NS Networking Guide

Citrix NetScaler Networking Guide
Citrix NetScaler 9.2.e
Copyright and Trademark Notice CITRIX SYSTEMS, INC., 2010. ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK (SUCH AS TRANSLATION, TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC. ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL. CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED. The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radiofrequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. Modifying the equipment without Citrix' written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense. You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler Request Switch 9000 Series equipment. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures: Move the NetScaler equipment to one side or the other of your equipment. Move the NetScaler equipment farther away from your equipment. Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses.) Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your authority to operate the product. BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, WANScaler, Citrix XenApp, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation. NetScape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks or trademarks of their respective holders. Software covered by the following third party copyrights may be included with this product and will also be subject to the software license agreement: Copyright 1998 Carnegie Mellon University. All rights reserved. Copyright David L. Mills 1993, 1994. Copyright 1992, 1993, 1994, 1997 Henry Spencer. Copyright Jean-loup Gailly and Mark Adler. Copyright 1999, 2000 by Jef Poskanzer. All rights reserved. Copyright Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves. All rights reserved. Copyright 1982, 1985, 1986, 1988-1991, 1993 Regents of the University of California. All rights reserved. Copyright 1995 Tatu Ylonen, Espoo, Finland. All rights reserved. Copyright UNIX System Laboratories, Inc. Copyright 2001 Mark R V Murray. Copyright 1995-1998 Eric Young. Copyright 1995,1996,1997,1998. Lars Fenneberg. Copyright 1992. Livingston Enterprises, Inc. Copyright 1992, 1993, 1994, 1995. The Regents of the University of Michigan and Merit Network, Inc. Copyright 1991-2, RSA Data Security, Inc. Created 1991. Copyright 1998 Juniper Networks, Inc. All rights reserved. Copyright 2001, 2002 Networks Associates Technology, Inc. All rights reserved. Copyright (c) 2002 Networks Associates Technology, Inc. Copyright 19992001 The Open LDAP Foundation. All Rights Reserved. Copyright 1999 Andrzej Bialecki. All rights reserved. Copyright 2000 The Apache Software Foundation. All rights reserved. Copyright (C) 2001-2003 Robert A. van Engelen, Genivia inc. All Rights Reserved. Copyright (c) 1997-2004 University of Cambridge. All rights reserved. Copyright (c) 1995. David Greenman. Copyright (c) 2001 Jonathan Lemon. All rights reserved. Copyright (c) 1997, 1998, 1999. Bill Paul. All rights reserved. Copyright (c) 1994-1997 Matt Thomas. All rights reserved. Copyright 2000 Jason L. Wright. Copyright 2000 Theo de Raadt. Copyright 2001 Patrik Lindergren. All rights reserved. Last Updated: July 2010
C ONTENTS
Preface
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i New in This Release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ii Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii Formatting Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iv Related Documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iv Getting Service and Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .v Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .v
Chapter 1
IP Addressing
Configuring NetScaler-Owned IP Addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1 NetScaler IP Address (NSIP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2 Virtual IP Address (VIP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 Subnet IP Address (SNIP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5 Mapped IP Address (MIP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 GSLB Site IP Address (GSLBIP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 Creating NetScaler-Owned IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 Proxying Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13 Selecting the Destination IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14 Selecting the Source IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14 Enabling the Use Source IP Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15 Configuring Modes of Packet Forwarding. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17 Enabling and Disabling Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19 Network Address Translation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19 Inbound Network Address Translation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20 Reverse Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25 Configuring Static ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32 IP Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35 NetScaler as an Encapsulator (Load Balancing with DSR mode) . . . . . . . . . . .36 NetScaler as a Decapsulator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Chapter 2
Interfaces
MAC-Based Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44 Enabling and Disabling MAC-based Forwarding . . . . . . . . . . . . . . . . . . . . . . .44 Configuring Network Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46 Managing Network Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48 Configuring VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51 Applying Rules to Classify Frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53 VLANs and Packet Forwarding on the NetScaler . . . . . . . . . . . . . . . . . . . . . . .54
iv
Configuring Bridge Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65 Adding a Bridge Group and Binding VLANs and IP Subnets. . . . . . . . . . . . . .65 Verifying the Bridge Group Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . .66 Unbinding VLANs and IP Subnets from a Bridge Group . . . . . . . . . . . . . . . . .66 Removing a Bridge Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67 Configuring Link Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68 Configuring Link Aggregation Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68 Configuring the Link Aggregate Channel Protocol . . . . . . . . . . . . . . . . . . . . . .72 Verifying the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74 Configuring VMACs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75 Configuring the Bridge Table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75 Enabling or Disabling Path MTU Behavior. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77 Configuring NetScaler Appliances in Active-Active Mode using VRRP . . . . . . .78 Configuring Active-Active Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81 A Deployment Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85 Network Visualizer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Chapter 3
Access Control Lists (ACLs)

