IPv6 Mapping: A public IPv6 address on the NetScaler appliance listens to connection requests on behalf of a private IPv6 server. The NetScaler appliance translates the packet's public destination IP address to the destination IP address of the server and forwards the packet to the server at that address.

When the appliance forwards a packet to a server, the source IP address assigned to the packet is determined as follows:


• If use subnet IP (USNIP) mode is enabled and use source IP (USIP) mode is disabled, the NetScaler uses a subnet IP address (SNIP) as the source IP address.

• If USNIP mode is disabled and USIP mode is disabled, the NetScaler uses a mapped IP address (MIP) as the source IP address.

• If USIP mode is enabled, and USNIP mode is disabled, the NetScaler uses the client IP (CIP) address as the source IP address.

• If both USIP and USNIP modes are enabled, USIP mode takes precedence.

• You can also configure the NetScaler to use a unique IP address as the source IP address, by setting the proxyIP parameter.

• If none of the above modes is enabled and a unique IP address has not been specified, the NetScaler attempts to use a MIP as the source IP address.

• If both USIP and USNIP modes are enabled and a unique IP address has been specified, the order of precedence is as follows: USIP-unique IP-USNIP-MIP-Error.

To protect the NetScaler from DoS attacks, you can enable TCP proxy. However, if other protection mechanisms are used in your network, you may want to disable them.

You can create, modify, or remove an INAT entry.

To create an INAT entry by using the NetScaler command line

At the NetScaler command prompt, type the following commands to create an INAT entry and verify its configuration:

• add inat <name> <publicIP> <privateIP> [-tcpproxy ( ENABLED | DISABLED )] [-ftp ( ENABLED | DISABLED )] [-usip ( ON | OFF )] [-usnip ( ON | OFF )] [-proxyIP <ip_addr|ipv6_addr>]

• show inat [<name>]

Example

> add inat ip4-ip4 172.16.1.2 192.168.1.1 -proxyip 10.102.29.171
 Done
> show inat ip4-ip4

1)   NAME: ip4-ip4   Public IP: 172.16.1.2   Private IP: 192.168.1.1
     Tcpproxy: DISABLED   Ftp: DISABLED   USNIP : ON   USIP: ON   Proxy IP: 10.102.29.171
 Done
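The source-address precedence listed above (USIP, then the unique proxyIP, then USNIP, then a MIP, otherwise an error) decides which address a server behind an INAT entry sees, which matters for firewall rules and for server-side logs. The following Python example, added here and not part of NetScaler, models an INAT table built with the add inat parameters from the example and applies that precedence when translating a constructed packet. InatEntry, Appliance, add_inat, select_source and forward are hypothetical names; the usip and usnip defaults follow the example output (both ON), and for brevity the first configured SNIP or MIP is taken rather than matching the server's subnet.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example (not NetScaler code): INAT destination translation plus the
# documented source-IP precedence USIP > proxyIP > USNIP (SNIP) > MIP > Error.


@dataclass
class InatEntry:
    """One 'add inat' entry; defaults mirror the guide's example output."""
    name: str
    public_ip: str
    private_ip: str
    tcpproxy: bool = False
    ftp: bool = False
    usip: bool = True          # -usip ON
    usnip: bool = True         # -usnip ON
    proxy_ip: Optional[str] = None   # -proxyIP, the "unique IP address"


@dataclass
class Appliance:
    snips: list = field(default_factory=list)   # configured SNIPs
    mips: list = field(default_factory=list)    # configured MIPs
    inat: dict = field(default_factory=dict)    # name -> InatEntry

    def add_inat(self, entry):
        """Model 'add inat <name> <publicIP> <privateIP> ...'."""
        if entry.name in self.inat:
            raise ValueError("INAT entry %s already exists" % entry.name)
        self.inat[entry.name] = entry
        return entry

    def select_source(self, entry, client_ip):
        """(kind, address) used as source toward the server, in the order the
        guide states: USIP, unique IP, USNIP, MIP, then Error."""
        if entry.usip:
            return ("CIP", client_ip)
        if entry.proxy_ip:
            return ("proxyIP", entry.proxy_ip)
        if entry.usnip and self.snips:
            return ("SNIP", self.snips[0])
        if self.mips:
            return ("MIP", self.mips[0])
        raise LookupError("no usable source IP: configure a SNIP, a MIP or -proxyIP")

    def forward(self, packet):
        """Translate a constructed {'src','dst'} packet arriving at a public IP.
        Returns the server-side packet, or None when no INAT entry matches."""
        entry = next((e for e in self.inat.values()
                      if e.public_ip == packet["dst"]), None)
        if entry is None:
            return None
        kind, src = self.select_source(entry, packet["src"])
        return {"src": src, "src_kind": kind,
                "dst": entry.private_ip, "inat": entry.name}
```

The LookupError branch is the "Error" at the end of the guide's precedence string; in a real deployment it corresponds to an INAT entry whose server has no reachable NetScaler-owned address to answer to, so provisioning checks should fail closed there rather than silently fall back.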


To modify an INAT entry by using the NetScaler command line

To modify an INAT entry, type the set inat command, the name of the entry, and the parameters to be changed, with their new values.

To remove an INAT configuration by using the NetScaler command line

At the NetScaler command prompt, type:

rm inat <name>

Example

> rm inat ip4-ip4
 Done

Basic parameters for configuring INAT

name

Name of the Inbound NAT entry being added.

publicIP

Public destination IP address of packets received on the NetScaler. This IP address can be an IPv4 or IPv6 address. Possible values: NetScaler-owned VIPs.

privateIP

Private destination IP address of the server to which the packet is sent by the NetScaler. This IP address can be an IPv4 or IPv6 address. Possible values: IP addresses of the servers.

usip

Use source IP mode. Possible values: Enabled, Disabled. Default: Enabled.

usnip

Use subnet IP mode. Possible values: Enabled, Disabled. Default: Enabled.

proxyIP

A unique IP address used as the source IP address in packets sent to the server.

tcpproxy

Allow TCP traffic. Possible values: Enabled, Disabled. Default: Disabled.

ftp

Allow FTP. Possible values: Enabled, Disabled. Default: Disabled.

To configure an INAT entry by using the configuration utility

1. In the navigation pane, expand Network, and then click Routes.

2. On the Routes page, on the INAT tab, do one of the following:

• To create a new INAT entry, click Add.


• To modify an existing INAT entry, select the entry, and then click Open.

3. In the Create INAT or Configure INAT dialog box, specify values for the following parameters, which correspond to parameters described in "Basic parameters for configuring INAT" as shown:

• Name*—name

• Public IP Address*—publicIP

Note: To use an IPv6 address, select the IPv6 check box and enter the address in IPv6 format.

• Private IP Address*—privateIP

Note: To use an IPv6 address, select the IPv6 check box and enter the address in IPv6 format.

• Proxy IP Address—proxyIP

• TCP Proxy Mode—tcpproxy

• FTP Mode—ftp

• Use Source IP Mode—usip

• Use Subnet IP Mode—usnip

* A required parameter

4. Click Create or OK, and then click Close. A message appears in the status bar, stating that the INAT entry has been configured successfully.

To remove an INAT configuration by using the configuration utility

1. In the navigation pane, expand Network, and then click Routes.

2. On the INAT tab, select the name of the INAT configuration that you want to remove.

3. Click Remove, and then click Close. A message appears in the status bar, stating that the INAT has been removed successfully.

Coexistence of INAT and Virtual Servers

If both INAT and RNAT are configured, the INAT rule takes precedence over the RNAT rule. If RNAT is configured with a network address translation IP (NAT IP) address, the NAT IP address is selected as the source IP address for that RNAT client.

The default public destination IP in an INAT configuration is the virtual IP (VIP) address of the NetScaler device. Virtual servers also use VIPs. When both INAT and a virtual server use the same IP address, the vserver configuration overrides the INAT configuration.


Following are a few sample configuration scenarios and their effects.

Case: You have configured a virtual server and a service to send all data packets received on a specific NetScaler port to the server directly. You have also configured INAT and enabled TCP proxy mode (tcpproxy), so that INAT passes all received data packets through the TCP engine before sending them to the server.
Result: All packets received on the NetScaler, except those received on the specified port, pass through the TCP engine.

Case: You have configured a virtual server and a service to send all data packets of service type TCP that are received on a specific NetScaler port to the server after passing through the TCP engine. You have also configured INAT and disabled TCP proxy mode, so that INAT sends received data packets directly to the server.
Result: Only packets received on the specified port pass through the TCP engine.

Case: You have configured a virtual server and a service to send all data packets received to either of two servers. You are attempting to configure INAT to send all data packets received to a different server.
Result: The INAT configuration is not allowed.

Case: You have configured INAT to send all received data packets directly to a server. You are attempting to configure a virtual server and a service to send all data packets received to two different servers.
Result: The virtual server configuration is not allowed.

Stateless NAT46 Translation
The stateless NAT46 feature enables communication between IPv4 and IPv6 networks through IPv4 to IPv6 packet translation, and vice versa, without maintaining any session information on the NetScaler appliance.

For a stateless NAT46 configuration, the appliance translates an IPv4 packet to IPv6 oran IPv6 packet to IPv4 as defined in RFCs 6145 and 2765.

Note: This feature is supported only on NetScaler 10.e and later.


A stateless NAT46 configuration on the NetScaler appliance has the following components:

• IPv4-IPv6 INAT entry—An INAT entry defining a 1:1 relationship between an IPv4 address and an IPv6 address. In other words, an IPv4 address on the appliance listens for connection requests on behalf of an IPv6 server. An IPv4 request packet for this IPv4 address is translated into an IPv6 packet, and then the IPv6 packet is sent to the IPv6 server.

The appliance translates an IPv6 response packet into an IPv4 response packet with its source IP address field set to the IPv4 address specified in the INAT entry. The translated packet is then sent to the client.

• NAT46 IPv6 prefix—A global IPv6 prefix of length 96 bits (128-32=96) configured on the appliance. During IPv4-to-IPv6 translation, the appliance sets the source IP address of the translated IPv6 packet to the concatenation of the NAT46 IPv6 prefix [96 bits] and the IPv4 source address [32 bits] received in the request packet.

During IPv6-to-IPv4 translation, the appliance sets the destination IP address of the translated IPv4 packet to the last 32 bits of the destination IP address of the IPv6 packet.

Consider an example in which an enterprise hosts site www.example.com on server S1, which has an IPv6 address. To enable communication between IPv4 clients and IPv6 server S1, NetScaler appliance NS1 is deployed with a stateless NAT46 configuration that includes an IPv4-IPv6 INAT entry for server S1 and a NAT46 prefix. The INAT entry includes an IPv4 address at which the appliance listens for connection requests from IPv4 clients on behalf of the IPv6 server S1.

The following table lists the settings used in this example:

Entity                                          Name (for reference only)   Value
IP address of the client                        Client_IPv4                 192.0.2.60
IPv6 address of the server S1                   Sevr_IPv6                   2001:DB8:5001::30
IPv4 address defined in the INAT entry for S1   Map-Sevr-IPv4               192.0.2.180
IPv6 prefix for NAT46 translation               NAT46_Prefix                2001:DB8:90::/96

Following is the traffic flow in this example:

1. IPv4 client CL1 sends a request packet to the Map-Sevr-IPv4 address (192.0.2.180) on the NetScaler appliance.

2. The appliance receives the request packet and searches the NAT46 INAT entries for the IPv6 address mapped to the Map-Sevr-IPv4 address (192.0.2.180). It finds the Sevr_IPv6 address (2001:DB8:5001::30).

3. The appliance creates a translated IPv6 request packet with:

• Destination IP address field = Sevr_IPv6 = 2001:DB8:5001::30

• Source IP address field = concatenation of NAT46_Prefix (first 96 bits) and Client_IPv4 (last 32 bits) = 2001:DB8:90::192.0.2.60

4. The appliance sends the translated IPv6 request to Sevr_IPv6.

5. The IPv6 server S1 responds by sending an IPv6 packet to the NetScaler appliance with:

• Destination IP address field = concatenation of NAT46_Prefix (first 96 bits) and Client_IPv4 (last 32 bits) = 2001:DB8:90::192.0.2.60

• Source IP address field = Sevr_IPv6 = 2001:DB8:5001::30

6. The appliance receives the IPv6 response packet and verifies that its destination IP address matches the NAT46 prefix configured on the appliance. Because the destination address matches the NAT46 prefix, the appliance searches the NAT46 INAT entries for the IPv4 address associated with the Sevr_IPv6 address (2001:DB8:5001::30). It finds the Map-Sevr-IPv4 address (192.0.2.180).

7. The appliance creates an IPv4 response packet with:

• Destination IP address field = the NAT46 prefix stripped from the destination address of the IPv6 response = Client_IPv4 (192.0.2.60)

• Source IP address field = Map-Sevr-IPv4 address (192.0.2.180)

8. The appliance sends the translated IPv4 response to client CL1.
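The address arithmetic behind steps 3, 6 and 7 (embedding an IPv4 address in the last 32 bits of a /96 prefix, and stripping it back out only when the destination actually falls inside that prefix) is shown below as an added Python illustration. This is not NetScaler code: the StatelessNat46 and Packet names and their methods are invented for this example; the addresses are those from the table above. The same extract operation is what the prefix-based IPv6-IPv4 translation described later in this chapter ("Configuring Prefix-Based IPv6-IPv4 Translation") performs on a destination address such as 3ffe::74.125.91.105, so that section is covered by this example too.

```python
"""Stateless NAT46 address translation, modelled on the worked example.

Added illustration, not NetScaler code. Class, method and variable names are
hypothetical; the INAT entry and prefix are the values from the example table.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

IPv4 = ipaddress.IPv4Address
IPv6 = ipaddress.IPv6Address


@dataclass(frozen=True)
class Packet:
    """Only the two header fields that NAT46 rewrites."""
    src: str
    dst: str


class StatelessNat46:
    """Address-level model of stateless NAT46 (hypothetical class).

    inat maps a NetScaler-owned public IPv4 address to the private IPv6 server
    it fronts (the 1:1 INAT entries); prefix is the global /96 NAT46 prefix.
    Nothing is remembered per session: every packet is translated from its
    own addresses plus this static configuration.
    """

    def __init__(self, prefix: str, inat: Dict[str, str]) -> None:
        self.prefix = ipaddress.IPv6Network(prefix, strict=True)
        if self.prefix.prefixlen != 96:
            raise ValueError("NAT46 prefix must be 96 bits long (128 - 32)")
        self.v4_to_v6 = {IPv4(pub): IPv6(priv) for pub, priv in inat.items()}
        self.v6_to_v4 = {priv: pub for pub, priv in self.v4_to_v6.items()}

    def embed(self, v4: IPv4) -> IPv6:
        """prefix (first 96 bits) || IPv4 address (last 32 bits)."""
        return IPv6(int(self.prefix.network_address) | int(v4))

    def extract(self, v6: IPv6) -> Optional[IPv4]:
        """Last 32 bits of v6 as IPv4, or None if v6 is not inside the prefix.

        The containment check is step 6 of the flow: a packet whose destination
        is outside the prefix is not NAT46 traffic and must not be translated.
        """
        if v6 not in self.prefix:
            return None
        return IPv4(int(v6) & 0xFFFFFFFF)

    def translate_request(self, pkt: Packet) -> Optional[Packet]:
        """Steps 2-3: IPv4 request to a mapped public address -> IPv6 request."""
        server6 = self.v4_to_v6.get(IPv4(pkt.dst))
        if server6 is None:
            return None  # no INAT entry for this destination: not ours to translate
        return Packet(src=str(self.embed(IPv4(pkt.src))), dst=str(server6))

    def translate_response(self, pkt: Packet) -> Optional[Packet]:
        """Steps 6-7: IPv6 response from the server -> IPv4 response to the client."""
        client4 = self.extract(IPv6(pkt.dst))
        if client4 is None:
            return None  # destination not in the NAT46 prefix
        public4 = self.v6_to_v4.get(IPv6(pkt.src))
        if public4 is None:
            return None  # source has no INAT entry: drop rather than translate
        return Packet(src=str(public4), dst=str(client4))


# Values from the example table: appliance NS1 with one INAT entry for server S1.
NS1 = StatelessNat46("2001:DB8:90::/96", {"192.0.2.180": "2001:DB8:5001::30"})

if __name__ == "__main__":
    print("request  ->", NS1.translate_request(Packet("192.0.2.60", "192.0.2.180")))
    print("response ->", NS1.translate_response(
        Packet("2001:DB8:5001::30", "2001:DB8:90::192.0.2.60")))
    # Same prefix arithmetic as the natprefix feature described later in the chapter.
    print("natprefix ->", StatelessNat46("3ffe::/96", {}).extract(IPv6("3ffe::74.125.91.105")))
```

Running the block prints the translated request and response from the eight-step flow; the two None returns are the cases a translator must refuse, a request for an IPv4 address with no INAT entry and a response that is not addressed into the prefix.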

Configuring Stateless NAT46
Creating the required entities for a stateless NAT46 configuration on the NetScaler appliance involves the following procedures:

1. Create an IPv4-IPv6 mapping INAT entry with stateless mode enabled.


2. Add a NAT46 IPv6 prefix.

To configure an INAT mapping entry by using the NetScaler command line
At the NetScaler command prompt, type:

• add inat <name> <publicIPv4> <privateIPv6> -mode STATELESS

• show inat <name>

To add a NAT46 prefix by using the NetScaler command line
At the NetScaler command prompt, type:

• set inatparam -nat46v6Prefix <ipv6_addr|*>

• show inatparam

Example

> add inat exmpl-com-stls-nat46 192.0.2.180 2001:DB8:5001::30 -mode stateless
 Done
> sh inat exmpl-com-stls-nat46
1)      NAME: exmpl-com-stls-nat46
        Public IP: 192.0.2.180
        Private IP: 2001:db8:5001::30
        Mode: Stateless
 Done

> set inatparam -nat46v6Prefix 2001:DB8:90::/96
 Done

> show inatparam
        INAT related Configuration Parameters
        Nat46v6Prefix : 2001:db8:90::/96
        Nat46IgnoreTOS : NO
        Nat46ZeroCheckSum : ENABLED
        Nat46v6Mtu : 1280
        Nat46FragHeader : ENABLED
 Done

Parameters for configuring an INAT mapping entry
name (Name)

Name for the INAT entry. Must begin with an ASCII alphabetic or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the INAT rule is created.

The following requirement applies only to the NetScaler CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my inat" or 'my inat').


publicIPv4 (Public IP Address)
A NetScaler-owned IPv4 VIP address at which to listen for requests on behalf of an IPv6 server.

privateIPv6 (Private IP Address)
IP address of the IPv6 server for which to translate IPv4 requests received at the address specified by the Public IP Address parameter.

Parameters for adding a NAT46 prefix
nat46v6Prefix (NAT46 Prefix)

A global IPv6 prefix of length 96 bits (128-32=96) configured on the appliance. During IPv4-to-IPv6 translation, the appliance sets the source IP address of the translated IPv6 packet to the concatenation of the NAT46 IPv6 prefix [96 bits] and the IPv4 source address [32 bits] received in the request packet. During IPv6-to-IPv4 translation, the appliance sets the destination IP address of the translated IPv4 packet to the last 32 bits of the destination IP address of the IPv6 packet.

To configure an INAT mapping entry by using the configuration utility

1. In the navigation pane, expand Network, and then click Routes.

2. In the details pane, on the INAT tab, do one of the following:

• To create a new INAT entry, click Add.

• To modify an existing INAT entry, select the entry, and then click Open.

3. In the Create INAT or Configure INAT dialog box, set the following parameters:

• Name*

• Public IP Address*

• Private IP Address* (Select the IPv6 check box and enter the address in IPv6 format.)

• Mode (Select Stateless from the drop-down list.)

* A required parameter

4. Click Create or OK, and then click Close.

To add a NAT46 prefix by using the configuration utility

1. In the navigation pane, expand Network.

2. In the details pane, under Settings, click Configure INAT Parameters.

3. In the Configure INAT Parameters dialog box, set the NAT46 Prefix parameter.

4. Click OK.


Setting Global Parameters for Stateless NAT46
The appliance provides some optional global parameters for stateless NAT46 configurations.

To set global parameters for stateless NAT46 by using the NetScaler command line
At the NetScaler command prompt, type:

• set inatparam [-nat46IgnoreTOS ( YES | NO )] [-nat46ZeroCheckSum ( ENABLED | DISABLED )] [-nat46v6Mtu <positive_integer>] [-nat46FragHeader ( ENABLED | DISABLED )]

• show inatparam

Example

> set inatparam -nat46IgnoreTOS YES -nat46ZeroCheckSum DISABLED -nat46v6Mtu 1400 -nat46FragHeader DISABLED
 Done
> show inatparam
        INAT related Configuration Parameters
        Nat46v6Prefix : 2001:db8:90::/96
        Nat46IgnoreTOS : YES
        Nat46ZeroCheckSum : DISABLED
        Nat46v6Mtu : 1400
        Nat46FragHeader : DISABLED
 Done

Global parameters for stateless NAT46
nat46v6Mtu (NAT46 MTU)

Maximum size, in bytes, of the translated IPv6 packet that the NetScaler appliance sends to the IPv6 destination. If the translated IPv6 packet exceeds this value, the appliance fragments the IPv6 packet and sends the fragments to the IPv6 destination.

nat46IgnoreTOS (NAT46 Ignore TOS)
When set to YES, the appliance sets the TOS (traffic class) field of the translated IPv6 or IPv4 packet to zero, regardless of the TOS value of the IPv4 or IPv6 packet before translation.

nat46ZeroCheckSum (NAT46 Zero Checksum)
When ENABLED, the appliance calculates a checksum for IPv4 UDP packets that carry a zero checksum before translating them into IPv6 UDP packets (IPv6 requires a UDP checksum). When DISABLED, the appliance drops IPv4 UDP packets that carry a zero checksum.

nat46FragHeader (NAT46 Fragment Header)
When ENABLED, the appliance inserts a fragment header in an IPv6 packet translated from an IPv4 packet that has the DF bit set to zero.
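Why nat46ZeroCheckSum exists is easiest to see with the checksum arithmetic in front of you. IPv4 lets a UDP sender omit the checksum by transmitting 0; IPv6 forbids that, so a translator must either compute a checksum over the IPv6 pseudo-header or drop the datagram. The following Python is an added illustration, not NetScaler code: the function names are hypothetical, the DNS-like sample datagram is constructed, and the IPv6 addresses are the ones produced in the NAT46 example earlier in this section. It also shows why a non-zero IPv4 checksum cannot simply be copied across: the pseudo-header addresses change during translation, so the value has to be recomputed.

```python
"""IPv4 UDP zero-checksum handling during NAT46 translation.

Added example, not NetScaler code. zero_checksum_enabled plays the role of the
nat46ZeroCheckSum parameter; everything else here is generic RFC 8200 arithmetic.
"""
import ipaddress
import struct
from typing import Optional

UDP_NEXT_HEADER = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum used by the IPv4, UDP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv6_pseudo_header(src6: str, dst6: str, upper_len: int) -> bytes:
    """RFC 8200 section 8.1: src, dst, 32-bit upper-layer length, 3 zero bytes, next header."""
    return (ipaddress.IPv6Address(src6).packed
            + ipaddress.IPv6Address(dst6).packed
            + struct.pack("!I", upper_len)
            + b"\x00\x00\x00"
            + bytes([UDP_NEXT_HEADER]))


def ipv6_udp_checksum(src6: str, dst6: str, udp: bytes) -> int:
    """Checksum for a UDP segment carried in IPv6; udp's checksum field must be zero."""
    csum = 0xFFFF ^ ones_complement_sum(ipv6_pseudo_header(src6, dst6, len(udp)) + udp)
    return csum or 0xFFFF  # a computed zero is transmitted as all ones


def build_udp(sport: int, dport: int, payload: bytes, checksum: int = 0) -> bytes:
    """UDP header (ports, length, checksum) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), checksum) + payload


def translate_udp_to_ipv6(udp: bytes, src6: str, dst6: str,
                          zero_checksum_enabled: bool) -> Optional[bytes]:
    """Return the UDP segment for the translated IPv6 packet, or None to drop it.

    With zero_checksum_enabled False, an IPv4 datagram carrying checksum 0 is
    dropped, because IPv6 has no legal "no checksum" encoding. Every segment that
    is forwarded gets its checksum recomputed over the new IPv6 pseudo-header.
    """
    if len(udp) < 8:
        return None
    checksum = struct.unpack("!H", udp[6:8])[0]
    if checksum == 0 and not zero_checksum_enabled:
        return None
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    return zeroed[:6] + struct.pack("!H", ipv6_udp_checksum(src6, dst6, zeroed)) + zeroed[8:]


def verify_ipv6_udp(src6: str, dst6: str, udp: bytes) -> bool:
    """Receiver-side check: the sum over pseudo-header + segment must be all ones."""
    return ones_complement_sum(ipv6_pseudo_header(src6, dst6, len(udp)) + udp) == 0xFFFF


# Constructed sample: a DNS-like query sent over IPv4 with UDP checksum 0, then
# translated with the source and destination the NAT46 example produces.
SRC6 = "2001:DB8:90::192.0.2.60"   # NAT46 prefix + client IPv4 address
DST6 = "2001:DB8:5001::30"          # IPv6 server from the INAT entry
ZERO_CSUM_QUERY = build_udp(40000, 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6, checksum=0)

if __name__ == "__main__":
    print("ENABLED :", translate_udp_to_ipv6(ZERO_CSUM_QUERY, SRC6, DST6, True).hex())
    print("DISABLED:", translate_udp_to_ipv6(ZERO_CSUM_QUERY, SRC6, DST6, False))
```

With the parameter enabled the forwarded segment carries a checksum that an IPv6 receiver will accept; with it disabled the same datagram is dropped at the translator, which is the behaviour the parameter description above promises.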

To set global parameters for stateless NAT46 by using the configuration utility

1. In the navigation pane, expand Network.


2. In the details pane, under Settings, click Configure INAT Parameters.

3. In the Configure INAT Parameters dialog box, set the following parameters:

• NAT46 MTU

• NAT46 Ignore TOS

• NAT46 Zero Checksum

• NAT46 Fragment Header

4. Click OK.

Limitations of Stateless NAT46
The following limitations apply to stateless NAT46:

• Translation of IPv4 options is not supported.

• Translation of IPv6 routing headers is not supported.

• Translation of hop-by-hop extension headers of IPv6 packets is not supported.

• Translation of ESP and EH headers of IPv4 packets is not supported.

• Translation of multicast packets is not supported.

• Translation of destination option headers and source routing headers is not supported.

• Translation of fragmented IPv4 UDP packets that do not contain a UDP checksum is not supported.

Configuring RNAT
In Reverse Network Address Translation (RNAT), the NetScaler appliance replaces the source IP addresses in the packets generated by the servers with public NAT IP addresses. By default, the appliance uses a Mapped IP address (MIP) as the NAT IP address. You can also configure the appliance to use a unique NAT IP address for each subnet, and you can configure RNAT by using Access Control Lists (ACLs). Use Source IP (USIP), Use Subnet IP (USNIP), and Link Load Balancing (LLB) modes affect the operation of RNAT. You can display statistics to monitor RNAT.

Note: The ephemeral port range for RNAT on the NetScaler appliance is 1024-65535.

You can use either a network address or an extended ACL as the condition for an RNAT entry:

• Using a network address. When you use a network address, RNAT processing is performed on all of the packets coming from the specified network.

• Using extended ACLs. When you use ACLs, RNAT processing is performed on all packets that match the ACLs. To configure the NetScaler appliance to use a unique IP address for traffic that matches an ACL, you must perform the following three tasks:

a. Configure the ACL.

b. Configure RNAT to change the source IP address and destination port.

c. Apply the ACL.

The following diagram illustrates RNAT configured with an ACL.

Figure 1-6. RNAT with an ACL

You have the following basic choices for the type of NAT IP address:

• Using a MIP or SNIP as the NAT IP address. When using a MIP as the NAT IP address, the NetScaler appliance replaces the source IP addresses of server-generated packets with a MIP. Therefore, the MIP address must be a public IP address. If Use Subnet IP (USNIP) mode is enabled, the NetScaler can use a subnet IP address (SNIP) as the NAT IP address.

• Using a unique IP address as the NAT IP address. When using a unique IP address as the NAT IP address, the NetScaler appliance replaces the source IP addresses of server-generated packets with the unique IP address specified. The unique IP address must be a public NetScaler-owned IP address. If multiple NAT IP addresses are configured for a subnet, NAT IP selection uses the round robin algorithm.

This configuration is illustrated in the following diagram.


Figure 1-7. Using a Unique IP Address as the NAT IP Address

Creating an RNAT Entry
The following instructions provide separate command-line procedures for creating RNAT entries that use different conditions and different types of NAT IP addresses. In the configuration utility, all of the variations can be configured in the same dialog box, so there is only one procedure for configuration utility users.

To create an RNAT entry by using the NetScaler command line
At the NetScaler command prompt, type the command that matches the condition and the type of NAT IP address you want:

• A network address as the condition and a MIP or SNIP as the NAT IP address:

set rnat <IPAddress> <netmask>

• A network address as the condition and a unique IP address as the NAT IP address:

set rnat <IPAddress> <netmask> -natIP <NATIPAddress>

• An ACL as the condition and a MIP or SNIP as the NAT IP address:

set rnat <aclname> [-redirectPort <port>]

• An ACL as the condition and a unique IP address as the NAT IP address:

set rnat <aclname> [-redirectPort <port>] -natIP <NATIPAddress>

Use the following command to verify the configuration:

show rnat

Examples

A network address as the condition and a MIP or SNIP as the NAT IP address:


> set rnat 192.168.1.0 255.255.255.0
 Done
> show rnat
1)      Network: 192.168.1.0    Netmask: 255.255.255.0
        NatIP: *
 Done

A network address as the condition and a unique IP address as the NAT IP address:

> set rnat 192.168.1.0 255.255.255.0 -natIP 10.102.29.50
 Done
> show rnat
1)      Network: 192.168.1.0    Netmask: 255.255.255.0
        NatIP: 10.102.29.50
 Done

If instead of a single NAT IP address you specify a range, RNAT entries are created with all the NetScaler-owned IP addresses, except the NSIP, that fall within the range specified:

> set rnat 192.168.1.0 255.255.255.0 -natIP 10.102.29.[50-110]
 Done
> show rnat
1)      Network: 192.168.1.0    Netmask: 255.255.255.0    NatIP: 10.102.29.59
2)      Network: 192.168.1.0    Netmask: 255.255.255.0    NatIP: 10.102.29.66
3)      Network: 192.168.1.0    Netmask: 255.255.255.0    NatIP: 10.102.29.67
4)      Network: 192.168.1.0    Netmask: 255.255.255.0    NatIP: 10.102.29.79
5)      Network: 192.168.1.0    Netmask: 255.255.255.0    NatIP: 10.102.29.90
6)      Network: 192.168.1.0    Netmask: 255.255.255.0    NatIP: 10.102.29.102
7)      Network: 192.168.1.0    Netmask: 255.255.255.0    NatIP: 10.102.29.103
 Done

An ACL as the condition and a MIP or SNIP as the NAT IP address:

> set rnat acl1
 Done
> show rnat
1)      ACL Name: acl1    NatIP: *
 Done

An ACL as a condition and a unique IP address as the NAT IP address:

> set rnat acl1 -natIP 209.165.202.129
 Done
> show rnat
1)      ACL Name: acl1    NatIP: 209.165.202.129
 Done

If instead of a single NAT IP address you specify a range, RNAT entries are created with all the NetScaler-owned IP addresses, except the NSIP, that fall within the range specified:

> set rnat acl1 -natIP 10.102.29.[50-70]
 Done
> show rnat
1)      ACL Name: acl1    NatIP: 10.102.29.59
2)      ACL Name: acl1    NatIP: 10.102.29.66
3)      ACL Name: acl1    NatIP: 10.102.29.67
 Done

Parameters for creating an RNAT entry
IPAddress

Address of the network or subnet from which the traffic is flowing.

netmask
Subnet mask associated with the network.

aclname
The name of an extended ACL. The rule of the ACL is used as the RNAT condition.

redirectPort
The port to which matching packets are redirected. Applies only when an ACL is the condition.

natIP
Any NetScaler-owned IPv4 address except the NSIP address. The NetScaler appliance replaces the source IP addresses of server-generated packets with the IP address specified. The IP address must be a public NetScaler-owned IP address. If you specify multiple NetScaler-owned IP addresses for this parameter, NAT IP selection uses the round robin algorithm for each session. At the NetScaler command line, you can specify a range of IP addresses for this parameter. All the NetScaler-owned IP addresses, except the NSIP, that fall within the range specified will be set for this parameter.
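Two statements above are worth seeing in code: a NAT IP range is expanded to the NetScaler-owned addresses within it except the NSIP, and when several NAT IPs exist they are selected round robin, once per session. The following Python is an added illustration, not NetScaler code; the owned-address set, the NSIP value, and the function and class names are constructed for this example. Expanding 10.102.29.[50-110] against that constructed set reproduces the seven entries in the show rnat output above. Excluding the NSIP is the security-relevant detail: the management address should never appear as the source of translated server traffic.

```python
"""RNAT NAT IP selection: range expansion and per-session round robin.

Added illustration, not NetScaler code. OWNED and NSIP are constructed data;
expand_natip and RnatEntry are hypothetical names.
"""
import ipaddress
import itertools
import re
from typing import Iterable, List

# Last-octet range syntax accepted at the CLI, for example 10.102.29.[50-110]
RANGE_RE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\[(\d{1,3})-(\d{1,3})\]$")


def expand_natip(spec: str, owned: Iterable[str], nsip: str) -> List[str]:
    """NAT IPs an RNAT entry is created with for `spec`, in ascending order.

    Only addresses the appliance owns qualify, and the NSIP never does: the
    management address must not become a NAT source address.
    """
    pool = {ipaddress.IPv4Address(a) for a in owned} - {ipaddress.IPv4Address(nsip)}
    match = RANGE_RE.match(spec)
    if match is None:
        addr = ipaddress.IPv4Address(spec)
        if addr not in pool:
            raise ValueError(f"{spec} is not a usable NetScaler-owned address")
        return [str(addr)]
    base, lo, hi = match.group(1), int(match.group(2)), int(match.group(3))
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad last-octet range in {spec}")
    wanted = {ipaddress.IPv4Address(f"{base}.{i}") for i in range(lo, hi + 1)}
    return [str(a) for a in sorted(wanted & pool)]


class RnatEntry:
    """RNAT entry with a network condition and a NAT IP pool (hypothetical class)."""

    def __init__(self, network: str, netmask: str, natips: List[str]) -> None:
        self.network = ipaddress.IPv4Network(f"{network}/{netmask}")
        self.natips = list(natips)
        self._rr = itertools.cycle(self.natips) if self.natips else None

    def matches(self, src: str) -> bool:
        """RNAT applies to every packet whose source lies in the network."""
        return ipaddress.IPv4Address(src) in self.network

    def natip_for_new_session(self) -> str:
        """Round robin over the configured NAT IPs, one pick per session.

        With no NAT IP configured ('NatIP: *' in show rnat) the MIP, or a SNIP
        in USNIP mode, is used instead; '*' stands for that case here.
        """
        return next(self._rr) if self._rr else "*"


# Constructed owned-address set for the illustration; .10 is the NSIP.
OWNED = ["10.102.29.10", "10.102.29.59", "10.102.29.66", "10.102.29.67",
         "10.102.29.79", "10.102.29.90", "10.102.29.102", "10.102.29.103",
         "10.102.29.200"]
NSIP = "10.102.29.10"

if __name__ == "__main__":
    natips = expand_natip("10.102.29.[50-110]", OWNED, NSIP)
    print("NAT IPs:", natips)
    entry = RnatEntry("192.168.1.0", "255.255.255.0", natips)
    for i in range(1, 9):
        src = f"192.168.1.{i}"
        if entry.matches(src):
            print(f"session from {src} -> NAT IP {entry.natip_for_new_session()}")
```

Run as a script, the block lists the seven expanded NAT IPs and then shows eight new sessions from 192.168.1.0/24 cycling through them, wrapping back to 10.102.29.59 on the eighth.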

To create an RNAT entry by using the configuration utility

1. In the navigation pane, expand Network, and then click Routes.

2. On the Routes page, click the RNAT tab.

3. In the details pane, click Configure RNAT.

4. In the Configure RNAT dialog box, do one of the following:

• If you want to use the network address as a condition for creating an RNAT entry, click Network. Specify values for the following parameters, which correspond to parameters described in "Parameters for creating an RNAT entry" as shown:

- Network—IPAddress

- Netmask—netmask

• If you want to use an extended ACL as a condition for creating an RNAT entry, click ACL. Specify values for the following parameters, which correspond to parameters described in "Parameters for creating an RNAT entry" as shown:

- ACL Name—aclname

- Redirect Port—redirectPort

5. To use a MIP or SNIP as the NAT IP, skip to Step 7.

6. To set a unique IP address as the NAT IP, in the Available NAT IP(s) list, select the IP address that you want to set as the NAT IP, and then click Add. The NAT IP you selected appears in the Configured NAT IP(s) list.

7. Click Create, and then Close. A message appears in the status bar, stating that the RNAT has been configured successfully.

Monitoring RNAT
You can display RNAT statistics to troubleshoot issues related to IP address translation.

To view RNAT statistics by using the NetScaler command line
At the NetScaler command prompt, type:

stat rnat

Example

> stat rnat

RNAT summary                  Rate (/s)      Total
Bytes Received                        0          0
Bytes Sent                            0          0
Packets Received                      0          0
Packets Sent                          0          0
Syn Sent                              0          0
Current RNAT sessions                --          0
 Done
>

The following table describes the statistics associated with RNAT.

Table 1-2. RNAT Statistics

Statistic            Description
Bytes received       Bytes received during RNAT sessions
Bytes sent           Bytes sent during RNAT sessions
Packets received     Packets received during RNAT sessions
Packets sent         Packets sent during RNAT sessions
Syn sent             Connection requests (SYNs) sent during RNAT sessions
Current sessions     Currently active RNAT sessions

To monitor RNAT by using the configuration utility

1. In the navigation pane, expand Network, and then click Routes.

2. In the details pane, on the RNAT tab, click Statistics. The Statistics dialog box appears, displaying the RNAT statistics.

RNAT in USIP, USNIP, and LLB Modes
When RNAT and Use Source IP (USIP) are both configured, RNAT takes precedence. When RNAT and USNIP are configured, selection of the source IP address is based on the state of USNIP, as follows:

• If USNIP is off, the NetScaler appliance uses the mapped IP address (MIP).

• If USNIP is on, the NetScaler uses a SNIP as the NAT IP address.

This behavior does not apply when a unique NAT IP address is used.


In a topology where the NetScaler appliance performs both Link Load Balancing (LLB) and RNAT for traffic originating from the server, the appliance selects the source IP address based on the router, and the LLB configuration determines which router is selected.

For more information about LLB, see the Citrix NetScaler Traffic Management Guide at http://support.citrix.com/article/CTX132359.

Configuring RNAT for IPv6 Traffic
Reverse Network Address Translation (RNAT) rules for IPv6 packets are called RNAT6s. When an IPv6 packet generated by a server matches the conditions specified in the RNAT6 rule, the appliance replaces the source IPv6 address of the IPv6 packet with a configured NAT IPv6 address before forwarding it to the destination. The NAT IPv6 address is one of the NetScaler-owned SNIP6 or VIP6 addresses.

When configuring an RNAT6 rule, you can specify either an IPv6 prefix or an ACL6 as the condition:

• Using an IPv6 network address. When you use an IPv6 prefix, the appliance performs RNAT processing on those IPv6 packets whose source IPv6 address matches the prefix.

• Using ACL6s. When you use an ACL6, the appliance performs RNAT processing on those IPv6 packets that match the conditions specified in the ACL6.

You have the following options for setting the NAT IP address:

• Specify a set of NetScaler-owned SNIP6 and VIP6 addresses for an RNAT6 rule. The NetScaler appliance uses one of the IPv6 addresses from this set as the NAT IP address for each session. The selection is made per session, using the round robin algorithm.

• Do not specify any NetScaler-owned SNIP6 or VIP6 address for an RNAT6 rule. The NetScaler appliance uses one of its SNIP6 or VIP6 addresses as the NAT IP address. The selection is based on the next-hop network to which an IPv6 packet matching the RNAT6 rule is destined.

To create an RNAT6 rule by using the NetScaler command line
At the NetScaler command prompt, type the following commands to create the rule and verify the configuration:

• add rnat6 <name> (<network> | (<acl6name> [-redirectPort <port>]))

• bind rnat6 <name> <natIP6> ...

• sh rnat6

To modify or remove an RNAT6 rule by using the NetScaler command line
• To modify an RNAT6 rule whose condition is an ACL6, type the set rnat6 <name> command, followed by a new value for the redirectPort parameter.

• To remove an RNAT6 rule, type the clear rnat6 <name> command.

• To verify the configuration, type sh rnat6.

Parameters for configuring an RNAT6 rule
name (Name)

The name of the RNAT6 rule. Must begin with a letter, a number,
or the underscore symbol, and can consist of from 1 to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) characters. Choose a name that helps identify the RNAT6 rule.

network (Network)
IPv6 address of the network on whose traffic you want the NetScaler appliance to do RNAT processing.

acl6name (ACL6 Name)
The name of any configured ACL6 whose action is ALLOW. The rule of the ACL6 is used as the RNAT6 condition.

redirectPort (Redirect Port)
The port number to which the IPv6 packets are redirected. Applicable to TCP and UDP protocols. Minimum value: 1. Maximum value: 65535.

natIP6 (IP6 Binding)
Any NetScaler-owned IPv6 address except the NSIP6 address. The NetScaler appliance replaces the source IP addresses of the server-generated packets with the IP address specified. The IP address must be a public NetScaler-owned IP address. If you specify multiple NetScaler-owned IPv6 addresses for this parameter, NAT IP selection uses the round robin algorithm for each session.

To configure an RNAT6 rule by using the configuration utility
1. In the navigation pane, expand Network, and then click Routes.

2. On the Routes page, click the RNAT6 tab.

3. In the details pane, do one of the following:

• To create an RNAT6 rule, click Add.

• To modify an RNAT6 rule whose condition is an ACL6, select the RNAT6 rule, and then click Open.

4. In the Create RNAT6 dialog box, do one of the following:

• If you want to use an IPv6 network address as the condition for an RNAT6 rule, click Network and set the Network parameter.

• If you want to use an ACL6 as the condition for an RNAT6 rule, click ACL, and then set the ACL6 Name parameter and, optionally, the Redirect Port parameter.

5. If you are modifying an existing rule, in the Configure RNAT6 dialog box, set the Redirect Port parameter.


6. To set a NetScaler-owned IPv6 address as a NAT IP address, in the Available list, select the IPv6 address that you want to set as the NAT IP address, and then click +. The NAT IP address you selected appears in the Configured list.

7. Click Create or OK, and then Close. A message appears in the status bar, stating that the RNAT6 rule has been configured successfully.

Configuring Prefix-Based IPv6-IPv4 Translation
Prefix-based translation is a process of translating packets sent from private IPv6 servers into IPv4 packets, using an IPv6 prefix configured on the NetScaler appliance. This prefix has a length of 96 bits (128-32=96). The IPv6 servers embed the destination IP address of the IPv4 servers or hosts in the last 32 bits of the destination IP address field of the IPv6 packets. The first 96 bits of the destination IP address field are set to the IPv6 NAT prefix.

The NetScaler appliance compares the first 96 bits of the destination IP address of all incoming IPv6 packets to the configured prefix. If there is a match, the NetScaler appliance generates an IPv4 packet and sets its destination IP address to the last 32 bits of the destination IP address of the matched IPv6 packet. IPv6 packets addressed to this prefix have to be routed to the NetScaler so that the IPv6-IPv4 translation is done by the NetScaler.

In the following diagram, 3ffe::/96 is configured as the IPv6 NAT prefix on NetScaler NS1. The IPv6 host sends an IPv6 packet with destination IP address 3ffe::74.125.91.105. NS1 compares the first 96 bits of the destination IP address with the configured prefix, and they match. NS1 then generates an IPv4 packet and sets its destination IP address to 74.125.91.105.


Figure 1-8. IPv6-IPv4 Prefix-Based Translation

To configure prefix-based IPv6-IPv4 translation by using the NetScaler command line
At the NetScaler command prompt, type the following commands to set a NAT prefix and verify its configuration:

• set ipv6 [-natprefix <ipv6_addr|*>]

• show ipv6

Example

> set ipv6 -natprefix 3ffe::/96
 Done
> show ipv6
        IPv6 NAT prefix : 3ffe::/96
        IPv6 RA learning : DISABLED
        ND6 base reachable time : 30000 ms
        ND6 computed reachable time : 16848 ms
        ND6 retransmission time : 1000 ms
 Done


Parameter for configuring prefix-based IPv6-IPv4 translation
natprefix

The prefix used for translating packets from private IPv6 servers to IPv4 packets. This prefix has a length of 96 bits (128-32=96). The IPv6 servers embed the destination IP address of the IPv4 servers or hosts in the last 32 bits of the destination IP address field of the IPv6 packets. The first 96 bits of the destination IP address field are set to the IPv6 NAT prefix. IPv6 packets addressed to this prefix have to be routed to the NetScaler so that the IPv6-IPv4 translation is done by the NetScaler.

To configure prefix-based IPv6-IPv4 translation by using the configuration utility
1. In the navigation pane, expand Network.

2. In the details pane, in the Settings group, click Change IPv6 Settings.

3. In the Configure IPv6 settings dialog box, set the following parameter, which corresponds to the parameter described in "Parameter for configuring prefix-based IPv6-IPv4 translation" as shown:

• IPv6 NAT prefix—natprefix

4. Click OK. A message appears in the status bar, stating that the IPv6 NAT prefix entry has been configured successfully.

Configuring Static ARP
You can add static ARP entries to and remove static ARP entries from the ARP table. After adding an entry, you should verify the configuration. If the IP address, interface, or MAC address changes after you create a static ARP entry, you must remove or manually adjust the static entry. Therefore, creating static ARP entries is not recommended unless necessary.

To add a static ARP entry by using the NetScaler command line

At the NetScaler command prompt, type:

• add arp -IPAddress <ip_addr> -mac <mac_addr> -ifnum <interface_name>

• show arp <IPAddress>

Example

> add arp -ip 10.102.29.6 -mac 00:24:e8:73:ca:ec -ifnum 1/1
 Done
> show arp 10.102.29.6
        IP               MAC                  Iface   VLAN   Origin
        --               ---                  -----   ----   ------
1)      10.102.29.6      00:24:e8:73:ca:ec    1/1     1      DYNAMIC
 Done

To remove a static ARP entry by using the NetScaler command line

At the NetScaler command prompt, type the rm arp command followed by the IP address of the entry.

Parameters for adding a static ARP entry
IPAddress

The IP address of the server.

mac
The MAC address of the server. Type the MAC address with colons (:) as shown in the example above.

ifnum
The physical interface for the ARP entry. Use the show interface command to view the valid interface names.

To add a static ARP entry by using the configuration utility

1. In the navigation pane, expand Network, and then click ARP Table.

2. On the ARP Table page, in the details pane, click Add.

3. In the Create ARP entry dialog box, specify values for the following parameters, which correspond to parameters described in "Parameters for adding a static ARP entry" as shown:

• IP Address*—IPAddress

• MAC Address*—mac

• Interface Number*—ifnum

*A required parameter

4. Click Create or OK, and then click Close. A message appears in the status bar, stating that the ARP entry has been configured successfully.


Setting the Timeout for Dynamic ARP Entries
You can globally set an aging time (time-out value) for dynamically learned ARP entries. The new value applies only to ARP entries that are dynamically learned after the new value is set. Previously existing ARP entries expire after the previously configured aging time.

You can specify an ARP time-out value of from 1 through 1200 seconds.

To set the time-out for dynamic ARP entries by using the NetScaler command line

At the NetScaler command prompt, type the following commands to set the time-out for dynamic ARP entries and verify its configuration:

• set arpparam -timeout <positive_integer>

• show arpparam

Example

> set arpparam -timeout 500
 Done
> show arpparam
        ARP Parameters
        Aging time for ARP table entry : 500
 Done

To set the time-out for dynamic ARP entries to itsdefault value by using the NetScaler command line

At the NetScaler command prompt, type the following commands to set the time-out for dynamic ARP entries to its default value and verify its configuration:

• unset arpparam

• show arpparam

Example

> unset arpparam
 Done
> show arpparam
        ARP Parameters
        Aging time for ARP table entry : 1200
 Done


To set the time-out for dynamic ARP entries by using the configuration utility

1. In the navigation pane, click Network.

2. In the details pane, in the Settings group, click Configure ARP Global Parameters.

3. In the Configure ARP Global Parameters dialog box, type a value for ARP Table Entry Timeout.

4. Click OK. A message appears in the status bar, stating that the ARP Global settings have been changed successfully.

Configuring Neighbor Discovery

Neighbor discovery (ND) is one of the most important protocols of IPv6. It is a message-based protocol that combines the functionality of the Address Resolution Protocol (ARP), Internet Control Message Protocol (ICMP), and Router Discovery. ND allows nodes to advertise their link-layer addresses and to obtain the MAC (link-layer) addresses of neighboring nodes. On the NetScaler, this process is performed by the Neighbor Discovery protocol (ND6).

Neighbor discovery can perform the following functions:

Router Discovery

Enables a host to discover the local routers on an attached link and automatically configure a default router.

Prefix Discovery

Enables the host to discover the network prefixes for local destinations.

Note: Currently, the NetScaler does not support Prefix Discovery.

Parameter Discovery

Enables a host to discover additional operating parameters, such as the MTU and the default hop limit for outbound traffic.

Address Autoconfiguration

Enables hosts to automatically configure IP addresses for interfaces both with and without stateful address configuration services such as DHCPv6. The NetScaler does not support Address Autoconfiguration for global IPv6 addresses.

Address Resolution

Equivalent to ARP in IPv4, enables a node to resolve a neighboring node's IPv6 address to its link-layer address.

Neighbor Unreachability Detection

Enables a node to determine the reachability state of a neighbor.


Duplicate Address Detection

Enables a node to determine whether an IPv6 address (for example, the NSIP address) is already in use by a neighboring node.

Redirect

Equivalent to the IPv4 ICMP Redirect message, enables a router to redirect the host to a better first-hop IPv6 address for reaching a destination.

Note: The NetScaler does not support IPv6 Redirect.

To enable neighbor discovery, you create entries for the neighbors.

Adding IPv6 Neighbors

Adding IPv6 neighbors enables neighbor discovery.

To add an IPv6 neighbor by using the NetScaler command line

At the NetScaler command prompt, type:

• add nd6 <neighbor> <mac> <ifnum> [-vlan <integer>]

• show nd6

Example

> add nd6 2001::1 00:04:23:be:3c:06 1/1 -vlan 1
 Done
> show nd6
     Neighbor                    MAC-Address(Vlan, Interface)    State        TIME
     --------                    ----------------------------    -----        ----
1)   ::1                         00:d0:68:0b:58:da( 1, LO/1)     REACHABLE    PERMANENT
2)   fe80::2d0:68ff:fe0b:58da    00:d0:68:0b:58:da( 1, LO/1)     REACHABLE    PERMANENT
3)   2001::1                     00:04:23:be:3c:06( 1, 1/1)      REACHABLE    STATIC
 Done

Neighbor Discovery Parameters

neighbor

IPv6 address of the neighbor. Mandatory.

mac

MAC (link-layer) address of the neighbor. Mandatory.


ifnum

The interface on which the MAC resides. Mandatory.

vlan

Virtual LAN (VLAN) that the neighbor is part of.

To add an IPv6 neighbor by using the configuration utility

1. In the navigation pane, expand Network and click IPv6 Neighbors.

2. In the details pane, click Add.

3. In the Create IPv6 Neighbor dialog box, in the Neighbor and MAC Address text boxes, respectively, type the IPv6 address and MAC address of the neighbor (for example, 3ffe:100:100::1 and 00:d0:68:0b:58:da).

4. If the neighbor is part of a VLAN, in the VLAN field, type the VLAN ID (for example, 1).

5. In the Interface list box, select the interface of the neighbor (for example, LO/1).

6. Click Create, and click Close.

Removing IPv6 Neighbors

To remove a neighbor discovery entry by using the NetScaler command line

At the NetScaler command prompt, type:

rm nd6 <Neighbor> -vlan <VLANID>

Example

rm nd6 3ffe:100:100::1 -vlan 1

To remove all neighbor discovery entries by using the NetScaler command line

At the NetScaler command prompt, type:

clear nd6

To remove a neighbor discovery entry by using the configuration utility

1. In the navigation pane, expand Network and click IPv6 Neighbors.

2. In the details pane, select the neighbor entry that you want to remove (for example, 3ffe:100:100::1).


3. Click Remove.

To remove all neighbor discovery entries by using the configuration utility

1. In the navigation pane, expand Network and click IPv6 Neighbors.

2. In the IPv6 Neighbors page, click Clear.
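The ARP and ND6 tables are what a practitioner inspects when looking for ARP or Neighbor Discovery spoofing on the segments the appliance is attached to, and the static entries described above (add arp, add nd6) are the usual mitigation for gateways, firewalls and other critical next hops. The following Python script is an added example, not NetScaler code and not part of this guide: it parses the show arp and show nd6 output formats shown in this chapter, compares two snapshots, and flags an IP whose MAC changed between snapshots as well as any "pinned" address that is still learned dynamically instead of being static. The two snapshots and the list of pinned addresses are constructed for the example; nothing was captured from a real appliance.

```python
"""Diff NetScaler ARP / ND6 tables to spot MAC changes and unpinned next hops.

Added example, not NetScaler code. Input is the text of 'show arp' and
'show nd6' as printed by the CLI; the snapshots below are constructed.
"""
import re
from dataclasses import dataclass

# "1)   10.102.29.6   00:24:e8:73:ca:ec   1/1   1   DYNAMIC"
ARP_LINE = re.compile(
    r"^\s*\d+\)\s+(?P<ip>[0-9.]+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"\s+(?P<iface>\S+)\s+(?P<vlan>\d+)\s+(?P<origin>\w+)", re.I)
# "3)   2001::1   00:04:23:be:3c:06( 1, 1/1)   REACHABLE   STATIC"
ND6_LINE = re.compile(
    r"^\s*\d+\)\s+(?P<ip>[0-9a-f:]+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"\(\s*(?P<vlan>\d+),\s*(?P<iface>\S+)\)\s+(?P<state>\w+)\s+(?P<origin>\w+)", re.I)


@dataclass(frozen=True)
class Neighbor:
    ip: str
    mac: str
    iface: str
    vlan: int
    origin: str   # DYNAMIC, STATIC or PERMANENT as printed by the CLI


def parse_table(text):
    """Return {ip: Neighbor} from 'show arp' and/or 'show nd6' output.

    Header lines, 'Done' and prompts match neither pattern and are skipped.
    """
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line) or ND6_LINE.match(line)
        if m:
            d = m.groupdict()
            ip = d["ip"].lower()
            entries[ip] = Neighbor(ip, d["mac"].lower(), d["iface"],
                                   int(d["vlan"]), d["origin"].upper())
    return entries


def find_anomalies(before, after, pinned=()):
    """Compare two snapshots and return (code, ip, detail) tuples.

    MAC_CHANGED     an IP now resolves to another MAC: the classic symptom of
                    ARP/ND spoofing (or a legitimate NIC swap; alert either way)
    NOT_STATIC      an address in `pinned` (gateway, firewall, anything that
                    should have an 'add arp'/'add nd6' entry) is present but
                    DYNAMIC, so a forged reply could overwrite it
    PINNED_MISSING  a pinned address has no entry at all
    """
    findings = []
    for ip, new in after.items():
        old = before.get(ip)
        if old is not None and old.mac != new.mac:
            findings.append(("MAC_CHANGED", ip, f"{old.mac} -> {new.mac}"))
    for ip in pinned:
        entry = after.get(ip.lower())
        if entry is None:
            findings.append(("PINNED_MISSING", ip.lower(), ""))
        elif entry.origin == "DYNAMIC":
            findings.append(("NOT_STATIC", ip.lower(), entry.mac))
    return findings


# Constructed snapshots in the CLI's output format (not from a real device).
SNAPSHOT_T0 = """\
> show arp
     IP               MAC                Iface   VLAN   Origin
     --               ---                -----   ----   ------
1)   10.102.29.1      00:1b:21:3a:9f:10  1/1     1      STATIC
2)   10.102.29.6      00:24:e8:73:ca:ec  1/1     1      DYNAMIC
 Done
> show nd6
     Neighbor     MAC-Address(Vlan, Interface)    State       TIME
1)   2001::1      00:04:23:be:3c:06( 1, 1/1)      REACHABLE   STATIC
 Done
"""
SNAPSHOT_T1 = """\
1)   10.102.29.1      00:1b:21:3a:9f:10  1/1     1      STATIC
2)   10.102.29.6      00:24:e8:73:ca:ec  1/1     1      DYNAMIC
3)   10.102.29.7      00:0c:29:ab:cd:ef  1/1     1      DYNAMIC
1)   2001::1      de:ad:be:ef:00:01( 1, 1/1)      REACHABLE   DYNAMIC
 Done
"""
# Addresses assumed to require static entries (an operator-maintained list).
PINNED = ["10.102.29.1", "2001::1", "10.102.29.254"]

if __name__ == "__main__":
    for code, ip, detail in find_anomalies(parse_table(SNAPSHOT_T0),
                                           parse_table(SNAPSHOT_T1), PINNED):
        print(f"{code:15} {ip:20} {detail}")
```

Run against the constructed snapshots, the script reports that 2001::1 moved to a different MAC and lost its static entry, and that 10.102.29.254 has no entry at all; the newly learned 10.102.29.7 is not reported because nothing is pinned for it. In practice the snapshots would come from periodic show arp / show nd6 runs, and a MAC_CHANGED on a pinned address is the case worth paging on.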

Configuring IP Tunnels

An IP tunnel is a communication channel, created by using an encapsulation technology, between two networks that do not have a routing path between them. Every IP packet exchanged between the two networks is encapsulated within another packet and then sent through the tunnel.

The NetScaler appliance implements IP Tunneling in the following ways:

• NetScaler as an Encapsulator (Load Balancing with DSR mode)

• NetScaler as a Decapsulator

NetScaler as an Encapsulator (Load Balancing with DSR Mode)

Consider an organization that has multiple data centers across different countries, where the NetScaler may be at one location and the back-end servers are located in a different country. In essence, the NetScaler and the back-end servers are on different networks and are connected through a router.

When you configure Direct Server Return (DSR) on this NetScaler, the packet sent from the source subnet is encapsulated by the NetScaler and sent through a router and the tunnel to the appropriate back-end server. The back-end server decapsulates the packet and responds directly to the client, without the response passing through the NetScaler.

NetScaler as a Decapsulator

Consider an organization that has multiple data centers, each with NetScalers and back-end servers. When a packet is sent from data center A to data center B, it is usually sent through an intermediary, such as a router or another NetScaler. The NetScaler processes the packet and then forwards it to the back-end server. However, if an encapsulated packet is sent, the NetScaler must be able to decapsulate the packet before sending it to the back-end servers. To enable the NetScaler to function as a decapsulator, a tunnel is added between the router and the NetScaler. When the encapsulated packet, with its additional header, reaches the NetScaler, the packet is decapsulated (the additional header is removed) and then forwarded to the appropriate back-end servers.


The NetScaler can also be used as a decapsulator for the Load Balancing feature, specifically in scenarios where the number of connections on a vserver exceeds a threshold value and all new connections are diverted to a backup vserver.

Creating IP Tunnels

To create an IP tunnel by using the NetScaler command line

At the NetScaler command prompt, type:

• add iptunnel <name> <remoteIp> <remoteSubnetMask> <localIp> -type -protocol (ipoverip | GRE) -ipsecProfileName <name>

• show iptunnel

To remove an IP tunnel by using the NetScaler command line

To remove an IP tunnel, type the rm iptunnel command and the name of the tunnel.

Parameters for creating an IP tunnel

name

Name of the IP tunnel. This alphanumeric string is required and cannot be changed after the tunnel is created. The name must not exceed 127 characters, and the leading character must be a number or letter. The following characters are also allowed: @ _ - . (period) : (colon) # and space ( ).

remoteIp

A public IPv4 address of the remote NetScaler appliance used to set up the tunnel.

remoteSubnetMask

Subnet mask of the remote IP address of the tunnel.

localIp

A public IPv4 address of the local NetScaler appliance used to set up the tunnel. Possible values: Auto, MIP, SNIP, and VIP. Default: Auto.

protocol

The protocol to be used in setting up the IP tunnel. Select GRE to use the Generic Routing Encapsulation (GRE) protocol to set up a GRE tunnel.

ipsecProfileName

Name of the IPSec profile that is used for securing communication in the GRE tunnel.

To create an IP Tunnel by using the configuration utility

1. In the navigation pane, expand Network, and click IP Tunnels.

2. In the details pane, click Add.

3. In the Add IP Tunnel dialog box, specify values for the following parameters:


• Name*—name

• Remote IP*—remoteIp

• Remote Mask*—remoteSubnetMask

• Local IP Type*—localIp (in the Local IP Type drop-down list, select one of the IP types: Mapped IP, Subnet IP, or Virtual IP. All configured IP addresses of the selected type are then listed in the Local IP drop-down list. Select the desired IP address from that list.)

• Protocol—protocol. If you select GRE, also specify the IPSec profile (ipsecProfileName) in the corresponding field.

*A required parameter.

4. Click Create, and then click Close.

To create an IPv6 tunnel by using the NetScaler command line

At the NetScaler command prompt, type:

• add ip6tunnel <name> <remoteIp> <local>

• show ip6tunnel

To remove an IPv6 tunnel by using the NetScaler command line

To remove an IPv6 tunnel, type the rm ip6tunnel command and the name of the tunnel.

Parameters for creating an IPv6 tunnel

name (Name)

A name for the IPv6 tunnel. This alphanumeric string is required and cannot be changed after the tunnel is created. The name must not exceed 127 characters, and the leading character must be a number or letter. The following characters are also allowed: @ _ - . (period) : (colon) # and space ( ).

remoteIp (Remote IP)

An IPv6 address of the remote NetScaler appliance used to set up the tunnel.

localIp (Local IP Type)

An IPv6 address of the local NetScaler appliance used to set up the tunnel. Possible values: SNIP6 and VIP6. Default: Auto.

To create an IPv6 Tunnel by using the configuration utility

1. In the navigation pane, expand Network, and click IP Tunnels.

2. On the IPv6 Tunnels tab, click Add.

3. In the Create IPv6 Tunnel dialog box, set the following parameters:


• Name*

• Remote IP*

• Local IP Type* (In the Local IP Type drop-down list, select one of the IP types: SNIP6 or VIP6. All configured IPv6 addresses of the selected type are then listed in the Local IP drop-down list. Select the desired IP address from that list.)

*A required parameter.

4. Click Create, and then click Close.

Customizing IP Tunnels Globally

By globally specifying the source IP address, you can assign a common source IP address to all tunnels. Also, because fragmentation is CPU-intensive, you can globally specify that the NetScaler appliance drop any packet that requires fragmentation. Alternatively, if you want packets to be fragmented as long as CPU usage stays below a threshold, you can globally specify that CPU threshold value.

To globally customize IP tunnels by using the NetScaler command line

At the NetScaler command prompt, type the following commands to globally customize IP tunnels and verify the configuration:

• set iptunnelparam -srcIP <sourceIPAddress> -srcIPRoundRobin ( YES | NO ) -dropFrag ( YES | NO ) -dropFragCpuThreshold <positive_integer>

• show iptunnelparam

Example

> set iptunnelparam -srcIP 12.12.12.22 -dropFrag Yes -dropFragCpuThreshold 50
 Done
> show iptunnelparam
        Tunnel Source IP: 12.12.12.22
        Round Robin of Tunnel Source IP: NO
        Drop if Fragmentation Needed: Yes
        CPU usage threshold to avoid fragmentation: 50
 Done
> set iptunnelparam -srcIPRoundRobin YES -dropFrag Yes -dropFragCpuThreshold 50
 Done
> show iptunnelparam
        Tunnel Source IP: 0.0.0.0
        Round Robin of Tunnel Source IP: Yes
        Drop if Fragmentation Needed: Yes
        CPU usage threshold to avoid fragmentation: 50
 Done


Note: To create a new MIP or SNIP address to use as the global source IP address, use the add ns ip command before you type the set iptunnelparam command.

Parameters for customizing IP tunnels globally

srcIP

The common source IP address for all tunnels. Must be a MIP or a SNIP address.

srcIPRoundRobin

Use a different source IP address for each new session through a particular IP tunnel, as determined by round-robin selection of one of the SNIP addresses. This setting is ignored if a common global source IP address has been specified for all the IP tunnels. This setting does not apply to a tunnel for which a source IP address has been specified. Possible values: YES, NO. Default: NO.

dropFrag

Drop any packet that requires fragmentation. Possible values: YES, NO. Default: NO.

dropFragCpuThreshold

Threshold value, as a percentage of CPU usage, at which to drop packets that require fragmentation. Applies only if dropFrag is set to NO. Minimum value: 1. Maximum value: 100. Default: 0 (not set).
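To make the encapsulator and decapsulator roles described earlier concrete, and to show exactly what the dropFrag and dropFragCpuThreshold settings decide, here is a small Python model of a tunnel endpoint. It is an added example, not NetScaler code: it builds the outer IPv4 header (IP-in-IP, protocol 4, or GRE, protocol 47) that an encapsulator prepends, strips it again as a decapsulator, and, when the encapsulated packet would exceed the tunnel MTU, either fragments the outer packet or drops it according to the dropFrag rule. The tunnel endpoints (12.12.12.22 from the example above as the source, 198.51.100.7 as the remote endpoint), the inner addresses and the payload are all constructed.

```python
"""IP-in-IP / GRE encapsulation with the NetScaler-style dropFrag decision.

Added example, not NetScaler code. Tunnel endpoints and payloads are constructed.
"""
import socket
import struct

PROTO_IPIP = 4        # IANA protocol number for IP-in-IP (RFC 2003)
PROTO_GRE = 47        # GRE (RFC 2784)
ETHERTYPE_IPV4 = 0x0800
IPV4_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte header, no options


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum; returns 0 over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ident=0, flags_frag=0, ttl=64):
    """Assemble one IPv4 packet; flags_frag carries DF (0x4000), MF (0x2000) and offset/8."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def fragment(packet, mtu):
    """Split an outer IPv4 packet into fragments that fit mtu (offsets are 8-byte units)."""
    hdr, payload = packet[:20], packet[20:]
    ver_ihl, tos, _, ident, flags_frag, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, hdr)
    if flags_frag & 0x4000:
        raise ValueError("DF is set; the packet cannot be fragmented")
    chunk = (mtu - 20) // 8 * 8
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = 0x2000 if off + chunk < len(payload) else 0
        frags.append(build_ipv4(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, piece,
                                ident=ident, flags_frag=more | (off // 8), ttl=ttl))
    return frags


def encapsulate(inner, tunnel_src, tunnel_dst, protocol, mtu=1500,
                drop_frag=False, drop_frag_cpu_threshold=0, cpu_usage=0):
    """Encapsulator side (e.g. the NetScaler in DSR mode). Returns the packets to emit.

    An empty list means the packet was dropped by the dropFrag policy.
    protocol is 'ipoverip' or 'GRE', matching the add iptunnel -protocol values.
    """
    if protocol == "ipoverip":
        payload, proto = inner, PROTO_IPIP
    elif protocol == "GRE":
        # Minimal GRE header: no checksum/key/sequence bits, protocol type = IPv4.
        payload, proto = struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner, PROTO_GRE
    else:
        raise ValueError("unknown tunnel protocol: %s" % protocol)
    outer = build_ipv4(tunnel_src, tunnel_dst, proto, payload)
    if len(outer) <= mtu:
        return [outer]
    # Fragmentation would be needed. dropFrag YES drops unconditionally; with
    # dropFrag NO, a non-zero dropFragCpuThreshold drops only once CPU usage
    # reaches it, otherwise the outer packet is fragmented.
    if drop_frag or (drop_frag_cpu_threshold and cpu_usage >= drop_frag_cpu_threshold):
        return []
    return fragment(outer, mtu)


def decapsulate(outer):
    """Decapsulator side: verify the outer header and return the inner IPv4 packet."""
    ihl = (outer[0] & 0x0F) * 4
    if ipv4_checksum(outer[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    proto, payload = outer[9], outer[ihl:]
    if proto == PROTO_IPIP:
        return payload
    if proto == PROTO_GRE:
        flags_ver, ptype = struct.unpack("!HH", payload[:4])
        if flags_ver != 0 or ptype != ETHERTYPE_IPV4:
            raise ValueError("unsupported GRE header")
        return payload[4:]
    raise ValueError("not a tunnel packet (protocol %d)" % proto)


# Constructed inner packet: client 10.1.1.5 -> VIP 203.0.113.10, TCP (6), 100-byte payload.
INNER = build_ipv4("10.1.1.5", "203.0.113.10", 6, b"\x00" * 100)

if __name__ == "__main__":
    for proto in ("ipoverip", "GRE"):
        pkts = encapsulate(INNER, "12.12.12.22", "198.51.100.7", proto)
        print(proto, len(pkts[0]), "bytes on the wire;",
              "round trip ok" if decapsulate(pkts[0]) == INNER else "MISMATCH")
```

The point the model makes is the one behind the dropFrag parameters: a full-size 1500-byte inner packet becomes 1520 bytes (1524 with GRE) once encapsulated, so on a 1500-byte tunnel it must either be fragmented by the encapsulator or dropped. Neither choice is free; a DSR deployment usually avoids the problem by lowering the MTU on the client side or the server side of the tunnel. The decapsulator also verifies the outer checksum and refuses unknown protocols rather than blindly forwarding whatever sits behind the outer header.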

To globally customize IP tunnels by using the configuration utility

1. In the navigation pane, expand Network.

2. In the details pane, in the Settings group, click IPv4 Tunnel Global Settings.

3. In the Configure IP Tunnel Global Parameters dialog box, set the following parameters, which correspond to the parameters described in "Parameters for customizing IP tunnels globally" as shown:

• Source IP—srcIP

• Round Robin of Source IP—srcIPRoundRobin

• Drop Packet if Fragmentation is required—dropFrag

• Don’t fragment and drop packet if CPU usage is >= —dropFragCpuThreshold

4. Click OK and then click Close. A message appears in the status bar, stating that the IP Tunnel Global Parameters have been configured successfully.

To globally customize IPv6 tunnels by using the NetScaler command line

At the NetScaler command prompt, type the following commands to globally customize IPv6 tunnels and verify the configuration:

• set ip6tunnelparam -srcIP <IPv6Address> -srcIPRoundRobin ( YES | NO ) -dropFrag ( YES | NO ) -dropFragCpuThreshold <positive_integer>


• show ip6tunnelparam

Note: To create a new VIP6 or SNIP6 address to use as the global source IP address, use the add ns ip6 command before you type the set ip6tunnelparam command.

Parameters for customizing IPv6 tunnels globally

srcIP (Source IP)

The common source IPv6 address for all IPv6 tunnels. Must be a SNIP6 or VIP6 address.

srcIPRoundRobin (Round Robin of Source IP)

Use a different source IPv6 address for each new session through a particular IPv6 tunnel, as determined by round-robin selection of one of the SNIP6 addresses. This setting is ignored if a common global source IPv6 address has been specified for all the IPv6 tunnels. This setting does not apply to a tunnel for which a source IPv6 address has been specified. Possible values: YES, NO. Default: NO.

dropFrag (Drop Packet if Fragmentation is required)

Drop any packet that requires fragmentation. Possible values: YES, NO. Default: NO.

dropFragCpuThreshold (Don't fragment and drop packet if CPU usage is >=)

Threshold value, as a percentage of CPU usage, at which to drop packets that require fragmentation. Applies only if dropFrag is set to NO. Minimum value: 1. Maximum value: 100. Default: 0 (not set).

To globally customize IPv6 tunnels by using the configuration utility

1. In the navigation pane, expand Network.

2. In the details pane, in the Settings group, click IPv6 Tunnel Global Settings.

3. In the Configure IPv6 Tunnel Global Parameters dialog box, set the following parameters:

• Source IP

• Round Robin of Source IP

• Drop Packet if Fragmentation is required

• Don’t fragment and drop packet if CPU usage is >=

4. Click OK and then click Close. A message appears in the status bar, stating that the IPv6 Tunnel Global Parameters have been configured successfully.


Chapter 2

Interfaces

Topics:

• Configuring MAC-Based Forwarding

• Configuring Network Interfaces

• Configuring Forwarding Session Rules

• Understanding VLANs

• Configuring a VLAN

• Configuring NSVLAN

• Configuring Bridge Groups

• Configuring VMACs

• Configuring Link Aggregation

• Binding an SNIP address to an Interface

• Monitoring the Bridge Table and Changing the Aging time

• Understanding NetScaler Appliances in Active-Active Mode Using VRRP

• Configuring Active-Active Mode

• Using the Network Visualizer

Before you begin configuring interfaces, decide whether your configuration can use MAC-based forwarding mode, and either enable or disable this system setting accordingly. The number of interfaces in your configuration is different for the different models of the Citrix® NetScaler® appliance. In addition to configuring individual interfaces, you can logically group interfaces, using VLANs to restrict data flow within a set of interfaces, and you can aggregate links into channels. In a high availability setup, you can configure a virtual MAC (VMAC) address if necessary. If you use L2 mode, you might want to modify the aging of the bridge table.

When your configuration is complete, decide whether you should enable the system setting for path MTU discovery. NetScaler appliances can be deployed in active-active mode using VRRP. An active-active deployment, in addition to preventing downtime, makes efficient use of all the NetScaler appliances in the deployment. You can use the Network Visualizer tool to view the network configuration of a NetScaler deployment and configure interfaces, channels, VLANs, and bridge groups.


Configuring MAC-Based Forwarding

With MAC-based forwarding (MBF) enabled, when a request reaches the NetScaler appliance, the appliance remembers the source MAC address of the frame and uses it as the destination MAC address for the resulting replies. MAC-based forwarding can be used to avoid multiple route/ARP lookups and to avoid asymmetric packet flows. MAC-based forwarding may be required when the NetScaler is connected to multiple stateful devices, such as VPN concentrators or firewalls, because it ensures that the return traffic is sent to the same device that the initial traffic came from.

MAC-based forwarding is useful when you use VPN devices, because it guarantees that all traffic flowing through a VPN passes back through the same VPN device.

The following topology diagram illustrates the process of MAC-based forwarding.

Figure 2-1. MAC-Based Forwarding Mode

When MAC-based forwarding (MBF) is enabled, the NetScaler caches the MAC address of:

• The source (a transmitting device such as a router, firewall, or VPN device) of the inbound connection.

w The server that responds to the requests.

When a server replies through the NetScaler appliance, the appliance sets the destination MAC address of the response packet to the cached address, ensuring that the traffic flows symmetrically, and then forwards the response to the client. The process bypasses the route table lookup and ARP lookup functions. However, when the NetScaler initiates a connection, it uses the route and ARP tables for the lookup. In a direct server return configuration, you must enable MAC-based forwarding.


For more information about direct server return configurations, see the "Load Balancing" chapter of the Citrix NetScaler Traffic Management Guide at http://support.citrix.com/article/CTX132359.

Some deployment topologies may require the incoming and outgoing paths to flowthrough different routers. MAC-based forwarding would break this topology design.

MBF should be disabled in the following situations:

• When you configure link load balancing. In this case, asymmetric traffic flows are desirable because of link costs.

• When a server uses network interface card (NIC) teaming without LACP (IEEE 802.3ad Link Aggregation). To enable MAC-based forwarding in this situation, you must use a layer 3 device between the NetScaler and the server.

Note: MBF can be enabled when the server uses NIC teaming with LACP, because the virtual interface uses one MAC address.

• When firewall clustering is used. Firewall clustering assumes that ARP is used to resolve the MAC address for inbound traffic. The source MAC address of an inbound frame is sometimes an individual member's (non-clustered) MAC address, which should not be used as the destination for the return traffic.

When MBF is disabled, the NetScaler uses L2 or L3 connectivity to forward the responses from servers to the clients. Depending on the route table, the routers used for the outgoing connection and the incoming connection can be different. In the case of reverse traffic (the response from the server):

• If the source and destination are on different IP subnets, the NetScaler uses a route lookup to locate the destination.

• If the source is on the same subnet as the destination, the NetScaler looks up the ARP table to find the network interface and forwards the traffic to it. If the ARP table has no entry for the destination, the NetScaler sends an ARP request for it.
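The following Python script is a small forwarding-plane model of the behavior just described. It is an added example, not NetScaler code: with MBF on, the reply to a connection goes to the MAC address the first frame of that connection came from, with no route or ARP lookup; with MBF off, the next hop comes from the route table and the ARP table. It models the two-firewall case from the text, and also the NIC-teaming-without-LACP case, where frames of one flow arrive from two different source MACs and the cached entry flaps. All addresses, MAC addresses and the topology are constructed.

```python
"""A minimal forwarding-plane model of MAC-based forwarding (MBF).

Added example, not NetScaler code. With MBF on, the reply to a connection is
sent to the MAC the first frame of that connection came from, with no route or
ARP lookup; with MBF off, the next hop comes from the route table and the ARP
table. Addresses, MACs and the topology are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

FW_A_MAC = "00:50:56:aa:00:01"     # firewall A, the default-route next hop
FW_B_MAC = "00:50:56:aa:00:02"     # firewall B, on the same segment
NIC1_MAC = "00:0c:29:bb:00:01"     # server team member 1 (the MAC the team answers ARP with)
NIC2_MAC = "00:0c:29:bb:00:02"     # server team member 2


@dataclass(frozen=True)
class Frame:
    src_mac: str
    in_iface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Appliance:
    mbf: bool
    routes: list                     # (prefix, next_hop or None for a connected route, iface)
    arp: dict                        # next-hop IP -> MAC
    mbf_cache: dict = field(default_factory=dict)   # 4-tuple -> (MAC, iface)
    mac_moves: int = 0               # times the cached MAC for a flow changed
    lookups: int = 0                 # route + ARP lookups performed

    def receive(self, f):
        """Learn the source MAC of an inbound frame for its flow (MBF only)."""
        if not self.mbf:
            return
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        learned = (f.src_mac, f.in_iface)
        if key in self.mbf_cache and self.mbf_cache[key] != learned:
            self.mac_moves += 1      # same flow, different source MAC: non-LACP teaming does this
        self.mbf_cache[key] = learned

    def next_hop(self, src_ip, src_port, dst_ip, dst_port):
        """Destination MAC and interface for a frame from src to dst."""
        reverse = (dst_ip, dst_port, src_ip, src_port)   # the flow as it arrived
        if self.mbf and reverse in self.mbf_cache:
            return self.mbf_cache[reverse]
        self.lookups += 1
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for prefix, nh, iface in self.routes:       # longest-prefix match
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh or dst_ip, iface)
        if best is None:
            raise LookupError("no route to %s" % dst_ip)
        return self.arp[best[1]], best[2]


def reply_to_client(mbf):
    """A client behind firewall B reaches the VIP; where does the reply go?"""
    ns = Appliance(mbf=mbf, routes=[("0.0.0.0/0", "10.0.0.1", "1/1")],
                   arp={"10.0.0.1": FW_A_MAC, "10.0.0.2": FW_B_MAC})
    ns.receive(Frame(FW_B_MAC, "1/1", "198.51.100.5", 40000, "10.0.0.100", 443))
    return ns.next_hop("10.0.0.100", 443, "198.51.100.5", 40000)


def reply_to_teamed_server(mbf):
    """A server answers the appliance from two NICs teamed without LACP."""
    ns = Appliance(mbf=mbf, routes=[("10.0.1.0/24", None, "1/2")],
                   arp={"10.0.1.20": NIC1_MAC})
    ns.receive(Frame(NIC1_MAC, "1/2", "10.0.1.20", 8080, "10.0.1.1", 50000))
    ns.receive(Frame(NIC2_MAC, "1/2", "10.0.1.20", 8080, "10.0.1.1", 50000))
    return ns, ns.next_hop("10.0.1.1", 50000, "10.0.1.20", 8080)


if __name__ == "__main__":
    for mbf in (True, False):
        print("MBF", "on " if mbf else "off", "client reply ->", reply_to_client(mbf))
        ns, hop = reply_to_teamed_server(mbf)
        print("MBF", "on " if mbf else "off", "server next hop ->", hop, "mac moves:", ns.mac_moves)
```

With MBF on, the reply to the client goes back to firewall B, the device the request came through, even though the route table points at firewall A; with MBF off it follows the default route to firewall A, and a stateful firewall B that never sees the reply will eventually time the session out. For the teamed server the picture inverts: with MBF on, the cache is rewritten by every frame and the appliance ends up addressing whichever NIC spoke last, which is exactly why the guide says to put a layer 3 hop between the two or to use LACP, where the team presents a single MAC.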

To enable or disable MAC-based forwarding by using the NetScaler command line

At the NetScaler command prompt, type:

• enable ns mode mbf

• disable ns mode mbf

To enable or disable MAC-based forwarding by using the configuration utility

1. In the navigation pane, expand System, and then click Settings.

2. In the details pane, in the Modes and Features group, click Configure modes.

3. In the Configure Modes dialog box, do one of the following:


• To enable MAC-based forwarding, select the MAC-based forwarding check box.

• To disable MAC-based forwarding, clear the MAC-based forwarding check box.

4. Click OK.

5. In the Enable/Disable Feature(s)? dialog box, click Yes. A message appears in the status bar, stating that the selected modes are enabled and the unselected modes are disabled.

Configuring Network Interfaces

Network interfaces in the NetScaler appliance are numbered in <slot>/<port> notation. After configuring your interfaces, you should display the interfaces and their settings to verify the configuration. You can also display this information to troubleshoot a problem in the configuration.

To manage the network interfaces, you might have to enable some interfaces and disable others. You can reset an interface to renegotiate its settings. You can clear the accumulated statistics for an interface. To verify the configuration, you can display the interface settings. You can display the statistics for an interface to evaluate its health.

Setting the Network Interface Parameters

The network interface configuration is neither synchronized nor propagated. For an HA pair, you must perform the configuration on each unit independently.

Network interface parameters include Link Aggregation Control Protocol (LACP) settings. For more information about LACP, see "Configuring Link Aggregation Using the Link Aggregate Channel Protocol".

To set the network interface parameters by using the NetScaler command line

At the NetScaler command prompt, type:

• set interface <id> [-speed <speed>] [-duplex <duplex>] [-flowControl <flowControl>] [-autoneg ( DISABLED | ENABLED )] [-haMonitor ( ON | OFF )] [-trunk ( ON | OFF )] [-tagall ( ON | OFF )] [-lacpMode <lacpMode>] [-lacpKey <positive_integer>] [-lacpPriority <positive_integer>] [-lacpTimeout ( LONG | SHORT )] [-ifAlias <string>] [-throughput <positive_integer>] [-bandwidthHigh <positive_integer> [-bandwidthNormal <positive_integer>]]

• show interface [<id>]

Example

> set interface 1/8 -duplex full
 Done
> show interface 1/8
        Interface 1/8 (Gig Ethernet 10/100/1000 MBits) #2
        flags=0x4004000 <ENABLED, DOWN, BOUND to LA/1, down, autoneg, 802.1q>
        MTU=1514, MAC=00:d0:68:15:fd:3d, downtime 906h53m53s
        Requested: media UTP, speed AUTO, duplex FULL, fctl OFF, throughput 0

        RX: Pkts(0) Bytes(0) Errs(0) Drops(0) Stalls(0)
        TX: Pkts(0) Bytes(0) Errs(0) Drops(0) Stalls(0)
        NIC: InDisc(0) OutDisc(0) Fctls(0) Stalls(0) Hangs(0) Muted(0)
        Bandwidth thresholds are not set.
 Done

Parameters for setting a network interface

id

The number assigned to the interface.

speed

Ethernet speed for the interface. Possible values: AUTO, 10, 100, 1000, and 10000 Mbps. Default: AUTO. A setting other than AUTO requires the same configuration on the device at the other end of the link. Mismatched speed or duplex configurations can cause link errors, packet loss, and other errors. Some network interfaces do not support certain speeds. An attempt to set an unsupported speed is reported as an error.

duplex

Duplex mode for the interface. Possible values: AUTO, HALF, and FULL. Default: AUTO. AUTO is recommended. If you force HALF or FULL mode, you must manually configure the same mode and an identical speed on both sides of the link.

flowControl

Apply 802.3x flow control to the interface. Possible values: OFF, RX, TX, RXTX, and ON (forced RXTX). Default: OFF. The actual flow control status depends on the auto-negotiation results. Check for and avoid link parameter mismatches, because they can, for example, cause the NetScaler to drop packets or make the link unreachable.

autoneg

Use auto-negotiation on the interface. Possible values: DISABLED and ENABLED.

haMonitor

Monitor the interface for failure events. Possible values: ON and OFF. Default: ON. When ON in an HA configuration, failover occurs when the network interface fails. If a network interface is not being used, or if failover is not required, select OFF. (Also, if the network interface is not used in the configuration, you must disable it.)

tagall

The appliance adds a four-byte 802.1q tag to every packet sent on this interface. ON applies tags for all the VLANs that are bound to this interface. OFF applies the tag for all VLANs other than the native VLAN. Possible values: ON, OFF. Default value: OFF.

lacpMode

LACP mode. Possible values: DISABLED, ACTIVE, and PASSIVE. Default: DISABLED.

lacpKey

Integer identifying the LACP LA channel to which the interface is to be bound.

• For an LA channel of the NetScaler appliance, specifies the variable x of an LA channel in LA/x notation, where x can range from 1 to 4. For example, if you specify 3 as the LACP key for an LA channel, the interface is bound to the LA channel LA/3.

• For an LA channel of a cluster configuration, specifies the variable y of a cluster LA channel in CLA/(y-4) notation, where y can range from 5 to 8. For example, if you specify 6 as the LACP key for a cluster LA channel, the interface is bound to the cluster LA channel CLA/2.

lacpPriority

LACP port priority. Possible values: 1 to 65535. Default: 32768.

lacpTimeout

LACP timeout setting. Possible values: LONG and SHORT. Default: LONG.

ifAlias

Alias name for the interface.

throughput

Minimum required throughput for the interface.

To set the network interface parameters by using the configuration utility

1. In the navigation pane, expand Network, and then click Interfaces.

2. On the Interfaces pane, select the network interface that you want to modify (for example, 1/8), and then click Open.

3. In the Configure Interface dialog box, specify values for the following parameters, which correspond to the parameters described in "Parameters for setting a network interface" as shown:

• Speed—speed

• Duplex—duplex

• Flow Control—flowControl

• Auto Negotiation—autoneg

• HA Monitoring—haMonitor

• Trunk—trunk


• Alias Name—ifAlias

• Throughput—throughput

• Bandwidth High—bandwidthHigh

• Bandwidth Normal—bandwidthNormal

• LACP Mode—lacpMode

• LACP Key—lacpKey

• LACP Timeout—lacpTimeout

• LACP Priority—lacpPriority

4. Click OK. A message appears in the status bar, stating that the interface has been configured successfully.

Enabling and Disabling Network Interfaces

By default, the network interfaces are enabled. You must disable any network interface that is not connected to the network, so that it cannot send or receive packets. Disabling a network interface that is connected to the network in a high availability setup can cause failover.

For more information about high availability, see High Availability.

To enable or disable a network interface by using the NetScaler command line

At the NetScaler command prompt, type one of the following pairs of commands to enable or disable an interface and verify the setting:

• enable interface <interface_num>

• show interface <interface_num>

• disable interface <interface_num>

• show interface <interface_num>

Example

> enable interface 1/8
 Done
> show interface 1/8
        Interface 1/8 (Gig Ethernet 10/100/1000 MBits) #2
        flags=0x4004000 <ENABLED, DOWN, BOUND to LA/1, down, autoneg, 802.1q>
        MTU=1514, MAC=00:d0:68:15:fd:3d, downtime 906h58m40s
        Requested: media UTP, speed AUTO, duplex FULL, fctl OFF, throughput 0

        RX: Pkts(0) Bytes(0) Errs(0) Drops(0) Stalls(0)
        TX: Pkts(0) Bytes(0) Errs(0) Drops(0) Stalls(0)
        NIC: InDisc(0) OutDisc(0) Fctls(0) Stalls(0) Hangs(0) Muted(0)
        Bandwidth thresholds are not set.
 Done

To enable or disable a network interface by using the configuration utility

1. In the navigation pane, expand Network, and then click Interfaces.

2. On the Interfaces pane, select the network interface that you want to enable ordisable, and do one of the following:

• To enable a network interface, click Enable.

• To disable a network interface, click Disable.

A message appears in the status bar, stating that the network interface has been enabled or disabled successfully.

Resetting Network Interfaces

Network interface settings control properties such as duplex and speed. To renegotiate the settings of a network interface, you must reset it.

To reset a network interface by using the NetScaler command line

At the NetScaler command prompt, type the following commands to reset an interface and verify the setting:

• reset interface <interface_num>

• show interface <interface_num>

Example

> reset interface 1/8
 Done
> show interface 1/8
        Interface 1/8 (Gig Ethernet 10/100/1000 MBits) #2
        flags=0x4004000 <disabled, DOWN, BOUND to LA/1, down, autoneg, 802.1q>
        MTU=1514, MAC=00:d0:68:15:fd:3d, downtime 907h04m59s
        Requested: media UTP, speed AUTO, duplex FULL, fctl OFF, throughput 0

        RX: Pkts(0) Bytes(0) Errs(0) Drops(0) Stalls(0)
        TX: Pkts(0) Bytes(0) Errs(0) Drops(0) Stalls(0)
        NIC: InDisc(0) OutDisc(0) Fctls(0) Stalls(0) Hangs(0) Muted(0)
        Bandwidth thresholds are not set.
 Done

To reset a network interface by using the configuration utility

1. In the navigation pane, expand Network, and then click Interfaces.

2. On the Interfaces pane, select the network interface that you want to reset (for example, 1/8).

3. Click Reset Interface. A message appears in the status bar, stating that the network interface has been reset successfully.

Monitoring a Network Interface

You can display network interface statistics to monitor parameters such as packets sent and packets received, throughput, Link Aggregation Control Protocol (LACP) data units, and errors, and use the information to check the health of the network interface. You can clear the statistics of a network interface to monitor its statistics from the time the statistics are cleared.

To display the statistics of the network interfaces by using the NetScaler command line

At the NetScaler command prompt, type:

stat interface <interface_num>

Example

> stat interface 1/8Interface [1/8]:Interface State DOWNLink uptime 00:00:00Link downtime 8.01:01:34

Throughput Statistics                       Rate (/s)     Total
Bytes received                                      0         0
Bytes transmitted                                   0         0

Citrix NetScaler Networking Guide

93


Packets received                                    0         0
Packets transmitted                                 0         0

Packet Statistics                           Rate (/s)     Total
Multicast packets                                   0         0
NetScaler packets                                   0         0

LACP Statistics                             Rate (/s)     Total
LACPDUs received                                    0         0
LACPDUs transmitted                                 0     23166

Error Statistics                            Rate (/s)     Total
Error packets received (hw)                         0         0
Error packets transmitted (hw)                      0         0
Inbound packets discarded (hw)                      0         0
Outbound packets discarded (hw)                     0         0
Packets dropped in Rx (sw)                          0         0
Packets dropped in Tx (sw)                          0     23166
NIC hangs                                          --         0
Status stalls                                      --         0
Transmit stalls                                    --         0
Receive stalls                                     --         0
Error-disables                                     --         0
Duplex mismatches                                  --         0
Link re-initializations                            --         3
MAC moves registered                                0         0
Times NIC become muted                             --         0
 Done
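The counters above are only useful if something reads them. The following script is an added example, not part of this guide or of the NetScaler software: it parses the text of a stat interface report (the sample input below is constructed to mirror the output shown above) into a dictionary and flags the conditions a practitioner checks first on an unhealthy port: a link that is not UP, duplex mismatches, NIC hangs, hardware errors, software transmit drops, link re-initializations (flapping), and LACPDUs being sent with none received. The set of counters treated as "must be zero" is this example's own assumption, not a NetScaler threshold.

```python
"""Parse NetScaler `stat interface` output and flag interface-health problems."""
import re
from typing import Dict, List

# Constructed sample, modelled on the `stat interface 1/8` output shown above.
SAMPLE = """\
Interface [1/8]:
Interface State                                DOWN
Link uptime                                00:00:00
Link downtime                            8.01:01:34

Throughput Statistics              Rate (/s)     Total
Bytes received                             0         0
Bytes transmitted                          0         0
Packets received                           0         0
Packets transmitted                        0         0

LACP Statistics                    Rate (/s)     Total
LACPDUs received                           0         0
LACPDUs transmitted                        0     23166

Error Statistics                   Rate (/s)     Total
Error packets received (hw)                0         0
Packets dropped in Tx (sw)                 0     23166
NIC hangs                                 --         0
Duplex mismatches                         --         0
Link re-initializations                   --         3
"""

# A counter row: a label, two or more spaces, a rate ("--" or a number), then a total.
ROW = re.compile(r"^(?P<label>\S.*?\S)\s{2,}(?P<rate>--|\d+)\s+(?P<total>\d+)\s*$")

# Counters that should stay at zero on a healthy link (this example's assumption).
SHOULD_BE_ZERO = (
    "Duplex mismatches",
    "NIC hangs",
    "Error packets received (hw)",
    "Error packets transmitted (hw)",
    "Packets dropped in Tx (sw)",
)


def parse_stat_interface(text: str) -> dict:
    """Return {"interface": name, "state": UP/DOWN, "counters": {label: total}}."""
    result: dict = {"interface": None, "state": None, "counters": {}}
    for line in text.splitlines():
        line = line.rstrip()
        m = re.match(r"^Interface \[([^\]]+)\]:", line)
        if m:
            result["interface"] = m.group(1)
            continue
        m = re.match(r"^Interface State\s+(\S+)$", line)
        if m:
            result["state"] = m.group(1)
            continue
        m = ROW.match(line)
        if m:  # section headers ("... Rate (/s) Total") never match ROW
            result["counters"][m.group("label")] = int(m.group("total"))
    return result


def health_findings(parsed: dict) -> List[str]:
    """List the conditions worth a closer look, in the order they are checked."""
    name = parsed["interface"]
    c: Dict[str, int] = parsed["counters"]
    findings: List[str] = []
    if parsed["state"] != "UP":
        findings.append(f"{name}: link state is {parsed['state']}")
    for label in SHOULD_BE_ZERO:
        if c.get(label, 0) > 0:
            findings.append(f"{name}: {label} = {c[label]}")
    if c.get("Link re-initializations", 0) > 0:
        findings.append(f"{name}: link re-initialized {c['Link re-initializations']} "
                        "time(s) (flapping or repeated renegotiation)")
    if c.get("LACPDUs transmitted", 0) > 0 and c.get("LACPDUs received", 0) == 0:
        findings.append(f"{name}: sending LACPDUs but receiving none "
                        "(peer port not running LACP?)")
    return findings


if __name__ == "__main__":
    for finding in health_findings(parse_stat_interface(SAMPLE)):
        print(finding)
```

On the sample above the script reports the DOWN state, the 23166 software transmit drops, the three link re-initializations and the one-way LACP exchange; the LACP finding is the one that most often explains a channel member stuck DOWN, because the switch side was never configured for LACP.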


To display the statistics of an interface by using the configuration utility

1. In the navigation pane, expand Network and click Interfaces.

2. On the Interfaces page, select the network interface whose statistics you want to display (for example, 1/8).

3. Click Statistics.

To clear a network interface's statistics by using the NetScaler command line

At the NetScaler command prompt, type:

clear interface <interface_num>

Example

> clear interface 1/8
 Done

To clear a network interface's statistics by using the configuration utility

1. In the navigation pane, expand Network, and then click Interfaces.

2. On the Interfaces pane, select the network interface whose statistics you want to clear (for example, 1/8).

3. Click Clear Statistics. A message appears in the status bar, stating that the statistics have been successfully cleared.

Configuring Forwarding Session Rules

By default, the NetScaler appliance does not create session entries for traffic that it only forwards (L3 mode). For a case in which a client request that the appliance forwards to a server results in a response that has to return by the same path, you can create a forwarding-session rule. A forwarding-session rule creates forwarding-session entries for traffic that originates from or is destined for a particular network and is forwarded by the NetScaler.


To create a forwarding session rule by using the NetScaler command line

At the NetScaler command prompt, type the following commands to create a forwarding-session rule and verify the configuration:

• add forwardingSession <name> [<network> <netmask>] | [-aclname <string>] -connfailover (ENABLED | DISABLED)

• show forwardingSession

Examples

A network address as the condition:

> add forwardingSession fs-nw-1 10.102.105.51 255.255.255.255
 Done

> show forwardingSession fs-nw-1
1)      Forward Session: fs-nw-1
        Network: 10.102.105.51  Netmask: 255.255.255.255
 Done

An ACL as the condition:

> add forwardingSession fs-acl-1 acl1
 Done

> show forwardingSession fs-acl-1
1)      Forward Session: fs-acl-1
        ACL Name: acl1
 Done

Parameters for configuring a forwarding session rule

name (Name)

The name of the forwarding session rule that you are configuring. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 127 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols.

network (Subnet IP)

The network address from which the forwarded traffic originates or to which it is destined.


netmask (Netmask)

Subnet mask associated with the network.

aclname (ACL Name)

The name of an extended ACL with action set to ALLOW. The rule specified in the ACL is used as a forwarding-session rule.

connfailover

Synchronize connection information with the secondary appliance in the high availability (HA) pair. When the parameter is set, all connection-related information for the forwarding session is synchronized with the secondary appliance. Possible values: ENABLED, DISABLED. Default: DISABLED.

To configure a forwarding session rule by using the configuration utility

1. In the navigation pane, expand Network, and then click Forwarding Sessions.

2. In the details pane, click Add.

3. In the Create Forwarding Session dialog box, set the Name parameter.

4. Do one of the following:

• If you want to use the network address as a condition for creating a forwarding session rule, click Subnet and set the following parameters:

• Subnet IP

• Netmask

• If you want to use an extended ACL as a condition for creating a forwarding session rule, click ACL and set the ACL Name parameter.

5. If the appliance is configured as a high availability node, and you want to synchronize the forwarding session's connection information with the secondary node, select Connection Failover.

6. Click Create, and then Close. A message appears in the status bar, stating that the forwarding session rule has been configured successfully.

Understanding VLANs

A NetScaler appliance supports Layer 2 port and IEEE 802.1q tagged VLANs. VLAN configurations are useful when you need to restrict traffic to certain groups of stations. You can configure a network interface as a part of multiple VLANs by using IEEE 802.1q tagging.

You can configure VLANs and bind them to IP subnets. The NetScaler then performs IP forwarding between these VLANs (if it is configured as the default router for the hosts on these subnets).

The NetScaler supports the following types of VLANs:


Port-Based VLANs. The membership of a port-based VLAN is defined by a set of network interfaces that share a common, exclusive Layer 2 broadcast domain. You can configure multiple port-based VLANs. By default, all network interfaces on the NetScaler are members of VLAN 1.

If you apply 802.1q tagging to the port, the network interface belongs to a port-based VLAN. Layer 2 traffic is bridged within a port-based VLAN, and Layer 2 broadcasts are sent to all members of the VLAN if Layer 2 mode is enabled. When you add an untagged network interface as a member of a new VLAN, it is removed from its current VLAN.

Default VLAN. By default, the network interfaces on the NetScaler are included in a single, port-based VLAN as untagged network interfaces. This VLAN is the default VLAN. It has a VLAN ID (VID) of 1. This VLAN exists permanently. It cannot be deleted, and its VID cannot be changed.

When you add a network interface to a different VLAN as an untagged member, the network interface is automatically removed from the default VLAN. If you unbind a network interface from its current port-based VLAN, it is added to the default VLAN again.

Tagged VLANs. 802.1q tagging (defined in the IEEE 802.1q standard) allows a networking device (such as the NetScaler) to add information to a frame at Layer 2 to identify the VLAN membership of the frame. Tagging allows network environments to have VLANs that span multiple devices. A device that receives the packet reads the tag and recognizes the VLAN to which the frame belongs. Some network devices do not support receiving both tagged and untagged packets on the same network interface, in particular Force10 switches. In such cases, you need to contact customer support for assistance.

The network interface can be a tagged or untagged member of a VLAN. Each network interface is an untagged member of one VLAN only (its native VLAN). This network interface transmits the frames for the native VLAN as untagged frames. A network interface can be a part of more than one VLAN if the other VLANs are tagged.

When you configure tagging, be sure to match the configuration of the VLAN on both ends of the link. The port to which the NetScaler connects must be on the same VLAN as the NetScaler network interface.

Note: This interface-specific VLAN configuration is neither synchronized nor propagated; therefore you must perform the configuration on each unit in an HA pair independently.

Applying Rules to Classify Frames

VLANs have two types of rules for classifying frames:

Ingress rules. Ingress rules classify each frame as belonging only to a single VLAN. When a frame is received on a network interface, the following rules are applied to classify the frame:

• If the frame is untagged, or has a tag value equal to 0, the VID of the frame is set to the port VID (PVID) of the receiving interface, which is classified as belonging to the native VLAN. (PVIDs are defined in the IEEE 802.1q standard.)


• If the frame has a tag value equal to 0xFFF (VID 4095, which is reserved by the IEEE 802.1q standard), the frame is dropped.

• If the VID of the frame specifies a VLAN of which the receiving network interface is not a member, the frame is dropped. For example, a frame tagged with VID 12 that arrives on a network interface that is a member only of VLAN 10 is dropped, and so is a frame tagged with VID 9 that arrives on a network interface whose PVID is 10 and that is not a tagged member of VLAN 9.

Egress Rules. The following egress rules are applied:

• If the VID of the frame specifies a VLAN of which the transmitting network interface is not a member, the frame is discarded.

• During the learning process (defined by the IEEE 802.1q standard), the source MAC address and VID of the frame are used to update the bridge lookup table of the NetScaler.

• A frame is discarded if its VID specifies a VLAN that does not have any members. (You define members by binding network interfaces to a VLAN.)

VLANs and Packet Forwarding on the NetScaler

The forwarding process on the NetScaler appliance is similar to that on any standard switch. However, the NetScaler performs forwarding only when Layer 2 mode is on. The key features of the forwarding process are:

• Topology restrictions are enforced. Enforcement involves selecting each network interface in the VLAN as a transmission port (depending on the state of the network interface), bridging restrictions (do not forward on the receiving network interface), and MTU restrictions.

• Frames are filtered on the basis of information in the bridge table lookup in the forwarding database (FDB) table of the NetScaler. The bridge table lookup is based on the destination MAC and the VID. Packets addressed to the MAC address of the NetScaler are processed at the upper layers.

• All broadcast and multicast frames are forwarded to each network interface that is a member of the VLAN, but forwarding occurs only if L2 mode is enabled. If L2 mode is disabled, the broadcast and multicast packets are dropped. This is also true for MAC addresses that are not currently in the bridging table.

• A VLAN entry has a list of member network interfaces that are part of its untagged member set. When forwarding frames to these network interfaces, a tag is not inserted in the frame.

• If the network interface is a tagged member of this VLAN, the tag is inserted in the frame when the frame is forwarded.

When the appliance sends a broadcast or multicast packet for which the VLAN has not yet been identified, for example during duplicate address detection (DAD) for the NSIP or IPv6 neighbor discovery (ND6) for the next hop of a route, the packet is sent out on all network interfaces, with tagging applied according to the ingress and egress rules. ND6 usually identifies a VLAN, after which data packets are sent on that VLAN only. Port-based VLANs are common to IPv4 and IPv6. For IPv6, the NetScaler also supports prefix-based VLANs.
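The ingress rules, egress rules and forwarding features above are easier to reason about as code. The following simulation is an added example written for this page, not NetScaler code: it models ports with a PVID and a set of tagged VLANs, classifies a frame on ingress (untagged or VID 0 to the PVID, reserved VID 0xFFF dropped, non-member VID dropped), learns the source MAC per VLAN into a bridge table, then forwards known unicast to the learned port and floods broadcast, multicast and unknown unicast to the VLAN's members, never back out the receiving port, tagging on egress only where the port is a tagged member, and bridging nothing at all when Layer 2 mode is off. The port names and MAC addresses in the usage below are constructed.

```python
"""Simulation of the VLAN ingress/egress rules and Layer 2 forwarding described above.
Added example, not Citrix code; the bridge is simplified to the rules on this page."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

VID_NULL = 0          # a tag carrying VID 0 is a priority tag: classified like untagged
VID_RESERVED = 0xFFF  # VID 4095 is reserved by 802.1Q and always dropped on ingress
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None  # None = no 802.1q tag on the wire


@dataclass
class Port:
    name: str                  # <slot>/<port>, e.g. "1/2"
    pvid: int = 1              # native VLAN: untagged member of exactly one VLAN (default VLAN 1)
    tagged: Set[int] = field(default_factory=set)  # VLANs of which the port is a tagged member

    def is_member(self, vid: int) -> bool:
        return vid == self.pvid or vid in self.tagged


def is_group_address(mac: str) -> bool:
    """Broadcast or multicast: the I/G bit (lowest bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Bridge:
    def __init__(self, ports: List[Port], l2_mode: bool = True):
        self.ports = {p.name: p for p in ports}
        self.l2_mode = l2_mode
        self.fdb: Dict[Tuple[int, str], str] = {}  # (VID, MAC) -> port that last sourced it

    def ingress(self, in_port: str, frame: Frame) -> Optional[int]:
        """Ingress rules: the VID the frame is classified into, or None if it is dropped."""
        port = self.ports[in_port]
        if frame.vid is None or frame.vid == VID_NULL:
            return port.pvid               # untagged / priority-tagged -> native VLAN (PVID)
        if frame.vid == VID_RESERVED:
            return None                    # reserved VID 0xFFF
        if not port.is_member(frame.vid):
            return None                    # tagged for a VLAN this port is not a member of
        return frame.vid

    def forward(self, in_port: str, frame: Frame) -> List[Tuple[str, Optional[int]]]:
        """Return (out_port, tag) pairs; tag is None where the frame leaves untagged."""
        if not self.l2_mode:
            return []                      # the appliance bridges only in Layer 2 mode
        vid = self.ingress(in_port, frame)
        if vid is None:
            return []
        # Learning: source MAC + VID update the bridge (FDB) table.
        self.fdb[(vid, frame.src)] = in_port
        # The ingress check guarantees at least one member (the receiving port) here,
        # so the "VLAN with no members" egress rule cannot trigger in this model.
        members = [p for p in self.ports.values() if p.is_member(vid)]
        learned = None if is_group_address(frame.dst) else self.fdb.get((vid, frame.dst))
        # Known unicast goes to the learned port; broadcast, multicast and unknown
        # unicast are flooded to every member of the VLAN.
        candidates = [self.ports[learned]] if learned else members
        out: List[Tuple[str, Optional[int]]] = []
        for port in candidates:
            if port.name == in_port:
                continue                   # never forward on the receiving interface
            if not port.is_member(vid):
                continue                   # egress rule: transmitting port must be a member
            out.append((port.name, None if port.pvid == vid else vid))
        return out


if __name__ == "__main__":
    # Constructed topology: 1/1 and 1/2 native in VLAN 2, 1/2 also tagged for VLAN 3,
    # 1/3 native in VLAN 3.
    br = Bridge([Port("1/1", pvid=2), Port("1/2", pvid=2, tagged={3}), Port("1/3", pvid=3)])
    print(br.forward("1/1", Frame("00:00:00:00:00:aa", BROADCAST)))         # [('1/2', None)]
    print(br.forward("1/2", Frame("00:00:00:00:00:bb", BROADCAST, vid=3)))  # [('1/3', None)]
    print(br.forward("1/3", Frame("00:00:00:00:00:cc", "00:00:00:00:00:bb")))  # [('1/2', 3)]
    print(br.forward("1/1", Frame("00:00:00:00:00:aa", BROADCAST, vid=12)))  # []
```

The third call shows the point of the egress rule: the reply to host bb was received untagged on 1/3 (VLAN 3) and leaves 1/2, whose native VLAN is 2, with a VID 3 tag inserted; the same host reached from VLAN 2 would be unreachable, because the bridge table is keyed by (VID, MAC) and VLANs are separate broadcast domains.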


Configuring a VLAN

You can implement VLANs in the following environments:

• Single subnet

• Multiple subnets

• Single LAN

• VLANs (no tagging)

• VLANs (802.1q tagging)

If you configure VLANs that have only untagged network interfaces as their members, the total number of possible VLANs is limited to the number of network interfaces available on the NetScaler. If more IP subnets are required with a VLAN configuration, 802.1q tagging must be used.

When you bind a network interface to a VLAN, the network interface is removed from the default VLAN. If the network interfaces need to be a part of more than one VLAN, you can bind the network interfaces to the VLANs as tagged members.

You can configure the NetScaler to forward traffic between VLANs at Layer 3. In this case, a VLAN is associated with a single IP subnet. The hosts in a VLAN that belong to a single subnet use the same subnet mask and one or more default gateways connected to that subnet. Configuring Layer 3 for a VLAN is optional. Layer 3 is used for IP forwarding (inter-VLAN routing). Each VLAN has a unique IP address and subnet mask that define an IP subnet for the VLAN. In an HA configuration, this IP address is shared with the other NetScaler appliances. The NetScaler forwards packets between configured IP subnets (VLANs).

When you configure the NetScaler, you must not create overlapping IP subnets. Doing so impedes Layer 3 functionality.

Each VLAN is a unique Layer 2 broadcast domain. Two VLANs, each bound to separate IP subnets, cannot be combined into a single broadcast domain. Forwarding traffic between two VLANs requires a Layer 3 forwarding (routing) device, such as the NetScaler appliance.

Creating or Modifying a VLAN

To configure a VLAN, you create a VLAN entity, and then bind network interfaces and IP addresses to the VLAN. If you remove a VLAN, its member interfaces are added to the default VLAN.

To create a VLAN by using the NetScaler command line

At the NetScaler command prompt, type:

add vlan <id> [-aliasName <string>] [-ipv6DynamicRouting (ENABLED|DISABLED)]


Example

add vlan 2 -aliasName "Network A"

To bind an interface to a VLAN by using the NetScaler command line

At the NetScaler command prompt, type:

bind vlan <id> -ifnum <slot/port>

Example

bind vlan 2 -ifnum 1/8

To bind an IP address to a VLAN by using the NetScaler command line

At the NetScaler command prompt, type:

bind vlan <id> -IPAddress <IPAddress> <netMask>

Example

bind vlan 2 -IPAddress 10.102.29.54 255.255.255.0

To remove a VLAN by using the NetScaler command line

At the NetScaler command prompt, type:

rm vlan <id>

Parameters for configuring a VLAN

id

An integer that uniquely identifies the VLAN to which a particular frame belongs. The NetScaler supports a maximum of 4094 VLANs. ID 1 is reserved for the default VLAN. Minimum value: 2. Maximum value: 4094.

aliasName

A name for the VLAN. Must begin with a letter, a number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols.


You should choose a name that helps identify the VLAN. However, you cannot perform any VLAN operation by specifying the alias name instead of the VLAN ID.

ipv6DynamicRouting

Enable or disable IPv6 dynamic routing on this VLAN. Possible values: ENABLED, DISABLED. Default: DISABLED.

ifNum

The name, in <slot>/<port> notation, of an interface to be bound to the VLAN.

IPAddress

The IP address that is to be assigned to the VLAN. An entry for the subnet must be in the routing table before you issue this command. Overlapping subnets are not allowed. The IP address specified can be used as the default gateway among the hosts in the subnet to allow for IP forwarding between VLANs.

Caution: DO NOT specify an IP address for VLAN 1.

netMask

Defines the network mask for the subnet defined for this VLAN.

To configure a VLAN by using the configuration utility

1. In the navigation pane, expand Network, and then click VLANs.

2. In the details pane, do one of the following:

• To create a new VLAN, click Add.

• To modify an existing VLAN, click Open.

3. In the Add VLAN or Configure/Modify VLAN dialog box, specify values for the following parameters, which correspond to parameters described in "Parameters for configuring a VLAN" as shown:

• VLAN ID*—id

• Enable IPv6 dynamic routing—ipv6DynamicRouting

• Alias Name—aliasName

* A required parameter

4. To bind an IP address to a VLAN, under IPs, select the Active check box corresponding to the IP address that you want to bind to the VLAN (for example, 10.102.29.54). The Type column displays the IP address type (such as mapped IP, virtual IP, or subnet IP) for each IP address in the IP Addresses column.

5. To bind a network interface to a VLAN, under Interfaces, select the Active check box corresponding to the interface that you want to bind to the VLAN (for example, 1/8).

6. Click Create or OK, and then click Close. A message appears in the status bar, stating that the VLAN has been configured successfully.


Monitoring VLANs

You can display VLAN statistics such as packets received, bytes received, packets sent, and bytes sent, and use the information to identify anomalies or debug a VLAN.

To view the statistics of a VLAN by using the NetScaler command line

At the NetScaler command prompt, type:

stat vlan <vlanID>

Example

stat vlan 2

To view the statistics of a VLAN by using the configuration utility

1. In the navigation pane, expand Network and click VLANs.

2. On the VLANs page, select the VLAN whose statistics you want to view (for example, 2).

3. Click Statistics.

Configuring VLANs in an HA Setup

VLAN configuration for a high-availability setup requires that the NetScaler appliances have the same hardware configuration, and the VLANs configured on them must be mirror images.

The correct VLAN configuration is implemented automatically when the configuration is synchronized between the NetScaler appliances. The result is identical actions on all the appliances. For example, adding network interface 0/1 to VLAN 2 adds this network interface to VLAN 2 on all the appliances participating in the high-availability setup.

Note: If you use network-interface-specific commands in an HA setup, the configurations you create are not propagated to the other NetScaler appliance. You must run these commands on each appliance in the HA pair to ensure that the configuration of the two appliances remains synchronized.

Configuring VLANs on a Single Subnet

Before configuring a VLAN on a single subnet, make sure that Layer 2 mode is enabled.

The following figure shows a single subnet environment.


Figure 2-2. VLAN on a Single Subnet

In the above figure:

1. The default router for the NetScaler and the servers is Router 1.

2. Layer 2 mode must be enabled on the NetScaler for the NetScaler to have direct access to the servers.

3. For this subnet, a virtual server can be configured for load balancing on the NetScaler.

To configure a VLAN on a single subnet, follow the procedures described in "Creating or Modifying a VLAN". No VLAN configuration parameters are required, because the network interfaces are already members of this VLAN (the default VLAN).

Configuring VLANs on Multiple Subnets

To configure a single VLAN across multiple subnets, you must add a VIP for the VLAN and configure the routing appropriately. The following figure shows a single VLAN configured across multiple subnets.


Figure 2-3. Multiple Subnets in a Single VLAN

To configure a single VLAN across multiple subnets, perform the following tasks:

1. Disable Layer 2 mode. For the procedure to disable Layer 2 mode, see the "Configuring System Management Settings" chapter of the Citrix NetScaler Getting Started Guide at http://support.citrix.com/article/CTX132368.

2. Add a VIP.

For the procedure to add a VIP, see "Configuring and Managing Virtual IP Addresses (VIPs)".

3. Configure RNAT ID.

For the procedure to configure the RNAT ID, see "Configuring RNAT".

Configuring Multiple Untagged VLANs across Multiple Subnets

In environments with multiple untagged VLANs across multiple subnets, a VLAN is configured for each IP subnet. A network interface is bound to one VLAN only. The following figure shows this configuration.


Figure 2-4. Multiple Subnets with VLANs - No Tagging

To implement the configuration shown in the above figure, perform the following tasks:

1. Add VLAN 2.

For the procedure to create a VLAN, see "Creating or Modifying a VLAN".

2. Bind the 1/2 network interface of the NetScaler to VLAN 2 as an untagged network interface.

For the procedure to bind a network interface to a VLAN, see "Creating or Modifying a VLAN".

3. Bind the IP address and subnet mask to VLAN 2.

For the procedure to bind an IP address to a VLAN, see "Creating or Modifying a VLAN".

Configuring Multiple VLANs with 802.1q Tagging

For multiple VLANs with 802.1q tagging, each VLAN is configured with a different IP subnet. Each network interface is an untagged member of one VLAN only, but it can also be a tagged member of other VLANs; in this configuration one of the VLANs is set up as tagged on the shared interface. The following figure shows this configuration.


Figure 2-5. Multiple VLANs with IEEE 802.1q Tagging

To implement the configuration shown in the above figure, perform the following tasks:

1. Add VLAN 2.

For the procedure to create a VLAN, see "Creating or Modifying a VLAN".

2. Bind the 1/2 network interface of the NetScaler to VLAN 2 as an untagged network interface.

For the procedure to bind a network interface to a VLAN, see "Creating or Modifying a VLAN".

3. Bind the IP address and netmask to VLAN 2.

For the procedure to bind an IP address to a VLAN, see "Creating or Modifying a VLAN".

4. Add VLAN 3.

For the procedure to create a VLAN, see "Creating or Modifying a VLAN".

5. Bind the 1/2 network interface of the NetScaler to VLAN 3 as a tagged network interface.

For the procedure to bind a network interface to a VLAN, including binding it as a tagged member, see "Creating or Modifying a VLAN".

6. Bind the IP address and netmask to VLAN 3.


For the procedure to bind an IP address to a VLAN, see "Creating or Modifying a VLAN".
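The procedures in "Configuring a VLAN" state several constraints that the CLI enforces one command at a time: VLAN IDs run from 2 to 4094 and VLAN 1 must not get an IP address, an interface is an untagged member of only one VLAN, and bound subnets must not overlap. The following script is an added example, not Citrix code: it checks a planned layout against those rules before anything is typed into the appliance, then emits the commands from this chapter in the order the procedures above use them. Assumptions: the -tagged option of bind vlan, used for the tagged membership in step 5, is not shown on this page; the 10.102.30.54/24 subnet for VLAN 3 and the interface names are constructed for the illustration.

```python
"""Validate a planned VLAN layout against the rules in this chapter and emit the CLI.
Added example, not Citrix code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_VLAN = 1
MAX_VLAN = 4094
MAX_ALIAS_LEN = 31


@dataclass
class VlanPlan:
    vid: int
    untagged: List[str] = field(default_factory=list)  # interfaces bound as untagged (native) members
    tagged: List[str] = field(default_factory=list)    # interfaces bound as tagged members
    subnet: Optional[str] = None  # "ip/prefix" of the address bound to the VLAN, e.g. "10.102.29.54/24"
    alias: Optional[str] = None


def validate(plans: List[VlanPlan]) -> List[str]:
    """Return the rule violations found; an empty list means the plan is consistent."""
    errors: List[str] = []
    seen: set = set()
    native_owner: Dict[str, int] = {}   # interface -> VLAN of which it is the untagged member
    subnets: list = []                  # (vid, network) already claimed
    for p in plans:
        if not DEFAULT_VLAN < p.vid <= MAX_VLAN:
            errors.append(f"VLAN {p.vid}: ID must be 2..{MAX_VLAN}; VLAN 1 is the default "
                          "VLAN, cannot be configured and must not get an IP address")
        if p.vid in seen:
            errors.append(f"VLAN {p.vid}: defined twice")
        seen.add(p.vid)
        if p.alias and len(p.alias) > MAX_ALIAS_LEN:
            errors.append(f"VLAN {p.vid}: alias longer than {MAX_ALIAS_LEN} characters")
        for ifnum in p.untagged:
            if ifnum in native_owner:
                errors.append(f"{ifnum}: already the untagged member of VLAN "
                              f"{native_owner[ifnum]}; an interface is untagged in one VLAN only")
            else:
                native_owner[ifnum] = p.vid
        for ifnum in p.tagged:
            if ifnum in p.untagged:
                errors.append(f"{ifnum}: cannot be both tagged and untagged in VLAN {p.vid}")
        if p.subnet:
            net = ipaddress.ip_interface(p.subnet).network
            for other_vid, other in subnets:
                if net.overlaps(other):
                    errors.append(f"VLAN {p.vid}: subnet {net} overlaps VLAN {other_vid} "
                                  f"({other}); overlapping subnets break Layer 3 forwarding")
            subnets.append((p.vid, net))
    return errors


def render(plans: List[VlanPlan]) -> List[str]:
    """Emit the CLI commands in the order used by the procedures above."""
    lines: List[str] = []
    for p in plans:
        cmd = f"add vlan {p.vid}"
        if p.alias:
            cmd += f' -aliasName "{p.alias}"'
        lines.append(cmd)
        for ifnum in p.untagged:
            lines.append(f"bind vlan {p.vid} -ifnum {ifnum}")
        for ifnum in p.tagged:
            # -tagged is an assumption of this example; it is not shown on this page.
            lines.append(f"bind vlan {p.vid} -ifnum {ifnum} -tagged")
        if p.subnet:
            iface = ipaddress.ip_interface(p.subnet)
            lines.append(f"bind vlan {p.vid} -IPAddress {iface.ip} {iface.network.netmask}")
    return lines


if __name__ == "__main__":
    # The layout of the 802.1q procedure above: 1/2 untagged in VLAN 2, tagged in VLAN 3.
    plan = [VlanPlan(2, untagged=["1/2"], subnet="10.102.29.54/24"),
            VlanPlan(3, tagged=["1/2"], subnet="10.102.30.54/24")]
    problems = validate(plan)
    if problems:
        print("\n".join(problems))
    else:
        print("\n".join(render(plan)))
```

Run the validation before the commands are applied: on a live appliance a rejected bind vlan leaves the earlier commands in place, so an interface can end up moved out of the default VLAN with no IP bound, and, because the NSIP subnet follows NSVLAN, a mistake on the management interface can cost you the management session.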

Configuring NSVLAN

NSVLAN is a VLAN to which the NetScaler management IP (NSIP) address's subnet is bound. The NSIP subnet is available only on interfaces that are associated with NSVLAN. By default, NSVLAN is VLAN 1, but you can designate a different VLAN as NSVLAN. If you do so, you must reboot the NetScaler appliance for the change to take effect. After the reboot, NSIP subnet traffic is restricted to the new NSVLAN.

The traffic from the NetScaler IP subnet can be tagged (802.1q) with the VLAN ID specified for NSVLAN. You must configure the attached switch interface to tag and allow this same VLAN ID on the connected interface. Because the NSIP is reachable only through the NSVLAN after the reboot, make sure the switch side is in place before you reboot; otherwise the management address becomes unreachable over the network.

If you remove your NSVLAN configuration, the NSIP subnet is automatically bound to VLAN 1, restoring the default NSVLAN.

To configure NSVLAN by using the NetScaler command line

At the NetScaler command prompt, type:

• set ns config -nsvlan <positive_integer> -ifnum <interface_name> ... [-tagged (YES|NO)]

• show ns config

Note: The configuration takes effect after the NetScaler appliance is rebooted.

Example

> set ns config -nsvlan 300 -ifnum 1/1 1/2 1/3 -tagged NO
 Done

> save config
 Done

> show ns config
        NetScaler IP: 10.102.29.170 (mask: 255.255.255.0)
        Number of MappedIP(s): 6
        Node: Standalone
        NetScaler IP Vlan: 300  Tagged: NO
        Bound Ports: 1/1 1/2 1/3

        Global configuration settings:
                HTTP port(s): (none)
                Max connections: 0
                Max requests per connection: 0
                Client IP insertion: DISABLED
                Cookie version: 0
                Persistence Cookie Secure Flag: ENABLED
                Min Path MTU: 576
                Path MTU entry timeout: 10
                FTP Port Range: 0
                CR Port Range: 0
                Timezone: GMT+05:30-IST-Asia/Colombo
                System Time: Tue Feb 22 16:50:44 2011
                Last Config Changed Time: Tue Feb 22 16:48:02 2011
                Last Config Saved Time: Tue Feb 22 16:48:19 2011
WARNING: The configuration must be saved and the system rebooted for these settings to take effect
 Done

To restore the default NSVLAN configuration by using the NetScaler command line

At the NetScaler command prompt, type:

• unset ns config -nsvlan

• show ns config

Example

> unset ns config -nsvlan
 Done

> sh ns config
        NetScaler IP: 10.102.29.170 (mask: 255.255.255.0)
        Number of MappedIP(s): 6
        Node: Standalone

        Global configuration settings:
                HTTP port(s): (none)
                Max connections: 0
                Max requests per connection: 0
                Client IP insertion: DISABLED
                Cookie version: 0
                Persistence Cookie Secure Flag: ENABLED
                Min Path MTU: 576
                Path MTU entry timeout: 10
                FTP Port Range: 0
                CR Port Range: 0
                Timezone: GMT+05:30-IST-Asia/Colombo
                System Time: Mon Feb 28 11:04:48 2011
                Last Config Changed Time: Mon Feb 28 11:04:40 2011
                Last Config Saved Time: Mon Feb 28 10:14:30 2011
 Done

Parameters for configuring NSVLAN

nsvlan

An integer that uniquely identifies the NSVLAN. Minimum value: 2. Maximum value: 4094.

ifNum

Interfaces to be bound to the NSVLAN.

tagged

Designate all interfaces associated with NSVLAN as 802.1q tagged interfaces. The appliance adds a four-byte 802.1q tag to every packet sent on one of these interfaces. The tag identifies the VLAN. Possible values: YES, NO. Default: YES.

To configure NSVLAN by using the configuration utility

1. In the navigation pane, expand System, and then click Settings.

2. In the details pane, under Settings, click Change NSVLAN Settings.

3. In the Configure NSVLAN Settings dialog box, specify values for the following parameters, which correspond to parameters described in "Parameters for configuring NSVLAN" as shown:

• NSVLAN ID*—nsvlan

• Tagged—tagged

*A required parameter

4. Under Interfaces, select interfaces from the Available Interfaces list and click Add to move them to the Configured Interfaces list.

5. Click OK. In the Warning dialog box, click OK. The configuration takes effect after the NetScaler appliance is rebooted.

Configuring Bridge Groups

Typically, when you want to merge two or more VLANs into a single domain, you change the VLAN configuration on all the devices in the separate domains. This can be a tedious task. To more easily merge multiple VLANs into a single broadcast domain, you can use bridge groups.

The bridge groups feature works the same way as a VLAN. Multiple VLANs can be bound to a single bridge group, and all VLANs bound to the same bridge group form a single broadcast domain. You can bind only Layer 2 VLANs to a bridge group. For Layer 3 functionality, you must assign an IP address to a bridge group.

In Layer 2 mode, a broadcast packet received on an interface belonging to a particular VLAN is bridged to other VLANs that belong to the same bridge group. In the case of a unicast packet, the NetScaler appliance searches its bridge table for the learned MAC addresses of all the VLANs belonging to the same bridge group.

In Layer 3 forwarding mode, an IP subnet is bound to a bridge group. The NetScaler accepts incoming packets belonging to the bound subnet and forwards the packets only on VLANs that are bound to the bridge group.

IPv6 routing can be enabled on a configured bridge group.

To add a bridge group and bind VLANs by using the NetScaler command line

To add a bridge group, bind VLANs, and verify the configuration, type the following commands:

• add bridgegroup <id> [-ipv6DynamicRouting ( ENABLED | DISABLED )]

• show bridgegroup <id>

• bind bridgegroup <id> -vlan <positive_integer>

• show bridgegroup <id>

Example

> add bridgegroup 12
 Done
> show bridgegroup 12
1)      Bridge Group: 12
        Member Interfaces : None
        Member vlans:
 Done
> bind bridgegroup 12 -vlan 4
 Done
> show bridgegroup 12
1)      Bridge Group: 12
        Member Interfaces : 1/8  Tagged: None
        Member vlans: 4
 Done


To remove a bridge group by using the NetScaler command line

At the NetScaler command prompt, type:

rm bridgegroup <id>

Example

rm bridgegroup 12

Parameters for configuring bridge groups

id

A unique number that identifies a bridge group. Possible values: 1 to 1000.

vlan

The ID of a VLAN to be bound to the bridge group.

ipv6DynamicRouting

Enable or disable IPv6 dynamic routing on this bridge group. Possible values: ENABLED, DISABLED. Default: DISABLED.

To configure a bridge group by using the configuration utility

1. In the navigation pane, expand Network, and then click Bridge Groups.

2. In the details pane, do one of the following:

• To create a new bridge group, click Add.

• To modify an existing bridge group, click Open.

3. In the Create Bridge Group or Configure Bridge Group dialog box, specify values for the following parameters, which correspond to parameters described in "Parameters for configuring bridge groups" as shown:

• Bridge Group Id*—id

• Enable IPv6 dynamic routing—ipv6DynamicRouting

* A required parameter

4. To bind a VLAN to a bridge group, under VLANs, select the Active check box corresponding to the VLAN that you want to bind to the bridge group (for example, 4).


5. To bind an IP address to a bridge group, under IPs, select the Active check box corresponding to the IP address that you want to bind to the bridge group (for example, 10.102.29.54).

6. Click Create or OK, and then click Close. A message appears in the status bar, stating that the bridge group has been configured successfully.

Configuring VMACs

The primary and secondary nodes in a high availability (HA) setup share the Virtual MAC address (VMAC) floating entity. The primary node owns the floating IP addresses (such as MIP, SNIP, and VIP) and responds to ARP requests for these IP addresses with its own MAC address. Therefore, the ARP table of an external device, such as an upstream router, is updated with the floating IP address and the MAC address of the primary node.

When a failover occurs, the secondary node takes over as the new primary node. The former secondary node uses Gratuitous ARP (GARP) to advertise the floating IP addresses that it had learned from the old primary node. The MAC address that the new primary node advertises is the MAC address of its own network interface. Some devices (a few routers) do not accept these GARP messages. Therefore, these external devices retain the IP address-to-MAC address mapping that the old primary node had advertised. This can result in a GSLB site going down.

Therefore, you must configure a VMAC on both nodes of an HA pair. This means that both nodes have identical MAC addresses. When a failover occurs, the MAC address of the secondary node remains unchanged, and the ARP tables on the external devices do not need to be updated.

For the procedures to configure a VMAC, see High Availability.

Configuring Link Aggregation

Link aggregation combines data coming from multiple ports into a single high-speed link. Configuring link aggregation increases the capacity and availability of the communication channel between the NetScaler appliance and other connected devices. An aggregated link is also referred to as a "channel." You can configure the channels manually, or you can use Link Aggregation Control Protocol (LACP). You cannot apply LACP to a manually configured channel, nor can you manually configure a channel created by LACP.

When a network interface is bound to a channel, the channel parameters have precedence over the network interface parameters. (That is, the network interface parameters are ignored.) A network interface can be bound only to one channel.

When a network interface is bound to a channel, it drops its VLAN configuration. When network interfaces are bound to a channel, either manually or by LACP, they are removed from the VLANs that they originally belonged to and added to the default VLAN. However, you can bind the channel back to the old VLAN, or to a new one. For example, if you bind the network interfaces 1/2 and 1/3 to a VLAN with ID 2, and then bind them to a channel LA/1, the network interfaces are moved to the default VLAN, but you can bind them back to VLAN 2.

Configuring Link Aggregation Manually

When you create a link aggregation channel, its state is DOWN until you bind an active interface to it. You can modify a channel at any time. You can remove channels, or you can enable/disable them.

To create a link aggregation channel by using the NetScaler command line

At the NetScaler command prompt, type:

• add channel <id> [-ifnum <interfaceName> ...] [-state ( ENABLED | DISABLED )] [-speed <speed>] [-flowControl <flowControl>] [-haMonitor ( ON | OFF )] [-tagall ( ON | OFF )] [-ifAlias <string>] [-throughput <positive_integer>] [-bandwidthHigh <positive_integer> [-bandwidthNormal <positive_integer>]]

• show channels

Example

add channel LA/1 -ifnum 1/8
show channels

To bind an interface to or unbind an interface from an existing link aggregation channel by using the NetScaler command line

At the NetScaler command prompt, type one of the following commands:

• bind channel <id> <interfaceName>

• unbind channel <id> <interfaceName>

Example

bind channel LA/1 1/8

To modify a link aggregation channel by using the NetScaler command line

At the NetScaler command prompt, type the set channel command, the channel ID, and the parameters to be changed, with their new values.

Chapter 2 Interfaces


Parameters for configuring a link aggregation channel

id
LA channel name, in the form LA/*, where * is an ID number for this channel.

ifnum
The name, in <slot>/<port> notation, of an interface to be bound to the channel.

state
Initial state for the channel. Possible values: ENABLED, DISABLED. Default: ENABLED.

speed
Speed for the channel. Possible values: AUTO, 10, 100, 1000, and 10000. Default value: AUTO.

flowControl
Flow control for the channel. Possible values: OFF, RX, TX, and RXTX. Default value: OFF.

haMonitor
HA-monitoring control for the channel. Possible values: ON and OFF. Default value: ON.

tagall
Make this port a trunk port. When ON, port membership in all VLANs is tagged. If 802.1q behavior with a native VLAN is required, use the OFF setting. Possible values: ON, OFF. Default: OFF.

ifAlias
Alias name for the channel. Maximum length: 31.

throughput
Minimum required throughput for the network interface.

bandwidthHigh
Configured high threshold of the interface bandwidth usage in Mbps. An SNMP trap message is generated if bandwidth usage of the interface crosses this limit. This parameter can be set only by using the NetScaler command line.

bandwidthNormal
Configured normal threshold of the interface bandwidth usage in Mbps. A trap is generated if bandwidth usage of the interface returns to this level after exceeding the bandwidthHigh limit. This parameter can be set only by using the NetScaler command line.

To configure a link aggregation channel by using the configuration utility

1. In the navigation pane, expand Network and click Channels.

2. In the details pane, do one of the following:


• To create a new link aggregation channel, click Add.

• To modify an existing link aggregation channel, select a channel and then click Open.

3. In the Create Channel or Configure Channel dialog box, specify values for the following parameters, which correspond to parameters described in “Parameters for configuring a link aggregation channel” as shown:

• Channel ID*—id (Select a channel name from the drop-down list.)

• State—state

• Throughput— throughput

4. To bind an interface to the channel, on the Bind/Unbind tab, select an interface (for example, 1/8) and click Add. (To remove an interface, select it and click Remove.)

5. Optionally, on the Settings tab, specify values for the following parameters, which correspond to parameters described in “Parameters for configuring a link aggregation channel” as shown:

• Speed—speed

• Flow Control—flowControl

• HA Monitoring—haMonitor

• Tag all VLANs— tagall

• Alias Name—ifAlias

To remove a link aggregation channel by using the NetScaler command line

Important: When a channel is removed, the network interfaces bound to it induce network loops that decrease network performance. You must disable the network interfaces before you remove the channel.

At the NetScaler command prompt, type:

rm channel <id>

Example

rm channel LA/1


To remove a link aggregation channel by using the configuration utility

Important: When a channel is removed, the network interfaces bound to it induce network loops that decrease network performance. You must disable the network interfaces before you remove the channel.

1. In the navigation pane, expand Network and click Channels.

2. In the details pane, select the channel that you want to remove (for example, LA/1), and click Remove.

3. In the Remove dialog box, click Yes.

Configuring Link Aggregation by Using the Link Aggregation Control Protocol

The Link Aggregation Control Protocol (LACP) enables network devices to exchange link aggregation information by exchanging LACP Data Units (LACPDUs). Because a channel is either configured manually or negotiated by LACP, you cannot enable LACP on network interfaces that are members of a channel that you created manually.

When using LACP to configure link aggregation, you use different commands and parameters for modifying link aggregation channels than you do for creating link aggregation channels. To remove a channel, you must disable LACP on all interfaces that are part of the channel.

Note: In a high availability configuration, LACP configurations are neither propagated nor synchronized.

Creating Link Aggregation Channels

To create a link aggregation channel by using LACP, you need to enable LACP and specify the same LACP key on each interface that you want to be part of the channel. For example, if you enable LACP and set the LACP key to 3 on interfaces 1/1 and 1/2, a link aggregation channel LA/3 is created and interfaces 1/1 and 1/2 are automatically bound to it.

Note: When enabling LACP on a network interface, you must specify the LACP Key.

By default, LACP is disabled on all network interfaces.

To create an LACP channel by using the NetScaler command line

At the NetScaler command prompt, type:

• set interface <id> [-lacpMode <lacpMode>] [-lacpKey <positive_integer>] [-lacpPriority <positive_integer>] [-lacpTimeout ( LONG | SHORT )]


• show interface [<id>]

Parameters for creating an LACP channel

id
The number assigned to the interface.

lacpMode
LACP mode. Possible values: DISABLED, ACTIVE, and PASSIVE. Default: DISABLED.

lacpKey
LACP key for the interface. Possible values: 1 to 4.

lacpPriority
LACP port priority. Possible values: 1 to 65535. Default: 32768.

lacpTimeout
LACP timeout setting. Possible values: LONG and SHORT. Default: LONG.

To create an LACP channel by using the configuration utility

1. In the navigation pane, expand Network, and then click Interfaces.

2. On the Interfaces pane, select the network interface that you want to modify (for example, 1/8), and then click Open.

3. In the Configure Interface dialog box, specify values for the following parameters, which correspond to parameters described in “Parameters for creating an LACP channel” as shown:

• LACP Mode—lacpMode

• LACP Key—lacpKey

• LACP Time-out—lacpTimeout

• LACP Priority—lacpPriority

4. Click OK. A message appears in the status bar, stating that the interface has been configured successfully.

Modifying Link Aggregation Channels

After you have created an LACP channel by specifying interfaces, you can modify properties of the channel.

To modify an LACP channel by using the NetScaler command line

At the NetScaler command prompt, type:

• set channel <id> [-ifnum <interfaceName> ...] [-state ( ENABLED | DISABLED )] [-speed <speed>] [-flowControl <flowControl>] [-haMonitor ( ON | OFF )] [-ifAlias <string>] [-throughput <positive_integer>] [-tagall ( ON | OFF )] [-bandwidthHigh <positive_integer> [-bandwidthNormal <positive_integer>]]


• show channels

Example

set channel LA/3 -state ENABLED -speed 10000
show channels

Parameters for modifying an LACP channel

id
LA channel name, in the form LA/*, where * is an ID number for this channel.

state
Initial state for the channel. Possible values: ENABLED, DISABLED. Default: ENABLED.

speed
Speed for the channel. Possible values: AUTO, 10, 100, 1000, and 10000. Default value: AUTO.

flowControl
Flow control for the channel. Possible values: OFF, RX, TX, and RXTX. Default value: OFF.

haMonitor
HA-monitoring control for the channel. Possible values: ON and OFF. Default value: ON.

tagall
Make this port a trunk port. When ON, port membership in all VLANs is tagged. If 802.1q behavior with a native VLAN is required, use the OFF setting. Possible values: ON, OFF. Default: OFF.

ifAlias
Alias name for the channel. Maximum length: 31.

throughput
Minimum required throughput for the network interface.

bandwidthHigh
Configured high threshold of the interface bandwidth usage in Mbps. An SNMP trap message is generated if bandwidth usage of the interface crosses this limit. This parameter can be set only by using the NetScaler command line.

bandwidthNormal
Configured normal threshold of the interface bandwidth usage in Mbps. A trap is generated if bandwidth usage of the interface returns to this level after exceeding the bandwidthHigh limit. This parameter can be set only by using the NetScaler command line.


To modify an LACP channel by using the configuration utility

1. In the navigation pane, expand Network and click Channels.

2. In the details pane, select a LACP channel and then click Open.

3. In the Configure Channel dialog box, specify values for the following parameters, which correspond to parameters described in “Parameters for modifying an LACP channel” as shown:

• State—state

• Throughput— throughput

4. Optionally, on the Settings tab, specify values for the following parameters, which correspond to parameters described in “Parameters for modifying an LACP channel” as shown:

• Speed—speed

• Flow Control—flowControl

• HA Monitoring—haMonitor

• Tag all VLANs— tagall

• Alias Name—ifAlias

Removing a Link Aggregation Channel

To remove a link aggregation channel that was created by using LACP, you need to disable LACP on all the interfaces that are part of the channel.

To remove an LACP channel by using the NetScaler command line

At the NetScaler command prompt, type the following for each interface in the channel:

• set interface <id> -lacpMode DISABLED

• show interface [<id>]

To remove an LACP channel by using the NetScaler configuration utility

1. In the navigation pane, expand Network, and then click Interfaces.

2. On the Interfaces pane, select the network interface that you want to modify (for example, 1/8), and then click Open.

3. In the Configure Interface dialog box, clear the Enable LACP check box.

4. Click OK. A message appears in the status bar, stating that the interface has been configured successfully.
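The rules stated in this section (an LACP key of 1 to 4 produces channel LA/<key>, an interface belongs to one channel only, a manual channel cannot be turned into an LACP channel, and binding interfaces to a channel moves them to the default VLAN) are easy to violate when a change is typed by hand. The following Python planner is an added example and is not Citrix code or part of the guide. It keeps a hypothetical in-memory model of an appliance's interfaces and channels, emits the NetScaler CLI lines shown in this chapter (set interface ... -lacpMode/-lacpKey and bind vlan ... -ifnum LA/<n>), and refuses a plan that breaks one of those rules. The refusal when members come from different VLANs is this example's own policy, added so that a channel never silently merges segments the operator had kept apart.

```python
"""Planner for the link-aggregation rules in this chapter (added example, not Citrix code).

The Inventory/Channel classes are a hypothetical model of one appliance; nothing here
talks to a NetScaler. Only the emitted CLI lines correspond to commands in the guide.
"""
from dataclasses import dataclass, field

LACP_KEYS = range(1, 5)   # lacpKey: 1 to 4 (parameter table above)
DEFAULT_VLAN = 1          # interfaces bound to a channel are moved to the default VLAN


@dataclass
class Channel:
    name: str                                  # e.g. "LA/3"
    members: set = field(default_factory=set)  # interface names in <slot>/<port> form
    lacp: bool = False                         # True if created by LACP, False if manual
    vlan: int = DEFAULT_VLAN                   # VLAN the channel itself is bound to


@dataclass
class Inventory:
    """Model of one appliance: channels by name, and the VLAN id of each interface."""
    channels: dict = field(default_factory=dict)
    vlan_of: dict = field(default_factory=dict)

    def channel_of(self, ifnum):
        return next((c for c in self.channels.values() if ifnum in c.members), None)


def plan_lacp_channel(inv, key, ifnums, mode="ACTIVE"):
    """Return the CLI lines that put ifnums into LACP channel LA/<key>, and update inv."""
    if key not in LACP_KEYS:
        raise ValueError(f"lacpKey {key} outside {LACP_KEYS.start}-{LACP_KEYS.stop - 1}")
    if mode not in ("ACTIVE", "PASSIVE"):
        raise ValueError(f"lacpMode {mode} is not ACTIVE or PASSIVE")
    name = f"LA/{key}"
    target = inv.channels.get(name)
    if target is not None and not target.lacp:
        raise ValueError(f"{name} was configured manually; LACP cannot be applied to it")
    for ifnum in ifnums:
        owner = inv.channel_of(ifnum)
        if owner is not None and owner is not target:
            raise ValueError(f"{ifnum} is already bound to {owner.name}; one channel per interface")

    lines = [f"set interface {i} -lacpMode {mode} -lacpKey {key}" for i in ifnums]

    # Binding drops the members into the default VLAN. Re-bind the channel to the VLAN
    # they came from, but only if they all came from the same one (example's own policy).
    old_vlans = {inv.vlan_of.get(i, DEFAULT_VLAN) for i in ifnums} - {DEFAULT_VLAN}
    if len(old_vlans) > 1:
        raise ValueError(f"members span VLANs {sorted(old_vlans)}; choose the channel VLAN explicitly")
    channel_vlan = old_vlans.pop() if old_vlans else DEFAULT_VLAN
    if channel_vlan != DEFAULT_VLAN:
        lines.append(f"bind vlan {channel_vlan} -ifnum {name}")

    if target is None:
        target = inv.channels[name] = Channel(name, lacp=True)
    target.members.update(ifnums)
    target.vlan = channel_vlan
    for i in ifnums:
        inv.vlan_of[i] = DEFAULT_VLAN
    return lines


def plan_remove_lacp_channel(inv, name):
    """An LACP channel is removed by disabling LACP on every member interface."""
    ch = inv.channels.get(name)
    if ch is None or not ch.lacp:
        raise ValueError(f"{name} is not an LACP channel")
    lines = [f"set interface {i} -lacpMode DISABLED" for i in sorted(ch.members)]
    del inv.channels[name]
    return lines


if __name__ == "__main__":
    # The guide's example: 1/1 and 1/2, both in VLAN 2, keyed into LA/3.
    inv = Inventory(vlan_of={"1/1": 2, "1/2": 2})
    print("\n".join(plan_lacp_channel(inv, 3, ["1/1", "1/2"])))
    print("\n".join(plan_remove_lacp_channel(inv, "LA/3")))
```

Because LACP settings are not synchronized between HA nodes (see the note above), run the emitted lines on both nodes, and verify the result with show channels and show interface rather than trusting the plan.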


Binding an SNIP Address to an Interface

You can now bind a NetScaler owned SNIP address to an interface without using Layer 3 VLANs. Any packets related to the SNIP address will go only through the bound interface.

This feature can be useful in a scenario where the upstream switch does not support link aggregation channels and you want the NetScaler appliance to load balance traffic, originated from a server, across the four links to the upstream switch as shown in the following illustration.

Figure 2-6.

The following tables describe the example settings for the scenario:


Entity                               Name                                     Value
SNIP addresses on NS1                SNIP2 (for reference purpose only)       10.10.10.2
                                     SNIP3 (for reference purpose only)       10.10.10.3
                                     SNIP4 (for reference purpose only)       10.10.10.4
                                     SNIP5 (for reference purpose only)       10.10.10.5
LLB virtual server on NS1            LLB_VSERVER1                             -
Transparent monitor on NS1           TRANS_MON                                -
LLB services on NS1                  LLB_SVC2                                 10.10.10.240
                                     LLB_SVC3                                 10.10.10.120
                                     LLB_SVC4                                 10.10.10.60
                                     LLB_SVC5                                 10.10.10.30
MAC address of interface 1/2 on NS1  NS_MAC_2 (for reference purpose only)    00:e0:ed:0f:bc:e0
MAC address of interface 1/3 on NS1  NS_MAC_3 (for reference purpose only)    00:e0:ed:0f:bc:df
MAC address of interface 1/4 on NS1  NS_MAC_4 (for reference purpose only)    00:e0:ed:0f:bc:de
MAC address of interface 1/5 on NS1  NS_MAC_5 (for reference purpose only)    00:e0:ed:1c:89:53
IP address of Router R1              Router_IP (for reference purpose only)   10.10.10.1
MAC address of interface of R1       ROUTER_MAC1 (for reference purpose only) 00:21:a1:2d:db:cc

To configure the example settings

1. Add four different SNIPs in different subnet ranges. This is for ARP to be resolved on four different links. For more information on creating a SNIP address, see Configuring Subnet IP Addresses (SNIPs).


Command Line Interface example

> add ns ip 10.10.10.2 255.255.255.0 -type SNIP
 Done
> add ns ip 10.10.10.3 255.255.255.128 -type SNIP
 Done
> add ns ip 10.10.10.4 255.255.255.192 -type SNIP
 Done
> add ns ip 10.10.10.5 255.255.255.224 -type SNIP
 Done

2. Add four different dummy services in the added SNIP subnets. This is to ensure that the traffic is sent out with the source IP as one of the four configured SNIPs. For more information on creating a service, see Configuring Services.

Command Line Interface example

> add service LLB_SVC2 10.10.10.240 any *
 Done
> add service LLB_SVC3 10.10.10.120 any *
 Done
> add service LLB_SVC4 10.10.10.60 any *
 Done
> add service LLB_SVC5 10.10.10.30 any *
 Done

3. Add a transparent ping monitor for monitoring the gateway. Bind the monitor to each of the configured dummy services. This is to make the state of the services UP. For more information on creating a transparent monitor, see Creating and Binding a Transparent Monitor.

Command Line Interface example

> add monitor TRANS_MON ping -destIP 10.10.10.1 -transparent YES
 Done
> bind monitor TRANS_MON LLB_SVC2
 Done
> bind monitor TRANS_MON LLB_SVC3
 Done
> bind monitor TRANS_MON LLB_SVC4
 Done
> bind monitor TRANS_MON LLB_SVC5
 Done

4. Add a link load balancing (LLB) virtual server and bind the dummy services to it. For more information on creating an LLB virtual server, see Configuring an LLB Virtual Server and Binding a Service.

Command Line Interface example

> add lb vserver LLB_VSERVER1 any
 Done
> set lb vserver LLB_VSERVER1 -lbmethod ROUNDROBIN
 Done
> bind lb vserver LLB_VSERVER1 LLB_SVC2
 Done
> bind lb vserver LLB_VSERVER1 LLB_SVC3
 Done
> bind lb vserver LLB_VSERVER1 LLB_SVC4
 Done
> bind lb vserver LLB_VSERVER1 LLB_SVC5
 Done

5. Add the LLB virtual server as the default LLB route. For more information on creating an LLB route, see Configuring an LLB Route.

Command Line Interface example

> add lb route 0.0.0.0 0.0.0.0 LLB_VSERVER1
 Done

6. Add an ARP entry for each of the dummy services with the MAC address of the gateway. This way the gateway is reachable through these dummy services. For more information on adding an ARP entry, see Configuring Static ARP.

Command Line Interface example

> add arp -ipaddress 10.10.10.240 -mac 00:21:a1:2d:db:cc -ifnum 1/2
 Done
> add arp -ipaddress 10.10.10.120 -mac 00:21:a1:2d:db:cc -ifnum 1/3
 Done
> add arp -ipaddress 10.10.10.60 -mac 00:21:a1:2d:db:cc -ifnum 1/4
 Done
> add arp -ipaddress 10.10.10.30 -mac 00:21:a1:2d:db:cc -ifnum 1/5
 Done

7. Bind a specific interface to an SNIP by adding an ARP entry for each of these SNIPs. This is to ensure that the response traffic will reach the same interface through which the request went out. For more information on adding an ARP entry, see Configuring Static ARP.

Command Line Interface example

> add arp -ipAddress 10.10.10.2 -mac 00:e0:ed:0f:bc:e0 -ifnum 1/2
 Done
> add arp -ipAddress 10.10.10.3 -mac 00:e0:ed:0f:bc:df -ifnum 1/3
 Done
> add arp -ipAddress 10.10.10.4 -mac 00:e0:ed:0f:bc:de -ifnum 1/4
 Done
> add arp -ipAddress 10.10.10.5 -mac 00:e0:ed:1c:89:53 -ifnum 1/5
 Done
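The scenario above works only because the four SNIP netmasks are nested (/24, /25, /26, /27) and each dummy service address falls inside exactly one "most specific" SNIP subnet, so each service is sourced from a different SNIP and therefore leaves through a different pinned interface. The following Python script is an added example, not Citrix code or part of the guide. It takes the values from the table above, models SNIP selection as a longest-prefix match (this example's assumption about how the source SNIP is chosen, not a description of NetScaler internals), checks that the four services land on four distinct interfaces, and emits the complete command sequence including the static ARP entries that pin the gateway MAC and the SNIP MACs.

```python
"""Consistency check for the SNIP-per-interface scenario (added example, not Citrix code).

SNIP selection is modelled as longest-prefix match over the SNIP subnets; that model is
this example's assumption. All addresses and MACs are the scenario's own values.
"""
import ipaddress

# Scenario data from the table above: SNIP -> (netmask, pinned interface, interface MAC)
SNIPS = {
    "10.10.10.2": ("255.255.255.0",   "1/2", "00:e0:ed:0f:bc:e0"),
    "10.10.10.3": ("255.255.255.128", "1/3", "00:e0:ed:0f:bc:df"),
    "10.10.10.4": ("255.255.255.192", "1/4", "00:e0:ed:0f:bc:de"),
    "10.10.10.5": ("255.255.255.224", "1/5", "00:e0:ed:1c:89:53"),
}
# Dummy LLB service -> the next-hop address it stands for
SERVICES = {
    "LLB_SVC2": "10.10.10.240",
    "LLB_SVC3": "10.10.10.120",
    "LLB_SVC4": "10.10.10.60",
    "LLB_SVC5": "10.10.10.30",
}
ROUTER_IP, ROUTER_MAC = "10.10.10.1", "00:21:a1:2d:db:cc"


def select_snip(dest):
    """Longest-prefix match of dest against the SNIP subnets. Returns (snip, ifnum)."""
    d = ipaddress.ip_address(dest)
    best = None
    for snip, (mask, ifnum, _mac) in SNIPS.items():
        net = ipaddress.ip_network(f"{snip}/{mask}", strict=False)
        if d in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, snip, ifnum)
    if best is None:
        raise LookupError(f"no SNIP subnet contains {dest}")
    return best[1], best[2]


def link_plan():
    """Which SNIP and interface each dummy service's traffic will use."""
    return {svc: select_snip(ip) for svc, ip in SERVICES.items()}


def check_distinct_links(plan):
    """Load is spread only if every service leaves through a different interface."""
    ifaces = [ifnum for _snip, ifnum in plan.values()]
    return len(set(ifaces)) == len(ifaces)


def cli_commands():
    """The scenario's command sequence, derived from the data instead of typed by hand."""
    lines = [f"add ns ip {s} {mask} -type SNIP" for s, (mask, _i, _m) in SNIPS.items()]
    lines += [f"add service {svc} {ip} any *" for svc, ip in SERVICES.items()]
    lines.append(f"add monitor TRANS_MON ping -destIP {ROUTER_IP} -transparent YES")
    lines += [f"bind monitor TRANS_MON {svc}" for svc in SERVICES]
    lines += ["add lb vserver LLB_VSERVER1 any",
              "set lb vserver LLB_VSERVER1 -lbmethod ROUNDROBIN"]
    lines += [f"bind lb vserver LLB_VSERVER1 {svc}" for svc in SERVICES]
    lines.append("add lb route 0.0.0.0 0.0.0.0 LLB_VSERVER1")
    # Static ARP: the gateway MAC behind each service address, on the interface the
    # service's source SNIP is pinned to, then each SNIP's own MAC on that interface.
    for _svc, ip in SERVICES.items():
        _snip, ifnum = select_snip(ip)
        lines.append(f"add arp -ipAddress {ip} -mac {ROUTER_MAC} -ifnum {ifnum}")
    for snip, (_mask, ifnum, mac) in SNIPS.items():
        lines.append(f"add arp -ipAddress {snip} -mac {mac} -ifnum {ifnum}")
    return lines


if __name__ == "__main__":
    plan = link_plan()
    for svc, (snip, ifnum) in plan.items():
        print(f"{svc:9} -> source {snip} via {ifnum}")
    print("distinct links:", check_distinct_links(plan))
    print("\n".join(cli_commands()))
```

Two caveats follow from the design. The static ARP entries pin the gateway's MAC, so an ARP spoof of 10.10.10.1 on these links is ignored, but a legitimate change of the router's interface MAC (hardware replacement, HSRP/VRRP change on the router side) blackholes the four services until the entries are updated; the transparent ping monitor will then mark them DOWN, which is the signal to look for. And if the masks were all /24, select_snip would return the same SNIP for every service and the check would fail, which is exactly why step 1 uses different subnet ranges.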

Monitoring the Bridge Table and Changing the Aging Time

The NetScaler appliance bridges frames on the basis of a bridge table lookup of the destination MAC address and the VLAN ID. However, the appliance performs this forwarding only when Layer 2 mode is enabled.

The bridge table is dynamically generated, but you can display it, modify the aging time for the bridge table, and view bridging statistics.

To display the bridge table by using the NetScaler command line

At the NetScaler command prompt, type:

sh bridgetable

Example

> show bridgetable

Ageing time for bridge table entries : 300 seconds

        MAC                 Iface   VLAN
        ---                 -----   ----
1)      00:d0:68:0b:58:da   1/1     1
2)      00:00:5e:00:02:21   1/1     1
3)      00:11:95:1d:87:40   1/1     1
4)      00:d0:68:07:8b:bf   1/1     1
5)      00:e0:81:01:13:5a   1/1     1
6)      00:d0:68:10:6d:7a   1/1     1
7)      00:30:48:90:fa:d2   1/1     1
8)      02:d0:68:15:fd:3d   1/1     1
9)      00:0d:88:24:5f:30   1/1     1
10)     00:21:55:24:b8:3f   1/1     1
11)     00:d0:68:15:fd:36   1/1     1
 Done


To display the bridge table by using the configuration utility

1. In the navigation pane, expand Network and click Bridge Table.

2. Optionally, on the Bridge Table page, select an entry to display its properties at the bottom of the screen.

To change the aging time by using the NetScaler command line

At the NetScaler command prompt, type:

• set bridgetable -bridgeAge <positive_integer>

• show bridgetable

Example

> set bridgetable -bridgeage 70
 Done
> show bridgetable

Ageing time for bridge table entries : 70 seconds

        MAC                 Iface   VLAN
        ---                 -----   ----
1)      00:d0:68:0b:58:da   1/1     1
2)      00:00:5e:00:02:21   1/1     1
3)      00:11:95:1d:87:40   1/1     1
4)      00:d0:68:07:8b:bf   1/1     1
5)      00:e0:81:01:13:5a   1/1     1
6)      00:d0:68:10:6d:7a   1/1     1
7)      00:30:48:67:11:00   1/1     1
8)      00:30:48:90:fa:d2   1/1     1
9)      02:d0:68:15:fd:3d   1/1     1
10)     00:0d:88:24:5f:30   1/1     1
11)     00:21:55:24:b8:3f   1/1     1
12)     00:d0:68:15:fd:36   1/1     1
 Done

Parameter for changing the aging time

bridgeAge
The bridge aging time in seconds. Possible values: 60 to 300. Default: 300.


To change the aging time by using the configuration utility

1. In the navigation pane, expand Network, and then click Bridge Table.

2. In the details pane, click Change Ageing Time.

3. In the Change Ageing Time dialog box, in the Ageing Time (seconds) text box, type the aging time (for example, 70).

4. Click OK. All the MAC entries in the bridge table are updated with the aging time.

To view the statistics of a bridge table by using the NetScaler command line

At the NetScaler command prompt, type:

stat bridge

Example

> stat bridge

Bridging Statistics
                          Rate (/s)      Total
Loops                             0          0
Collisions                        0          0
Interface muted                   0          0
 Done

To view the statistics of a bridge table by using the configuration utility

1. On the Bridge Table page, select the MAC address for which you want to view the statistics (for example, 00:12:01:0a:5f:46).

2. Click Statistics.
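The bridge table is the appliance's record of which MAC address it last saw behind which interface and VLAN, so comparing two captures of show bridgetable tells you which stations moved. A move is either legitimate (for example the GARP that follows a VRRP failover, described later in this chapter) or a sign that another station is using a MAC it should not. The following Python script is an added example and is not Citrix code or part of the guide; it parses output in the format shown above and reports the differences between two snapshots. The two sample listings are constructed from the format of the listings above (a cut-down copy, and a second capture in which one entry has changed interface); the IANA VRRP ranges used to tag a moved entry are from RFC 5798.

```python
"""Parse `show bridgetable` output and diff two captures (added example, not Citrix code).

SNAPSHOT_1 and SNAPSHOT_2 are constructed samples in the format of the listings above.
"""
import re

AGE_RE = re.compile(r"Ageing time for bridge table entries\s*:\s*(\d+)\s*seconds")
ENTRY_RE = re.compile(
    r"^\s*\d+\)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<iface>\S+)\s+(?P<vlan>\d+)\s*$",
    re.IGNORECASE,
)
BRIDGE_AGE_RANGE = range(60, 301)   # bridgeAge: 60 to 300 seconds (parameter above)


def parse_bridgetable(text):
    """Return (ageing_seconds, {mac: (iface, vlan)}) from `show bridgetable` output."""
    ageing, entries = None, {}
    for line in text.splitlines():
        m = AGE_RE.search(line)
        if m:
            ageing = int(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m["mac"].lower()] = (m["iface"], int(m["vlan"]))
    return ageing, entries


def mac_moves(before, after):
    """MACs present in both captures whose (iface, vlan) changed: {mac: (old, new)}."""
    return {mac: (before[mac], after[mac])
            for mac in before.keys() & after.keys() if before[mac] != after[mac]}


def is_vrrp_vmac(mac):
    """RFC 5798 reserves 00:00:5e:00:01:xx (IPv4) and 00:00:5e:00:02:xx (IPv6) for VRRP."""
    return mac.lower().startswith(("00:00:5e:00:01:", "00:00:5e:00:02:"))


def valid_bridge_age(seconds):
    """Range check for set bridgetable -bridgeAge."""
    return seconds in BRIDGE_AGE_RANGE


def report(before_text, after_text):
    """Diff two captures; returns the report as a list of lines."""
    age1, t1 = parse_bridgetable(before_text)
    age2, t2 = parse_bridgetable(after_text)
    lines = []
    if age1 != age2:
        lines.append(f"ageing time changed {age1}s -> {age2}s")
    for mac, (old, new) in sorted(mac_moves(t1, t2).items()):
        tag = "vrrp-vmac" if is_vrrp_vmac(mac) else "station"
        lines.append(f"{tag} {mac} moved {old[0]} vlan {old[1]} -> {new[0]} vlan {new[1]}")
    for mac in sorted(t1.keys() - t2.keys()):
        lines.append(f"aged out {mac}")
    for mac in sorted(t2.keys() - t1.keys()):
        lines.append(f"new {mac} on {t2[mac][0]} vlan {t2[mac][1]}")
    return lines


# Constructed sample captures in the format of the listings above.
SNAPSHOT_1 = """\
> show bridgetable

Ageing time for bridge table entries : 300 seconds

        MAC                 Iface   VLAN
        ---                 -----   ----
1)      00:d0:68:0b:58:da   1/1     1
2)      00:00:5e:00:02:21   1/1     1
3)      00:11:95:1d:87:40   1/1     1
 Done
"""

SNAPSHOT_2 = """\
> show bridgetable

Ageing time for bridge table entries : 70 seconds

        MAC                 Iface   VLAN
        ---                 -----   ----
1)      00:d0:68:0b:58:da   1/1     1
2)      00:00:5e:00:02:21   1/2     1
3)      00:30:48:67:11:00   1/1     1
 Done
"""

if __name__ == "__main__":
    print("\n".join(report(SNAPSHOT_1, SNAPSHOT_2)))
```

A shorter aging time (the example above sets 70 seconds) makes stale entries disappear sooner after a legitimate move, at the cost of more flooding of unknown-destination frames; the parser's range check mirrors the 60 to 300 second limit of bridgeAge so a capture-driven tool never proposes a value the appliance will reject.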

Understanding NetScaler Appliances in Active-Active Mode Using VRRP

An active-active deployment, in addition to preventing downtime, makes efficient use of all the NetScaler appliances in the deployment. In active-active deployment mode, the same VIPs are configured on all NetScaler appliances in the configuration, but with different priorities, so that a given VIP can be active on only one appliance at a time.


Note: This feature is supported only on NetScaler nCore builds.

The active VIP is called the master VIP, and the corresponding VIPs on the other NetScaler appliances are called the backup VIPs. If a master VIP fails, the backup VIP with the highest priority takes over and becomes the master VIP. All the NetScaler appliances in an active-active deployment use the Virtual Router Redundancy Protocol (VRRP) to advertise their VIPs and the corresponding priorities at regular intervals.

NetScaler appliances in active-active mode can be configured so that no NetScaler is idle. In this configuration, different sets of VIPs are active on each NetScaler. For example, in the following diagram, VIP1, VIP2, VIP3, and VIP4 are configured on appliances NS1, NS2, and NS3. Because of their priorities, VIP1 and VIP2 are active on NS1, VIP3 is active on NS2, and VIP4 is active on NS3. If, for example, NS1 fails, VIP1 on NS3 and VIP2 on NS2 become active.

Figure 2-7. An Active-Active Configuration


The NetScaler appliances in the above diagram process traffic as follows:

1. Client C1 sends a request to VIP1. The request reaches R1.

2. R1 does not have an ARP entry for VIP1, so it broadcasts an ARP request for VIP1.

3. VIP1 is active on NS1, so NS1 replies with the VMAC associated with VIP1 (for example, VMAC1) as the source MAC address, and VIP1 as the source IP address.

4. SW1 learns the port for VIP1 from the ARP reply and updates its bridge table.

5. R1 updates the ARP entry with VMAC1 and VIP1.

6. R1 forwards the packet to the VIP1 on NS1.

7. NS1's load balancing algorithm selects server S2, and NS1 opens a connection between one of its SNIP or MIP addresses and S2.

8. S2 replies to the SNIP or MIP on the NetScaler.

9. NS1 sends S2's reply to the client. In the reply, NS1 inserts the MAC address of the physical interface as the source MAC address and VIP1 as the source IP address.

10. Should NS1 fail, the NetScaler appliances use VRRP to select the VIP1 with the highest priority. In this case, VIP1 on NS3 becomes active, and the following two steps update the active-active configuration.

11. NS3 broadcasts a GARP message for VIP1. In the message, VMAC1 is the source MAC address and VIP1 is the source IP address.

12. SW1 learns the new port for VMAC1 from the GARP broadcast and updates its bridge table to send subsequent client requests for VIP1 to NS3. R1 updates its ARP table.

The priority of a VIP can be modified by health tracking. If you enable health tracking, you should make sure that preemption is also enabled, so that a VIP whose priority is lowered can be preempted by another VIP.

In some situations, traffic might reach a backup VIP. To avoid dropping such traffic, you can enable sharing, on a per-node basis, as you create an active-active configuration. Or you can enable the global send to master option. On a node on which sharing is enabled, sharing takes precedence over send to master.

Health Tracking

Base priority (BP; range 1-255) ordinarily determines which VIP is the master VIP, but effective priority (EP) can also affect the determination.

For example, if a VIP on NS1 has a priority of 101 and the same VIP on NS2 has a priority of 99, the VIP on NS1 is active. However, if two vservers are using the VIP on NS1 and one of them goes DOWN, health tracking can reduce the EP of the VIP on NS1. VRRP then makes the VIP on NS2 the active VIP.

Following are the health tracking options for modifying EP:

• NONE. No tracking. EP = BP.


• ALL. If all virtual servers are UP, then EP = BP. Otherwise, EP = 0.

• ONE. If at least one virtual server is UP, then EP = BP. Otherwise, EP = 0.

• PROGRESSIVE. If all virtual servers are UP, then EP = BP. If all virtual servers are DOWN, then EP = 0. Otherwise, EP = BP × (1 - k/N), where N is the total number of virtual servers associated with the VIP and k is the number of virtual servers that are DOWN.

Note: If you specify a value other than NONE, preemption should be enabled, so that the backup VIP with the highest priority becomes active if the priority of the master VIP is downgraded.

Preemption

Preemption of an active VIP by another VIP that attains a higher priority is enabled by default, and normally should be enabled. In some cases, however, you may want to disable it. Preemption is a per-node setting for each VIP.

Preemption can occur in the following situations:

• An active VIP goes down and a VIP with a lower priority takes its place. If the VIP with the higher priority comes back online, it preempts the currently active VIP.

• Health tracking causes the priority of a backup VIP to become higher than that of the active VIP. The backup VIP then preempts the active VIP.

Sharing

In the event that traffic reaches a backup VIP, the traffic is dropped unless the sharing option is enabled on the backup VIP. This behavior is a per-node setting for each VIP and is disabled by default.

In the figure “An Active-Active Configuration”, VIP1 on NS1 is active and VIP1 on NS2 and NS3 is a backup. Under certain circumstances, traffic may reach VIP1 on NS2. If sharing is enabled on NS2, this traffic is processed instead of dropped.

Configuring Active-Active Mode

On each NetScaler appliance that you want to deploy in active-active mode, you must add a VMAC and bind the VMAC to a VIP. The VMAC for a given VIP must be the same on each appliance. For example, if VIP 10.102.29.5 is created on the appliances, a virtual router ID must be created on each NetScaler and bound to VIP 10.102.29.5 on each NetScaler. When you bind a VMAC to a VIP, the NetScaler sends VRRP advertisements to each VLAN that is bound to that VIP. The VMAC can be shared by different VIPs configured on the same NetScaler.


Adding a VMAC

To add a VMAC for an active-active configuration, you create a virtual router ID. To bind a VMAC to a VIP, you associate the VMAC's virtual router ID with the VIP.

To add a VMAC by using the NetScaler command line

At the NetScaler command prompt, type:

add vrID <value> -priority <value> -preemption ( ENABLED | DISABLED ) -sharing ( ENABLED | DISABLED ) -tracking ( NONE | ONE | ALL | PROGRESSIVE )

Example

add vrID 125 -priority 100 -sharing ENABLED -tracking ONE

Parameters for configuring a VMAC

vrID
The VRID that identifies the VMAC. Possible values: 1 - 255.

priority
The base priority of the VMAC. Range: 1 - 255. Default: 255.

tracking
The health tracking option for this VMAC. Possible values: NONE, ONE, ALL, PROGRESSIVE. Default: NONE.

preemption
Make a backup VIP the master if its priority becomes higher than that of a master VIP that is bound to this VMAC. Possible values: ENABLED, DISABLED. Default: ENABLED.

sharing
Enable or disable sharing for this VMAC. Possible values: ENABLED, DISABLED. Default: DISABLED.

To add a VMAC by using the configuration utility

1. In the navigation pane, expand Network and click VMAC.

2. On the VMAC page, click Add.

3. In the Add VMAC dialog box, in the Virtual Router ID text box, type a number (for example, 125) to assign as the VMAC ID.

4. In the Priority text box, enter a priority number (for example, 100) that will be associated with the VIPs bound to this VMAC.

5. In the Tracking drop down box, select a health tracking option (for example, ONE).

6. Select or clear the Preemption check box to enable or disable preemption on VIPs that are bound to this VMAC.


7. Select or clear the Sharing check box to enable or disable sharing on VIPs that are bound to this VMAC.

8. Click Create.

To bind a VMAC to a VIP by using the NetScaler command line

At the NetScaler command prompt, type:

set ns ip <VIP address> -vrid <value>

Example

set ns ip 10.102.29.5 -vrid 125

To bind a VMAC to a VIP by using the NetScaler configuration utility

1. In the navigation pane, expand Network, and then click IPs.

2. In the details pane, on the IPv4s tab, select the VIP address (for example, 10.102.29.5) that you want to bind to a VMAC, and then click Open.

3. In the Configure IP dialog box, in the Virtual Router Id drop-down box, select a virtual router ID (for example, 125).

4. Click OK.

Configuring Send to Master

Usually, the traffic destined to a VIP reaches the NetScaler appliance on which the VIP is active, because the upstream router has learned the VIP-to-VMAC mapping from the ARP reply or GARP message sent by that appliance. But in some cases, such as static routes configured on the upstream router for the VIP subnet, or a topology that blocks this route, the traffic can reach a NetScaler appliance on which the VIP is in backup state. If you want this appliance to forward the data packets to the appliance on which the VIP is active, you need to enable the send to master option. This behavior is a per-node setting and is disabled by default.

For example, in the following diagram, VIP1 is configured on NS1, NS2, and NS3 and is active on NS1. Under certain circumstances, traffic for VIP1 (active on NS1) may reach VIP1 on NS3. When the send to master option is enabled on NS3, NS3 forwards the traffic to NS1 through NS2 by using route entries for NS1.


Figure 2-8. An Active-Active Configuration with Send to Master Option Enabled

To enable send to master by using the NetScaler command line

At the NetScaler command prompt, type:

set vrIDParam -sendToMaster ( ENABLED | DISABLED )

Example

set vrIDParam -sendToMaster ENABLED


Parameter for enabling send to master

sendToMaster
Forward the packet to the master node if the VIP bound to the VMAC is in backup state and sharing is disabled.

Possible values: ENABLED, DISABLED. Default: DISABLED.

To enable send to master by using the configuration utility

1. In the navigation pane, expand Network.

2. In the details pane, under Settings, click Virtual Router Parameters.

3. In the Virtual Router Parameters dialog box, select the Send to Master option.

4. Click OK.

An Active-Active Deployment Scenario

Following is an example of a possible active-active deployment scenario.

In the following diagram, VIP1, VIP2, and VIP3 are configured on all three appliances, NS1, NS2, and NS3. Base priorities for each VIP are as shown in the diagram. Health tracking is disabled for each VIP. The priorities of the VIPs are set so that VIP1, VIP2, and VIP3 are active on NS3. If NS3 fails, VIP1, VIP2, and VIP3 become active on NS1.


Figure 2-9. An Active-Active Deployment Scenario

Using the Network Visualizer

The Network Visualizer is a tool that you can use to view the network configuration of a NetScaler node, including the network configuration of the nodes in a high availability (HA) deployment. You can also modify the configuration of VLANs, interfaces, channels, and bridge groups, and perform HA configuration tasks.

In an HA deployment, you can both view and configure network entities on the node to which you are logged on, but you can view the details of only the network entities that are configured on the peer node. However, you can perform certain tasks, such as viewing details and statistics of the peer node and forcing a failover.

When you are logged on to a standalone appliance, you can use the Network Visualizer to do the following:

• View a consolidated graphical summary of key network components, such as VLANs, interfaces, channels, and bridge groups. You can also view the individual details of various network components.

• Modify appliance settings.

• Add, modify, and enable and disable interfaces and channels that are configured on the NetScaler appliance.

• Add and modify VLANs and bridge groups.

• Configure an HA deployment (add a node).

• View node details, node statistics, and statistics for VLANs and interfaces.

• Copy the properties of a network entity to a document or spreadsheet.

When you are logged on to an appliance in an HA deployment, you can perform the above tasks only on the appliance to which you are logged on. Following are additional tasks that you can perform in the Network Visualizer when you are logged on to one of the appliances in an HA pair:

• View the configuration details and high availability details of both nodes in an HA pair.

• Perform HA configuration tasks, such as synchronization and force failover.

• Remove the peer node from the HA configuration.

• View statistics for the peer node.

• Copy the properties of the peer node to a document or spreadsheet.

To open the Network Visualizer

1. In the navigation pane, click Network.

2. In Monitor Connections, click Network Visualizer.

To locate a VLAN or bridge group in the Visualizer

Open the Network Visualizer, and then do the following:

• To locate a VLAN or bridge group, in the Search text field, begin typing the ID of the VLAN or the bridge group that you want to locate.

Alternatively, begin typing the IP address of a bound subnet or the ID of a bound interface. The VLANs or bridge groups whose names match the typed characters are highlighted.


To highlight multiple entities simultaneously, separate the IDs and IP addresses with white spaces. Entities whose IDs or IP addresses match any of the typed IDs and IP addresses are highlighted.

• To clear the Search field, click the x adjacent to the field.

To view the configuration details of an entity by using the Visualizer

Open the Network Visualizer and do one of the following:

• To view a brief summary of the entity, place the pointer on the entity.

A brief summary of the entity appears at the bottom of the viewable area.

• To view the detailed configuration information about the entity, click the entity.

The configuration details for that entity appear in the Details area.

To modify the network settings of the appliance by using the Visualizer

1. Open the Network Visualizer and click the icon representing the appliance to which you are logged on.

2. In Related Tasks, click Open.

To add a channel by using the Visualizer

1. Open the Network Visualizer and click a network interface.

2. In Related Tasks, click Add Channel.

To add a VLAN by using the Visualizer

Open the Network Visualizer, click the appliance to which you are logged on, and then do one of the following:

• Click an existing VLAN, and then, in Related Tasks, click Add.

• Click an existing bridge group, and then, in Related Tasks, click Add VLAN.

To add a bridge group by using the Visualizer

Open the Network Visualizer, click the appliance to which you are logged on, and then do one of the following:

• Click an existing bridge group, and then, in Related Tasks, click Add.


• Click an existing VLAN, and then, in Related Tasks, click Add Bridge Group.

To modify the settings of an interface or channel by using the Visualizer

1. Open the Network Visualizer and click the interface whose settings you want to modify.

2. In Related Tasks, click Open.

To enable or disable an interface or channel by using the Visualizer

1. Open the Network Visualizer and click the interface or channel that you want to enable or disable.

2. In Related Tasks, do one of the following.

• To enable the interface or channel, click Enable.

• To disable the interface or channel, click Disable.

To remove a configured channel, VLAN, or bridge group by using the Visualizer

1. Open the Network Visualizer and click the channel, VLAN, or bridge group that you want to remove from the configuration.

2. In Related Tasks, click Remove.

To view statistics for a node, channel, interface, or VLAN by using the Visualizer

1. Open the Network Visualizer and click the node, interface, or VLAN whose statistics you want to view.

2. In Related Tasks, click Statistics.

To set up an HA deployment by using the Visualizer

1. Open the Network Visualizer and click the appliance.

2. In Related Tasks, click HA Setup.


To view the high availability details of a node by using the Visualizer

1. Open the Network Visualizer and click the node whose high availability details you want to view.

2. In Related Tasks, click Details.

To force the secondary node to take over as the primary by using the Visualizer

1. Open the Network Visualizer and click one of the nodes.

2. In Related Tasks, click Force Failover.

To synchronize the secondary node's configuration with the primary node by using the Visualizer

1. Open the Network Visualizer and click one of the nodes.

2. In Related Tasks, click Force Synchronization.

To remove the peer node from the HA configuration

1. Open the Network Visualizer and click the peer node.

2. In Related Tasks, click Remove.

To copy the properties of a node or network entity by using the Visualizer

1. Open the Network Visualizer and click the appliance or network entity whose properties you want to copy to a document or spreadsheet.

2. In Related Tasks, click Copy Properties.


Chapter 3

Access Control Lists

Topics:

• ACL Precedence

• Configuring Simple ACLs

• Configuring Extended ACLs

• Configuring Simple ACL6s

• Configuring ACL6s

• Terminating Established Connections

Access Control Lists (ACLs) filter IP traffic and secure your network from unauthorized access. An ACL consists of a set of conditions that the NetScaler® appliance uses to allow or deny access. Consider a small organization that consists of 3 departments, Finance, HR, and Documentation, where no department wants another to access its data. The administrator of the organization can configure ACLs on the NetScaler to allow or deny access. When the NetScaler receives a data packet, it compares the information in the data packet with the conditions specified in the ACL and allows or denies access. The NetScaler supports simple ACLs, extended ACLs, and ACL6s. If both simple and extended ACLs are configured, incoming packets are compared to the simple ACLs first.

Simple ACLs filter packets on the basis of their source IP address and, optionally, their destination port and/or their protocol. Any packet that has the characteristics specified in the ACL is dropped. You can create up to 200,000 simple ACLs.

Extended ACLs filter data packets on the basis of various parameters, such as source IP address, source port, action, and protocol. An extended ACL defines the conditions that a packet must satisfy for the NetScaler to process the packet, bridge the packet, or drop the packet. These actions are known as "processing modes." You can create up to 10,000 extended ACLs.

The processing modes are:

• ALLOW - The NetScaler processes the packet.

• BRIDGE - The NetScaler bridges the packet to the destination without processing it.

• DENY - The NetScaler drops the packet.

The NetScaler processes an IP packet directly when both of the following conditions exist:

• ACLs are configured on the NetScaler.

• The IP packet does not match any of the ACLs.


Simple ACL6s filter IPv6 packets on the basis of their source IPv6 address and, optionally, their destination port and/or their protocol. Any packet that has the characteristics specified in the simple ACL6 is dropped. You can create up to 200,000 simple ACL6s.

ACL6s are ACLs created specifically for IPv6 addresses. ACL6s filter packets on the basis of packet parameters, such as source IP address, source port, action, and so on. An ACL6 defines the condition that a packet must satisfy for the NetScaler to process the packet, bridge the packet, or drop the packet. These actions are known as "processing modes." You can create up to 8,000 ACL6s.

The processing modes are:

• ALLOW - The NetScaler processes the packet.

• BRIDGE - The NetScaler bridges the packet to the destination without processing it.

• DENY - The NetScaler drops the packet.

The NetScaler processes an IP packet directly when both of the following conditions exist:

• ACL6s are configured on the NetScaler.

• The IP packet does not match any of the ACL6s.


ACL Precedence

An IPv4 packet that matches the conditions specified in a simple ACL is dropped. If the packet does not match any simple ACL, the NetScaler compares the packet's characteristics to those specified in any configured extended ACLs. If the packet matches an extended ACL, the NetScaler applies the action specified in the Extended ACL, as shown in the following diagram.

Figure 3-1. Simple and Extended ACLs Flow Sequence

IPv6 packets are compared only to ACL6s.
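The flow sequence above, as an added Python model that is not part of the Citrix guide: simple ACLs are consulted first and any match drops the packet; otherwise the enabled extended ACLs are tried in ascending priority order (the ordering rule the guide describes under renumbering) and the first match decides; a packet that matches nothing is processed normally. Packet, SimpleAcl, ExtendedAcl and evaluate are my own names, the sample ACLs are constructed, and the "apply" step the appliance requires before ACLs take effect is not modelled. The sample addresses reuse the guide's examples.

```python
# Added example (not from the Citrix guide): a model of the IPv4 ACL precedence
# described above. Simple ACLs are checked first and any match drops the packet;
# otherwise enabled extended ACLs are evaluated in ascending priority order and
# the first match decides; a packet that matches nothing is processed normally.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str            # "TCP", "UDP", "ICMP", ...
    src_port: int = 0
    dst_port: int = 0


@dataclass
class SimpleAcl:
    """Simple ACL: source IP plus optional destination port/protocol; always DENY."""
    name: str
    src_ip: str
    dst_port: Optional[int] = None      # None means an all-ports ACL
    protocol: Optional[str] = None      # required when dst_port is set

    def matches(self, pkt: Packet) -> bool:
        if pkt.src_ip != self.src_ip:
            return False
        if self.dst_port is None:
            return True
        return pkt.dst_port == self.dst_port and pkt.protocol == self.protocol


@dataclass
class ExtendedAcl:
    """Extended ACL with the subset of parameters needed here.
    Ranges are inclusive (low, high) pairs; the operator is "=" or "!="."""
    name: str
    action: str                         # ALLOW, BRIDGE or DENY
    priority: int                       # lower number is evaluated first
    src_ip: Optional[Tuple[str, str]] = None
    src_ip_op: str = "="
    dst_ip: Optional[Tuple[str, str]] = None
    dst_ip_op: str = "="
    protocol: Optional[str] = None
    src_port: Optional[Tuple[int, int]] = None
    dst_port: Optional[Tuple[int, int]] = None
    enabled: bool = True

    @staticmethod
    def _ip_ok(ip: str, rng, op: str) -> bool:
        if rng is None:
            return True
        inside = IPv4Address(rng[0]) <= IPv4Address(ip) <= IPv4Address(rng[1])
        return inside if op == "=" else not inside

    @staticmethod
    def _port_ok(port: int, rng) -> bool:
        return rng is None or rng[0] <= port <= rng[1]

    def matches(self, pkt: Packet) -> bool:
        return (self.enabled
                and self._ip_ok(pkt.src_ip, self.src_ip, self.src_ip_op)
                and self._ip_ok(pkt.dst_ip, self.dst_ip, self.dst_ip_op)
                and (self.protocol is None or self.protocol == pkt.protocol)
                and self._port_ok(pkt.src_port, self.src_port)
                and self._port_ok(pkt.dst_port, self.dst_port))


def evaluate(pkt: Packet, simple_acls, extended_acls):
    """Return (verdict, acl_name) following the guide's flow sequence."""
    for acl in simple_acls:                     # simple ACLs first: a match means drop
        if acl.matches(pkt):
            return "DENY", acl.name
    for acl in sorted(extended_acls, key=lambda a: a.priority):
        if acl.matches(pkt):                    # first match in priority order wins
            return acl.action, acl.name
    return "ALLOW", None                        # no ACL matched: processed normally


# Constructed sample configuration (addresses reuse the guide's examples).
SIMPLE_ACLS = [SimpleAcl("rule1", "10.102.29.5")]
EXTENDED_ACLS = [
    ExtendedAcl("old_block", "DENY", 3, enabled=False),         # disabled: skipped
    ExtendedAcl("allow_admin", "ALLOW", 5,
                src_ip=("10.102.29.30", "10.102.29.189"),
                dst_ip=("192.168.1.1", "192.168.1.1")),
    ExtendedAcl("restrict", "DENY", 10,
                dst_ip=("192.168.1.1", "192.168.1.1"),
                protocol="TCP", src_port=(45, 1024)),
]

if __name__ == "__main__":
    for pkt in (Packet("10.102.29.5", "192.168.1.1", "TCP", 500, 80),
                Packet("10.102.29.40", "192.168.1.1", "TCP", 500, 80),
                Packet("172.16.0.9", "192.168.1.1", "TCP", 500, 80),
                Packet("172.16.0.9", "192.168.1.1", "TCP", 5000, 80)):
        print(pkt.src_ip, pkt.src_port, "->", evaluate(pkt, SIMPLE_ACLS, EXTENDED_ACLS))
```

The first packet shows the precedence point that matters operationally: the simple ACL drops 10.102.29.5 even though an extended ALLOW with a lower priority number would otherwise have matched it, so a simple ACL can never be "overridden" by an extended one.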

Configuring Simple ACLs

A simple ACL, which uses few parameters, cannot be modified once created. When creating a simple ACL, you can specify a time to live (TTL), in seconds, after which the ACL expires. ACLs with TTLs are not saved when you save the configuration. You can also remove a simple ACL manually. You can display simple ACLs to verify their configuration, and you can display statistics to monitor their performance.

Creating Simple ACLs

Use either of the following procedures to create a simple ACL.


To create a simple ACL by using the NetScaler command line

At the NetScaler command prompt, type the following commands to add an ACL and verify the configuration:

• add ns simpleacl <aclname> DENY -srcIP <ip_addr> [-destPort <port> -protocol ( TCP | UDP )] [-TTL <positive_integer>]

• show ns simpleacl [<aclname>]

Example

> add simpleacl rule1 DENY -srcIP 10.102.29.5 -TTL 600
 Done
> show simpleacl rule1
 Name: rule1
 Action: DENY
 srcIP = 10.102.29.5
 Protocol:
 DestPort:
 Hits: 0
 TTL: 590(seconds)
 Done

Parameters for configuring a Simple ACL

aclName
Alphanumeric name of the ACL. Maximum length: 127 characters.

srcIP
IP address of the source machine. You can also specify a range of addresses.

destPort
A destination port on the NetScaler. If you do not specify a port, you create an all-ports ACL, which matches any port. In that case, you cannot create another ACL specifying a specific port and the same source IP address.

protocol
Underlying protocol for this connection. You must specify a value for this parameter if you set the destPort parameter. Possible values: TCP or UDP.

TTL
Number of seconds after which the ACL is to expire. Possible values: 1 to 2147483647. Default: The ACL does not expire. (If you do not want the ACL to expire, do not specify a TTL value.)


To create a simple ACL by using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. In the ACLs pane, on the Simple ACLs tab, click Add.

3. In the Add Simple ACL dialog box, specify values for the following parameters:

• Name*—aclName

• Protocol—protocol

• Source IP Address—srcIP

• Destination Port—port

• TTL—TTL (If you do not want the ACL to expire, leave the TTL field blank.)

*A required parameter

4. Click Create, and then click Close.

5. On the Simple ACLs tab, select the ACL that you created and verify that the settings displayed at the bottom of the screen are correct.

Monitoring Simple ACLs

You can display the simple ACL statistics, which include the number of hits, the number of misses, and the number of simple ACLs configured.

To view simple ACL statistics by using the NetScaler command line

At the NetScaler command prompt, type:

stat ns simpleacl

Example

>stat ns simpleacl

                          Rate (/s)    Total
Deny SimpleACL hits               0        0
SimpleACL hits                    0        0
SimpleACL misses                  0       11
SimpleACLs count                 --        1
 Done

The following table describes statistics you can display for simple ACLs.


Table 3-1. Simple ACL Statistics

Statistic              Indicates
Deny SimpleACL hits    Packets dropped because they match a deny simple ACL
SimpleACL hits         Packets matching a simple ACL
SimpleACL misses       Packets not matching any simple ACL
SimpleACL count        Number of simple ACLs configured

To display simple ACL statistics by using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. In the details pane, select the ACL whose statistics you want to display (for example, rule1).

3. Click Statistics.

4. View the ACL statistics in the new window that opens.

Removing Simple ACLs

If you need to modify a simple ACL, you must remove it and create a new one.

To remove a single simple ACL by using the NetScaler command line

At the NetScaler command prompt, type:

• rm ns simpleacl <aclname>

• show ns simpleacl

To remove all simple ACLs by using the NetScaler command line

At the NetScaler command prompt, type:

• clear ns simpleacl

• show ns simpleacl

To remove a single simple ACL by using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. In the details pane, on the Simple ACLs tab, select the simple ACL that you want to remove (for example, rule1).


3. Click Remove.

4. In the Remove dialog box, click Yes.

5. In the details pane, on the Simple ACLs tab, verify that the entry for rule1 has been removed.

To remove all simple ACLs by using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. In the details pane, on the Simple ACLs tab, click Clear.

3. In the Clear Simple ACL (s) dialog box, click Yes.

4. In the details pane, verify that there are no entries in the Simple ACLs tab.

Configuring Extended ACLs

A typical workflow is to create the extended ACLs first and then modify them as needed.

For any of the following actions to take effect, they must be applied, by clicking the Commit button:

• Activate

• Remove

• Disable

• Change the Priority

Other actions include:

• Configure logging

• Verify the configuration

• Monitor ACL statistics

Note: If you configure both simple and extended ACLs, simple ACLs take precedence over extended ACLs.

Parameters of Extended ACLs can be configured during creation. Additionally, the following actions can be performed on Extended ACLs: Modify, Remove, Apply, Disable, Enable and Renumber the priority of Extended ACLs.

You can collect statistics of packets using Extended ACLs by enabling logging.

Creating and Modifying an Extended ACL


To create an extended ACL by using the NetScaler command line

At the NetScaler command prompt, type:

• add ns acl <aclname> <aclaction> [-srcIP [<operator>] <srcIPVal>] [-srcPort [<operator>] <srcPortVal>] [-destIP [<operator>] <destIPVal>] [-destPort [<operator>] <destPortVal>] [-TTL <positive_integer>] [-srcMac <mac_addr>] [(-protocol <protocol> [-established]) | -protocolNumber <positive_integer>] [-vlan <positive_integer>] [-interface <interface_name>] [-icmpType <positive_integer> [-icmpCode <positive_integer>]] [-priority <positive_integer>] [-state ( ENABLED | DISABLED )] [-logstate ( ENABLED | DISABLED ) [-ratelimit <positive_integer>]]

• show ns acl [<aclname>]

Example

> add ns acl restrict DENY -srcport 45-1024 -destIP 192.168.1.1 -protocol TCP
 Done
> show ns acl restrict
 Name: restrict
 Action: DENY
 Hits: 0
 srcIP
 destIP = 192.168.1.1
 srcMac:
 Protocol: TCP
 srcPort = 45-1024
 destPort
 Vlan:
 Interface:
 Active Status: ENABLED
 Applied Status: NOTAPPLIED
 Priority: 10
 NAT: NO
 TTL:
 Log Status: DISABLED
 Done

Parameters for configuring an extended ACL

aclname
Alphanumeric name of the ACL. Maximum length: 127 characters.

aclaction
The action associated with the ACL. The valid options for this parameter are BRIDGE, DENY, and ALLOW.

srcIP
IP address of the source machine. You can also specify a range of addresses, by enclosing the low and high addresses in brackets (for example, [10.102.29.30-10.102.29.189]).


operator
You can use the following operators while creating ACLs: = and !=.

destIP
The IP address of the destination system. You can also specify a range of addresses, by enclosing the low and high addresses in brackets (for example, [10.102.33.31-10.102.33.100]).

protocol
The protocol field in the IP header. Possible values: ICMP, IGMP, TCP, EGP, IGP, ARGUS, UDP, RDP, RSVP, EIGRP, L2TP, and ISIS.

protocolNumber
The IP protocol number (decimal). Minimum value: 1. Maximum value: 255.

srcPort
The port address of the source system. You can also specify a range of ports, by enclosing the low and high port numbers in brackets (for example [30-90]).

Note: The Source Port can be modified only for TCP and UDP.

destPort
The port address of the destination system. You also can specify a range of ports, by enclosing the low and high port numbers in brackets (for example [30-90]).

Note: The Destination Port can be modified only for TCP and UDP.

established
Use the ACL for TCP response traffic only.

TTL
ACLs can be configured to expire after a specified amount of time (in seconds). Possible values: 1 to 2147483647. Default: The ACL does not expire. (If you do not want the ACL to expire, do not specify a TTL value.)

srcMac
The MAC address of the source system. Only the last 32 bits are considered during a lookup.

vlan
The VLAN ID present in the VLAN tag of the packet. Possible values: 1 to 4094.

interface
This is the network interface on which the packet arrived.

icmpType
The ICMP message type. For example, to block DESTINATION UNREACHABLE messages, you must specify 3 as the ICMP type. For a complete list of ICMP types, see http://www.iana.org/assignments/icmp-parameters. Possible values: 0 to 255.

icmpCode
The ICMP message code. For example, to block DESTINATION HOST UNREACHABLE messages, specify 3 as the ICMP type and 1 as the ICMP code. For a complete list of ICMP types and codes, see http://www.iana.org/assignments/icmp-parameters. Possible values: 0 to 255.

priority
The priority of the ACL, which determines the order in which it will be evaluated relative to other extended ACLs. Possible values: 0 to 10240.

state
The state of the ACL. Possible values: ENABLED, DISABLED. Default: Enabled.

ratelimit
Log message rate limit for ACL. Possible values: 1 to 10000. Default: 100.

To create an extended ACL by using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. In the details pane, on the Extended ACLs tab, click Add.

3. In the Create ACL window, specify values for the following parameters, which correspond to parameters described in "Parameters for configuring an extended ACL" as shown:

• Name*—aclname

• Action*—aclaction

• Source, Operator—operator

• Source, Low/High—srcIP (To specify a single IP address, type the same address in both fields.)

• Destination, Operator—operator

• Destination, Low/High—destIP (To specify a single IP address, type the same address in both fields.)

• Protocol—protocol

• Source Port, operator—operator

• Source Port, Low/High—srcPort (To specify a single port, type the same port number in both fields.)

• Destination Port, Operator—operator

• Destination Port, Low/High—destPort (To specify a single port, type the same port number in both fields.)

• Established—established

• ICMP Message Type—icmpType

• ICMP Message Code—icmpCode

• Source Mac—srcMac


• VLAN—vlan

• Interface—interface

• Priority—priority

• TTL—TTL

• Enable ACL—state

• Log State—logstate

• Log Rate Limit—ratelimit

*A required parameter

4. Click Create, and then click Close.

5. In the details pane, verify that the settings for the ACL that you configured are correct.

Applying an Extended ACL

After you create or modify an extended ACL, you must activate it by using one of the following procedures. These procedures reapply all the ACLs.

For example, if you have created the ACLs rule1 through rule10, and then you create an ACL called rule11, and apply it, all of the ACLs (rule1 through rule11) are applied afresh.

If a session has a DENY ACL related to it, that session is terminated.

To apply an ACL by using the NetScaler command line

At the NetScaler command prompt, type:

• apply ns acls

• show ns acl

To apply an ACL by using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. Click Commit.

3. In the Apply ACL(s) dialog box, click Yes.

4. Verify the information on the Extended ACLs tab.

Disabling and Enabling Extended ACLs

By default, ACLs are enabled. This means when ACLs are applied, the NetScaler appliance compares incoming packets against the ACLs.

Disable an ACL if it will not be used for a certain period. After the ACLs are applied, the NetScaler does not compare incoming packets against disabled ACLs.


To disable or enable an extended ACL by using the NetScaler command line

At the NetScaler command prompt, type one of the following pairs of commands to disable or enable an ACL and verify the result:

• disable ns acl <aclname>

• show ns acl [<aclname>]

• enable ns acl <aclname>

• show ns acl [<aclname>]

Example

> disable ns acl restrict
 Done
> show ns acl restrict
 Name: restrict
 Action: DENY
 Hits: 0
 srcIP
 destIP = 192.168.1.1
 srcMac:
 Protocol: TCP
 srcPort = 45-1024
 destPort
 Vlan:
 Interface:
 Active Status: DISABLED
 Applied Status: NOTAPPLIED
 Priority: 10
 NAT: NO
 TTL:
 Log Status: DISABLED
 Done
> enable ns acl restrict
 Done
> show ns acl restrict
 Name: restrict
 Action: DENY
 Hits: 0
 srcIP
 destIP = 192.168.1.1
 srcMac:
 Protocol: TCP
 srcPort = 45-1024
 destPort
 Vlan:
 Interface:
 Active Status: ENABLED
 Applied Status: APPLIED
 Priority: 10
 NAT: NO
 TTL:
 Log Status: DISABLED
 Done

To disable or enable an extended ACL by using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. In the details pane, on the Extended ACLs tab, select the ACL (for example, rule1) and click Open.

3. In the Configure ACL dialog box, select the Enable ACL check box to enable, or clear the check box to disable, the ACL.

4. Click OK.

5. If you want to apply the new setting, which reapplies all ACLs, click Commit, and then, in the Apply ACL(s) dialog box, click Yes.

6. In the details pane, on the Extended ACLs tab, view the list to verify the changed status under the column Active Status.

Renumbering the priority of Extended ACLs

The renumber procedure resets the priorities of the ACLs to multiples of 10. The priority (an integer value) defines the order in which the NetScaler appliance evaluates ACLs. All priorities are multiples of 10, unless you configure a specific priority to an integer value. When you create an ACL without specifying a priority, the NetScaler automatically assigns a priority that is a multiple of 10.

If a packet matches the condition defined by the ACL, the NetScaler performs an action. If the packet does not match the condition defined by the ACL, the NetScaler compares the packet against the ACL with the next-highest priority.

Consider the following example. Two ACLs, rule1 and rule2, are automatically assigned priorities 20 and 30 when they are created. You need to add a third ACL, rule3, to be evaluated immediately after rule1. Rule3 must have a priority between 20 and 30. In this case, you can specify the priority as 25. Later, you can easily renumber the ACLs with priorities that are multiples of 10, without affecting the order in which the ACLs are applied.
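The rule1/rule3/rule2 example above, as an added Python illustration that is not part of the Citrix guide. ACLs are modelled as a name-to-priority mapping; evaluation_order, renumber and insert_after are my own names. insert_after picks the midpoint of the gap (25 between 20 and 30) and, when the gap has no free integer, renumbers first, which is exactly the situation the renumber step exists to resolve.

```python
# Added example (not from the Citrix guide): choosing an in-between priority for a
# new extended ACL and renumbering priorities to multiples of 10 without changing
# the evaluation order. ACLs are modelled as {name: priority}.


def evaluation_order(acls):
    """Names in the order the appliance evaluates them (lowest priority number first)."""
    return [name for name, _ in sorted(acls.items(), key=lambda kv: (kv[1], kv[0]))]


def renumber(acls):
    """Reassign 10, 20, 30, ... in the current evaluation order (what renumber ns acls does)."""
    return {name: 10 * (i + 1) for i, name in enumerate(evaluation_order(acls))}


def insert_after(acls, new_name, after_name):
    """Return a new mapping in which new_name is evaluated immediately after after_name.

    The midpoint of the gap to the next ACL is used (25 between 20 and 30). When the
    gap holds no free integer (for example 20 and 21), the list is renumbered first,
    which reopens gaps of nine between neighbours.
    """
    if new_name in acls:
        raise ValueError(f"ACL {new_name} already exists")
    order = evaluation_order(acls)
    idx = order.index(after_name)
    low = acls[after_name]
    if idx + 1 == len(order):                  # after the last ACL: step by 10
        new_priority = low + 10
    else:
        high = acls[order[idx + 1]]
        if high - low < 2:                     # nothing fits between: renumber, retry
            return insert_after(renumber(acls), new_name, after_name)
        new_priority = (low + high) // 2
    result = dict(acls)
    result[new_name] = new_priority
    return result


if __name__ == "__main__":
    acls = insert_after({"rule1": 20, "rule2": 30}, "rule3", "rule1")
    print(acls, evaluation_order(acls))          # rule3 gets 25
    print(renumber(acls))                        # rule1 10, rule3 20, rule2 30
```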

To renumber the ACLs by using the NetScaler command line

At the NetScaler command prompt, type:

renumber ns acls


To renumber the ACLs by using the configuration utility

1. In the navigation pane, expand Network, and then click ACLs.

2. In the details pane, on the Extended ACLs tab, click Renumber Priority (s).

3. In the Renumber Priority (s) ACL(s) dialog box, click Yes.

4. In the details pane, on the Extended ACLs tab, verify the changed priority.

Configuring Extended ACL Logging

You can configure the NetScaler appliance to log details for packets that match an extended ACL. In addition to the ACL name, the logged details include packet-specific information such as the source and destination IP addresses. The information is stored either in the syslog file or in the nslog file, depending on the type of global logging (syslog or nslog) enabled.

Logging can be enabled at both the global level and the ACL level. The global setting takes precedence.

For more information about enabling logging globally, see the Citrix NetScaler Administration Guide at http://support.citrix.com/article/CTX132357.

To optimize logging, when multiple packets from the same flow match an ACL, only the first packet's details are logged, and the counter is incremented for every packet that belongs to the same flow. A flow is defined as a set of packets that have the same values for the following parameters:

• Source IP address

• Destination IP address

• Source port

• Destination port

• Protocol

If the packet is not from the same flow, or if the time duration is beyond the mean time, a new flow is created. Mean time is the time during which packets of the same flow do not generate additional messages (although the counter is incremented).

Note: The total number of different flows that can be logged at any given time is limited to 10,000.
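The per-flow logging behaviour described above, as an added Python model that is not part of the Citrix guide. The first packet of a 5-tuple flow produces a log message; further packets of that flow only increment its counter until the mean time elapses, after which a new flow and a new message start. AclFlowLogger and Flow are my own names, the mean time value and packets are constructed, the 10,000-flow cap is the guide's figure, and what happens when the flow table is full (expired flows are reclaimed, otherwise nothing is logged) is my assumption.

```python
# Added example (not from the Citrix guide): a model of per-flow ACL log
# de-duplication. One message per flow per mean-time window; later packets of the
# same 5-tuple only bump a counter. Full-table behaviour is an assumption.
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int, int, str]   # src_ip, dst_ip, src_port, dst_port, protocol


@dataclass
class Flow:
    acl: str
    started: float          # time the flow (and its log message) was created
    count: int = 1          # packets seen in this flow, including the logged one


class AclFlowLogger:
    MAX_FLOWS = 10000       # the guide's limit on simultaneously logged flows

    def __init__(self, mean_time: float):
        self.mean_time = mean_time
        self.flows: Dict[FlowKey, Flow] = {}
        self.messages: List[str] = []

    @staticmethod
    def flow_key(pkt: dict) -> FlowKey:
        return (pkt["src_ip"], pkt["dst_ip"], pkt["src_port"], pkt["dst_port"], pkt["protocol"])

    def _expire(self, now: float) -> None:
        stale = [k for k, f in self.flows.items() if now - f.started >= self.mean_time]
        for k in stale:
            del self.flows[k]

    def observe(self, acl_name: str, pkt: dict, now: float) -> bool:
        """Record a packet that matched acl_name. Returns True if a log line was emitted."""
        key = self.flow_key(pkt)
        flow = self.flows.get(key)
        if flow is not None and now - flow.started < self.mean_time:
            flow.count += 1          # same flow inside the mean time: count only
            return False
        if flow is None and len(self.flows) >= self.MAX_FLOWS:
            self._expire(now)        # assumption: reclaim expired flows first
            if len(self.flows) >= self.MAX_FLOWS:
                return False         # assumption: table full, nothing logged
        self.flows[key] = Flow(acl_name, now)   # new flow, or the old one timed out
        self.messages.append(
            f"ACL {acl_name} matched {pkt['protocol']} {pkt['src_ip']}:{pkt['src_port']}"
            f" -> {pkt['dst_ip']}:{pkt['dst_port']}")
        return True

    def packet_count(self, pkt: dict) -> int:
        """Packets counted against the current flow for this 5-tuple (0 if none)."""
        flow = self.flows.get(self.flow_key(pkt))
        return flow.count if flow else 0


if __name__ == "__main__":
    log = AclFlowLogger(mean_time=60)   # constructed window; the guide gives no value
    pkt = {"src_ip": "10.102.29.5", "dst_ip": "192.168.1.1",
           "src_port": 500, "dst_port": 80, "protocol": "TCP"}
    for t in (0, 10, 59, 60, 61):
        print(t, log.observe("restrict", pkt, t), log.packet_count(pkt))
    print(log.messages)
```

When reading ACL logs from an appliance configured this way, remember that one message stands for a whole flow: a single line with a high counter is a sustained connection or scan, not a single packet.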

To configure ACL Logging by using the NetScaler command line

At the NetScaler command prompt, type the following commands to configure logging and verify the configuration:

• set ns acl <aclName> [-logState (ENABLED | DISABLED)] [-rateLimit <positive_integer>]

• show ns acl [<aclName>]

Example

>set ns acl restrict -logstate ENABLED -ratelimit 120
Warning: ACL modified, apply ACLs to activate change
> apply ns acls
 Done
> show ns acl restrict
 Name: restrict
 Action: DENY
 Hits: 0
 srcIP
 destIP = 192.168.1.1
 srcMac:
 Protocol: TCP
 srcPort = 45-1024
 destPort
 Vlan:
 Interface:
 Active Status: ENABLED
 Applied Status: APPLIED
 Priority: 10
 NAT: NO
 TTL:
 Log Status: ENABLED
 Log Rate limit: 120
 Done

Logging parameters of an extended ACL

aclName
The alphanumeric name of the ACL.

logState
State of the logging feature for the ACL. Possible Values: Enabled, Disabled. Default: Disabled.

rateLimit
Number of log messages that a specific ACL can generate. Default: 100.

To configure ACL Logging by using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. In the details pane, click the Extended ACLs tab, and then select the ACL for which you want to configure logging (for example, rule1).

3. Click Open.


4. In the Configure ACL dialog box, specify values for the following parameters, which correspond to parameters described in "Logging parameters of an extended ACL" as shown:

• Log State—logState

• Log Rate Limit—rateLimit

5. Click OK.

6. In the ACL modified, apply ACLs to activate change dialog box, click OK.

7. Select the modified ACL and, under Details, verify the log state.

Monitoring the Extended ACL

You can display statistics for monitoring the performance of an extended ACL.

To display the statistics of an extended ACL by using the NetScaler command line

At the NetScaler command prompt, type:

stat ns acl

Example

>stat ns acl rule1

ACL: rule1                      Rate (/s)    Total
Hits for this ACL                       0        0
 Done

The following table lists the statistics associated with extended ACLs and their descriptions.

Table 3-2. Extended ACL Statistics

Statistic          Specifies
Allow ACL hits     Packets matching ACLs with processing mode set to ALLOW. NetScaler processes these packets.
NAT ACL hits       Packets matching a NAT ACL, resulting in a NAT session.
Deny ACL hits      Packets dropped because they match ACLs with processing mode set to DENY.
Bridge ACL hits    Packets matching a bridge ACL, which in transparent mode bypasses service processing.
ACL hits           Packets matching an ACL.
ACL misses         Packets not matching any ACL.

To display the statistics of an extended ACL by using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. In the details pane, on the Extended ACLs tab, select the ACL whose statistics you want to view (for example, rule1).

3. Click Statistics.

4. View the statistics in the new window that opens.

Removing Extended ACLs

You can remove a single extended ACL or all extended ACLs.

To remove a single extended ACL by using the NetScaler command line

At the NetScaler command prompt, type:

• rm ns acl <aclName>

• show ns acl

To remove all extended ACLs by using the NetScaler command line

At the NetScaler command prompt, type:

• clear ns acls

• show ns acl

To remove a single extended ACL by using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. In the details pane, on the Extended ACLs tab, select the ACL that you want to remove (for example, rule1).


3. Click Remove.

4. In the Remove dialog box, click Yes.

To remove all extended ACLs by using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. In the details pane, on the Extended ACLs tab, click Clear.

3. In the Clear ACL (s) dialog box, click Yes.

4. In the details pane, on the Extended ACLs tab, verify that no ACLs are listed.

Configuring Simple ACL6s

A simple ACL6, which uses few parameters, cannot be modified once created. Instead, you must remove the simple ACL6 and create a new one. When creating a simple ACL6, you must specify its name, and a source IP address value against which to match packets. Optionally, you can specify a destination port and a time to live (TTL) value. A TTL is the number of seconds after which the simple ACL6 expires. ACL6s with TTLs are not saved when you save the configuration. Simple ACL6s can traverse the extension headers (if present) of all the incoming IPv6 packets to identify the layer 4 protocol and take a specified action.
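The extension-header traversal mentioned above, as an added Python example that is not part of the Citrix guide: a simple ACL6 matcher that parses a raw IPv6 packet, walks any Hop-by-Hop, Routing, Fragment or Destination Options headers to reach the layer-4 header, and then compares source address, protocol and destination port. parse_ipv6, SimpleAcl6 and build_packet are my own names; the packet bytes are constructed test data, and the source address and port reuse the guide's simple ACL6 example.

```python
# Added example (not from the Citrix guide): matching a simple ACL6 against a raw
# IPv6 packet, walking the extension-header chain to find the layer-4 protocol and
# destination port. Packet bytes are constructed here for illustration.
import struct
from ipaddress import IPv6Address

# Extension headers that carry a Next Header field and may precede layer 4
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS)
TCP, UDP = 6, 17
PROTO_NAMES = {TCP: "TCP", UDP: "UDP"}


def parse_ipv6(raw: bytes):
    """Return (src_ip, layer4_protocol_number, dst_port). dst_port is None unless
    the layer-4 header is TCP or UDP, which is all a simple ACL6 filters on."""
    if len(raw) < 40 or raw[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr = raw[6]
    src = IPv6Address(raw[8:24])
    offset = 40
    while next_hdr in EXT_HEADERS:
        if offset + 8 > len(raw):
            raise ValueError("truncated extension header")
        if next_hdr == FRAGMENT:
            ext_len = 8                          # Fragment header is fixed at 8 octets
        else:
            ext_len = (raw[offset + 1] + 1) * 8  # Hdr Ext Len: 8-octet units, first 8 excluded
        next_hdr, offset = raw[offset], offset + ext_len
    dst_port = None
    if next_hdr in PROTO_NAMES and offset + 4 <= len(raw):
        dst_port = struct.unpack("!H", raw[offset + 2:offset + 4])[0]
    return src, next_hdr, dst_port


class SimpleAcl6:
    """DENY rule keyed on source IPv6 address, optionally on protocol + destination port."""

    def __init__(self, name, src_ipv6, dst_port=None, protocol=None):
        if dst_port is not None and protocol not in ("TCP", "UDP"):
            raise ValueError("protocol (TCP or UDP) is required when destPort is set")
        self.name = name
        self.src = IPv6Address(src_ipv6)
        self.dst_port = dst_port
        self.protocol = protocol

    def matches(self, raw: bytes) -> bool:
        src, proto, dst_port = parse_ipv6(raw)
        if src != self.src:
            return False
        if self.dst_port is None:               # all-ports ACL6
            return True
        return PROTO_NAMES.get(proto) == self.protocol and dst_port == self.dst_port


def build_packet(src, dst, ext_types, l4_proto, dst_port):
    """Construct a minimal IPv6 packet (test data only) whose extension headers
    appear in the order given, followed by a TCP/UDP-style header."""
    payload = struct.pack("!HH", 40000, dst_port) + bytes(16)   # src port, dst port, padding
    next_hdr = l4_proto
    for ext in reversed(ext_types):              # build back to front so each links forward
        if ext == FRAGMENT:
            hdr = struct.pack("!BBHI", next_hdr, 0, 0, 0x1234)
        else:
            hdr = struct.pack("!BB", next_hdr, 0) + bytes(6)   # Hdr Ext Len 0: 8 octets total
        payload = hdr + payload
        next_hdr = ext
    fixed = (struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64)
             + IPv6Address(src).packed + IPv6Address(dst).packed)
    return fixed + payload


if __name__ == "__main__":
    rule1 = SimpleAcl6("rule1", "3ffe:192:168:215::82", dst_port=80, protocol="TCP")
    pkt = build_packet("3ffe:192:168:215::82", "2001:db8::1", [DEST_OPTS, FRAGMENT], TCP, 80)
    print(parse_ipv6(pkt), rule1.matches(pkt))
```

The point for a defender is that a filter which only reads the fixed header's Next Header field would see 60 (Destination Options) rather than 6 (TCP) for the packet above and miss the match; the guide states that simple ACL6s traverse the chain, and the matcher here does the same.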

Creating Simple ACL6s

To create a simple ACL6, you must specify its name and source IP address. You can also specify a destination port and time to live (TTL).

To create a simple ACL6 by using the NetScaler command line

At the NetScaler command prompt, type the following commands to create a simple ACL6 and verify the configuration:

• add ns simpleacl6 <aclname> DENY -srcIPv6 <ipv6_addr|null> [-destPort <port> -protocol ( TCP | UDP )] [-TTL <positive_integer>]

• show ns simpleacl6 [<aclname>]

Example

> add ns simpleacl6 rule1 DENY -srcIPv6 3ffe:192:168:215::82 -destPort 80 -Protocol TCP -TTL 9000
 Done
> show simpleacl6 rule1
 Name: rule1
 Action: DENY
 Hits: 5
 srcIP6= 3ffe:192:168:215::82
 Protocol: TCP
 DestPort = 80
 TTL: 8922(seconds)
 Done

Parameters for configuring a simple ACL6

acl6name (Name)
A name for the simple ACL6. The name can begin with a letter, number, or the underscore symbol, and can consist of up to 127 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols. (Cannot be changed after the simple ACL6 has been created.)

DENY
Drop the packet. This is the only action available for a simple ACL6.

srcIPv6 (Source IP Address)
The IP address that the simple ACL6 rule compares to the address in the source IP address field of every incoming IPv6 packet.

destPort (Destination Port)
A destination port on the NetScaler appliance. If you do not specify a port, you create an all-ports ACL6, which matches any port. In that case, you cannot create another simple ACL6 specifying a specific port and the same source IPv6 address.

protocol (Protocol)
Underlying protocol name that the simple ACL6 rule checks in the protocol name field of all incoming IPv6 packets. You must specify a value for this parameter if you set the destPort parameter. Possible values: TCP, UDP. Simple ACL6s can traverse the extension headers (if present) of the incoming IPv6 packets to identify the protocol name.

TTL (TTL)
Number of seconds after which the ACL6 is to expire. Possible values: 1 to 2147483647. Default: The ACL6 does not expire. (If you do not want the ACL6 to expire, do not specify a TTL value.)
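The following Python model is an added example, not NetScaler code, that replays the rule1 example above and enforces the constraints the parameter list states: DENY is the only action, -destPort requires -protocol TCP or UDP, a TTL counts down from creation until the rule expires, and an existing all-ports simple ACL6 for a source address blocks a port-specific rule for the same address. The clock values, the second source address (2001:db8::5) and the rule names rule2 and rule3 are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SimpleAcl6:
    """A simple ACL6 as 'add ns simpleacl6' creates it; the only action is DENY."""
    name: str
    src_ipv6: ipaddress.IPv6Address
    dest_port: Optional[int] = None   # None means an all-ports ACL6
    protocol: Optional[str] = None    # TCP or UDP, required together with dest_port
    ttl: Optional[int] = None         # seconds until expiry; None means the rule never expires
    created_at: float = 0.0           # clock value (seconds) when the rule was added
    hits: int = 0

    def expires_at(self) -> Optional[float]:
        return None if self.ttl is None else self.created_at + self.ttl

    def remaining_ttl(self, now: float) -> Optional[int]:
        """Seconds left, the figure 'show ns simpleacl6' prints as TTL."""
        return None if self.ttl is None else max(0, int(self.expires_at() - now))


class SimpleAcl6Table:
    """Holds simple ACL6s and checks incoming IPv6 packets against them."""

    MAX_TTL = 2147483647

    def __init__(self):
        self.rules: Dict[str, SimpleAcl6] = {}

    def add(self, name, src_ipv6, dest_port=None, protocol=None, ttl=None, now=0.0) -> SimpleAcl6:
        """Enforce the CLI constraints from the parameter list before storing the rule."""
        if dest_port is not None and protocol not in ("TCP", "UDP"):
            raise ValueError("-protocol TCP|UDP must be given with -destPort")
        if ttl is not None and not 1 <= ttl <= self.MAX_TTL:
            raise ValueError("-TTL must be between 1 and 2147483647")
        if name in self.rules:
            raise ValueError(f"simple ACL6 {name} already exists")
        addr = ipaddress.IPv6Address(src_ipv6)
        if dest_port is not None:
            # An all-ports ACL6 already covers every port for this source address,
            # so a port-specific rule for the same source is rejected.
            for other in self.rules.values():
                if other.src_ipv6 == addr and other.dest_port is None:
                    raise ValueError(f"{other.name} is an all-ports ACL6 for {addr}")
        rule = SimpleAcl6(name, addr, dest_port, protocol, ttl, created_at=now)
        self.rules[name] = rule
        return rule

    def expire(self, now: float) -> List[str]:
        """Remove rules whose TTL has elapsed; returns the names removed."""
        gone = [n for n, r in self.rules.items()
                if r.expires_at() is not None and r.expires_at() <= now]
        for n in gone:
            del self.rules[n]
        return gone

    def evaluate(self, src_ipv6, dest_port, protocol, now) -> Tuple[str, Optional[str]]:
        """('DENY', rule name) on a match, ('PASS', None) when no simple ACL6 matches."""
        self.expire(now)
        addr = ipaddress.IPv6Address(src_ipv6)
        for rule in self.rules.values():
            if rule.src_ipv6 != addr:
                continue
            if rule.dest_port is None or (rule.dest_port, rule.protocol) == (dest_port, protocol):
                rule.hits += 1
                return "DENY", rule.name
        return "PASS", None


def demo():
    """Replay the guide's rule1 (TCP/80 from one host, TTL 9000 s) on constructed traffic."""
    t = SimpleAcl6Table()
    t.add("rule1", "3ffe:192:168:215::82", dest_port=80, protocol="TCP", ttl=9000, now=0)
    blocked = t.evaluate("3ffe:192:168:215::82", 80, "TCP", now=78)      # ('DENY', 'rule1')
    other_port = t.evaluate("3ffe:192:168:215::82", 443, "TCP", now=78)  # ('PASS', None)
    remaining = t.rules["rule1"].remaining_ttl(now=78)                   # 8922, as in the show output
    t.add("rule2", "2001:db8::5", now=0)                                 # constructed all-ports ACL6
    try:
        t.add("rule3", "2001:db8::5", dest_port=22, protocol="TCP", now=0)
        conflict_rejected = False
    except ValueError:
        conflict_rejected = True
    expired = t.evaluate("3ffe:192:168:215::82", 80, "TCP", now=9000)    # ('PASS', None): TTL elapsed
    return blocked, other_port, remaining, conflict_rejected, expired
```

The model treats a simple ACL6 as a per-source-address rule with no priority, which is why the table is a dictionary rather than an ordered list; an expired rule disappears from the table exactly as the TTL parameter describes, and a packet that matches no rule is counted as a simple ACL6 miss rather than being acted on.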

To create a simple ACL6 by using the configuration utility

1. In the navigation pane, expand Network, and then click ACLs.

2. In the ACLs pane, on the Simple ACL6s tab, click Add.

3. In the Add Simple ACL6 dialog box, specify values for the following parameters:

• Name*

• Protocol

• Source IP Address

• Destination Port

• TTL

*A required parameter

4. Click Create, and then click Close.

5. On the Simple ACL6s tab, select the ACL that you created and verify that the settings displayed at the bottom of the screen are correct.

To remove a single simple ACL6 by using the NetScaler command line

At the NetScaler command prompt, type:

• rm ns simpleacl6 <aclname>

• show ns simpleacl6

To remove all simple ACL6s by using the NetScaler command line

At the NetScaler command prompt, type:

• clear ns simpleacl6

• show ns simpleacl6

To remove one or all simple ACL6s by using the configuration utility

1. In the navigation pane, expand Network, and then click ACLs.

2. In the details pane, on the Simple ACL6s tab, do one of the following:

• Select the simple ACL6 that you want to remove, and then click Remove.

• To remove all simple ACL6s, click Clear.

3. In the Proceed or Clear Simple ACL6(s) dialog box, click Yes.

4. In the details pane, on the Simple ACL6s tab, verify that the entry or entries have been removed.

Monitoring Simple ACL6s

You can display the following simple ACL6 statistics:

Table 3-3. Simple ACL6 Statistics

Statistic                  Indicates
Deny simpleACL6 hits       Packets dropped because they match a simple deny ACL6
Simple ACL6 hits           Packets matching a simple ACL6
Simple ACL6 misses         Packets not matching any simple ACL6
Simple ACL6 count          Number of simple ACL6s configured

To display simple ACL6 statistics by using the NetScaler command line

At the NetScaler command prompt, type:

stat ns simpleacl6

Example

> stat ns simpleacl6

                                Rate (/s)      Total
Deny SimpleACL6 hits                    0          0
SimpleACL6 hits                         0          0
SimpleACL6 misses                       0         11
SimpleACL6s count                      --          1
 Done

To display simple ACL6 statistics by using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. In the details pane, on the Simple ACL6s tab, select the simple ACL6 whose statistics you want to display.

3. Click Statistics.

Configuring ACL6s

ACL6s can be configured during creation. Additionally, the following actions can be performed on ACL6s: modify, apply, disable, enable, renumber the priority, and remove. Log files of ACL6s can be configured to collect statistics of packets. If a packet matches the condition defined by the ACL6, the NetScaler performs an action. If the packet does not match the condition defined by the ACL6, the NetScaler compares the packet against the ACL6 with the next-highest priority. ACL6s can traverse the extension headers (if present) of all incoming IPv6 packets to identify the layer 4 protocol and take a specified action.

Creating and Modifying ACL6s

To create an ACL6 by using the NetScaler command line

At the NetScaler command prompt, type:

• add ns acl6 <acl6name> <acl6action> [-srcIPv6 [<operator>] <srcIPv6Val>] [-srcPort [<operator>] <srcPortVal>] [-destIPv6 [<operator>] <destIPv6Val>] [-destPort [<operator>] <destPortVal>] [-TTL <positive_integer>] [-srcMac <mac_addr>] [(-protocol <protocol> [-established]) | -protocolNumber <positive_integer>] [-vlan <positive_integer>] [-interface <interface_name>] [-icmpType <positive_integer> [-icmpCode <positive_integer>]] [-priority <positive_integer>] [-state ( ENABLED | DISABLED )]

• show ns acl6 [<acl6name>]

Example

> add ns acl6 rule6 DENY -srcport 45-1024 -destIPv6 2001::45 -protocol TCP
 Done
> show ns acl6 rule6
Name: rule6
Action: DENY
srcIPv6
destIPv6 = 2001::45
srcMac:
Protocol: TCP
srcPort = 45-1024
destPort
Vlan:
Interface:
Active Status: ENABLED
Applied Status: NOTAPPLIED
Priority: 10
Hits: 0
TTL:
 Done

To modify or remove an ACL6 by using the NetScaler command line

• To modify an ACL6, type the set ns acl6 command, the name of the ACL6, and the parameters to be changed, with their new values.

• To remove an ACL6, type the rm ns acl6 command and the name of the ACL6.

Parameters for configuring an ACL6

acl6name (Name)
A name for the ACL6. The name can begin with a letter, number, or the underscore symbol, and can consist of up to 127 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols. (Cannot be changed after the ACL6 has been created.)

acl6action (Action)
The action associated with the ACL6. Possible values: BRIDGE, DENY, ALLOW.

srcIPv6 (Source, Low/High)
The IP address that the ACL6 rule checks in the source IP address field of all incoming IPv6 packets. You can also specify a range of addresses, by enclosing the low and high addresses in brackets.

operator (Operator)
The type of operation for matching the ACL6 against packets. Possible values: = (equals), != (does not equal).

destIPv6 (Destination, Low/High)
The IP address that the ACL6 rule compares to the address in the destination IP address field of every incoming IPv6 packet. You can also specify a range of addresses, by enclosing the low and high addresses in brackets, with a hyphen between the two addresses.

protocol (Protocol)
The protocol field in the IP header. Possible values: TCP, UDP, ICMPv6. ACL6s can traverse the extension headers (if present) of the incoming IPv6 packets to find the protocol name.

protocolNumber
The IP protocol number (decimal). Minimum value: 1. Maximum value: 255.

srcPort (Source Port, Low/High)
The port number that the ACL6 rule compares to the port number in the source port field of every incoming IPv6 packet. You can also specify a range of ports, by enclosing the low and high port numbers in brackets, with a hyphen between the low and high port numbers (for example [40-90]).

Note: The Source Port can be modified only for TCP and UDP.

destPort (Destination Port, Low/High)
The port number that the ACL6 rule compares to the port number in the destination port field of every incoming IPv6 packet. You can also specify a range of ports, by enclosing the low and high port numbers in brackets (for example [30-90]).

Note: The Destination Port can be modified only for TCP and UDP.

established
Use the ACL for TCP response traffic only.

TTL (TTL)
Expire the ACL6 after the specified amount of time (in seconds). Possible values: 1 to 2147483647. Default: The ACL does not expire. (If you do not want the ACL to expire, do not specify a TTL value.)

srcMac (Source MAC)
The MAC address of the source system. Only the last 32 bits are considered during a lookup.

vlan (VLAN)
The VLAN ID present in the VLAN tag of the packet. Possible values: 1 to 4094.

interface (Interface)
The network interface on which the packet arrived.

icmpType (ICMP Message Type)
The ICMPv6 message type. For example, to block DESTINATION UNREACHABLE messages, you must specify 1 as the ICMP type. For a complete list of ICMP types, see http://www.iana.org/assignments/icmp-parameters. Possible values: 0 to 255.

icmpCode (ICMP Message Code)
The ICMPv6 message code. For example, to block DESTINATION UNREACHABLE NO ROUTE TO DESTINATION messages, specify 1 as the ICMP type and 0 as the ICMPv6 code. For a complete list of ICMP types and codes, see http://www.iana.org/assignments/icmp-parameters. Possible values: 0 to 255.

priority (Priority)
The priority of the ACL6, which determines the order in which it is applied relative to other ACL6s. Possible values: 0 to 10240.

state (Enable ACL6)
The state of the ACL6. Possible values: ENABLED, DISABLED. Default: ENABLED.

To create an ACL6 by using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. In the details pane, on the ACL6s tab, do one of the following:

• To create a new ACL6, click Add.

• To modify an existing ACL6, select the ACL6, and then click Open.

3. In the Create ACL window, set the following parameters:

• Name*

• Action*

• Source, Operator

• Source, Low/High (To specify a single IP address, type the same address in both fields.)

• Destination, Operator

• Destination, Low/High (To specify a single IP address, type the same address in both fields.)

• Protocol

• Source Port, Operator

• Source Port, Low/High (To specify a single port, type the same port number in both fields.)

• Destination Port, Operator

• Destination Port, Low/High (To specify a single port, type the same port number in both fields.)

• Established

• ICMP Message Type

• ICMP Message Code

• Source Mac

• VLAN

• Interface

• Priority

• TTL

• Enable ACL6

*A required parameter

4. Click Create and click Close.

5. In the details pane, you can view the ACL you created under the ACL6s tab.

Applying ACL6s

After you create an ACL6, you must activate it. The following procedures reapply all the ACL6s.

For example, if you have created the ACL6s rule1 through rule10, and then you create an ACL6 called rule11 and apply it, all of the ACL6s (rule1 through rule11) are applied afresh.

If a session has a DENY ACL related to it, the session is destroyed.

You must apply one of the following procedures after every action you perform on an ACL6 (for example, after disabling an ACL6). However, you can add or modify more than one ACL6 and apply all of them at the same time.

Note: ACL6s created on the NetScaler do not work until they are applied.

To apply ACL6s by using the NetScaler command line

At the NetScaler command prompt, type:

apply ns acls6

To apply ACL6s by using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. Click Commit.

3. In the Apply ACL(s) dialog box that appears, click Yes.

4. Verify that the settings displayed on the ACL6s tab are correct.

Enabling and Disabling ACL6s

By default, ACL6s are enabled. Therefore, after the ACL6s are applied, the NetScaler appliance compares incoming packets against the configured ACL6s.

If an ACL6 is not required to be part of the lookup table but needs to be retained in the configuration, it must be disabled before the ACL6s are applied. After the ACL6s are applied, the NetScaler does not compare incoming packets against disabled ACL6s.

To disable or enable an ACL6 by using the NetScaler command line

At the NetScaler command prompt, type:

• enable ns acl6 <acl6name>

• show ns acl6 [<acl6name>]

• disable ns acl6 <acl6name>

• show ns acl6 [<acl6name>]

Note: ACL6s created on the NetScaler do not work until they are applied.

Example

> enable ns acl6 rule6
 Done
> show ns acl6 rule6
Name: rule6
Action: DENY
srcIPv6
destIPv6 = 2001::45
srcMac:
Protocol: TCP
srcPort = 45-1024
destPort
Vlan:
Interface:
Active Status: ENABLED
Applied Status: NOTAPPLIED
Priority: 10
Hits: 0
TTL:
 Done
> disable ns acl6 rule6
 Done
> show ns acl6 rule6
Name: rule6
Action: DENY
srcIPv6
destIPv6 = 2001::45
srcMac:
Protocol: TCP
srcPort = 45-1024
destPort
Vlan:
Interface:
Active Status: DISABLED
Applied Status: NOTAPPLIED
Priority: 10
Hits: 0
TTL:
 Done

To disable or enable an ACL6 by using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. In the details pane, on the ACL6s tab, select the ACL (for example, rule1) and do one of the following:

• To disable the extended ACL6, click Disable.

• To enable the extended ACL6, click Enable.

3. If you want to apply the new setting, which reapplies all ACLs, click Commit, and then, in the Apply ACL6(s) dialog box, click Yes.

4. In the details pane, on the Extended ACL6s tab, view the list to verify the changed status under the column Active Status.

Renumbering the Priority of ACL6s

The renumber procedure resets the priorities of the ACL6s to multiples of 10. The priority (an integer value) defines the order in which the NetScaler appliance evaluates ACL6s. All priorities are multiples of 10, unless you configure a specific priority to an integer value. When you create an ACL6 without specifying a priority, the NetScaler automatically assigns a priority that is a multiple of 10.

If a packet matches the condition defined by the ACL6, the NetScaler performs an action. If the packet does not match the condition defined by the ACL6, the NetScaler compares the packet against the ACL6 with the next-highest priority.

Consider the following example. Two ACL6s, rule1 and rule2, are automatically assigned priorities 20 and 30 when they are created. You need to add a third ACL6, rule3, to be evaluated immediately after rule1. Rule3 must have a priority between 20 and 30. In this case, you can specify the priority as 25. Later, you can easily renumber the ACL6s with priorities that are multiples of 10, without affecting the order in which the ACL6s are applied.
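The following Python model is an added example, not NetScaler code, that ties together the ACL6 parameter list, the apply, enable/disable and renumber procedures, and the rule1/rule2/rule3 priority example above: rules are matched in ascending priority order, the first match decides, = and != operators apply to address and port ranges, nothing matches until the configured rules are applied, disabled rules drop out of the applied table, and renumbering resets priorities to 10, 20, 30 without changing the order. The IPv6 addresses, ports and the rule contents are constructed; srcMac, VLAN, interface, ICMP type/code, established and TTL are left out of the model for brevity.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Acl6:
    """One extended ACL6 using the guide's parameter names; ranges are (low, high)."""
    name: str
    action: str                                  # ALLOW, DENY or BRIDGE
    src_ipv6: Optional[Tuple[str, str]] = None
    src_op: str = "="                            # "=" or "!="
    dest_ipv6: Optional[Tuple[str, str]] = None
    dest_op: str = "="
    src_port: Optional[Tuple[int, int]] = None
    src_port_op: str = "="
    dest_port: Optional[Tuple[int, int]] = None
    dest_port_op: str = "="
    protocol: Optional[str] = None               # TCP, UDP or ICMPv6
    priority: int = 10                           # lower value is evaluated first
    state: str = "ENABLED"
    hits: int = 0


@dataclass
class Packet:  # constructed summary of an incoming IPv6 packet: only the fields ACL6s examine
    src: str
    dst: str
    protocol: str
    src_port: int = 0
    dst_port: int = 0


def _test(op: str, value, rng) -> bool:
    # Range membership (address or port) combined with the = / != operator.
    if isinstance(value, str):                   # IPv6 address range
        value, rng = ipaddress.IPv6Address(value), tuple(map(ipaddress.IPv6Address, rng))
    hit = rng[0] <= value <= rng[1]
    return hit if op == "=" else not hit


def rule_matches(rule: Acl6, pkt: Packet) -> bool:
    """True when every parameter set on the rule agrees with the packet."""
    if (rule.src_port or rule.dest_port) and pkt.protocol not in ("TCP", "UDP"):
        return False                             # port checks apply only to TCP and UDP
    return all([
        not rule.src_ipv6 or _test(rule.src_op, pkt.src, rule.src_ipv6),
        not rule.dest_ipv6 or _test(rule.dest_op, pkt.dst, rule.dest_ipv6),
        not rule.protocol or rule.protocol == pkt.protocol,
        not rule.src_port or _test(rule.src_port_op, pkt.src_port, rule.src_port),
        not rule.dest_port or _test(rule.dest_port_op, pkt.dst_port, rule.dest_port),
    ])


class Acl6Table:
    """Configured ACL6s plus the applied snapshot that lookups actually use."""
    def __init__(self, rules: List[Acl6]):
        self.configured = list(rules)
        self.applied: List[Acl6] = []            # empty until apply(): nothing matches yet

    def apply(self) -> List[str]:
        """'apply ns acls6': enabled rules, lowest priority value first, become the lookup table."""
        enabled = [r for r in self.configured if r.state == "ENABLED"]
        self.applied = sorted(enabled, key=lambda r: r.priority)
        return [r.name for r in self.applied]

    def renumber(self) -> List[Tuple[str, int]]:
        """'renumber ns acls6': keep the evaluation order, reset priorities to 10, 20, 30, ..."""
        ordered = sorted(self.configured, key=lambda r: r.priority)
        for i, r in enumerate(ordered, start=1):
            r.priority = 10 * i
        return [(r.name, r.priority) for r in ordered]

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """The first applied rule that matches decides; no match counts as an ACL6 miss."""
        for r in self.applied:
            if rule_matches(r, pkt):
                r.hits += 1
                return r.action, r.name
        return "MISS", None


def demo():
    """Walk through the guide's rule1/rule2/rule3 priority example with constructed addresses."""
    t = Acl6Table([
        Acl6("rule1", "DENY", src_ipv6=("2001:db8:1::", "2001:db8:1:ffff:ffff:ffff:ffff:ffff"), priority=20),
        Acl6("rule2", "ALLOW", dest_ipv6=("2001::45", "2001::45"), protocol="TCP", dest_port=(80, 80), priority=30),
        Acl6("rule3", "ALLOW", src_ipv6=("2001:db8:1::10", "2001:db8:1::10"), src_op="!=", priority=25),
    ])
    web = Packet("2001:db8:1::10", "2001::45", "TCP", src_port=40000, dst_port=80)
    before_apply = t.evaluate(web)               # ('MISS', None): ACL6s do nothing until applied
    t.apply()
    denied = t.evaluate(web)                     # rule1 (20) is checked before rule3 (25)
    other = t.evaluate(Packet("2001:db8:2::7", "2001::45", "TCP", 40000, 80))  # rule3 beats rule2
    order = t.renumber()                         # rule1=10, rule3=20, rule2=30: same order as before
    t.configured[0].state = "DISABLED"           # 'disable ns acl6 rule1', then re-apply
    t.apply()
    after_disable = t.evaluate(web)              # rule3 excludes this source, so rule2 allows it
    return before_apply, denied, other, order, after_disable
```

Keeping the configured list separate from the applied list is what makes the "Applied Status: NOTAPPLIED" state in the show output meaningful: a rule can be present, enabled and still have no effect on traffic until apply runs, and a disabled rule stays in the configuration but is skipped when the applied table is rebuilt.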

To renumber the priorities of the ACL6s by using the NetScaler command line

At the NetScaler command prompt, type:

renumber ns acls6

Example

> renumber ns acls6
 Done

To renumber the priority of ACL6s by using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. In the details pane, on the ACL6s tab, click Renumber Priority (s) ACL(s).

3. In the Renumber Priority (s) ACL(s) dialog box, click Yes.

4. Verify the action in the details pane.

Monitoring ACL6s

You can display statistics for monitoring the performance of an ACL6.

To display the statistics for an ACL6 by using the NetScaler command line

At the NetScaler command prompt, type:

stat ns acl6 <acl6name>

Example

> stat ns acl6 rule6
ACL6: rule6
                                Rate (/s)      Total
Hits for this ACL6                      0          0
 Done

The following table lists the statistics associated with ACL6s and their descriptions.

Table 3-4. ACL6 Statistics

Statistic            Specifies
Allow ACL6 hits      Packets matching IPv6 ACLs with processing mode set to ALLOW. The NetScaler processes these packets.
NAT ACL6 hits        Packets matching a NAT ACL6, resulting in a NAT session.
Deny ACL6 hits       Packets dropped because they match IPv6 ACLs with processing mode set to DENY.
Bridge ACL6 hits     Packets matching a bridge IPv6 ACL, which in transparent mode bypasses service processing.
ACL6 hits            Packets matching an IPv6 ACL.
ACL6 misses          Packets not matching any IPv6 ACL.

To display the statistics for an ACL6 by using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. In the details pane, on the ACL6s tab, select the ACL whose statistics you want to view (for example, rule1).

3. Click Statistics.

4. View the statistics in the new window that opens.

Removing ACL6s

You can remove a single ACL6 or all ACL6s.

To remove an extended ACL6 by using the NetScaler command line

At the NetScaler command prompt, type:

• rm ns acl6 <acl6name>

• show ns acl6

To remove all extended ACL6s by using the NetScaler command line

At the NetScaler command prompt, type:

clear ns acls6

To remove an extended ACL6 by using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. In the details pane, on the ACL6s tab, select the ACL that you want to remove (for example, rule1).

3. Click Remove.

4. In the Remove dialog box, click Yes.

5. In the details pane, on the ACL6s tab, verify that the ACL6 is not listed.

To remove all extended ACLs by using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. In the details pane, on the ACL6s tab, click Clear.

3. In the Clear ACL (s) dialog box, click Yes.

4. In the details pane, on the Extended ACLs tab, verify that no ACLs are listed.

Terminating Established Connections

For a simple ACL, the NetScaler appliance blocks any new connections that match the conditions specified in the ACL. The appliance does not block any packets related to existing connections that were established before the ACL was created.

However, you can immediately terminate the established connections by running a flush operation from the command line interface or the configuration utility.

Flush can be useful in the following cases:

• You receive a list of blacklisted IP addresses and want to completely block those IP addresses from accessing the NetScaler appliance. In this case, you create simple ACLs to block any new connections from these IP addresses, and then run flush to terminate any existing connections.

• You want to terminate a large number of connections from a particular network without taking the time to terminate them one by one.

When you run flush, the appliance searches through all of its established connections and terminates those that match conditions specified in any of the simple ACLs configured on the appliance.

Note: If you plan to create more than one simple ACL and flush existing connections that match any of them, you can minimize the effect on performance by first creating all of the simple ACLs and then running flush only once.

To terminate all established IPv4 connections that match any of your configured simple ACLs by using the NetScaler command line

At the NetScaler command prompt, type:

flush simpleacl -estSessions

To terminate all established IPv4 connections that match any of your configured simple ACLs by using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. In the ACLs pane, on the Simple ACLs tab, click Flush.

To terminate all established IPv6 connections that match any of your configured simple ACL6s by using the NetScaler command line

At the NetScaler command prompt, type:

flush simpleacl6 -estSessions

To terminate all established IPv6 connections that match any of your configured simple ACL6s by using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. In the ACLs pane, on the Simple ACL6s tab, click Flush.

Chapter 4

IP Routing

Topics:

• Configuring Dynamic Routes

• Configuring Static Routes

• Configuring Policy-Based Routes

• Troubleshooting Routing Issues

NetScaler® appliances support both dynamic and static routing. Because simple routing is not the primary role of a NetScaler, the main objective of running dynamic routing protocols is to enable route health injection (RHI), so that an upstream router can choose the best among multiple routes to a topographically distributed virtual server.

Most NetScaler implementations use some static routes to reduce routing overhead. You can create backup static routes and monitor routes to enable automatic switchover in the event that a static route goes down. You can also assign weights to facilitate load balancing among static routes, create null routes to prevent routing loops, and configure IPv6 static routes. You can configure policy based routes (PBRs), for which routing decisions are based on criteria that you specify.

Configuring Dynamic Routes

When a dynamic routing protocol is enabled, the corresponding routing process monitors route updates and advertises routes. Routing protocols enable an upstream router to use the equal cost multipath (ECMP) technique to load balance traffic to identical virtual servers hosted on two standalone NetScaler appliances. Dynamic routing on a NetScaler appliance uses three routing tables. In a high-availability setup, the routing tables on the secondary appliance mirror those on the primary.

The NetScaler supports the following protocols:

• Routing Information Protocol (RIP) version 2

• Open Shortest Path First (OSPF) version 2

• Border Gateway Protocol (BGP)

• Routing Information Protocol next generation (RIPng) for IPv6

• Open Shortest Path First (OSPF) version 3 for IPv6

• ISIS Protocol

You can enable more than one protocol simultaneously.

Routing Tables in the NetScaler

In a NetScaler appliance, the NetScaler kernel routing table, the FreeBSD kernel routing table, and the NSM FIB routing table each hold a different set of routes and serve a different purpose. They communicate with each other by using UNIX routing sockets. Route updates are not automatically propagated from one routing table to another. You must configure propagation of route updates for each routing table.

NS Kernel Routing Table

The NS kernel routing table holds subnet routes corresponding to the NSIP and to each SNIP and MIP. Usually, no routes corresponding to VIPs are present in the NS kernel routing table. The exception is a VIP added by using the add ns ip command and configured with a subnet mask other than 255.255.255.255. If there are multiple IP addresses belonging to the same subnet, they are abstracted as a single subnet route. In addition, this table holds a route to the loopback network (127.0.0.0) and any static routes added through the NetScaler command-line interface (CLI). The entries in this table are used by the NetScaler in packet forwarding. From the NetScaler CLI, they can be inspected with the show route command.

FreeBSD Routing Table

The sole purpose of the FreeBSD routing table is to facilitate initiation and termination of management traffic (telnet, ssh, etc.). In a NetScaler appliance, these applications are tightly coupled to FreeBSD, and it is imperative for FreeBSD to have the necessary information to handle traffic to and from these applications. This routing table contains a route to the NSIP subnet and a default route. In addition, FreeBSD adds routes of type WasCloned(W) when the NetScaler establishes connections to hosts on local networks. Because of the highly specialized utility of the entries in this routing table, all other route updates from the NS kernel and NSM FIB routing tables bypass the FreeBSD routing table. Do not modify it with the route command. The FreeBSD routing table can be inspected by using the netstat command from any UNIX shell.

Network Services Module (NSM) FIB

The NSM FIB routing table contains the advertisable routes that are distributed by the dynamic routing protocols to their peers in the network. It may contain:

Connected routes
IP subnets that are directly reachable from the NetScaler. Typically, routes corresponding to the NSIP subnet and subnets over which routing protocols are enabled are present in NSM FIB as connected routes.

Kernel routes
All the VIP addresses on which the -hostRoute option is enabled are present in NSM FIB as kernel routes if they satisfy the required RHI Levels. In addition, NSM FIB contains any static routes configured on the NetScaler CLI that have the -advertise option enabled. Alternatively, if the NetScaler is operating in Static Route Advertisement (SRADV) mode, all static routes configured on the NetScaler CLI are present in NSM FIB. These static routes are marked as kernel routes in NSM FIB, because they actually belong to the NS kernel routing table.

Static routes
Normally, any static route configured in VTYSH is present in NSM FIB. If administrative distances of protocols are modified, this may not always be the case. An important point to note is that these routes can never get into the NS kernel routing table.

Learned routes
If the NetScaler is configured to learn routes dynamically, the NSM FIB contains routes learned by the various dynamic routing protocols. Routes learned by OSPF, however, need special processing. They are downloaded to FIB only if the fib-install option is enabled for the OSPF process. This can be done from the router-config view in VTYSH.
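The following Python model is an added example, not NetScaler code, of the rules in this section: it derives the NS kernel routing table from a set of owned addresses and CLI static routes (several addresses in one subnet collapse to one subnet route, a host VIP is omitted, a VIP with a non-/32 mask contributes its subnet), and then derives the four classes of NSM FIB routes, applying the -hostRoute plus RHI condition, the -advertise option or SRADV mode for CLI static routes, and the fib-install requirement for OSPF-learned routes. All addresses, prefixes and the RHI outcome are constructed inputs; the loopback entry is written as 127.0.0.0 as the text gives it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class NsIp:
    """An owned address as 'add ns ip' configures it; ip_type is NSIP, SNIP, MIP or VIP."""
    address: str
    netmask: str
    ip_type: str
    host_route: bool = False     # VIP only: -hostRoute enabled
    rhi_met: bool = True         # VIP only: its RHI level condition currently holds (given as input)


@dataclass
class StaticRoute:
    """A static route added on the NetScaler CLI."""
    network: str                 # e.g. "192.168.50.0/24"
    gateway: str
    advertise: bool = False      # -advertise option set


def _subnet(ip: NsIp) -> str:
    return str(ipaddress.ip_network(f"{ip.address}/{ip.netmask}", strict=False))


def ns_kernel_routes(ips: List[NsIp], statics: List[StaticRoute]) -> List[str]:
    """NS kernel table: one route per NSIP/SNIP/MIP subnet, VIP subnets only when the
    VIP mask is not 255.255.255.255, the loopback network, and CLI static routes."""
    subnets = set()
    for ip in ips:
        if ip.ip_type == "VIP" and ip.netmask == "255.255.255.255":
            continue             # host VIPs do not appear in this table
        subnets.add(ipaddress.ip_network(_subnet(ip)))
    return [str(n) for n in sorted(subnets)] + ["127.0.0.0"] + [s.network for s in statics]


def nsm_fib_routes(ips: List[NsIp], statics: List[StaticRoute], routing_subnets: List[str],
                   vtysh_statics: List[str], learned: List[Tuple[str, str]],
                   sradv_mode: bool = False, ospf_fib_install: bool = False) -> Dict[str, List[str]]:
    """NSM FIB contents by route class, following the four rules in the text."""
    nsip_subnet = _subnet(next(ip for ip in ips if ip.ip_type == "NSIP"))
    connected = [nsip_subnet] + [s for s in routing_subnets if s != nsip_subnet]
    kernel = [f"{ip.address}/32" for ip in ips
              if ip.ip_type == "VIP" and ip.host_route and ip.rhi_met]
    kernel += [s.network for s in statics if sradv_mode or s.advertise]
    static = list(vtysh_statics)   # VTYSH static routes never reach the NS kernel table
    learned_routes = [net for proto, net in learned if proto != "OSPF" or ospf_fib_install]
    return {"connected": connected, "kernel": kernel, "static": static, "learned": learned_routes}


def demo():
    """Constructed configuration that exercises each rule once."""
    ips = [
        NsIp("10.102.29.60", "255.255.255.0", "NSIP"),
        NsIp("10.102.29.61", "255.255.255.0", "SNIP"),           # same subnet as the NSIP
        NsIp("10.102.30.5", "255.255.255.0", "MIP"),
        NsIp("10.102.100.10", "255.255.255.255", "VIP", host_route=True, rhi_met=True),
        NsIp("10.102.100.11", "255.255.255.255", "VIP", host_route=True, rhi_met=False),
        NsIp("10.102.101.20", "255.255.255.0", "VIP"),           # VIP with a non-/32 mask
    ]
    statics = [StaticRoute("192.168.50.0/24", "10.102.29.1", advertise=True),
               StaticRoute("192.168.60.0/24", "10.102.29.1")]
    learned = [("OSPF", "172.16.0.0/16"), ("RIP", "172.17.0.0/16")]
    kernel_table = ns_kernel_routes(ips, statics)
    fib = nsm_fib_routes(ips, statics, ["10.102.30.0/24"], ["10.9.0.0/16"], learned)
    fib_sradv = nsm_fib_routes(ips, statics, ["10.102.30.0/24"], ["10.9.0.0/16"], learned,
                               sradv_mode=True, ospf_fib_install=True)
    return kernel_table, fib, fib_sradv
```

The useful comparison is between the two NSM FIB results: with the defaults only the VIP whose RHI condition holds and the one static route marked -advertise are advertisable, and the OSPF-learned prefix is absent; switching on SRADV mode and fib-install brings in every CLI static route and the OSPF route, which is exactly the behaviour to check before trusting what an upstream peer is receiving.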

High Availability Setup

In a high availability setup, the primary node runs the routing process and propagates routing table updates to the secondary node. The routing table of the secondary node mirrors the routing table on the primary node.

Non-Stop Forwarding

After failover, the secondary node takes some time to start the protocol, learn the routes, and update its routing table. But this does not affect routing, because the routing table on the secondary node is identical to the routing table on the primary node. This mode of operation is known as non-stop forwarding.

Black Hole Avoidance Mechanism

After failover, the new primary node injects all its VIP routes into the upstream router. However, that router retains the old primary node's routes for 180 seconds. Because the router is not aware of the failover, it attempts to load balance traffic between the two nodes. During the 180 seconds before the old routes expire, the router sends half the traffic to the old, inactive primary node, which is, in effect, a black hole.

To prevent this, the new primary node, when injecting a route, assigns it a metric that is slightly lower than the one specified by the old primary node.

Interfaces for Configuring Dynamic Routing

To configure dynamic routing, you can use either the configuration utility or a command-line interface. The NetScaler supports two independent command-line interfaces: the NetScaler CLI and the Virtual Teletype Shell (VTYSH). The NetScaler CLI is the appliance's native shell. VTYSH is exposed by ZebOS. The NetScaler routing suite is based on ZebOS, the commercial version of GNU Zebra.

Note: Citrix recommends that you use VTYSH for all commands except those that can be configured only on the NetScaler CLI. Use of the NetScaler CLI should generally be limited to commands for enabling the routing protocols, configuring host route advertisement, and adding static routes for packet forwarding.

Configuring RIP

Routing Information Protocol (RIP) is a Distance Vector protocol. The NetScaler supports RIP as defined in RFC 1058 and RFC 2453. RIP can run on any subnet.

After enabling RIP, you need to configure advertisement of RIP routes. For troubleshooting, you can limit RIP propagation. You can display RIP settings to verify the configuration.

Enabling and Disabling RIP

Use either of the following procedures to enable or disable RIP. After you enable RIP, the NetScaler appliance starts the RIP process. After you disable RIP, the appliance stops the RIP process.

To enable or disable RIP routing by using the NetScaler command line

At the NetScaler command prompt, enter one of the following commands to enable or disable RIP:

• enable ns feature RIP

• disable ns feature RIP

To enable or disable RIP routing by using the configuration utility

1. In the navigation pane, expand System, and then click Settings.

2. In the details pane, under the Modes and Features group, click Change advanced features.

3. In the Configure Advanced Features dialog box, do one of the following:

• To enable RIP routing, select the RIP Routing check box.

• To disable RIP routing, clear the RIP Routing check box.

4. Click OK.

5. In the Enable/Disable Feature(s)? dialog box, click Yes.

Advertising Routes

RIP enables an upstream router to load balance traffic between two identical virtual servers hosted on two standalone NetScaler appliances. Route advertisement enables an upstream router to track network entities located behind the NetScaler.

To configure RIP to advertise routes by using the VTYSH command line

At the NetScaler command prompt, type the following commands, in the order shown:

Command                 Specifies
VTYSH                   Display VTYSH command prompt.
configure terminal      Enter global configuration mode.
router rip              Start the RIP routing process and enter configuration mode for the routing process.
redistribute static     Redistribute static routes.
redistribute kernel     Redistribute kernel routes.

Example:

> VTYSH
NS# configure terminal
NS(config)# router rip
NS(config-router)# redistribute static
NS(config-router)# redistribute kernel

Limiting RIP Propagations

If you need to troubleshoot your configuration, you can configure listen-only mode on any given interface.

To limit RIP propagation by using the VTYSH command line

At the NetScaler command prompt, type the following commands, in the order shown:

Command                          Specifies
VTYSH                            Display VTYSH command prompt.
configure terminal               Enter global configuration mode.
router rip                       Start the RIP routing process and enter configuration mode for the routing process.
passive-interface <vlan_name>    Suppress routing updates on interfaces bound to the specified VLAN.

Example

> VTYSH
NS# configure terminal
NS(config)# router rip
NS(config-router)# passive-interface VLAN0

Verifying the RIP Configuration

You can display the routing table and other RIP settings.

To view the RIP settings by using the VTYSH command line

At the NetScaler command prompt, type the following commands in the following order:

Command                        Specifies
VTYSH                          Display VTYSH command prompt.
sh rip                         Display updated RIP routing table.
sh rip interface <vlan_name>   Display RIP information for the specified VLAN.

Example

NS# VTYSH
NS# sh rip
NS# sh rip interface VLAN0

Configuring OSPFThe NetScaler supports Open Shortest Path First (OSPF) Version 2 (RFC 2328). Thefeatures of OSPF on the NetScaler are:

w The NetScaler supports OSPF within a single area only.

w If a vserver is active, the host routes to the vserver can be injected into the routingprotocols.

w OSPF can run on any subnet.

w Route learning advertised by neighboring OSPF routers can be disabled on theNetScaler.

w The NetScaler can advertise Type-1 or Type-2 external metrics for all routes.

w The NetScaler can advertise user-specified metric settings for VIP routes. Forexample, you can configure a metric per VIP without special route maps.

w You can specify the OSPF area ID for the NetScaler.

w The NetScaler supports not-so-stubby-areas (NSSAs). An NSSA is similar to an OSPFstub area but allows injection of external routes in a limited fashion into the stubarea. To support NSSAs, a new option bit (the N bit) and a new type (Type 7) of LinkState Advertisement (LSA) area have been defined. Type 7 LSAs support externalroute information within an NSSA. An NSSA area border router (ABR) translates atype 7 LSA into a type 5 LSA that is propagated into the OSPF domain. The OSPFspecification defines only the following general classes of area configuration:

• Type 5 LSA: Originated by routers internal to the area are flooded into thedomain by AS boarder routers (ASBRs).

• Stub: Allows no type 5 LSAs to be propagated into/throughout the area andinstead depends on default routing to external destinations.

After enabling OSPF, you need to configure advertisement of OSPF routes. Fortroubleshooting, you can limit OSPF propagation. You can display OSPF settings toverify the configuration.

Enabling and Disabling OSPFTo enable or disable OSPF, you must use either the NetScaler command line or theconfiguration utility. When OSPF is enabled, the NetScaler starts the OSPF process.When OSPF is disabled, the NetScaler stops the OSPF routing process.

To enable or disable OSPF routing by using the NetScaler commandlineAt the NetScaler command prompt, type one of the following commands:

1. enable ns feature OSPF

2. disable ns feature OSPF

Citrix NetScaler Networking Guide

179

Page 180: NS Networking Guide

To enable or disable OSPF routing by using the configuration utility

1. In the navigation pane, expand System, and then click Settings.

2. In the details pane, under the Modes and Features group, click Change advanced features.

3. In the Configure Advanced Features dialog box, do one of the following:

• To enable OSPF routing, select the OSPF Routing check box.

• To disable OSPF routing, clear the OSPF Routing check box.

4. Click OK.

5. In the Enable/Disable Feature(s)? dialog box, click Yes.

Advertising OSPF Routes

OSPF enables an upstream router to load balance traffic between two identical virtual servers hosted on two standalone NetScaler appliances. Route advertising enables an upstream router to track network entities located behind the NetScaler.

To configure OSPF to advertise routes by using the VTYSH command line

At the NetScaler command prompt, type the following commands, in the order shown:

Command               Specifies
VTYSH                 Display VTYSH command prompt.
configure terminal    Enter global configuration mode.
router OSPF           Start OSPF routing process and enter configuration mode for the routing process.
redistribute static   Redistribute static routes.
redistribute kernel   Redistribute kernel routes.

Example

> VTYSH
NS# configure terminal
NS(config)# router OSPF
NS(config-router)# redistribute static
NS(config-router)# redistribute kernel


Limiting OSPF Propagations

If you need to troubleshoot your configuration, you can configure listen-only mode on any given VLAN.

To limit OSPF propagation by using the VTYSH command line

At the NetScaler command prompt, type the following commands, in the order shown:

Command                        Specifies
VTYSH                          Display VTYSH command prompt.
configure terminal             Enter global configuration mode.
router OSPF                    Start OSPF routing process and enter configuration mode for the routing process.
passive-interface <vlan_name>  Suppress routing updates on interfaces bound to the specified VLAN.

Example

> VTYSH
NS# configure terminal
NS(config)# router OSPF
NS(config-router)# passive-interface VLAN0

Verifying the OSPF Configuration

You can display current OSPF neighbors and OSPF routes.

To view the OSPF settings by using the VTYSH command line

At the NetScaler command prompt, type the following commands, in the order shown:

Command            Specifies
VTYSH              Display VTYSH command prompt.
sh OSPF neighbor   Displays current neighbors.
sh OSPF route      Displays OSPF routes.


Example

> VTYSH
NS# sh OSPF neighbor
NS# sh OSPF route

Configuring BGP

The NetScaler appliance supports BGP (RFC 4271). The features of BGP on the NetScaler are:

• The NetScaler advertises routes to BGP peers.

• The NetScaler injects host routes to virtual IP addresses (VIPs), as determined by the health of the underlying virtual servers.

• The NetScaler generates configuration files for running BGP on the secondary node after failover in an HA configuration.

• This protocol supports IPv6 route exchanges.

After enabling BGP, you need to configure advertisement of BGP routes. For troubleshooting, you can limit BGP propagation. You can display BGP settings to verify the configuration.

Prerequisites for IPv6 BGP

Before you begin configuring IPv6 BGP, do the following:

• Make sure that you understand the IPv6 BGP protocol.

• Install the IPv6PT license on the NetScaler appliance.

• After installing the IPv6PT license, enable the IPv6 feature.

Enabling and Disabling BGP

To enable or disable BGP, you must use either the NetScaler command line or the configuration utility. When BGP is enabled, the NetScaler appliance starts the BGP process. When BGP is disabled, the appliance stops the BGP process.

To enable or disable BGP routing by using the NetScaler command line

At the NetScaler command prompt, type one of the following commands:

• enable ns feature BGP

• disable ns feature BGP

To enable or disable BGP routing by using the configuration utility

1. In the navigation pane, expand System and click Settings.


2. In the details pane, under the Modes and Features group, click Change advanced features.

3. In the Configure Advanced Features dialog box, do one of the following:

• To enable BGP routing, select the BGP Routing check box.

• To disable BGP routing, clear the BGP Routing check box.

4. Click OK.

5. In the Enable/Disable Feature(s)? dialog box, click Yes.

Advertising IPv4 Routes

You can configure the NetScaler appliance to advertise host routes to VIPs and to advertise routes to downstream networks.

To configure BGP to advertise IPv4 routes by using the VTYSH command line

At the NetScaler command prompt, type the following commands, in the order shown:

Command                                        Specifies
VTYSH                                          Display VTYSH command prompt.
configure terminal                             Enter global configuration mode.
router BGP <ASnumber>                          BGP autonomous system. <ASnumber> is a required parameter. Possible values: 1 to 4,294,967,295.
Neighbor <IPv4 address> remote-as <as-number>  Update the IPv4 BGP neighbor table with the link local IPv4 address of the neighbor in the specified autonomous system.
Address-family ipv4                            Enter address family configuration mode.
Neighbor <IPv4 address> activate               Exchange prefixes for the IPv4 router family between the peer and the local node by using the link local address.
redistribute kernel                            Redistribute kernel routes.
redistribute static                            Redistribute static routes.

Example

> VTYSH
NS# configure terminal
NS(config)# router BGP 5
NS(config-router)# Neighbor 10.102.29.170 remote-as 100
NS(config-router)# Address-family ipv4
NS(config-router-af)# Neighbor 10.102.29.170 activate
NS(config-router)# redistribute kernel
NS(config-router)# redistribute static

Advertising IPv6 BGP Routes

Border Gateway Protocol (BGP) enables an upstream router to load balance traffic between two identical virtual servers hosted on two standalone NetScaler appliances. Route advertising enables an upstream router to track network entities located behind the NetScaler.

To configure BGP to advertise IPv6 routes by using the VTYSH command line

At the NetScaler command prompt, type the following commands, in the order shown:

Command                                        Specifies
VTYSH                                          Display VTYSH command prompt.
configure terminal                             Enter global configuration mode.
router BGP <ASnumber>                          BGP autonomous system. <ASnumber> is a required parameter. Possible values: 1 to 4,294,967,295.
Neighbor <IPv6 address> remote-as <as-number>  Update the IPv6 BGP neighbor table with the link local IPv6 address of the neighbor in the specified autonomous system.
Address-family ipv6                            Enter address family configuration mode.
Neighbor <IPv6 address> activate               Exchange prefixes for the IPv6 router family between the peer and the local node by using the link local address.
redistribute kernel                            Redistribute kernel routes.
redistribute static                            Redistribute static routes.

Example

> VTYSH
NS# configure terminal
NS(config)# router BGP 5
NS(config-router)# Neighbor a1bc::102 remote-as 100
NS(config-router)# Address-family ipv6
NS(config-router-af)# Neighbor a1bc::102 activate
NS(config-router)# redistribute kernel
NS(config-router)# redistribute static
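The IPv4 and IPv6 BGP stanzas above are typed into VTYSH, where an undeclared neighbor or a neighbor activated in the wrong address family is easy to miss until the session never comes up. The following added Python example (written for this guide, not Citrix code) lints a captured stanza offline: it checks the AS-number range given in the table, that every activated neighbor was first declared with remote-as, and that an IPv4 or IPv6 neighbor is activated only in the matching address family. The sample stanzas are constructed after the guide's examples; stripping a leading VTYSH prompt and treating commands case-insensitively are assumptions about how a session transcript is pasted.

```python
"""Offline lint for a VTYSH BGP stanza (added example; not Citrix code).

Assumptions: lines may carry a VTYSH prompt such as 'NS(config-router)# ',
commands are matched case-insensitively, and only the checks listed in the
lead-in are performed.
"""
import ipaddress
import re

AS_MIN, AS_MAX = 1, 4_294_967_295   # range given in the guide's table

# Constructed stanzas modelled on the guide's examples.
GOOD_IPV6_STANZA = [
    "configure terminal",
    "router BGP 5",
    "Neighbor a1bc::102 remote-as 100",
    "Address-family ipv6",
    "Neighbor a1bc::102 activate",
    "redistribute kernel",
    "redistribute static",
]

BAD_IPV4_STANZA = [
    "router BGP 5000000000",             # AS number above 4,294,967,295
    "Neighbor a1bc::102 remote-as 100",
    "Address-family ipv4",
    "Neighbor a1bc::102 activate",       # IPv6 peer activated in the IPv4 family
    "Neighbor 10.102.29.170 activate",   # never declared with remote-as
]

PROMPT_RE = re.compile(r"^\S*#\s*")      # strips 'NS(config-router-af)# '


def lint_bgp_stanza(lines):
    """Return a list of problem strings; an empty list means the stanza passed."""
    problems = []
    declared = {}       # neighbor address -> remote AS
    family = None       # 4 or 6 while inside an address-family block
    saw_router = False
    for lineno, raw in enumerate(lines, 1):
        words = PROMPT_RE.sub("", raw).strip().lower().split()
        if not words:
            continue
        if words[:2] == ["router", "bgp"]:
            saw_router = True
            try:
                asn = int(words[2])
            except (IndexError, ValueError):
                problems.append(f"line {lineno}: 'router bgp' needs a numeric AS number")
                continue
            if not AS_MIN <= asn <= AS_MAX:
                problems.append(f"line {lineno}: AS {asn} is outside {AS_MIN}..{AS_MAX}")
        elif words[0] == "address-family" and len(words) > 1:
            family = {"ipv4": 4, "ipv6": 6}.get(words[1])
            if family is None:
                problems.append(f"line {lineno}: unknown address family {words[1]!r}")
        elif words[0] == "neighbor" and len(words) >= 3:
            try:
                addr = ipaddress.ip_address(words[1])
            except ValueError:
                problems.append(f"line {lineno}: {words[1]!r} is not an IP address")
                continue
            if words[2] == "remote-as" and len(words) == 4:
                declared[addr] = words[3]
            elif words[2] == "activate":
                if addr not in declared:
                    problems.append(f"line {lineno}: {addr} activated but never declared with remote-as")
                if family is None:
                    problems.append(f"line {lineno}: 'activate' used outside an address-family block")
                elif addr.version != family:
                    problems.append(
                        f"line {lineno}: IPv{addr.version} neighbor {addr} activated in address-family ipv{family}")
    if not saw_router:
        problems.append("no 'router bgp' statement found")
    return problems


if __name__ == "__main__":
    for name, stanza in (("good ipv6", GOOD_IPV6_STANZA), ("bad ipv4", BAD_IPV4_STANZA)):
        print(name, lint_bgp_stanza(stanza) or "ok")
```

Run against the constructed IPv4 stanza, the lint reports three findings (AS number out of range, an IPv6 peer in address-family ipv4, and an undeclared neighbor); the IPv6 stanza passes cleanly.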

Verifying the BGP Configuration

You can use VTYSH to display BGP settings.

To view the BGP settings by using the VTYSH command line

At the NetScaler command prompt, type:

> VTYSH

You are now in the VTYSH command prompt. An output similar to the following appears:

NS170#

At the VTYSH command prompt, type:

NS170# sh ip BGP
NS170# sh BGP
NS170# sh ip BGP neighbors
NS170# sh ip BGP summary
NS170# sh ip BGP route-map <map-tag>

Configuring IPv6 RIP

IPv6 Routing Information Protocol (RIP) or RIPng is a Distance Vector protocol. This protocol is an extension of RIP to support IPv6. After enabling IPv6 RIP, you need to configure advertisement of IPv6 RIP routes. For troubleshooting, you can limit IPv6 RIP propagation. You can display IPv6 RIP settings to verify the configuration.

Prerequisites for IPv6 RIP

Before you begin configuring IPv6 RIP, do the following:

• Make sure that you understand the IPv6 RIP protocol.

• Install the IPv6PT license on the NetScaler appliance.

• Enable the IPv6 feature.

Enabling IPv6 RIP

You can enable or disable IPv6 RIP by using VTYSH. After you enable IPv6 RIP, the NetScaler starts the IPv6 RIP daemon. After you disable IPv6 RIP, the NetScaler stops the RIP daemon.

To enable IPv6 RIP by using the VTYSH command line

At the NetScaler command prompt, type the following commands, in the order shown:


Command                Specifies
VTYSH                  Display VTYSH command prompt.
configure terminal     Enter global configuration mode.
ns IPv6-routing        Start IPv6 dynamic routing daemon.
interface <vlan_name>  Enter VLAN configuration mode.
router ipv6 RIP        Start IPv6 RIP routing process on the VLAN.

Example

> VTYSH
NS# configure terminal
NS(config)# ns IPv6-routing
NS(config)# interface vlan0
NS(config-if)# router ipv6 RIP

Advertising IPv6 RIP Routes

IPv6 RIP enables an upstream router to load balance traffic between two identical vservers hosted on two standalone NetScaler devices. Route advertisement enables an upstream router to track network entities located behind the NetScaler.

To configure IPv6 RIP to advertise IPv6 routes by using the VTYSH command line

At the NetScaler command prompt, type the following commands, in the order shown:

Command               Specifies
VTYSH                 Display VTYSH command prompt.
configure terminal    Enter global configuration mode.
router ipv6 rip       Start IPv6 RIP routing process and enter configuration mode for the routing process.
redistribute static   Redistribute static routes.
redistribute kernel   Redistribute kernel routes.


Example

> VTYSH
NS# configure terminal
NS(config)# router ipv6 rip
NS(config-router)# redistribute static
NS(config-router)# redistribute kernel

Limiting IPv6 RIP Propagations

If you need to troubleshoot your configuration, you can configure the listen-only mode on any given interface.

To limit IPv6 RIP propagation by using the VTYSH command line

At the NetScaler command prompt, type the following commands, in the order shown:

Command                        Specifies
VTYSH                          Display VTYSH command prompt.
configure terminal             Enter global configuration mode.
router ipv6 rip                Start IPv6 RIP routing process and enter configuration mode for the routing process.
passive-interface <vlan_name>  Suppress routing updates on interfaces bound to the specified VLAN.

Example

> VTYSH
NS# configure terminal
NS(config)# router ipv6 rip
NS(config-router)# passive-interface VLAN0

Verifying the IPv6 RIP Configuration

You can use VTYSH to display the IPv6 RIP routing table and IPv6 RIP information for a specified VLAN.

To view the IPv6 RIP settings by using the VTYSH command line

At the NetScaler command prompt, type the following commands, in the order shown:


Commands                           Specifies
VTYSH                              Display VTYSH command prompt.
sh ipv6 rip                        Display updated IPv6 RIP routing table.
sh ipv6 rip interface <vlan_name>  Display IPv6 RIP information for the specified VLAN.

Example

> VTYSH
NS# sh ipv6 rip
NS# sh ipv6 rip interface VLAN0

Configuring IPv6 OSPF

IPv6 OSPF or OSPF version 3 (OSPF v3) is a link state protocol that is used to exchange IPv6 routing information. After enabling IPv6 OSPF, you need to configure advertisement of IPv6 OSPF routes. For troubleshooting, you can limit IPv6 OSPF propagation. You can display IPv6 OSPF settings to verify the configuration.

Prerequisites for IPv6 OSPF

Before you begin configuring IPv6 OSPF, do the following:

• Make sure that you understand the IPv6 OSPF protocol.

• Install the IPv6PT license on the NetScaler appliance.

• Enable the IPv6 feature.

Enabling IPv6 OSPF

To enable IPv6 OSPF, you must use the VTYSH command line. When IPv6 OSPF is enabled, the NetScaler appliance starts the IPv6 OSPF daemon. When IPv6 OSPF is disabled, the appliance stops the IPv6 OSPF daemon.

To enable IPv6 OSPF by using the VTYSH command line

At the NetScaler command prompt, type the following commands, in the order shown:

Command                           Specifies
VTYSH                             Display VTYSH command prompt.
configure terminal                Enter global configuration mode.
ns IPv6-routing                   Start IPv6 dynamic routing process.
interface <vlan_name>             Enter the VLAN configuration mode.
ipv6 router OSPF area <area-id>   Start IPv6 OSPF routing process on a VLAN.

Example

> VTYSH
NS# configure terminal
NS(config)# ns IPv6-routing
NS(config)# interface vlan0
NS(config-if)# ipv6 router OSPF area 3

Advertising IPv6 Routes

IPv6 OSPF enables an upstream router to load balance traffic between two identical vservers hosted on two standalone NetScaler devices. Route advertising enables an upstream router to track network entities located behind the NetScaler.

To configure IPv6 OSPF to advertise IPv6 routes by using the VTYSH command line

At the NetScaler command prompt, type the following commands, in the order shown:

Commands              Specifies
VTYSH                 Display VTYSH command prompt.
configure terminal    Enter global configuration mode.
router ipv6 OSPF      Start IPv6 OSPF routing process and enter configuration mode for the routing process.
redistribute static   Redistribute static routes.
redistribute kernel   Redistribute kernel routes.

Example

> VTYSH
NS# configure terminal
NS(config)# router ipv6 OSPF
NS(config-router)# redistribute static
NS(config-router)# redistribute kernel

Limiting IPv6 OSPF Propagations

If you need to troubleshoot your configuration, you can use VTYSH to configure listen-only mode on any given VLAN.

To limit IPv6 OSPF propagation by using the VTYSH command line

At the NetScaler command prompt, type the following commands, in the order shown:

Commands                       Specifies
VTYSH                          Display VTYSH command prompt.
configure terminal             Enter global configuration mode.
router ipv6 OSPF               Start IPv6 OSPF routing process and enter configuration mode for the routing process.
passive-interface <vlan_name>  Suppress routing updates on interfaces bound to the specified VLAN.

Example

> VTYSH
NS# configure terminal
NS(config)# router ipv6 OSPF
NS(config-router)# passive-interface VLAN0

Verifying the IPv6 OSPF Configuration

You can use VTYSH to display IPv6 OSPF current neighbors and IPv6 OSPF routes.

To view the IPv6 OSPF settings by using the VTYSH command line

At the NetScaler command prompt, type the following commands, in the order shown:

Command                 Specifies
VTYSH                   Display VTYSH command prompt.
sh ipv6 OSPF neighbor   Display current neighbors.
sh ipv6 OSPF route      Display IPv6 OSPF routes.


Example

> VTYSH
NS# sh ipv6 OSPF neighbor
NS# sh ipv6 OSPF route

Configuring ISIS

The NetScaler appliance supports the Intermediate System-to-Intermediate System (IS-IS or ISIS) dynamic routing protocol. This protocol supports IPv4 as well as IPv6 route exchanges. IS-IS is a link state protocol and is therefore less prone to routing loops. With the advantages of faster convergence and the ability to support larger networks, ISIS can be very useful in Internet Service Provider (ISP) networks.

Prerequisites for configuring ISIS

Before you begin configuring ISIS, do the following:

• Make sure that you understand the ISIS protocol.

• For IPv6 routes, enable:

  - IPv6 protocol translation feature.

  - IPv6 Dynamic Routing option on the VLANs on which you want to run ISIS protocol.

Enabling ISIS

Use either of the following procedures to enable the ISIS routing feature on the NetScaler appliance.

To enable ISIS routing by using the NetScaler command line

At the NetScaler command prompt, type:

enable ns feature ISIS

To enable ISIS routing by using the configuration utility

1. In the navigation pane, expand System, and then click Settings.

2. In the details pane, under Modes and Features, click Configure advanced features.

3. In the Configure Advanced Features dialog box, select the ISIS Routing check box.

4. Click OK.

Creating an ISIS Routing Process and Starting It on a VLAN

To create an ISIS routing process, you must use the VTYSH command line.

At the NetScaler command prompt, type the following commands, in the order shown:


Command                                   Description
VTYSH                                     Displays VTYSH command prompt.
configure terminal                        Enters the global configuration mode.
router isis [tag]                         Creates an ISIS routing process and enters configuration mode for the routing process.
net XX....XXXX.YYYY.YYYY.YYYY.00          Specifies a NET value for the routing process, where:
                                            - XX....XXXX is the Area Address (can be 1-13 bytes)
                                            - YYYY.YYYY.YYYY is the System ID (6 bytes)
                                            - 00 is the N-selector (1 byte)
                                          A NET value can be 8 to 20 bytes in length. The last byte is always the n-selector, and must be zero. The n-selector indicates that there is no transport entity and means that the packet is for the routing software of the appliance. The six bytes directly preceding the n-selector are the system ID. The system ID length is fixed and cannot be changed. The system ID must be unique throughout each area (Level 1) and throughout the backbone (Level 2). The bytes preceding the system ID are the area ID, which can be from 1 to 13 bytes in length. A maximum of three NETs per routing process are allowed with different area IDs, but the system ID should be the same for all NETs.
is-type (level-1|level-1-2|level-2-only)  Sets the ISIS routing process to the specified level of routing. Default: level-1-2.
ns IPv6-routing                           Starts the IPv6 dynamic routing daemon.
interface <vlan_name>                     Enters the VLAN configuration mode.
ip router isis                            Enables the ISIS routing process on the VLAN for IPv4 route exchanges.
ipv6 router isis                          Enables the ISIS routing process on the VLAN for IPv6 route exchanges.


Example

> VTYSH
NS# configure terminal
NS(config)# router isis 11
NS(config-router)# net 15.aabb.ccdd.0097.00
NS(config-router)# is-type level-1
NS(config-router)# exit
NS(config)# ns IPv6-routing
NS(config)# interface vlan0
NS(config-if)# ip router isis 11
NS(config-if)# ipv6 router isis 11
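The net row of the table above packs several rules into prose. The following added Python example (my own code, not from the guide or the appliance) splits a NET into area address, system ID and N-selector and enforces those rules before the value is typed into VTYSH: 8 to 20 bytes in total, an N-selector of 00, a six-byte system ID, one to thirteen area bytes, and at most three NETs per routing process that share one system ID but carry different area IDs. The sample NETs are the guide's 15.aabb.ccdd.0097.00 plus constructed variants.

```python
"""Parse and validate IS-IS NET values (added example; not Citrix code)."""
import re

NET_CHARS_RE = re.compile(r"[0-9A-Fa-f.]+")
MAX_NETS_PER_PROCESS = 3


def parse_net(net):
    """Split a dotted NET into (area_hex, system_id_hex, nsel_hex) or raise ValueError."""
    if not NET_CHARS_RE.fullmatch(net):
        raise ValueError(f"{net!r}: only hex digits and dots are allowed")
    hexstr = net.replace(".", "").lower()
    if len(hexstr) % 2:
        raise ValueError(f"{net!r}: odd number of hex digits")
    nbytes = len(hexstr) // 2
    if not 8 <= nbytes <= 20:           # 1..13 area bytes + 6 system ID bytes + 1 N-selector
        raise ValueError(f"{net!r}: {nbytes} bytes, a NET must be 8..20 bytes")
    nsel = hexstr[-2:]
    if nsel != "00":
        raise ValueError(f"{net!r}: N-selector is {nsel}, must be 00")
    system_id = hexstr[-14:-2]          # the six bytes before the N-selector
    area = hexstr[:-14]                 # everything in front of the system ID
    return area, system_id, nsel


def check_nets(nets):
    """Validate the NETs of one routing process; return a list of problems."""
    problems = []
    if len(nets) > MAX_NETS_PER_PROCESS:
        problems.append(f"{len(nets)} NETs configured, at most {MAX_NETS_PER_PROCESS} allowed")
    parsed = []
    for net in nets:
        try:
            parsed.append(parse_net(net))
        except ValueError as exc:
            problems.append(str(exc))
    system_ids = {sysid for _, sysid, _ in parsed}
    if len(system_ids) > 1:
        problems.append("all NETs must share one system ID, found: " + ", ".join(sorted(system_ids)))
    areas = [area for area, _, _ in parsed]
    if len(areas) != len(set(areas)):
        problems.append("each NET must carry a different area ID")
    return problems


if __name__ == "__main__":
    # The guide's NET plus constructed ones.
    print(parse_net("15.aabb.ccdd.0097.00"))
    print(check_nets(["15.aabb.ccdd.0097.00", "16.aabb.ccdd.0097.00"]) or "ok")
    print(check_nets(["15.aabb.ccdd.0097.00", "16.aabb.ccdd.0098.00"]))
```

For the guide's value the parser returns area 15, system ID aabbccdd0097 and N-selector 00; a second NET with the same system ID in a different area passes, while one whose system ID differs is rejected.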

Advertising Routes

Route advertisement enables an upstream router to track network entities located behind the NetScaler appliance.

To configure ISIS to advertise routes by using the VTYSH command line

At the NetScaler command prompt, type the following commands, in the order shown:

Command                                         Description
VTYSH                                           Displays the VTYSH command prompt.
configure terminal                              Enters the global configuration mode.
router isis [tag]                               Starts the ISIS routing instance and enters configuration mode for the routing process.
redistribute connected (level-1|level-1-2|level-2)  Redistributes connected routes, where:
                                                  - level-1: Redistribute connected routes into Level-1.
                                                  - level-1-2: Redistribute connected routes into Level-1 and Level-2.
                                                  - level-2: Redistribute connected routes into Level-2.
redistribute kernel (level-1|level-1-2|level-2)     Redistributes kernel routes, where:
                                                  - level-1: Redistribute kernel routes into Level-1.
                                                  - level-1-2: Redistribute kernel routes into Level-1 and Level-2.
                                                  - level-2: Redistribute kernel routes into Level-2.


Example

> VTYSH
NS# configure terminal
NS(config)# router isis 11
NS(config-router)# redistribute connected level-1
NS(config-router)# redistribute kernel level-1

Limiting ISIS Propagations

If you need to troubleshoot your configuration, you can configure the listen-only mode on any given VLAN.

To limit ISIS propagation by using the VTYSH command line

At the NetScaler command prompt, type the following commands, in the order shown:

Command                        Description
VTYSH                          Displays the VTYSH command prompt.
configure terminal             Enters the global configuration mode.
router isis [tag]              Enters the configuration mode for the routing process.
passive-interface <vlan_name>  Suppresses routing updates on interfaces bound to the specified VLAN.

Example

> VTYSH
NS# configure terminal
NS(config)# router isis 11
NS(config-router)# passive-interface VLAN0

Verifying the ISIS Configuration

You can use VTYSH to display the ISIS routing table and ISIS information for a specified VLAN.

To view the ISIS settings by using the VTYSH command line

At the NetScaler command prompt, type the following commands, in the order shown:

Commands                         Description
VTYSH                            Displays the VTYSH command prompt.
show ip isis route               Displays updated IPv4 ISIS routing table.
show ipv6 isis route             Displays updated IPv6 ISIS routing table.
sh isis interface <vlan_name>    Displays IPv6 ISIS information for the specified VLAN.

Example

> VTYSH
NS# show ip isis route
NS# show ipv6 isis route
NS# sh isis interface VLAN0

Installing Routes to the NetScaler Routing Table

The NetScaler appliance can use routes learned by various routing protocols after you install the routes in the appliance's routing table.

To install various routes to the internal routing table by using the VTYSH command line

At the NetScaler command prompt, type the following commands as appropriate for the routes that you want to install:

Commands                       Specifies
VTYSH                          Display VTYSH command prompt.
configure terminal             Enter global configuration mode.
ns route-install Default       Install IPv4 default routes to the internal routing table.
ns route-install RIP           Install IPv4 RIP specific routes to the internal routing table.
ns route-install BGP           Install IPv4 BGP specific routes to the internal routing table.
ns route-install OSPF          Install IPv4 OSPF specific routes to the internal routing table.
ns route-install IPv6 Default  Install IPv6 default routes to the internal routing table.
ns route-install IPv6 RIP      Install IPv6 RIP specific routes to the internal routing table.
ns route-install IPv6 BGP      Install IPv6 BGP specific routes to the internal routing table.
ns route-install IPv6 OSPF     Install IPv6 OSPF specific routes to the internal routing table.

Example

> VTYSH
NS# configure terminal
NS(config)# ns route-install Default
NS(config)# ns route-install RIP
NS(config)# ns route-install BGP
NS(config)# ns route-install OSPF
NS(config)# ns route-install IPv6 Default
NS(config)# ns route-install IPv6 RIP
NS(config)# ns route-install IPv6 BGP
NS(config)# ns route-install IPv6 OSPF

Configuring Static Routes

Static routes are manually created to improve the performance of your network. You can monitor static routes to avoid service disruptions. Also, you can assign weights to ECMP routes, and you can create null routes to prevent routing loops.

Monitored Static Routes

If a manually created (static) route goes down, a backup route is not automatically activated. You must manually delete the inactive primary static route. However, if you configure the static route as a monitored route, the NetScaler appliance can automatically activate a backup route.

Static route monitoring can also be based on the accessibility of the subnet. A subnet is usually connected to a single interface, but it can be logically accessed through other interfaces. Subnets bound to a VLAN are accessible only if the VLAN is up. VLANs are logical interfaces through which packets are transmitted and received by the NetScaler. A static route is marked as DOWN if the next hop resides on a subnet that is unreachable.

Note: In a high availability (HA) setup, the default value for monitored static routes (MSRs) on the secondary node is UP. The value is set to avoid a state transition gap upon failover, which could result in dropping packets on those routes.

Consider the following simple topology, in which a NetScaler is load balancing traffic to a site across multiple servers.


Router R1 moves traffic between the client and the NetScaler appliance. The appliance can reach servers S1 and S2 through routers R2 or R3. It has two static routes through which to reach the servers' subnet, one with R2 as the gateway and another with R3 as the gateway. Both these routes have monitoring enabled. The administrative distance of the static route with gateway R2 is lower than that of the static route with gateway R3. Therefore, R2 is preferred over R3 to forward traffic to the servers. Also, the default route on the NetScaler points to R1 so that all Internet traffic exits properly.

If R2 fails while monitoring is enabled on the static route that uses R2 as the gateway, the NetScaler marks it as DOWN. The NetScaler now uses the static route with R3 as the gateway and forwards the traffic to the servers through R3.

The NetScaler supports monitoring of IPv4 and IPv6 static routes. You can configure the NetScaler to monitor an IPv4 static route either by creating a new ARP or PING monitor or by using existing ARP or PING monitors. You can configure the NetScaler to monitor an IPv6 static route either by creating a new Neighbor Discovery for IPv6 (ND6) or PING monitor or by using the existing ND6 or PING monitors.


Weighted Static Routes

When the NetScaler appliance makes routing decisions involving routes with equal distance and cost, that is, Equal Cost Multi-Path (ECMP) routes, it balances the load between them by using a hashing mechanism based on the source and destination IP addresses. For an ECMP route, however, you can configure a weight value. The NetScaler then uses both the weight and the hashed value for balancing the load.

Null Routes

If the route chosen in a routing decision is inactive, the NetScaler appliance chooses a backup route. If all the backup routes become inaccessible, the appliance might reroute the packet to the sender, which could result in a routing loop leading to network congestion. To prevent this situation, you can create a null route, which adds a null interface as a gateway. The null route is never the preferred route, because it has a higher administrative distance than the other static routes. But it is selected if the other static routes become inaccessible. In that case, the appliance drops the packet and prevents a routing loop.
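To make the interaction of administrative distance, monitored state, weighted ECMP and the null route concrete, here is an added Python model (not Citrix code; the gateway names R2 and R3, the client and server addresses, and the SHA-256 flow hash are assumptions) of the selection the three sections above describe: only routes in state UP are usable, the lowest (distance, cost) pair wins, ties are split by a flow hash weighted per route, and the null route with its fixed distance of 255 is what remains when every monitored gateway has failed, so the packet is dropped rather than sent back.

```python
"""Model of the static-route selection described above (added example; not Citrix code).

Assumptions: gateway names R2/R3 stand in for the routers in the figure, the
flow hash is SHA-256 over the source and destination addresses, and the null
route is represented by the gateway string "null" with distance 255.
"""
import hashlib
from dataclasses import dataclass

NULL_DISTANCE = 255   # null routes have a fixed distance of 255


@dataclass
class StaticRoute:
    gateway: str             # "null" models a null route
    distance: int = 1
    cost: int = 0
    weight: int = 1
    msr: bool = False        # monitored static route
    monitor_up: bool = True  # last probe result; only consulted when msr is True

    @property
    def state(self):
        """A null or unmonitored route is always UP; a monitored route is DOWN when its probe fails."""
        if self.gateway == "null" or not self.msr:
            return "UP"
        return "UP" if self.monitor_up else "DOWN"


def flow_hash(src, dst):
    """Stable hash over source and destination address (stand-in for the appliance's hash)."""
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    return int.from_bytes(digest[:4], "big")


def select_next_hop(routes, src, dst):
    """Gateway chosen for a packet: None if no usable route, "null" if the packet is dropped."""
    usable = [r for r in routes if r.state == "UP"]
    if not usable:
        return None
    best = min((r.distance, r.cost) for r in usable)
    ecmp = [r for r in usable if (r.distance, r.cost) == best]
    if len(ecmp) == 1:
        return ecmp[0].gateway
    # Weighted ECMP: the flow hash lands in a slot proportional to each route's weight.
    slot = flow_hash(src, dst) % sum(r.weight for r in ecmp)
    for r in ecmp:
        if slot < r.weight:
            return r.gateway
        slot -= r.weight


def routes_to_servers(r2_up=True, r3_up=True):
    """The topology from the text: R2 preferred, R3 as backup, null route as last resort."""
    return [
        StaticRoute("R2", distance=1, msr=True, monitor_up=r2_up),
        StaticRoute("R3", distance=5, msr=True, monitor_up=r3_up),
        StaticRoute("null", distance=NULL_DISTANCE),
    ]


def ecmp_share(routes, n_flows=2000):
    """Fraction of constructed client flows that each gateway receives."""
    counts = {}
    for i in range(n_flows):
        gw = select_next_hop(routes, f"10.0.{i // 256}.{i % 256}", "192.0.2.10")
        counts[gw] = counts.get(gw, 0) + 1
    return {gw: n / n_flows for gw, n in counts.items()}


if __name__ == "__main__":
    print("all up      ->", select_next_hop(routes_to_servers(), "10.1.1.1", "192.0.2.10"))
    print("R2 failed   ->", select_next_hop(routes_to_servers(r2_up=False), "10.1.1.1", "192.0.2.10"))
    print("both failed ->", select_next_hop(routes_to_servers(False, False), "10.1.1.1", "192.0.2.10"))
    print("weighted ECMP 1:3 ->", ecmp_share([StaticRoute("R2", weight=1), StaticRoute("R3", weight=3)]))
```

With both monitors healthy the model forwards through R2; with R2's probe failing it falls back to R3; with both failing it lands on the null route. For two equal-cost routes weighted 1 and 3, the hashed flows split roughly one to three while every individual flow keeps the same gateway.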

Configuring IPv4 Static Routes

You can add a simple static route or a null route by setting a few parameters, or you can set additional parameters to configure a monitored or monitored and weighted static route. You can change the parameters of a static route. For example, you might want to assign a weight to an unweighted route, or you might want to disable monitoring on a monitored route.

To create a static route by using the NetScaler command line

At the NetScaler command prompt, type the following commands to create a static route and verify the configuration:

• add route <network> <netmask> <gateway> [-cost <positive_integer>] [-advertise ( DISABLED | ENABLED )]

• show route [<network> <netmask> [<gateway>]] [<routeType>] [-detail]

Example

> add route 10.102.29.0 255.255.255.0 10.102.29.2 -cost 2 -advertise ENABLED
 Done
> show route 10.102.29.0 255.255.255.0 10.102.29.2
 Network         Netmask          Gateway/OwnedIP  State  Type
 -------         -------          ---------------  -----  ----
1) 10.102.29.0   255.255.255.0    10.102.29.2      UP     STATIC
   Distance: 1 Cost: 2 Weight: 1
 Done

To create a monitored static route by using the NetScaler command line

At the NetScaler command prompt, type the following commands to create a monitored static route and verify the configuration:

• add route <network> <netmask> <gateway> [-distance <positive_integer>] [-weight <positive_integer>] [-msr ( ENABLED | DISABLED ) [-monitor <string>]]

• show route [<network> <netmask> [<gateway>]] [<routeType>] [-detail]

Example

> add route 10.102.29.0 255.255.255.0 10.102.29.3 -distance 5 -weight 6 -msr ENABLED -monitor PING
 Done
> show route 10.102.29.0 255.255.255.0 10.102.29.3
 Network         Netmask          Gateway/OwnedIP  State  Type
 -------         -------          ---------------  -----  ----
1) 10.102.29.0   255.255.255.0    10.102.29.3      UP     STATIC
   Distance: 5 Cost: 0 Weight: 6
   MSR: ENABLED Monitor: ping Probes: 3 Failed: [Total: 3 Current: 3]
   Last response: Failure - Probe timed out.
 Done

To create a null route by using the NetScaler command line

At the NetScaler command prompt, type:

• add route <network> <netmask> null

• show route <network> <netmask>

Example

> add route 10.102.29.0 255.255.255.0 null
 Done
> show route 10.102.29.0 255.255.255.0
 Network         Netmask          Gateway/OwnedIP  State  Type
 -------         -------          ---------------  -----  ----
1) 10.102.29.0   255.255.255.0    10.102.29.200    UP     DIRECT
2) 10.102.29.0   255.255.255.0    null             UP     STATIC
3) 10.102.29.0   255.255.255.0    10.102.29.1      UP     STATIC|ADV
4) 10.102.29.0   255.255.255.0    10.102.29.2      UP     STATIC
5) 10.102.29.0   255.255.255.0    10.102.29.3      DOWN   STATIC
 Done
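Operators often paste show route output into a ticket or feed it to a monitoring job, and a route that has gone DOWN or whose monitor keeps timing out is exactly what a defender wants surfaced. The following added Python example (not part of the guide or the NetScaler code base) parses the textual layout shown in the three examples above, including the Distance/Cost/Weight line and the MSR/Monitor/Probes/Last response lines of a monitored route, and flags entries that are DOWN or whose monitor is currently failing. The sample output is constructed to match the guide's layout, using the addresses from its examples.

```python
"""Parser for the textual 'show route' output (added example; not Citrix code).

Assumes the column layout shown in the guide: a numbered entry line
'N) network netmask gateway state type', optionally followed by a
'Distance: .. Cost: .. Weight: ..' line and, for monitored routes, an
'MSR: .. Monitor: .. Probes: .. Failed: [Total: .. Current: ..]' line plus
a 'Last response: ..' line.
"""
import re

# Constructed sample in the guide's layout; addresses are those of its examples.
SAMPLE_SHOW_ROUTE = """\
 Network         Netmask          Gateway/OwnedIP  State  Type
 -------         -------          ---------------  -----  ----
1) 10.102.29.0   255.255.255.0    10.102.29.200    UP     DIRECT
2) 10.102.29.0   255.255.255.0    null             UP     STATIC
   Distance: 255 Cost: 0 Weight: 1
3) 10.102.29.0   255.255.255.0    10.102.29.1      UP     STATIC|ADV
   Distance: 1 Cost: 0 Weight: 1
4) 10.102.29.0   255.255.255.0    10.102.29.2      UP     STATIC
   Distance: 1 Cost: 2 Weight: 1
5) 10.102.29.0   255.255.255.0    10.102.29.3      DOWN   STATIC
   Distance: 5 Cost: 0 Weight: 6
   MSR: ENABLED Monitor: ping Probes: 3 Failed: [Total: 3 Current: 3]
   Last response: Failure - Probe timed out.
 Done
"""

ENTRY_RE = re.compile(r"^\s*\d+\)\s+(\S+)\s+(\S+)\s+(\S+)\s+(UP|DOWN)\s+(\S+)")
KV_RE = re.compile(r"\b(Distance|Cost|Weight|MSR|Monitor|Probes):\s*(\S+)")
FAILED_RE = re.compile(r"Failed:\s*\[Total:\s*(\d+)\s+Current:\s*(\d+)\]")
LAST_RE = re.compile(r"Last response:\s*(.+?)\s*$")


def parse_show_route(text):
    """Return one dict per route entry with the fields found in the output."""
    routes, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"network": m[1], "netmask": m[2], "gateway": m[3],
                       "state": m[4], "type": m[5]}
            routes.append(current)
            line = line[m.end():]          # attributes may trail on the same line
        if current is None:
            continue                       # header lines before the first entry
        for key, val in KV_RE.findall(line):
            current[key.lower()] = int(val) if val.isdigit() else val
        f = FAILED_RE.search(line)
        if f:
            current["failed_total"], current["failed_current"] = int(f[1]), int(f[2])
        r = LAST_RE.search(line)
        if r:
            current["last_response"] = r[1]
    return routes


def unhealthy_routes(routes):
    """(gateway, reason) pairs for routes that are DOWN or whose monitor is currently failing."""
    findings = []
    for r in routes:
        if r["state"] == "DOWN":
            findings.append((r["gateway"], "state DOWN"))
        elif r.get("msr") == "ENABLED" and r.get("failed_current", 0) > 0:
            findings.append((r["gateway"],
                             f"monitor {r.get('monitor')} failing: {r.get('last_response', '')}"))
    return findings


if __name__ == "__main__":
    parsed = parse_show_route(SAMPLE_SHOW_ROUTE)
    for route in parsed:
        print(route)
    print("needs attention:", unhealthy_routes(parsed))
```

On the constructed sample the parser yields five entries, carries the distance 255 of the null route and the weight 6 of the monitored route through, and reports only the DOWN route via 10.102.29.3.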

To remove a static route by using the NetScaler command line

At the NetScaler command prompt, type:

rm route <network> <netmask> <gateway>

Example

> rm route 10.102.29.0 255.255.255.0 10.102.29.3
 Done

Parameters for configuring static routes

network
    Network for which the route is being created.

netmask
    Subnet mask for the network.

null
    Drop the packets this route receives. Possible values: Yes, No. Default: No. Null routes have a fixed distance of 255.

gateway
    IP address of the gateway for this route.

distance
    Administrative distance of this route. Possible values: 1 through 255. Default: 1.

cost
    Value used by the routing algorithms to compare performance. The route with the lowest cost is the most preferred route. Possible values: 0 through 65535.


weight
    Value to facilitate balancing the load on ECMP routes. This value is compared with the hashed value of the packet and a route is chosen. Specific to ECMP routes. Possible values: 1 through 65535. Default: 1.

advertise
    State of advertisement of this route. Possible values: Enabled or Disabled. Default: Enabled.

protocol
    Routing protocols used for advertising routes. Possible values: OSPF, RIP, BGP.

msr
    Monitor this route. Possible values: Enabled, Disabled. Default: Disabled.

monitor
    Type of monitor. Determines the protocol used for monitoring the route (for example, PING or ARP).

To configure a static route by using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and then click Routes.

2. In the details pane, on the Basic tab, do one of the following:

• To create a new static route, click Add.

• To modify an existing static route, click Open.

3. In the Create Route or Configure Route dialog box, specify values for the following parameters, which correspond to parameters described in "Parameters for configuring static routes" as shown:

• Network* - network

• Netmask* - netmask

• Null Route - null

• Gateway* - gateway

• Distance - distance

• Cost - cost

• Weight - weight

• Over-ride Global - advertise

• Protocol - protocol

• Monitored Static Route - msr

• Monitor - monitor

* A required parameter

4. Click Create or OK, and then click Close. A message appears in the status bar, stating that the route has been configured successfully.


To remove a route by using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and then click Routes.

2. On the Routes pane, click the Basic tab, select the route you want to remove (for example, 192.168.20.2), and then click Remove.

3. In the Remove dialog box, click Yes. A message appears in the status bar, stating that the route has been successfully removed.

Configuring IPv6 Static Routes

You can configure a maximum of six default IPv6 static routes. IPv6 routes are selected on the basis of whether the MAC address of the destination device is reachable. This can be determined by using the IPv6 Neighbor Discovery feature. Routes are load balanced and only source/destination-based hash mechanisms are used. Therefore, route selection mechanisms such as round robin are not supported. The next hop address in the default route need not belong to the NSIP subnet.

To create an IPv6 route by using the NetScaler command line

At the NetScaler command prompt, type the following commands to create an IPv6 route and verify the configuration:

w add route6 <network> <gateway> [-vlan <positive_integer>]

w show route6 [<network> [<gateway>]]

Example

> add route6 ::/0 FE80::67 -vlan 5
 Done
> show route6
Flags: S - Static, C - Connected, R - RA Route, A - Active, O - OSPFV3, P - Permanent

Network    Gateway                     Vlan  Flags
-------    -------                     ----  -----
::1/128    ::1                         1     PA
::/0       fe80::67                    5     SA
fe80::/64  fe80::2d0:68ff:fe15:fd36    1     CA
 Done


To create a monitored IPv6 static route by using the NetScaler command line

At the NetScaler command prompt, type the following commands to create a monitored IPv6 static route and verify the configuration:

w add route6 <network> <gateway> [-msr ( ENABLED | DISABLED ) [-monitor <string>]]

w show route6 [<network> [<gateway>]]

Example

> add route6 ::/0 2004::1 -msr ENABLED -monitor PING
 Done
> show route6
Flags: S - Static, C - Connected, R - RA Route, A - Active, O - OSPFV3, n - RIPng, B - BGP, P - Permanent

Network    Gateway                    Vlan  Flags
-------    -------                    ----  -----
::1/128    ::1                        1     PA
fe80::/64  fe80::2d0:68ff:fe17:33c    1     CA
::/0       2004::1                    0     S
 Done
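Note that in the output above the monitored default route carries only the S flag, not SA: a static route with MSR enabled is not used until its monitor succeeds. The following added example (not code from the Citrix guide) parses a `show route6` transcript and reports static routes that are not Active, which is the check to run after adding a monitored route; the transcript it parses is constructed from the guide's example output.

```python
"""Parse NetScaler `show route6` output and flag static routes that are not Active.

Added example, not code from the Citrix guide. The sample transcript is constructed
from the guide's monitored-route example; the flag letters follow the legend the
command prints.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Legend printed by `show route6` on its Flags: line.
FLAG_LEGEND = {
    "S": "Static", "C": "Connected", "R": "RA Route", "A": "Active",
    "O": "OSPFV3", "n": "RIPng", "B": "BGP", "P": "Permanent",
}

# One table row: network, gateway, VLAN id, flag letters.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+([A-Za-z]+)$")


@dataclass
class Route6:
    network: str
    gateway: str
    vlan: int
    flags: str

    def is_static(self) -> bool:
        return "S" in self.flags

    def is_active(self) -> bool:
        return "A" in self.flags

    def describe(self) -> str:
        return ", ".join(FLAG_LEGEND.get(f, f) for f in self.flags)


def parse_show_route6(text: str) -> list[Route6]:
    """Return the routes listed in a `show route6` transcript, skipping the
    prompt echo, the Flags legend, the column header and the Done marker."""
    routes: list[Route6] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((">", "Flags:", "Network", "---", "Done")):
            continue
        m = ROW_RE.match(line)
        if m is None:
            continue  # tolerate unexpected lines rather than abort
        network, gateway, vlan, flags = m.groups()
        routes.append(Route6(network, gateway, int(vlan), flags))
    return routes


def inactive_static_routes(routes: list[Route6]) -> list[Route6]:
    """Static routes without the A flag. With -msr ENABLED a static route is
    installed but not used until its PING/ND6 monitor succeeds, so a default
    route in this state means traffic is falling through to other routes."""
    return [r for r in routes if r.is_static() and not r.is_active()]


# Constructed transcript, modelled on the guide's example output.
SAMPLE = """\
> show route6
Flags: S - Static, C - Connected, R - RA Route, A - Active, O - OSPFV3, n - RIPng, B - BGP, P - Permanent
Network    Gateway                    Vlan  Flags
-------    -------                    ----  -----
::1/128    ::1                        1     PA
fe80::/64  fe80::2d0:68ff:fe17:33c    1     CA
::/0       2004::1                    0     S
 Done
"""

if __name__ == "__main__":
    for r in inactive_static_routes(parse_show_route6(SAMPLE)):
        print(f"{r.network} via {r.gateway} (vlan {r.vlan}): {r.describe()} - not active")
```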

To remove an IPv6 route by using the NetScaler command line

At the NetScaler command prompt, type:

rm route6 <network> <gateway>

Example

> rm route6 ::/0 FE80::67
 Done

Parameters for configuring IPv6 static routes

network

Network for which the route is being created.


gateway
IP address of the gateway for this route.

vlan
Virtual LAN (VLAN) number associated with the route. Possible values: 1 through 4094. Default: 0. Required for link-local address type.

distance
Administrative distance of this route. Possible values: 1 through 255. Default: 1.

cost
Value used by the routing algorithms to compare performance. The route having the lowest cost is the most preferred route. Possible values: 0 through 65535.

weight
Value for balancing the load on ECMP routes. This value is compared with the hashed value of the packet and a route is chosen. Specific to ECMP routes. Possible values: 1 through 65535. Default: 1.

advertise
Advertise this route. Possible values: Enabled, Disabled. Default: Enabled.

msr
Monitor this route. Possible values: Enabled, Disabled. Default: Disabled.

monitor
An ND6 or a PING monitor that will be used for monitoring the IPv6 static route.

To configure an IPv6 route by using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and then click Routes.

2. In the details pane, on the IPv6 tab, do one of the following:

• To create a new route, click Add.

• To modify an existing route, click Open.

3. In the Create IPv6 Route or Configure IPv6 Route dialog box, specify values for the following parameters, which correspond to parameters described in “Parameters for configuring IPv6 static routes” as shown:

• Network*-network

• Gateway*-gateway

• VLAN-vlan

• Distance-distance

• Cost-cost

• Weight-weight

• Advertise-advertise

• Monitored Static Route-msr


• Monitor-monitor

* A required parameter

4. Click Create or OK, and then click Close. A message appears in the status bar, stating that the IPv6 route has been configured successfully.

To remove an IPv6 route by using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and then click Routes.

2. On the Routes pane, click the IPV6 tab.

3. Select the network from which you want to remove the route (for example, ::/0), and then click Remove.

4. In the Remove dialog box, click Yes. A message appears in the status bar, stating that the IPv6 route has been successfully removed.

Configuring Policy-Based Routes

Policy-based routing bases routing decisions on criteria that you specify. A policy-based route (PBR) specifies criteria for selecting packets and, typically, a next hop to which to send the selected packets. For example, you can configure the NetScaler appliance to route outgoing packets from a specific IP address or range to a particular next hop router. Each packet is matched against each configured PBR, in the order determined by the specified priorities, until a match is found. If no match is found, or if the matching PBR specifies a DENY action, the NetScaler applies the routing table for normal destination-based routing.

A PBR bases routing decisions for the data packets on parameters such as source IP address, source port, destination IP address, destination port, protocol, and source MAC address. A PBR defines the conditions that a packet must satisfy for the NetScaler to route the packet. These actions are known as "processing modes." The processing modes are:

w ALLOW - The NetScaler sends the packet to the designated next-hop router.

w DENY - The NetScaler applies the routing table for normal destination-based routing.

The NetScaler processes PBRs before processing the RNAT rules.

You can create PBRs for outgoing IPv4 and IPv6 traffic.

Many users begin by creating PBRs and then modifying them. To activate a new PBR, you must apply it. To deactivate a PBR, you can either remove or disable it. You can change the priority number of a PBR to give it a higher or lower precedence.

Configuring a Policy-Based Route (PBR) for IPv4 Traffic

Configuring PBRs involves the following tasks:


w Create a PBR.

w Apply PBRs.

w (Optional) Disable or enable a PBR.

w (Optional) Renumber the priority of the PBR.

Creating or Modifying a PBR

You cannot create two PBRs with the same parameters. If you attempt to create a duplicate, an error message appears.

You can configure the priority of a PBR. The priority (an integer value) defines the order in which the NetScaler appliance evaluates PBRs. When you create a PBR without specifying a priority, the NetScaler automatically assigns a priority that is a multiple of 10.

If a packet matches the condition defined by the PBR, the NetScaler performs an action. If the packet does not match the condition defined by the PBR, the NetScaler compares the packet against the PBR with the next highest priority.

Instead of sending the selected packets to a next hop router, you can configure the PBR to send them to a link load balancing virtual server to which you have bound multiple next hops. This configuration can provide a backup if a next hop link fails.

Consider the following example. Two PBRs, p1 and p2, are configured on the NetScaler and automatically assigned priorities 20 and 30. You need to add a third PBR, p3, to be evaluated immediately after the first PBR, p1. The new PBR, p3, must have a priority between 20 and 30. In this case, you can specify the priority as 25.

To create a PBR by using the NetScaler command line

At the NetScaler command prompt, type:

w add ns pbr <name> <action> [-srcIP [<operator>] <srcIPVal>] [-srcPort [<operator>] <srcPortVal>] [-destIP [<operator>] <destIPVal>] [-destPort [<operator>] <destPortVal>] [-nextHop <nextHopVal>] [-srcMac <mac_addr>] [-protocol <protocol> | -protocolNumber <positive_integer>] [-vlan <positive_integer>] [-interface <interface_name>] [-priority <positive_integer>] [-msr ( ENABLED | DISABLED ) [-monitor <string>]] [-state ( ENABLED | DISABLED )]

w sh ns pbr

Example

> add ns pbr pbr1 allow -srcip 10.102.37.252 -destip 10.10.10.2 -nexthop 10.102.29.77
 Done
> sh ns pbr pbr1
1)  Name: pbr1
    Action: ALLOW    Hits: 0
    srcIP = 10.102.37.252
    destIP = 10.10.10.2
    srcMac:    Protocol:    Vlan:    Interface:
    Active Status: ENABLED    Applied Status: NOTAPPLIED
    Priority: 10    NextHop: 10.102.29.77
 Done

To modify the priority of a PBR by using the NetScaler command line

At the NetScaler command prompt, type the following commands to modify the priority and verify the configuration:

w set ns pbr <name> [-action ( ALLOW | DENY )] [-srcIP [<operator>] <srcIPVal>] [-srcPort [<operator>] <srcPortVal>] [-destIP [<operator>] <destIPVal>] [-destPort [<operator>] <destPortVal>] [-nextHop <nextHopVal>] [-srcMac <mac_addr>] [-protocol <protocol> | -protocolNumber <positive_integer>] [-vlan <positive_integer>] [-interface <interface_name>] [-priority <positive_integer>] [-msr ( ENABLED | DISABLED ) [-monitor <string>]] [-state ( ENABLED | DISABLED )]

w show ns pbr [<name>]

Example

> set ns pbr pbr1 -priority 23
 Done
> show ns pbr pbr1
1)  Name: pbr1
    Action: ALLOW    Hits: 0
    srcIP = 10.102.37.252
    destIP = 10.10.10.2
    srcMac:    Protocol:    Vlan:    Interface:
    Active Status: DISABLED    Applied Status: NOTAPPLIED
    Priority: 23    NextHop: 10.102.29.77
 Done

To remove one or all PBRs by using the NetScaler command line

At the NetScaler command prompt, type one of the following commands:

w rm ns pbr <name>


w clear ns PBRs

Example

> rm ns pbr pbr1
 Done
> clear ns PBRs
 Done

Parameters for configuring a PBR

name

The name (alphanumeric) of the PBR.

action
The action to perform on packets that match the PBR. Possible values: ALLOW, DENY.

nextHop
The IP address of the next hop router or the name of the link load balancing virtual server to which to send matching packets if action is set to ALLOW. If you specify a link load balancing virtual server, which can provide a backup if a next hop link fails, first make sure that the next hops bound to it are actually next hops that are directly connected to the NetScaler appliance. Otherwise, the NetScaler will throw an error when you attempt to create the PBR.

srcIP
IP address of the source machine. You can also specify a range of addresses, by enclosing the low and high addresses in brackets (for example, [10.102.29.50-10.102.29.100]).

operator
You can use the following operators while creating PBRs: = and !=

destIP
The IP address of the destination system. You can also specify a range of addresses, by enclosing the low and high addresses in brackets (for example, [10.102.33.31-10.102.33.100]).

srcPort
The port address of the source system. You also can specify a range of ports, by enclosing the low and high port numbers in brackets (for example [30-90]).

Note: The source port can be modified only for TCP and UDP.

destPort
The port address of the destination system. You also can specify a range of ports, by enclosing the low and high port numbers in brackets (for example [40-90]).

Note: The destination port can be modified only for TCP and UDP.


protocol
The protocol field in the IP header. Possible values: ICMP, IGMP, TCP, EGP, IGP, ARGUS, UDP, RDP, RSVP, EIGRP, L2TP, and ISIS.

protocolNumber
The IP protocol number (decimal). Minimum value: 1. Maximum value: 255.

srcMac
The MAC address of the source system. Only the last 32 bits are considered during a lookup.

vlan
The VLAN ID present in the VLAN tag of the packet. Possible values: 1 to 4094.

interface
This is the network interface on which the packet arrives.

priority
The priority of the PBR. Possible values: 0 to 10240.

state
The state of the PBR. Possible values: ENABLED, DISABLED. Default: ENABLED.

msr
Enable or disable Monitored Static Route (MSR) on this route. This parameter is not applicable if you specify an LLB virtual server name for the nextHop parameter. Possible values: ENABLED, DISABLED. Default value: DISABLED.

monitor
The name of the monitor of type PING or ARP.

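The evaluation rules described above (priority order, auto-assigned priorities that are multiples of 10, = and != operators with [low-high] ranges, ALLOW sending to a next hop and DENY falling back to the routing table, apply and renumber) can be exercised with the following added example. It is a model written for this page, not Citrix code; the PBR and PBRTable classes and the packet dictionaries are this example's own abstractions of the parameters listed above.

```python
"""Model of NetScaler PBR evaluation: priority order, = / != operators,
[low-high] ranges, ALLOW vs DENY, apply and renumber.

Added example, not part of the Citrix guide. PBR, Match, PBRTable and the
packet dict are this example's own abstractions of the documented parameters.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


def _parse_range(value: str) -> tuple[int, int]:
    """'[10.0.0.1-10.0.0.9]' -> (low, high); a single value -> (v, v).
    Handles IPv4 addresses and port numbers, the two range kinds the guide defines."""
    raw = value.strip().strip("[]")
    low, _, high = raw.partition("-")
    high = high or low
    if "." in low:
        return int(ipaddress.IPv4Address(low)), int(ipaddress.IPv4Address(high))
    return int(low), int(high)


@dataclass
class Match:
    operator: str  # '=' or '!='
    low: int
    high: int

    @classmethod
    def parse(cls, spec: str) -> "Match":
        """Accepts '10.1.1.1', '= [30-90]' or '!=10.1.1.1' style specs."""
        if spec.startswith("!="):
            op, value = "!=", spec[2:].strip()
        else:
            op, value = "=", spec.lstrip("= ")
        low, high = _parse_range(value)
        return cls(op, low, high)

    def test(self, actual: int) -> bool:
        inside = self.low <= actual <= self.high
        return inside if self.operator == "=" else not inside


@dataclass
class PBR:
    name: str
    action: str                      # ALLOW or DENY
    next_hop: Optional[str] = None   # router IP or LLB vserver name (ALLOW only)
    src_ip: Optional[Match] = None
    dest_ip: Optional[Match] = None
    src_port: Optional[Match] = None
    dest_port: Optional[Match] = None
    protocol: Optional[str] = None
    priority: Optional[int] = None
    enabled: bool = True

    def matches(self, pkt: dict) -> bool:
        """pkt must carry src_ip and dest_ip; ports/protocol are optional."""
        checks = [
            (self.src_ip, int(ipaddress.IPv4Address(pkt["src_ip"]))),
            (self.dest_ip, int(ipaddress.IPv4Address(pkt["dest_ip"]))),
            (self.src_port, pkt.get("src_port")),
            (self.dest_port, pkt.get("dest_port")),
        ]
        for m, actual in checks:
            if m is not None and (actual is None or not m.test(actual)):
                return False
        return self.protocol is None or self.protocol == pkt.get("protocol")


class PBRTable:
    """Configured PBRs plus the applied lookup table (rebuilt only on apply())."""

    def __init__(self) -> None:
        self.configured: dict[str, PBR] = {}
        self.applied: list[PBR] = []

    def add(self, pbr: PBR) -> PBR:
        if pbr.name in self.configured:
            raise ValueError(f"PBR {pbr.name} already exists")
        if pbr.action == "ALLOW" and not pbr.next_hop:
            raise ValueError("ALLOW requires a next hop")
        if pbr.priority is None:  # auto-assign the next multiple of 10
            top = max((p.priority for p in self.configured.values()), default=0)
            pbr.priority = (top // 10 + 1) * 10
        self.configured[pbr.name] = pbr
        return pbr

    def apply(self) -> None:
        """Rebuild the lookup table from all enabled PBRs, lowest priority first."""
        self.applied = sorted(
            (p for p in self.configured.values() if p.enabled), key=lambda p: p.priority)

    def renumber(self) -> None:
        """Renumber priorities to 10, 20, 30, ... preserving the current order."""
        ordered = sorted(self.configured.values(), key=lambda p: p.priority)
        for i, p in enumerate(ordered, 1):
            p.priority = 10 * i

    def route(self, pkt: dict) -> str:
        """First matching applied PBR wins; DENY or no match -> ordinary routing table."""
        for p in self.applied:
            if p.matches(pkt):
                return p.next_hop if p.action == "ALLOW" else "ROUTING-TABLE"
        return "ROUTING-TABLE"
```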

To create a PBR by using the configuration utility

1. In the navigation pane, expand Network, and then click PBRs.

2. In the details pane, do one of the following:

• To create a new PBR, click Add.

• To modify an existing PBR, click Open.

3. In the Create PBR or Configure PBR dialog box, specify values for the following parameters, which correspond to parameters described in “Parameters for configuring a PBR” as shown:

• Name*-name

• Action-action

• Next Hop-nextHop

• Source, Operator-operator

• Source, Low/High-srcIP (To specify a specific IP address, type the same address in both text boxes.)


• Destination, Operator-operator

• Destination, Low/High-destIP (To specify a specific IP address, type the same address in both text boxes.)

• Protocol-protocol (or protocolNumber)

• Source Port, Operator-operator

• Source Port, Low/High-srcPort

• Destination Port, Operator-operator

• Destination Port, Low/High-destPort

• Source Mac-srcMac

• VLAN-vlan

• Interface-interface

• Priority-priority

• Enable PBR-state

• Monitored Static Route-msr

• Monitor-monitor

* A required parameter

4. Click Create or OK, and then click Close. A message appears in the status bar, stating that the PBR has been configured successfully.

To remove one or all PBRs by using the configuration utility

1. In the navigation pane, expand Network, and then click PBRs.

2. To remove a single PBR, in the details pane, select the PBR that you want to remove (for example, p1), and then click Remove.

3. To remove all PBRs, click Clear.

Applying a PBR

You must apply a PBR to activate it. The following procedure reapplies all PBRs that you have not disabled. The PBRs constitute a memory tree (lookup table). For example, if you create 10 PBRs (p1 - p10), and then you create another PBR (p11) and apply it, all of the PBRs (p1 - p11) are freshly applied and a new lookup table is created. If a session has a DENY PBR related to it, the session is destroyed.

You must apply this procedure after every modification you make to any PBR. For example, you must follow this procedure after disabling a PBR.

Note: PBRs created on the NetScaler appliance do not work until they are applied.

To apply a PBR by using the NetScaler command line

At the NetScaler command prompt, type:


apply ns PBRs

To apply a PBR by using the configuration utility

1. In the navigation pane, expand Network, and then click PBRs.

2. In the details pane, select the PBR that you want to apply (for example, p1).

3. Click Commit.

4. In the Apply PBR(s) dialog box, click Yes.

Enabling or Disabling PBRs

By default, the PBRs are enabled. This means that when PBRs are applied, the NetScaler appliance automatically compares incoming packets against the configured PBRs. If a PBR is not required in the lookup table, but it needs to be retained in the configuration, it must be disabled before the PBRs are applied. After the PBRs are applied, the NetScaler does not compare incoming packets against disabled PBRs.

To enable or disable a PBR by using the NetScaler command line

At the NetScaler command prompt, type one of the following commands:

w enable ns pbr <name>

w disable ns pbr <name>

Examples

> enable ns PBR pbr1
 Done
> show ns PBR pbr1
1)  Name: pbr1
    Action: ALLOW    Hits: 0
    srcIP = 10.102.37.252
    destIP = 10.10.10.2
    srcMac:    Protocol:    Vlan:    Interface:
    Active Status: ENABLED    Applied Status: APPLIED
    Priority: 10    NextHop: 10.102.29.77
 Done

> disable ns PBR pbr1
Warning: PBR modified, use 'apply pbrs' to commit this operation
> apply pbrs
 Done
> show ns PBR pbr1
1)  Name: pbr1
    Action: ALLOW    Hits: 0
    srcIP = 10.102.37.252
    destIP = 10.10.10.2
    srcMac:    Protocol:    Vlan:    Interface:
    Active Status: DISABLED    Applied Status: NOTAPPLIED
    Priority: 10    NextHop: 10.102.29.77
 Done

To enable or disable a PBR by using the configuration utility

1. In the navigation pane, expand Network, and then click PBRs.

2. In the details pane, select the PBR (for example, p1) and do one of the following:

• To enable the PBR, click Enable.

• To disable the PBR, click Disable.

A message appears in the status bar, stating that the PBR has been successfully enabled or disabled.

Renumbering PBRs

You can automatically renumber the PBRs to set their priorities to multiples of 10.

To renumber PBRs by using the NetScaler command line

At the NetScaler command prompt, type:

renumber ns pbrs

To renumber PBRs by using the configuration utility

1. In the navigation pane, expand Network, and then click PBRs.

2. In the details pane, click Renumber Priority (s).

3. In the Renumber Priority(s) PBR(s) dialog box, click Yes.

Use Case - PBR with Multiple Hops

Consider a scenario in which two PBRs, PBR1 and PBR2, are configured on NetScaler appliance NS1. PBR1 routes all the outgoing packets, with source IP address as 10.102.29.30, to next hop router R1. PBR2 routes all the outgoing packets, with source IP address as 10.102.29.90, to next hop router R2. R3 is another next hop router connected to NS1.

If router R1 fails, all the outgoing packets that matched against PBR1 are dropped. To avoid this situation, you can specify a link load balancing (LLB) virtual server in the next hop field while creating or modifying a PBR. Multiple next hops are bound to the LLB virtual server as services (for example R1, R2, and R3). Now, if R1 fails, all the packets that matched against PBR1 are routed to R2 or R3 as determined by the LB method configured on the LLB virtual server.

The NetScaler appliance throws an error if you attempt to create a PBR with an LLB virtual server as the next hop in the following cases:

w Adding another PBR with the same LLB virtual server.

w Specifying a nonexistent LLB virtual server.

w Specifying an LLB virtual server for which the bound services are not next hops.

w Specifying an LLB virtual server for which the LB method is not set to one of the following:

• LEASTPACKETS

• LEASTBANDWIDTH

• DESTIPHASH

• SOURCEIPHASH

• WEIGHTDRR

• SRCIPDESTIP_HASH

• LTRM

• CUSTOM LOAD

w Specifying an LLB virtual server for which the LB persistence type is not set to one of the following:

• DESTIP

• SOURCEIP

• SRCDSTIP
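The error cases listed above can be checked before the `add ns pbr ... -nextHop <LLB vserver>` command is issued. The following added example (written for this page, not Citrix code) models an appliance's LLB virtual servers and existing PBRs and returns every reason the appliance would reject the PBR; "directly connected next hop" is tested by whether the service IP lies inside one of the appliance's own subnets, which is this example's assumption, and the sample entities come from Table 4-1 below.

```python
"""Pre-flight validation of an LLB virtual server used as a PBR next hop.

Added example, not Citrix code. It mirrors the error cases the guide lists;
the "directly connected" test (service IP inside one of the appliance's own
subnets) is this example's assumption, as is the sample appliance.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# LB methods and persistence types the guide lists as acceptable for a PBR next hop
# (compared with spaces removed so "CUSTOM LOAD" and "CUSTOMLOAD" both pass).
ALLOWED_LB_METHODS = {"LEASTPACKETS", "LEASTBANDWIDTH", "DESTIPHASH", "SOURCEIPHASH",
                      "WEIGHTDRR", "SRCIPDESTIP_HASH", "LTRM", "CUSTOMLOAD"}
ALLOWED_PERSISTENCE = {"DESTIP", "SOURCEIP", "SRCDSTIP"}


@dataclass
class Service:
    name: str
    ip: str
    service_type: str = "ANY"   # the guide requires ANY and port *
    port: str = "*"


@dataclass
class LLBVserver:
    name: str
    lb_method: str
    persistence: str
    services: list[Service] = field(default_factory=list)


@dataclass
class Appliance:
    subnets: list[str]                 # directly connected networks (assumption)
    llb_vservers: dict[str, LLBVserver]
    pbr_next_hops: dict[str, str]      # existing PBR name -> its next hop

    def is_directly_connected(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(s) for s in self.subnets)


def validate_llb_next_hop(appliance: Appliance, llb_name: str) -> list[str]:
    """Return the reasons the appliance would reject the PBR; empty means OK."""
    llb = appliance.llb_vservers.get(llb_name)
    if llb is None:
        return [f"LLB virtual server {llb_name} does not exist"]
    errors: list[str] = []
    users = [n for n, nh in appliance.pbr_next_hops.items() if nh == llb_name]
    if users:
        errors.append(f"{llb_name} is already the next hop of PBR {users[0]}")
    if llb.lb_method.replace(" ", "").upper() not in ALLOWED_LB_METHODS:
        errors.append(f"LB method {llb.lb_method} is not supported for PBR next hops")
    if llb.persistence.upper() not in ALLOWED_PERSISTENCE:
        errors.append(f"persistence type {llb.persistence} is not supported for PBR next hops")
    for svc in llb.services:
        if not appliance.is_directly_connected(svc.ip):
            errors.append(f"service {svc.name} ({svc.ip}) is not a directly connected next hop")
    return errors


def sample_appliance() -> Appliance:
    """Constructed sample: the Table 4-1 entities plus one deliberately bad vserver."""
    routers = [Service("Router1", "1.1.1.254"), Service("Router2", "2.2.2.254"),
               Service("Router3", "3.3.3.254")]
    return Appliance(
        subnets=["1.1.1.0/24", "2.2.2.0/24", "3.3.3.0/24"],
        llb_vservers={
            "LLB1": LLBVserver("LLB1", "LEASTPACKETS", "SOURCEIP", routers),
            # ROUNDROBIN, no persistence, and a router that is not on a local subnet
            "LLB2": LLBVserver("LLB2", "ROUNDROBIN", "NONE", [Service("Far", "9.9.9.1")]),
        },
        pbr_next_hops={"PBR2": "2.2.2.254"},
    )


if __name__ == "__main__":
    app = sample_appliance()
    for name in ("LLB1", "LLB2", "LLB9"):
        print(name, validate_llb_next_hop(app, name) or "OK")
```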

The following table lists the names and values of the entities configured on the NetScaler appliance:

Table 4-1. Sample Values for Creating Entities

Entity Type                         Name      IP Address
Link load balancing virtual server  LLB1      NA
Services (next hops)                Router1   1.1.1.254
                                    Router2   2.2.2.254
                                    Router3   3.3.3.254
PBRs                                PBR1      NA
                                    PBR2      NA

To implement the configuration described above, you need to:

1. Create services Router1, Router2, and Router3 that represent next hop routers R1, R2, and R3.

2. Create link load balancing virtual server LLB1 and bind services Router1, Router2, and Router3 to it.

3. Create PBRs PBR1 and PBR2, with next hop fields set as LLB1 and 2.2.2.254 (IP address of the router R2), respectively.

To create a service by using the NetScaler command line

At the NetScaler command prompt, type:

w add service <name> <IP> <serviceType> <port>

w show service <name>

Example

> add service Router1 1.1.1.254 ANY *
 Done
> add service Router2 2.2.2.254 ANY *
 Done
> add service Router3 3.3.3.254 ANY *
 Done

Parameters for creating a service

name

The name of the service. Maximum length: 127

IP
The IP address of the physical router for which a service will be added.

serviceType
The type of connections that the service will handle. Specify a service type of ANY.

port
Port on which the service listens. Specify an asterisk (*) as the port number.

To create services by using the configuration utility

1. In the navigation pane, expand Load Balancing, and then click Services.

2. In the details pane, click Add.


3. In the Create Service dialog box, specify values for the following parameters, which correspond to parameters described in “Parameters for creating a service” as shown:

• Service Name*—name

• Server—IP

• Protocol*—serviceType (Select ANY from the drop-down list.)

• Port*—port

* A required parameter

4. Click Create.

5. Repeat Steps 2-4 to create another service.

6. Click Close.

7. In the Services pane, select the services that you just configured and verify that the settings displayed at the bottom of the screen are correct.

To create a link load balancing virtual server and bind a service by using the NetScaler command line

At the NetScaler command prompt, type:

w add lb vserver <name> <serviceType>

w bind lb vserver <name> <serviceName>

w show lb vserver <name>

Example

> add lb vserver LLB1 ANY
 Done
> bind lb vserver LLB1 Router1 Router2 Router3
 Done

Parameters for creating an LLB virtual server

name

The name of the load balancing virtual server being added. Maximum length: 127

serviceType

The service type. Possible value: ANY.

Parameters for binding the service

name

The virtual server name to which the service is bound. Maximum length: 127


serviceName
The name of the service that is bound. Maximum length: 127

To create a link load balancing virtual server and bind a service by using the configuration utility

1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.

2. In the Load Balancing Virtual Servers pane, click Add.

3. In the Create Virtual Servers (Load Balancing) dialog box, specify values for the following parameters, which correspond to parameters described in “Parameters for creating an LLB virtual server” as shown:

• Name*—name

• Protocol*—serviceType (Select ANY.)

* A required parameter

Note: Make sure Directly Addressable is unchecked.

4. Under the Services tab, in the Active column, select the check box for the service that you want to bind to the virtual server.

5. Click Create, and then click Close.

6. In the Load Balancing Virtual Servers tab, select the virtual server that you just created, and verify that the settings displayed in the Details pane are correct.

To create a PBR by using the NetScaler command line

At the NetScaler command prompt, type:

w add ns pbr <name> <action> [-srcIP [<operator>] <srcIPVal>] [-nextHop <nextHopVal>]

w sh ns pbr

Example

> add pbr PBR1 ALLOW -srcIP 10.102.29.30 -nextHop LLB1
 Done
> add pbr PBR2 ALLOW -srcIP 10.102.29.90 -nextHop 2.2.2.254
 Done

Parameters for configuring a PBR

name

The name (alphanumeric) of the PBR.


action
The action to perform on packets that match the PBR. Possible values: ALLOW, DENY.

nextHop
The IP address of the next hop router or the name of the link load balancing virtual server to which to send matching packets if action is set to ALLOW. If you specify a link load balancing virtual server, which can provide a backup if a next hop link fails, first make sure that the next hops bound to it are actually next hops that are directly connected to the NetScaler appliance. Otherwise, the NetScaler will throw an error when you attempt to create the PBR.

srcIP
IP address of the source machine. You can also specify a range of addresses, by enclosing the low and high addresses in brackets (for example, [10.102.29.50-10.102.29.100]).

To create a PBR by using the configuration utility

1. In the navigation pane, expand Network, and then click PBRs.

2. In the details pane, do one of the following:

• To create a new PBR, click Add.

• To modify an existing PBR, click Open.

3. In the Create PBR or Configure PBR dialog box, specify values for the following parameters, which correspond to parameters described in “Parameters for configuring a PBR” as shown:

• Name*-name

• Action-action

• Next Hop-nextHop

• Source, Operator-operator

• Source, Low/High-srcIP (To specify a specific IP address, type the same address in both text boxes.)

* A required parameter

4. Click Create or OK, and then click Close. A message appears in the status bar, stating that the PBR has been configured successfully.

Configuring a Policy-Based Route (PBR6) for IPv6 Traffic

Configuring PBR6s involves the following tasks:

w Create a PBR6.

w Apply PBR6s.


w (Optional) Disable or enable a PBR6.

w (Optional) Renumber the priority of the PBR6.

Creating or Modifying a PBR6

You cannot create two PBR6s with the same parameters. If you attempt to create a duplicate, an error message appears.

You can configure the priority of a PBR6. The priority (an integer value) defines the order in which the NetScaler appliance evaluates PBR6s. When you create a PBR6 without specifying a priority, the NetScaler automatically assigns a priority that is a multiple of 10.

If a packet matches the condition defined by the PBR6, the NetScaler performs an action. If the packet does not match the condition defined by the PBR6, the NetScaler compares the packet against the PBR6 with the next highest priority.

To create a PBR6 by using the NetScaler command line

At the NetScaler command prompt, type:

w add ns pbr6 <name> <action> [-srcIPv6 [<operator>] <srcIPv6Val>] [-srcPort [<operator>] <srcPortVal>] [-destIPv6 [<operator>] <destIPv6Val>] [-destPort [<operator>] <destPortVal>] [-srcMac <mac_addr>] [-protocol <protocol> | -protocolNumber <positive_integer>] [-vlan <positive_integer>] [-interface <interface_name>] [-priority <positive_integer>] [-state ( ENABLED | DISABLED )] [-msr ( ENABLED | DISABLED ) [-monitor <string>]] [-nextHop <nextHopVal>] [-nextHopVlan <positive_integer>]

w sh ns pbr

To modify or remove a PBR6 by using the NetScaler command line

To modify a PBR6, type the set pbr6 <name> command and the parameters to be changed, with their new values.

To remove one or all PBR6s by using the NetScaler command line

At the NetScaler command prompt, type one of the following commands:

w rm ns pbr6 <name>

w clear ns pbr6

Parameters for creating or modifying a PBR6

Name (Name)

A name for the PBR6. The name can begin with a letter, number, or the underscore symbol, and can consist of up to 127 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols. (Cannot be changed after the PBR6 has been created.)


action (Action)
The action to perform on packets that match the PBR6. Possible values: ALLOW, DENY.

nextHop (Next Hop Value)
The IPv6 address of the next hop router to which to send matching packets if action is set to ALLOW.

nextHopVlan (Next Hop vlan)
The VLAN ID, if you have specified a link local address for the Next Hop parameter. Minimum value: 1. Maximum value: 4094.

priority (Priority)
The priority of the PBR6, which determines the order in which it will be applied relative to other PBR6s. A lower number specifies a higher priority. Minimum value: 0. Maximum value: 80000.

state (Enable PBR)
The state of the PBR6. Possible values: ENABLED, DISABLED. Default: ENABLED.

msr (Monitored Static Route)
Enable or disable monitored static route (MSR) on the static route entry for the next hop. Possible values: ENABLED, DISABLED. Default value: DISABLED.

monitor (Monitor)
Designate a PING6 or an ARP monitor for monitoring the static route entry for the next hop.

operator (Operation)
The type of operation for matching the PBR6 against packets. Possible values: = (equals), != (does not equal).

srcIPv6 (Source IP, Low/High)
The IPv6 address that the PBR6 rule compares to the address in the source IP address field of every outgoing IPv6 packet. To specify a range of addresses from the command line interface, enclose the low and high addresses in brackets, with a hyphen between the two addresses.

destIPv6 (Destination IP, Low/High)
The IP address that the PBR6 rule compares to the address in the destination IP address field of every outgoing IPv6 packet. To specify a range of addresses from the command line interface, enclose the low and high addresses in brackets, with a hyphen between the two addresses.

protocol (Protocol)
The protocol field in the IPv6 header. Possible values: ICMP, IGMP, TCP, EGP, IGP, ARGUS, UDP, RDP, RSVP, EIGRP, L2TP, and ISIS.

protocolNumber
The IPv6 protocol number. Minimum value: 1. Maximum value: 255.

srcPort (Source Port, Low/High)
The port number that the PBR6 rule compares to the port number in the source port field of every incoming IPv6 packet. To specify a range of ports from the command line interface, enclose the low and high port numbers in brackets, with a hyphen between the two port numbers (for example [50-90]).


Note: The source port can be specified only for TCP and UDP.

destPort (Destination Port, Low/High)

The port number that the PBR6 rule compares to the port number in the destination port field of every incoming IPv6 packet. To specify a range of ports from the command line interface, enclose the low and high port numbers in brackets, with a hyphen between the two ports (for example [40-90]).

Note: The destination port can be specified only for TCP and UDP protocols.

srcMac (Source MAC)
The MAC address of the source system. Only the last 32 bits are considered during a lookup.

vlan (VLAN)
The VLAN ID present in the VLAN tag of the IPv6 packet. Minimum value: 1. Maximum value: 4094.

interface (Interface)
This is the network interface on which the IPv6 packet arrives.

To create or modify a PBR6 by using the configuration utility

1. In the navigation pane, expand Network, and then click PBRs.

2. On the PBR6s tab, do one of the following:

• To create a new PBR6, click Add.

• To modify an existing PBR6, click Open.

3. In the Create PBR6 or Configure PBR6 dialog box, set the following parameters:

• Name*

• Action*

• Next Hop value*

• Next Hop vlan*

• Priority

• Enable PBR

• Monitored static route

• Monitor

• Source, Operation

• Source IP, Low/High (To specify a specific IP address, type the same address in both text boxes.)


• Destination, Low/High (To specify a specific IP address, type the same address in both text boxes.)

• Protocol

• Source Port, Operation

• Source Port, Low/High

• Destination Port, Operation

• Destination Port, Low/High

• Source Mac

• VLAN

• Interface

* A required parameter

4. Click Create or OK, and then click Close. A message appears in the status bar, stating that the PBR6 has been configured successfully.

To remove one or all PBR6s by using the configuration utility

1. In the navigation pane, expand Network, and then click PBRs.

2. To remove a single PBR6, on the PBR6s tab, select the PBR6 that you want to remove, and then click Remove.

3. To remove all PBR6s, click Clear.

Applying PBR6s

You must apply a PBR6 to activate it. The following procedure reapplies all PBR6s that you have not disabled. The PBR6s constitute a memory tree (lookup table). For example, if you create 10 PBR6s (p6_1 - p6_10), and then you create another PBR6 (p6_11) and apply it, all of the PBR6s (p6_1 - p6_11) are freshly applied and a new lookup table is created. If a session has a DENY PBR6 related to it, the session is destroyed.

You must apply this procedure after every modification you make to any PBR6. For example, you must follow this procedure after disabling a PBR6.

Note: PBR6s created on the NetScaler appliance do not work until they are applied.

To apply PBR6s by using the NetScaler command line

At the NetScaler command prompt, type:

apply ns PBR6

To apply PBR6s by using the configuration utility

1. In the navigation pane, expand Network, and then click PBRs.


2. On the PBR6s tab, click Commit.

3. In the Confirm dialog box, click Yes.

Enabling or Disabling a PBR6

By default, the PBR6s are enabled. This means that when PBR6s are applied, the NetScaler appliance automatically compares outgoing IPv6 packets against the configured PBR6s. If a PBR6 is not required in the lookup table, but it needs to be retained in the configuration, it must be disabled before the PBR6s are applied. After the PBR6s are applied, the NetScaler does not compare incoming packets against disabled PBR6s.

To enable or disable a PBR6 by using the NetScaler command line

At the NetScaler command prompt, type one of the following commands:

• enable ns pbr <name>

• disable ns pbr <name>

To enable or disable a PBR6 by using the configuration utility

1. In the navigation pane, expand Network, and then click PBR6s.

2. On the PBR6s tab, select the PBR6 (for example, p1_6) and do one of the following:

• To enable the PBR6, click Enable.

• To disable the PBR6, click Disable.

A message appears in the status bar, stating that the PBR6 has been successfully enabled or disabled.

Renumbering PBR6s

You can automatically renumber the PBR6s to set their priorities to multiples of 10.

To renumber PBR6s by using the NetScaler command line

At the NetScaler command prompt, type:

renumber pbr6

To renumber PBR6s by using the configuration utility

1. In the navigation pane, expand Network, and then click PBRs.

2. On the PBR6s tab, click Renumber Priority(s).

3. In the Renumber Priority(s) PBR(s) dialog box, click Yes.


Troubleshooting Routing Issues

To make your troubleshooting process as efficient as possible, begin by gathering information about your network. You need to obtain the following information about the NetScaler appliance and other systems in the network:

• Complete topology diagram, including interface connectivity and intermediate switch details.

• Running configuration. You can use the show running command to get the running configuration for ns.conf and ZebOS.conf.

• Output of the history command, to determine whether any configuration changes were made when the issue arose.

• Output of the top and ps -ax commands, to determine whether any routing daemon is over-utilizing the CPU or is misbehaving.

• Any routing-related core files in /var/core (nsm, bgpd, ospfd, or ripd). Check the time stamp to see if they are relevant.

• dr_error.log and dr_info.log files from /var/log.

• Output of the date command and time details for all relevant systems. Print dates across all devices one after another, so that the times on the log messages can be correlated with various events.

• Relevant ns.log and newnslog files.

• Configuration files, log files, and command history details from upstream and downstream routers.
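The checklist above is easier to act on with a few helpers. The following Python code is an added example, not part of the guide, that covers three of the items: it picks out routing-daemon cores in a /var/core-style directory whose time stamps fall near the incident, flags routing daemons that are hogging the CPU in ps output, and computes the clock offset between two devices' date outputs so their log lines can be correlated. The core-file naming pattern (<daemon>.core or <daemon>.core.<n>), the sample ps listing, the sample dates and the incident time are all constructed for the example; the ps parser assumes the column layout of ps -axo pid,pcpu,etime,command.

```python
import os
import tempfile
from datetime import datetime, timedelta

# Routing daemons named in the checklist; their cores in /var/core are the ones to inspect.
ROUTING_DAEMONS = ("nsm", "bgpd", "ospfd", "ripd")


def relevant_routing_cores(core_dir, incident_time, window=timedelta(hours=1)):
    """Return [(filename, mtime)] for routing-daemon cores whose modification time
    lies within `window` of `incident_time`, newest first. Cores are assumed to be
    named "<daemon>.core" or "<daemon>.core.<n>" (an assumption, not a documented rule)."""
    hits = []
    for name in os.listdir(core_dir):
        daemon = name.split(".")[0]
        if daemon not in ROUTING_DAEMONS:
            continue
        mtime = datetime.fromtimestamp(os.path.getmtime(os.path.join(core_dir, name)))
        if abs(mtime - incident_time) <= window:
            hits.append((name, mtime))
    hits.sort(key=lambda hit: hit[1], reverse=True)
    return hits


def busy_routing_daemons(ps_output, cpu_threshold=50.0):
    """Parse `ps -axo pid,pcpu,etime,command` output (header row first) and return
    {daemon: %CPU} for routing daemons at or above `cpu_threshold`."""
    busy = {}
    for line in ps_output.strip().splitlines()[1:]:
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue
        _pid, pcpu, _etime, command = fields
        daemon = os.path.basename(command.split()[0])
        if daemon in ROUTING_DAEMONS and float(pcpu) >= cpu_threshold:
            busy[daemon] = float(pcpu)
    return busy


def clock_offset(reference_date, device_date, fmt="%a %b %d %H:%M:%S %Z %Y"):
    """Seconds to add to a device's log timestamps to align them with the reference
    clock, from two `date` outputs captured back to back (both in UTC here)."""
    ref = datetime.strptime(reference_date, fmt)
    dev = datetime.strptime(device_date, fmt)
    return (ref - dev).total_seconds()


# ---- constructed sample data ----
INCIDENT = datetime(2013, 10, 21, 10, 15, 0)

SAMPLE_PS = """\
  PID %CPU     ELAPSED COMMAND
  342 97.3  5-03:12:44 /netscaler/nsm
  355  0.4  5-03:12:41 /netscaler/ospfd
  361  0.0  5-03:12:40 /netscaler/bgpd
 1024  1.2    00:00:12 ps -axo pid,pcpu,etime,command
"""


def build_sample_core_dir(incident_time=INCIDENT):
    """Create a temporary /var/core look-alike: a fresh nsm core, a month-old ospfd
    core, and a core from an unrelated (made-up) daemon, with mtimes set relative
    to the incident time."""
    core_dir = tempfile.mkdtemp(prefix="core_")
    ages = {"nsm.core": timedelta(minutes=5),
            "ospfd.core.1": timedelta(days=30),
            "otherd.core": timedelta(minutes=1)}
    for name, age in ages.items():
        path = os.path.join(core_dir, name)
        open(path, "wb").close()
        stamp = (incident_time - age).timestamp()
        os.utime(path, (stamp, stamp))
    return core_dir


if __name__ == "__main__":
    print(relevant_routing_cores(build_sample_core_dir(), INCIDENT))
    print(busy_routing_daemons(SAMPLE_PS))
    print(clock_offset("Mon Oct 21 10:15:03 UTC 2013", "Mon Oct 21 10:12:33 UTC 2013"))
```

On a real appliance you would point relevant_routing_cores at /var/core and feed busy_routing_daemons the live ps output; the month-old ospfd core is deliberately ignored because a stale core is noise, while the positive offset returned by clock_offset is what you add to the slower device's log timestamps before lining them up against the others.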

Generic Routing FAQs

Users typically have the following questions about how to troubleshoot generic routing issues:

• How do I save the config files?

The write command from VTYSH saves only ZebOS.conf. Run the save config command from the NetScaler CLI to save both the ns.conf and ZebOS.conf files.

• If I have configured both a static default route and a dynamically learned default route, which is the preferred default route?

The dynamically learned route is the preferred default route. This behavior is unique to default routes. However, in the case of the Network Services Module (NSM), unless the administrative distances are modified, a statically configured route in the RIB is preferred over a dynamic route. The route that is downloaded to the NSM FIB is the static route.

• How do I block the advertisement of default routes?

After release 7.0, the default route is not injected into ZebOS.



However, if you are working with 7.0 or an earlier release, you must apply a suitable route map with the redistribute kernel command for each protocol to block default route advertisement. For example:

ns(config)#access-list 1 deny 0.0.0.0
ns(config)#access-list 2 permit any
ns(config)#route-map redist-kernel permit 5
ns(config-route-map)#match ip address 1
ns(config)#route-map redist-kernel permit 10
ns(config-route-map)#match ip address 2
ns(config-route-map)#q
ns(config)#router ospf 1
ns(config-router)#redistribute kernel route-map redist-kernel
ns(config-router)#q
ns(config)#q
ns#show route-map
route-map redist-kernel, permit, sequence 5
 Match clauses:
  ip address 1
 Set clauses:
route-map redist-kernel, permit, sequence 10
 Match clauses:
  ip address 2
 Set clauses:
ns#show access-list
Standard IP access list 1
 deny 0.0.0.0
Standard IP access list 2
 permit any
ns#

• How do I view the debug output of networking daemons?

You can write debugging output from networking daemons to a file by entering the following log file command from the global configuration view in VTYSH:

ns(config)#log file /var/ZebOS.log

With release 8.1, you can direct debug output to the console by entering the terminal monitor command from the VTYSH user view:

ns#terminal monitor

• How do I collect cores of running daemons?


You can use the gcore utility to collect cores of running daemons for processing by gdb. This might be helpful in debugging misbehaving daemons without bringing the whole routing operation to a standstill.

gcore [-s] [-c core] [executable] pid

The -s option temporarily stops the daemon while gathering the core image. This is a recommended option, because it guarantees that the resulting image shows the core in a consistent state.

root@ns#gcore -s -c nsm.core /netscaler/nsm 342

• How do I run a batch of ZebOS commands?

You can run a batch of ZebOS commands from a file by entering the VTYSH -f <file-name> command. This does not replace the running configuration, but appends to it. However, by including commands to delete the existing configuration in the batch file and then add those for the new, desired configuration, you can use this mechanism to replace a specific configuration:

!
router bgp 234
network 1.1.1.1 255.255.255.0
!
route-map bgp-out2 permit 10
 set metric 9900
 set community 8602:300
!

Troubleshooting OSPF-Specific Issues

Before you start debugging any OSPF-specific issue, you must collect information from the NetScaler appliance and all systems in the affected LAN, including upstream and downstream routers. To begin, enter the following commands:

1. show interface from both nscli and VTYSH

2. show ip ospf interface

3. show ip ospf neighbor detail

4. show ip route

5. show ip ospf route

6. show ip ospf database summary

a. If there are only a few LSAs in the database, enter show ip ospf database router, show ip ospf database network, show ip ospf database external, and other commands to get the full details of the LSAs.


b. If there are a large number of LSAs in the database, enter the show ip ospf database self-originated command.

7. show ip ospf

8. show ns ip. This ensures that the details of all VIPs of interest are included.

9. Get the logs from peering devices and run the following command:

gcore -s -c xyz.core /netscaler/ospfd <pid>

Note: The gcore command is non-disruptive.

Collect additional information from the NetScaler as follows:

1. Enable logging of error messages by entering the following command from the global configuration view in VTYSH:

ns(config)#log file /var/ospf.log

2. Enable debugging ospf events and log them by using the following command:

ns(config)#log file /var/ospf.log

Enable debug ospf lsa packet only if the number of LSAs in the database is relatively small (< 500).


Chapter 5

Internet Protocol version 6 (IPv6)

Topics:

• Implementing IPv6 Support

• VLAN Support

• Simple Deployment Scenario

• Host Header Modification

• VIP Insertion

A NetScaler appliance supports both server-side and client-side IPv6 and can therefore function as an IPv6 node. It can accept connections from IPv6 nodes (both hosts and routers) and from IPv4 nodes, and can perform Protocol Translation (RFC 2765) before sending traffic to the services. You have to license the IPv6 feature before you can implement it.

The following table lists some of the IPv6 features that the NetScaler appliance supports.

Table 5-1. Some Supported IPv6 Features

IPv6 features

IPv6 addresses for SNIPs (NSIP6, VIP6, and SNIP6)

Neighbor Discovery (Address Resolution, Duplicate Address Detection, Neighbor Unreachability Detection, Router Discovery)

Management Applications (ping6, telnet6, ssh6)

Static Routing and Dynamic routing (OSPF)

Port Based VLANs

Access Control Lists for IPv6 addresses (ACL6)

IPv6 Protocols (TCP6, UDP6, ICMP6)

Server Side Support (IPv6 addresses for vservers, services)

USIP (Use source IP) and DSR (Direct Server Return) for IPv6

SNMP and CVPN for IPv6

HA with native IPv6 node address

IPv6 addresses for MIPs

Path-MTU discovery for IPv6


The following table lists NetScaler components that support IPv6 addresses and provides references to the PDF documentation of the components.

Table 5-2. NetScaler Components That Support IPv6 Addresses and the Corresponding Documentation

NetScaler component   Section that documents IPv6 support                               Document title
Network               Adding, Customizing, Removing, Removing all, and Viewing routes   Citrix NetScaler Networking Guide
SSL Offload           Creating IPv6 vservers for SSL Offload                            Citrix NetScaler Traffic Management Guide
SSL Offload           Specifying IPv6 SSL Offload Monitors                              Citrix NetScaler Traffic Management Guide
SSL Offload           Creating IPv6 SSL Offload Servers                                 Citrix NetScaler Traffic Management Guide
Load Balancing        Creating IPv6 vservers for Load Balancing                         Citrix NetScaler Traffic Management Guide
Load Balancing        Specifying IPv6 Load Balancing Monitors                           Citrix NetScaler Traffic Management Guide
Load Balancing        Creating IPv6 Load Balancing Servers                              Citrix NetScaler Traffic Management Guide
DNS                   Creating AAAA Records                                             Citrix NetScaler Traffic Management Guide

You can configure IPv6 support for the above features after implementing the IPv6 feature on your NetScaler appliance. You can configure both tagged and prefix-based VLANs for IPv6. You can also map IPv4 addresses to IPv6 addresses.


Implementing IPv6 Support

IPv6 support is a licensed feature, which you have to enable before you can use or configure it. If IPv6 is disabled, the NetScaler does not process IPv6 packets. It displays the following warning when you run an unsupported command:

"Warning: Feature(s) not enabled [IPv6PT]"

The following message appears if you attempt to run IPv6 commands without theappropriate license:

"ERROR: Feature(s) not licensed"

After licensing the feature, use either of the following procedures to enable or disable IPv6.

To enable or disable IPv6 by using the NetScaler command line

At the NetScaler command prompt, type one of the following commands:

• enable ns feature ipv6pt

• disable ns feature ipv6pt

To enable or disable IPv6 by using the configuration utility

1. In the navigation pane, expand System and click Settings.

2. On the Settings page, under Modes and Features, click change advanced features.

3. In the Configure Advanced Features dialog box, do one of the following:

• To enable IPv6, select the IPv6 Protocol Translation check box.

• To disable IPv6, clear the IPv6 Protocol Translation check box.

4. Click OK.

5. In the Enable/Disable Feature(s)? dialog box, click Yes.

VLAN Support

If you need to send broadcast or multicast packets without identifying the VLAN (for example, during DAD for the NSIP, or ND6 for the next hop of the route), you can configure the NetScaler appliance to send the packet on all the interfaces with appropriate tagging. The VLAN is identified by ND6, and a data packet is sent only on the VLAN.


For more information about ND6 and VLANs, see Configuring Neighbor Discovery.

Port-based VLANs are common for IPv4 and IPv6. Prefix-based VLANs are supported for IPv6.

Simple Deployment Scenario

Following is an example of a simple load balancing set-up consisting of an IPv6 vserver and IPv4 services, as illustrated in the following topology diagram.

Figure 5-1. IPv6 Sample Topology

The following table summarizes the names and values of the entities that must be configured on the NetScaler.

Table 5-3. Sample Values for Creating Entities

Entity type   Name       Value
LB Vserver    VS1_IPv6   2002::9
Services      SVC1       10.102.29.1
              SVC2       10.102.29.2

The following figure shows the entities and values of the parameters to be configured on the NetScaler.


Figure 5-2. IPv6 Entity Diagram

To configure this deployment scenario, you need to do the following:

1. Create an IPv6 service.

2. Create an IPv6 LB vserver.

3. Bind the services to the vserver.

To create IPv4 services by using the NetScaler command line

At the NetScaler command prompt, type:

add service <Name> <IPAddress> <Protocol> <Port>

Example

add service SVC1 10.102.29.1 HTTP 80
add service SVC2 10.102.29.2 HTTP 80

Citrix NetScaler Networking Guide

231

Page 232: NS Networking Guide

To create IPv4 services by using the configuration utility

1. In the navigation pane, expand Load Balancing and click Services.

2. On the Services page, click Add.

3. In the Create Service dialog box, in the Service Name, Server, and Port text boxes, type the name, IP address, and port of the service (for example, SVC1, 10.102.29.1, and 80).

4. In the Protocol drop-down list box, select the type of the service (for example, HTTP).

5. Click Create and click Close.

6. Repeat Steps 1-5 to create a service SVC2 with IP address 10.102.29.2 and port 80.

To create an IPv6 vserver by using the NetScaler command line

At the NetScaler command prompt, type:

add lb vserver <Name> <IPAddress> <Protocol> <Port>

Example

add lb vserver VS1_IPv6 2002::9 HTTP 80

To create an IPv6 vserver by using the configuration utility

1. In the navigation pane, expand Load Balancing and click Virtual Servers.

2. In the Load Balancing Virtual Servers page, click Add.

3. In the Create Virtual Servers (Load Balancing) dialog box, select the IPv6 check box.

4. In the Name, Port, and IP Addresses text boxes, type the name, port, and IP address of the vserver (for example, VS1_IPv6, 80, and 2002::9).

5. Click Create and click Close.


To bind a service to an LB vserver by using the NetScaler command line

At the NetScaler command prompt, type:

bind lb vserver <name> <service>

Example

bind lb vserver VS1_IPv6 SVC1

The vservers receive IPv6 packets and the NetScaler performs Protocol Translation (RFC 2765) before sending traffic to the IPv4-based services.

To bind a service to an LB vserver by using the configuration utility

1. In the navigation pane, expand Load Balancing and click Virtual Servers.

2. In the Load Balancing Virtual Servers page, select the vserver to which you want to bind the service (for example, VS1_IPv6).

3. Click Open.

4. In the Configure Virtual Server (Load Balancing) dialog box, on the Services tab, select the Active check box corresponding to the service that you want to bind to the vserver (for example, SVC1).

5. Click OK.

6. Repeat Steps 1-4 to bind the other service (for example, SVC2) to the vserver.

Host Header Modification

When an HTTP request has an IPv6 address in the host header, and the server does not understand the IPv6 address, you must map the IPv6 address to an IPv4 address. The IPv4 address is then used in the host header of the HTTP request sent to the vserver.

To change the IPv6 address in the host header to an IPv4 address by using the NetScaler command line

At the NetScaler command prompt, type:

set ns ip6 <IPv6Address> -map <IPAddress>


Example

set ns ip6 2002::9 -map 200.200.200.200

To change the IPv6 address in the host header to an IPv4 address by using the configuration utility

1. In the navigation pane, expand Networks and click IPs.

2. In the IPs page, click the IPV6s tab and select the IP address for which you want to configure a mapped IP address, for example, 2002:0:0:0:0:0:0:9.

3. Click Open.

4. In the Configure IP6 dialog box, in the Mapped IP text box, type the mapped IP address that you want to configure, for example, 200.200.200.200.

5. Click OK.

VIP Insertion

If an IPv6 address is sent to an IPv4-based server, the server may not understand the IP address in the HTTP header, and may generate an error. To avoid this, you can map an IPv4 address to the IPv6 VIP and enable VIP insertion.

To configure a mapped IPv6 address by using the NetScaler command line

At the NetScaler command prompt, type:

set ns ip6 <IPv6Address> -map <IPAddress>

Example

> set ns ip6 2002::9 -map 200.200.200.200
 Done

To configure a mapped IPv6 address by using the configuration utility

1. In the navigation pane, expand Networks and click IPs.


2. In the IPs page, click the IPV6s tab and select the IP address for which you want to configure a mapped IP address (for example, 2002:0:0:0:0:0:0:9).

3. Click Open.

4. In the Configure IP6 dialog box, in the Mapped IP text box, type the mapped IP address that you want to configure (for example, 200.200.200.200).

5. Click OK.

Use either of the following procedures to enable insertion of an IPv4 VIP address and port number in the HTTP requests sent to the servers.

To enable VIP insertion by using the NetScaler command line

At the NetScaler command prompt, type:

set lb vserver <name> -insertVserverIPPort <Value>

Example

> set lb vserver VS1_IPv6 -insertVserverIPPort ON
 Done

To enable VIP insertion by using the configuration utility

1. In the navigation pane, expand Load Balancing and click Virtual Servers.

2. In the Load Balancing Virtual Servers page, select the vserver for which you want to enable VIP insertion (for example, VS1_IPv6).

3. Click Open.

4. In the Configure Virtual Server (Load Balancing) dialog box, click the Advanced tab.

5. In the Vserver IP Port Insertion drop-down list box, select VIPADDR.

6. In the Vserver IP Port Insertion text box, type the name of the VIP header.
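The two mappings described above (Host Header Modification and VIP Insertion) both rest on one table, the IPv6-to-IPv4 map created with set ns ip6 ... -map. The following Python code is an added example, not NetScaler code, that models what happens to one HTTP request: a bracketed IPv6 literal in the Host header is replaced by the mapped IPv4 address (port preserved), and, when VIP insertion is on, a header carrying the mapped IPv4 VIP and port is appended. Addresses are normalized first so that 2002:0:0:0:0:0:0:9 (as the configuration utility shows it) and 2002::9 (as typed at the command line) hit the same entry; a hostname, an IPv4 literal or an IPv6 address with no mapping is left untouched, because inventing a value would only mislead the IPv4 server. The header name X-NetScaler-VIP and the sample request are constructed for the example; the real header name is whatever you configure on the vserver.

```python
import ipaddress
import re


def normalize_ip6(text):
    """Canonical (compressed) form so "2002:0:0:0:0:0:0:9" and "2002::9" map alike."""
    return ipaddress.IPv6Address(text).compressed


# Equivalent of `set ns ip6 2002::9 -map 200.200.200.200` (values from the guide).
IP6_TO_IP4 = {normalize_ip6("2002::9"): "200.200.200.200"}

# An IPv6 literal in a Host header is bracketed, optionally followed by :port.
HOST_IP6_RE = re.compile(r"^\[(?P<ip6>[0-9A-Fa-f:.]+)\](?::(?P<port>\d{1,5}))?$")


def rewrite_host(host_value, mapping=IP6_TO_IP4):
    """Replace a bracketed IPv6 literal in a Host value with its mapped IPv4 address.
    Hostnames, IPv4 literals and unmapped IPv6 addresses are returned unchanged."""
    value = host_value.strip()
    m = HOST_IP6_RE.match(value)
    if not m:
        return value
    try:
        ip4 = mapping.get(normalize_ip6(m.group("ip6")))
    except ipaddress.AddressValueError:
        return value                      # malformed literal: leave it for the server to reject
    if ip4 is None:
        return value                      # no mapped IP configured for this VIP
    port = m.group("port")
    return ip4 if port is None else "%s:%s" % (ip4, port)


def translate_request(raw, vserver_ip6, vserver_port, mapping=IP6_TO_IP4,
                      insert_vip=False, vip_header="X-NetScaler-VIP"):
    """Apply host-header modification and, optionally, VIP insertion to one HTTP/1.1
    request and return the rewritten request. `vip_header` is a hypothetical header
    name standing in for the name configured on the vserver."""
    head, sep, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    out = [request_line]
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            out.append("Host: " + rewrite_host(value, mapping))
        else:
            out.append(line)
    if insert_vip:
        ip4 = mapping.get(normalize_ip6(vserver_ip6))
        if ip4 is not None:  # without a mapped IPv4 VIP there is nothing an IPv4 server can use
            out.append("%s: %s:%d" % (vip_header, ip4, vserver_port))
    return "\r\n".join(out) + sep + body


def headers_of(request):
    """Inspection helper: lower-cased header name -> value."""
    head = request.partition("\r\n\r\n")[0]
    return {n.strip().lower(): v.strip()
            for n, _, v in (line.partition(":") for line in head.split("\r\n")[1:])}


# Constructed client request as it would arrive at the IPv6 vserver.
SAMPLE_REQUEST = ("GET /index.html HTTP/1.1\r\n"
                  "Host: [2002:0:0:0:0:0:0:9]:80\r\n"
                  "User-Agent: constructed-client/1.0\r\n\r\n")

if __name__ == "__main__":
    print(translate_request(SAMPLE_REQUEST, "2002::9", 80, insert_vip=True))
```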


Chapter 6

CloudBridge 1.1

Topics:

• About the CloudBridge

• Setting Up a CloudBridge - Method 1

• Configuring the CloudBridge - Method 2

• Setting Up CloudBridge to SoftLayer Enterprise Cloud

As a tool for building a cloud-extended data center, the Citrix NetScaler® CloudBridge™ feature is a fundamental part of the Citrix® Cloud framework. This feature can reduce the cost of moving your applications to the cloud, reduce the risk of application failure, and increase network efficiency in your cloud environment.

With the CloudBridge feature, you can create a network bridge (or more than one) connecting one or more cloud computing instances—virtual servers in the cloud—to your network without reconfiguring your network. Cloud-hosted applications appear as though they are running on one contiguous enterprise network.

Setting up a network bridge involves configuring two NetScaler appliances or virtual appliances, one on each side of the bridge. On each appliance, you configure one or more GRE tunnels and configure IPSec on the tunnel or tunnels. You then assign a name to the network bridge and bind the GRE tunnel(s) to it. Optionally, you can bind VLANs and IP addresses to the network bridge.

If you need only one GRE tunnel, you can use an alternative configuration method in which you configure all of the network bridge elements in one dialog box in the configuration utility. You can add more tunnels later.


About the CloudBridge

A network bridge extends layer 2 bridging to connect a NetScaler appliance or virtual appliance residing in a cloud to a NetScaler appliance or virtual appliance on your LAN. The connection is made through an IP tunnel that uses the Generic Routing Encapsulation (GRE) protocol. The GRE protocol provides a mechanism for encapsulating packets, from a wide variety of network protocols, to be forwarded over another protocol. GRE is used to:

• Connect networks running non-IP, nonroutable protocols, such as AppleTalk, Novell IPX, and NetBIOS.

• Bridge across a wide area network (WAN).

• Create a transport tunnel for any type of traffic that needs to be sent unchanged across a different network.

The GRE protocol encapsulates packets by adding a GRE header and a GRE IP header to the packets.

CloudBridge supports the use of the open-standard Internet Protocol security (IPSec) protocol suite to secure the communication between peers in the CloudBridge.

In a CloudBridge, IPSec ensures:

• Data integrity

• Data origin authentication

• Data confidentiality (encryption)

• Protection against replay attacks

IPSec uses transport mode, in which only the payload of the GRE-encapsulated packet is encrypted. The encryption is done by the Encapsulating Security Payload (ESP) protocol. The ESP protocol ensures the integrity of the packet using an HMAC hash function and the confidentiality using an encryption algorithm. After encrypting the payload and calculating the HMAC, an ESP header is generated and inserted after the GRE IP header, and an ESP trailer is inserted at the end of the encrypted payload. An Authentication Header (AH) is also added before the ESP header for data origin authentication of the packet.

CloudBridge also supports the NAT traversal implementation defined in RFC 3947 and RFC 3948, so that CloudBridge peers can communicate with peers behind a NAT device.

To secure their communication, the two peers in the network bridge use the Internet Key Exchange (IKE) protocol in IPSec to:

• Mutually authenticate with each other, using one of the following authentication methods:

  • Pre-shared key authentication. A text string called a pre-shared key is manually configured on each peer. The pre-shared keys of the peers are matched against each other for authentication. Therefore, for the authentication to be successful, you must configure the same pre-shared key on each of the peers.


  • Digital certificate authentication. The initiator (sender) peer signs message interchange data by using its private key, and the receiver peer uses the sender's public key to verify the signature. Typically, the public key is exchanged in messages containing an X.509v3 certificate. This certificate provides a level of assurance that a peer's identity as represented in the certificate is associated with a particular public key.

• Negotiate to reach agreement on:

  • A security protocol to use, so that each peer sends data in a format that the other recognizes.

  • An encryption algorithm.

  • Cryptographic keys for encrypting data in one peer and decrypting the data in the other.

This agreement upon the security protocol, encryption algorithm, and cryptographic keys is called a Security Association (SA). SAs are one way (simplex). For example, when two NetScaler appliances, NS1 and NS2, are communicating by means of IPSec over a CloudBridge, NS1 has two Security Associations. One SA is used for processing outbound packets, and the other SA is used for processing inbound packets.

SAs expire after a specified length of time, which is called the lifetime. The two peers use the Internet Key Exchange (IKE) protocol (part of the IPSec protocol suite) to negotiate new cryptographic keys and establish new SAs. The purpose of the limited lifetime is to prevent attackers from cracking a key.
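To make the mechanics described in this section concrete, here is an added example in Python (not NetScaler code, and not how the appliance is implemented) that models one direction of the CloudBridge data path: a bridged Ethernet frame is wrapped in a basic GRE header, an ESP-style header (SPI and sequence number) plus an HMAC integrity check value is added under one simplex SA, the receiver enforces an RFC 4303-style sliding anti-replay window, and the SA reports when its lifetime has elapsed so that IKE would have to establish a fresh one. Encryption is deliberately omitted so the block runs on the standard library alone; the key, SPI, window size, sequence of deliveries and frame bytes are constructed for the demonstration. The GRE protocol type 0x6558 is the registered value for transparent Ethernet bridging.

```python
import hashlib
import hmac
import struct
import time

# GRE protocol type for a bridged Ethernet frame (transparent Ethernet bridging).
GRE_PROTO_TRANSPARENT_ETHERNET = 0x6558
ICV_LEN = 16  # HMAC-SHA256 truncated to 128 bits


def gre_encapsulate(frame):
    """Prepend a minimal 4-byte GRE header: no C/K/S flags, version 0, protocol type."""
    return struct.pack("!HH", 0x0000, GRE_PROTO_TRANSPARENT_ETHERNET) + frame


class SecurityAssociation:
    """One simplex SA: SPI, integrity key, send counter, anti-replay window, lifetime."""

    def __init__(self, spi, key, lifetime=28800, window=64, established_at=None):
        self.spi, self.key, self.lifetime, self.window = spi, key, lifetime, window
        self.established_at = time.time() if established_at is None else established_at
        self.send_seq = 0   # last sequence number sent
        self.last_seq = 0   # highest sequence number accepted (right edge of the window)
        self.bitmap = 0     # bit i set <=> sequence number last_seq - i already accepted

    def expired(self, now=None):
        """True once the lifetime has elapsed; IKE would then negotiate a fresh SA."""
        now = time.time() if now is None else now
        return now - self.established_at >= self.lifetime

    def protect(self, payload):
        """Outbound: ESP-style header (SPI, sequence) + payload + ICV. Encryption omitted."""
        self.send_seq += 1
        header = struct.pack("!II", self.spi, self.send_seq)
        icv = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
        return header + payload + icv

    def _replay_ok(self, seq):
        """RFC 4303-style sliding window check (does not modify state)."""
        if seq == 0:
            return False
        if seq > self.last_seq:
            return True                       # to the right of the window: new
        diff = self.last_seq - seq
        if diff >= self.window:
            return False                      # fell off the left edge: too old
        return not (self.bitmap >> diff) & 1  # inside the window: seen before?

    def _replay_update(self, seq):
        """Advance or mark the window; called only after the ICV verified."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.window else 1
            self.bitmap &= (1 << self.window) - 1
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)

    def unprotect(self, packet):
        """Inbound: returns (payload, None) on success or (None, reason) on rejection."""
        if len(packet) < 8 + ICV_LEN:
            return None, "truncated"
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return None, "unknown SPI"
        if not self._replay_ok(seq):
            return None, "replay"             # cheap check first, as RFC 4303 orders it
        body, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, packet[:8] + body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None, "bad ICV"            # forged or corrupted: window must not advance
        self._replay_update(seq)
        return body, None


def demo():
    """Constructed traffic: in-order, out-of-order, replayed, stale and tampered packets."""
    key = b"constructed-demo-key-not-for-real-use"
    tx = SecurityAssociation(spi=0x1001, key=key, window=8, established_at=0)
    rx = SecurityAssociation(spi=0x1001, key=key, window=8, established_at=0)
    frame = bytes.fromhex("ffffffffffff 001122334455 0800") + b"constructed payload"
    packets = [tx.protect(gre_encapsulate(frame)) for _ in range(12)]  # seq 1..12
    outcomes = []
    for idx in (0, 1, 2, 9, 2, 1, 4, 4):  # delivered as seq 1, 2, 3, 10, 3, 2, 5, 5
        outcomes.append(rx.unprotect(packets[idx])[1])
    tampered = bytearray(packets[10])       # seq 11
    tampered[12] ^= 0x01                    # flip one bit inside the bridged frame
    outcomes.append(rx.unprotect(bytes(tampered))[1])
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Walking through demo(): sequence numbers 1, 2, 3 and 10 are accepted, the second delivery of 3 is a replay, 2 has fallen out of the 8-wide window, 5 arrives late but unseen and is accepted, its second copy is rejected, and the tampered packet fails the ICV without moving the window. Two SecurityAssociation objects are needed even in this one-directional demo because, as the text says, SAs are simplex: the sender's counter and the receiver's window are separate state.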

Figure 6-1. Conceptual Diagram: NetScaler CloudBridge


Setting Up a CloudBridge - Method 1

Before setting up a CloudBridge, you must configure the NetScaler appliance or VPX virtual appliance on the LAN and the appliance or virtual appliance on the cloud.

To configure a new NetScaler appliance, see the Citrix NetScaler Getting Started Guide. For a link to the guide, see the Documentation Library. To configure a new virtual appliance, see the Citrix NetScaler VPX Getting Started Guide. For a link to the guide, see the Documentation Library.

You must then configure networking on both appliances. Each of the two configurations may include a VLAN that contains the servers or the cloud instances that will use the CloudBridge. To configure VLANs, see Configure a VLAN.

To set up a CloudBridge, on the NetScaler appliance or virtual appliance that anchors the LAN side of the CloudBridge:

1. Configure IPSec on the GRE tunnel.

2. Configure a GRE tunnel.

3. Configure a CloudBridge:

• Create a logical representation of the CloudBridge by specifying a name.

• Bind one or more GRE tunnels to the CloudBridge.

• Bind VLANs and IP addresses to the CloudBridge (optional).

You then repeat these steps on the NetScaler appliance or virtual appliance that anchors the cloud side of the CloudBridge.

You can perform these tasks individually (Method 1), or you can configure everything in one dialog box in the configuration utility (Method 2). For more information, see Setting Up a CloudBridge - Method 2.

Configuring IPSec on a GRE tunnel

For configuring IPSec on a GRE tunnel:

• The IPSec profile parameter (ipsecprofile) must be set on the GRE tunnel.

• You need to specify the same local IP address and remote IP address that you specified for the GRE tunnel.

To configure IPSec on a GRE tunnel by using the NetScaler command line

At the NetScaler command prompt, type:

add ipsec profile <name> [-encAlgo ( AES | 3DES ) ...] [-hashAlgo <hashAlgo> ...] [-lifetime <positive_integer>] (-psk |(-publickey <string> -privatekey <string> -peerPublicKey <string>))


To remove an IPSec config by using the NetScaler command line

To remove an IPSec config, type the rm ipsec profile command and the name of the IPSec config.

Parameters for configuring IPSec on a GRE tunnel

name

Name for an IPSec configuration. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 127 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols.

encAlgo

The encryption algorithm to be used in the IPSec configuration for a CloudBridge. Possible values: AES, 3DES.

hashAlgo

The hash (HMAC) algorithm to be used in the IPSec configuration for a CloudBridge. Possible values: HMAC_SHA1, HMAC_SHA256, HMAC_MD5. Default: HMAC_SHA1.

lifetime

Time, in seconds, after which the security association expires. After expiration, new SAs are established, and new cryptographic keys are negotiated between the peers connected by the CloudBridge. Maximum value: 31536000. Default: 28800.

psk

A text string, called the pre-shared key, to be manually configured on each peer. The pre-shared keys of the peers are matched against each other for authentication before security associations are established. Therefore, for the authentication to be successful, you must configure the same pre-shared key on both of the peers of the CloudBridge. Maximum length: 63 characters.

livenessCheckInterval

Time, in seconds, after which a notify payload is sent to check the status of the peer (UP or DOWN). Additional payloads are sent as per the retransmit interval setting. A zero value disables liveness checks.

retransmissiontime

Time, in seconds, after which an IKE retry message is sent to a peer. The retry message is sent three times, doubling the time interval after every failure.

publickey

A local digital certificate to be used to authenticate the local NetScaler appliance to the remote peer before establishing IPSec security associations. The same certificate should be present and set for the Peer Public Key parameter on the remote peer.

privatekey

The private key of the local digital certificate.


peerPublicKey

A digital certificate of the remote peer. This certificate is used to authenticate the remote peer to the local peer before establishing IPSec security associations. The same certificate should be present and set for the Public Key parameter on the remote peer.

To configure IPSec on a GRE tunnel by using the configuration utility

1. In the navigation pane, expand CloudBridge, expand Advanced, and then click IPSec Profile.

2. In the details pane, click Add.

3. In the Create IPSec Profile dialog box, type or select values for the following parameters, which correspond to the parameters described in "Parameters for configuring IPSec on a GRE tunnel" as shown:

• Name*—name

• Encryption Algorithm—encAlgo

• Hash Algorithm—hashAlgo

• Lifetime—lifetime

• Liveness Check Interval—livenessCheckInterval

• Retransmit Interval—retransmissiontime

• Pre-Shared key Exists—psk

• Public Key—publickey

• Private Key—privatekey

• Peer Public Key—peerPublicKey

* A required parameter.

4. Click Create, and then click Close.
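The parameter descriptions above give enough constraints to check an IPSec profile before it is committed. The following Python code is an added example, not NetScaler code: it validates the name rule, the encAlgo and hashAlgo value sets, the lifetime range, the pre-shared key length and the either-psk-or-certificates requirement exactly as documented, and separately warns about choices the guide accepts but a reviewer would question (3DES, HMAC_MD5, a short pre-shared key); those warnings and the 20-character minimum are the example's own policy, not NetScaler limits. build_command renders the add ipsec profile line only when there are no errors; rendering a multi-valued -encAlgo or -hashAlgo as space-separated values is an assumption about the CLI syntax.

```python
import re

# Name rule from the guide: first character a letter, digit or underscore; 1-127 characters
# drawn from letters, digits, hyphen, period, pound, space, at, equals, colon, underscore.
NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_\-.# @=:]{0,126}$")
ENC_ALGOS = {"AES", "3DES"}
HASH_ALGOS = {"HMAC_SHA1", "HMAC_SHA256", "HMAC_MD5"}
MAX_LIFETIME = 31536000
DEFAULT_LIFETIME = 28800
MAX_PSK_LEN = 63
MIN_PSK_LEN = 20          # reviewer's assumption, not a NetScaler limit

# Values the guide accepts but a reviewer would question (policy assumption, not a page rule).
WEAK = {
    "3DES": "3DES is a legacy 64-bit block cipher; prefer AES",
    "HMAC_MD5": "HMAC_MD5 is deprecated; prefer HMAC_SHA256",
}


def validate_ipsec_profile(name, encAlgo=("AES",), hashAlgo=("HMAC_SHA1",),
                           lifetime=DEFAULT_LIFETIME, psk=None,
                           publickey=None, privatekey=None, peerPublicKey=None):
    """Return (errors, warnings). Errors mean the command would be rejected or is
    inconsistent; warnings are legal choices worth revisiting."""
    errors, warnings = [], []
    if not NAME_RE.match(name):
        errors.append("name: must be 1-127 characters and start with a letter, digit or '_'")
    for algo in encAlgo:
        if algo not in ENC_ALGOS:
            errors.append("encAlgo: %r is not one of %s" % (algo, sorted(ENC_ALGOS)))
        elif algo in WEAK:
            warnings.append("encAlgo: " + WEAK[algo])
    for algo in hashAlgo:
        if algo not in HASH_ALGOS:
            errors.append("hashAlgo: %r is not one of %s" % (algo, sorted(HASH_ALGOS)))
        elif algo in WEAK:
            warnings.append("hashAlgo: " + WEAK[algo])
    if not isinstance(lifetime, int) or not 1 <= lifetime <= MAX_LIFETIME:
        errors.append("lifetime: must be an integer from 1 to %d seconds" % MAX_LIFETIME)
    cert_params = (publickey, privatekey, peerPublicKey)
    if psk is not None:
        if any(cert_params):
            errors.append("auth: -psk and the certificate parameters are mutually exclusive")
        if len(psk) > MAX_PSK_LEN:
            errors.append("psk: longer than %d characters" % MAX_PSK_LEN)
        elif len(psk) < MIN_PSK_LEN:
            warnings.append("psk: shorter than %d characters; use a long random string" % MIN_PSK_LEN)
    elif not all(cert_params):
        errors.append("auth: specify -psk, or all of -publickey, -privatekey and -peerPublicKey")
    return errors, warnings


def build_command(name, encAlgo=("AES",), hashAlgo=("HMAC_SHA1",), lifetime=DEFAULT_LIFETIME,
                  psk=None, publickey=None, privatekey=None, peerPublicKey=None):
    """Render the `add ipsec profile` line; refuses when validation reports errors."""
    errors, _ = validate_ipsec_profile(name, encAlgo, hashAlgo, lifetime,
                                       psk, publickey, privatekey, peerPublicKey)
    if errors:
        raise ValueError("; ".join(errors))
    parts = ["add ipsec profile", name, "-encAlgo", " ".join(encAlgo),
             "-hashAlgo", " ".join(hashAlgo), "-lifetime", str(lifetime)]
    if psk is not None:
        parts += ["-psk", psk]
    else:
        parts += ["-publickey", publickey, "-privatekey", privatekey,
                  "-peerPublicKey", peerPublicKey]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed profiles: one sound, one using the weaker documented options.
    print(validate_ipsec_profile("cb_profile", ("AES",), ("HMAC_SHA256",), psk="x" * 32))
    print(validate_ipsec_profile("cb_weak", ("3DES",), ("HMAC_MD5",), psk="short"))
    print(build_command("cb_profile", ("AES",), ("HMAC_SHA256",), psk="x" * 32))
```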

Creating IP Tunnels

To create an IP tunnel by using the NetScaler command line

At the NetScaler command prompt, type:

• add iptunnel <name> <remoteIp> <remoteSubnetMask> <localIp> -type -protocol (ipoverip | GRE) -ipsecprofile <name>

• show iptunnel


To remove an IP t​unnel by using the NetScaler command line

To remove an IP tunnel, type the rm iptunnel command and the name of the tunnel.

Parameters for creating an IP tunnel

name

Name of the IP tunnel. This alphanumeric string is required and cannot be changed after the tunnel is created. The name must not exceed 127 characters, and the leading character must be a number or letter. The following characters are also allowed: @ _ - . (period) : (colon) # and space ( ).

remoteIp

A public IPv4 address of the remote NetScaler appliance used to set up the tunnel.

remoteSubnetMask

Subnet mask of the remote IP address of the tunnel.

localIp

A public IPv4 address of the local NetScaler appliance used to set up the tunnel. Possible values: Auto, MIP, SNIP, and VIP. Default: Auto.

protocol

The protocol to be used in setting up the IP tunnel. Select GRE to use the Generic Routing Encapsulation (GRE) protocol to set up a GRE tunnel.

ipsecProfileName

Name of the IPSec profile that is used for securing communication in the GRE tunnel.

To create an IP tunnel by using the configuration utility

1. In the navigation pane, expand Network, and click IP Tunnels.

2. In the details pane, click Add.

3. In the Add IP Tunnel dialog box, specify values for the following parameters:

• Name*—name

• Remote IP*—remoteIp

• Remote Mask*—remoteSubnetMask

• Local IP Type*—localIp (In the Local IP Type drop-down list, select one of the IP types (Mapped IP, Subnet IP, or Virtual IP). All the configured IPs of the selected IP type are populated in the Local IP drop-down list. Select the desired IP from the list.)

• Protocol—protocol, and ipsecProfileName in the corresponding field when you select GRE as the protocol.

*A required parameter.

4. Click Create, and then click Close.


To create an IPv6 tunnel by using the NetScaler commandlineAt the NetScaler command prompt type:

w add ip6tunnel <name> <remoteIp> <local>

w show ip6tunnel

To remove an IPv6 tunnel by using the NetScaler commandlineTo remove an IPv6 tunnel, type the rm ip6tunnel command and the name of thetunnel.

Parameters for creating an IPv6 tunnelname (Name)

A name for the IPv6 Tunnel. This alphanumeric string is required and cannot bechanged after the service group is created. The name must not exceed 127characters, and the leading character must be a number or letter. The followingcharacters are also allowed: @ _ - . (period) : (colon) # and space ( ).

remoteIp (Remote IP)An IPv6 address of the remote NetScaler appliance used to set up the tunnel.

localIp (Local IP Type)An IPv6 address of the local NetScaler appliance used to set up the tunnel. Possiblevalues: SNIP6 and VIP6. Default: Auto.

To create an IPv6 Tunnel by using the configuration utility

1. In the navigation pane, expand Network, and click IP Tunnels.

2. On the IPv6 Tunnels tab, click Add.

3. In the Create IPv6 Tunnel dialog box, set the following parameters:

• Name*

• Remote IP*

• Local IP Type* (In the Local IP Type drop-down list, select one of the IP types (SNIP6 or VIP6). All the configured IPv6 addresses of the selected type are populated in the Local IP drop-down list. Select the desired IP from the list.)

*A required parameter.

4. Click Create, and then click Close.

Configuring a CloudBridge

You can think of the CloudBridge as a group that holds a set of secure GRE tunnels. After configuring GRE tunnels secured with IPSec, you need to create a logical representation of the CloudBridge by assigning a name to a CloudBridge and binding one or more configured GRE tunnels to the CloudBridge. You can then bind VLANs and IP subnets to the new CloudBridge. The VLAN and IP subnet settings are common to all the GRE tunnels bound to the CloudBridge.

To create a CloudBridge by using the NetScaler command line

At the NetScaler command prompt, type:

add netbridge <name>

To bind GRE tunnels, VLANs, and IP Subnets to a CloudBridge by using the NetScaler command line

At the NetScaler command prompt, type:

bind netbridge <name> [-tunnel <name>] [-vlan <id>] [-IPAddress <ip_addr|ipv6_addr>]

To modify or remove a CloudBridge by using the NetScaler command line

w To modify a CloudBridge, type the set netbridge command, the name of the CloudBridge, and the parameters to be changed, with their new values.

w To remove a CloudBridge, type the rm netbridge command and the name of the CloudBridge.

Parameters for configuring a CloudBridge

name

The name of the CloudBridge that you are configuring. The name can begin with a letter, number, or the underscore symbol, and can consist of one to 127 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols. You should choose a name that makes it easy for others to tell which NetScaler appliances the CloudBridge connects.

tunnel

The name of the GRE tunnel to be associated with the CloudBridge.

VLAN

The ID of the local VLAN that needs to be extended to the cloud.

IPAddress

The IPv4 subnet that needs to be extended to the cloud.

To configure a CloudBridge by using the configuration utility

1. In the navigation pane, expand CloudBridge, and then click Network Bridge.

2. In the details pane, do one of the following:


• To create a new CloudBridge, click Add.

• To modify an existing CloudBridge, select the CloudBridge, and then click Open.

3. In the Create Network Bridge dialog box, type a name for your new CloudBridge.

4. In the Create Network Bridge or Configure Network Bridge dialog box, on the Tunnels tab (selected by default), do one of the following to bind GRE tunnels to the CloudBridge:

• If the GRE tunnels that you want are listed, select the corresponding check boxes.

• If you want to bind all the GRE tunnels listed, click Activate All.

• If you want to create a new GRE tunnel, click Add.

5. In the Create Network Bridge or Configure Network Bridge dialog box, on the VLANs tab, do one of the following to bind VLANs to the CloudBridge:

• If the VLANS that you want are listed, select the corresponding check boxes.

• If you want to bind all the VLANs listed, click Activate All.

• If you want to create a new VLAN, click Add.

6. On the IP Subnets tab, do the following to bind IP subnets to the CloudBridge:

• If you want to bind a new IP subnet, click Add.

• If you want to modify an existing IP subnet, click Open.

7. Click Create, and then click Close.

Configuring the CloudBridge—Method 2

To configure a network bridge, perform the following steps on each of the appliances that is to be a peer on the network bridge.

1. Configure a GRE tunnel.

2. Configure IPSec on the GRE tunnel.

3. Create a logical representation of the network bridge by specifying a name.

4. Bind one or more GRE Tunnels to the network bridge.

5. Bind VLANs and IP addresses to the network bridge (optional).

The configuration utility provides a single dialog box in which you can perform all of these tasks to configure a CloudBridge.

When you use this dialog box:

w A GRE tunnel, IPSec, and network bridge entities are created, all with the same name.

w The GRE tunnel created is configured with IPSec.

By using this method, you can configure a network bridge with only one GRE tunnel. You can later modify the network bridge to bind more GRE tunnels to it.

Parameters for configuring a network bridge

name

The name of the CloudBridge that you are configuring. The name can begin with a letter, number, or the underscore symbol, and can consist of one to 127 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols. You should choose a name that makes it easy for others to know which NetScaler appliances the CloudBridge connects.

Local IP

A public IPv4 address of the local NetScaler appliance or VPX virtual appliance. This address is used to set up a GRE tunnel, with IPSec configuration, to a public IPv4 address of the remote peer NetScaler appliance or virtual appliance.

Remote IP

A public IPv4 address of the remote peer NetScaler appliance or virtual appliance. This is the address used at the remote peer to set up the GRE tunnel, with IPSec configuration, with the local peer.

Pre-Shared key

A text string, called the pre-shared key, to be manually configured on each peer. The pre-shared keys of the peers are matched against each other for authentication before security associations are established. Therefore, for the authentication to be successful, you must configure the same pre-shared key on both of the peers of the CloudBridge. Maximum Length: 63 characters.

Public key

A local digital certificate to be used to authenticate the local NetScaler appliance to the remote peer before establishing IPSec security associations. The same certificate should be present and set for the Peer Public Key parameter in the remote peer.

Private Key

The private key of the local digital certificate.

Peer Public Key

A digital certificate of the remote peer. This certificate is used to authenticate the remote peer to the local peer before establishing IPSec security associations. The same certificate should be present and set for the Public key parameter in the remote peer.

To configure a CloudBridge by using the configuration utility

1. In the navigation pane, click CloudBridge.


2. In the details pane, under Getting Started, click Configure CloudBridge.

3. In the Configure CloudBridge dialog box, specify values for the following parameters, which are described in "Parameters for configuring a CloudBridge":

• Name*

• Local IP*

• Remote IP*

* A required parameter.

4. Do one of the following to select an IPSec authentication method between the peers for establishing IPSec security associations:

• For the pre-shared key authentication method, select Pre-shared Key and specify values for the following parameters, which are described in "Parameters for configuring a CloudBridge":

w Pre-Shared key

w Confirm Key

* A required parameter.

• For the digital certificate authentication method, select Certificate and specify values for the following parameters, which are described in "Parameters for configuring a CloudBridge":

w Public Key

w Private Key

w Peer Public Key

* A required parameter.

5. Click Create, and then click Close.

Setting Up CloudBridge to SoftLayer Enterprise Cloud

The configuration utility includes a wizard that helps you to easily configure a CloudBridge between a NetScaler appliance on any network and NetScaler VPX instances on the SoftLayer enterprise cloud.

Using the wizard, you can perform the following steps to configure a CloudBridge to a NetScaler VPX instance on the SoftLayer enterprise cloud.

1. Connect to the SoftLayer enterprise cloud by providing the user log on credentials.

2. Select the Citrix XenServer that is running the NetScaler VPX appliance.

3. Select the NetScaler VPX appliance.


4. Provide CloudBridge parameters to:

• Configure a GRE Tunnel.

• Configure IPSec on the GRE tunnel.

• Create a logical representation of the CloudBridge by specifying a name.

• Bind the GRE Tunnel to the CloudBridge.

When you use this wizard, a GRE tunnel, IPSec, and CloudBridge entities are created on both of the peers.

To configure a CloudBridge by using the configuration utility

1. In the navigation pane, click CloudBridge.

2. In the details pane, click SOFTLAYER.

3. In the Setup CloudBridge on SoftLayer wizard, click Next, and then follow the instructions in the wizard.


Chapter 7

High Availability

Topics:

• Considerations for a High Availability Setup

• Configuring High Availability

• Configuring the Communication Intervals

• Configuring Synchronization

• Synchronizing Configuration Files in a High Availability Setup

• Configuring Command Propagation

• Configuring Fail-Safe Mode

• Configuring Virtual MAC Addresses

• Configuring High Availability Nodes in Different Subnets

• Configuring Route Monitors

• Configuring FIS

• Understanding the Causes of Failover

• Forcing a Node to Fail Over

• Forcing the Secondary Node to Stay Secondary

• Forcing the Primary Node to Stay Primary

• Understanding the High Availability Health Check Computation

• Troubleshooting High Availability Issues

• High Availability

A high availability (HA) deployment of two Citrix® NetScaler® appliances can provide uninterrupted operation in any transaction. With one appliance configured as the primary node and the other as the secondary node, the primary node accepts connections and manages servers while the secondary node monitors the primary. If, for any reason, the primary node is unable to accept connections, the secondary node takes over.

The secondary node monitors the primary by sending periodic messages (often called heartbeat messages or health checks) to determine whether the primary node is accepting connections. If a health check fails, the secondary node retries the connection for a specified period, after which it determines that the primary node is not functioning normally. The secondary node then takes over for the primary (a process called failover).

After a failover, all clients must reestablish their connections to the managed servers, but the session persistence rules are maintained as they were before the failover.

With Web server logging persistence enabled, no log data is lost due to the failover. For logging persistence to be enabled, the log server configuration must carry entries for both systems in the log.conf file.

The following figure shows a network configuration with an HA pair.

Figure 7-1. NetScaler Appliances in a High Availability Configuration

To configure HA, you might want to begin by creating a basic setup, with both nodes in the same subnet. You can then customize the intervals at which the nodes communicate health-check information, the process by which nodes maintain synchronization, and the propagation of commands from the primary to the secondary. You can configure fail-safe mode to prevent a situation in which neither node is primary. If your environment includes devices that do not accept NetScaler gratuitous ARP messages, you should configure virtual MAC addresses. When you are ready for a more complex configuration, you can configure HA nodes in different subnets.

To improve the reliability of your HA setup, you can configure route monitors and create redundant links. In some situations, such as when troubleshooting or performing maintenance tasks, you might want to force a node to fail over (assign primary status to the other node), or you might want to force the secondary node to stay secondary or the primary node to stay primary.


Considerations for a High Availability Setup

Note the following requirements for configuring systems in an HA setup:

w In an HA configuration, the primary and secondary NetScaler appliances should be of the same model. Different NetScaler models are not supported in an HA pair (for example, you cannot configure a 10010 model and a 7000 model as an HA pair).

w In an HA setup, both nodes must run the same version of NetScaler, for example, nCore/nCore or classic/classic. If the nodes are running NetScaler classic and you want to migrate to NetScaler nCore of the same NetScaler release, prop and sync are not supported during the migration process. Once migration is complete, prop and sync are auto-enabled. The same applies if you migrate from NetScaler nCore to NetScaler classic.

w Entries in the configuration file (ns.conf) on both the primary and the secondary system must match, with the following exceptions:

• The primary and the secondary systems must each be configured with their own unique NetScaler IP addresses (NSIPs).

• In an HA pair, the node ID and associated IP address of one node must point to the other node. For example, if you have nodes NS1 and NS2, you must configure NS1 with a unique node ID and the IP address of NS2, and you must configure NS2 with a unique node ID and the IP address of NS1.

w If you create a configuration file on either node by using a method that does not go directly through the GUI or the CLI (for example, importing SSL certificates, or changes to startup scripts), you must copy the configuration file to the other node or create an identical file on that node.

w Initially, all NetScaler appliances are configured with the same RPC node password. RPC nodes are internal system entities used for system-to-system communication of configuration and session information. For security, you should change the default RPC node passwords.

One RPC node exists on each NetScaler. This node stores the password, which is checked against the password provided by the contacting system. To communicate with other systems, each NetScaler requires knowledge of those systems, including how to authenticate on those systems. RPC nodes maintain this information, which includes the IP addresses of the other systems, and the passwords they require for authentication.

RPC nodes are implicitly created when adding a node or adding a Global Server Load Balancing (GSLB) site. You cannot create or delete RPC nodes manually.

Note: If the NetScaler appliances in a high availability setup are configured in one-arm mode, you must disable all system interfaces except the one connected to the switch or hub.

w For an IPv6 HA configuration, the following considerations apply:


• You must install the IPv6PT license on both NetScaler appliances.

• After installing the IPv6PT license, enable the IPv6 feature by using the configuration utility or the NetScaler command line.

• Both NetScaler appliances require a global NSIP IPv6 address. In addition, network entities (for example, switches and routers) between the two nodes must support IPv6.

Configuring High Availability

To set up a high availability configuration, you create two nodes, each of which defines the other's NetScaler IP (NSIP) address as a remote node. Begin by logging on to one of the two NetScaler appliances that you want to configure for high availability, and add a node. Specify the other appliance's NetScaler IP (NSIP) address as the address of the new node. Then, log on to the other appliance and add a node that has the NSIP address of the first appliance. An algorithm determines which node becomes primary and which becomes secondary.

Note: The configuration utility provides an option that avoids having to log on to the second appliance.

The following figure shows a simple HA setup, in which both nodes are in same subnet.


Figure 7-2. Two NetScaler Appliances Connected in a High Availability Configuration

Adding a Remote Node

To add a remote NetScaler appliance as a node in a high availability setup, you specify a unique node ID and the appliance's NSIP. The maximum number of node IDs in an HA setup is 64. When you add an HA node, you must disable the HA monitor for each interface that is not connected or not being used for traffic. For CLI users, this is a separate procedure.

Note: To ensure that each node in the high availability configuration has the same settings, you should synchronize your SSL certificates, startup scripts, and other configuration files with those on the primary node.

To add a node by using the NetScaler command line

At the NetScaler command prompt, type:

w add ha node <id> <IPAddress>


w sh ha node

Example

> add ha node 3 1000:0000:0000:0000:0005:0600:700a:888b
> sh ha node

To disable an HA monitor by using the NetScaler command line

At the NetScaler command prompt, type:

w set interface <ifNum> [-haMonitor ( ON | OFF )]

w show interface <ifNum>

Example

> set interface 1/3 -haMonitor OFF
 Done
> show interface 1/3
 Interface 1/3 (Fast Ethernet 10/100 MBits) #5
 flags=0x4000 [ENABLED, DOWN, down, autoneg, 802.1q]
 MTU=1514, native vlan=5, MAC=00:d0:68:0b:58:dc, downtime 332h55m50s
 Requested: media AUTO, speed AUTO, duplex AUTO, fctl ON, throughput 0
 RX: Pkts(0) Bytes(0) Errs(0) Drops(0) Stalls(0)
 TX: Pkts(0) Bytes(0) Errs(0) Drops(0) Stalls(0)
 NIC: InDisc(0) OutDisc(0) Fctls(0) Stalls(0) Hangs(0) Muted(0)
 Bandwidth thresholds are not set.
 Done

Parameters for adding a remote node

node id

Unique number that identifies the node to be added. Possible values: 1 to 64.

IPAddress

IPv4 or IPv6 address of the node to be added.

id

Interface number, in slot/port notation.


haMonitor

Monitor the specified interface for failing events. Possible values: ON, OFF. Default: ON.
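Added example, not part of this guide or of NetScaler: a small Python parser for show interface output that lists the interfaces whose flags show DOWN while the HA monitor is still on, and emits the set interface <ifNum> -haMonitor OFF command for each of them, so that unused interfaces can be excluded from the health check before the HA node is added. It assumes that an HAMON entry in the flag list marks an interface the HA monitor watches; the sample output is constructed, following the layout of the example above.

```python
import re
from dataclasses import dataclass

# Constructed sample output (not from a real appliance), laid out like the
# "show interface" example in this chapter. Interface 1/3 already has the HA
# monitor off; 1/4 is down but still monitored.
SAMPLE_SHOW_INTERFACE = """\
> show interface
 Interface 0/1 (Gig Ethernet 10/100/1000 MBits) #0
 flags=0xc020 [ENABLED, UP, UP, autoneg, HAMON, 802.1q]
 MTU=1500, native vlan=1, MAC=00:d0:68:0b:58:d8, uptime 332h55m50s
 Interface 1/3 (Fast Ethernet 10/100 MBits) #5
 flags=0x4000 [ENABLED, DOWN, down, autoneg, 802.1q]
 MTU=1514, native vlan=5, MAC=00:d0:68:0b:58:dc, downtime 332h55m50s
 Interface 1/4 (Fast Ethernet 10/100 MBits) #6
 flags=0x4000 [DISABLED, DOWN, down, autoneg, HAMON, 802.1q]
 MTU=1514, native vlan=5, MAC=00:d0:68:0b:58:dd, downtime 10h01m02s
 Done
"""

IFACE_RE = re.compile(r"^\s*Interface (\S+) \(.*?\) #\d+\s*$")
FLAGS_RE = re.compile(r"^\s*flags=0x[0-9a-fA-F]+ \[(.*)\]\s*$")


@dataclass
class Interface:
    name: str          # slot/port notation, e.g. "1/3"
    flags: tuple       # flag tokens as printed inside [...]

    @property
    def is_down(self) -> bool:
        # The upper-case DOWN token is the link state; "down" (lower case) is
        # the second state token that follows it in the same list.
        return "DOWN" in self.flags

    @property
    def ha_monitored(self) -> bool:
        # Assumption for this example: HAMON marks interfaces the HA monitor watches.
        return "HAMON" in self.flags


def parse_show_interface(text: str):
    """Parse 'show interface' output into Interface records (name + flags)."""
    interfaces, current = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = FLAGS_RE.match(line)
        if m and current is not None:
            flags = tuple(tok.strip() for tok in m.group(1).split(","))
            interfaces.append(Interface(current, flags))
            current = None
    return interfaces


def hamonitor_off_commands(interfaces):
    """Commands for interfaces that are DOWN but still counted by the HA monitor."""
    return [
        f"set interface {i.name} -haMonitor OFF"
        for i in interfaces
        if i.is_down and i.ha_monitored
    ]


if __name__ == "__main__":
    for cmd in hamonitor_off_commands(parse_show_interface(SAMPLE_SHOW_INTERFACE)):
        print(cmd)
```

Feed the script the captured output of show interface (all interfaces) rather than the constructed sample; it deliberately skips interfaces whose HA monitor is already off, so the generated command list contains only the changes still required.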

To add a remote node by using the configuration utility

1. In the navigation pane, expand System, and then click High Availability.

2. In the details pane, select the Nodes tab, and then click Add.

3. In the High Availability Setup dialog box, in the Remote Node IP Address text box, type the NSIP address of the NetScaler that is to be added as the remote node. If the NSIP is an IPv6 address, select the IPv6 check box before entering the address.

4. If you want to add the local node to the remote node automatically, select the Configure remote system to participate in High Availability setup check box. If you do not select this option, you will have to log in to the appliance represented by the remote node and add the node that you are currently configuring.

5. Make sure that the Turn off HA monitor on interfaces/channels that are down check box is selected.

6. Click OK. The Nodes page displays both of the nodes in your HA configuration (the local node and the remote node).

Disabling or Enabling a Node

You can disable or enable only a secondary node. When you disable a secondary node, it stops sending heartbeat messages to the primary node, and therefore the primary node can no longer check the status of the secondary. When you enable a node, the node takes part in the high availability configuration.

To disable or enable a node by using the NetScaler command line

At the NetScaler command prompt, type one of the following commands:

w set ha node -hastatus DISABLED

w set ha node -hastatus ENABLED

To disable or enable a node by using the configuration utility

1. In the navigation pane, expand System, and then click High Availability.

2. In the details pane, on the Nodes tab, select the local node, and then click Open.

3. In the Configure Node dialog box, under High Availability Status, do one of the following:

• To disable the node, select the DISABLED (Do not participate in HA) check box.

• To enable the node, select ENABLED.

4. Click OK. A message appears in the status bar, stating that the node has been configured successfully.

Removing a Node

If you remove a node, the nodes are no longer in a high availability configuration.

To remove a node by using the NetScaler command line

At the NetScaler command prompt, type:

rm ha node <id>

Example

> rm ha node 2
 Done

To remove a node by using the configuration utility

1. In the navigation pane, expand System, and then click High Availability.

2. On the High Availability page, select the Nodes tab.

3. On the Nodes page, select the node that you want to remove, and click Remove.

4. On the Remove dialog box, click Yes.

Note: You can use the Network Visualizer to view the NetScaler appliances that are configured as a high availability (HA) pair and perform high availability configuration tasks. For more information, see "Using the Network Visualizer".

Configuring the Communication Intervals

The hello interval is the interval at which the heartbeat messages are sent to the peer node. The dead interval is the time interval after which the peer node is marked DOWN if heartbeat packets are not received. The heartbeat messages are UDP packets sent to port 3003 of the other node in an HA pair.

To set the hello and dead intervals by using the NetScaler command line

At the NetScaler command prompt, type:

w set HA node [-helloInterval <msecs>] [-deadInterval <secs>]


w show HA node [<id>]

Parameters for setting the hello and dead intervals

helloInterval

Interval between successive heartbeat messages, in milliseconds. Possible values: 200 to 1000. Default: 200.

deadInterval

Number of seconds after which a node is marked DOWN if there is no response to heartbeat messages. Possible values: 3 to 60. Default: 3.

To set the hello and dead intervals by using the configuration utility

1. In the navigation pane, expand System and click High Availability.

2. In the details pane, on the Nodes tab, select the local node, and then click Open.

3. In the Configure Node dialog box, under Intervals, specify values for the following parameters, which correspond to parameters described in “Parameters for setting the hello and dead intervals” as shown:

• Hello Interval (msecs)—helloInterval

• Dead Interval (secs)—deadInterval

4. Click OK. A message appears in the status bar, stating that the node has been configured successfully.
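The following Python model is an added example, not NetScaler code, of how the hello and dead intervals interact: a peer is marked DOWN only when deadInterval seconds pass with no heartbeat, so with the defaults (200 ms and 3 s) fifteen consecutive heartbeats have to be lost before the peer is declared DOWN, and sporadic loss of individual UDP heartbeats does not trigger a failover. The heartbeat timelines fed to the model are constructed.

```python
HELLO_MS_RANGE = (200, 1000)  # helloInterval limits from this chapter, in ms
DEAD_S_RANGE = (3, 60)        # deadInterval limits from this chapter, in s


def is_valid_interval(hello_ms: int, dead_s: int) -> bool:
    """True when both values lie inside the documented ranges."""
    return (HELLO_MS_RANGE[0] <= hello_ms <= HELLO_MS_RANGE[1]
            and DEAD_S_RANGE[0] <= dead_s <= DEAD_S_RANGE[1])


class PeerMonitor:
    """Tracks heartbeat arrivals from the peer node and reports its state.

    This is a constructed model of the rule in the text, not the appliance's
    implementation: the peer is DOWN once deadInterval elapses with no heartbeat."""

    def __init__(self, hello_ms: int = 200, dead_s: int = 3):
        if not is_valid_interval(hello_ms, dead_s):
            raise ValueError(f"helloInterval {hello_ms} ms / deadInterval {dead_s} s out of range")
        self.hello_ms = hello_ms
        self.dead_ms = dead_s * 1000
        self.last_seen_ms = None

    def missed_heartbeats_before_down(self) -> int:
        """How many consecutive heartbeats must be lost before the peer is marked DOWN."""
        return self.dead_ms // self.hello_ms

    def heartbeat(self, now_ms: int) -> None:
        self.last_seen_ms = now_ms

    def peer_state(self, now_ms: int) -> str:
        if self.last_seen_ms is None:
            return "UNKNOWN"
        return "DOWN" if now_ms - self.last_seen_ms >= self.dead_ms else "UP"


def replay(hello_ms: int, dead_s: int, arrivals_ms, probes_ms):
    """Feed a timeline of heartbeat arrivals and return {probe time: peer state}."""
    mon = PeerMonitor(hello_ms, dead_s)
    # At equal timestamps the heartbeat is applied before the probe ("hb" < "probe").
    events = sorted([(t, "hb") for t in arrivals_ms] + [(t, "probe") for t in probes_ms])
    states = {}
    for t, kind in events:
        if kind == "hb":
            mon.heartbeat(t)
        else:
            states[t] = mon.peer_state(t)
    return states


# Constructed timelines, one heartbeat every 200 ms.
# Lossy link: every third heartbeat is dropped, but no gap reaches 3 s.
LOSSY_ARRIVALS = [t for t in range(0, 4001, 200) if (t // 200) % 3 != 2]
# Peer goes silent after 2 s (last heartbeat at t = 2000 ms).
SILENT_ARRIVALS = list(range(0, 2001, 200))


if __name__ == "__main__":
    print("heartbeats lost before DOWN:", PeerMonitor().missed_heartbeats_before_down())
    print("lossy link at 4.2 s:", replay(200, 3, LOSSY_ARRIVALS, [4200]))
    print("silent peer at 4 s and 5 s:", replay(200, 3, SILENT_ARRIVALS, [4000, 5000]))
```

The model makes the trade-off explicit: raising deadInterval tolerates longer bursts of heartbeat loss on UDP port 3003 at the cost of a slower failover, while lowering it toward 3 s shortens detection time but leaves less room for transient loss on the link between the nodes.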

Configuring Synchronization

Synchronization is a process of duplicating the configuration of the primary node on the secondary node. The purpose of synchronization is to ensure that there is no loss of configuration information between the primary and the secondary nodes, regardless of the number of failovers that occur. Synchronization uses port 3010.

Synchronization is triggered by either of the following circumstances:

w The secondary node in an HA setup comes up after a restart.

w The primary node becomes secondary after a failover.

Automatic synchronization is enabled by default. You can also force synchronization.

Disabling or Enabling Synchronization

Automatic HA synchronization is enabled by default on each node in an HA pair. You can enable or disable it on either node.


To disable or enable automatic synchronization by using the NetScaler command line

At the NetScaler command prompt, type:

w set HA node -haSync DISABLED

w set HA node -haSync ENABLED

To disable or enable synchronization by using the configuration utility

1. In the navigation pane, expand System, and then click High Availability.

2. In the details pane, on the Nodes tab, select the local node, and then click Open.

3. In the Configure Node dialog box, under HA Synchronization, do one of the following:

• To disable HA synchronization, clear the Secondary node will fetch the configuration from Primary check box.

• To enable HA synchronization, select the Secondary node will fetch the configuration from Primary check box.

4. Click OK. A message appears in the status bar, stating that the node has been configured successfully.

Forcing the Secondary Node to Synchronize with the Primary Node

In addition to automatic synchronization, the NetScaler supports forced synchronization. You can force the synchronization from either the primary or the secondary node. When you force synchronization from the secondary node, it starts synchronizing its configuration with the primary node.

However, if synchronization is already in progress, forced synchronization fails and the system displays a warning. Forced synchronization also fails in any of the following circumstances:

w You force synchronization on a standalone system.

w The secondary node is disabled.

w HA synchronization is disabled on the secondary node.

To force synchronization by using the NetScaler command line

At the NetScaler command prompt, type:

force HA sync


To force synchronization by using the configuration utility

1. In the navigation pane, expand System, and then click High Availability.

2. In the details pane, on the Nodes tab, click Force Synchronization.

Synchronizing Configuration Files in a High Availability Setup

In a high availability setup, you can synchronize various configuration files from the primary node to the secondary node.

To perform the synchronization, you can use the NetScaler command line or the configuration utility at either the primary or the secondary node. Files located on the secondary that are specific to the secondary (not present on the primary) are not deleted during the synchronization.

To synchronize files in a high availability setup by using the NetScaler command line

At the NetScaler command prompt, type:

sync HA files <mode>

Example

> sync HA files all
 Done

Parameters for synchronizing files in a high availability setup

Mode

The type of synchronization to be performed. Following are descriptions of the available options. Each description includes, in parentheses, the command-line argument that specifies that option.

w Everything except licenses and rc.conf (all). Synchronizes files related to system configuration, Access Gateway bookmarks, SSL certificates, SSL CRL lists, HTML injection scripts, and Application Firewall XML objects. Synchronization paths:

• /nsconfig/ssl/

• /var/netscaler/ssl/


• /var/vpn/bookmarks/

• /nsconfig/htmlinjection/

• /nsconfig/monitors/

• /nsconfig/nstemplates/

• /nsconfig/rc.netscaler

• /nsconfig/inetd.conf

• /nsconfig/sshd_config

• /nsconfig/hosts

• /nsconfig/snmpd.conf

• /nsconfig/ntp.conf

• /nsconfig/resolv.conf

• /nsconfig/syslog.conf

w Bookmarks (bookmarks). Synchronizes all Access Gateway bookmarks. Synchronization path:

• /var/vpn/bookmark/

w SSL certificates and keys (ssl). Synchronizes all certificates, keys, and CRLs for the SSL feature. Synchronization paths:

• /nsconfig/ssl/

• /var/netscaler/ssl/

w EdgeSight Monitoring (HTML injection) scripts (htmlinjection). Synchronizes all scripts configured for the HTML injection feature. Synchronization path:

• /nsconfig/htmlinjection/

w Imported XML objects (imports). Synchronizes all XML objects (for example, WSDLs, schemas, error pages) configured for the Application Firewall. Synchronization path:

• /var/download/

w Licenses and rc.conf (misc). Synchronizes all license files and the rc.conf file. Synchronization paths:

• /nsconfig/license/

• /nsconfig/rc.conf

w Everything including licenses and rc.conf (all_plus_misc). Synchronizes files related to system configuration, Access Gateway bookmarks, SSL certificates, SSL CRL lists, HTML injection scripts, Application Firewall XML objects, licenses, and the rc.conf file. Synchronization paths:

• /nsconfig/ssl/


• /var/netscaler/ssl/

• /var/vpn/bookmarks/

• /nsconfig/htmlinjection/

• /nsconfig/monitors/

• /nsconfig/nstemplates/

• /nsconfig/rc.netscaler

• /nsconfig/inetd.conf

• /nsconfig/sshd_config

• /nsconfig/hosts

• /nsconfig/snmpd.conf

• /nsconfig/ntp.conf

• /nsconfig/resolv.conf

• /nsconfig/syslog.conf

• /nsconfig/license/

• /nsconfig/rc.conf

To synchronize files in a high availability setup by using the configuration utility

1. In the navigation pane, expand System, and then click Diagnostics.

2. In the details pane, under Utilities, click Start file synchronization.

3. In the Start file synchronization dialog box, in the Mode drop-down list, select the appropriate type of synchronization (for example, Everything except licenses and rc.conf), and then click OK.

Configuring Command Propagation

In an HA setup, any command issued on the primary node propagates automatically to, and is executed on, the secondary before it is executed on the primary. If command propagation fails, or if command execution fails on the secondary, the primary node executes the command and logs an error. Command propagation uses port 3010.

In an HA pair configuration, command propagation is enabled by default on both the primary and secondary nodes. You can enable or disable command propagation on either node in an HA pair. If you disable command propagation on the primary node, commands are not propagated to the secondary node. If you disable command propagation on the secondary node, commands propagated from the primary are not executed on the secondary node.


Note: After reenabling propagation, remember to force synchronization.

If synchronization occurs while you are disabling propagation, any configuration-related changes that you make before the disabling of propagation takes effect are synchronized with the secondary node. This is also true for cases where propagation is disabled while synchronization is in progress.

To disable or enable command propagation by using the NetScaler command line

At the NetScaler command prompt, type:

w set HA node -haProp DISABLED

w set HA node -haProp ENABLED

To disable or enable command propagation by using the configuration utility

1. In the navigation pane, expand System, and then click High Availability.

2. In the details pane, on the Nodes tab, select the local node, and then click Open.

3. In the Configure Node dialog box, under HA Propagation, do one of the following:

• To disable HA Propagation, clear the Primary node will propagate configuration to the Secondary check box.

• To enable HA Propagation, select the Primary node will propagate configuration to the Secondary check box.

4. Click OK. A message appears in the status bar, stating that the node has been configured successfully.

Configuring Fail-Safe Mode

In an HA configuration, fail-safe mode ensures that one node is always primary when both nodes fail the health check. This is to ensure that when a node is only partially available, backup methods are enabled to handle traffic as best as possible. The HA fail-safe mode is configured independently on each node.

The following table shows some of the fail-safe cases. The NOT_UP state means that the node failed the health check yet it is partially available. The UP state means that the node passed the health check.


Table 7-1. Fail-Safe Mode Cases

Node A (Primary) health state | Node B (Secondary) health state | Default HA behavior | Fail-safe enabled HA behavior | Description
NOT_UP (failed last) | NOT_UP (failed first) | A (Secondary), B (Secondary) | A (Primary), B (Secondary) | If both nodes fail, one after the other, the node that was the last primary remains primary.
NOT_UP (failed first) | NOT_UP (failed last) | A (Secondary), B (Secondary) | A (Secondary), B (Primary) | If both nodes fail, one after the other, the node that was the last primary remains primary.
UP | UP | A (Primary), B (Secondary) | A (Primary), B (Secondary) | If both nodes pass the health check, no change in behavior with fail-safe enabled.
UP | NOT_UP | A (Primary), B (Secondary) | A (Primary), B (Secondary) | If only the secondary node fails, no change in behavior with fail-safe enabled.
NOT_UP | UP | A (Secondary), B (Primary) | A (Secondary), B (Primary) | If only the primary fails, no change in behavior with fail-safe enabled.
NOT_UP | UP (STAYSECONDARY) | A (Secondary), B (Secondary) | A (Primary), B (Secondary) | If the secondary is configured as STAYSECONDARY, the primary remains primary even if it fails.
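The role decision in Table 7-1, as an added example that is not part of the Citrix guide: it reproduces only the documented outcomes, and the function and constant names are assumptions made for this illustration.

```python
# Added example, not from the Citrix guide: a model of the role decision in
# Table 7-1. Function and constant names are my own; the appliance's internal
# state machine is not exposed, so this only reproduces the documented outcomes.

UP, NOT_UP = "UP", "NOT_UP"
PRIMARY, SECONDARY = "Primary", "Secondary"


def resolve_roles(a_health, b_health, *, a_failed_first=False,
                  b_stay_secondary=False, fail_safe=False):
    """Return (role of A, role of B) after the health checks are evaluated.

    A is the node holding the primary role before the checks, B the secondary.
    a_failed_first matters only when both nodes are NOT_UP: it records which
    node failed first, because the survivor took over as primary in between
    and therefore counts as the "last primary" that fail-safe mode keeps.
    """
    a_up = a_health == UP
    # A STAYSECONDARY node never takes over, so for this decision it behaves
    # as if it had failed its health check.
    b_can_serve = b_health == UP and not b_stay_secondary

    if a_up:
        return PRIMARY, SECONDARY           # rows 3 and 4: primary is healthy
    if b_can_serve:
        return SECONDARY, PRIMARY           # row 5: only the primary failed
    if not fail_safe:
        # Default behavior: both nodes drop to secondary, so no node owns the
        # floating IPs and the site is down until a health check passes again.
        return SECONDARY, SECONDARY
    # Fail-safe: the node that was primary most recently keeps the role.
    if a_failed_first and not b_stay_secondary:
        return SECONDARY, PRIMARY           # row 2: B took over, then failed
    return PRIMARY, SECONDARY               # rows 1 and 6


def table_7_1():
    """Recompute every row of Table 7-1 as (default, fail-safe) role pairs."""
    rows = {
        "both NOT_UP, A failed last": dict(a_health=NOT_UP, b_health=NOT_UP),
        "both NOT_UP, A failed first": dict(a_health=NOT_UP, b_health=NOT_UP,
                                            a_failed_first=True),
        "UP / UP": dict(a_health=UP, b_health=UP),
        "UP / NOT_UP": dict(a_health=UP, b_health=NOT_UP),
        "NOT_UP / UP": dict(a_health=NOT_UP, b_health=UP),
        "NOT_UP / UP (STAYSECONDARY)": dict(a_health=NOT_UP, b_health=UP,
                                            b_stay_secondary=True),
    }
    return {name: (resolve_roles(**kw, fail_safe=False),
                   resolve_roles(**kw, fail_safe=True))
            for name, kw in rows.items()}


if __name__ == "__main__":
    for case, (default, fail_safe) in table_7_1().items():
        print(f"{case:32} default={default}  fail-safe={fail_safe}")
```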

To enable fail-safe mode by using the NetScaler command line

At the NetScaler command prompt, type:

set HA node [-failSafe ( ON | OFF )]


Example

set ha node -failsafe ON

To enable fail-safe mode by using the configuration utility

1. In the navigation pane, expand System, and then click High Availability.

2. In the details pane, on the Nodes tab, select the local node, and then click Open.

3. In the Configure Node dialog box, under Fail-Safe Mode, select the Maintain one Primary node even when both nodes are unhealthy check box.

4. Click OK. A message appears in the status bar, stating that the node has been configured successfully.

Configuring Virtual MAC Addresses

A Virtual MAC address (VMAC) is a floating entity shared by the primary and the secondary nodes in an HA setup.

In an HA setup, the primary node owns all of the floating IP addresses, such as the MIPs, SNIPs, and VIPs. The primary node responds to Address Resolution Protocol (ARP) requests for these IP addresses with its own MAC address. As a result, the ARP table of an external device (for example, an upstream router) is updated with the floating IP address and the primary node's MAC address.

When a failover occurs, the secondary node takes over as the new primary node. It then uses Gratuitous ARP (GARP) to advertise the floating IP addresses that it acquired from the primary. However, the MAC address that the new primary advertises is the MAC address of its own interface.

Some devices (notably a few routers) do not accept the GARP messages generated by the NetScaler appliance. As a result, some external devices retain the old IP to MAC mapping advertised by the old primary node. This can result in a site going down.

You can overcome this problem by configuring a VMAC on both nodes of an HA pair. Both nodes then possess identical MAC addresses. Therefore, when failover occurs, the MAC address of the secondary node remains unchanged, and the ARP tables on the external devices do not need to be updated.

To create a VMAC, you need to first create a Virtual Router ID (VRID) and bind it to an interface. (In an HA setup, you need to bind the VRID to the interfaces on both nodes.) Once the VRID is bound to an interface, the system generates a VMAC with the VRID as the last octet.


Configuring IPv4 VMACs

When you create an IPv4 VMAC address and bind it to an interface, any IPv4 packet sent from the interface uses the VMAC address that is bound to the interface. If there is no IPv4 VMAC bound to an interface, the interface's physical MAC address is used.

The generic VMAC is of the form 00:00:5e:00:01:<VRID>. For example, if you create a VRID with a value of 60 and bind it to an interface, the resulting VMAC is 00:00:5e:00:01:3c, where 3c is the hex representation of the VRID. You can create 255 VRIDs with values from 1 to 255.

Creating or Modifying an IPv4 VMAC

You create an IPv4 virtual MAC by assigning it a virtual router ID. You can then bind the VMAC to an interface. You cannot bind multiple VRIDs to the same interface. To verify the VMAC configuration, display and examine the VMACs and the interfaces bound to them.
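The VMAC derivation above, together with a check of the two constraints it implies (one VRID per interface, and the same VRID bound on both nodes), as an added example that is not part of the Citrix guide. The binding dictionaries are constructed sample data, not parsed sh vrID output, and the assumption that matching interface numbers on both nodes carry the same VRID is mine.

```python
# Added example, not from the Citrix guide: derive the generic IPv4 VMAC for a
# VRID and audit an HA pair's VRID bindings against the constraints stated in
# the text. The binding dictionaries are constructed for this illustration;
# they are not parsed from real "sh vrID" output.

VMAC_PREFIX = "00:00:5e:00:01"   # generic IPv4 VMAC prefix; last octet is the VRID


def vmac_for_vrid(vrid):
    """Return the VMAC 00:00:5e:00:01:<VRID>, with the VRID as two hex digits."""
    if not isinstance(vrid, int) or not 1 <= vrid <= 255:
        raise ValueError(f"VRID must be an integer from 1 to 255, got {vrid!r}")
    return f"{VMAC_PREFIX}:{vrid:02x}"


def interface_vrids(bindings, node_label, findings):
    """Invert {vrid: [interfaces]} into {interface: vrid}, recording any
    interface bound to more than one VRID (which the appliance does not allow)."""
    result = {}
    for vrid, interfaces in bindings.items():
        for ifnum in interfaces:
            if ifnum in result and result[ifnum] != vrid:
                findings.append(f"node {node_label}: interface {ifnum} is bound to "
                                f"VRID {result[ifnum]} and VRID {vrid}")
            result[ifnum] = vrid
    return result


def audit_vrid_bindings(node_a, node_b):
    """Compare the VRID bindings of the two HA nodes.

    Each argument maps VRID -> list of bound interfaces (slot/port) on that
    node. Assumption of this example: the same interface number on both nodes
    should carry the same VRID, so that the MAC advertised for the floating
    IPs does not change after failover. Returns a list of findings; an empty
    list means the bindings are consistent.
    """
    findings = []
    a_map = interface_vrids(node_a, "A", findings)
    b_map = interface_vrids(node_b, "B", findings)
    for ifnum in sorted(set(a_map) | set(b_map)):
        va, vb = a_map.get(ifnum), b_map.get(ifnum)
        if va != vb:
            mac_a = vmac_for_vrid(va) if va else "physical MAC (no VMAC bound)"
            mac_b = vmac_for_vrid(vb) if vb else "physical MAC (no VMAC bound)"
            findings.append(f"interface {ifnum}: node A uses {mac_a}, node B uses "
                            f"{mac_b}; upstream ARP caches will go stale on failover")
    return findings


if __name__ == "__main__":
    # Constructed sample: VRID 100 bound to 1/1 1/2 1/3 as in the example in
    # the text, but node B omitted 1/3 and bound 1/2 to a second VRID.
    good = {100: ["1/1", "1/2", "1/3"]}
    bad = {100: ["1/1", "1/2"], 60: ["1/2"]}
    print(vmac_for_vrid(60))             # 00:00:5e:00:01:3c
    for line in audit_vrid_bindings(good, bad):
        print(line)
```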

To add a VMAC by using the NetScaler command line

At the NetScaler command prompt, type:

• add vrID <id>

• bind vrid <id> -ifnum <interface_name>

• sh vrID

Example

add vrID 100
bind vrid 100 -ifnum 1/1 1/2 1/3
sh vrID 100

To unbind interfaces from a VMAC by using the NetScaler command line

At the NetScaler command prompt, type:

• unbind vrid <id> -ifnum <interface_name>

• sh vrID

Parameters for configuring a VMAC

VrID

The VRID that identifies the VMAC. Possible values: 1 to 255.

ifnum

The interface number (slot/port notation) to be bound to the VMAC.


To configure a VMAC by using the configuration utility

1. In the navigation pane, expand Network, and then click VMAC.

2. In the details pane, on the VMAC tab, do one of the following:

• To create a new VMAC, click Add.

• To modify an existing VMAC, click Open.

3. In the Create VMAC or Configure VMAC dialog box, specify a value for the following parameter, which corresponds to the parameter described in “Parameters for configuring a VMAC” as shown:

• Virtual Router ID*—VrID

4. Under Associate Interfaces, do one of the following:

• To bind interfaces to the VMAC, select the desired interfaces from the Available Interfaces table, and click Add.

• To unbind interfaces from the VMAC, select the desired interfaces from the Configured Interfaces table, and click Remove.

5. Click OK. A message appears in the status bar, stating that the VMAC has been configured successfully.

Removing an IPv4 VMAC

To remove an IPv4 virtual MAC, you delete its virtual router ID.

To remove an IPv4 VMAC by using the NetScaler command line

At the NetScaler command prompt, type:

rm vrid <id>

Example

rm vrid 100

To remove an IPv4 VMAC by using the configuration utility

1. In the navigation pane, expand Network, and then click VMAC.

2. In the details pane, on the VMAC tab, select the virtual router ID that you want to remove, and then click Remove. A message appears in the status bar, stating that the VMAC has been successfully removed.

Configuring IPv6 VMAC6s

The NetScaler supports VMAC6 for IPv6 packets. You can bind any interface to a VMAC6, even if an IPv4 VMAC is bound to the interface. Any IPv6 packet sent from the interface uses the VMAC6 bound to that interface. If there is no VMAC6 bound to an interface, an IPv6 packet uses the physical MAC.

Creating or Modifying a VMAC6

You create an IPv6 virtual MAC by assigning it an IPv6 virtual router ID. You can then bind the VMAC6 to an interface. You cannot bind multiple IPv6 VRIDs to an interface. To verify the VMAC6 configuration, display and examine the VMAC6s and the interfaces bound to them.

To add a VMAC6 by using the NetScaler command line

At the NetScaler command prompt, type:

• add vrID6 <id>

• bind vrID6 <id> -ifnum <interface_name>

• sh vrID6

Example

add vrID6 100
bind vrID6 100 -ifnum 1/1 1/2 1/3
sh vrID6 100

To unbind interfaces from a VMAC6 by using the NetScaler command line

At the NetScaler command prompt, type:

• unbind vrID6 <id> -ifnum <interface_name>

• sh vrID6

Parameters for configuring a VMAC6

vrID6

The VRID that identifies the VMAC6. Possible values: 1 to 255.

ifnum

The interface number (slot/port notation) to be bound to the VMAC6.

To configure a VMAC6 by using the configuration utility

1. In the navigation pane, expand Network, and then click VMAC.

2. In the details pane, on the VMAC6 tab, do one of the following:

• To create a new VMAC6, click Add.

• To modify an existing VMAC6, click Open.


3. In the Create VMAC6 or Configure VMAC6 dialog box, specify a value for the following parameter, which corresponds to the parameter described in “Parameters for configuring a VMAC6” as shown:

• Virtual Router ID6*—vrID6

4. Under Associate Interfaces, do one of the following:

• To bind interfaces to the VMAC6, select the desired interfaces from the Available Interfaces table, and click Add.

• To unbind interfaces from the VMAC6, select the desired interfaces from the Configured Interfaces table, and click Remove.

5. Click OK. A message appears in the status bar, stating that the VMAC6 has been configured successfully.

Removing a VMAC6

To remove an IPv6 virtual MAC, you delete its virtual router ID.

To remove a VMAC6 by using the NetScaler command line

At the NetScaler command prompt, type:

rm vrid6 <id>

Example

rm vrid6 100

To remove a VMAC6 by using the configuration utility

1. In the navigation pane, expand Network, and then click VMAC.

2. In the details pane, on the VMAC6 tab, select the virtual router ID that you want to remove, and then click Remove. A message appears in the status bar, stating that the VMAC6 has been successfully removed.

Configuring High Availability Nodes in Different Subnets

The following figure shows an HA deployment with the two systems located in different subnets:


Figure 7-3. High Availability over a Routed Network

In the figure, the systems NS1 and NS2 are connected to two separate routers, R3 and R4, on two different subnets. The NetScaler appliances exchange heartbeat packets through the routers. This configuration could be expanded to accommodate deployments involving any number of interfaces.

Note: If you use static routing on your network, you must add static routes between all the systems to ensure that heartbeat packets are sent and received successfully. (If you use dynamic routing on your systems, static routes are unnecessary.)

If the nodes in an HA pair reside on two separate networks, the primary and secondary node must have independent network configurations. This means that nodes on different networks cannot share entities such as MIPs, SNIPs, VLANs, and routes. This type of configuration, where the nodes in an HA pair have different configurable parameters, is known as Independent Network Configuration (INC) or Symmetric Network Configuration (SNC).

The following table summarizes the configurable entities and options for an INC, and shows how they must be set on each node.

Table 7-2. Behavior of NetScaler Entities and Options in an Independent Network Configuration

NetScaler entities | Options
IPs (NSIP/MIP/SNIPs) | Node-specific. Active only on that node.


VIPs | Floating.
VLANs | Node-specific. Active only on that node.
Routes | Node-specific. Active only on that node. Link load balancing routes are floating.
ACLs | Floating (Common). Active on both nodes.
Dynamic routing | Node-specific. Active only on that node. The secondary node should also run the routing protocols and peer with upstream routers.
L2 mode | Floating (Common). Active on both nodes.
L3 mode | Floating (Common). Active on both nodes.
Reverse NAT (RNAT) | Node-specific. RNAT with VIP, because NATIP is floating.

As in configuring HA nodes in the same subnet, to configure HA nodes in different subnets, you log on to each of the two NetScaler appliances and add a remote node representing the other appliance.

Adding a Remote Node

When two nodes of an HA pair reside on different subnets, each node must have a different network configuration. Therefore, to configure two independent systems to function as an HA pair, you must specify INC mode during the configuration process.

When you add an HA node, you must disable the HA monitor for each interface that is not connected or not being used for traffic. For CLI users, this is a separate procedure.

To add a node by using the NetScaler command line

At the NetScaler command prompt, type:

• add ha node <id> <IPAddress> -inc ENABLED

• show ha node


Example

add ha node 3 10.102.29.170 -inc ENABLED
add ha node 3 1000:0000:0000:0000:0005:0600:700a:888b
sh ha node

To disable an HA monitor by using the NetScaler command line

At the NetScaler command prompt, type:

• set interface <ifNum> [-haMonitor ( ON | OFF )]

• show interface <ifNum>

Example

> set interface 1/3 -haMonitor OFF
 Done
> show interface 1/3
 Interface 1/3 (Fast Ethernet 10/100 MBits) #5
 flags=0x4000 (ENABLED, DOWN, down, autoneg, 802.1q)
 MTU=1514, native vlan=5, MAC=00:d0:68:0b:58:dc, downtime 332h55m50s
 Requested: media AUTO, speed AUTO, duplex AUTO, fctl ON, throughput 0

 RX: Pkts(0) Bytes(0) Errs(0) Drops(0) Stalls(0)
 TX: Pkts(0) Bytes(0) Errs(0) Drops(0) Stalls(0)
 NIC: InDisc(0) OutDisc(0) Fctls(0) Stalls(0) Hangs(0) Muted(0)
 Bandwidth thresholds are not set.
 Done

Parameters for adding a remote node

node id

Unique number that identifies the node to be added. Possible values: 1 to 64.

IPAddress

IPv4 or IPv6 address of the node to be added.

inc

Option to be enabled when the nodes that you want to configure for high availability are in different subnets.


id

Interface number, in slot/port notation.

haMonitor

Monitor the specified interface for failing events. Possible values: ON, OFF. Default: ON.

To add a remote node by using the configuration utility

1. In the navigation pane, expand System, and then click High Availability.

2. In the details pane, select the Nodes tab, and then click Add.

3. In the High Availability Setup dialog box, in the Remote Node IP Address text box, type the NSIP address of the NetScaler that is to be added as the remote node. If the NSIP is an IPv6 address, select the IPv6 check box before entering the address.

4. If you want to add the local node to the remote node automatically, select the Configure remote system to participate in High Availability setup check box. If you do not select this option, you will have to log in to the appliance represented by the remote node and add the node that you are currently configuring.

5. Make sure that the Turn off HA monitor on interfaces/channels that are down check box is selected.

6. Select the Turn on INC (Independent Network Configuration) mode on self mode check box.

7. Click OK. The Nodes page displays both of the nodes in your HA configuration (the local node and the remote node).

Removing a Node

If you remove a node, the nodes are no longer in a high availability configuration.

To remove a node by using the NetScaler command line

At the NetScaler command prompt, type:

rm ha node <id>

Example

> rm ha node 2
 Done

To remove a node by using the configuration utility

1. In the navigation pane, expand System, and then click High Availability.

2. On the High Availability page, select the Nodes tab.


3. On the Nodes page, select the node that you want to remove, and click Remove.

4. On the Remove dialog box, click Yes.

Note: You can use the Network Visualizer to view the NetScaler appliances that are configured as a high availability (HA) pair and perform high availability configuration tasks. For more information, see "Using the Network Visualizer".

Configuring Route Monitors

You can use route monitors to make the HA state dependent on the internal routing table, whether or not the table contains any dynamically learned or static routes. In an HA configuration, a route monitor on each node watches the internal routing table to make sure that a route entry for reaching a particular network is always present. If the route entry is not present, the state of the route monitor changes to DOWN.

When a NetScaler appliance has only static routes for reaching a network, and you want to create a route monitor for the network, you must enable monitored static routes (MSR) for the static routes. MSR removes unreachable static routes from the internal routing table. If MSR is disabled on static routes, an unreachable static route can remain in the internal routing table, defeating the purpose of having the route monitor.

Route Monitors are supported both in non-INC and INC mode.

Route Monitors in HA in non-INC mode:

• Route monitors are propagated by nodes and exchanged during synchronization.

• Route monitors are active only in the current primary node.

• The NetScaler appliance always displays the state of a route monitor as UP, irrespective of whether the route entry is present in the internal routing table.

• A route monitor starts monitoring its route after 180 seconds in the following cases (this delay allows dynamic routes to be learned, which may take 180 seconds):

  - reboot

  - failover

  - set route6 command for v6 routes

  - set route msr enable/disable command for v4 routes

  - adding a new route monitor

Route Monitors in HA in INC mode:

• Route monitors are neither propagated by nodes nor exchanged during synchronization.

• Route monitors are active on both the primary and the secondary node.

• The NetScaler appliance displays the state of the route monitor as DOWN if the corresponding route entry is not present in the internal routing table.

Route monitors are useful in a non-INC mode HA configuration where you want the non-reachability of a gateway from a primary node to be one of the conditions for HA failover.

Consider an example of a non-INC mode HA setup in a two-arm topology that has NetScaler appliances NS1 and NS2 in the same subnet, with router R1 and switches SW1, SW2, and SW3.

Because R1 is the only router in this setup, you want the HA setup to fail over whenever R1 is not reachable from the current primary node. You can configure a route monitor (say, RM1 and RM2, respectively) on each of the nodes to monitor the reachability of R1 from that node.

Figure 7-4.

With NS1 as the current primary node, the execution flow is as follows:

1. Route monitor RM1 on NS1 monitors NS1's internal routing table for the presence of a route entry for router R1. NS1 and NS2 exchange heartbeat messages through switch SW1 or SW3 at regular intervals.

2. If switch SW1 goes down, the routing protocol on NS1 detects that R1 is not reachable and therefore removes the route entry for R1 from the internal routing table. NS1 and NS2 exchange heartbeat messages through switch SW3 at regular intervals.

3. Detecting that the route entry for R1 is not present in the internal routing table, RM1 initiates a failover. If the route to R1 is down from both NS1 and NS2, failover happens every 180 seconds until one of the appliances is able to reach R1 and restore connectivity.

Adding a Route Monitor to a High Availability Node

A single procedure creates a route monitor and binds it to an HA node.

To add a route monitor by using the NetScaler command line

At the NetScaler command prompt, type:

• bind HA node <id> (-routeMonitor <ip_addr|ipv6_addr> [<netmask>])

• sh HA node

Example

bind HA node 3 -routeMonitor 10.102.71.0 255.255.255.0
bind HA node 3 -routeMonitor 1000:0000:0000:0000:0005:0600:700a:888b

Parameters for adding a route monitor

id

The ID of the node to which the monitor is to be bound.

routeMonitor

IPv4 or IPv6 address of the route to be monitored.

netmask

Subnet mask for the IPv4 address.

To add a route monitor by using the configuration utility

1. In the navigation pane, expand System, and then click High Availability.

2. In the details pane, on the Route Monitors tab, click Configure.

3. In the Bind / Unbind Route Monitor(s) dialog box, in the Network text box, do one of the following:

• For an IPv4 network, type an IPv4 network address (for example, 10.102.29.30) and in the Netmask text box, type a subnet mask (for example, 255.255.255.0).

• For an IPv6 network, select the IPv6 check box and type an IPv6 network address (for example, 1000:0000:0000:0000:0005:0600:700a:888b).


4. Click Add. The Route Monitor is added and appears in the Configured Route Monitors table.

5. Click OK.

Removing Route Monitors

To remove a route monitor by using the NetScaler command line

At the NetScaler command prompt, type:

• unbind HA node <id> (-routeMonitor <ip_addr|ipv6_addr> [<netmask>])

• sh HA node

Example

unbind HA node 3 -routeMonitor 10.102.71.0 255.255.255.0
unbind HA node 3 -routeMonitor 1000:0000:0000:0000:0005:0600:700a:888b

To remove a route monitor by using the configuration utility

1. In the navigation pane, expand System, and then click High Availability.

2. In the details pane, on the Route Monitors tab, click Configure.

3. In the Bind / Unbind Route Monitor(s) dialog box, under Configured Route Monitors, select a route monitor to remove and click Remove.

4. Click OK.

Configuring FIS

Link redundancy is a way to prevent failover by grouping interfaces so that, when one interface fails, other functioning interfaces are still available. The link redundancy feature allows you to group the two interfaces into a failover interface set (FIS), which prevents the failure of a single link from causing failover to the secondary system unless all of the interfaces on the primary system are nonfunctional.

Each interface in an FIS maintains independent bridge entries. HA MON interfaces that are not bound to an FIS are known as critical interfaces (CI) because if any of them fails, failover is triggered.

Creating or Modifying an FIS


To add an FIS and bind interfaces to it by using the NetScaler command line

At the NetScaler command prompt, type:

• add fis <name>

• bind fis <name> <ifnum> ...

• sh fis <name>

Example

> add fis fis1
 Done
> bind fis fis1 1/3 1/5
 Done
> show fis fis1
1) FIS: fis1
 Member Interfaces : 1/3 1/5
 Done

An unbound interface becomes a critical interface (CI) if it is enabled and HA MON is on.

To unbind an interface from an FIS by using the NetScaler command line

At the NetScaler command prompt, type:

• unbind fis <name> <ifnum> ...

• sh fis <name>

Example

> unbind fis fis1 1/3
 Done
> show FIS fis1
1) FIS: fis1
 Member Interfaces : 1/5
 Done

Parameters for configuring an FIS

name

Name of the FIS to which interfaces are to be bound.

ifnum

Interface number (slot/port notation) to be bound to the FIS.


To configure an FIS by using the configuration utility

1. In the navigation pane, expand System, and then click High Availability.

2. In the details pane, on the Failover Interface Set tab, do one of the following:

• To create a new FIS, click Add.

• To modify an existing FIS, click Open.

3. In the Create FIS or Configure FIS dialog box, in the Name text box, type the name of the FIS.

4. Select an available interface and click Add to bind it to the FIS. Repeat to bind additional interfaces.

5. Click OK. A message appears in the status bar, stating that the FIS has been configured successfully.

Removing an FIS

When the FIS is removed, its interfaces are marked as critical interfaces.

To remove an FIS by using the NetScaler command line

At the NetScaler command prompt, type:

rm fis <name>

Example

> rm fis fis1
 Done

To remove an FIS by using the configuration utility

1. In the navigation pane, expand System, and then click High Availability.

2. In the details pane, on the Failover Interface Set tab, select the FIS that you want to remove and click Remove.

3. In the Remove dialog box, click Yes.

Understanding the Causes of Failover

The following events can cause failover in an HA configuration:

1. The secondary node does not receive a heartbeat packet from the primary for a period of time that exceeds the dead interval set on the secondary. (See Note 1.)

2. The primary node experiences a hardware failure of its SSL card.


3. The primary node does not receive any heartbeat packets on its network interfaces for three seconds.

4. On the primary node, a network interface that is not part of a Failover Interface Set (FIS) or a Link Aggregation (LA) channel and has the HA Monitor (HAMON) enabled, fails. (See Note 2.)

5. On the primary node, all interfaces in an FIS fail. (See Note 2.)

6. On the primary node, an LA channel with HAMON enabled fails. (See Note 2.)

7. On the primary node, all interfaces fail (see Note 2). In this case, failover occurs regardless of the HAMON configuration.

8. On the primary node, all interfaces are manually disabled. In this case, failover occurs regardless of the HAMON configuration.

9. You force a failover by issuing the force failover command on either node.

10. A route monitor that is bound to the primary node goes DOWN.

Note 1: For more information about setting the dead interval, see Configuring the Communication Intervals. Possible causes for a node not receiving heartbeat packets from a peer node include:

• A network configuration problem prevents heartbeats from traversing the network between the HA nodes.

• The peer node experiences a hardware or software failure that causes it to freeze (hang), reboot, or otherwise stop processing and forwarding heartbeat packets.

Note 2: In this case, fail means that the interface was enabled but goes to the DOWN state, as can be seen from the show interface command or from the configuration utility. Possible causes for an enabled interface to be in the DOWN state are LINK DOWN and TXSTALL.

Forcing a Node to Fail Over

You might want to force a failover if, for example, you need to replace or upgrade the primary node. You can force failover from either the primary or the secondary node. A forced failover is not propagated or synchronized. To view the synchronization status after a forced failover, you can view the status of the node.

A forced failover fails in any of the following circumstances:

• You force failover on a standalone system.

• The secondary node is disabled.

• The secondary node is configured to remain secondary.


The NetScaler appliance displays a warning message if it detects a potential issue when you run the force failover command. The message includes the information that triggered the warning, and requests confirmation before proceeding.

Forcing Failover on the Primary Node

If you force failover on the primary node, the primary becomes the secondary and the secondary becomes the primary. Forced failover is possible only when the primary node can determine that the secondary node is UP.

If the secondary node is DOWN, the force failover command returns the following error message: "Operation not possible due to invalid peer state. Rectify and retry."

If the secondary system is in the claiming state or inactive, it returns the following error message: "Operation not possible now. Please wait for system to stabilize before retrying."

To force failover on the primary node by using the NetScaler command line

At the NetScaler command prompt, type:

force HA failover

To force failover on the primary node by using the configuration utility

1. In the navigation pane, expand System, and then click High Availability.

2. In the details pane, on the Nodes tab, click Force Failover.

3. In the Warning dialog box, click Yes.

Forcing Failover on the Secondary Node

If you run the force failover command from the secondary node, the secondary node becomes primary and the primary node becomes secondary. A force failover can occur only if the secondary node's health is good and it is not configured to stay secondary.

If the secondary node cannot become the primary node, or if the secondary node was configured to stay secondary (using the STAYSECONDARY option), the node displays the following error message: "Operation not possible as my state is invalid. View the node for more information."

To force failover on the secondary node by using the NetScaler command line

At the NetScaler command prompt, type:

force HA failover


To force failover on the secondary node by using the configuration utility

1. In the navigation pane, expand System, and then click High Availability.

2. In the details pane, on the Nodes tab, click Force Failover.

3. In the Warning dialog box, click Yes.

Forcing Failover When Nodes Are in Listen Mode

When the two nodes of an HA pair are running different versions of the system software, the node running the higher version switches to the listen mode. In this mode, neither command propagation nor synchronization works.

Before upgrading the system software on both nodes, you should test the new version on one of the nodes. To do this, you need to force a failover on the system that has already been upgraded. The upgraded system then takes over as the primary node, but neither command propagation nor synchronization occurs. Also, all connections need to be re-established.

To force failover when nodes are in listen mode by using the NetScaler command line

At the NetScaler command prompt, type:

force HA failover

To force failover when nodes are in listen mode by using the configuration utility

1. In the navigation pane, expand System, and then click High Availability.

2. In the details pane, on the Nodes tab, click Force Failover.

3. In the Warning dialog box, click Yes.

Forcing the Secondary Node to Stay Secondary

In an HA setup, the secondary node can be forced to stay secondary regardless of the state of the primary node.

For example, suppose the primary node needs to be upgraded and the process will take a few seconds. During the upgrade, the primary node may go down for a few seconds, but you do not want the secondary node to take over; you want it to remain the secondary node even if it detects a failure in the primary node.

When you force the secondary node to stay secondary, it will remain secondary even if the primary node goes down. Also, when you force the status of a node in an HA pair to stay secondary, it does not participate in HA state machine transitions. The status of the node is displayed as STAYSECONDARY.


Forcing the node to stay secondary works on both standalone and secondary nodes. On a standalone node, you must use this option before you can add a node to create an HA pair. When you add the new node, the existing node continues to function as the primary node, and the new node becomes the secondary node.

Note: When you force a system to remain secondary, the forcing process is not propagated or synchronized. It affects only the node on which you run the command.

To force the secondary node to stay secondary by using the NetScaler command line

At the NetScaler command prompt, type:

set HA node -haStatus STAYSECONDARY

To force the secondary node to stay secondary by using the configuration utility

1. In the navigation pane, expand System, and then click High Availability.

2. In the details pane, on the Nodes tab, select the local node, and then click Open.

3. In the Configure Node dialog box, under High Availability Status, select STAYSECONDARY.

4. Click OK.

Forcing the Primary Node to Stay Primary

In an HA setup, you can force the primary node to remain primary even after a failover. You can enable this option either on a primary node in an HA pair or on a standalone system.

On a standalone system, you must run this command before you can add a node to create an HA pair. When you add the new node, it becomes the primary node. The existing node stops processing traffic and becomes the secondary node in the HA pair.

To force the primary node to stay primary by using the NetScaler command line

At the NetScaler command prompt, type:

set HA node -haStatus STAYPRIMARY

To force the primary node to stay primary by using the configuration utility

1. In the navigation pane, expand System, and then click High Availability.

2. In the details pane, on the Nodes tab, select the local node, and then click Open.

3. In the Configure Node dialog box, under High Availability Status, select STAYPRIMARY.

4. Click OK.

Understanding the High Availability Health Check Computation

The health check computation examines the following factors:

• State of the CIs

• State of the FISs

• State of the route monitors

The following table summarizes the health check computation.

Table 7-3. High Availability Health Check Computation

FIS   CI   Route monitor   Condition
N     Y    N               If the system has any CIs, all of those CIs must be UP.
Y     Y    N               If the system has any FISs, all of those FISs must be UP.
Y     Y    Y               If the system has any route monitors configured, all monitored routes must be present in the FIS.
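As an added example (not from the Citrix guide), the following POSIX shell function evaluates the three Table 7-3 rules over constructed state lists and returns the verdict the table implies, so the order in which a node fails its health check can be traced. It assumes "UP" as the healthy state for CIs, FISs and route monitors (a route monitor is counted as UP when its route is present in the FIS); any other value is treated as a failure.

```shell
#!/bin/sh
# Added example, not from the Citrix guide: an offline evaluation of the
# Table 7-3 rules. All inputs are constructed; "UP" marks a healthy CI or
# FIS and a route monitor whose route is present in the FIS (assumption:
# any other value counts as DOWN or missing).

# ha_health_check "<CI states>" "<FIS states>" "<route monitor states>"
# Each argument is a space-separated list of states. An empty list means
# nothing of that kind is configured, so that rule does not apply.
# Prints the verdict and returns 0 (healthy) or 1 (unhealthy).
ha_health_check() {
  ci_states=$1
  fis_states=$2
  rm_states=$3

  # Rule 1: if the system has any CIs, all of those CIs must be UP.
  for s in $ci_states; do
    if [ "$s" != "UP" ]; then
      echo "UNHEALTHY: critical interface is $s"
      return 1
    fi
  done

  # Rule 2: if the system has any FISs, all of those FISs must be UP.
  for s in $fis_states; do
    if [ "$s" != "UP" ]; then
      echo "UNHEALTHY: failover interface set is $s"
      return 1
    fi
  done

  # Rule 3: if any route monitors are configured, every monitored route
  # must be present in the FIS.
  for s in $rm_states; do
    if [ "$s" != "UP" ]; then
      echo "UNHEALTHY: monitored route is $s"
      return 1
    fi
  done

  echo "HEALTHY"
  return 0
}

# Constructed sample states; `|| :` keeps the demo going under `set -e`.
ha_health_check "UP UP" "UP" "UP" || :      # HEALTHY
ha_health_check "UP DOWN" "UP" "UP" || :    # UNHEALTHY: critical interface is DOWN
ha_health_check "UP" "UP" "DOWN" || :       # UNHEALTHY: monitored route is DOWN
ha_health_check "" "" "" || :               # HEALTHY (nothing configured)
```

The rules are checked in the order the table lists them, so a node with both a failed CI and a missing monitored route reports the CI first; a node with no CIs, FISs or route monitors configured passes every rule by vacuity, which is why the guide stresses that a health check only constrains what has actually been configured.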

Troubleshooting High Availability Issues

Certain conditions can cause improper synchronization between nodes or incorrect configuration on the secondary node.

• Improper synchronization of VLAN configuration in high availability systems. In HA pairs, synchronization does not work properly if only one node has a VLAN configured. To prevent this problem, configure your VLANs after you configure your appliances as an HA pair, and be sure to configure them both.

• Retrieving a lost configuration. If the primary node is unable to send the configuration to the secondary node due to a network error, the secondary node may not have an accurate configuration and may not behave correctly if a failover occurs. If this happens, you can retrieve the current configuration from the configuration backup on the hard disk of the primary appliance. The operating system saves the last four copies of the ns.conf file in the /nsconfig directory as ns.conf.0, ns.conf.1, ns.conf.2, and ns.conf.3. The ns.conf.0 file contains the current configuration.

To retrieve the current system configuration

1. Exit the CLI to FreeBSD by typing the following command and pressing the Enter key:

> shell

The FreeBSD shell prompt appears, as shown below.

#

2. Copy the latest backup file to /nsconfig/ns.conf by using the following command:

# cp `ls -t /nsconfig/ns.conf.? | head -1` /nsconfig/ns.conf
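As an added example (not part of the Citrix guide), the following POSIX shell functions automate step 2 and add two safeguards a practitioner would want before overwriting a running configuration: the existing ns.conf is kept as ns.conf.pre-restore.<epoch> (a naming convention assumed here, not a NetScaler one) so the restore can itself be undone, and the copy is verified byte for byte. The directory is a parameter so the functions can be tried against a scratch copy before being pointed at /nsconfig. Selection is by modification time, the same criterion as the guide's `ls -t ... | head -1`; the glob ns.conf.[0-9] covers the ns.conf.0 to ns.conf.3 backups the text describes.

```shell
#!/bin/sh
# Added example, not from the Citrix guide: restore the newest ns.conf.N
# backup with a pre-restore copy and a verification step.

# latest_ns_conf_backup <dir>
# Prints the path of the most recently modified ns.conf.0 .. ns.conf.9 in
# <dir>, the same file the guide's `ls -t /nsconfig/ns.conf.? | head -1`
# would select. Returns 1 if no backup exists.
latest_ns_conf_backup() {
  dir=$1
  newest=
  for f in "$dir"/ns.conf.[0-9]; do
    [ -f "$f" ] || continue          # an unmatched glob stays literal; skip it
    # -nt compares modification times; the first file seeds the search
    if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
      newest=$f
    fi
  done
  if [ -z "$newest" ]; then
    echo "no ns.conf.N backup found in $dir" >&2
    return 1
  fi
  printf '%s\n' "$newest"
}

# restore_ns_conf <dir>
# Copies the newest backup over <dir>/ns.conf. The current ns.conf is first
# preserved as ns.conf.pre-restore.<epoch> (assumed naming, not NetScaler's),
# and the copy is verified with cmp before success is reported.
restore_ns_conf() {
  dir=$1
  src=$(latest_ns_conf_backup "$dir") || return 1
  target=$dir/ns.conf
  if [ -f "$target" ]; then
    cp -p "$target" "$target.pre-restore.$(date +%s)" || return 1
  fi
  cp -p "$src" "$target" || return 1
  # cmp -s exits 0 only when both files are byte-identical
  if ! cmp -s "$src" "$target"; then
    echo "restore verification failed: $target differs from $src" >&2
    return 1
  fi
  echo "restored $target from $src"
}

# Usage on the appliance, from the FreeBSD shell reached with `shell`:
#   sh restore-ns-conf.sh /nsconfig
if [ -n "${1:-}" ]; then
  restore_ns_conf "$1"
fi
```

Like the guide's single cp command, this acts on the one node where it is run; it does not touch the peer, so the secondary still depends on synchronization from the primary to pick up the restored configuration.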

If you perform a configuration using the NSConfig utility, it is not propagated. If you create a configuration using NSConfig, you must repeat the configuration steps separately for each node in an HA pair.

High Availability

1: What are the various ports used to exchange the HA-related information between the nodes in an HA configuration?

Ans: In an HA configuration, both nodes use the following ports to exchange HA-related information:

• UDP Port 3003, to exchange heartbeat packets.

• Port 3010, for synchronization and command propagation.

2: What are the conditions that trigger synchronization?

Ans: Synchronization is triggered by any of the following conditions:

• The incarnation number of the primary node, received by the secondary, does not match that of the secondary node.

Note: Both nodes in an HA configuration maintain a counter called incarnation number, which counts the number of configurations in the node's configuration file. Each node sends its incarnation number to each other node in the heartbeat messages. The incarnation number is not incremented for the following commands:

a. All HA configuration related commands. For example, add ha node, set ha node, and bind ha node.

b. All Interface related commands. For example, set interface and unset interface.

c. All channel-related commands. For example, add channel, set channel, and bind channel.

• The secondary node comes up after a restart.

• The primary node becomes secondary after a failover.

3: What configurations are not synced or propagated in an HA configuration in INC or non-INC mode?

Ans: The following commands are neither propagated nor synced to the secondary node:

• All node specific HA configuration commands. For example, add ha node, set ha node, and bind ha node.

• All Interface related configuration commands. For example, set interface and unset interface.

• All channel related configuration commands. For example, add channel, set channel, and bind channel.

4: What configurations are neither synced nor propagated in an HA configuration in INC mode?

Ans: The following configurations are not synced or propagated. Each node has its own.

• MIPs

• SNIPs

• VLANs

• Routes (except LLB routes)

• Route monitors

• RNAT rules (except any RNAT rule with VIP as the NAT IP)

• Dynamic routing configurations.

5: Does a configuration added to the secondary node get synchronized on the primary?

Ans: No, a configuration added to the secondary node is not synchronized to the primary.

6: What could be the reason for both nodes claiming to be the primary in an HA configuration?

Ans: The most likely reason is that the primary and secondary nodes are both healthy but the secondary does not receive the heartbeat packets from the primary. The problem could be with the network between the nodes.

7: Does an HA configuration run into any issues if you deploy the two nodes with different system clock settings?

Ans: Different system-clock settings on the two nodes can cause the following issues:

• The time stamps in the log file entries do not match. This situation makes it difficult to analyze the log entries for any issues.

• After a failover, you might have problems with any type of cookie based persistence for load balancing. A significant difference between the times can cause a cookie to expire sooner than expected, resulting in termination of the persistence session.

• Similar considerations apply to any time related decisions on the nodes.

8: What are the conditions for failure of the force HA sync command?

Ans: Forced synchronization fails in any of the following circumstances:

• You force synchronization when synchronization is already in progress.

• You force synchronization on a standalone NetScaler appliance.

• The secondary node is disabled.

• HA synchronization is disabled on the current secondary node.

• HA propagation is disabled on the current primary node and you force synchronization from the primary.

9: What are the conditions for failure of the sync HA files command?

Ans: Synchronizing configuration files fails in either of the following circumstances:

• On a standalone system.

• With the secondary node disabled.

10: In an HA configuration, if the secondary node takes over as the primary, does it switch back to secondary status if the original primary comes back online?

Ans: No. After the secondary node takes over as the primary, it remains as primary even if the original primary node comes back online again. To interchange the primary and secondary status of the nodes, run the force failover command.

11: What are the conditions for failure of the force failover command?

Ans: A forced failover fails in any of the following circumstances:

• You force failover on a standalone system.

• The secondary node is disabled.

• The secondary node is configured to remain secondary.

• The primary node is configured to remain primary.

• The state of the peer node is unknown.


Appendix A

Documentation Library

Topics:

• Release Notes

• Quick Start Guides

• Configuration Guides

• Reference Guides

This appendix contains links to various NetScaler guides. You can either click the respective document ID to open the PDF version of the guide, or use the ID to search the guide in the Citrix Knowledge Center website available at http://support.citrix.com.

To search the guide on the Citrix Knowledge Center website

1. Open the http://support.citrix.com link in a web browser.

2. Type the document ID in the Knowledge Center search text box and click Search.

3. Select the appropriate link from the search results.


Release Notes

Title                                                                                  Document ID
Citrix NetScaler Release Notes                                                         CTX132356

Quick Start Guides

Title                                                                                  Document ID
Citrix NetScaler Quick Start Guide for NetScaler MPX                                   CTX132374
Citrix NetScaler Quick Start Guide for NetScaler MPX 5500                              CTX132371
Citrix NetScaler Quick Start Guide for NetScaler MPX 7500, 9500                        CTX132370
Citrix NetScaler Quick Start Guide for NetScaler MPX 9700, 10500, 12500, 15500         CTX132373
Citrix NetScaler Quick Start Guide for MPX 11500, 13500, 14500, 16500, 18500           CTX132379
Citrix NetScaler Quick Start Guide MPX 17550/19550/20550/21550                         CTX132380
Citrix NetScaler Quick Start Guide for NetScaler MPX 17500, 19500, 21500               CTX132377
Citrix NetScaler Quick Start Guide for SDX 11500, 13500, 14500, 16500, 18500, 20500    CTX132785
Citrix NetScaler Quick Start Guide for SDX 17500/19500/21500                           CTX132784
Citrix NetScaler Quick Start Guide for SDX 17550/19550/20550/21550                     CTX132783


Configuration Guides

Title                                                                                  Document ID
Citrix NetScaler Administration Guide                                                  CTX132357
Citrix NetScaler AppExpert Guide                                                       CTX132358
Citrix NetScaler Application Optimization Guide                                        CTX132361
Citrix NetScaler Application Security Guide                                            CTX132366
Citrix NetScaler Clustering Guide                                                      CTX132840
Citrix Application Firewall Guide                                                      CTX132360
Citrix NetScaler Getting Started Guide                                                 CTX132368
Citrix Hardware Installation and Setup Guide                                           CTX132365
Citrix NetScaler Migration Guide                                                       CTX132364
Citrix NetScaler Networking Guide                                                      CTX132369
Citrix NetScaler Policy Configuration and Reference Guide                              CTX132362
Citrix NetScaler SDX Administration                                                    CTX132782
Citrix NetScaler Traffic Management Guide                                              CTX132359
Citrix NetScaler VPX Getting Started Guide                                             CTX132363

Reference Guides

Title                                                                                  Document ID
Citrix NetScaler Command Reference Guide                                               CTX132384
Citrix NetScaler Developers Guide                                                      CTX132367
Citrix NetScaler Glossary                                                              CTX132383
Citrix NetScaler Log Message Reference                                                 CTX132382
Citrix NetScaler SNMP OID Reference                                                    CTX132381
