Copyright and Trademark Notice

CITRIX SYSTEMS, INC., 2010. ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK (SUCH AS TRANSLATION, TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC. ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL. CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radiofrequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. Modifying the equipment without Citrix' written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.

You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler Request Switch 9000 Series equipment. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures:
Move the NetScaler equipment to one side or the other of your equipment.
Move the NetScaler equipment farther away from your equipment.
Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses.)

Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your authority to operate the product.

BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, WANScaler, Citrix XenApp, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation. NetScape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks or trademarks of their respective holders.

Software covered by the following third party copyrights may be included with this product and will also be subject to the software license agreement: Copyright 1998 Carnegie Mellon University. All rights reserved. Copyright David L. Mills 1993, 1994. Copyright 1992, 1993, 1994, 1997 Henry Spencer. Copyright Jean-loup Gailly and Mark Adler. Copyright 1999, 2000 by Jef Poskanzer. All rights reserved. Copyright Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves. All rights reserved. Copyright 1982, 1985, 1986, 1988-1991, 1993 Regents of the University of California. All rights reserved. Copyright 1995 Tatu Ylonen, Espoo, Finland. All rights reserved. Copyright UNIX System Laboratories, Inc. Copyright 2001 Mark R V Murray. Copyright 1995-1998 Eric Young. Copyright 1995,1996,1997,1998. Lars Fenneberg. Copyright 1992. Livingston Enterprises, Inc. Copyright 1992, 1993, 1994, 1995. The Regents of the University of Michigan and Merit Network, Inc. Copyright 1991-2, RSA Data Security, Inc. Created 1991. Copyright 1998 Juniper Networks, Inc. All rights reserved. Copyright 2001, 2002 Networks Associates Technology, Inc. All rights reserved. Copyright (c) 2002 Networks Associates Technology, Inc. Copyright 1999-2001 The OpenLDAP Foundation. All Rights Reserved. Copyright 1999 Andrzej Bialecki. All rights reserved. Copyright 2000 The Apache Software Foundation. All rights reserved. Copyright (C) 2001-2003 Robert A. van Engelen, Genivia inc. All Rights Reserved. Copyright (c) 1997-2004 University of Cambridge. All rights reserved. Copyright (c) 1995. David Greenman. Copyright (c) 2001 Jonathan Lemon. All rights reserved. Copyright (c) 1997, 1998, 1999. Bill Paul. All rights reserved. Copyright (c) 1994-1997 Matt Thomas. All rights reserved. Copyright 2000 Jason L. Wright. Copyright 2000 Theo de Raadt. Copyright 2001 Patrik Lindergren. All rights reserved.

Last Updated: July 2010
Contents
Preface
About This Guide ... i
New in This Release ... ii
Audience ... iii
Formatting Conventions ... iv
Related Documentation ... iv
Getting Service and Support ... v
Documentation Feedback ... v
Chapter 1
IP Addressing
Configuring NetScaler-Owned IP Addresses ... 1
NetScaler IP Address (NSIP) ... 2
Virtual IP Address (VIP) ... 3
Subnet IP Address (SNIP) ... 5
Mapped IP Address (MIP) ... 7
GSLB Site IP Address (GSLBIP) ... 7
Creating NetScaler-Owned IP Addresses ... 7
Proxying Connections ... 13
Selecting the Destination IP Address ... 14
Selecting the Source IP Address ... 14
Enabling the Use Source IP Mode ... 15
Configuring Modes of Packet Forwarding ... 17
Enabling and Disabling Modes ... 19
Network Address Translation ... 19
Inbound Network Address Translation ... 20
Reverse Network Address Translation ... 25
Configuring Static ARP ... 32
IP Tunneling ... 35
NetScaler as an Encapsulator (Load Balancing with DSR mode) ... 36
NetScaler as a Decapsulator ... 36
Chapter 2
Interfaces
MAC-Based Forwarding ... 44
Enabling and Disabling MAC-based Forwarding ... 44
Configuring Network Interfaces ... 46
Managing Network Interfaces ... 48
Configuring VLANs ... 51
Applying Rules to Classify Frames ... 53
VLANs and Packet Forwarding on the NetScaler ... 54
Configuring Bridge Groups ... 65
Adding a Bridge Group and Binding VLANs and IP Subnets ... 65
Verifying the Bridge Group Configuration ... 66
Unbinding VLANs and IP Subnets from a Bridge Group ... 66
Removing a Bridge Group ... 67
Configuring Link Aggregation ... 68
Configuring Link Aggregation Manually ... 68
Configuring the Link Aggregate Channel Protocol ... 72
Verifying the Configuration ... 74
Configuring VMACs ... 75
Configuring the Bridge Table ... 75
Enabling or Disabling Path MTU Behavior ... 77
Configuring NetScaler Appliances in Active-Active Mode using VRRP ... 78
Configuring Active-Active Mode ... 81
A Deployment Scenario ... 85
Network Visualizer ... 86
Chapter 3
Chapter 4
IP Routing
Configuring Dynamic Routes ... 117
Routing Tables in the NetScaler ... 118
High Availability Setup ... 119
Interfaces for Configuring Dynamic Routing ... 120
Using RIP ... 120
Using OSPF ... 123
Using BGP ... 127
Using IPv6 RIP ... 132
Using IPv6 OSPF ... 136
Installing Routes to the NetScaler Routing Table ... 140
Configuring Route Health Injection ... 142
Enabling RHI ... 142
Limiting Host Route Advertising for VIPs ... 143
Advertising Networks ... 144
Displaying Routes Learned Through Dynamic Routing Protocols ... 145
Configuring Static Routes ... 145
Monitored Static Routes ... 146
Weighted Static Routes ... 147
Null Routes ... 147
Customizing a Static Route ... 150
Removing a Static Route ... 151
Configuring IPv6 Static Routes ... 152
Configuring Policy Based Routes ... 155
Creating a PBR ... 156
Applying a PBR ... 157
Removing PBRs ... 158
Enabling and Disabling PBRs ... 158
Modifying PBRs ... 159
Renumbering PBRs ... 160
Troubleshooting Routing Issues ... 161
Generic Routing FAQs ... 161
Troubleshooting OSPF Specific Issues ... 164
Chapter 5
IP version 6
IPv6 Features ... 167
Implementing IPv6 Support ... 168
Enabling or Disabling IPv6 ... 168
Adding an IPv6 Address ... 169
Customizing SNIP and NSIP IPv6 Addresses ... 171
Customizing VIP IPv6 Addresses ... 172
Verifying the Configuration ... 173
Monitoring the Configuration ... 174
Configuring Neighbor Discovery and Router Learning ... 175
Neighbor Discovery ... 175
Router Learning ... 178
Adding IPv6 Support to NetScaler Features ... 179
Adding an IPv6 Vserver ... 179
VLAN Support ... 180
Simple Deployment Scenario ... 180
Host Header Modification ... 184
VIP Insertion ... 185
Chapter 6
High Availability
How High Availability Works ... 187
Considerations for a High Availability Setup ... 188
Configuring High Availability ... 190
Configuring a Basic High Availability Setup ... 190
Modifying an Existing HA Setup ... 192
Customizing a High Availability Setup ... 194
Configuring the Communication Intervals ... 195
Configuring Synchronization ... 196
Configuring Command Propagation ... 197
Forcing a Node to Fail Over ... 198
Configuring Virtual MAC Addresses ... 202
Configuring IPv4 VMACs ... 202
Configuring IPv6 VMACs ... 206
Improving the Reliability of a High Availability Setup ... 209
Configuring High Availability Nodes in Different Subnets ... 209
Configuring Link Redundancy ... 213
Configuring Route Monitors ... 216
High Availability Health Check Computation ... 218
Configuring the State of a Node ... 219
Forcing the Secondary Node to Stay Secondary ... 219
Forcing the Primary Node to Stay Primary ... 220
Troubleshooting High Availability Issues ... 221
Preface
Before you begin to configure the networking features, take a few minutes to review this chapter and learn about related documentation, other support options, and ways to send us feedback.

In This Preface
About This Guide
New in This Release
Audience
Formatting Conventions
Related Documentation
Getting Service and Support
Documentation Feedback
Chapter 5, IP version 6. Describes NetScaler support for IPv6 and how to implement it.
Chapter 6, High Availability. Describes how High Availability (HA) works in a NetScaler deployment to ensure uninterrupted operation in any transaction. Includes configuration instructions.
IPv6 OSPF. The NetScaler is enhanced to support the Open Shortest Path First (OSPF) Version 3 dynamic routing protocol. This protocol supports IPv6 route exchanges. For more information, see Using IPv6 OSPF, on page 136.
IPv6 RIP. The NetScaler is enhanced to support the Routing Information Protocol next generation (RIPng) dynamic routing protocol. This protocol supports IPv6 route exchanges. For more information, see Using IPv6 RIP, on page 132.
IPv6 support in BGP. The Border Gateway Protocol (BGP) dynamic routing protocol is enhanced to support IPv6 addresses. For more information, see Using BGP, on page 127.
Monitored IPv6 Static Routes. The NetScaler supports monitoring of IPv6 static routes. You can configure the NetScaler to monitor an IPv6 static route either by creating a new ND6 or PING monitor or by using existing ND6 or PING monitors. For more information, see Monitored Static Routes, on page 146 and Adding an IPv6 Route, on page 152.
Route Monitor for IPv6 Network. In a high availability (HA) configuration in INC mode, a route monitor can now be configured for an IPv6 network. For more information, see Configuring Route Monitors, on page 216.
Network Visualizer. The NetScaler configuration utility now includes the Network Visualizer. You can use this tool to view the network configuration of a NetScaler deployment and configure interfaces, channels, VLANs, and bridge groups. You can also view the NetScaler appliances that are configured as a high availability (HA) pair and perform high availability configuration tasks. For more information, see Network Visualizer, on page 86.
For a summary of the new features and remaining unsupported features, see the Citrix NetScaler 9.2 Release Notes.
Audience
This guide is intended for the following audience:
Hardware Technicians
System and Network Administrators
The concepts and tasks described in this guide require you to have a basic understanding of networking concepts such as Layer 2 and Layer 3 modes, routing, and interfaces.
Formatting Conventions
This documentation uses the following formatting conventions.

Formatting Conventions

Boldface: Information that you type exactly as shown (user input); elements in the user interface.

Italics: Placeholders for information or parameters that you provide. For example, FileName in a command means you type the actual name of a file. Also, new terms, and words referred to as words (which would otherwise be enclosed in quotation marks).

Monospace: System output or characters in a command line. User input and placeholders are also formatted using monospace text.

[ brackets ]: Optional items in command statements. For example, in the following command, [-range positiveInteger] means that you have the option of entering a range, but it is not required:

add lb vserver name serviceType IPAddress port [-range positiveInteger]

Do not type the brackets themselves.

| (vertical bar): A separator between options in braces or brackets in command statements. For example, the following indicates that you choose one of the following load balancing methods:

lbMethod = ( ROUNDROBIN | LEASTCONNECTION | LEASTRESPONSETIME | URLHASH | DOMAINHASH | DESTINATIONIPHASH | SOURCEIPHASH | SRCIPDESTIPHASH | LEASTBANDWIDTH | LEASTPACKETS | TOKEN | SRCIPSRCPORTHASH | LRTM | CALLIDHASH | CUSTOMLOAD )
Related Documentation
A complete set of documentation is available on the Documentation tab of your NetScaler and from http://support.citrix.com/. (Most of the documents require Adobe Reader, available at http://adobe.com/.)
To view the documentation

1. From a Web browser, log on to the NetScaler.
2. Click the Documentation tab.
3. To view a short description of each document, hover your cursor over the title. To open a document, click the title.
Getting Service and Support

For detailed information about Citrix services and support, see the Citrix Systems Support Web site at http://www.citrix.com/lang/English/support.asp. You can also participate in and follow technical discussions offered by the experts on various Citrix products at the following sites:
http://community.citrix.com
http://twitter.com/citrixsupport
Documentation Feedback
You are encouraged to provide feedback and suggestions so that we can enhance the documentation. You can send email to the following alias or aliases, as appropriate. In the subject line, specify Documentation Feedback. Be sure to include the document name, page number, and product release version.
For NetScaler documentation, send email to nsdocs_feedback@citrix.com.
For Command Center documentation, send email to ccdocs_feedback@citrix.com.
For Access Gateway documentation, send email to agdocs_feedback@citrix.com.
You can also provide feedback from the Knowledge Center at http://support.citrix.com/.
To provide feedback from the Knowledge Center home page

1. Go to the Knowledge Center home page at http://support.citrix.com/.
2. On the Knowledge Center home page, under Products, expand NetScaler, and then click the NetScaler release for which you want to provide feedback.
3. On the Documentation tab, click the guide name, and then click Article Feedback.
4. On the Documentation Feedback page, complete the form, and then click Submit.
Chapter 1
IP Addressing
Before you can configure the NetScaler, you must assign the NetScaler IP Address (NSIP), also known as the Management IP address. You can also create other NetScaler-owned IP addresses for abstracting servers and establishing connections with the servers. In this type of configuration, the NetScaler serves as a proxy for the abstracted servers. You can also proxy connections by using network address translations (INAT and RNAT). When proxying connections, the NetScaler can behave either as a bridging (Layer 2) device or as a packet forwarding (Layer 3) device. To make packet forwarding more efficient, you can configure static ARP entries.

In This Chapter
Configuring NetScaler-Owned IP Addresses
Proxying Connections
Configuring Modes of Packet Forwarding
Network Address Translation
Configuring Static ARP
IP Tunneling
1. In the navigation pane, click NetScaler.
2. On the System Overview page, click Setup Wizard.
3. In the Setup Wizard dialog box, click Next.
4. On the IP Addresses page, under System IP Address Configuration, in the IP Address, Netmask, and Host Name text boxes, type the IP address, subnet mask, and the host name, respectively (for example, 10.102.29.170, 255.255.255.0, and NS170).
5. Follow the instructions in the Setup Wizard to complete the configuration.
Example
set ns config -ipaddress 10.102.29.170 -netmask 255.255.255.0
Note: If an IPv6 address is configured as the NSIP on a NetScaler running release 8.1, the NSIP changes to a SNIP when you upgrade from release 8.1 to 9.2.
Parameter: Specifies

ARP: Use Address Resolution Protocol (ARP) to map IP addresses to the corresponding hardware addresses. Possible values: Enabled and Disabled. Default: Enabled.

ICMP (icmp): Send Internet Control Message Protocol (ICMP) messages. The user network applications that use ICMP are PING and TRACEROUTE. Possible values: Enabled and Disabled. Default: Enabled.

Virtual Server (vServer): Apply the vserver attribute to this IP entity. Possible values: Enabled and Disabled. Default: Enabled.

State: State of the VIP. Possible values: Enabled and Disabled. Default: Enabled.

Host Route: Advertise a route for this IP address. Possible values: Enabled and Disabled. Default: Disabled.

Host Route Gateway: IP address of the network advertised as the gateway to connect to external networks such as the Internet.

Metric: Value used by routing algorithms to compare the performance of this route to others. The route with the lowest metric is the preferred route. The default value depends on the routing protocol. To change the default, set this parameter. Possible values: -16777215 to 2147483647.

Vserver RHI Level: When the host route associated with the VIP is advertised. Possible values: ONE_VSERVER, ALL_VSERVERS, and NONE. Default: ONE_VSERVER.

OSPF LSA Type: Type of Link State Advertisement (LSA) used by the OSPF protocol to discover and maintain neighbor relationships. Possible values: Type 1 or Type 5. Default: Disabled.

Area (ospfArea): A logical collection of OSPF networks, routers, and links is an Area. Areas are identified by an Area ID. Possible values: 0 to 4294967295. Default: 1.
1. In the navigation pane, expand Network and click IPs.
2. In the details pane, on the IPv4s tab, select the IP address that you want to modify (for example, 10.102.29.5), and then click Open.
3. In the Configure IP dialog box, under Options, do one of the following:
   To disable ARP, clear the ARP check box.
   To enable ARP, check the ARP check box.
4. Click OK.
Examples
set ns ip 10.102.29.54 -ARP disable
set ns ip 10.102.29.54 -ARP enable
1. In the navigation pane, expand Network and click IPs.
2. In the details pane, on the IPv4s tab, select the IP address (for example, 10.102.29.5) and do one of the following:
   To enable the selected IP address, click Enable.
   To disable the selected IP address, click Disable.
Example
enable ns ip 10.102.29.5
disable ns ip 10.102.29.5
USNIP mode

Use the following procedure to enable or disable the Use SNIP mode.
To enable or disable USNIP using the configuration utility
1. In the navigation pane, expand System and click Settings.
2. In the details pane, in the Modes and Features group, click Change modes.
3. In the Configure Modes dialog box, do one of the following:
   To enable USNIP, select the Use Subnet IP check box.
   To disable USNIP, clear the Use Subnet IP check box.
4.
5.
Example
enable ns mode usnip
disable ns mode usnip
Parameter: Specifies

IP Address: Unique identification used to represent an entity. This is a mandatory parameter.

Netmask: Subnet mask associated with the IP address. This is a mandatory parameter.

IP Type (type): Type of the IP address. Possible values: SNIP, VIP, MIP, and GSLBsiteIP. Default: SNIP.

Note: You cannot use this procedure to configure the NSIP. For the procedure to configure the NSIP, see Creating the NetScaler IP Address (NSIP), on page 2.
1. In the navigation pane, expand Network and click IPs.
2. In the details pane, click Add.
3. In the Create IP dialog box, in the IP Address and Netmask text boxes, type the IP address and subnet mask, respectively (for example, 10.102.29.54 and 255.255.255.0).
4. Under IP Type, select the type of IP address to be created.
5. Click Create and click Close. The subnet IP address you created appears in the IPs page.
Example
add ns ip 10.102.29.54 255.255.255.0 -type SNIP
Removing an IP Address

You can remove any IP address except the NSIP. The following table provides information on the processes you must follow to remove the various types of IP addresses.

Removing an IP Address

IP address type: Implications

Subnet IP address (SNIP): If the IP address being removed is the last IP address in the subnet, the associated route from the route table is deleted. If the IP address being removed is the gateway in the corresponding route entry, the gateway for that subnet route is changed to another NetScaler-owned IP address.

Mapped IP address (MIP): If a SNIP exists, you can remove the MIPs. The NetScaler uses the NSIP and SNIPs to communicate with the servers when the MIP is removed. Therefore, you must also enable Use SNIP. For information on enabling and disabling Use SNIP, see To configure an IP address using the configuration utility, on page 7.

Virtual IP address (VIP): Before removing a VIP, you must first remove the vserver associated with it. For information on removing the vserver, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing.

GSLB-Site-IP address: Before removing a GSLB site IP address, you must remove the site associated with it. For information on removing the site, see the Citrix NetScaler Traffic Management Guide, Chapter 8, Global Server Load Balancing.
Use either of the following procedures to remove a MIP, GSLBIP, SNIP, or VIP. (Before removing a VIP, remove the associated virtual server.)
To remove an IP address using the configuration utility
1. In the navigation pane, expand Network and click IPs.
2. On the IPs page, on the IPv4s tab, select the IP address that you want to remove (for example, 10.102.29.54), and then click Remove.
3. In the Remove dialog box, click Yes.
Example
rm ns ip 10.102.29.54
Telnet (state configured on the NetScaler) | Telnet (effective state at the IP level)
Enable Disable Enable Disable Enable Disable Disable Disable
The following table provides an overview of the IP addresses used as source IP addresses in outbound traffic.

Application / IP | ARP | Server side traffic | RNAT | ICMP PING | Dynamic Routing

The following table provides an overview of the applications available on these IP addresses.

VIP | No | No
You can access and manage the NetScaler by using applications such as Telnet, SSH, GUI, and FTP.

Note: Telnet and FTP are disabled on the NetScaler for security reasons. To enable them, contact customer support.

After the applications are enabled, you can apply the controls at the IP level. The following table lists and describes the parameters used for customizing the SNIP and MIP addresses on your NetScaler.

Parameters for customizing a SNIP and MIP Address

Parameter: Specifies

Telnet (telnet): Allow Telnet access to the IP address. Possible values: ENABLED and DISABLED. Default: ENABLED.

FTP (ftp): Allow File Transfer Protocol (FTP) access to the IP address. Possible values: ENABLED and DISABLED. Default: ENABLED.

GUI (gui): Allow Graphical User Interface (GUI) access to the IP address. Possible values: ENABLED, SECUREONLY, and DISABLED. Default: ENABLED.

SSH: Allow Secure Shell (SSH) access to the IP address. Possible values: ENABLED and DISABLED. Default: ENABLED.

SNMP (snmp): Allow Simple Network Management Protocol (SNMP) access to the IP address. Possible values: ENABLED and DISABLED. Default: ENABLED.

Management Access (mgmtAccess): Allow external access to the IP address. Possible values: ENABLED or DISABLED. Default: DISABLED.

Dynamic Routing (dynamicRouting): Allow dynamic routing on the IP address. Specific to SNIP. Possible values: Enabled or Disabled. Default: Disabled.

Restrict Access: Block access to non-management applications on this IP. This option is applicable for MIPs, SNIPs, and the NSIP and is disabled by default. Non-management applications may run on the underlying NetScaler FreeBSD operating system. Possible values: ENABLED and DISABLED. Default: DISABLED.
To configure the NetScaler to respond to these applications using a specific IP address, you need to enable the specific management applications. If you disable management access for an IP address, existing connections that use the IP address are not terminated. However, if you close the session, you cannot initiate a connection. Also, the non-management applications running on the underlying FreeBSD operating system are open to protocol attacks, and these applications do not take advantage of the attack prevention capabilities of the NetScaler. You can block access to these non-management applications on a MIP, SNIP, and NSIP. When access is blocked, a user connecting to a NetScaler using a MIP, SNIP, or NSIP will not be able to access the non-management applications running on the underlying operating system.
To enable management access for an IP address using the configuration utility
1. In the navigation pane, expand Network and click IPs.
2. On the IPs page, select the IP address that you want to modify (for example, 10.102.29.54), and then click Open.
3. In the Configure IP dialog box, under Application Access Control, select the Enable Management Access control to support the below listed applications check box.
4. Select the application or applications that you want to enable.
5. To block access to non-management applications on this IP address, select the Allow access only to management applications check box.
6. Click OK.

To enable management access for an IP address using the NetScaler command line

Example
set ns ip 10.102.29.54 -mgmtAccess enabled -restrictAccess ENABLED
To display all the IP addresses using the configuration utility
In the navigation pane, expand Network and click IPs. The IPs page appears in the details pane, listing the available IP addresses and some of their properties.

To display all the IP addresses using the NetScaler command line

To verify the IP address configuration using the configuration utility
1. In the navigation pane, expand Network and click IPs.
2. On the IPs page, verify that the configured IP address (for example, 10.102.29.5) appears.
3. Select the IP address. Information about the address appears in the details pane.
Proxying Connections
When a client initiates a connection, the NetScaler terminates the client connection, initiates a connection to an appropriate server, and sends the packet to the server. The NetScaler does not perform this action for service type UDP or ANY. For more information about service types, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing. You can configure the NetScaler to process the packet before initiating the connection with a server. The default behavior of the NetScaler is to change the source and destination IP addresses of a packet before sending the packet to the server. You can configure the NetScaler to retain the source IP address of the packets by enabling Use Source IP mode.
Proxying Connections to VIPs

Packets bound to a service are sent directly to the appropriate server, and the NetScaler does not modify the destination IP addresses.
USIP Mode

When USIP mode is enabled for HTTP protocols, the NetScaler provides limited connection reuse, WAN latency, and denial of service (SYN) attack prevention benefits. When USIP mode is disabled, the NetScaler uses mapped IP addresses and subnet IP addresses to establish server-side connections. USIP mode has the following restrictions:

One-arm installations. You should not enable USIP mode if you install the NetScaler in a logical one-arm configuration, because in a one-arm configuration the NetScaler cannot bypass its own processing and send responses directly to the client. If the IP address of the default gateway for a service is one of the NetScaler-owned IP addresses, the traffic continues to flow through the NetScaler and the response is also processed correctly.

Concurrent HTTP connection limit. For HTTP protocols, USIP mode supports up to 64,000 concurrent connections. If concurrent HTTP connections between the NetScaler and servers are expected to exceed 64,000, you must disable USIP or contact customer support for the method to override this behavior. The concurrent connection limit applies only to HTTP. It does not affect other service types, for example, TCP, UDP, and FTP.

Delay when disabling USIP. Disabling USIP mode does not affect existing connections. This delay avoids outages on long-lived connections.

Performance impact on HTTP traffic. USIP mode prevents use of the same HTTP connection for multiple clients, and therefore can result in a large number of connections to the server. Furthermore, idle server connections can block connections for other clients. Therefore, you need to carefully set limits on the number of connections to services. Citrix suggests that you set the HTTP server time-out values on your services to a value lower than the default, so that idle client connections are cleared quickly on the server side. For more information about setting an idle timeout value, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing. Also, with USIP enabled, you must configure persistence (for example, source IP persistence) to ensure repeated selection of the same server and reuse of the client connection. Because TCP handles the traffic on a one-to-one basis, the USIP option does not affect TCP services.

Note: Citrix does not recommend the use of Surge Protection (SP) with USIP.

By default, USIP mode is disabled. You can enable or disable it globally or for a specific service. The setting for a specific service overrides the global setting. A newly created service inherits the global setting by default. To enable or disable USIP mode for a specific service, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing. To enable or disable USIP mode globally, use either of the following procedures.
To globally enable or disable USIP mode using the configuration utility
1. In the navigation pane, expand System and click Settings.
2. On the Settings page, under Modes and Features, click Change modes.
3. In the Configure Modes dialog box, do one of the following: To enable Use Source IP mode, select the Use Source IP check box. To disable Use Source IP mode, clear the Use Source IP check box.

To globally enable or disable USIP mode using the NetScaler command line

Examples
enable ns mode USIP
disable ns mode USIP

Note: Services that are created before you enable USIP mode globally do not inherit the global settings. For these services, you need to enable USIP mode at the service level. To enable or disable USIP mode for a specific service, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing.
With Layer 2 mode enabled, packets that are not destined for the NetScaler MAC address are bridged or processed, as shown in the following diagram.

Interaction between the Layer 2 and Layer 3 modes

By default, Layer 2 mode is disabled, causing the NetScaler to drop packets that are not destined for its MAC address. If another Layer 2 device is installed in parallel with the NetScaler, Layer 2 mode must be disabled to prevent bridging (Layer 2) loops. By default, Layer 3 mode is enabled. The NetScaler performs a route table lookup and forwards packets that are not destined to any NetScaler-owned IP address. If you disable Layer 3 mode, the NetScaler drops received packets if they are not destined for a NetScaler-owned IP address, as shown in the diagram, Interaction between the Layer 2 and Layer 3 modes, on page 18. To enable or disable Layer 2 mode or Layer 3 mode, use either of the following procedures.
To enable or disable the Layer 2 mode or Layer 3 mode using the configuration utility
1. In the navigation pane, expand System and click Settings.
2. On the Settings page, under Modes and Features, click Change modes.
3. In the Configure Modes dialog box, do one of the following: To enable Layer 2 mode, select the Layer 2 Mode check box. To disable Layer 2 mode, clear the Layer 2 Mode check box. To enable Layer 3 mode, select the Layer 3 Mode check box. To disable Layer 3 mode, clear the Layer 3 Mode check box.

To enable or disable the Layer 2 mode or Layer 3 mode using the NetScaler command line

Examples
enable ns mode l2
disable ns mode l2
enable ns mode l3
disable ns mode l3
Inbound NAT (INAT), in which the NetScaler replaces the destination IP address in the packets generated by the client with the private IP address of the server.
Reverse NAT (RNAT), in which the NetScaler replaces the source IP address in the packets generated by the servers with the public NAT IP addresses.
If you select the Use Source IP Address (USIP) mode, the Client IP address (CIP) is selected as the source IP address. However, if you have selected both USIP and USNIP modes, USIP mode takes precedence over USNIP. You can also configure the NetScaler to use a unique IP address as the source IP address, by using the ProxyIP parameter. For additional information on how to configure the NetScaler to use a unique IP address, see Customizing the INAT Configuration, on page 22.
Note: If the modes have not been selected and the unique IP has also not been specified, an attempt is made to send the packet using the Mapped IP Address (MIP). If both USIP and USNIP modes have been selected and the unique IP has also been specified, the order of precedence is as follows: USIP, then unique IP, then USNIP, then MIP, then Error.

The following table describes the parameters used to configure a basic INAT for incoming packets.

Inbound NAT Basic Parameters

Parameter                Specifies
Name                     Name of the Inbound NAT configuration being added. Mandatory parameter.
Public IP Address        Public destination IP address of packets received on the NetScaler. Mandatory parameter. Possible values: NetScaler-owned VIPs.
Private IP Address       Private destination IP address of the server to which the packet is sent by the NetScaler. Mandatory parameter. Possible values: IP addresses of the servers.
USIP (usip)              Use Source IP mode. Possible values: Enabled and Disabled. Default: Enabled.
USNIP (usnip)            Use Subnet IP mode. Possible values: Enabled and Disabled. Default: Enabled.
ProxyIP (proxyIP)        A unique IP address that is represented as the source IP address for the server.
The following procedure includes examples for creating an INAT configuration in which the NetScaler replaces the public VIP of 10.102.29.55 with 192.168.1.0, the private IP address of a physical server.

To configure INAT with a VIP as the destination IP address using the configuration utility
1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, click the INAT tab, and then click Add.
3. In the Create INAT dialog box, in the Name text box, type the name of the INAT (for example, MyNAT).
4. In the Public IP Address text box, type a public VIP address owned by the NetScaler (for example, 10.102.29.55).
5. In the Private IP Address text box, type the private IP address of the server (for example, 192.168.1.0).
6. Click Create, and then click Close.

To configure INAT with a VIP as the destination IP address using the NetScaler command line

Example
add inat MyNAT 10.102.29.55 192.168.1.0

To assign a unique IP address as the INAT source IP address using the configuration utility
1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, click the INAT tab, select the INAT, and then click Open.
3. In the Configure INAT dialog box, from the Proxy IP Address drop-down menu, select an IP address that the NetScaler will use as the client IP address (for example, 10.102.29.56).
4. Click Create and then click Close.

To assign a unique IP address as the INAT source IP address using the NetScaler command line

Example
set inat MyNAT1 -proxyip 10.102.29.56
You can configure INAT to protect the NetScaler from DoS attacks by enabling TCP Proxy and/or FTP. However, if other protection mechanisms are used in your network, you may want to disable these features.

The following table lists and describes the parameters used to configure an existing INAT with the FTP and TCPProxy features.

Customizing INAT Configuration

Parameter                Specifies
TCPProxy (tcpproxy)      Allow TCP traffic. Possible values: Enabled and Disabled. Default: Disabled.
FTP (ftp)                Allow Active FTP. Possible values: Enabled and Disabled. Default: Disabled.
Use either of the following procedures to enable or disable TCP traffic on an existing INAT. In the example, MyNAT1 is the existing INAT.

To enable or disable TCPProxy on the INAT using the configuration utility
1. In the navigation pane, expand Network, expand Routing, and then click Routes.
2. On the Routes page, click the INAT tab, select the name of the INAT that you want to modify (for example, MyNAT1), and then click Open.
3. In the Configure INAT dialog box, do one of the following: To enable TCPProxy, select the TCP Proxy Mode check box. To disable TCPProxy, clear the TCP Proxy Mode check box.
4. Click OK and then click Close.

To enable or disable TCP Proxy mode on the INAT using the NetScaler command line

Examples
set inat TestINAT -tcpproxy enabled
set inat TestINAT -tcpproxy disabled

To remove an INAT configuration using the configuration utility
1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, click the INAT tab.
3. In the details pane, select the name of the INAT configuration that you want to remove (for example, MyNAT).
4. Click Remove, and then click Close.

To remove an INAT configuration using the NetScaler command line

Example
rm inat MyNAT
Case: You have configured a vserver and a service to send all data packets received on a specific NetScaler port to the server directly. You have also configured INAT and enabled TCP. Configuring INAT in this manner sends all data packets received through a TCP engine before sending them to the server.
Result: All packets received on the NetScaler, except those received on the specific port, will pass through the TCP engine.

Case: You have configured a vserver and a service to send all data packets of service type TCP, that are received on a specific port on the NetScaler, to the server after passing through the TCP engine. You have also configured INAT and disabled TCP. Configuring INAT in this manner sends the data packets received directly to the server.
Result: Only packets received on the specific port will pass through the TCP engine.

Case: You have configured a vserver and a service to send all data packets received to either of two servers. You are attempting to configure INAT to send all data packets received to a different server.

Case: You have configured INAT to send all data packets received directly to a server. You are attempting to configure a vserver and a service to send all data packets received to two different servers.
The following procedure enables RNAT with the NAT IP set to a MIP. In the example, RNAT is enabled for the network 192.168.1.0 and subnet mask 255.255.255.0. The NetScaler changes the source IP address of packets originating from the 192.168.1.0 network to the MIP.

To enable RNAT when the NAT IP is set to a MIP using the configuration utility
1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, on the RNAT tab, click Configure RNAT.
3. In the Configure RNAT dialog box, in the Network and Netmask text boxes, type the network and subnet mask for which you want to enable RNAT (for example, 192.168.1.0 and 255.255.255.0).
4. Click Create, and then click Close.

To enable RNAT when the NAT IP is set to a MIP using the NetScaler command line

Example
set rnat 192.168.1.0 255.255.255.0

The following table describes the parameter used to set a unique NAT IP address.

Assigning a Unique NAT IP

Parameter
Available NAT IP (s) (natip)
The following procedures include examples in which the NetScaler is configured to use two unique IP addresses, MIP1 and MIP2, for two subnets. The NetScaler replaces the source IP addresses of packets originating from the 192.168.1.0 and 192.168.2.0 subnets with 10.102.29.50 (MIP1) and 10.102.29.60 (MIP2), respectively.

To enable RNAT when the NAT IP is set to a unique IP address using the configuration utility
1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, on the RNAT tab, select the RNAT network for which you want to configure the NAT IP address (for example, 192.168.1.0).
3. Click Configure RNAT.
4. In the Configure RNAT dialog box, in the Available NAT IP (s) list box, select the NAT IP address that you want to configure (for example, select 10.102.29.50).
5. Click Add. The NAT IP you selected in Step 4 appears in the Configured NAT IP (s) list box.
6. Click OK.
7. Repeat steps 2-6 if you want to configure another RNAT network (for example, to configure the NAT IP address for 192.168.2.0 to 10.102.29.60).

To enable RNAT when the NAT IP is set to a unique IP address using the NetScaler command line

Examples
set rnat 192.168.1.0 255.255.255.0 -natip 10.102.29.50
set rnat 192.168.2.0 255.255.255.0 -natip 10.102.29.60

Note: If multiple NAT IP addresses are configured for a subnet, NAT IP selection uses the round robin algorithm.

Note: ACL-based RNAT is not applied to traffic originating from the NetScaler. For more information on ACLs, see Chapter 3, Access Control Lists (ACLs). The following diagram illustrates RNAT configured with an ACL.
Configuring an ACL
The following procedure creates a new ACL. Alternatively, you can open and modify an existing ACL. This procedure includes examples for creating an ACL named acl1, which allows TCP traffic originating from a server with IP address 10.102.29.40 to an external client at 209.165.202.11.
To create an ACL using the configuration utility
1. In the navigation pane, expand Network and click ACLs.
2. On the ACLs page, click the Extended ACL tab, and then click Add.
3. In the Add ACL dialog box, in the Name text box, type the name of the ACL (for example, acl1).
4. In the Action list, select an action (for example, ALLOW), in the Operator drop-down list, select an option (for example, =), and in the Protocol drop-down list, select a protocol (for example, TCP).
5. Under Source, in the Low and High text boxes, type the IP addresses (for example, 10.102.29.40 and 10.102.29.40).
6. Under Destination, in the Low and High text boxes, type the IP addresses (for example, 209.165.201.11 and 209.165.201.11).
7. Click Create, and click Close.

To create an ACL using the NetScaler command line

Example
add acl acl1 allow -srcip 10.102.29.40 -destip 209.165.201.11 -protocol TCP
To set RNAT to change the source IP address and destination port using the configuration utility
1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, click the RNAT tab and click Configure RNAT.
3. In the Configure RNAT dialog box, click the ACL radio button.
4. In the ACL Name drop-down list box, select the ACL that you want to configure (for example, acl1).
5. In the Redirect Port text box, type the port (for example, 8080).
6. In the Available NAT IP (s) list box, select the NAT IP address that you want to configure (for example, 209.165.202.129).
7. Click Add. The NAT IP you selected appears in the Configured NAT IP (s) list box.
8. Click Create, and click Close.

To set RNAT to change the Source IP address and Destination Port using the NetScaler command line

Example
set rnat acl1 -natip 209.165.202.129 -redirectPort 8080

Note: The NetScaler uses ports 1024 to 64000 for mapped IP addresses and subnet IP addresses. This behavior does not apply when a unique NAT IP address is used.
In a topology where the NetScaler performs both Link Load Balancing (LLB) and RNAT for traffic originating from the server, the NetScaler selects the source IP address based on the router. The LLB configuration determines selection of the router. Note: For more information about LLB, see the Citrix NetScaler Traffic Management Guide, Chapter 9, Link Load Balancing.
Monitoring RNAT

You can display RNAT statistics to troubleshoot issues related to IP address translation. The following tables describe the statistics associated with RNAT and RNAT IP.

RNAT Statistics

Statistic            Description
Bytes received       Bytes received during RNAT sessions.
Bytes sent           Bytes sent during RNAT sessions.
Packets received     Packets received during RNAT sessions.
Packets sent         Packets sent during RNAT sessions.
Syn sent             Requests for connections sent during RNAT sessions.
Current sessions     Currently active RNAT sessions.

RNAT IP Statistics

Statistic            Description
Bytes received       Bytes received on this IP address during RNAT sessions.
Bytes sent           Bytes sent from this IP address during RNAT sessions.
Packets received     Packets received on this IP address during RNAT sessions.
Packets sent         Packets sent from this IP address during RNAT sessions.
Syn sent             Requests for connections sent from this IP address during RNAT sessions.
Current sessions     Currently active RNAT sessions started from this IP address.
To display RNAT statistics using the configuration utility
1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. In the details pane, on the RNAT tab, click Statistics.

To display RNAT IP statistics using the configuration utility
1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. In the details pane, on the RNAT tab, select the NAT IP whose statistics you want to view.
3. Click Statistics.

To display RNAT IP statistics using the NetScaler command line

Example
stat rnatip 10.102.29.61
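The RNAT behaviour described in this section, modelled in Python as an added example (this is not NetScaler code): the source address of packets from a configured network is replaced by a NAT IP, several NAT IPs for one network are used round robin, ACL-based RNAT can also rewrite the destination port, source ports 1024 to 64000 are used when the NAT IP is a MIP or SNIP but not for a unique NAT IP, and the counters mirror the RNAT and RNAT IP statistics tables above. The packets, the ACL, the addresses, the dictionary keys and the counter names are all this example's own constructed values.

```python
"""Model of NetScaler RNAT source-address translation and its statistics.

Added example, not NetScaler code. It models what the text describes:
packets from a configured network get their source IP replaced by a NAT IP
(round robin when several NAT IPs are configured), ACL-based RNAT can also
rewrite the destination port, and source ports 1024-64000 are used when the
NAT IP is a MIP or SNIP but not for a unique NAT IP. Per-RNAT and per-NAT-IP
counters mirror the two statistics tables. Packets, ACL and addresses are
constructed samples; the dict keys and counter names are this example's own.
"""
import ipaddress
import itertools
from dataclasses import dataclass, field
from typing import Dict, Optional

PORT_RANGE = range(1024, 64001)   # MIP/SNIP source-port range given in the note above


@dataclass
class Acl:
    name: str
    src_ip: str
    dst_ip: str
    protocol: str = "TCP"

    def matches(self, pkt: dict) -> bool:
        return (pkt["src"] == self.src_ip and pkt["dst"] == self.dst_ip
                and pkt["proto"] == self.protocol)


@dataclass
class RnatRule:
    network: Optional[str] = None                 # subnet-based RNAT, e.g. "192.168.1.0/24"
    acl: Optional[Acl] = None                     # ACL-based RNAT
    natips: list = field(default_factory=list)    # empty list = use the MIP
    redirect_port: Optional[int] = None

    def __post_init__(self):
        self._net = ipaddress.ip_network(self.network) if self.network else None
        self._rr = itertools.cycle(self.natips)   # round-robin NAT IP selection

    def matches(self, pkt: dict) -> bool:
        if self.acl is not None:
            return self.acl.matches(pkt)
        return ipaddress.ip_address(pkt["src"]) in self._net

    def pick_natip(self, mip: str) -> str:
        return next(self._rr) if self.natips else mip


def _counters() -> Dict[str, int]:
    return {k: 0 for k in ("bytes_received", "bytes_sent", "packets_received",
                           "packets_sent", "syn_sent", "current_sessions")}


class Rnat:
    def __init__(self, mip: str, owned_ips: set):
        self.mip = mip
        self.owned = owned_ips            # MIPs and SNIPs: NAT IPs that get a mapped port
        self.rules: list = []
        self.stats = _counters()          # the "RNAT Statistics" table
        self.ip_stats: Dict[str, Dict[str, int]] = {}   # the "RNAT IP Statistics" table
        self.sessions: dict = {}          # (orig src, orig sport) -> (natip, mapped port)
        self._ports = {ip: iter(PORT_RANGE) for ip in owned_ips}

    def translate(self, pkt: dict) -> Optional[dict]:
        """Return the outbound packet after RNAT, or None if no rule matches."""
        rule = next((r for r in self.rules if r.matches(pkt)), None)
        if rule is None:
            return None
        key = (pkt["src"], pkt["sport"])
        if key not in self.sessions:                      # first packet of a session
            natip = rule.pick_natip(self.mip)
            # Ports from 1024-64000 are allocated only for MIP/SNIP NAT IPs;
            # a unique NAT IP keeps the original source port.
            port = next(self._ports[natip]) if natip in self.owned else pkt["sport"]
            self.sessions[key] = (natip, port)
            ipc = self.ip_stats.setdefault(natip, _counters())
            for c in (self.stats, ipc):
                c["current_sessions"] += 1
                if pkt.get("syn"):
                    c["syn_sent"] += 1
        natip, port = self.sessions[key]
        for c in (self.stats, self.ip_stats[natip]):
            c["packets_sent"] += 1
            c["bytes_sent"] += pkt["len"]
        out = dict(pkt, src=natip, sport=port)
        if rule.redirect_port is not None:                # ACL-based RNAT redirect port
            out["dport"] = rule.redirect_port
        return out

    def receive(self, pkt: dict) -> None:
        """Count a reply arriving on one of the NAT IPs (return direction)."""
        ipc = self.ip_stats.get(pkt["dst"])
        if ipc is None:
            return
        for c in (self.stats, ipc):
            c["packets_received"] += 1
            c["bytes_received"] += pkt["len"]
```

Rules are evaluated in the order they were added, so a subnet rule listed before an ACL rule wins for any source that falls inside that subnet; keep the more specific ACL rule first if both could match the same traffic.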
Parameter                      Specifies
IP Address (IPAddress)         The IP address of the server.
MAC Address (mac)              The MAC address of the server. Type the MAC address with colons (:) as shown in the example below.
Interface Number (ifnum)       The physical interface for the ARP entry. Use the show interface command to view the valid interface names.
Use either of the following procedures to add a static ARP entry to the ARP table.

To create an ARP entry using the configuration utility
1. In the navigation pane, expand Network and click ARP Table.
2. On the ARP Table page, click Add.
3. In the Add ARP entry dialog box, in the IP Address, MAC Address, and Interface Number text boxes, respectively, type the IP address, MAC address, and network interface number that you want to add to the ARP table (for example, 10.102.29.54, 00:aa:10:12:13:ef, and 1/8).
4. Click Create and click Close. The ARP entries you added appear in the ARP Table page, as shown in the following figure.

To create an ARP entry using the NetScaler command line

Example
add arp -IPAddress 10.102.29.54 -mac 00:aa:10:12:13:ef -ifnum 1/8

To remove an ARP entry using the configuration utility
1. In the navigation pane, expand Network and click ARP Table.
2. On the ARP Table page, select the ARP entry that you want to remove (for example, 10.102.29.54).
3. Click Remove.
4. In the Remove dialog box, click Yes.

To remove an ARP entry using the NetScaler command line

Example
rm arp 10.102.29.54

To verify an ARP entry using the configuration utility
1. In the navigation pane, expand Network and click ARP Table. The ARP Table page appears in the details pane, showing the details of the available ARP entries.
2. Verify that the configured ARP entry (for example, 10.102.29.54) appears.
3. Select the IP address (for example, 10.102.29.54) and, in the details section, verify that the parameters are configured as intended.
IP Tunneling
An IP tunnel is a communication channel, created by using encapsulation technologies, between two networks that do not have a routing path. Every IP packet shared between the two networks is encapsulated within another packet and then sent via the tunnel. The NetScaler implements IP tunneling in the following ways:
NetScaler as an Encapsulator (Load Balancing with DSR mode)
NetScaler as a Decapsulator

NetScaler as a Decapsulator

Consider an organization having multiple data centers, each having NetScalers and back-end servers. When a packet is sent from data center A to data center B, it is usually sent via an intermediary, say a router or another NetScaler. The NetScaler processes the packet and then forwards the packet to the back-end server. However, if an encapsulated packet is sent, the NetScaler must be able to decapsulate the packet before sending it to the back-end servers. To enable the NetScaler to function as a decapsulator, a tunnel is added between the router and the NetScaler. When the encapsulated packet, with additional header information, reaches the NetScaler, the data packet is decapsulated, that is, the additional header information is removed, and the packet is then forwarded to the appropriate back-end servers. The NetScaler can also be used as a decapsulator for the Load Balancing feature, specifically in scenarios when the number of connections on a vserver exceeds a threshold value and all the new connections are then diverted to a backup vserver. For more information on the spillover option, see Diverting Excess Traffic to a Backup Load Balancing Virtual Server, in the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing.
NS as a Decapsulator
Adding an IP Tunnel

This section discusses how to enable IP/IP (IP tunneling) for a specific virtual IP (VIP) address. Enabling IP/IP involves adding an IP tunnel manually; such tunnels are known as configured tunnels. The following table lists and describes the parameters used for adding a tunnel manually.

Parameter        Specifies
Name             Name of the IP tunnel. Mandatory parameter.
Remote IP        Address of the entry point of the tunnel. Mandatory parameter.
Remote Mask      Subnet mask of the remote IP address of the tunnel. Mandatory parameter.
Local IP         Local IP address of the tunnel. Possible values: Auto, MIP, SNIP, and VIP. Default: Auto.
Type
Protocol         IP tunneling protocol. Possible values: IPIP. Default: IPIP.
To add an IP Tunnel using the configuration utility
1. In the navigation pane, expand Network, and click IP Tunnels.
2. On the IP Tunnels page, click Add.
3. In the Add IP Tunnel dialog box, in the Name text box, type the name of the tunnel (for example, nstl).
4. In the Remote IP text box, type a public VIP address owned by the NetScaler (for example, 192.168.0.0).
5. In the Remote Mask text box, type the subnet mask of the remote IP address of the tunnel (for example, 255.255.255.0).
6. Click Create, and then click Close.

To add an IP Tunnel using the NetScaler command line

Example
add iptunnel nstl 192.168.0.0 255.255.255.0 *
To view all the IP Tunnels created using the configuration utility
In the navigation pane, expand Network, and click IP Tunnels. On the IP Tunnels page, all the created IP tunnels are displayed.

To view all the IP Tunnels created using the NetScaler command line

To verify the IP Tunnel configuration using the configuration utility
1. In the navigation pane, expand Network, and click IP Tunnels.
2. On the IP Tunnels page, verify that the configured IP tunnel appears (for example, check that the nstl tunnel appears).
3. Select the configured IP tunnel (for example, nstl) and, in the Details section, verify that the parameters displayed are as configured.

To verify the IP Tunnel configuration using the NetScaler command line

Example
sh iptunnel nstl
Removing an IP Tunnel

A tunnel is a communication channel created between two appliances. The tunnel can be removed when either one of the appliances goes down or when you no longer use that tunnel, irrespective of the type of tunnel.

To remove an IP Tunnel using the configuration utility
1. In the navigation pane, expand Network, and click IP Tunnels.
2. On the IP Tunnels page, select the name of the IP tunnel that you want to remove (for example, nstl), and click Remove.
3. In the Remove pop-up window, click Yes.

To remove an IP Tunnel using the NetScaler command line

Example
rm iptunnel nstl
The following table lists and describes the parameters required for customizing the IP tunnels globally.

Parameter                                                                  Specifies
Source IP (srcIP)                                                          The common global source IP address for all tunnels. The global source IP can be either a MIP or a SNIP. You can also create a new MIP or SNIP address to be used as the global source IP address.
Drop packet if fragmentation is required (dropFrag)                        Packet must be dropped if it requires fragmentation. Possible values: Yes or No. If the value is set to Yes, packets that require fragmentation are dropped by the NetScaler. If the value is set to No, packets are not dropped if they require fragmentation. Default: No.
Dont fragment and drop packet if CPU usage is => (dropFragCpuThreshold)    Packet must be dropped if the CPU usage is greater than or equal to the user-configured value. This parameter is applicable only if the Drop packet if fragmentation is required parameter is set to No. Possible values: 1 to 100. Default: 0 (not set). For example, assume that the configured CPU usage value is 50%. If the CPU usage is not greater than 50%, all packets are fragmented and not dropped. If the CPU usage is greater than 50%, all packets are dropped and not fragmented. If the CPU usage value has not been specified, all packets are fragmented and not dropped.

To customize the IP tunnels globally using the configuration utility
1. In the navigation pane, click Network.
2. In the Network page, in the IP Tunnels group, click IP Tunnel Global Settings.
3. In the Configure IP Tunnel Global Parameters dialog box, in the Source IP text box, select the global source IP address of the tunnel (for example, 10.102.29.21). Note: You can also add a new IP address of type SNIP or MIP to be used as the default source IP address for all tunnels by clicking New. An updated Add IP dialog box is displayed to enable you to add a new source IP address.
4. Do one of the following: To enable the NetScaler to drop packets if fragmentation is required, select the Drop packet if fragmentation is required check box. To enable the NetScaler to fragment the packets, clear the Drop packet if fragmentation is required check box.
5. To fragment packets until the threshold value for the CPU usage is met, type a value in the Dont fragment and drop packet if CPU usage is => text box, for instance, 50. Note: To fragment packets irrespective of the CPU usage, do not specify any value in the Dont fragment and drop packet if CPU usage is => text box.
6. Click OK.

To customize the IP tunnels globally using the NetScaler command line

Example
set iptunnelparam -srcIP 12.12.12.22 -dropFrag No -dropFragCpuThreshold 50
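The encapsulation and decapsulation this section describes, together with the global fragmentation policy from the parameter table above, as a Python model. This is an added example, not NetScaler code: it builds a real IPv4 outer header with protocol number 4 (IPIP) around an inner packet, strips and validates it on the decapsulating side, and applies the documented order of decisions when the encapsulated packet exceeds the path MTU: drop if Drop packet if fragmentation is required is Yes, otherwise drop only when a CPU threshold is configured and CPU usage is at or above it, otherwise fragment. The MTU and CPU-usage figures, the addresses and the TunnelParams class are this example's own constructed values and names.

```python
"""IP-in-IP (IPIP) encapsulation and decapsulation with the global tunnel
fragmentation policy described in the parameter table.

Added example, not NetScaler code. It builds a 20-byte IPv4 outer header
(protocol 4 = IPIP) around an inner packet, strips it again on the
decapsulator, and applies the documented policy: drop when fragmentation is
required and "drop packet if fragmentation is required" is Yes; otherwise
drop only when a CPU threshold is set and CPU usage is at or above it;
otherwise fragment. Addresses, MTU and CPU figures are constructed samples.
"""
import ipaddress
import struct
from typing import List, Optional

IPPROTO_IPIP = 4
IPV4_HLEN = 20


def checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words, as used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                ident: int = 0, flags: int = 0, frag_off: int = 0) -> bytes:
    """Build a minimal IPv4 header (no options) with a valid checksum."""
    ver_ihl = (4 << 4) | (IPV4_HLEN // 4)
    flags_frag = (flags << 13) | (frag_off // 8)          # fragment offset is in 8-byte units
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, IPV4_HLEN + payload_len, ident,
                      flags_frag, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap a complete inner IP packet in an outer IPIP header."""
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner)) + inner


def decapsulate(outer: bytes) -> bytes:
    """Strip the outer header; reject anything that is not a valid IPIP packet."""
    if len(outer) < IPV4_HLEN:
        raise ValueError("truncated outer header")
    ver_ihl, _, total, _, _, _, proto, _ = struct.unpack("!BBHHHBBH", outer[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != IPPROTO_IPIP:
        raise ValueError("not an IPv4 IPIP packet")
    if checksum(outer[:ihl]) != 0:                        # a valid header sums to zero
        raise ValueError("bad outer header checksum")
    return outer[ihl:total]


def fragment(inner: bytes, src: str, dst: str, mtu: int, ident: int = 1) -> List[bytes]:
    """Split the encapsulated payload into outer fragments that fit the MTU."""
    chunk = (mtu - IPV4_HLEN) // 8 * 8                    # fragment data is a multiple of 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry a fragment")
    frags = []
    for off in range(0, len(inner), chunk):
        data = inner[off:off + chunk]
        more = 1 if off + chunk < len(inner) else 0       # MF flag on all but the last
        frags.append(ipv4_header(src, dst, IPPROTO_IPIP, len(data), ident, more, off) + data)
    return frags


class TunnelParams:
    """Global IP tunnel parameters (the options of set iptunnelparam); names are this example's."""
    def __init__(self, src_ip: str, drop_frag: bool = False,
                 drop_frag_cpu_threshold: Optional[int] = None):
        self.src_ip = src_ip
        self.drop_frag = drop_frag
        self.cpu_threshold = drop_frag_cpu_threshold      # None = not set (the default)

    def send(self, inner: bytes, remote_ip: str, mtu: int, cpu_usage: int) -> List[bytes]:
        """Return the outer packets to transmit; an empty list means the packet was dropped."""
        outer = encapsulate(inner, self.src_ip, remote_ip)
        if len(outer) <= mtu:
            return [outer]
        if self.drop_frag:
            return []                                     # dropFrag Yes: never fragment
        if self.cpu_threshold is not None and cpu_usage >= self.cpu_threshold:
            return []                                     # CPU at or above the threshold
        return fragment(inner, self.src_ip, remote_ip, mtu)
```

With no threshold configured the policy always fragments, matching the table's default of 0 (not set); the threshold only matters when dropFrag is No, which is why send() tests drop_frag first.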
Chapter 2
Interfaces

Before you begin configuring interfaces, decide whether your configuration can use MAC-based forwarding mode, and either enable or disable this system setting accordingly. The number of interfaces you have depends on the NetScaler that you own. In addition to configuring individual interfaces, you can logically group interfaces, using VLANs to restrict data flow within a set of interfaces, and you can aggregate links into channels. In a high availability setup, you may configure a virtual MAC (VMAC) address if necessary. If you use L2 mode, you might want to modify the ageing of the bridge table. When your configuration is complete, decide whether you should enable the system setting for path MTU discovery. NetScaler appliances can be deployed in active-active mode using VRRP. An active-active deployment, in addition to preventing downtime, makes efficient use of all the NetScaler appliances in the deployment. You can use the Network Visualizer tool to view the network configuration of a NetScaler deployment and configure interfaces, channels, VLANs, and bridge groups.

In This Chapter
MAC-Based Forwarding
Configuring Network Interfaces
Configuring VLANs
Configuring Bridge Groups
Configuring Link Aggregation
Configuring VMACs
Configuring the Bridge Table
Enabling or Disabling Path MTU Behavior
Configuring NetScaler Appliances in Active-Active Mode using VRRP
Network Visualizer
MAC-Based Forwarding
When MAC-based forwarding (MBF) is enabled and a request reaches the NetScaler, the NetScaler remembers the source MAC address of the frame and uses that MAC address as the destination MAC address for the resulting replies. In this way, MAC-based forwarding avoids multiple route and ARP lookups and avoids asymmetrical packet flows. MAC-based forwarding may be required when the NetScaler is connected to multiple stateful devices, such as VPN devices or firewalls, because it ensures that the return traffic is sent to the same device that the initial traffic came from. MAC-based forwarding is useful when you use VPN devices, because it guarantees that all traffic flowing through a VPN passes back through the same VPN device. The following topology diagram illustrates the process of MAC-based forwarding.
When a server replies through the NetScaler, the NetScaler sets the destination MAC address of the response packet to the cached address, ensuring that the traffic flows in a symmetric manner, and then forwards the response to the client. The process bypasses the route table lookup and ARP lookup functions. However, when the NetScaler initiates a connection, it uses the route and ARP tables for the lookup function. When you need to use a direct server return configuration, you must enable MAC-based forwarding. For more information about direct server return configurations, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing.

Some deployment topologies may require the incoming and outgoing paths to flow through different routers. In these situations, MAC-based forwarding breaks this topology design. MBF should be disabled in the following situations:
- When you configure link load balancing. In this case, asymmetric traffic flows are desirable because of link costs.
- When a server uses network interface card (NIC) teaming without using LACP (802.1ad Link Aggregation). To enable MAC-based forwarding in this situation, you must use a layer 3 device between the NetScaler and server.
  Note: MBF can be enabled when the server uses NIC teaming with LACP, because the virtual interface uses one MAC address.
- When firewall clustering is used. Firewall clustering assumes that ARP is used to resolve the MAC address for inbound traffic. Sometimes the inbound MAC address can be a non-clustered MAC address and should not be used for inbound packet processing.
When MBF is disabled, the NetScaler uses L2 or L3 connectivity to forward the responses from servers to the clients. Thus, depending on the route table, the routers used for the outgoing connection and the incoming connection can be different. In the case of reverse traffic (response from the server):
- If the source and destination are on different IP subnets, the NetScaler uses the route lookup to locate the destination.
- If the source is on the same subnet as the destination, the NetScaler looks up the ARP table to locate the network interface and forwards the traffic to it. If the ARP entry does not exist, the NetScaler sends an ARP request for it.
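The reply-path selection described above, as an added example that is not NetScaler code: a constructed Python model in which a request that arrived through one firewall is answered through the same firewall when MBF is on, and through whichever firewall the route table picks when MBF is off. Device names, MAC addresses, subnets and interface names are all assumptions made up for the illustration.

```python
# Added example (not NetScaler code): a constructed model of how the reply path
# is chosen with MAC-based forwarding enabled versus disabled. Device names,
# MAC addresses, subnets and interface names below are made up.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Tuple

NextHop = Tuple[str, str]  # (destination MAC address, egress interface)


@dataclass
class NetScaler:
    mbf: bool
    # Constructed directly connected (SNIP) subnets: subnet -> interface.
    local_subnets: Dict[str, str]
    # Constructed route table: destination prefix -> next-hop router IP.
    routes: Dict[str, str]
    # Constructed ARP table: IP -> (MAC, interface).
    arp: Dict[str, NextHop]
    # MBF cache learned from requests: client IP -> (source MAC, ingress interface).
    mbf_cache: Dict[str, NextHop] = field(default_factory=dict)

    def receive_request(self, client_ip: str, src_mac: str, ingress_if: str) -> None:
        """With MBF on, remember where the request came from; otherwise learn nothing."""
        if self.mbf:
            self.mbf_cache[client_ip] = (src_mac, ingress_if)

    def _arp(self, ip: str) -> NextHop:
        if ip not in self.arp:
            # The text says a missing entry triggers an ARP request; the model
            # simply fails here instead of sending one.
            raise KeyError(f"no ARP entry for {ip}")
        return self.arp[ip]

    def lookup(self, dst_ip: str) -> Tuple[NextHop, str]:
        """Route-table plus ARP-table path, used whenever MBF cannot answer."""
        ip = ipaddress.ip_address(dst_ip)
        # Same subnet as the NetScaler: resolve the host itself through the ARP table.
        for subnet in self.local_subnets:
            if ip in ipaddress.ip_network(subnet):
                return self._arp(dst_ip), "arp"
        # Different subnet: longest-prefix route lookup, then ARP for the next hop.
        best = max((p for p in self.routes if ip in ipaddress.ip_network(p)),
                   key=lambda p: ipaddress.ip_network(p).prefixlen)
        return self._arp(self.routes[best]), "route"

    def reply_to(self, client_ip: str) -> Tuple[NextHop, str]:
        """Choose the next hop for a server response going back to the client."""
        if self.mbf and client_ip in self.mbf_cache:
            return self.mbf_cache[client_ip], "mbf"   # bypasses route and ARP lookups
        return self.lookup(client_ip)

    def initiate(self, dst_ip: str) -> Tuple[NextHop, str]:
        """Connections the NetScaler itself opens always use the route and ARP tables."""
        return self.lookup(dst_ip)


def build_demo(mbf: bool) -> NetScaler:
    """Two stateful firewalls in front of the NetScaler; the default route points at FW-A."""
    return NetScaler(
        mbf=mbf,
        local_subnets={"10.0.1.0/24": "1/1"},
        routes={"0.0.0.0/0": "10.0.1.1", "10.20.0.0/16": "10.0.1.2"},
        arp={"10.0.1.1": ("00:00:5e:00:00:0a", "1/1"),    # FW-A
             "10.0.1.2": ("00:00:5e:00:00:0b", "1/2"),    # FW-B
             "10.0.1.50": ("00:00:5e:00:00:50", "1/1")},  # host on the local subnet
    )


if __name__ == "__main__":
    for mbf in (False, True):
        ns = build_demo(mbf)
        # The client's request arrives through FW-B, although the route table
        # would pick FW-A for the return path.
        ns.receive_request("198.51.100.7", "00:00:5e:00:00:0b", "1/2")
        print(f"mbf={mbf}: reply via {ns.reply_to('198.51.100.7')}")
```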
2. In the details pane, in the Modes and Features group, click Change modes.
3. In the Configure Modes dialog box, do one of the following:
   To enable MAC-based forwarding, select the MAC Based Forwarding check box.
   To disable MAC-based forwarding, clear the MAC Based Forwarding check box.
Examples
enable ns mode mbf
disable ns mode mbf
Parameter (CLI name): Specifies
Interface number: The number assigned to the interface.
Speed (speed): Ethernet speed for the interface. Possible values: AUTO, 10, 100, 1000, and 10000 Mbps. Default: AUTO. A setting other than AUTO requires the same configuration for the device at the other end of the link. Mismatched speed (or duplex) configurations can cause link errors, packet losses, and other errors. Some network interfaces do not support certain speeds. An attempt to set an unsupported speed is reported as an error.
Duplex (duplex): Duplex mode for the interface. Possible values: AUTO, HALF, and FULL. Default: AUTO. AUTO is recommended. If you force HALF or FULL mode, you must manually configure the same mode and identical speed on both sides of the link.
Flow Control (flowControl): Apply 802.3x flow control to the interface. Possible values: OFF, RX, TX, RXTX, and ON (forced RXTX). Default: OFF. Real flow control status depends on the auto-negotiation results. Link parameter mismatches must be checked for and avoided because, for example, they can cause the NetScaler to drop packets, or the link may not be accessible.
Auto Negotiate (autoneg): Use auto negotiation on the interface. Possible values: DISABLED and ENABLED.
HA Monitor (haMonitor): Monitor the interface for failure events. Possible values: ON and OFF. Default: ON. When ON in an HA configuration, failover occurs when a network interface fails. If a network interface is not being used, or if failover is not required, select OFF. (Also, if the network interface is not used in the configuration, you must disable it.)
Trunk (trunk): Trunk port functionality for the interface. Possible values: ON and OFF. Default: OFF. With the ON setting, traffic is tagged for the VLANs bound to this network interface, including the default VLAN. If you require 802.1q behavior with backward compatibility, you must set this parameter to OFF.
LACP Mode (lacpMode): LACP mode. Possible values: DISABLED, ACTIVE, and PASSIVE. Default: DISABLED.
LACP Key (lacpKey): LACP key for the interface. Possible values: 1 to 4.
LACP Priority (lacpPriority): LACP port priority. Possible values: 1 to 65535. Default: 32768.
LACP Time-out (lacpTimeout): LACP timeout setting. Possible values: LONG and SHORT. Default: LONG.
Alias (ifAlias): Alias name for the interface.
Throughput (throughput): Minimum required throughput for the interface.
Note: For more information about Link Aggregate Control Protocol (LACP), see Configuring the Link Aggregate Channel Protocol, on page 72.

Use either of the following procedures to modify the duplex setting of a network interface.
To modify the duplex setting of a network interface using the configuration utility
1. In the navigation pane, expand Network and click Interfaces.
2. On the Interfaces page, select the network interface that you want to modify (for example, 1/8).
3. Click Open.
4. In the Modify Interface dialog box, select or enter a new value. (For example, from the Duplex drop-down list, select FULL.)
5. Click OK.
To modify the duplex setting of a network interface using the NetScaler command line
Example
set interface 1/8 -duplex full
Note: The network interface configuration is neither synchronized nor propagated. For an HA pair, you must perform the configuration on each unit independently.
1. In the navigation pane, expand Network and click Interfaces.
2. On the Interfaces page, select the network interface that you want to disable (for example, 1/8).
3. Do one of the following:
   To enable a network interface, click Enable.
   To disable a network interface, click Disable.
Examples
enable interface 1/8
disable interface 1/8
1. In the navigation pane, expand Network and click Interfaces.
2. On the Interfaces page, select the network interface that must be reset (for example, 1/8).
3. Click Reset Interface.
Citrix NetScaler Networking Guide
To reset a network interface using the NetScaler command line
Example
reset interface 1/8
1. In the navigation pane, expand Network and click Interfaces.
2. On the Interfaces page, select the network interface whose statistics you want to clear (for example, 1/8).
3. Click Clear Statistics.
Example
clear interface 1/8
1. In the navigation pane, expand Network and click Interfaces.
2. On the Interfaces page, verify that your configured interface appears.
3. Highlight the interface by selecting it, and verify that the parameters are configured as intended.
To display the properties of the network interfaces using the NetScaler command line
1. In the navigation pane, expand Network and click Interfaces.
2. On the Interfaces page, select the network interface whose statistics you want to view (for example, 1/8).
3. Click Statistics.
To view the statistics of the network interfaces using the NetScaler command line
Example
stat interface 1/8
Configuring VLANs
The NetScaler supports Layer 2 port and IEEE 802.1q tagged VLANs. VLAN configurations are useful when you need to restrict traffic to certain groups of stations. You can configure a network interface as a part of multiple VLANs using IEEE 802.1q tagging. You can configure VLANs and bind them to IP subnets. The NetScaler then performs IP forwarding between these VLANs (if it is configured as the default router for the hosts on these subnets). The NetScaler supports the following types of VLANs.

Port-Based VLANs
The membership of a port-based VLAN is defined by a set of network interfaces that share a common exclusive Layer 2 broadcast domain. You can configure multiple port-based VLANs. By default, all network interfaces on the NetScaler are members of VLAN 1. If you apply 802.1q tagging to the port, the network interface belongs to a port-based VLAN. Layer 2 traffic is bridged within a port-based VLAN, and Layer 2 broadcasts are sent to all members of the VLAN if Layer 2 mode is enabled. When you add an untagged network interface as a member of a new VLAN, it is removed from its current VLAN.

Default VLAN
By default, the network interfaces on the NetScaler are included in a single, port-based VLAN as untagged network interfaces. This VLAN is the default VLAN. It has a VLAN ID (VID) of 1. This VLAN exists permanently. It cannot be deleted, and its VID cannot be changed. When you add a network interface to a VLAN as an untagged member, the network interface is automatically removed from the default VLAN and added to this VLAN. If you unbind a network interface from its current port-based VLAN, it is added to the default VLAN again.

Tagged VLAN
802.1q tagging (defined in the IEEE 802.1q standard) allows a networking device (such as the NetScaler) to add information to a frame at Layer 2 to identify the VLAN membership of the frame. Tagging allows network environments to have VLANs that span multiple devices. A device that receives the packet reads the tag and recognizes the VLAN to which the frame belongs. Some network devices do not support receiving both tagged and untagged packets on the same network interface, in particular, Force10 switches. In such cases, you need to contact customer support for assistance. The network interface can be a tagged or untagged member of a VLAN. Each network interface is an untagged member of one VLAN only (its native VLAN). This network interface transmits the frames for the native VLAN as untagged frames.
A network interface can be a part of more than one VLAN if the other VLANs are tagged. When you configure tagging, be sure to match the configuration of the VLAN on both ends of the link. The port to which the NetScaler connects must be on the same VLAN as the NetScaler network interface.
You can use the configuration utility to define a tagged VLAN that can have any ports bound as tagged members. Configuring this VLAN requires a reboot of the NetScaler, and therefore must be done during initial network configuration.

Note: This VLAN configuration is neither synchronized nor propagated, therefore you must perform the configuration on each unit in an HA pair independently. The best practice is to set the VLAN ID for each NSIP to 1.
Ingress Rules
Ingress rules classify each frame as belonging only to a single VLAN. When a frame is received on a network interface, the following rules are applied to classify the frame:
- If the frame is untagged, or has a tag value equal to 0, the VID of the frame is set to the port VID (PVID) of the receiving interface, which is classified as belonging to the native VLAN. (PVIDs are defined in the IEEE 802.1q standard.)
- If the frame has a tag value equal to FFF, the frame is dropped.
- If the VID of the frame specifies a VLAN of which the receiving network interface is not a member, the frame is dropped. For example, if a packet is sent from a subnet associated with VLAN ID 12 to a subnet associated with VLAN ID 10, the packet is dropped. If an untagged packet with VID 9 is sent from the subnet associated with VLAN ID 10 to a network interface with PVID 9, the packet is dropped.
Egress Rules
The following egress rules are applied:
- If the VID of the frame specifies a VLAN of which the transmission network interface is not a member, the frame is discarded.
- During the learning process (per the IEEE 802.1q standard), the source MAC address and VID are used to update the bridge lookup table of the NetScaler.
- A frame is discarded if its VID specifies a VLAN that does not have any members. You can define the members, which are the network interfaces configured in the VLAN.
When a user sends any broadcast or multicast packets without the VLAN being identified, that is, during Duplicate Address Detection (DAD) for the NSIP or ND6 for the next hop of the route, the packet is sent out on all the network interfaces with appropriate tagging based on the ingress and egress rules. ND6 usually identifies a VLAN, and a data packet is sent on this VLAN only. Port-based VLANs are common to IPv4 and IPv6. For IPv6, the NetScaler supports prefix-based VLANs.
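The ingress rules, egress rules and bridge-table learning described above, as an added example that is not NetScaler code: a constructed Python model that classifies a received frame into one VLAN (or drops it), learns its source MAC and VID, and decides on which interfaces, tagged or untagged, the frame leaves. Interface names, VLAN memberships and MAC addresses are assumptions made up for the illustration.

```python
# Added example (not NetScaler code): a constructed model of the 802.1q ingress
# and egress rules described above. Interface names and MAC addresses are made up.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_VID = 1        # every interface starts as an untagged member of VLAN 1
RESERVED_VID = 0xFFF   # a frame carrying this tag value is dropped on ingress


@dataclass
class Interface:
    name: str
    pvid: int = DEFAULT_VID             # native VLAN: untagged member of exactly one VLAN
    tagged: Set[int] = field(default_factory=set)

    def is_member(self, vid: int) -> bool:
        return vid == self.pvid or vid in self.tagged


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vid: Optional[int] = None           # None means the frame arrived untagged


class Bridge:
    """Layer 2 forwarding across port-based and tagged VLANs."""

    def __init__(self, interfaces: List[Interface]) -> None:
        self.ifs: Dict[str, Interface] = {i.name: i for i in interfaces}
        # Bridge lookup table learned from (source MAC, VID) -> interface.
        self.table: Dict[Tuple[str, int], str] = {}

    def members(self, vid: int) -> List[str]:
        return [n for n, i in self.ifs.items() if i.is_member(vid)]

    def ingress(self, ifname: str, frame: Frame) -> Optional[int]:
        """Classify a received frame into exactly one VLAN, or None to drop it."""
        port = self.ifs[ifname]
        if frame.vid is None or frame.vid == 0:
            vid = port.pvid                 # untagged or tag 0: native VLAN of the port
        elif frame.vid == RESERVED_VID:
            return None                     # tag FFF is always dropped
        else:
            vid = frame.vid
        if not port.is_member(vid):
            return None                     # receiving interface is not in this VLAN
        # Learning: remember which interface this (MAC, VID) pair was seen on.
        self.table[(frame.src_mac, vid)] = ifname
        return vid

    def forward(self, ifname: str, frame: Frame) -> Dict[str, Optional[int]]:
        """Return {egress interface: tag} for a frame received on ifname ({} = dropped).

        A tag of None means the frame leaves untagged because the VLAN is the
        egress interface's native VLAN.
        """
        vid = self.ingress(ifname, frame)
        if vid is None:
            return {}
        known = self.table.get((frame.dst_mac, vid))
        if known is not None and known != ifname:
            targets = [known]                                        # unicast to the learned port
        else:
            targets = [n for n in self.members(vid) if n != ifname]  # flood the VLAN
        out: Dict[str, Optional[int]] = {}
        for name in targets:
            port = self.ifs[name]
            if not port.is_member(vid):
                continue                                             # egress rule: not a member
            out[name] = None if vid == port.pvid else vid
        return out                                                   # empty if no other members


def build_demo() -> Bridge:
    """Constructed topology: 1/1 and 1/2 carry VLANs 2 and 3 (one native each); 1/3 stays in VLAN 1."""
    return Bridge([
        Interface("1/1", pvid=2, tagged={3}),
        Interface("1/2", pvid=3, tagged={2}),
        Interface("1/3"),
    ])


if __name__ == "__main__":
    b = build_demo()
    print(b.forward("1/1", Frame("00:00:5e:00:53:aa", "ff:ff:ff:ff:ff:ff")))       # {'1/2': 2}
    print(b.forward("1/1", Frame("00:00:5e:00:53:aa", "ff:ff:ff:ff:ff:ff", 3)))    # {'1/2': None}
    print(b.forward("1/1", Frame("00:00:5e:00:53:aa", "ff:ff:ff:ff:ff:ff", 10)))   # {}
```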
Creating a VLAN
You can implement VLANs in the following environments:
- Single subnet
- Multiple subnets
- Single LAN
- VLANs (no tagging)
- VLANs (802.1q tagging)
When you create VLANs that have only untagged network interfaces as their members, the total number of possible VLANs is limited to the number of network interfaces available in the NetScaler. If more IP subnets are required with a VLAN configuration, 802.1q tagging must be used. To create a VLAN, use the VLAN ID parameter described in the following table.

Basic Parameter for creating a VLAN
Parameter (CLI name): Specifies
VLAN Identifiers (VIDs) (id): An integer from 1 to 4094 that uniquely identifies the VLAN to which a particular frame belongs. (The NetScaler supports a maximum of 4094 VLANs.) VID 1 is reserved for the default VLAN.
1. In the navigation pane, expand Network and click VLANs.
2. On the VLANs page, click Add.
3. In the Create VLAN dialog box, in the VLAN Id text box, type the ID of the VLAN (for example, 2).
4. Click Create and click Close. The VLAN you added appears in the VLANs page.
Example
add vlan 2
Note: If you use network interface-specific commands in an HA setup, the configurations you perform are not propagated to the other NetScaler. You must perform these commands on each NetScaler in an HA pair to ensure that the configuration of the two NetScalers in the HA pair remains synchronized.
VLAN on a Single Subnet
In the above figure:
1. The default router for the NetScaler and the servers is Router 1.
2. Layer 2 mode must be enabled on the NetScaler for the NetScaler to have direct access to the servers. For the procedure to enable Layer 2 mode, see Configuring Modes of Packet Forwarding, on page 17.
3. For this subnet, a virtual server can be configured for load balancing on the NetScaler.

To configure a VLAN on a single subnet, follow the procedure described in Creating a VLAN, on page 54. VLAN configuration parameters are not required, because the network interfaces are already members of this VLAN.
Multiple Subnets in a Single VLAN
To configure a single VLAN across multiple subnets, perform the following tasks:
1. Disable Layer 2 mode. For the procedure to disable Layer 2 mode, see Configuring Modes of Packet Forwarding, on page 17.
2. Add a VIP. For the procedure to add a VIP, see Virtual IP Address (VIP), on page 3.
3. Configure RNAT ID. For the procedure to configure the RNAT ID, see Reverse Network Address Translation, on page 25.
Note: The NetScaler supports only the procedure described in Adding a Static Route, on page 148, to add multiple IP subnets in single-subnet VLAN configurations.
Multiple Subnets with VLANs - No Tagging
To implement the configuration shown in the above figure, perform the following tasks:
1. Add VLAN 2. For the procedure to create a VLAN, see Creating a VLAN, on page 54.
2. Bind the 1/2 network interface of the NetScaler to VLAN 2 as an untagged network interface. For the procedure to bind a network interface to a VLAN, see Binding a Network Interface to a VLAN, on page 60.
3. Bind the IP address and netmask to VLAN 2. For the procedure to bind an IP address to a VLAN, see Binding an IP Address to a VLAN, on page 60.
Multiple VLANs with IEEE 802.1q Tagging
To implement the configuration shown in the above figure, perform the following tasks:
1. Add VLAN 2. For the procedure to create a VLAN, see Creating a VLAN, on page 54.
2. Bind the 1/2 network interface of the NetScaler to VLAN 2 as an untagged network interface. For the procedure to bind a network interface to a VLAN, see Binding a Network Interface to a VLAN, on page 60.
3. Bind the IP address and netmask to VLAN 2. For the procedure to bind an IP address to a VLAN, see Binding an IP Address to a VLAN, on page 60.
4. Add VLAN 3. For the procedure to create a VLAN, see Creating a VLAN, on page 54.
5. Bind the 1/2 network interface of the NetScaler to VLAN 3 as a tagged network interface. For the procedure to bind a network interface to a VLAN, see Binding a Network Interface to a VLAN, on page 60. For the procedure to bind a tagged network interface, see Modifying a VLAN, on page 61.
6. Bind the IP address and netmask to VLAN 3. For the procedure to bind an IP address to a VLAN, see Binding an IP Address to a VLAN, on page 60.
1. In the navigation pane, expand Network and click VLANs.
2. On the VLANs page, select the VLAN to which you want to bind the network interface (for example, 2), and then click Open.
3. In the Modify VLAN dialog box, under Interfaces, select the Active check box corresponding to the interface that you want to bind to the VLAN (for example, 1/8).
4. Click OK.
Example
bind vlan 2 -ifnum 1/8
Note: When you configure the NetScaler, you must not create overlapping IP subnets. Doing so impedes Layer 3 functionality.

Each VLAN is a unique Layer 2 broadcast domain. Two VLANs, each bound to separate IP subnets, cannot be combined into a single broadcast domain. Forwarding traffic between two VLANs requires a Layer 3 forwarding (routing) device, such as the NetScaler. For a VLAN, a route added to the route table defines the IP subnet for the VLAN. A route is added for the gateway, which is a SNIP. When you bind an IP address to a VLAN, the NetScaler need not use the bound IP address to proxy the traffic to the VLAN, and can select a SNIP or a MIP.

Note: For a VIP, you must assign a subnet mask to the VIP address before binding it to a VLAN, or the binding procedure fails. To assign a subnet mask to a VIP, use one of the procedures described in Configuring NetScaler-Owned IP Addresses, on page 1.

Use either of the following procedures to bind an IP address to a VLAN.
To bind an IP address to a VLAN using the configuration utility
1. In the navigation pane, expand Network and click VLANs.
2. On the VLANs page, select the VLAN for which you want to bind the IP address (for example, 2).
3. Click Open.
4. In the Modify VLAN dialog box, under IPs, select the Active check box corresponding to the IP address that you want to bind to the VLAN (for example, 10.102.29.54).
5. Click OK.
Example
bind vlan 2 -IPAddress 10.102.29.54 255.255.255.0
Modifying a VLAN
Use either of the following procedures to modify a VLAN.
To modify a VLAN using the configuration utility
1. In the navigation pane, expand Network and click VLANs.
2. On the VLANs page, select the VLAN that you want to modify (for example, 2).
3. Click Open.
4. In the Modify VLAN dialog box, modify one or more settings. (For example, to tag an interface, under Interfaces, select the Tagged check box next to the name of the network interface that you want to tag.)
5. Click OK.
Note: To make a network interface a tagged member of a VLAN using the NetScaler command line, you must first unbind the network interface from the VLAN, then bind it as a tagged member as shown in the following procedure. For more information about unbinding a network interface from a VLAN, see Unbinding a Network Interface from a VLAN, on page 62.
Examples
unbind vlan 2 -ifnum 1/8
bind vlan 2 -ifnum 1/8 -tagged
Managing VLANs
To manage VLANs, you can unbind network interfaces or IP addresses from VLANs, or remove VLANs.
1. In the navigation pane, expand Network and click VLANs.
2. In the details pane, select the VLAN from which you want to unbind the network interface (for example, 2).
3. Click Open. The Modify VLAN dialog box appears.
4. Under Interfaces, clear the Active check box corresponding to the interface that you want to unbind from the VLAN (for example, 1/8).
5. Click OK.
Example
unbind vlan 2 -ifnum 1/8
1. In the navigation pane, expand Network and click VLANs.
2. In the details pane, select the VLAN from which you want to unbind the IP address (for example, 2), and then click Open.
3. In the Modify VLAN dialog box, under IPs, clear the Active check box corresponding to the IP address that you want to unbind from the VLAN (for example, 10.102.29.54).
4. Click OK.
Example
unbind vlan 2 -IPAddress 10.102.29.54 255.255.255.0
Removing a VLAN
When you remove a VLAN, the network interfaces are bound to the default VLAN. Use either of the following procedures.
To remove a VLAN using the configuration utility
1. In the navigation pane, expand Network and click VLANs.
2. On the VLANs page, select the VLAN that you want to remove (for example, 2), and then click Remove.
Example
rm vlan 2
Displaying VLANs
Use either of the following procedures to display the properties of the VLANs.
To display VLAN properties using the configuration utility
1. In the navigation pane, expand Network and click VLANs.
2. On the VLANs page, select a VLAN and verify that the settings are configured as intended.
1. In the navigation pane, expand Network and click VLANs.
2. On the VLANs page, select the VLAN whose statistics you want to view (for example, 2).
3. Click Statistics.
Example
stat vlan 2
To add a bridge group and bind VLANs by using the configuration utility
1. In the navigation pane, expand Network, and then click Bridge Groups.
2. In the details pane, click Add.
3. In the Create Bridge Groups dialog box, in the Bridge Group Id text box, type a number between 1 and 1000 (for example, 100).
4. Under VLANs, select the VLANs (for example, 2 and 71) that you want to bind to the bridge group.
5. Under IPs, select the subnets that you want to bind to the bridge group.
6. Click Create.
To add a bridge group and bind VLANs by using the NetScaler command line
Example
add bridgegroup 100
bind bridgegroup 100 -vlan 2 71 -ipaddress 10.102.29.4 255.255.0.0
1. In the navigation pane, expand Network, and then click Bridge Groups.
2. Examine the settings.
1. In the navigation pane, expand Network, and then click Bridge Groups.
2. In the details pane, select a bridge group ID (for example, 100), and click Open.
3. In the Modify Bridge Group dialog box, under VLANs, clear the active check boxes for the VLANs (for example, 2) that you want to unbind from the bridge group.
4. Under IPs, clear the active check boxes for the subnets that you want to unbind from the bridge group.
5. Click OK.
To unbind VLANs from a bridge group by using the NetScaler command line
Example
unbind bridgegroup 100 -vlan 2 -ipaddress 10.102.29.4 255.255.255.0
1. In the navigation pane, expand Network, and then click Bridge Groups.
2. In the details pane, select the bridge group ID (for example, 100) that you want to remove.
3. Click Remove.
Example
rm bridgegroup 100
1. In the navigation pane, expand Network and click Channels.
2. On the Channels page, click Add.
3. In the Add Channel dialog box, in the Channel ID drop-down list, select the link aggregate ID that you want to add (for example, LA/1).
   Note: Adding a channel without binding it to a network interface can cause a failover. To avoid this possibility, include the next step in this procedure. For more information about binding a link aggregate channel to an interface, see Binding a Network Interface to a Link Aggregate Channel, on page 69.
4. On the Bind/Unbind tab, select an interface to be bound (for example, 1/8).
5. Click Create and click Close. The link aggregate channel you added appears in the Channel page.
Example
add channel LA/1 -ifnum 1/8
1. In the navigation pane, expand Network and click Channels.
2. In the details pane, select the channel that you want to bind to a network interface (for example, LA/1).
3. Click Open.
4. In the Modify Channel dialog box, in the Available Interface list box, select the network interface (for example, 1/8).
5. Click Add. The network interface you selected appears in the Configured list.
6. Click OK.
Example
bind channel LA/1 1/8
Parameter (CLI name): Specifies
State: Initial state for the channel. Possible values: ENABLED and DISABLED. Default: ENABLED.
Mode (Mode): Initial mode for the channel. Possible values: MANUAL, AUTO, and DESIRED.
Connection Distribution (connDistr): Connection distribution mode for the channel. Possible values: DISABLED and ENABLED.
MAC Distribution (macDistr): MAC distribution mode for the channel. Possible values: SOURCE, DESTINATION, and BOTH.
Speed (speed): Speed for the channel. Possible values: AUTO, 10, 100, and 1000.
Flow Control (flowControl): Flow control for the channel. Possible values: OFF, RX, TX, and RXTX.
HA Monitor (haMonitor): HA-monitoring control for the channel. Possible values: ON and OFF.
Trunk (trunk): Make this port a trunk port. Possible values: ON and OFF. Default: OFF. When ON, port membership in all VLANs is tagged. If 802.1q behavior with native VLAN is required, use the OFF setting.
Alias (ifAlias): Alias name for the channel.
Throughput (throughput): Minimum required throughput for the network interface.
2. In the details pane, select the channel that you want to modify (for example, LA/1), and then click Open.
3. In the Modify Channel dialog box, select or enter a new value. (For example, click the Settings tab and, in the Speed drop-down list box, select a speed, such as 100.)
4. Click OK.
Example
set channel LA/1 -speed 100
1. In the navigation pane, expand Network and click Channels.
2. In the details pane, select the channel from which you want to unbind a network interface (for example, LA/1), and then click Open.
3. In the Modify Channel dialog box, in the Configured list box, select the network interface (for example, 1/8), and then click Remove. The network interface that you selected appears in the Available Interface list.
4. Click OK.
Example
unbind channel LA/1 1/8
1. In the navigation pane, expand Network and click Channels.
2. In the details pane, select the channel that you want to remove (for example, LA/1), and click Remove.
3. In the Remove dialog box, click Yes.
Example
rm channel LA/1
Parameter: Specifies
System Priority: The LACP system priority. Possible values: 1 to 65535. Default: 32768.
Also, you can configure the following LACP parameters when you configure the network interface:
- LACP mode
- LACP time-out
- Port key
- Port priority
For more information about these parameters, see Configuring Network Interfaces, on page 46.

Note: LACP configurations are neither propagated nor synchronized.

By default, LACP is disabled on all network interfaces. You cannot use LACP to modify channels that you created manually. Therefore, you cannot enable LACP on network interfaces that are members of a channel that you created manually. If LACP creates a channel dynamically, you cannot perform create, bind, unbind, or remove operations on that channel. However, you can configure parameters such as distribution mode. LACP dynamically creates a channel, which is deleted when LACP is disabled on all its member network interfaces.

To enable LACP on a network interface, use the procedure to modify the network interface, which is described in Managing Network Interfaces, on page 48. When you enable LACP on a network interface, the NetScaler creates channels dynamically. The NetScaler currently supports two channels, LA/1 and LA/2, based on the LACP Key values. Therefore, if you enable LACP on a network interface and set the LACP Key to 1, the network interface is automatically bound to the channel LA/1.

Note: While enabling LACP on a network interface, you must simultaneously specify the LACP Key.

The following example describes the procedure to configure the link aggregate channel protocol with a system priority of 12.
To configure a link aggregate channel protocol using the configuration utility
1. In the navigation pane, expand Network and click Interfaces.
2. On the Interfaces page, click Set LACP.
3. In the Configure LACP dialog box, in the System Priority text box, type the priority you want to configure (for example, 12).
4. Click OK.
To configure a link aggregate channel protocol using the NetScaler command line
1. In the navigation pane, expand Network and click Channels.
2. On the Channels page, verify that your configured channels appear.
3. Select a channel (for example, LA/1) and verify that the parameters displayed are configured as intended.
1. In the navigation pane, expand Network and click Interfaces.
2. On the Interfaces page, click View LACP Details.
3. In the View LACP Details dialog box, click Close.
Configuring VMACs
The primary and secondary nodes in a high availability (HA) setup share a floating entity, the virtual MAC address (VMAC). The primary node owns the floating IP addresses (such as MIP, SNIP, and VIP) and responds to ARP requests for these IP addresses with its own MAC address. Therefore, the ARP table of an external device, such as an upstream router, is updated with the floating IP address and the MAC address of the primary node. When a failover occurs, the secondary node takes over as the new primary node. The former secondary node uses Gratuitous ARP (GARP) to advertise the floating IP addresses that it had learned from the old primary node. The MAC address that the new primary node advertises is the MAC address of its own network interface. Some devices (a few routers) do not accept these GARP messages. Therefore, these external devices retain the IP address-to-MAC address mapping that the old primary node had advertised. This can result in a GSLB site going down. Therefore, you must configure a VMAC on both nodes of an HA pair. This means that both nodes have identical MAC addresses. When a failover occurs, the MAC address of the secondary node remains unchanged, and the ARP tables on the external devices do not need to be updated. For the procedures to configure a VMAC, see Chapter 6, High Availability.
Parameter (CLI name): Specifies
Ageing Time (bridgeAge): The bridge ageing time in seconds. Default: 300. Minimum value: 60. Maximum value: 300.
2. On the Bridge Table page, optionally select an entry to display its properties at the bottom of the screen.
To change the ageing time for all bridge table entries, use either of the following procedures.
To modify the bridge table using the configuration utility
1. On the Bridge Table page, click Change Ageing Time.
2. In the Change Ageing Time dialog box, in the Ageing Time (seconds) text box, type the ageing time (for example, 70).
3. Click OK. All the MAC entries in the bridge table are updated with the ageing time. The following figure shows an example.
Example
set bridgetable -bridgeAge 70
1. On the Bridge Table page, select the MAC address for which you want to view the statistics (for example, 00:12:01:0a:5f:46).
2. Click Statistics.
To view the statistics of a bridge table using the NetScaler command line
1. In the navigation pane, expand System and click Settings.
2. In the details pane, under the Modes and Features group, click Change modes.
3. In the Configure Modes dialog box, do one of the following:
   To enable Path MTU Discovery, select the Path MTU Discovery check box.
   To disable Path MTU Discovery, clear the Path MTU Discovery check box.
4.
5.
To enable or disable Path MTU discovery using the NetScaler command line
An Active-Active Configuration
The NetScaler appliances in the above diagram process traffic as follows:
1. Client C1 sends a request to VIP1. The request reaches R1.
2. R1 does not have an ARP entry for VIP1, so it broadcasts an ARP request for VIP1.
3. VIP1 is active on NS1, so NS1 replies with the VMAC associated with VIP1 (for example, VMAC1) as the source MAC address and VIP1 as the source IP address.
4. SW1 learns the port for VIP1 from the ARP reply and updates its bridge table.
5. R1 updates its ARP entry with VMAC1 and VIP1.
6. R1 forwards the packet to VIP1 on NS1.
7. NS1's load balancing algorithm selects server S2, and NS1 opens a connection between one of its SNIP or MIP addresses and S2.
8. S2 replies to the SNIP or MIP on the NetScaler.
9. NS1 sends S2's reply to the client. In the reply, NS1 inserts the MAC address of the physical interface as the source MAC address and VIP1 as the source IP address.
10. Should NS1 fail, the NetScaler appliances use the VRRP protocol to select the VIP1 with the highest priority. In this case, VIP1 on NS3 becomes active, and the following two steps update the active-active configuration.
11. NS3 broadcasts a GARP message for VIP1. In the message, VMAC1 is the source MAC address and VIP1 is the source IP address.
12. SW1 learns the new port for VMAC1 from the GARP broadcast and updates its bridge table to send subsequent client requests for VIP1 to NS3. R1 updates its ARP table.
The priority of a VIP can be modified by health tracking. If you enable health tracking, you should make sure that preemption is also enabled, so that a VIP whose priority is lowered can be preempted by another VIP. In some situations, traffic might reach a backup VIP. To avoid dropping such traffic, you can enable sharing, on a per-node basis, as you create an active-active configuration. Or you can enable the global send to master option. On a node on which sharing is enabled, it takes precedence over send to master.
Health Tracking
Base priority (BP, range 1-255) ordinarily determines which VIP is the master VIP, but effective priority (EP) can also affect the determination. For example, if a VIP on NS1 has a priority of 101 and the same VIP on NS2 has a priority of 99, the VIP on NS1 is active. However, if two vservers are using the VIP on NS1 and one of them goes DOWN, health tracking can reduce the EP of the VIP on NS1. VRRP then makes the VIP on NS2 the active VIP. The following are the health tracking options for modifying EP:
NONE. No tracking. EP = BP.
ALL. If all vservers are UP, then EP = BP. Otherwise, EP = 0.
ONE. If at least one vserver is UP, then EP = BP. Otherwise, EP = 0.
PROGRESSIVE. If all vservers are UP, then EP = BP. If all vservers are DOWN, then EP = 0. Otherwise, EP = BP × (1 - k/N), where N is the total number of vservers associated with the VIP and k is the number of vservers that are DOWN.
Note: If you specify a value other than NONE, preemption should be enabled, so that the backup VIP with the highest priority becomes active if the priority of the master VIP is downgraded.
Preemption
Preemption of an active VIP by another VIP that attains a higher priority is enabled by default, and normally should be enabled. In some cases, however, you may want to disable it. Preemption is a per-node setting for each VIP. Preemption can occur in the following situations:
An active VIP goes down and a VIP with a lower priority takes its place. If the VIP with the higher priority comes back online, it preempts the currently active VIP.
Health tracking causes the priority of a backup VIP to become higher than that of the active VIP. The backup VIP then preempts the active VIP.
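As an added example (not code from the guide), the following Python models how the health tracking options above turn a base priority into an effective priority, and how the preemption setting decides whether a backup VIP with a higher EP displaces the current master. The election rules, and treating EP as BP when no vservers are bound, are simplifications assumed here rather than NetScaler's exact VRRP behaviour.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Health-tracking modes as named in the guide (add vrID ... -tracking <mode>).
NONE, ALL, ONE, PROGRESSIVE = "NONE", "ALL", "ONE", "PROGRESSIVE"


def effective_priority(bp: int, tracking: str, vserver_up: List[bool]) -> int:
    """Derive the effective priority (EP) from the base priority (BP) and the
    UP/DOWN states of the vservers that use the VIP."""
    if not 1 <= bp <= 255:
        raise ValueError("base priority must be in 1-255")
    n = len(vserver_up)
    k = n - sum(vserver_up)  # number of vservers that are DOWN
    if tracking == NONE:
        return bp
    if n == 0:  # assumption: nothing to track, so EP = BP
        return bp
    if tracking == ALL:
        return bp if k == 0 else 0
    if tracking == ONE:
        return bp if k < n else 0
    if tracking == PROGRESSIVE:
        if k == 0:
            return bp
        if k == n:
            return 0
        return int(bp * (1 - k / n))  # EP = BP * (1 - k/N), truncated to an integer
    raise ValueError(f"unknown tracking mode {tracking!r}")


@dataclass
class VipInstance:
    """One node's copy of a VIP that is bound to a VMAC (virtual router ID)."""
    node: str
    bp: int
    tracking: str = NONE
    preemption: bool = True            # per-node setting from the guide
    vserver_up: List[bool] = field(default_factory=list)

    @property
    def ep(self) -> int:
        return effective_priority(self.bp, self.tracking, self.vserver_up)


def elect_master(instances: List[VipInstance],
                 current_master: Optional[str] = None) -> Optional[str]:
    """Decide which node holds the VIP after a priority change.

    Simplified VRRP-style rules drawn from the guide:
      * an instance with EP 0 can never be master;
      * otherwise the highest EP wins, the current master keeping ties;
      * a backup with a higher EP displaces a live master only if
        preemption is enabled on that backup.
    """
    live = [i for i in instances if i.ep > 0]
    if not live:
        return None
    by_node: Dict[str, VipInstance] = {i.node: i for i in instances}
    master = by_node.get(current_master) if current_master else None
    if master is None or master.ep == 0:
        # No live master: the highest EP takes over unconditionally.
        return max(live, key=lambda i: i.ep).node
    challenger = max(live, key=lambda i: i.ep)
    if challenger.ep > master.ep and challenger.preemption:
        return challenger.node
    return master.node
```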
Sharing
In the event that traffic reaches a backup VIP, the traffic is dropped unless the sharing option is enabled on the backup VIP. This behavior is a per-node setting for each VIP and is disabled by default. In the An Active-Active Configuration diagram, VIP1 on NS1 is active and VIP1 on NS2 and NS3 are backups. Under certain circumstances, traffic may reach VIP1 on NS2. If sharing is enabled on NS2, this traffic is processed instead of dropped.
Adding a VMAC
To add a VMAC for an active-active configuration, you create a virtual router ID.
Parameter: Specifies
Virtual Router ID (vrID): The VRID that identifies the VMAC. Possible values: 1 to 255.
Priority (priority): The base priority of the VMAC. Range: 1 to 255. Default: 255.
Tracking (tracking): The health tracking options for this VMAC. Possible values: NONE, ONE, ALL, PROGRESSIVE. Default value: NONE.
Preemption (preemption): Make a backup VIP the master if its priority becomes higher than that of a master VIP that is bound to this VMAC. Possible values: ENABLED, DISABLED. Default: ENABLED.
Sharing (sharing): Enable or disable sharing for this VMAC. Default: Disabled.
1. In the navigation pane, expand Network and click VMAC.
2. On the VMAC page, click Add.
3. In the Add VMAC dialog box, in the Virtual Router ID text box, type a number (for example, 125).
4. In the Priority text box, enter a priority number (for example, 100) that will be associated with VIPs bound to this VMAC.
5. In the Tracking drop-down box, select a health tracking option (for example, ONE).
6. Unselect or select Preemption to disable or enable preemption on VIPs that are bound to this VMAC.
7. Select or unselect Sharing to enable or disable sharing on VIPs that are bound to this VMAC.
8. Click Create.
Example
add vrID 125 -priority 100 -sharing ENABLED -tracking ONE
1. In the navigation pane, expand Network, and then click IPs.
2. In the details pane, on the IPv4s tab, select the VIP address (for example, 10.102.29.5) that you want to bind to a VMAC, and then click Open.
3. In the Configure IP dialog box, in the Virtual Router Id drop-down box, select a virtual router ID (for example, 125).
4. Click OK.
Example
set ns ip 10.102.29.5 -vrid 125
For example, in the following diagram, VIP1 is configured on NS1, NS2, and NS3 and is active on NS1. Under certain circumstances, traffic for VIP1 (active on NS1) may reach VIP1 on NS3. When the send to master option is enabled on NS3, NS3 forwards the traffic to NS1 through NS2 by using route entries for NS1.
An Active-Active Configuration with Send to Master Option Enabled
The following table describes the parameters you need to enable send to master option.
Parameter: Specifies
Send to Master (sendToMaster): Forward the packet to the master node if the VIP bound to the VMAC is in backup state and sharing is disabled. Possible values: ENABLED, DISABLED. Default: DISABLED.
1. In the navigation pane, expand Network.
2. In the details pane, under Settings, click Virtual Router Parameters.
3. In the Virtual Router Parameters dialog box, select the Send to Master option.
4. Click OK.
Example
set vrIDParam -sendToMaster ENABLED
A Deployment Scenario
The following is one possible active-active deployment scenario:
In the following diagram, VIP1, VIP2, and VIP3 are configured on all three appliances, NS1, NS2, and NS3. The base priorities of the VIPs are as shown in the diagram. Health tracking is disabled for each VIP. The priorities of the VIPs are set so that VIP1, VIP2, and VIP3 are active on NS3. If NS3 fails, VIP1, VIP2, and VIP3 become active on NS1.
An Active-Active Deployment Scenario
Network Visualizer
The Network Visualizer is a tool that you can use to view the network configuration of a NetScaler node, including the network configuration of the nodes in a high availability (HA) deployment. You can also modify the configuration of VLANs, interfaces, channels, and bridge groups, and perform HA configuration tasks. In an HA deployment, you can both view and configure network entities on the node to which you are logged on, but you can view the details of only the network entities that are configured on the peer node. However, you can perform certain tasks, such as viewing details and statistics of the peer node and forcing a failover.
When you are logged on to a standalone appliance, you can use the Network Visualizer to do the following:
View a consolidated graphical summary of key network components, such as VLANs, interfaces, channels, and bridge groups. You can also view the individual details of various network components.
Modify appliance settings.
Add, modify, and enable and disable interfaces and channels that are configured on the appliance.
Add and modify VLANs and bridge groups.
Configure an HA deployment (add a node).
View node details, node statistics, and statistics for VLANs and interfaces.
Copy the properties of a network entity to a document or spreadsheet.
When you are logged on to an appliance in an HA deployment, you can perform the above tasks only on the appliance to which you are logged on. The following are additional tasks that you can perform in the Network Visualizer when you are logged on to one of the appliances in an HA pair:
View the configuration details and high availability details of both nodes in an HA pair.
Perform HA configuration tasks, such as synchronization and force failover.
Remove the peer node from the HA configuration.
View statistics for the peer node.
Copy the properties of the peer node to a document or spreadsheet.
1. In the navigation pane, click Network.
2. In Monitor Connections, click Network Visualizer.
Open the Network Visualizer, and then do the following:
To locate a VLAN or bridge group, in the Search text field, begin typing the ID of the VLAN or the bridge group that you want to locate. Alternatively, begin typing the IP address of a bound subnet or the ID of a bound interface. The VLANs or bridge groups whose names match the typed characters are highlighted.
To highlight multiple entities simultaneously, separate the IDs and IP addresses with white spaces. Entities whose IDs or IP addresses match any of the typed IDs and IP addresses are highlighted.
To clear the Search field, click the x adjacent to the field.
Open the Network Visualizer and do one of the following:
To view a brief summary of the entity, place the pointer on the entity. A brief summary of the entity appears at the bottom of the viewable area.
To view the detailed configuration information of the entity, click the entity. The configuration details for that entity appear in the Details area.
To modify the network settings of the appliance by using the Visualizer
1. Open the Network Visualizer and click the icon representing the appliance to which you are logged on.
2. In Related Tasks, click Open.
1. Open the Network Visualizer and click a network interface.
2. In Related Tasks, click Add Channel.
Open the Network Visualizer, click the appliance to which you are logged on, and then do one of the following:
Click an existing VLAN, and then, in Related Tasks, click Add.
Click an existing bridge group, and then, in Related Tasks, click Add VLAN.
Open the Network Visualizer, click the appliance to which you are logged on, and then do one of the following:
Click an existing bridge group, and then, in Related Tasks, click Add.
Click an existing VLAN, and then, in Related Tasks, click Add Bridge Group.
1. Open the Network Visualizer and click the interface whose settings you want to modify.
2. In Related Tasks, click Open.
1. Open the Network Visualizer and click the interface or channel that you want to enable or disable.
2. In Related Tasks, do one of the following:
   To enable the interface or channel, click Enable.
   To disable the interface or channel, click Disable.
1. Open the Network Visualizer and click the channel, VLAN, or bridge group that you want to remove from the configuration.
2. In Related Tasks, click Remove.
To view statistics for a node, channel, interface, or VLAN by using the Visualizer
1. Open the Network Visualizer and click the node, interface, or VLAN whose statistics you want to view.
2. In Related Tasks, click Statistics.
1. Open the Network Visualizer and click the appliance.
2. In Related Tasks, click HA Setup.
1. Open the Network Visualizer and click the node whose high availability details you want to view.
2. In Related Tasks, click Details.
Citrix NetScaler Networking Guide
To force the secondary node to take over as the primary by using the Visualizer
1. Open the Network Visualizer and click one of the nodes.
2. In Related Tasks, click Force Failover.
To synchronize the secondary node's configuration with the primary node by using the Visualizer
1. Open the Network Visualizer and click one of the nodes.
2. In Related Tasks, click Force Synchronization.
1. Open the Network Visualizer and click the peer node.
2. In Related Tasks, click Remove.
1. Open the Network Visualizer and click the appliance or network entity whose properties you want to copy to a document or spreadsheet.
2. In Related Tasks, click Copy Properties.
Chapter 3
Access Control Lists (ACLs) are a means of filtering IP traffic and securing your network from unauthorized access. An ACL consists of a set of conditions or criteria that the NetScaler uses to allow or deny access. Consider a small organization that consists of 3 departments, Finance, HR, and Documentation, where no department wants another to access its data. The administrator of the organization can configure ACLs on the NetScaler to allow or deny access. When the NetScaler receives a data packet, it compares the information in the data packet with the conditions specified in the ACL and allows or denies access. The NetScaler supports simple ACLs, extended ACLs, and ACL6s.
In This Chapter
ACL Precedence
Configuring Simple ACLs
Configuring Extended ACLs
Configuring ACL6s
ACL Precedence
A packet that matches the conditions specified in a simple ACL is dropped. If no simple ACL matches the packet, the NetScaler compares the packet's characteristics to those specified in any configured extended ACLs. If the packet matches an extended ACL, the NetScaler applies the action specified in the extended ACL, as shown in the following diagram.
Parameter: Specifies
Name: Alphanumeric name of the ACL. Maximum length: 127 characters.
Action: What to do with matching packets. Possible value: DENY.
Protocol: Protocol in which packets arrive. Possible values: TCP and UDP. Default: either.
Source IP Address: IP address of the source machine. You can also specify a range of addresses.
Destination Port: A destination port on the NetScaler. If you do not specify a port, you create an all-ports ACL, which matches any port. In that case, you cannot create another ACL specifying a specific port and the same source IP address.
TTL (TTL): The time in which to expire this ACL, in seconds. Possible values: 1 to 0x7FFFFFFF. Default: ACL does not expire.
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the Simple ACLs tab, click Add.
3. In the Add Simple ACL dialog box, in the Name text box, type a name for the ACL (for example, rule1).
4. Optionally, from the Protocol drop-down list, select a protocol.
5. In the Source IP Address text box, type the IP address on which to filter (for example, 10.102.29.10).
6. In the Destination Port text box, type the destination port on which to filter, or leave the text box blank to create an all-ports ACL.
7. Optionally, in the TTL text box, type the number of seconds in which the ACL is to expire.
8. Click Create and click Close. The ACL you created appears on the ACLs page.
Examples
add simpleacl rule1 deny -srcip 10.102.29.10
add simpleacl block_20 deny -srcip 10.102.29.11 -TTL 10
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the Simple ACLs tab, select the simple ACL that you want to remove (for example, rule1).
3. Click Remove.
4. In the Remove dialog box, click Yes.
Example
remove simpleacl rule1
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the Simple ACLs tab, click Clear.
3. In the Clear Simple ACL(s) dialog box, click Yes.
1. In the navigation pane, expand Network and click ACLs.
2. On the ACLs page, click the Simple ACLs tab.
3. Optionally, select an ACL (for example, rule1) to display its properties at the bottom of the screen.
Examples
show simpleacl
show simpleacl rule1
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, select the ACL whose statistics you want to view (for example, rule1).
3. Click Statistics.
To view simple-ACL statistics using the NetScaler command line
Example
stat simpleacl rule1
stat simpleacl
The NetScaler processes an IP packet directly when both of the following conditions exist:
ACLs are configured on the NetScaler.
The IP packet does not match any of the ACLs.
The NetScaler does not apply ACLs to self-originated packets. For example, suppose you create an ACL, blockping, that denies packets with destination IP address 10.102.29.234. When the NetScaler sends a ping request to 10.102.29.234, the request is not evaluated by the blockping ACL, because the traffic originated from the NetScaler.
Many users begin by creating basic extended ACLs and then modifying them. To activate a new ACL, you must apply it. To deactivate an ACL, you can either remove or disable it. You can change the priority number of an extended ACL to give it a higher or lower precedence. You can perform various other modifications, and you can configure ACL logging. You should verify your configuration, and you can monitor ACL statistics. You can also configure RNAT by using extended ACLs. For more information about using ACLs with RNAT, see Configuring RNAT by Using ACLs, on page 28.
You cannot create two ACLs with the same parameters. If you attempt to create a duplicate, an error message appears.
Note: If you configure both simple and extended ACLs, simple ACLs take precedence over the extended ACLs.
Parameter: Specifies
Name: Alphanumeric name of the ACL. Maximum length: 127 characters.
Source IP Address: IP address of the source machine. You can also specify a range of addresses. You can also specify an IP address with a value of 0.0.0.0.
Action: The action associated with the ACL. The valid options for this parameter are BRIDGE, DENY, and ALLOW.
Operator: You can use the following operators while creating ACLs: = and !=.
The following example describes the procedure to create an ACL named rule1. The NetScaler drops the IP packets originating from the device when its source IP address is between 10.102.0.0 and 10.102.255.255.
To create an extended ACL using the configuration utility
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the Extended ACLs tab, click Add.
3. In the Add ACL dialog box, in the Name text box, type the name of the ACL (for example, rule1).
4. In the Action and Operator list boxes, select the action and operator that you want to configure (for example, DENY and =).
5. Under Source, in the Low and High text boxes, type the IP addresses (for example, 10.102.0.0 and 10.102.255.255).
6. Click Create and click Close. The ACL you created appears on the ACLs page.
To create an extended ACL using the NetScaler command line
Example
add ns acl rule1 deny -srcip 10.102.0.0-10.102.255.255
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the Extended ACLs tab, select the ACL that you want to apply (for example, rule1).
3. Click Commit.
4. In the Apply ACL(s) dialog box, click Yes.
1.
2. In the details pane, on the Extended ACLs tab, select the ACL that you want to remove (for example, rule1).
3. Click Remove.
4. In the Remove dialog box, click Yes.
Example
rm ns acl rule1
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the Extended ACLs tab, click Clear.
3. In the Clear ACL(s) dialog box, click Yes.
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the Extended ACLs tab, select the ACL (for example, rule1) and do one of the following:
   To enable the extended ACL, click Enable.
   To disable the extended ACL, click Disable.
To enable or disable an extended ACL using the NetScaler command line
Example
enable ns acl rule1
disable ns acl rule1
Renumbering ACLs
This section describes the procedure to renumber ACLs. This procedure resets the priorities of the ACLs to multiples of 10. For more information about priorities, see Modifying Extended ACLs, on page 100.
To renumber ACLs using the configuration utility
1. In the navigation pane, expand Network, and then click ACLs.
2. In the details pane, on the Extended ACLs tab, click Renumber Priority(s) ACL(s).
3. In the Renumber Priority(s) ACL(s) dialog box, click Yes.
If a packet matches the condition defined by the ACL, the NetScaler performs an action. If the packet does not match the condition defined by the ACL, the NetScaler compares the packet against the ACL with the next-highest priority. To modify the extended ACL, use the parameters listed in the following table.
Parameters for customizing an Extended ACL
Parameter: Specifies
Source Port (srcPort): The port address of the source system. You can specify a range or a specific port address. You can also specify a port address with a value of 0.
Destination IP Address (destip): The IP address of the destination system. You can specify a range or a specific address. You can also specify an IP address with a value of 0.0.0.0.
Destination Port (destPort): The port address of the destination system. You can specify either a range or a specific port address. You can also specify a port address with a value of 0.
Source MAC Address: The MAC address of the source system. Only the last 32 bits are considered during a lookup.
Protocol (protocol): This is the protocol field in the IP header. Possible values: ICMP, IGMP, TCP, EGP, IGP, ARGUS, UDP, RDP, RSVP, EIGRP, L2TP, and ISIS.
Protocol Number (protocolNumber): The IP protocol number (decimal). The minimum value is 1 and the maximum value is 255.
VLAN ID (vlan): The VLAN ID present in the VLAN tag of the packet. The minimum value is 1 and the maximum value is 255.
Interface (interface): This is the network interface on which the packet arrived.
ICMP Type (icmpType): The ICMP message type. For example, to block DESTINATION UNREACHABLE messages, you must specify 3 as the ICMP type. For a complete list of ICMP types, see http://www.iana.org/assignments/icmp-parameters. The minimum value is 0 and the maximum value is 255.
ICMP Code (icmpCode): The ICMP message code. For example, to block DESTINATION HOST UNREACHABLE messages, specify 3 as the ICMP type and 1 as the ICMP code. For a complete list of ICMP types and codes, see http://www.iana.org/assignments/icmp-parameters. The minimum value is 0 and the maximum value is 255.
State (state): The state of the ACL. Possible values: ENABLED and DISABLED. Default: ENABLED.
Priority (priority): The priority of the ACL. The minimum value is 0 and the maximum value is 10240.
Consider the following example. Two ACLs, rule1 and rule2, are configured on the NetScaler and automatically assigned priorities 20 and 30. You need to add a third ACL, rule3, to be evaluated immediately after rule1. rule3 must therefore have a priority between 20 and 30; in this case, you can specify the priority as 25. The following procedure describes the steps to set the priority of rule1 to 20.
To modify the priority of an ACL using the configuration utility
1. In the navigation pane, expand Network and click ACLs.
2. On the ACLs page, on the Extended ACLs tab, select the ACL that you want to modify (for example, rule1).
3. Click Open.
4. In the Configure ACL(s) dialog box, in the Priority text box, type the priority that you want to configure on the ACL (for example, 20).
5. Click OK.
Example
set acl rule1 -priority 20
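As an added example, not code from the guide, the following Python evaluates a packet the way the precedence rules in this chapter describe: simple ACLs first (always DENY, honouring TTL expiry), then the applied and enabled extended ACLs in ascending priority order, with self-originated traffic skipped, plus the renumbering step that resets priorities to multiples of 10. It goes beyond the IPv4 text by accepting IPv6 addresses as well, so the same logic covers ACL6s; applying the = / != operator to the address test as a whole and starting renumbering at 10 are assumptions.

```python
import ipaddress
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str                       # source IP, IPv4 or IPv6 text form
    dst: str                       # destination IP
    proto: str = "TCP"             # TCP, UDP, ICMP, ...
    dport: int = 0
    self_originated: bool = False  # generated by the appliance itself


@dataclass
class SimpleAcl:
    """A simple ACL only ever denies; no port means an all-ports ACL."""
    name: str
    srcip: str                          # host or "low-high" range
    protocol: Optional[str] = None      # None = either TCP or UDP
    destport: Optional[int] = None
    expires_at: Optional[float] = None  # absolute time derived from -TTL


@dataclass
class ExtendedAcl:
    name: str
    action: str                    # ALLOW, DENY or BRIDGE
    priority: int                  # lower value = evaluated earlier
    srcip: Optional[str] = None
    destip: Optional[str] = None
    protocol: Optional[str] = None
    destport: Optional[int] = None
    operator: str = "="            # "=" or "!=" (assumed to apply to the address test)
    enabled: bool = True
    applied: bool = False          # an ACL is inert until it is applied


def in_range(addr: str, spec: Optional[str]) -> bool:
    """True when addr lies in spec ("host" or "low-high"); no spec matches all."""
    if spec is None:
        return True
    a = ipaddress.ip_address(addr)
    low, _, high = spec.partition("-")
    lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high or low)
    if a.version != lo.version:    # an IPv6 packet never matches an IPv4 range
        return False
    return lo <= a <= hi


def simple_matches(acl: SimpleAcl, pkt: Packet, now: float) -> bool:
    if acl.expires_at is not None and now >= acl.expires_at:
        return False               # TTL has elapsed, the ACL no longer applies
    return (in_range(pkt.src, acl.srcip)
            and (acl.protocol is None or acl.protocol == pkt.proto)
            and (acl.destport is None or acl.destport == pkt.dport))


def extended_matches(acl: ExtendedAcl, pkt: Packet) -> bool:
    addr_ok = in_range(pkt.src, acl.srcip) and in_range(pkt.dst, acl.destip)
    if acl.operator == "!=":
        addr_ok = not addr_ok
    return (addr_ok
            and (acl.protocol is None or acl.protocol == pkt.proto)
            and (acl.destport is None or acl.destport == pkt.dport))


def evaluate(pkt: Packet, simple: List[SimpleAcl], extended: List[ExtendedAcl],
             now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Return (verdict, acl_name): DENY/ALLOW/BRIDGE from the matching ACL,
    or PROCESS when the packet matches nothing and is processed normally."""
    now = time.time() if now is None else now
    if pkt.self_originated:
        return ("PROCESS", None)   # ACLs are not applied to self-originated traffic
    for s in simple:               # simple ACLs take precedence over extended ACLs
        if simple_matches(s, pkt, now):
            return ("DENY", s.name)
    for e in sorted(extended, key=lambda a: a.priority):
        if e.enabled and e.applied and extended_matches(e, pkt):
            return (e.action, e.name)
    return ("PROCESS", None)


def renumber(extended: List[ExtendedAcl]) -> None:
    """Reset priorities to 10, 20, 30, ... in the current evaluation order
    (assumption: renumbering starts at 10)."""
    for i, e in enumerate(sorted(extended, key=lambda a: a.priority), start=1):
        e.priority = i * 10
```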
If the packet is not from the same flow, or if the time duration is beyond the mean time, a new flow is created. Mean time is the time during which packets of the same flow do not generate additional messages (although the counter is incremented).
Note: The total number of different flows that can be logged at any given time is limited to 10,000.
The following table describes the parameters with which you can configure ACL logging at the rule level for extended ACLs.
Logging Parameters of an Extended ACL
Parameter: Specifies
Logstate (logstate): State of the logging feature for the ACL. Possible values: Enabled or Disabled. Default: Disabled.
RateLimit (ratelimit): Number of log messages that a specific ACL can generate. Default: 100.
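As an added illustration, not from the guide, this Python aggregates ACL hits into flows with the mean-time behaviour described above: a hit on a known flow inside the mean time only increments its counter, a hit after the mean time starts a new flow, and at most 10,000 flows are held. Treating RateLimit as a per-ACL message budget per mean-time window, and not logging a hit when the flow table is full, are assumptions made here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_LOGGED_FLOWS = 10_000  # flows that can be logged at any given time (from the guide)

# A flow is identified by the ACL that matched plus the packet's addressing fields.
FlowKey = Tuple[str, str, str, str, int]  # (acl, src, dst, proto, dport)


@dataclass
class Flow:
    first_seen: float
    hits: int = 1


@dataclass
class AclLogger:
    mean_time: float       # seconds during which a flow absorbs hits without a new message
    ratelimit: int = 100   # messages an ACL may generate per mean-time window (assumption)
    flows: Dict[FlowKey, Flow] = field(default_factory=dict)
    windows: Dict[str, Tuple[float, int]] = field(default_factory=dict)  # acl -> (start, count)
    messages: List[str] = field(default_factory=list)

    def _window_count(self, acl: str, now: float) -> int:
        """Messages the ACL has emitted in its current window, resetting a stale window."""
        start, count = self.windows.get(acl, (now, 0))
        if now - start >= self.mean_time:
            start, count = now, 0
        self.windows[acl] = (start, count)
        return count

    def _expire_flows(self, now: float) -> None:
        stale = [k for k, f in self.flows.items() if now - f.first_seen >= self.mean_time]
        for k in stale:
            del self.flows[k]

    def record(self, acl: str, action: str, src: str, dst: str,
               proto: str, dport: int, now: float) -> Optional[str]:
        """Account for one ACL hit. Returns the log message emitted, or None
        when the hit was folded into an existing flow or suppressed."""
        key = (acl, src, dst, proto, dport)
        flow = self.flows.get(key)
        if flow is not None and now - flow.first_seen < self.mean_time:
            flow.hits += 1                 # same flow within mean time: count only
            return None
        self._expire_flows(now)            # beyond mean time: the old flow is gone
        if len(self.flows) >= MAX_LOGGED_FLOWS:
            return None                    # flow table full (assumption: hit not logged)
        if self._window_count(acl, now) >= self.ratelimit:
            return None                    # this ACL has used its message budget
        self.flows[key] = Flow(first_seen=now)
        start, count = self.windows[acl]
        self.windows[acl] = (start, count + 1)
        msg = f"ACL {acl} {action} {proto} {src} -> {dst}:{dport}"
        self.messages.append(msg)
        return msg
```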
Use either of the following procedures to configure logging for an ACL and specify the number of log messages that the rule can generate.
To configure ACL Logging using the configuration utility
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, click the Extended ACLs tab, and then select the ACL for which you want to configure logging (for example, rule1).
3. Click Open.
4. In the Modify ACL dialog box, select the Log State check box.
5. In the Log Rate Limit text box, type the rate limit that you want to specify for the rule (for example, 200), and click OK.
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, click the Extended ACLs tab. The details of the available ACLs appear on this page.
3. Verify that the configured ACL, rule1, appears.
4. Select the ACL, rule1, and in the Details section, verify that the parameters displayed are as configured.
Use the following procedure to view the statistics of the extended ACLs, such as ACL Hits, NAT ACL Hits, Allow ACL Hits, Deny ACL Hits, Bridge ACL Hits, and ACL Misses.
To view the statistics of an extended ACL using the configuration utility
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the Extended ACLs tab, select the ACL whose statistics you want to view (for example, rule1).
3. Click Statistics.
To view the statistics of an extended ACL using the NetScaler command line
Example
stat ns acl rule1
Changing Source IP Address and Port
In the following procedure, an ACL, acl1, that allows traffic originating from a server with IP address 10.102.29.40 to an external client 209.165.202.11 is configured. The protocol is specified as TCP.
To configure an ACL using the configuration utility
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the Extended ACLs tab, click Add.
3. In the Add ACL dialog box, in the Name text box, type the name of the ACL (for example, acl1).
4. In the Action list, select an action (for example, ALLOW); in the Operator drop-down list, select an option (for example, =); and in the Protocol drop-down list, select a protocol (for example, TCP).
5. Under Source, in the Low and High text boxes, type the IP addresses (for example, 10.102.29.40 and 10.102.29.40).
6. Under Destination, in the Low and High text boxes, type the IP addresses (for example, 209.165.201.11 and 209.165.201.11).
7. Click Create and click Close.
Example
add acl acl1 allow -srcip 10.102.29.40 -destip 209.165.201.11 -protocol TCP
In the following procedure, an RNAT is configured to replace the source IP address of packets related to the example ACL, acl1, with the NAT IP address, 209.165.202.129. The destination port is configured to 8080.
To set RNAT to change the source IP address and destination port using the configuration utility
1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. In the details pane, on the RNAT tab, click Configure RNAT.
3. In the Configure RNAT dialog box, click the ACL radio button.
4. In the ACL Name drop-down list box, select the ACL that you want to configure (for example, acl1).
5. In the Redirect Port text box, type the port (for example, 8080).
6. In the Available NAT IP(s) list box, select the NAT IP address that you want to configure (for example, 209.165.202.129).
7. Click Add. The NAT IP you selected appears in the Configured NAT IP(s) list box.
8. Click Create, and click Close.
To set RNAT to change the source IP address and destination port using the NetScaler command line
Example
set rnat acl1 -natip 209.165.202.129 -redirectPort 8080
To apply an ACL
You must apply the ACL for the ACL to function. For instructions on how to apply an extended ACL using the configuration utility, see Applying an Extended ACL, on page 98.
To apply an ACL using the NetScaler command line
Note: The NetScaler uses ports 1024 to 64000 for mapped IP addresses and subnet IP addresses.
Configuring ACL6s
ACL6s are ACLs created specifically for IPv6 addresses. ACL6s also filter packets based on the parameters of the packet, such as source IP address, source port, action, and so on. An ACL6 defines the condition that a packet must satisfy for the NetScaler to process the packet, bridge the packet, or drop the packet. These actions are known as processing modes. The processing modes are:
ALLOW - The NetScaler processes the packet.
BRIDGE - The NetScaler bridges the packet to the destination without processing it.
DENY - The NetScaler drops the packet.
The NetScaler processes an IP packet directly when both of the following conditions exist:
ACL6s are configured on the NetScaler.
The IP packet does not match any of the ACL6s.
Creating ACL6s
You cannot create two ACL6s with the same parameters. If you attempt to create a duplicate, an error message appears. To create an ACL6, use the parameters described in the following table.
Basic Parameters for configuring an ACL6
Parameter: Specifies
Name: The alphanumeric name of the ACL6. Maximum length: 127 characters.
Source IP Address (subnet or host) (srcIPv6): The IPv6 address of the source system. You can specify a range or a specific address. You can also specify an IP address with a value of 0.0.0.0.
Action: The action associated with the ACL6. Possible values: BRIDGE, DENY, and ALLOW.
Operator: You can use the following operators while creating ACL6s: = and !=.
The following example describes the procedure to create an ACL6 named rule1. The NetScaler drops the IP packets originating from the device when its source IP address is between 10.102.0.0 and 10.102.255.255.
To create an ACL6 using the configuration utility
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the ACL6s tab, click Add.
3. In the Add ACL6 dialog box, in the Name text box, type the name of the ACL6 (for example, rule1).
4. In the Action and Operator list boxes, select the action and operator that you want to configure (for example, DENY and =).
5. Under Source, in the Low and High text boxes, type the IP addresses (for example, 10.102.0.0 and 10.102.255.255).
6. Click Create and click Close. The ACL6 you created appears on the ACL6s page.
Example
add ns acl6 rule1 deny -srcip 10.102.0.0-10.102.255.255
Applying ACL6s
After you create an ACL6, you must activate it by using the following procedure. This procedure re-applies all the ACL6s. For example, if you have created the ACL6s rule1 through rule10, and then you create an ACL6, rule11, and apply it, all of the ACL6s (rule1 through rule11) are freshly applied. If a session has a DENY ACL related to it, the session is destroyed. You must apply this procedure after every action you perform on an ACL6. For example, you must follow this procedure after disabling an ACL6.
Note: ACL6s created on the NetScaler do not work until they are applied.
To apply an ACL6 using the configuration utility
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the ACL6s tab, select the ACL6 that you want to apply (for example, rule1).
3. Click Commit.
4. In the Apply ACL(s) dialog box, click Yes.
Removing ACL6s
This section describes the procedure to remove ACL6s.
To remove an ACL6 using the configuration utility
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the ACL6s tab, select the ACL that you want to remove (for example, rule1).
3. Click Remove.
4. In the Remove dialog box, click Yes.
Example
rm ns acl6 rule1
To clear ACL6s using the configuration utility

1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the ACL6s tab, click Clear.
3. In the Clear ACL(s) dialog box, click Yes.
To enable or disable an ACL6 using the configuration utility

1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the ACL6s tab, select the ACL (for example, rule1) and do one of the following:
   To enable the ACL6, click Enable.
   To disable the ACL6, click Disable.
Example
enable ns acl6 rule1
disable ns acl6 rule1
Renumbering ACL6s
This section describes the procedure to renumber ACL6s. This procedure resets the priorities of the ACL6s to multiples of 10. For more information about priorities, see Modifying Extended ACLs, on page 100.
To renumber ACL6s using the configuration utility
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the ACL6s tab, click Renumber Priority(s).
3.
Modifying ACL6s
This section describes the procedure to modify ACL6s. You can configure the priority of an ACL6. The priority (an integer value) defines the order in which the NetScaler evaluates ACL6s. All priorities are multiples of 10, unless you configure a specific priority to an integer value. When you create an ACL6 without specifying a priority, the NetScaler automatically assigns a priority that is a multiple of 10. If a packet matches the condition defined by the ACL6, the NetScaler performs an action. If the packet does not match the condition defined by the ACL6, the NetScaler compares the packet against the ACL6 with the next-highest priority. To modify the ACL6, use the parameters listed in the following table.

Parameters for customizing an ACL6

Source PORT (srcPort): The port address of the source system. You can specify a range or a specific port address. You can also specify a port address with a value of 0.
Destination IP Address: The IP address of the destination system. You can specify a range or a specific address. You can also specify an IP address with a value of 0.0.0.0.
Destination PORT (destPort): The port address of the destination system. You can specify either a range or a specific port address. You can also specify a port address with a value of 0.
Source MAC Address: The MAC address of the source system. Only the last 32 bits are considered during a lookup.
Protocol (protocol): This is the protocol field in the IP header. The valid options for this parameter are ICMP, IGMP, TCP, EGP, IGP, ARGUS, UDP, RDP, RSVP, EIGRP, L2TP, and ISIS.
Protocol Number (protocolNumber): The IP protocol number (decimal). The minimum value is 1 and the maximum value is 255.
VLAN ID (vlan): The VLAN ID present in the VLAN tag of the packet. The minimum value is 1 and the maximum value is 255.
Interface (interface): This is the network interface on which the packet arrived.
ICMP Type: The ICMP message type. For example, to block DESTINATION UNREACHABLE messages, you must specify 3 as the ICMP type. For a complete list of ICMP types, see http://www.iana.org/assignments/icmp-parameters. The minimum value is 0 and the maximum value is 255.
ICMP Code (icmpCode): The ICMP message code. For example, to block DESTINATION HOST UNREACHABLE messages, specify 3 as the ICMP type and 1 as the ICMP code. For a complete list of ICMP types and codes, see http://www.iana.org/assignments/icmp-parameters. The minimum value is 0 and the maximum value is 255.
State (state): The state of the ACL. Possible values: ENABLED and DISABLED.
Priority (priority): The priority of the ACL. The minimum value is 0 and the maximum value is 10240.
Consider the following example. Two ACL6s, rule1 and rule2, are configured on the NetScaler and automatically assigned priorities 20 and 30. You have added a third ACL6, rule3, with priority 40. However, you want rule3 to be evaluated immediately after rule1. Hence, rule3 must have a priority between 20 and 30. You can modify the priority of rule3 to 25. The following procedure describes the steps to set the priority of rule3 to 25.
To modify the priority of an ACL6 using the configuration utility
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the ACL6s tab, select the ACL that you want to modify (for example, rule3).
3. Click Open.
4. In the Configure ACL(s) dialog box, in the Priority text box, type the priority that you want to configure on the ACL (for example, 25).
5. Click OK.
Example
set acl rule3 -priority 25
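As an added illustration of the priority and apply semantics described above (example code written for this page, not Citrix software), the following Python model keeps ACL6s in a table, auto-assigns priorities in multiples of 10, refuses duplicates, evaluates applied rules lowest priority first, and counts hits and misses as the statistics table later in this chapter does. The IPv6 prefixes and the names rule1 to rule3 are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, replace

ACTIONS = ("ALLOW", "DENY", "BRIDGE")


@dataclass(frozen=True)
class Acl6:
    name: str
    action: str                     # one of ACTIONS
    src: ipaddress.IPv6Network      # source host or subnet
    priority: int                   # 0..10240; lower values are evaluated first
    enabled: bool = True


class Acl6Table:
    """Configured ACL6s plus the snapshot that is actually in effect."""

    def __init__(self):
        self.rules = {}       # name -> Acl6, as configured
        self.applied = []     # rules in effect, sorted by priority
        self.stats = {"ALLOW": 0, "DENY": 0, "BRIDGE": 0, "hits": 0, "misses": 0}

    @staticmethod
    def _check_priority(priority):
        if not 0 <= priority <= 10240:
            raise ValueError("priority must be between 0 and 10240")

    def add(self, name, action, src, priority=None):
        """Create an ACL6; a rule duplicating an existing rule's parameters is refused."""
        if action not in ACTIONS:
            raise ValueError("action must be one of %s" % (ACTIONS,))
        net = ipaddress.IPv6Network(src)
        if name in self.rules or any(
                (r.action, r.src) == (action, net) for r in self.rules.values()):
            raise ValueError("an ACL6 with the same parameters already exists")
        if priority is None:
            # Without an explicit priority, the next multiple of 10 is assigned.
            highest = max((r.priority for r in self.rules.values()), default=0)
            priority = (highest // 10 + 1) * 10
        self._check_priority(priority)
        self.rules[name] = Acl6(name, action, net, priority)
        return priority

    def set_priority(self, name, priority):
        self._check_priority(priority)
        self.rules[name] = replace(self.rules[name], priority=priority)

    def set_state(self, name, enabled):
        self.rules[name] = replace(self.rules[name], enabled=enabled)

    def remove(self, name):
        del self.rules[name]

    def renumber(self):
        """Reset priorities to 10, 20, 30, ... without changing the evaluation order."""
        ordered = sorted(self.rules.values(), key=lambda r: r.priority)
        for n, rule in enumerate(ordered, start=1):
            self.rules[rule.name] = replace(rule, priority=10 * n)

    def apply(self):
        """Re-apply every ACL6; until this runs, configuration changes are inert."""
        self.applied = sorted(self.rules.values(), key=lambda r: r.priority)

    def priorities(self):
        """(name, priority) pairs in evaluation order, as configured."""
        return [(r.name, r.priority)
                for r in sorted(self.rules.values(), key=lambda r: r.priority)]

    def evaluate(self, src_ip):
        """Action of the first applied, enabled ACL6 matching the source, or None on a miss."""
        addr = ipaddress.IPv6Address(src_ip)
        for rule in self.applied:                  # ascending priority
            if rule.enabled and addr in rule.src:
                self.stats[rule.action] += 1
                self.stats["hits"] += 1
                return rule.action
        self.stats["misses"] += 1
        return None


if __name__ == "__main__":
    table = Acl6Table()
    table.add("rule1", "DENY", "2001:db8:1::/48", priority=20)
    table.add("rule2", "ALLOW", "2001:db8::/32", priority=30)
    table.add("rule3", "DENY", "2001:db8:2::/48")        # auto-assigned priority 40
    table.apply()
    print("before:", table.evaluate("2001:db8:2::5"))    # ALLOW: rule2 (30) wins over rule3 (40)
    table.set_priority("rule3", 25)                      # evaluate right after rule1
    table.apply()                                        # changes are inert until applied
    print("after: ", table.evaluate("2001:db8:2::5"))    # DENY: rule3 (25) now wins
    table.renumber()
    print(table.priorities())                            # rule1 10, rule3 20, rule2 30
```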
To verify the ACL6 configuration using the configuration utility

1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, click the ACL6s tab. The details of the available ACL6s appear on this page.
3. Verify that the configured ACL6, rule1, appears.
4. Select the ACL6, rule1, and in the Details section, verify that the parameters displayed are as configured.
Monitoring ACL6s
This section describes the procedure to view the statistics of an ACL6. The following table lists the statistics associated with ACL6s and their descriptions.

ACL6 Statistics

Allow ACL6 hits: Packets matching IPv6 ACLs with processing mode set to ALLOW. NetScaler processes these packets.
NAT ACL6 hits: Packets matching a NAT ACL6, resulting in a NAT session.
Deny ACL6 hits: Packets dropped because they match IPv6 ACLs with processing mode set to DENY.
Bridge ACL6 hits: Packets matching a bridge IPv6 ACL, which in transparent mode bypasses service processing.
ACL6 hits: Packets matching an IPv6 ACL.
ACL6 misses: Packets not matching any IPv6 ACL.
To view the statistics of an ACL6 using the configuration utility

1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the ACL6s tab, select the ACL whose statistics you want to view (for example, rule1).
3. Click Statistics.
To view the statistics of an ACL6 using the NetScaler command line
Example
stat ns acl6 rule1
Chapter 4
IP Routing
The NetScaler supports both dynamic and static routing. Because simple routing is not the primary role of a NetScaler, the main objective of running dynamic routing protocols is to enable route health injection (RHI), so that an upstream router can choose the best among multiple routes to a topographically distributed virtual server. Most NetScaler implementations use some static routes to reduce routing overhead. You can create backup static routes and monitor routes to enable automatic switchover in the event that a static route goes down. You can also assign weights to facilitate load balancing among static routes, create null routes to prevent routing loops, and configure IPv6 static routes. You can configure policy based routes (PBRs), which base routing decisions on criteria that you specify.

In This Chapter
Configuring Dynamic Routes
Configuring Route Health Injection
Configuring Static Routes
Configuring Policy Based Routes
Troubleshooting Routing Issues
Border Gateway Protocol (BGP)
Routing Information Protocol next generation (RIPng) for IPv6
Open Shortest Path First (OSPF) version 3 for IPv6
Connected routes. IP subnets that are directly reachable from the NetScaler. Typically, routes corresponding to the NSIP subnet and subnets over which routing protocols are enabled are present in NSM FIB as connected routes.

Kernel routes. All the VIP addresses on which the -hostRoute option is enabled are present in NSM FIB as kernel routes if they satisfy the required RHI levels. In addition, NSM FIB contains any static routes configured on the nscli that have the -advertise option enabled. Alternatively, if the NetScaler is operating in Static Route Advertisement (SRADV) mode, all static routes configured on the nscli are present in NSM FIB. These static routes are marked as kernel routes in NSM FIB, because they actually belong to the NS kernel.

Static routes. Normally, any static route configured in VTYSH is present in NSM FIB. If administrative distances of protocols are modified, this may not always be the case. An important point to note is that these routes can never get into the NS kernel.

Learned routes. If the NetScaler is configured to learn routes dynamically, the NSM FIB contains routes learned by the various dynamic routing protocols. Routes learned by OSPF, however, need certain special processing. They are downloaded to FIB only if the fib-install option is enabled for the OSPF process. This can be done from the router-config view in VTYSH.
Non-stop Forwarding
After failover, the secondary node takes some time to start the protocol, learn the routes, and update its routing table. But this does not affect routing, because the routing table on the secondary node is identical to the routing table on the primary node. This mode of operation is known as non-stop forwarding.
Using RIP
Routing Information Protocol (RIP) is a Distance Vector protocol. The NetScaler supports RIP as defined in RFC 1058 and RFC 2453. RIP can run on any subnet.
To enable or disable RIP routing using the configuration utility

1. In the navigation pane, expand System and click Settings.
2. In the details pane, under the Modes and Features group, click Change advanced features.
3. In the Configure Advanced Features dialog box, do one of the following:
   To enable RIP routing, select the RIP Routing check box.
   To disable RIP routing, clear the RIP Routing check box.
4. 5.
Examples
enable ns feature rip
disable ns feature rip
Configuring RIP
On the NetScaler, RIP can function in one of the following modes:
Advertising Routes
Limiting RIP Propagations
Displaying RIP Information
Advertising Routes
RIP enables an upstream router to load balance traffic between two identical vservers hosted on two standalone NetScaler devices. By using route advertisement, an upstream router can track network entities located behind the NetScaler. The following table describes the commands you have to set to advertise routes.

Route Advertising VTYSH commands for RIP

passive-interface interface_name: Suppress routing updates on an interface.
network ipaddress/prefix length: Broadcast network on which RIP is to be run.
redistribute static: State of the router in redistributing static routes. Use this command to enable the redistribution of static routes.
redistribute kernel: State of the router in redistributing kernel routes. Use this command to enable the redistribution of kernel routes.
Use the following procedures to configure RIP to advertise routes on the NetScaler.
To configure RIP to advertise routes using the VTYSH command line
To use the VTYSH command-line interface to configure RIP as the routing protocol, proceed as follows: At the NetScaler command prompt, type:
VTYSH
You are now at the VTYSH command prompt. At the VTYSH command prompt, type:
NS170# configure terminal
NS170(config)# router rip
NS170(config-router)# network IPaddress/PrefixLength
NS170(config-router)# redistribute kernel [route-map map-tag]
Use the following procedures to limit RIP propagation by setting an interface to listen-only mode.
To limit RIP propagations using the VTYSH command line
You are now at the VTYSH command prompt. At the VTYSH command prompt, type:
NS170# configure terminal
NS170(config)# router rip
NS170(config-router)# passive-interface interface_name
To view the RIP settings using the VTYSH command line
You are now in the VTYSH command prompt. An output similar to the following appears:
NS170#
Using OSPF
The NetScaler supports Open Shortest Path First (OSPF) Version 2 (RFC 2328). The features of OSPF on the NetScaler are:
The NetScaler supports OSPF within a single area only.
If a vserver is active, the host routes to the vserver can be injected into the routing protocols.
OSPF can run on any subnet.
Route learning advertised by neighboring OSPF routers can be disabled on the NetScaler.
The NetScaler can advertise Type-1 or Type-2 external metrics for all routes.
The NetScaler can advertise user-specified metric settings for VIP routes. For example, you can configure a metric per VIP without special route maps.
You can specify the OSPF area ID for the NetScaler.
To enable or disable OSPF routing using the configuration utility

1. In the navigation pane, expand System and click Settings.
2. In the details pane, under the Modes and Features group, click Change advanced features.
3. In the Configure Advanced Features dialog box, do one of the following:
   To enable OSPF routing, select the OSPF Routing check box.
   To disable OSPF routing, clear the OSPF Routing check box.
4. 5.
Configuring OSPF
You can configure OSPF on an existing route. In addition to basic configuration, you can configure route learning and route advertising. If necessary, you can limit OSPF propagation. The NetScaler supports the OSPF NSSA enhancement. After configuration, you should review your settings.
Specifies ID for the OSPF process. OSPF router-id is specified IP address format. Broadcast network on which RIP is to be run. Area ID of the area in which OSPF is running. The stub link or the host address.
To use the VTYSH command-line interface to configure OSPF as the routing protocol, proceed as follows: At the NetScaler command prompt, type:
VTYSH
You are now in the VTYSH command prompt. An output similar to the following appears:
NS170#
Specifies
Redistribute static routes.
Use the following procedures to configure OSPF to advertise routes on the NetScaler.
To configure OSPF to advertise routes using the VTYSH command line
You are now in the VTYSH command prompt. An output similar to the following appears:
NS170#
You are now in the VTYSH command prompt. An output similar to the following appears:
NS170#
You are now in the VTYSH command prompt. An output similar to the following appears:
NS170#
NSSA Support
The NetScaler now supports not-so-stubby areas (NSSAs). An NSSA is similar to an OSPF stub area but allows injection of external routes in a limited fashion into the stub area. To support NSSAs, a new option bit (the N bit) and a new type (Type 7) of Link State Advertisement (LSA) area have been defined. Type 7 LSAs support external route information within an NSSA. An NSSA area border router (ABR) translates a type 7 LSA into a type 5 LSA that is propagated into the OSPF domain. The OSPF specification defines only the following general classes of area configuration:
Type 5 LSA: Originated by routers internal to the area and flooded into the domain by AS border routers (ASBRs).
Stub: Allows no type 5 LSAs to be propagated into/throughout the area and instead depends on default routing to external destinations.
Using BGP
The NetScaler supports BGP-4 (RFC 1771). The features of BGP on the NetScaler are:
The NetScaler advertises routes to BGP peers.
The NetScaler injects host routes to virtual IP addresses (VIPs) based on the health of the underlying vservers.
The NetScaler generates configuration files for running BGP on the secondary node after failover in an HA configuration.
This protocol supports IPv6 route exchanges.
To enable or disable BGP routing using the configuration utility
1. In the navigation pane, expand System and click Settings.
2. In the details pane, under the Modes and Features group, click Change advanced features.
3. In the Configure Advanced Features dialog box, do one of the following:
   To enable BGP routing, select the BGP Routing check box.
   To disable BGP routing, clear the BGP Routing check box.
4. 5.
Example
enable ns feature BGP
disable ns feature BGP
Configuring BGP
You can use BGP on a NetScaler to advertise routes and to learn routes. The following table describes the required command for configuring BGP.

Basic BGP VTYSH command

router bgp ASnumber: BGP autonomous system. AS number is a mandatory parameter. Possible values: 1 to 4,294,967,295.
You are now in the VTYSH command prompt. An output similar to the following appears:
NS170#
Advertising Routes
You can configure the NetScaler to advertise host routes to VIPs and to advertise routes to downstream networks. The following table describes the commands for configuring the NetScaler to advertise BGP routes.

Route Advertising VTYSH commands for BGP

redistribute static: Redistribute static routes.
redistribute kernel
redistribute connected
Use the following procedures to configure BGP to advertise routes on the NetScaler.
To configure BGP to advertise routes using the VTYSH command line
You are now in the VTYSH command prompt. An output similar to the following appears:
NS170#
You can associate both prefix lists and access lists with route maps by using the following command:
NS170(config-router)# match ip address <prefix-list> | <accesslist>
  <1-199>       IP access-list name
  <1300-2699>   IP access-list name
  WORD          IP access-list name
  prefix-list   Match entries of prefix-lists
At the NetScaler command prompt, type the following commands in the following order:

Commands

VTYSH
Example: >VTYSH

configure terminal
Example: NS# configure terminal

router BGP ASnumber
Example: NS(config)# router BGP 5

Neighbor IPv6address remote-as as-number
Updates the IPv6 BGP neighbor table with the link local IPv6 address of the
Example: NS(config-router)# Neighbor a1bc::102 remote-as 100

Address-family ipv6
Exchanges prefixes for the IPv6 router family between the peer and the local node using the link local address.
Example: NS(config-router)# Address-family ipv6

redistribute kernel
Example: NS(config-router)# redistribute kernel

redistribute static
Example: NS(config-router)# redistribute static
You are now in the VTYSH command prompt. An output similar to the following appears:
NS170#
Prerequisites
The procedures in this topic require some knowledge of the IPv6 RIP protocol. Before you begin configuring IPv6 RIP, do the following:
Install the IPv6PT license on the NetScaler for supporting IPv6.
Enable the IPv6 feature by using the configuration utility or NetScaler command line.
At the NetScaler command prompt, type the following commands in the following order:
Commands
VTYSH
Example: > VTYSH

configure terminal
Commands
ns IPv6-routing
To configure IPv6 RIP to advertise IPv6 routes by using the VTYSH command line
At the NetScaler command prompt, type the following commands in the following order:
Commands
VTYSH
Starts IPv6 RIP routing process and enters into configuration mode for the routing process.
Example: NS(config-router)# redistribute static

redistribute kernel
Example: NS(config-router)# redistribute kernel
At the NetScaler command prompt, type the following commands in the following order:
Commands
VTYSH
Starts IPv6 RIP routing process and enters into configuration mode for the routing process.
At the NetScaler command prompt, type the following commands in the following order:
Commands
VTYSH
Commands
sh ipv6 rip
Prerequisites
The procedures in this topic require some knowledge of the IPv6 OSPF protocol. Before you begin configuring IPv6 OSPF, do the following:
Install the IPv6PT license on the NetScaler for supporting IPv6.
Enable the IPv6 feature by using the configuration utility or NetScaler command line.
At the NetScaler command prompt, type the following commands in the following order:
Commands
VTYSH
At the NetScaler command prompt, type the following commands in the following order:
Commands
VTYSH
Starts IPv6 OSPF routing process and enters into configuration mode for the routing process.
At the NetScaler command prompt, type the following commands in the following order:
Commands
VTYSH
Starts IPv6 OSPF routing process and enters into configuration mode for the routing process.
At the NetScaler command prompt, type the following commands in the following order:
Commands
VTYSH
At the NetScaler command prompt, type the following commands for the routes you want to install:
Commands
VTYSH
Example: >VTYSH
Commands
configure terminal
Example: NS# configure terminal

ns route-install Default
Commands
ns route-install IPv6 OSPF: Installs IPv6 OSPF specific routes to the internal routing table.
Enabling RHI
Use either of the following procedures to enable RHI. (The procedures include examples for enabling RHI for the IPv4 VIP 10.102.29.54, so that the NetScaler advertises the host route associated with this IP address.)
To enable RHI using the configuration Utility
1. In the navigation pane, expand Network and click IPs.
2. On the IPs page, on the IPV4s tab, select the vserver IP address for which you want to enable RHI (for example, select 10.102.29.54), and then click Open.
3. In the Configure IP dialog box, under Host Route, select the Enable check box.
4. Click OK.
Example
set ip 10.102.29.54 -hostroute enabled
Note: To enable RHI for IPv6 addresses, use the same procedure but with an IPv6 address. For more information on the parameters, see Customizing VIP IPv6 Addresses, on page 172.
Advertising of RHI host routes depends on the vserver RHI level setting, as shown in the following table.

Limiting Route Advertising Parameters for VIPs

VserverRHILevel setting ONE_VSERVER: Host route is advertised when at least a single vserver is running.
VserverRHILevel setting ALL_VSERVERS: Host route is advertised only when all the vservers are running.
VserverRHILevel setting None: Host route is advertised when none of the vservers are running.
In the configuration utility, you can set the vserver RHI level in either the Create IP or the Configure IP dialog box. At the NetScaler command line, enter one of the settings shown in the preceding table as the value for the vserverRHILevel argument of either the add ns ip or set ns ip command. For more information on the parameters required, see Customizing the Attributes of a VIP, on page 3.
Advertising Networks
The following table describes the required parameters for advertising networks for RHI.

Route Advertising for RHI

Network (network): Destination network.
Netmask (netmask): Subnet mask of the destination network.
Gateway IP (gateway): Gateway for this route.
Over-ride Global (advertise): Advertise this route. Possible values: DISABLED and ENABLED.
Use either of the following procedures to advertise networks. (The procedures include examples that set the first IP address in the network to 10.102.29.0, the subnet mask of the network to 255.255.255.0, and the gateway for the network to 10.102.29.50. The dynamic routing protocol is set to OSPF, but RIP and BGP are also valid choices.)
To advertise networks using the configuration utility
1. In the navigation pane, expand Network, click Routes, and then click the Basic tab.
2. In the details pane, click Add.
3. In the Create Route dialog box, in the Network, Netmask and Gateway IP text boxes, respectively, type the network, subnet mask and the gateway IP address for the network you want to advertise (for example, 10.102.29.0, 255.255.255.0, and 10.102.29.50).
4. Under Route Advertisement, select the Over-ride Global check box.
5. Select Enable.
6. Under Protocol, select a check box (for example, OSPF).
7. Click Create and click Close.
Note: If you have configured static routes on the NetScaler and enabled L3 mode, static routes configuration takes precedence over the L3 mode configuration. For instance, if you have configured a firewall load balancing vserver and static routes on the NetScaler, the NetScaler uses the routing table to route the traffic instead of sending the traffic to the firewall load balancing vserver.
To view the routes using the configuration utility

In the navigation pane, expand Network, and click Routes. The Basic page appears in the details pane. The information about the networks, subnet mask, gateway IP, costs, flags and route advertising appears on the Routes page.
To view the routes using the NetScaler command line
Router R1 moves traffic between the client and the NetScaler appliance. The NetScaler can reach servers S1 and S2 through routers R2 or R3. The NetScaler has two static routes to reach the servers' subnet, one with R2 as the gateway and another with R3 as the gateway. Both these routes have monitoring enabled. The administrative distance of the static route with gateway R2 is lower than that of the static route with gateway R3. Therefore, R2 is preferred over R3 to forward traffic to the servers. Also, the default route on the NetScaler points to R1 so that all Internet traffic exits properly. If R2 fails, the NetScaler marks the static route with R2 as the gateway as DOWN, because monitoring is enabled on that route. The NetScaler now uses the R3 static route as the gateway and forwards the traffic to the servers through R3.

The NetScaler supports monitoring of both IPv4 and IPv6 static routes. You can configure the NetScaler to monitor an IPv4 static route either by creating a new ARP or PING monitor or by using existing ARP or PING monitors. You can configure the NetScaler to monitor an IPv6 static route either by creating a new Neighbor Discovery for IPv6 (ND6) or PING monitor or by using existing ND6 or PING monitors.
Null Routes
If the route chosen in a routing decision is inactive, the NetScaler chooses a backup route. If all the routes become inaccessible, the NetScaler might reroute the packet to the sender, which could result in a routing loop leading to network congestion. To prevent this situation, you can create a null route, which adds a null interface as a gateway. The null route is never the preferred route, because it has a higher administrative distance than the other static routes. But it is selected if the other static routes become inaccessible. In that case, the NetScaler drops the packet and prevents a routing loop.
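The failover and null route behaviour described in the R1/R2/R3 example above, as an added Python model (example code written for this page, not Citrix software): routes are chosen by longest prefix, then by lowest administrative distance among routes whose monitor reports UP, a null route sits at the fixed distance 255 so it is used only when every other static route is down, and routes that tie are split by weight. The gateway addresses are constructed, and the flow hash (source address XOR destination address) is an assumption made here for determinism, not the appliance's own hashing.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

DROP = "DROP"   # lookup result when a null route is selected


@dataclass
class StaticRoute:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None marks a null route
    distance: int = 1               # administrative distance, 1..255, lower preferred
    cost: int = 0                   # 0..65535, lower preferred
    weight: int = 1                 # ECMP share, 1..65535
    msr: bool = False               # monitored static route
    monitor: Optional[str] = None   # e.g. "PING" or "ARP"
    state: str = "UP"

    def __post_init__(self):
        if self.gateway is None:
            self.distance = 255     # null routes have a fixed distance of 255
        elif not 1 <= self.distance <= 255:
            raise ValueError("distance must be 1..255")
        if not 0 <= self.cost <= 65535:
            raise ValueError("cost must be 0..65535")
        if not 1 <= self.weight <= 65535:
            raise ValueError("weight must be 1..65535")


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, network, gateway=None, **params):
        """Add a static route; omit the gateway to create a null route."""
        gw = ipaddress.IPv4Address(gateway) if gateway else None
        route = StaticRoute(ipaddress.IPv4Network(network), gw, **params)
        self.routes.append(route)
        return route

    def monitor_result(self, gateway, reachable):
        """Record a monitor probe result; only routes with msr enabled change state."""
        gw = ipaddress.IPv4Address(gateway)
        for route in self.routes:
            if route.gateway == gw and route.msr:
                route.state = "UP" if reachable else "DOWN"

    def lookup(self, src, dst):
        """Next hop for a packet from src to dst: a gateway string, DROP, or None."""
        src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        usable = [r for r in self.routes if r.state == "UP" and dst in r.network]
        if not usable:
            return None
        # Longest prefix match first, then lowest distance, then lowest cost.
        longest = max(r.network.prefixlen for r in usable)
        usable = [r for r in usable if r.network.prefixlen == longest]
        best = min((r.distance, r.cost) for r in usable)
        ecmp = [r for r in usable if (r.distance, r.cost) == best]
        # Tied routes share traffic by weight: the flow hash picks a bucket
        # (src XOR dst is this example's stand-in for the appliance's hash).
        bucket = (int(src) ^ int(dst)) % sum(r.weight for r in ecmp)
        for route in ecmp:
            if bucket < route.weight:
                return DROP if route.gateway is None else str(route.gateway)
            bucket -= route.weight
        return None   # not reached: the buckets cover the whole weight sum


if __name__ == "__main__":
    rt = RoutingTable()
    rt.add("0.0.0.0/0", "10.0.0.1")                                        # default via R1
    rt.add("192.168.20.0/24", "10.1.1.2", distance=1, msr=True, monitor="PING")  # via R2
    rt.add("192.168.20.0/24", "10.1.1.3", distance=5, msr=True, monitor="PING")  # via R3
    rt.add("192.168.20.0/24")                                              # null route
    print(rt.lookup("10.0.0.9", "192.168.20.7"))   # 10.1.1.2: R2 has the lower distance
    rt.monitor_result("10.1.1.2", False)           # R2 fails, its route goes DOWN
    print(rt.lookup("10.0.0.9", "192.168.20.7"))   # 10.1.1.3: backup route via R3
    rt.monitor_result("10.1.1.3", False)           # R3 fails too
    print(rt.lookup("10.0.0.9", "192.168.20.7"))   # DROP: null route, not back to R1
```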
Network (network): Network for which the route is being created.
Netmask (netmask): Subnet mask for the network.
Null Route: Drop the packets this route receives. Possible values: Yes and No. Default: No. Null routes have a fixed distance of 255.
Gateway IP (gateway): Gateway for this route.
Distance (distance): Administrative distance of this route. Possible values: 1 through 255. Default: 1.
Cost (cost): Value used by the routing algorithms to compare performance. The route having the lowest cost is the most preferred route. Possible values: 0 to 65535.
Weight (weight): Value to facilitate balancing the load on ECMP routes. This value is compared with the hashed value of the packet and a route is chosen. Specific to ECMP routes. Possible values: 1 to 65535. Default: 1.
Over-ride Global (advertise): State of advertisement of this route. Possible values: Enabled or Disabled. Default: Enabled.
Protocol (protocol): Routing protocols used for advertising routes. Possible values: OSPF, RIP, and BGP.
Monitor (monitor): Monitor this route. Possible values: Enabled and Disabled. Default: Disabled.
Monitor Type: Type of monitor. Determines the protocol used for monitoring the route (for example, PING or ARP).
The following procedure includes sample IP addresses that you could use to create three different static routes. By performing the procedure three times, and using different values each time, you could create a simple static route to destination network 192.168.20.0 with a gateway IP of 192.168.20.2, a null route to destination 10.10.1.0, and a monitored static route to destination 192.168.10.0 with a gateway IP of 192.168.10.10.
To create a static route using the configuration utility
1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. In the details pane, on the Basic tab, click Add.
3. In the Create Route dialog box, in the Network, Netmask, and Gateway IP text boxes, type the network IP address, the subnet mask of the network and the Gateway IP address (for example, 192.168.20.0 and 255.255.255.0, or 10.10.1.0 and 255.255.255.0, or 192.168.10.0 and 255.255.255.0).
4. If you are creating a null route, set the NULL Route radio button to Yes, and then click Create and Close. If this is not to be a null route, leave the radio button set to No and proceed with the following steps.
5. In the Gateway IP text box, enter the Gateway IP address (for example, 192.168.20.2 or 192.168.10.10).
6. In the Cost text box, type the cost metric of the route (for example, 2).
7. Optionally, to assign a weight to the route, change the value in the Weight text box from the default value of 1 to a higher value.
8. Optionally, to advertise the route, select the Over-ride Global check box, and then select the Enable radio button.
9. To create an unmonitored static route, click Create, and then click Close. To create a monitored static route, proceed with the following steps.
10. In the Distance text box, type the administrative distance of the route (for example, 3).
11. Select the Monitored Static Route check box.
12. In the Monitor list box, select the monitor that you want to use for monitoring the static route (for example, PING). Click Create, and then click Close.
Example
add network route 192.168.10.0 255.255.255.0 192.168.10.10 -weight 5 -distance 3 -msr ENABLED -monitor PING
Example
add network route 10.10.1.0 255.255.255.0 null
To modify a static route using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, click the Basic tab, select the route you want to modify (for example, 192.168.10.0), and then click Open.
3. In the Configure Route dialog box, which contains the same elements as does the Add Route dialog box as described in Adding a Static Route, on page 148, change one or more values.
4. To change a text field, select it and enter a new value. (For example, in the Weight text box, you could enter a value such as 5.)
5. To change values that do not have text fields, select or clear check boxes as appropriate, or select a different radio button. (For example, to disable monitoring of the route, clear the Monitored Static Route check box.)
To assign weights to a monitored static route using the NetScaler command line
Example
set network route 192.168.10.0 255.255.255.0 192.10.10.10 -weight 5
Example
set network route 192.168.10.0 255.255.255.0 192.10.10.0 -msr DISABLED
To remove a static route using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, click the Basic tab, select the route you want to remove (for example, 192.168.20.2), and then click Remove.
3. In the Remove dialog box, click Yes.
Example
rm network route 192.168.20.0 255.255.255.0 192.10.20.2
Network: Network for which the route is being created. Mandatory.
Gateway IP (gateway): Gateway for this route. Mandatory.
VLAN (vlan): Virtual LAN (VLAN) number associated with the route. Possible values: 1 to 4094. Default: 0. Mandatory for linklocal address type.
Distance (distance): Administrative distance of this route. Possible values: 1 through 255. Default: 1.
Cost (cost): Value used by the routing algorithms to compare performance. The route having the lowest cost is the most preferred route. Possible values: 0 to 65535.
Weight (weight): Value for balancing the load on ECMP routes. This value is compared with the hashed value of the packet and a route is chosen. Specific to ECMP routes. Possible values: 1 to 65535. Default: 1.
Advertise (advertise): Advertise this route. Possible values: Enabled and Disabled. Default: Enabled.
Monitor (monitor): Monitor this route. Possible values: Enabled and Disabled. Default: Disabled. An ND6 or a PING monitor that will be used for monitoring the IPv6 static route.
1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, click the IPv6 tab, and then click Add.
3. In the Create IPv6 Route dialog box, in the Network and Gateway IP text boxes, type the network and gateway IP address for which you want to add a route (for example, ::/0 and fe80::67).
4. If you are adding a link-local IP address, in the VLAN text box, type the VLAN for which you want to add the route (for example, 5).
5. To create an unmonitored static route, click Create, and then click Close. To create a monitored static route, proceed with the following steps.
6. In the Distance text box, type the administrative distance of the route (for example, 3).
7. Select the Monitored Static Route check box.
8. In the Monitor list box, select the monitor that you want to use for monitoring the static route (for example, ND6).
9. Click Create, and then click Close.
Example
add route6 ::/0 fe80::67 -vlan 5
To create a monitored IPv6 static route by using the NetScaler command line
Example
add network route6 ::/0 fe80::67 -distance 3 -msr ENABLED -monitor ND6
Citrix NetScaler Networking Guide
To remove an IPv6 route using the configuration utility
1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, click the IPV6 tab.
3. Select the network from which you want to remove the route (for example, ::/0), and then click Remove.
4. In the Remove dialog box, click Yes.
Example
rm route6 ::/0 2001::1
Distance (distance)
    Administrative distance of this route. Possible values: 1 through 255. Default: 1.
Cost (cost)
    Value used by the routing algorithms to compare performance. The route having the lowest cost is the most preferred route. Possible values: 0 to 65535.
Weight (weight)
    Value for balancing the load on ECMP routes. This value is compared with the hashed value of the packet and a route is chosen. Specific to ECMP routes. Possible values: 1 to 65535. Default: 1.
Advertise (advertise)
    Advertise this route. Possible values: Enabled and Disabled. Default: Enabled.
1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, click the IPV6 tab.
3. Select the network that you want to customize (for example, ::/0) and click Open.
4. In the Configure IPv6 Route dialog box, in the Distance, Cost, and Weight text boxes, modify the distance, cost, and weight (for example, 1, 2, and 5).
5. To enable advertising the IPv6 route, select the Advertise check box.
Example
set route6 1::1/100 2000::1 -distance 1 -cost 2 -advertise Enabled
1. In the navigation pane, expand Network, and then click Routes.
2. On the Routes page, click the IPV6 tab.
ALLOW
    The NetScaler sends the packet to the desired next-hop router.
DENY
    The NetScaler applies the routing table for normal destination-based routing.
The NetScaler also processes PBRs before RNAT rules. Many users begin by creating PBRs and then modifying them. To activate a new PBR, you must apply it. To deactivate a PBR, you can either remove or disable it. You can change the priority number of a PBR to give it a higher or lower precedence.
Creating a PBR
You cannot create two PBRs with the same parameters. If you attempt to create a duplicate, an error message appears. The following table describes the parameters you use to create a basic PBR.
Basic Parameters for configuring a PBR
Name (name)
    The name of the PBR.
Next Hop (nexthop)
    The IP address of the next hop router to which to send matching packets if action is set to ALLOW.
Source IP Address (subnet or host) (srcIP)
    The IP address of the source machine. You can specify a range or a specific IP address. To specify a specific address, type the same value for both the beginning and the end of the range. You can also specify an IP address with a value of 0.0.0.0.
Action (action)
    The action to perform on packets that match the PBR. Possible values: ALLOW and DENY.
Operator (operator)
    Either the = or the != operator.
1. In the navigation pane, expand Network, and then click PBRs.
2. In the details pane, click Add.
3. In the Add PBR dialog box, in the Name text box, type the name of the PBR (for example, p1).
4. In the Action list, select the action that you want to configure (for example, Allow).
5. In the Next Hop text box, type the IP address of the next hop router (for example, 10.102.1.1).
6. In IP Address, under Source, in the Operator list, select the operator.
7. In the Low and High text boxes, respectively, type the lowest and highest IP address in the range that you want to specify (for example, 10.102.0.0 and 10.102.255.255). To specify a single IP address, type the same address in both boxes.
8. Click Create, and then click Close. The PBR you created appears on the PBRs page.
Example
add ns PBR p11 ALLOW -srcip 10.102.0.0-10.102.255.255 -nexthop 10.102.1.1
Applying a PBR
You must apply a PBR to activate it. The following procedure reapplies all PBRs that you have not disabled. The PBRs constitute a memory tree (lookup table). For example, if you create 10 PBRs (p1 - p10), and then you create another PBR (p11) and apply it, all of the PBRs (p1 - p11) are freshly applied and a new lookup table is created. If a session has a DENY PBR related to it, the session is destroyed. You must apply this procedure after every modification you make to any PBR. For example, you must follow this procedure after disabling a PBR. Note: PBRs created on the NetScaler do not work until they are applied.
1. In the navigation pane, expand Network, and then click PBRs.
2. In the details pane, select the PBR that you want to apply (for example, p1).
3. Click Commit.
4. In the Apply PBR(s) dialog box, click Yes.
To apply a PBR by using the NetScaler command line
Removing PBRs
You can remove a single PBR or all PBRs.
To remove one or all PBRs by using the configuration utility
1. In the navigation pane, expand Network, and then click PBRs.
2. To remove a single PBR, in the details pane, select the PBR that you want to remove (for example, p1), and then click Remove.
3. To remove all PBRs, click Clear.
At the NetScaler command prompt, type one of the following commands. Use the first command to remove a specific PBR or the second command to remove all PBRs.
rm ns PBR PBRname
clear ns PBRs
Example
rm ns PBR p1
1. In the navigation pane, expand Network, and then click PBRs.
2. In the details pane, select the PBR (for example, p1) and do one of the following: To enable the PBR, click Enable. To disable the PBR, click Disable.
Examples
enable ns PBR p1
disable ns PBR p1
Modifying PBRs
You can configure the priority of a PBR. The priority (an integer value) defines the order in which the NetScaler evaluates PBRs. All priorities are multiples of 10, unless you configure a specific priority to an integer value. When you create a PBR without specifying a priority, the NetScaler automatically assigns a priority that is a multiple of 10. If a packet matches the condition defined by the PBR, the NetScaler performs the action. If the packet does not match the condition defined by the PBR, the NetScaler compares the packet against the PBR with the next-highest priority. To modify the PBR, use the parameters described in the following table.
Parameters for customizing a PBR
Source PORT (srcPort)
    The port address of the source machine. You can specify either a range or a specific port address.
Destination IP
    The IP address of the destination machine. You can specify a range or a specific address. You can also specify an IP address with a value of 0.0.0.0.
Destination PORT (destPort)
    The port address of the destination machine. You can specify either a range or a specific port address. You can also specify a port address with a value of 0.
Source MAC
    The MAC address of the source machine. Only the last 32 bits are considered during a lookup.
Protocol (protocol)
    Protocol field in the IP header. Possible values: ICMP, IGMP, TCP, EGP, IGP, ARGUS, UDP, RDP, RSVP, EIGRP, L2TP, and ISIS.
Protocol Number (protocolNumber)
    The IP protocol number (decimal). The minimum value is 1 and the maximum value is 255.
VLAN ID (vlan)
    The VLAN ID present in the VLAN tag of the packet. The minimum value is 1 and the maximum value is 255.
Interface
    The network interface on which the packet arrived.
State (state)
    The state of the PBR. Possible values: ENABLED, DISABLED. Default: ENABLED.
Priority (priority)
    The priority of the PBR. Minimum value: 0. Maximum value: 10240.
Consider the following example. Two PBRs, p1 and p2, are configured on the NetScaler and automatically assigned priorities 20 and 30. You need to add a third PBR, p3, to be evaluated immediately after the first PBR, p1. The new PBR, p3, must have a priority between 20 and 30. In this case, you can specify the priority as 25.
To modify the priority of a PBR by using the configuration utility
1. In the navigation pane, expand Network, and then click PBRs.
2. In the details pane, select the PBR that you want to modify (for example, p1).
3. Click Open.
4. In the Modify PBR dialog box, in the Priority text box, type the priority that you want to configure on the PBR (for example, 20).
5. Click OK.
Example
set ns PBR p1 -priority 20
Renumbering PBRs
You can automatically renumber the PBRs to set their priorities to multiples of 10.
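The following Python model is an added illustration of the PBR behaviour described in Creating, Applying, Modifying, and Renumbering PBRs; it is not Citrix code and does not reproduce the NetScaler's internal lookup tree. It models source-IP matching with the = and != operators, evaluation in ascending priority order, ALLOW returning the next hop and DENY falling back to the routing table, a lookup table that changes only when apply() is called, rejection of duplicate parameter sets, and renumbering to multiples of 10; the rule that an unspecified priority becomes the next free multiple of 10 is an assumption, and all addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import List, Optional, Tuple

ROUTING_TABLE = "ROUTING_TABLE"  # DENY or no match: normal destination-based routing


@dataclass
class PBR:
    name: str
    action: str                     # "ALLOW" or "DENY"
    src_low: IPv4Address            # source range; low == high for a single host
    src_high: IPv4Address
    operator: str                   # "=" matches inside the range, "!=" outside it
    nexthop: Optional[IPv4Address]  # next-hop router, required when action is ALLOW
    priority: int                   # lower value is evaluated first
    enabled: bool = True

    def matches(self, src: IPv4Address) -> bool:
        in_range = self.src_low <= src <= self.src_high
        return in_range if self.operator == "=" else not in_range

    def key(self) -> Tuple:
        # Parameter set that must be unique; a second PBR with these values is rejected.
        return (self.action, self.src_low, self.src_high, self.operator, self.nexthop)


class PBRTable:
    def __init__(self) -> None:
        self.pbrs: List[PBR] = []    # configured PBRs, including unapplied changes
        self.lookup: List[PBR] = []  # lookup table in force, rebuilt only by apply()

    def add(self, name: str, action: str, src_low: str, src_high: str,
            operator: str = "=", nexthop: Optional[str] = None,
            priority: Optional[int] = None) -> PBR:
        if action not in ("ALLOW", "DENY") or operator not in ("=", "!="):
            raise ValueError("action must be ALLOW/DENY and operator = or !=")
        if action == "ALLOW" and nexthop is None:
            raise ValueError("ALLOW requires a next hop")
        if priority is None:
            # Assumption: an unspecified priority becomes the next multiple of 10
            # above the highest priority already configured (10 for the first PBR).
            highest = max((p.priority for p in self.pbrs), default=0)
            priority = (highest // 10 + 1) * 10
        pbr = PBR(name, action, ip_address(src_low), ip_address(src_high), operator,
                  ip_address(nexthop) if nexthop is not None else None, priority)
        if any(p.name == name or p.key() == pbr.key() for p in self.pbrs):
            raise ValueError(f"PBR {name!r} duplicates an existing PBR")
        self.pbrs.append(pbr)
        return pbr

    def set_state(self, name: str, enabled: bool) -> None:
        # enable/disable ns PBR; like every change, it takes effect only after apply()
        next(p for p in self.pbrs if p.name == name).enabled = enabled

    def apply(self) -> None:
        # Every enabled PBR is re-applied and a fresh lookup table is built.
        self.lookup = sorted((p for p in self.pbrs if p.enabled), key=lambda p: p.priority)

    def renumber(self) -> None:
        # Keep the evaluation order but reset priorities to 10, 20, 30, ...
        for i, p in enumerate(sorted(self.pbrs, key=lambda p: p.priority), start=1):
            p.priority = 10 * i

    def priorities(self) -> List[Tuple[str, int]]:
        return [(p.name, p.priority) for p in sorted(self.pbrs, key=lambda p: p.priority)]

    def evaluate(self, src: str) -> Tuple[Optional[str], str]:
        """Return (name of the matching PBR or None, next hop or ROUTING_TABLE)."""
        addr = ip_address(src)
        for p in self.lookup:  # ascending priority; the first matching PBR decides
            if p.matches(addr):
                return p.name, str(p.nexthop) if p.action == "ALLOW" else ROUTING_TABLE
        return None, ROUTING_TABLE


def demo() -> dict:
    """Reproduce the p1/p2/p3 priority example from the text (constructed addresses)."""
    t = PBRTable()
    t.add("p1", "ALLOW", "10.102.0.0", "10.102.255.255", nexthop="10.102.1.1", priority=20)
    t.add("p2", "ALLOW", "10.102.0.0", "10.102.255.255", operator="!=",
          nexthop="10.0.0.1", priority=30)
    t.apply()
    before = t.evaluate("10.1.2.3")                 # p2 forwards it to 10.0.0.1
    t.add("p3", "DENY", "10.1.0.0", "10.1.255.255", priority=25)  # sits between p1 and p2
    unapplied = t.evaluate("10.1.2.3")              # unchanged until apply()
    t.apply()
    after = t.evaluate("10.1.2.3")                  # p3 now denies: routing table
    t.renumber()
    return {"before": before, "unapplied": unapplied, "after": after,
            "priorities": t.priorities()}
```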
To renumber PBRs by using the configuration utility
1. In the navigation pane, expand Network, and then click PBRs.
2. In the details pane, click Renumber Priority (s).
3.
By default, the states of content switching vservers are not updated. Therefore, these servers always remain up, which prevents RHI from working effectively for cs vservers. Use the nsapimgr knob to enable updating CS vserver states.
root@ns# nsapimgr -y -s csw_state_update=1
How do I save the config files? The write command from VTYSH saves only ZebOS.conf. Run the save config command from nscli to save both ns.conf and ZebOS.conf files.
If I have configured both a static default route and a dynamically learned default route, which is the preferred default route? The dynamically learned route is the preferred default route. This behavior is unique to default routes. However, in case of the Network Services Module (NSM), unless the administrative distances are modified, a statically configured route in the RIB is preferred over a dynamic route. The route that is downloaded to the NSM FIB is the static route.
How do I block the advertisement of default routes? After release 7.0, the default route is not injected into ZebOS. However, if you are working with 7.0 or an earlier release, you must apply a suitable route map in the redistribute kernel command for each protocol to block default route advertisement. For example:
ns(config)#access-list 1 deny 0.0.0.0
ns(config)#access-list 2 permit any
ns(config)#route-map redist-kernel permit 5
ns(config-route-map)#match ip address 1
ns(config)#route-map redist-kernel permit 10
ns(config-route-map)#match ip address 2
ns(config-route-map)#q
ns(config)#router ospf 1
ns(config-router)#redistribute kernel route-map redist-kernel
ns(config-router)#q
ns(config)#q
ns#show route-map
route-map redist-kernel, permit, sequence 5
  Match clauses:
    ip address 1
  Set clauses:
route-map redist-kernel, permit, sequence 10
  Match clauses:
    ip address 2
  Set clauses:
ns#show access-list
Standard IP access list 1
  deny 0.0.0.0
Standard IP access list 2
  permit any
ns#
How do I view the debug output of networking daemons? You can write debugging output from networking daemons to a file by entering the following log file command from the global configuration view in VTYSH:
ns(config)#log file /var/ZebOS.log
With release 8.1, you can direct debug output to the console by entering the terminal monitor command from VTYSH user view.
ns#terminal monitor
How do I collect cores of running daemons? You can use the gcore utility to collect cores of running daemons for processing by gdb. This might be helpful in debugging misbehaving daemons without bringing the whole routing operation to a standstill.
gcore [-s] [-c core] [executable] pid
The -s option temporarily stops the daemon while gathering the core image. This is a recommended option because it guarantees that the resulting image shows the core in a consistent state.
root@ns#gcore -s -c nsm.core /netscaler/nsm 342
How do I reload ZebOS.conf without rebooting the NetScaler? The recommended method is to reload the configuration on the NetScaler through a reboot. Do not reload the ZebOS.conf file without rebooting the NetScaler except in unavoidable circumstances. To reload the ZebOS.conf file, you must:
A. Kill all routing protocol daemons, such as nsm, ospfd, ripd, and bgpd.
B. Edit the ZebOS.conf file or copy the ZebOS.conf file, and create a new one.
C. Restart each daemon with the new config file.
How do I run a batch of ZebOS commands? You can run a batch of ZebOS commands from a file by entering the VTYSH -f <file-name> command. This does not replace the running configuration, but appends to it. However, by including commands to delete the existing configuration in the batch file and then add those for the new, desired configuration, you can use this mechanism to replace a specific configuration.
!
router bgp 234
 network 1.1.1.1 255.255.255.0
!
route-map bgp-out2 permit 10
 set metric 9900
 set community 8602:300
!
7. show ip ospf
8. show ns ip. This ensures that the details of all VIPs of interest are included.
9. Get the logs from peering devices and run the following command:
gcore -s -c xyz.core /netscaler/ospfd <pid>
Note: The gcore command is non-disruptive.
Collect additional information from the NetScaler as follows:
1. Enable logging of error messages by entering the following command from the global configuration view in VTYSH:
ns(config)#log file /var/ospf.log
2.
3.
Note: This command is not supported in NetScaler 9.2 nCore.
4. Enable debugging ospf events ifsm nfsm route and log them using the following command:
ns(config)#log file /var/ospf.log
Enable debug ospf lsa packet only if the number of LSAs in the database is relatively small (< 500).
CHAPTER 5
IP version 6
The NetScaler supports most, but not all, features of IPv6. You have to license the IPv6 feature before you can implement it. After setting up your basic configuration, you can configure neighbor discovery and router learning, and you can apply IPv6 support to various NetScaler features.
In This Chapter
IPv6 Features
Implementing IPv6 Support
Configuring Neighbor Discovery and Router Learning
Adding IPv6 Support to NetScaler Features
IPv6 Features
The NetScaler supports both server-side and client-side IPv6. This means that the NetScaler can function as an IPv6 node. It can accept connections from IPv6 nodes (both hosts and routers) and from IPv4 nodes. Depending on the configuration of your servers, the NetScaler can perform Protocol Translation (RFC 2765) before sending traffic to the services. The following table shows which IPv6 features the NetScaler supports. Supported and Unsupported IPv6 Features
Feature: Supported on NetScaler
IPv6 addresses for SNIPs (NSIP6, VIP6, and SNIP6): Yes
Neighbor Discovery (Address Resolution, Duplicate Address Detection, Neighbor Unreachability Detection, Router Discovery, PD): Yes
Management Applications (ping6, telnet6, ssh6): Yes
Static Routing and Dynamic Routing (OSPF): Yes
Port Based VLANs: Yes
Access Control Lists for IPv6 addresses (ACL6): Yes
IPv6 Protocols (TCP6, UDP6, ICMP6, FTP6): Yes
1. In the navigation pane, expand System and click Settings.
2. In the Settings page, under the Modes & Features group, click change advanced features.
3. In the Configure Advanced Features dialog box, do one of the following: To enable IPv6, select the IPv6 Protocol Translation check box.
4.
5.
Example
enable ns feature ipv6pt
disable ns feature ipv6pt
IPv6 Address
    Unique identification used to represent the NetScaler. IPv6 address. Mandatory parameter.
Scope
    Scope of the IPv6 address. Possible values: global and link-local. Default: global.
Type (type)
    Type of IPv6 address. Possible values: NSIP, SNIP, and VIP. Default: SNIP.
Mapped IP (map)
    Mapped IPv4 address for the IPv6 address. All incoming requests are translated into a form that is acceptable to the servers by modifying the host header information.
The following procedure includes an example for adding fe80::2c0:95ff:fec5:d9b8 as a link-local IPv6 address.
To add an IPv6 address using the configuration utility
1. In the navigation pane, expand Network and click IPs.
2. In the IPs page, on the IPV6s tab, click Add.
3. In the Create IP6 dialog box, in the IPv6 Address text box, type the IPv6 address that you want to configure (for example, fe80::2c0:95ff:fec5:d9b8).
4. In the Scope drop-down list box, select the scope of the IPv6 address (for example, link-local).
5. Click Create and click Close.
Example
add nsip6 fe80::2c0:95ff:fec5:d9b8 -scope link-local
The following procedure includes an example for adding a global IPv6 address (2002::50) with a specified prefix length (64). Note: You can configure only one link-local IPv6 address. The default link-local IPv6 address type is SNIP.
To add an IPv6 address with prefix length using the configuration utility
1. In the navigation pane, expand Network and click IPs.
2. In the IPs page, click the IPV6s tab and click Add.
3. In the Create IP6 dialog box, in the IPv6 Address text box, type the IPv6 address and prefix length that you want to configure (for example, 2002::50/64).
4. In the Scope drop-down list box, select the scope of the IPv6 address (for example, global).
5. In the Type drop-down list box, select the type of the IPv6 address (for example, NSIP).
6. Click Create and click Close.
To add an IPv6 address with prefix length using the NetScaler command line
Example
add nsip6 2002::50/64 -scope global -type NSIP
Telnet
    Telnet access to the IPv6 address. Possible values: Enabled and Disabled. Default: Enabled.
FTP (ftp)
    File Transfer Protocol (FTP) access to the IPv6 address. Possible values: Enabled and Disabled. Default: Enabled.
GUI (gui)
    Graphical User Interface (GUI) access to the IPv6 address. Possible values: Enabled, SECUREONLY, and Disabled. Default: Enabled.
SSH (ssh)
    Secure Shell (SSH) access to the IPv6 address. Possible values: Enabled and Disabled. Default: Enabled.
SNMP (snmp)
    Simple Network Management Protocol (SNMP) access to the IPv6 address. Possible values: Enabled and Disabled. Default: Enabled.
Management Access (mgmtAccess)
    External access to the IPv6 address. Possible values: Enabled and Disabled. Default: Disabled.
Dynamic Routing
    Enable dynamic routing on the IPv6 address. Possible values: Enabled and Disabled. Default: Disabled.
The following procedures include examples for modifying IPv6 address 2008:0:0:0:0:0:0:13/128 to enable management access control. These procedures do not affect the existing connections.
To modify a SNIP or NSIP IPv6 address using the configuration utility
1. In the navigation pane, expand Network and click IPs.
2. In the IPs page, click the IPV6s tab and select the IP address that you want to modify (for example, 2008:0:0:0:0:0:0:13/64).
3. Click Open.
4. In the Configure IPV6 dialog box, select the parameter or parameters to enable (for example, under Application Access Controls, select the Enable Management Access control to support the below listed applications check box, and then select the application(s) to enable).
5. Click OK.
Example
set ns ip6 2008:0:0:0:0:0:0:13/64 -mgmtAccess enabled
ICMP
    Use Internet Control Message Protocol (ICMP) to send error messages. The user network applications that use ICMP are ping and traceroute. Possible values: Enabled and Disabled. Default: Enabled.
Virtual Server (virtualServer)
    Vserver attribute of the IPv6 address. Possible values: Enabled and Disabled. Default: Enabled.
ND Responses (nd)
    Send neighbor discovery responses from this IPv6 address. Possible values: Enabled and Disabled. Default: Enabled.
Host Route (hostRoute)
    Advertising a route to this address. Possible values: Enabled and Disabled. Default: Disabled.
[name missing]
    IPv6 address of the network that is advertised as the route to connect the network to external networks such as the Internet. Default: 0
metric (metric)
    Value used by routing algorithms to compare performance of the route. The route with the lowest metric is the preferred route. Based on the routing protocol selected, a default value is assigned to the route. To change the default value, assign a value to this parameter. Possible values: +a to -z.
VIP RHI Controls
    Advertise the host route associated with the VIP when the specified vservers are UP. Possible values: ONE_VSERVER, ALL_VSERVERS, and NONE. Default: ONE_VSERVER.
OSPF6 Route Adv Type
    Route Advertisement type used by the OSPF6 protocol to discover and maintain neighbor relationships. Possible values: Intra_Area, External. Default: External.
OSPF Area ID (ospfArea)
    Logical collection of OSPF networks, routers, and links that are identified by an Area ID. Possible values: 0.
If Host Route is disabled, this route is not advertised. The following procedure includes an example for modifying VIP IPv6 address 2002:0:0:0:0:0:0:45/128 by enabling host route advertising and specifying OSPF advertising.
To modify a VIP IPv6 address using the configuration utility
1. In the navigation pane, expand Network and click IPs.
2. In the IPs page, click the IPV6s tab and select the VIP IPv6 address that you want to modify (for example, 2002:0:0:0:0:0:0:45/64).
3. Click Open.
4. In the Configure IPV6 dialog box, select or enter values for the parameters you want to set. For example, in the Host Route, VIP RHI Controls, and OSPF6 Route Adv Type list boxes, select the host route, VIP RHI controls, and OSPF6 route advertisement type (for example, enabled, ONE_VSERVER, External).
5. Click OK.
Example
set ns ip6 2002:0:0:0:0:0:0:45/64 -hostRoute enabled
To display a configured IPv6 address using the configuration utility
In the navigation pane, expand Networks and click IPs. The IPs page appears in the details pane. Click the IPV6s tab. The IPs page displays the configured IPv6 addresses, and for each address shows the state, scope, type, and mapped IP address. (To set a mapped IP address, see Host Header Modification, on page 184.)
To display a configured IPv6 address using the NetScaler command line
IPv6 Land-attacks
IPv6 Statistics
Statistic: Description
Zero fragment length received: Packets received with a fragment length of 0 bytes.
Use either of the following procedures to display IPv6 statistics, such as the number of IPv6 packets transmitted and received and the number of IPv6 bytes transmitted and received.
To display the IPv6 statistics using the configuration utility
1. In the navigation pane, expand Network and click IPs.
2. In the IPs page, click the IPV6s tab and select the IPv6 address for which you want to view statistics.
3. Click Statistics.
Neighbor Discovery
Neighbor discovery (ND) is one of the most important protocols of IPv6. It is a message-based protocol that combines the functionality of the Address Resolution Protocol (ARP), Internet Control Message Protocol (ICMP), and Router Discovery. ND allows nodes to advertise their link layer addresses and obtain the MAC addresses or link layer addresses of the neighboring nodes. This process is performed by the Neighbor Discovery protocol (ND6). Neighbor discovery can perform the following functions:
Router Discovery. Enables a host to discover the local routers on an attached link and automatically configure a default router.
Prefix Discovery. Enables the host to discover the network prefixes for local destinations.
Note: The NetScaler does not support IPv6 Redirect. To enable neighbor discovery, you must create entries for the neighbors.
Neighbor
    IPv6 neighbor entry. Mandatory.
MAC Address (mac)
    Unique address assigned to identify the network appliance. Mandatory.
Interface (ifnum)
    The interface on which the MAC resides. Mandatory.
VLAN (vlan)
    Virtual LAN (VLAN) that the neighbor is part of.
1. In the navigation pane, expand Network and click IPv6 Neighbor.
2. In the IPv6 Neighbors page, click Add.
3. In the Create IPv6 Neighbor dialog box, in the Neighbor and MAC Address text boxes, respectively, type the IPv6 address and MAC address of the neighbor (for example, 3ffe:100:100::1 and 00:d0:68:0b:58:da).
4. If the neighbor is part of a VLAN, in the VLAN field, type the VLAN ID (for example, 1).
5. In the Interface list box, select the interface of the neighbor (for example, LO/1).
6. Click Create, and click Close.
Example
add nd6 3ffe:100:100::1 00:d0:68:0b:58:da 1/3 -vlan 1
1. In the navigation pane, expand Network and click IPv6 Neighbor.
2. In the IPv6 Neighbors page, select the neighbor entry that you want to remove (for example, 3ffe:100:100::1).
3. Click Remove.
Example
rm nd6 3ffe:100:100::1 -vlan 1
Use either of the following procedures to clear the Neighbor Discovery (ND6) entries from the NetScaler.
To remove neighbor discovery entries using the configuration utility
1. In the navigation pane, expand Network and click IPv6 Neighbor.
2. The IPv6 Neighbors page appears in the details pane, displaying information about the Neighbors, MAC Address, VLAN, Interface, State, and Time parameters.
To view discovered neighbors using the NetScaler command line
Router Learning
The NetScaler can learn default routers from RA and RS messages. However, the NetScaler ignores other properties in RA messages, such as prefix list and MTU. Use either of the following procedures to enable router advertisement learning.
To enable router discovery learning using the configuration utility
1. In the navigation pane, click Network.
2. In the Network page, click the Router Advertisement Learning link.
3. In the Configure RA Learning dialog box, select the Enable Router Advertisement Learning check box.
4. Click OK.
Example
set ipv6 -ralearning enabled
You can also configure LB, CS, and CR vservers with IPv6 addresses, and you can create IPv6 VLANs. You can configure host header modification to send IPv6 requests to servers with IPv4 addresses, and VIP insertion to enable the servers to identify IPv6 vservers that send requests.
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2. In the Load Balancing Virtual Servers page, click Add. The Create Virtual Servers (Load Balancing) dialog box appears.
3. Select the IPv6 check box.
4. In the Name, Port, and IP Address text boxes, type the name, port, and IP address of the vserver (for example, vserver-LB-6, 80, and 2002::45/64).
5. In the Protocol drop-down list box, select the type of the vserver, for example, HTTP.
6. Click Create and click Close.
Example
add lb vserver vserver-LB-6 HTTP 2002::45/64 80
VLAN Support
If you need to send broadcast or multicast packets without identifying the VLAN (for example, during DAD for NSIP, or ND6 for the next hop of the route), you can configure the NetScaler to send the packet on all the interfaces with appropriate tagging. The VLAN is identified by ND6, and a data packet is sent only on the VLAN. For more information on ND6 and VLANs, see Adding IPv6 Neighbors. Port-based VLANs are common for IPv4 and IPv6. Prefix-based VLANs are supported for IPv6.
IPv6 sample topology
The following table summarizes the names and values of the entities that must be configured on the NetScaler.
Entity values to be configured on the NetScaler
Entity Type: Name: Value
LB Vserver: VS1_IPv6: 2002::9
Services: SVC1: 10.102.29.1
Services: SVC2: 10.102.29.2
The following figure shows the entities and values of the parameters to be configured on the NetScaler.
IPv6 Entity Diagram
To configure this deployment scenario, you need to do the following:
1. Create an IPv6 service
2. Create an IPv6 LB vserver
3. Bind the services to the vserver
The following procedure describes the steps to add two services, SVC1 and SVC2, of type HTTP.
To create the IPv4 services using the configuration utility
1. In the navigation pane, expand Load Balancing and click Services.
2. On the Services page, click Add.
3. In the Create Service dialog box, in the Service Name, Server, and Port text boxes, type the name, IP address, and port of the service (for example, SVC1, 10.102.29.1, and 80).
4. In the Protocol drop-down list box, select the type of the service (for example, HTTP).
5. Click Create and click Close.
6. Repeat Steps 1-5 to create a service SVC2 with IP address 10.102.29.2 and port 80.
Example
add service SVC1 10.102.29.1 HTTP 80
add service SVC2 10.102.29.2 HTTP 80
You can use either of the following procedures to add an IPv6 vserver named VS1_IPv6 of type HTTP, with an IP address of 2002::9.
To create the IPv6 vserver using the configuration utility
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2. In the Load Balancing Virtual Servers page, click Add.
3. In the Create Virtual Servers (Load Balancing) dialog box, select the IPv6 check box.
4. In the Name, Port, and IP Addresses text boxes, type the name, port, and IP address of the vserver (for example, VS1_IPv6, 80, and 2002::9).
5. Click Create and click Close.
Example
add lb vserver VS1_IPv6 HTTP 2002::9 80
Use either of the following procedures to bind the services to the vserver.
To bind a service to an LB vserver using the configuration utility
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2. In the Load Balancing Virtual Servers page, select the vserver to which you want to bind the service (for example, VS1_IPv6).
3. Click Open.
4. In the Configure Virtual Server (Load Balancing) dialog box, on the Services tab, select the Active check box corresponding to the service that you want to bind to the vserver (for example, SVC1).
5. Click OK.
6. Repeat Steps 1-4 to bind the other service (for example, SVC2) to the vserver.
Example
bind lb vserver VS1_IPv6 SVC1
The vservers receive IPv6 packets and the NetScaler performs Protocol Translation (RFC 2765) before sending traffic to the IPv4-based services.
1. In the navigation pane, expand Networks and click IPs.
2. In the IPs page, click the IPV6s tab and select the IP address for which you want to configure a mapped IP address (for example, 2002:0:0:0:0:0:0:9).
3. Click Open.
4. In the Configure IP6 dialog box, in the Mapped IP text box, type the mapped IP address that you want to configure (for example, 200.200.200.200).
5. Click OK.
To change the IPv6 address in the host header to an IPv4 address using the NetScaler command line
Example
set ns ip6 2002::9 -map 200.200.200.200
VIP Insertion
If an IPv6 address is sent to an IPv4-based server, the server may not understand the IP address in the HTTP header, and may generate an error. To avoid this, you can map an IPv4 address to the IPv6 VIP and enable VIP insertion. The following procedures include examples for mapping IPv4 address 200.200.200.200 to VIP 2002::9.
To configure a mapped IPv6 address using the configuration utility
1. In the navigation pane, expand Networks and click IPs.
2. In the IPs page, click the IPV6s tab and select the IP address for which you want to configure a mapped IP address (for example, 2002:0:0:0:0:0:0:9).
3. Click Open.
4. In the Configure IP6 dialog box, in the Mapped IP text box, type the mapped IP address that you want to configure (for example, 200.200.200.200).
5. Click OK.
Example
set ns ip6 2002::9 -map 200.200.200.200
Use either of the following procedures to enable insertion of an IPv4 VIP address and port number in the HTTP requests sent to the servers.
To enable VIP insertion using the configuration utility
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2. In the Load Balancing Virtual Servers page, select the vserver for which you want to enable port insertion (for example, VS1_IPv6).
3. Click Open.
4. In the Configure Virtual Server (Load Balancing) dialog box, click the Advanced tab.
5. In the Vserver IP Port Insertion drop-down list box, select VIPADDR.
6. In the Vserver IP Port Insertion text box, type the vip header.
Example
set lb vserver VS1_IPv6 -insertVserverIPPort ON
CHAPTER 6
High Availability
This chapter describes how High Availability (HA) works in a NetScaler deployment to ensure uninterrupted operation in any transaction. It tells you about the prerequisites of an HA setup, and also how to configure an HA setup in NetScaler and later customize it. You can also improve the reliability of an HA setup by configuring virtual MAC addresses, link redundancy, and route monitors. You can configure the state of a node such that the primary is forced to stay as primary or the secondary is forced to stay as secondary. Also, learn how to troubleshoot HA issues that you may encounter after setting up the NetScaler HA pair.

In This Chapter
How High Availability Works
Considerations for a High Availability Setup
Configuring High Availability
Customizing a High Availability Setup
Configuring Virtual MAC Addresses
Improving the Reliability of a High Availability Setup
Configuring the State of a Node
Troubleshooting High Availability Issues
The secondary node monitors the primary by sending periodic messages (often called heartbeat messages or health checks) to determine whether the primary node is accepting connections. If a health check fails, the secondary node retries the connection for a specified period, after which it determines that the primary node is not functioning normally. The secondary node then takes over for the primary (a process called failover). After a failover, all clients must reestablish their connections to the managed servers, but the session persistence rules are maintained as they were before the failover. With Web server logging persistence enabled, no log data is lost due to the failover. For logging persistence to be enabled, the log server configuration must carry entries for both systems in the log.conf file. The following figure shows a network configuration with an HA pair.
The primary and the secondary systems must each be configured with their own unique NetScaler IPs (NSIPs). In an HA pair, the node ID and associated IP address of one node must point to the other node. For example, if you have nodes NS1 and NS2, you must configure NS1 with a unique node ID and the IP address of NS2, and you must configure NS2 with a unique node ID and the IP address of NS1.
If you create a configuration file on either node using a method other than the GUI or the CLI (for example, SSL certificates, or changes to startup scripts), you must copy the configuration file to the other node or create an identical file on that node.
Initially, all NetScaler appliances are configured with the same RPC node password. RPC nodes are internal system entities used for system-to-system communication of configuration and session information. Because every appliance ships with the same default, for security you should change the default RPC node password on each appliance. One RPC node exists on each NetScaler. This node stores the password, which is checked against the password provided by the contacting system. In order to communicate with other systems, each NetScaler requires knowledge of those systems, including how to authenticate on those systems. RPC nodes maintain this information, which includes the IP addresses of the other systems and the passwords they require for authentication. RPC nodes are implicitly created when adding a node or adding a Global Server Load Balancing (GSLB) site. You cannot create or delete RPC nodes manually.
Note: If the NetScaler appliances in a high availability setup are configured in one-arm mode, you must disable all system interfaces except the one connected to the switch or hub.
To configure a NetScaler HA pair over IPv6, install the IPv6PT license on both NetScaler appliances. After installing the IPv6PT license, enable the IPv6 feature by using the configuration utility or the NetScaler command line. Both NetScaler appliances require a global NSIP IPv6 address. In addition, network entities (for example, switches and routers) between the two nodes must support IPv6 for proper configuration.
Two NetScalers connected in a High Availability configuration
In the figure, nodes NS1 and NS2 are on the same subnet. To configure high availability, you must configure one NetScaler as the primary and the other as the secondary node. You need to perform the following procedures:
Add a node
Disable HA monitoring for unused interfaces
Verify the configuration
Adding a Node
This section describes how to add a node in an HA setup. The new node is identified by a unique ID and its NSIP. The maximum number of node IDs for systems in a high availability setup is 64.
Note: To ensure that each node in the High Availability configuration has the same settings, you should synchronize your SSL certificates, startup scripts, and other configuration files with those on the primary node.
To add a node, use the parameters described in the following table.
Parameter     Specifies
Node ID       Unique number that identifies the node to be added. Possible values: 1 to 64.
IP Address    IP Address of the node to be added.
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. Click Add.
4. In the High Availability Setup dialog box, in the Remote Node IP Address text box, type an IP Address (for example, 10.102.29.170). If you want to configure HA over IPv6, select the IPv6 check box and enter the NSIP IPv6 address of the peer node (for example, 1000:0000:0000:0000:0005:0600:700a:888b).
5. Select or clear the Configure remote system to participate in High Availability setup check box based on whether you want to add the local node to the peer node. By default, this check box is selected.
6. Select the Turn off HA monitor on interfaces/channels that are down check box to disable the HA monitor on interfaces that are down. By default, this check box is selected.
7. Click Ok and click Close.
Example
add HA node 3 10.102.29.170
add HA node 3 1000:0000:0000:0000:0005:0600:700a:888b
Example
set interface 1/3 -haMonitor OFF
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab. The Nodes page displays the primary and the secondary nodes.
Disabling a Node
You can disable only a secondary node. When you disable a secondary node, it stops sending heartbeat messages to the primary node, and the primary node therefore can no longer check the status of the secondary.
To disable a node using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. On the Nodes page, select the secondary node and click Open.
4. In the Configure Node dialog box, under High Availability Status, select the DISABLED (Do not participate in HA) option.
5. Click OK.
Example
set HA node -hastatus DISABLED
Enabling a Node
When you enable a node, the node takes part in the high availability configuration. You can enable only a secondary node.
To enable a node using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. On the Nodes page, select the secondary node and click Open.
4. In the Configure Node dialog box, under High Availability Status, select the ENABLED (Actively participates in HA) option.
5. Click OK, and click Close.
Removing a Node
If you remove a node, the nodes are no longer in high availability configuration.
To remove a node using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. On the Nodes page, select the node that you want to remove.
4. In the Remove dialog box, click Yes.
Example
rm ha node 3
Note: You can use the Network Visualizer to view the NetScaler appliances that are configured as a high availability (HA) pair and perform high availability configuration tasks. For more information, see Network Visualizer, on page 86.
Dead Interval
To set the hello and dead intervals using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. On the Nodes page, select the node for which you want to change the hello interval and click Open.
4. In the Configure dialog box, under Intervals, in the Hello Interval (msecs) text box, type the interval (for example, 400).
5. In the Dead Interval (secs) text box, type the interval (for example, 6).
6. Click OK.
To set the hello and dead intervals using the NetScaler command line
Example
set HA node -helloInterval 400 -deadInterval 6
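The hello and dead intervals together decide how long the secondary tolerates lost heartbeats before it concludes that the primary is not functioning and takes over (the health-check behaviour described at the start of this chapter). The following Python model is an added example, not part of this guide or of the NetScaler software: it uses the 400 ms hello interval and 6 s dead interval from the example above, replays a constructed list of hello arrival times, and reports when failover would be declared. The function names, the requirement that the dead interval exceed one hello period, and the sample timelines are assumptions made for this example.

```python
"""Timing model for the HA hello/dead intervals (added example, not Citrix code).

The 400 ms / 6 s values are the ones used in this section; the functions,
the interval check and the timelines are constructed for the example."""

HELLO_INTERVAL_MS = 400   # value from the section's example
DEAD_INTERVAL_S = 6       # value from the section's example


def check_intervals(hello_ms, dead_s):
    """Return the dead interval in ms after checking the pair makes sense.

    Assumption made for this model (not a documented NetScaler rule): a dead
    interval that is not longer than one hello period would declare the peer
    dead after a single lost message, so such a pair is rejected."""
    dead_ms = dead_s * 1000
    if hello_ms <= 0 or dead_ms <= hello_ms:
        raise ValueError("dead interval must be longer than the hello interval")
    return dead_ms


def tolerated_missed_hellos(hello_ms=HELLO_INTERVAL_MS, dead_s=DEAD_INTERVAL_S):
    """Consecutive hello messages that can be lost before the secondary
    declares the primary NOT_UP: whole hello periods in the dead interval."""
    return check_intervals(hello_ms, dead_s) // hello_ms


def failover_time(hello_arrivals_ms, end_ms,
                  hello_ms=HELLO_INTERVAL_MS, dead_s=DEAD_INTERVAL_S):
    """Replay hello arrival times (ms since the start of observation) as seen
    by the secondary and return the time at which it would conclude that the
    primary is down (no hello for a full dead interval), or None if that never
    happens before end_ms."""
    dead_ms = check_intervals(hello_ms, dead_s)
    arrivals = sorted(hello_arrivals_ms)
    last_seen = 0          # start of the window counts as the last known-good point
    idx = 0
    # Evaluate once per hello period, the granularity at which the secondary
    # expects the next message.
    for now in range(0, end_ms + 1, hello_ms):
        while idx < len(arrivals) and arrivals[idx] <= now:
            last_seen = arrivals[idx]
            idx += 1
        if now - last_seen >= dead_ms:
            return now
    return None


# Constructed scenario: hellos every 400 ms for two seconds, then silence
# (for instance, the primary's heartbeat link went down).
HEALTHY_THEN_SILENT = list(range(0, 2001, HELLO_INTERVAL_MS))
# Constructed scenario: the primary keeps sending for the whole window.
HEALTHY = list(range(0, 10001, HELLO_INTERVAL_MS))

if __name__ == "__main__":
    print("missed hellos tolerated:", tolerated_missed_hellos())
    print("silent primary, failover declared at ms:",
          failover_time(HEALTHY_THEN_SILENT, 10000))
    print("healthy primary, failover declared at ms:",
          failover_time(HEALTHY, 10000))
```

With these values the secondary misses fifteen consecutive hellos before it acts, so the dead interval is also the longest outage clients see before the secondary takes over; shortening it speeds up failover but makes the pair more sensitive to transient loss on the heartbeat path.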
Configuring Synchronization
Synchronization is a process of duplicating the configuration of the primary node on the secondary node. The purpose of synchronization is to ensure that there is no loss of configuration information between the primary and the secondary nodes, regardless of the number of failovers that occur. Synchronization uses port 3010. Synchronization is triggered by the following circumstances:
The secondary node in an HA setup comes up after a restart.
The primary node becomes secondary after a failover.
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. On the Nodes page, select the local node and click Open.
4. In the Configure dialog box, under HA Synchronization, clear the Secondary node will fetch the configuration from Primary option.
5. Click OK and then click Close.
Note: To enable HA synchronization, in step 4 above, you must select Secondary node will fetch the configuration from Primary.
Example
set HA node -haSync ENABLED
set HA node -haSync DISABLED
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. On the Nodes page, click Force Synchronization.
If synchronization occurs while you are disabling propagation, any configuration-related changes that you make before the disabling of propagation takes effect are synchronized with the secondary node. This is also true when propagation is disabled while synchronization is in progress.
To disable or enable command propagation using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. On the Nodes page, select the local node and click Open.
4. In the Configure Node dialog box, under HA Propagation, clear the Primary node will propagate configuration to the Secondary option.
5. Click OK.
Note: To enable command propagation, in Step 4 you must select the Primary node will propagate configuration to the Secondary option.
Example
set HA node -haProp ENABLED
set HA node -haProp DISABLED
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. Click Force Failover.
4. In the Warning dialog box, click Yes.
To force the primary node to fail over using the NetScaler command line
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. Click Force Failover.
4. In the Warning dialog box, click Yes.
To force the secondary node to fail over using the NetScaler command line
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. Click Force Failover.
4. In the Warning dialog box, click Yes.
To force failover when nodes are in listen mode using the NetScaler command line
The following table shows some of the fail-safe cases. The NOT_UP state means that the node failed the health check yet it is partially available. The UP state means that the node passed the health check.

Fail-safe mode cases

Node A (Secondary) Health State | Node B (Primary) Health State | Default HA Behavior | Fail-Safe Enabled HA Behavior | Description
NOT_UP (failed last) | NOT_UP (failed first) | A (Secondary), B (Secondary) | A (Primary), B (Secondary) | If both nodes fail, one after the other, the node that was the last primary remains primary.
NOT_UP (failed first) | NOT_UP (failed last) | A(S), B(S) | A(S), B(P) | If both nodes fail, one after the other, the node that was the last primary remains primary.
UP | UP | A (Primary), B (Secondary) | A(P), B(S) | If both nodes pass the health check, no change in behavior with fail-safe enabled.
UP | NOT_UP | A(P), B(S) | A(P), B(S) | If only the secondary node fails, no change in behavior with fail-safe enabled.
NOT_UP | UP | A(S), B(P) | A(S), B(P) | If only the primary fails, no change in behavior with fail-safe enabled.
NOT_UP | UP (STAYSECONDARY) | A(S), B(S) | A(P), B(S) | If the secondary is configured as STAYSECONDARY, the primary remains primary even if it fails.
Example
set ha node -failsafe ON
1. In the navigation pane, expand System, and then click High Availability.
2. In the details pane, on the Nodes tab, select the local node, and then click Open.
3. In the Configure Node dialog box, under Fail-Safe Mode, select the Maintain one Primary node even when both nodes are unhealthy check box.
4. Click OK.
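The rules in the Description column of the fail-safe table can be written down as a small decision function, which makes the difference between default and fail-safe behavior easy to check. The following Python model is an added example, not code from this guide or from the NetScaler software: it encodes those rules (both nodes failing one after the other, a single node failing, and a secondary configured as STAYSECONDARY) and replays the six rows of the table against them. Node, ha_roles, fmt and replay_table are names chosen for this example, and the last_primary argument is an assumption that stands in for "the node that failed last".

```python
"""Decision model for HA fail-safe mode (added example, not Citrix code).

Encodes the rules stated in the fail-safe table's Description column and
replays the table's six rows against them."""
from dataclasses import dataclass

UP, NOT_UP = "UP", "NOT_UP"
P, S = "P", "S"                 # primary / secondary, as abbreviated in the table


@dataclass
class Node:
    name: str
    health: str                  # UP or NOT_UP, the health-check result
    role: str                    # role held before this health-check round
    stay_secondary: bool = False  # node configured as STAYSECONDARY


def ha_roles(a, b, failsafe, last_primary=None):
    """Return the roles {name: 'P' or 'S'} after a health-check round.

    last_primary (assumed input for this model) names the node that most
    recently held the primary role; it matters only when both nodes are
    NOT_UP, where it stands for the node that failed last."""
    if a.role == b.role:
        raise ValueError("exactly one node must be primary")
    primary, secondary = (a, b) if a.role == P else (b, a)
    roles = {a.name: a.role, b.name: b.role}

    if a.health == NOT_UP and b.health == NOT_UP:
        # Both failed: default HA leaves no primary; fail-safe keeps the
        # last primary serving traffic.
        roles = {a.name: S, b.name: S}
        if failsafe:
            if last_primary not in roles:
                raise ValueError("last_primary must name one of the nodes")
            roles[last_primary] = P
        return roles

    if primary.health == NOT_UP:
        if secondary.stay_secondary:
            # The secondary will not take over. Default: the failed primary
            # steps down and nobody is primary. Fail-safe: it stays primary.
            roles[primary.name] = P if failsafe else S
        else:
            # Ordinary failover: the secondary becomes primary.
            roles[primary.name], roles[secondary.name] = S, P
    # A healthy primary keeps its role whether or not the secondary is up.
    return roles


def fmt(roles, a_name="A", b_name="B"):
    """Render roles the way the table does, e.g. 'A(S), B(P)'."""
    return f"{a_name}({roles[a_name]}), {b_name}({roles[b_name]})"


# The six table rows: (node A, node B, last primary, default, fail-safe).
TABLE_ROWS = [
    (Node("A", NOT_UP, S), Node("B", NOT_UP, P), "A", "A(S), B(S)", "A(P), B(S)"),
    (Node("A", NOT_UP, S), Node("B", NOT_UP, P), "B", "A(S), B(S)", "A(S), B(P)"),
    (Node("A", UP, P), Node("B", UP, S), None, "A(P), B(S)", "A(P), B(S)"),
    (Node("A", UP, P), Node("B", NOT_UP, S), None, "A(P), B(S)", "A(P), B(S)"),
    (Node("A", NOT_UP, P), Node("B", UP, S), None, "A(S), B(P)", "A(S), B(P)"),
    (Node("A", NOT_UP, P), Node("B", UP, S, stay_secondary=True), None,
     "A(S), B(S)", "A(P), B(S)"),
]


def replay_table():
    """Run every row through the model; return the rows whose outcome differs."""
    mismatches = []
    for a, b, last, want_default, want_failsafe in TABLE_ROWS:
        got_default = fmt(ha_roles(a, b, failsafe=False, last_primary=last))
        got_failsafe = fmt(ha_roles(a, b, failsafe=True, last_primary=last))
        if (got_default, got_failsafe) != (want_default, want_failsafe):
            mismatches.append((a, b, got_default, got_failsafe))
    return mismatches


if __name__ == "__main__":
    for a, b, last, *_ in TABLE_ROWS:
        print(f"A={a.health:7} B={b.health:7} default={fmt(ha_roles(a, b, False, last))}"
              f"  failsafe={fmt(ha_roles(a, b, True, last))}")
    print("mismatches against the table:", replay_table())
```

The model makes the operational trade-off visible: fail-safe mode keeps a degraded node answering rather than leaving the pair with no primary, so a node that has failed its health check may keep serving until it is repaired or the peer recovers.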
This section covers the following procedures:
Adding a Virtual MAC Address
Binding Interfaces to the VMAC
Verifying the VMAC Configuration
Managing VMACs
Adding a VMAC
The scenario described in this section illustrates the configuration of a VMAC on a standalone system with a VRID value of 100. To add a virtual MAC, use the parameters in the following table.
Parameter          Specifies
Virtual Router ID  The VRID that identifies the VMAC. Possible values: 1 to 255.
Interface Number   The interface number (slot/port notation) to be bound to the VMAC.
1. In the navigation pane, expand Network and click VMAC.
2. On the VMAC page, click Add.
3. In the Add VMAC dialog box, in the Virtual Router ID text box, type a number (for example, 100).
4. Click Create.
Example
add vrID 100
To bind an interface to a VMAC, use the parameters listed in the following table.
Parameter          Specifies
Virtual Router ID  The VRID that identifies the VMAC. Possible values: 1 to 255.
Interface Name     The interface number (slot/port notation) to be bound to the VMAC.
1. In the navigation pane, expand Network and click VMAC.
2. On the VMAC page, click Open.
3. In the Configure VMAC dialog box, select the desired interfaces (for example, 1/1, 1/2, and 1/3) from the Available Interfaces table and click Add.
4. Click OK.
Example
bind vrid 100 -ifnum 1/1 1/2 1/3
1. In the navigation pane, expand Network and click VMAC.
2. Examine the settings on the VMAC page.
To verify the interfaces bound to the VMAC using the configuration utility
1. In the navigation pane, expand Network and click VMAC.
2. On the VMAC page, select a virtual router ID (for example, 100) and examine the settings displayed at the bottom of the page.
To view the interfaces bound to the VMAC using the NetScaler command line
At the NetScaler command prompt, type the following command and examine the output:
sh vrID id
Example
sh vrID 100
Managing VMACs
This section describes procedures for unbinding the interfaces from a VMAC and deleting the created VMAC from the system.
To unbind interfaces from a VMAC using the configuration utility
1. In the navigation pane, expand Network and click VMAC.
2. On the VMAC page, select a virtual router ID (for example, 100), and click Open.
3. In the Modify VMAC dialog box, under Configured Interfaces, select the interfaces that you want to unbind from the VMAC (for example, 1/2 and 1/3).
4. Click Remove.
5. Click OK.
Example
unbind vrID 100 1/2 1/3
1. In the navigation pane, expand Network and click VMAC.
2. On the VMAC page, select the virtual router ID that you want to remove (for example, 100).
3. Click Remove.
4. In the Remove dialog box, click Yes.
To remove a VMAC using the NetScaler command line
Example
rm vrid 100
Adding a VMAC6
The scenario described in this section illustrates the configuration of a VMAC6 on a standalone NetScaler with a VRID value of 100. To add a virtual MAC, use the parameters in the following table.
Parameter          Specifies
Virtual Router ID  The VRID that identifies the VMAC6. Possible values: 1 to 255.
Interface Number   The interface number (slot/port notation) to be bound to the VMAC6.
1. In the navigation pane, expand Network, and then click VMAC.
2. On the VMAC6 tab, click Add.
3. In the Add VMAC6 dialog box, in the Virtual Router ID text box, type a number (for example, 100).
4. Click Create.
Example
add vrID6 100
1. In the navigation pane, expand Network, and then click VMAC.
2. In the details pane, on the VMAC6 tab, click the virtual router ID that you want to bind to an interface, and then click Open.
3. In the Configure VMAC6 dialog box, select the desired interfaces (for example, 1/1, 1/2, and 1/3) from the Available Interfaces table, and then click Add.
4. Click OK.
Example
bind vrid 100 -ifnum 1/1 1/2 1/3
To verify VMAC6 configurations using the configuration utility
1. In the navigation pane, expand Network, and then click VMAC.
2. In the details pane, on the VMAC6 tab, examine the settings.
To verify the interfaces bound to the VMAC6 using the configuration utility
1. In the navigation pane, expand Network, and then click VMAC.
2. In the details pane, on the VMAC6 tab, select a virtual router ID (for example, 100), and then examine the settings displayed at the bottom of the page.
To verify the interfaces bound to the VMAC6 using the NetScaler command line
Example
sh vrID6 100
1. In the navigation pane, expand Network, and then click VMAC.
2. In the details pane, on the VMAC6 tab, select a virtual router ID (for example, 100), and click Open.
3. In the Modify VMAC6 dialog box, under Configured Interfaces, select the interfaces that you want to unbind from the VMAC6 (for example, 1/2 and 1/3).
4. Click Remove.
5. Click OK.
Example
unbind vrID6 100 1/2 1/3
1. In the navigation pane, expand Network, and then click VMAC.
2. In the details pane, on the VMAC6 tab, select the virtual router ID that you want to remove (for example, 100), and then click Remove.
Example
rm vrid6 100
The following figure shows an HA deployment with the two systems located in different subnets:
High Availability over a routed network
In the figure, the systems NS1 and NS2 are connected to two separate routers, R3 and R4, on two different subnets. The systems exchange heartbeat packets through the routers. This configuration could be expanded to accommodate deployments involving any number of interfaces.
Note: If you use static routing on your network, you must add static routes between all the systems to ensure that heartbeat packets are sent and received successfully. (If you use dynamic routing on your systems, static routes are unnecessary.)
If the nodes in an HA pair reside on two separate networks, the secondary node must have an independent network configuration. This means that nodes on different networks cannot share entities such as MIPs, SNIPs, VLANs, and routes. This type of configuration, where the nodes in an HA pair have different configurable parameters, is known as Independent Network Configuration (INC) or Symmetric Network Configuration (SNC). The following table describes the parameters that you must set on each node in an INC.
Configurable Parameters   Behavior
IPs (NSIP/MIP/SNIPs)      Node-specific. Active only on that unit.
                          Floating.
                          Node-specific. Active only on that unit.
                          Node-specific. Active only on that unit. LLB route is floating.
                          Floating (Common). Active on both units.
                          Node-specific. Active only on that unit. The secondary node should also run the routing protocols and peer with upstream routers.
                          Floating (Common). Active on both units.
                          Floating (Common). Active on both units.
                          Node-specific. RNAT with VIP, because NATIP is floating.
When two nodes of an HA pair reside on different subnets, each node must have a different network configuration. Therefore, to configure two independent systems to function as an HA pair, you must specify an INC mode during the configuration process. To specify an INC mode, perform the following tasks:
Add a node with the -inc option enabled.
Disable HA monitoring for unused interfaces.
Adding a Node
This section describes the procedure to add a node in a different subnet than the local node, using the parameters listed in the following table.
Parameter     Specifies
Node ID       Unique number that identifies the node to be added. Possible values: 1 to 64.
IP Address    IP Address of the node to be added.
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. Click Add.
4. In the High Availability Setup dialog box, in the Remote Node IP Address text box, type an IP Address (for example, 10.102.29.170).
5. Select or clear the Configure remote system to participate in High Availability setup check box based on whether you want to add the local node to the peer node. By default, this check box is selected.
6. Select the Turn off HA monitor on interfaces/channels that are down check box to disable the HA monitor on interfaces that are down. By default, this check box is selected.
7. Select or clear the Turn off INC (Independent Network Configuration) mode on self mode check box based on whether your nodes are on the same subnet or different subnets. By default, this check box is not selected.
8. Click Ok and click Close.
Example
add HA node 3 10.102.29.170 -inc ENABLED
Example
set interface 1/3 -haMonitor OFF
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Failover Interface Set tab.
3. On the Failover Interface Set page, click Add.
4. In the Create FIS dialog box, in the Name text box, type a name for the FIS to be created (for example, FIS1).
5. Click Create.
Example
add fis FIS1
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Failover Interface Set tab.
3. On the Failover Interface Set page, select a FIS, and then click Open.
4. In the Configure FIS dialog box, select interfaces under Available Interfaces and click Add.
Example
bind fis FIS1 1/1 1/2 1/3
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Failover Interface Set tab.
Example
sh fis FIS1
To unbind interfaces from the FIS, use either of the following procedures.
To unbind an interface from a FIS using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Failover Interface Set tab.
3. On the Failover Interface Set page, select the FIS from which you want to unbind interfaces and click Open.
4. In the Configure FIS dialog box, in the Configured Interfaces table, select the interface you want to unbind from the FIS, and click Remove.
5. Click OK.
Example
unbind fis FIS1 1/1 1/2
Removing a FIS
The following sample procedure describes the steps to remove a FIS that you have created. Once the FIS is removed, its interfaces become CIs.
To remove a Failover Interface Set, use the parameter in the following table.
Parameter   Specifies
FIS Name    Name of the FIS that is to be removed.
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Failover Interface Set tab.
3. On the Failover Interface Set page, select the FIS that you want to remove (for example, FIS1) and click Remove.
4. In the Remove dialog box, click Yes.
Example
rm fis FIS1
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Route Monitors tab.
3. On the Route Monitors page, click Configure.
4. In the Bind / Unbind Route Monitor(s) dialog box, in the Network text box, do one of the following:
   For an IPv4 network, type an IPv4 network address (for example, 10.102.29.30) and, in the Netmask text box, type a subnet mask (for example, 255.255.255.0).
   For an IPv6 network, select the IPv6 check box and type an IPv6 network address (for example, 1000:0000:0000:0000:0005:0600:700a:888b).
5. Click Add. The Route Monitor is added and appears in the Configured Route Monitors table.
6. Click OK.
Note: When a route monitor is not bound to a node, the HA state (primary or secondary) of the node is determined solely by the state of the interfaces.
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Route Monitors tab.
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Route Monitors tab.
3. On the Route Monitors page, click Configure.
4. In the Bind / Unbind Route Monitor(s) dialog box, under Configured Route Monitors, select a route monitor to remove and click Remove.
To force the secondary node to stay secondary using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, click the Nodes tab.
3. On the Nodes page, click Open.
4. In the Configure dialog box, under High Availability Status, select STAY SECONDARY.
5. Click OK.
To force the secondary node to stay secondary using the NetScaler command line
Example
set node -hastatus STAYSECONDARY
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. On the Nodes page, select a node, and then click Open.
4. In the Configure Node dialog box, under High Availability Status, select STAY PRIMARY.
5. Click OK.
To force the primary node to stay primary using the NetScaler command line
Example
set node -hastatus STAYPRIMARY
1. Exit from the CLI to FreeBSD by typing the following command and pressing the Enter key:
> shell
2. Copy the latest backup file to /nsconfig/ns.conf, using the following command:
# cp `ls -t /nsconfig/ns.conf.? | head -1` /nsconfig/ns.conf
If you perform a configuration using the NSConfig utility, it is not propagated. If you create a configuration using NSConfig, you must repeat the configuration steps separately for each node in an HA pair.