ACL Precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92 Configuring Simple ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92 Creating Simple ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93 Removing Simple ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94 Verifying or Troubleshooting the Configuration . . . . . . . . . . . . . . . . . . . . . . . .95 Monitoring Simple ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95 Configuring Extended ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96 Creating a Basic Extended ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97 Applying an Extended ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98 Removing Extended ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98 Enabling and Disabling Extended ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99 Renumbering ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100 Modifying Extended ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100 Configuring Access Control List (ACL) Logging . . . . . . . . . . . . . . . . . . . . . .102 Verifying the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104 Monitoring the Extended ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104 Configuring RNAT by Using Extended ACLs. . . . . . . . . . . . . . . . . . . . . . . . .105 Configuring ACL6s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Chapter 4
IP Routing
Contents
Configuring Dynamic Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117 Routing Tables in the NetScaler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118 High Availability Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119 Interfaces for Configuring Dynamic Routing. . . . . . . . . . . . . . . . . . . . . . . . . .120 Using RIP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120 Using OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123 Using BGP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127 Using IPv6 RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132 Using IPv6 OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136 Installing Routes . . . . . . . . . . . . . . . . . . . . . . to the NetScaler Routing Table140 Configuring Route Health Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142 Enabling RHI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142 Limiting Host Route Advertising for VIPs. . . . . . . . . . . . . . . . . . . . . . . . . . . .143 Advertising Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144 Displaying Routes Learned Through Dynamic Routing Protocols . . . . . . . . .145 Configuring Static Routes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145 Monitored Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146 Weighted Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147 Null Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147 Customizing a Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .150 Removing a Static Route. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151 Configuring IPv6 Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152 Configuring Policy Based Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155 Creating a PBR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156 Applying a PBR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .157 Removing PBRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158 Enabling and Disabling PBRs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158 Modifying PBRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159 Renumbering PBRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160 Troubleshooting Routing Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161 Generic Routing FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161 Troubleshooting OSPF Specific Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Chapter 5
IP version 6
IPv6 Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167
vi
Implementing IPv6 Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168 Enabling or Disabling IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168 Adding an IPv6 Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169 Customizing SNIP and NSIP IPv6 Addresses . . . . . . . . . . . . . . . . . . . . . . . . .171 Customizing VIP IPv6 Addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172 Verifying the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173 Monitoring the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174 Configuring Neighbor Discovery and Router Learning . . . . . . . . . . . . . . . . . . . .175 Neighbor Discovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175 Router Learning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178 Adding IPv6 Support to NetScaler Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179 Adding an IPv6 Vserver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179 VLAN Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180 Simple Deployment Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180 Host Header Modification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184 VIP Insertion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185
Chapter 6
High Availability
How High Availability Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187 Considerations for a High Availability Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . .188 Configuring High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190 Configuring a Basic High Availability Setup . . . . . . . . . . . . . . . . . . . . . . . . . .190 Modifying an Existing HA Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192 Customizing a High Availability Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194 Configuring the Communication Intervals . . . . . . . . . . . . . . . . . . . . . . . . . . . .195 Configuring Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .196 Configuring Command Propagation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197 Forcing a Node to Fail Over . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198 Configuring Virtual MAC Addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202 Configuring IPv4 VMACs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202 Configuring IPv6 VMACs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206 Improving the Reliability of a High Availability Setup. . . . . . . . . . . . . . . . . . . . .209 Configuring High Availability Nodes in Different Subnets. . . . . . . . . . . . . . .209 Configuring Link Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213 Configuring Route Monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216 High Availability Health Check Computation . . . . . . . . . . . . . . . . . . . . . . . . .218 Configuring the State of a Node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219 Forcing the Secondary Node to Stay Secondary . . . . . . . . . . . . . . . . . . . . . . .219 Forcing the Primary Node to Stay Primary. . . . . . . . . . . . . . . . . . . . . . . . . . . .220 Troubleshooting High Availability Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221
P REFACE
Preface
Before you begin to configure the networking features, take a few minutes to review this chapter and learn about related documentation, other support options, and ways to send us feedback. In This Preface About This Guide New in This Release Audience Formatting Conventions Related Documentation Getting Service and Support Documentation Feedback
About This Guide

The Citrix NetScaler Networking Guide describes how to configure the various networking components on the NetScaler. This guide provides the following information: Chapter 1, IP Addressing. Describes the NetScaler-owned IP addresses and explains how to create, customize, and remove them. Chapter 2, Interfaces. Describes some of the basic network configurations required for getting started and how to implement them. Chapter 3, Access Control Lists (ACLs). Describes the different types of Access Control Lists and how to create, customize, and remove them. Chapter 4, IP Routing. Describes the routing functionality of the NetScaler, both static and dynamic, and route health injection. Includes configuration procedures.
ii
Chapter 5, IP version 6. Describes NetScaler support for IPv6 and how to implement it. Chapter 6, High Availability. Describes how High Availability (HA) works in a NetScaler deployment to ensure uninterrupted operation in any transaction. Includes configuration instructions.
New in This Release

NetScaler nCore Technology uses multiple CPU cores for packet handling and greatly improves the performance of many NetScaler features. Release 9.2 adds nCore support for many additional features, including load balancing and virtual private networks (VPNs). For a summary of the new features and remaining unsupported nCore features, see the Citrix NetScaler 9.2 Release Notes. In NetScaler 9.2, the following new features are also supported: Active-Active using VRRP. Now NetScaler appliances can be deployed in active-active mode. An active-active deployment, in addition to preventing downtime, makes efficient use of all the NetScaler appliances in the deployment. In active-active deployment mode, the same VIPs are configured on all NetScaler appliances in the configuration, but with different priorities, so that a given VIP can be active on only one appliance at a time. For more information, see Configuring NetScaler Appliances in Active-Active Mode using VRRP, on page 78. Bridge Groups. This feature is used to combine two or more VLANs that have been configured on a NetScaler. For more information, see Configuring Bridge Groups, on page 65. Policy Based Routing. This bases routing decisions on criteria that you specify. A policy based route (PBR) specifies criteria for selecting packets and a next hop to which to send the selected packets. For more information, see Configuring Policy Based Routes, on page 155. IPv6 VMACs. The NetScaler has been enhanced to support IPv6 VMAC. With this, you can bind any interface to IPv6 VMAC regardless of whether or not IPv4 VMAC is bound to the interface. Any IPv6 packet going out of this interface uses the IPv6 VMAC bound to that interface. For more information, see Configuring IPv6 VMACs, on page 206. Fail Safe. In a high availability (HA) setup, a new mode called fail-safe has been introduced to ensure that one node will always be primary if both nodes fail the health check. For more information, see Configuring FailSafe Mode, on page 200.
Preface
iii
IPv6 OSPF. The NetScaler is enhanced to support Open Shortest Path First (OSPF) Version 3 dynamic routing protocol. This protocol supports IPv6 route exchanges.For more information, see Using IPv6 OSPF, on page 136. IPv6 RIP. The NetScaler is enhanced to support the Routing Information Protocol next generation (RIPng) dynamic routing protocol. This protocol supports IPv6 route exchanges. For more information, see Using IPv6 RIP, on page 132. IPv6 support in BGP. The Border Gateway Protocol (BGP) dynamic routing protocol is enhanced to support IPv6 addresses. For more information, see Using BGP, on page 127. Monitored IPv6 Static Routes. NetScaler supports monitoring of IPv6 static routes. You can configure the NetScaler to monitor a IPv6 static route either by creating a new ND6 or PING monitor or by using existing ND6 or PING monitors. For more information, see Monitored Static Routes, on page 146 and Adding an IPv6 Route, on page 152. Route Monitor for IPv6 Network. In a high availability (HA) configuration in INC mode, a route monitor can now be configured for an IPv6 network. For more information, see Configuring Route Monitors, on page 216. Network Visualizer. The NetScaler configuration utility now includes the Network Visualizer. You can use this tool to view the network configuration of a NetScaler deployment and configure interfaces, channels, VLANs, and bridge groups. You can also view the NetScaler appliances that are configured as a high availability (HA) pair and perform high availability configuration tasks. For more information, see Network Visualizer, on page 86.
For a summary of the new features and remaining unsupported features, see the Citrix NetScaler 9.2 Release Notes.
Audience
This guide is intended for the following audience: Hardware Technicians System and Network Administrators
The concepts and tasks described in this guide require you to have a basic understanding of networking concepts such as Layer2 and Layer 3 modes, routing, and interfaces.
iv
Formatting Conventions
This documentation uses the following formatting conventions. Formatting Conventions
Convention Boldface Italics Meaning Information that you type exactly as shown (user input); elements in the user interface. Placeholders for information or parameters that you provide. For example, FileName in a command means you type the actual name of a file. Also, new terms, and words referred to as words (which would otherwise be enclosed in quotation marks). System output or characters in a command line. User input and placeholders also are formatted using monspace text. Optional items in command statements. For example, in the following command, [-range positiveInteger] means that you have the option of entering a range, but it is not required:
add lb vserver name serviceType IPAddress port [-range positiveInteger]
Monospace
[ brackets ]
Do not type the brackets themselves. | (vertical bar) A separator between options in braces or brackets in command statements. For example, the following indicates that you choose one of the following load balancing methods:
lbMethod = ( ROUNDROBIN | LEASTCONNECTION | LEASTRESPONSETIME | URLHASH | DOMAINHASH | DESTINATIONIPHASH | SOURCEIPHASH | SRCIPDESTIPHASH | LEASTBANDWIDTH | LEASTPACKETS | TOKEN | SRCIPSRCPORTHASH | LRTM | CALLIDHASH | CUSTOMLOAD )
Related Documentation
A complete set of documentation is available on the Documentation tab of your NetScaler and from http://support.citrix.com/. (Most of the documents require Adobe Reader, available at http://adobe.com/.)
To view the documentation
1. 2.
From a Web browser, log on to the NetScaler. Click the Documentation tab.
Preface
3.
To view a short description of each document, hover your cursor over the title. To open a document, click the title.
Getting Service and Support

Citrix offers a variety of resources for support with your Citrix environment, including the following: The Knowledge Center is a self-service, Web-based technical support database that contains thousands of technical solutions, including access to the latest hotfixes, service packs, and security bulletins. Technical Support Programs for both software support and appliance maintenance are available at a variety of support levels. The Subscription Advantage program is a one-year membership that gives you an easy way to stay current with the latest product version upgrades and enhancements. Citrix Education provides official training and certification programs on virtually all Citrix products and technologies.
For detailed information about Citrix services and support, see the Citrix Systems Support Web site at http://www.citrix.com/lang/English/support.asp. You can also participate in and follow technical discussions offered by the experts on various Citrix products at the following sites: http://community.citrix.com http://twitter.com/citrixsupport
Documentation Feedback
You are encouraged to provide feedback and suggestions so that we can enhance the documentation. You can send email to the following alias or aliases, as appropriate. In the subject line, specify Documentation Feedback. Be sure to include the document name, page number, and product release version. For NetScaler documentation, send email to nsdocs_feedback@citrix.com. For Command Center documentation, send email to ccdocs_feedback@citrix.com. For Access Gateway documentation, send email to agdocs_feedback@citrix.com.
vi
You can also provide feedback from the Knowledge Center at http:// support.citrix.com/.
To provide feedback from the Knowledge Center home page
1. 2.
Go to the Knowledge Center home page at http://support.citrix.com/. On the Knowledge Center home page, under Products, expand NetScaler, and then click the Netscaler release for which you want to provide feedback. On the Documentation tab, click the guide name, and then click Article Feedback. On the Documentation Feedback page, complete the form, and then click Submit.
3. 4.
C HAPTER 1
IP Addressing
Before you can configure the NetScaler, you must assign the NetScaler IP Address (NSIP), also known as the Management IP address. You can also create other NetScaler-owned IP addresses for abstracting servers and establishing connections with the servers. In this type of configuration, the NetScaler serves as a proxy for the abstracted servers. You can also proxy connections by using network address translations (INAT and RNAT). When proxying connections, the NetScaler can behave either as a bridging (Layer 2) device or as a packet forwarding (Layer 3) device. To make packet forwarding more efficient, you can configure static ARP entries. In This Chapter Configuring NetScaler-Owned IP Addresses Proxying Connections Configuring Modes of Packet Forwarding Network Address Translation Configuring Static ARP IP Tunneling
Configuring NetScaler-Owned IP Addresses

The NetScaler-owned IP AddressesNetScaler IP Address (NSIP), Virtual IP Addresses (VIPs), Subnet IP Addresses (SNIPs), Mapped IP Addresses (MIPs), and Global Server Load Balancing Site IP Addresses (GSLBIPs)exist only on the NetScaler. The NSIP uniquely identifies the NetScaler on your network, and it provides access to the appliance. A VIP is a public IP address to which a client sends requests. The NetScaler terminates the client connection at the VIP and initiates a connection with a server. This new connection uses a SNIP or a MIP as the source IP address for packets forwarded to the server. If you have multiple data centers that are geographically distributed, each data center can be identified by a unique GSLBIP.
NetScaler IP Address (NSIP)

The NetScaler IP (NSIP) address is the IP address at which you access the NetScaler for management purposes. The NetScaler can have only one NSIP, which is also called the Management IP address. You must add this IP address when you configure the NetScaler for the first time. If you modify this address, you must reboot the NetScaler. You cannot remove an NSIP address. For Security reasons, NSIP should be a non-routable IP address on your organization's LAN. Note: Configuring the NetScaler IP address is mandatory.
Creating the NetScaler IP Address (NSIP)

Use either of the following procedures to set the NSIP.
To configure the NetScaler IP address using the configuration utility
1. 2. 3. 4.
In the navigation pane, click NetScaler. On the System Overview page, click Setup Wizard. In the Setup Wizard dialog box, click Next. On the IP Addresses page, under System IP Address Configuration, in the IP Address, Netmask, and Host Name text boxes, type the IP address, subnet mask, and the host name, respectively (for example, 10.102.29.170, 255.255.255.0, and NS170). Follow the instructions in the Setup Wizard to complete the configuration.
5.
To configure the NetScaler IP address using the NetScaler command line
At the NetScaler command prompt, type:

set ns config -ipaddress IPAddress -netmask Subnetmask
Example
set ns config -ipaddress 10.102.29.170 -netmask 255.255.255.0
Note: With an IPv6 address configured as NSIP in NetScaler running on 8.1 release, when upgrading from release 8.1 to 9.2 the NSIP changes to SNIP.
Chapter 1
IP Addressing
Virtual IP Address (VIP)

Configuration of a Virtual Server IP address (VIP) is not mandatory during initial configuration of the NetScaler. When you configure load balancing, you assign VIPs to virtual servers. For more information about configuring the load balancing setup, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing. In some situations, you need to customize VIP attributes or enable/disable a VIP. You can host the same vserver on multiple NetScalers residing on the same broadcast domain by using ARP and ICMP attributes.
Customizing the Attributes of a VIP

A VIP is usually associated with a vserver, and some of the attributes of the VIP are customized to meet the requirements of the vserver. After you add a VIP (or any IP address), the NetScaler sends, then responds to, ARP requests. To control the response of a NetScaler to a PING request on a NetScaler-owned IP address, you must control the ICMP attribute of a VIP. The following table describes the parameters that can be customized for a VIP. Parameters for Customizing a VIP
Parameter ARP
(arp)
Specifies Use Address Resolution Protocol (ARP) to map IP addresses to the corresponding hardware addresses. Possible values: Enabled and Disabled. Default: Enabled. Send Internet Control Message Protocol (ICMP) messages. The user network applications that use ICMP are PING and TRACEROUTE. Possible values: Enabled and Disabled. Default Enabled. Apply the vserver attribute to this IP entity. Possible values: Enabled and Disabled. Default: Enabled. State of the VIP. Possible values: Enabled and Disabled. Default: Enabled. Advertise a route for this IP address. Possible values: Enabled and Disabled. Default: Disabled. IP address of the network advertised as the gateway to connect to external networks such as the Internet.
ICMP
(icmp)
Virtual Server
(vServer)
State (state) Host Route (hostRoute) Gateway IP

(hostRtGw)
Parameters for Customizing a VIP

Parameter Metric
(metric)
Specifies Value used by routing algorithms to compare performance of this route to others. Route with lowest metric is the preferred route. Default value depends on the routing protocol. To change default, set this parameter. Possible values: -16777215 to 2147483647. When the host route associated with the VIP is advertised. Possible values: ONE_VSERVER, ALL_VSERVERS, and NONE. Default: ONE_SERVER. Type of Link State Advertisement (LSA) used by OSPF protocol to discover and maintain neighbor relationships. Possible values: Type 1 or Type 5. Default: Disabled. Logical collection of OSPF networks, routers, and links is an Area. Areas are identified by an Area ID. Possible values: 0 to 4294967295. Default: 1.
V Server RHI Level

(vserverRHILevel)
OSPF LSA Type

(ospfLSAType)
Area
(ospfArea)
To enable or disable ARP using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click IPs. In the details pane, on the IPv4s tab, select the IP address that you want to modify (for example, 10.102.29.5), and then click Open. In the Configure IP dialog box, under Options, do one of the following: To disable ARP, clear the ARP check box. To enable ARP, check the ARP check box.
4.
Click OK.
To enable or disable ARP using the NetScaler command line

set ns ip IPAddres -ARP Value
Examples
set ns ip 10.102.29.54 -ARP disable set ns ip 10.102.29.54 -ARP enable
Enabling and Disabling a VIP

VIPs are the only NetScaler-owned IP addresses that can be disabled. When a VIP is disabled, the virtual server using it goes down and does not respond to ARP, ICMP, and L4 service requests. Use either of the following procedures to disable an IP address of type virtual IP (VIP).
Chapter 1
IP Addressing
To enable or disable an IP address using the configuration utility
1. 2.
In the navigation pane, expand Network and click IPs. In the details pane, on the IPv4s tab, select the IP address (for example, 10.102.29.5) and do one of the following: To enable the selected IP address, click Enable. To disable the selected IP address, click Disable.
To enable or disable an IP address using the NetScaler command line

enable ns ip IPAddress disable ns ip IPAddress
Example
enable ns ip 10.102.29.5 disable ns ip 10.102.29.5
Subnet IP Address (SNIP)

A subnet IP address (SNIP) is used in connection management and server monitoring. It is not mandatory to specify a SNIP when you initially configure the NetScaler. In a multiple-subnet scenario, the NSIP, the mapped IP address (MIP), and the IP address of a server can exist on different subnets. To eliminate the need to configure additional routes on devices such as servers, you can configure subnet IP addresses (SNIPs) on the NetScaler. In Use SNIP (USNIP) mode, a SNIP is the source IP address of a packet sent from the NetScaler to the server, and the SNIP is the IP address that the server uses to access the NetScaler. This mode is enabled by default. When you add a SNIP, a route corresponding to the SNIP is added to the routing table. The NetScaler determines the next hop for a service from the routing table, and if the IP address of the hop is within the range of a SNIP, the NetScaler uses the SNIP to source traffic to the service. When multiple SNIPs cover the IP addresses of the next hops, the SNIPs are used in round robin manner. Note: When you add a service having an IPv6 address, the service remains in the UP state even if you do not enable the USNIP mode. This is because the concept of MIP IPv6 addresses does not exist in NetScaler and therefore, the NetScaler looks for SNIP IPv6 addresses irrespective of the state of the USNIP mode.
The following diagram illustrates USNIP mode.
USNIP mode Use the following procedure to enable or disable the Use SNIP mode.
To enable or disable USNIP using the configuration utility
1. 2. 3.
In the navigation pane, expand System and click Settings. In the details pane, in the Modes and Features group, click Change modes. In the Configure Modes dialog box, do one of the following: To enable USNIP, select the Use Subnet IP check box. To disable USNIP, clear the Use Subnet IP check box.
4. 5.
Click OK. In the Enable/Disable Feature(s)? dialog box, click Yes.
To enable or disable use SNIP using the NetScaler command line

enable ns mode mode disable ns mode mode
Example
enable ns mode usnip disable ns mode usnip
Chapter 1
IP Addressing
Mapped IP Address (MIP)

Mapped IP addresses (MIP) are used for external connections from the NetScaler. A MIP can be considered a default Subnet IP address (SNIP) when a SNIP cannot be used. MIPs and SNIPs are used for external connections from the NetScaler. But MIPs are used for server-side connections when the USNIP address option is globally disabled on the NetScaler. If the mapped IP address is the first in the subnet, the NetScaler adds a route entry, with this IP address as the gateway to reach the subnet. You can create or delete a MIP during runtime without rebooting the NetScaler.
GSLB Site IP Address (GSLBIP)

The GSLB site IP address is the IP address associated with a GSLB site. It is not mandatory to specify this IP address when you initially configure the NetScaler. It can be used only when you create a GSLB site. For more information on creating a GSLB site IP address, see the Citrix NetScaler Traffic Management Guide, Chapter 8, Global Server Load Balancing.
Creating NetScaler-Owned IP Addresses

Most users create VIPs, SNIPs, and MIPs by setting only the required parameters, and later complete their configuration by modifying the characteristics of these addresses. The following table describes the parameters used to create an IP address. Basic Parameters for creating an IP Address
Parameter IP Address Netmask Type
(type)
Specifies Unique identification used to represent an entity. This is a mandatory parameter. Subnet mask associated with the IP address. This is a mandatory parameter. Type of the IP address. Possible values: SNIP, VIP, MIP, and GSLBsiteIP. Default: SNIP. You cannot use this procedure to configure the NSIP. For the procedure to configure the NSIP, see Creating the NetScaler IP Address (NSIP), on page 2.
Use either of the following procedures to create a NetScaler-owned IP address.

To configure an IP address using the configuration utility
1.
In the navigation pane, expand Network and click IPs.
2. 3.
In the details pane, click Add. In the Create IP dialog box, in the IP Address and Netmask text boxes, type the IP address and subnet mask, respectively (for example, 10.102.29.54 and 255.255.255.0). Under IP Type, select the type of IP address to be created. Click Create and click Close. The subnet IP address you created appears in the IPs page.
4. 5.
To add an IP address using the NetScaler command line

add ns ip IPaddress Subnetmask -type Type
Example
add ns ip 10.102.29.54 255.255.255.0 -type SNIP
Removing an IP Address
You can remove any IP address except the NSIP. The following table provides information on the processes you must follow to remove the various types of IP addresses. Removing an IP Address
IP address type Subnet IP address (SNIP) Implications If IP address being removed is the last IP address in the subnet, the associated route from the route table is deleted. If IP address being removed is the gateway in the corresponding route entry, the gateway for that subnet route is changed to another NetScaler-owned IP address. If a SNIP exists, you can remove the MIPs. NetScaler uses NSIP and SNIPs to communicate with the servers when the MIP is removed. Therefore, you must also enable Use SNIP. For information on enabling and disabling Use SNIP, see To configure an IP address using the configuration utility, on page 7. Before removing a VIP, you must first remove the vserver associated with it. For information on removing the vserver, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing. Before removing a GSLB site IP address, you must remove the site associated with it. For information on removing the site, see the Citrix NetScaler Traffic Management Guide, Chapter 8, Global Server Load Balancing.
Mapped IP address (MIP)
Virtual Server IP address (VIP)
GSLB-Site-IP address
Chapter 1
IP Addressing
Use either of the following procedures to remove a MIP, GSLBIP, SNIP, or VIP. (Before removing a VIP, remove the associated virtual server.)
To remove an IP address using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click IPs. On the IPs page, on the IPv4s tab, select the IP address that you want to remove (for example, 10.102.29.54), and then click Remove. In the Remove dialog box, click Yes.
To remove an IP address using the NetScaler command line

rm ns ip IPaddress
Example
rm ns ip 10.102.29.54
Customizing Access to IP Addresses

Application Access Controls, also known as Management Access control, form a unified mechanism for managing user authentication and implementing rules that determine user access to applications and data. You can configure management access to MIPs and SNIPs. Management access for the NSIP is enabled by default and cannot be disabled. You can, however, control it by using ACLs. For information about using ACLs, see Chapter 3, Access Control Lists (ACLs). The NetScaler does not support management access to VIPs. The following table provides a summary of the interaction between management access and specific service settings for Telnet.
Management access Enable Enable Disable Disable
Telnet (state configured on Telnet (effective state at the IP the NetScaler) level) Enable Disable Enable Disable Enable Disable Disable Disable
10
The following table provides an overview of the IP addresses used as source IP addresses in outbound traffic.
Application/ IP ARP Server side traffic RNAT ICMP PING Dynamic Routing
NSIP Yes No No Yes Yes
MIP Yes Yes Yes Yes No
SNIP Yes Yes Yes Yes Yes
VIP No No Yes No Yes
The following table provides an overview of the applications available on these IP addresses.
Application/ IP SNMP System Access
NSIP Yes Yes
MIP Yes Yes
SNIP Yes Yes
VIP No No
You can access and manage the NetScaler by using applications such as Telnet, SSH, GUI, and FTP. Note: Telnet and FTP are disabled on the NetScaler for security reasons. To enable them, contact the customer support. After the applications are enabled, you can apply the controls at the IP level. The following table lists and describes the parameters used for customizing the SNIP and MIP addresses on your NetScaler. Parameters for customizing a SNIP and MIP Address
Parameter Telnet
(telnet)
Specifies Allow Telnet access to the IP address. Possible values: ENABLED and DISABLED. Default: ENABLED. Allow File Transfer Protocol (FTP) access to the IP address. Possible values: ENABLED and DISABLED. Default: ENABLED. Allow Graphical User Interface (GUI) access to the IP address. Possible values: ENABLED, SECUREONLY, and DISABLED. Default: ENABLED.
FTP
(ftp)
GUI
(gui)
Chapter 1
IP Addressing
11
Parameters for customizing a SNIP and MIP Address

Parameter SSH
(ssh)
Specifies Allow Secure Shell (SSH) access to the IP address. Possible values: ENABLED and DISABLED. Default: ENABLED. Allow Simple Network Management Protocol (SNMP) access to the IP address. Possible values: ENABLED and DISABLED. Default: ENABLED. Allow external access to the IP address. Possible values: ENABLED or DISABLED. Default: DISABLED. Allow dynamic routing on the IP address. Specific to SNIP. Possible values: Enabled or Disabled. Default: Disabled. Block access to non-management applications on this IP. This options is applicable for MIPs, SNIPs, and NSIP and is disabled by default. Non-management applications may run on the underlying NetScaler Free BSD operating system. Possible values: ENABLED and DISABLED. Default: DISABLED.
SNMP
(snmp)
Management Access
(mgmtAccess)
Dynamic Routing
(dynamicRouting )
Allow access only to management applications (restrictAccess)
To configure the NetScaler to respond to these applications using a specific IP address, you need to enable the specific management applications. If you disable management access for an IP address, existing connections that use the IP address are not terminated. However, if you close the session, you cannot initiate a connection. Also, the non-management applications running on the underlying FreeBSD operating system are open to protocol attacks, and these applications do not take advantage of the attack prevention capabilities of the NetScaler. You can block access to these non-management applications on a MIP, SNIP, and NSIP. When access is blocked, a user connecting to a NetScaler using a MIP, SNIP, or NSIP will not be able to access the non-management applications running on the underlying operating system.
To enable management access for an IP address using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click IPs. On the IPs page, select the IP address that you want to modify (for example, 10.102.29.54), and then click Open. In the Configure IP dialog box, under Application Access Control, select the Enable Management Access control to support the below listed applications check box.
12
4. 5. 6.
Select the application or applications that you want to enable. To block access to non-management applications on this IP address, select the Allow access only to management applications check box. click OK.
To enable management access for an IP address using the NetScaler command line

set ns ip IPAddress -mgmtAccess value -telnet value -ftp value -gui value -ssh value -snmp value -restrictAccess ENABLED | DISABLED
Example
set ns ip 10.102.29.54 -mgmtAccess enabled -restrictAccess ENABLED
Verifying the Configuration

You can display IP address properties to troubleshoot any fault in the configuration. You can display some of the properties in a list of all the IP addresses, and you can display details of individual addresses.
Displaying properties in a list of IP addresses

To display a list of your configured IP addresses, with some of their properties, use either of the following procedures.
To display all the configured IP addresses using the configuration utility
In the navigation pane, expand Network and click IPs. The IPs page appears in the details pane, listing the available IP addresses and some of their properties.
To display all the IP addresses using the NetScaler command line

sh ns ip
Displaying details of an individual IP Address

To display detailed information about an individual IP address, use either of the following procedures.
To display detailed properties of an IP address using the configuration utility
1. 2.
In the navigation pane, expand Network and click IPs. On the IPs page, verify that the configured IP address (for example, 10.102.29.5) appears.
Chapter 1
IP Addressing
13
3.
Select the IP address. Information about the address appears in the details pane.
To view the IP addresses using the NetScaler command line

sh ns ip 10.102.29.5
Proxying Connections
When a client initiates a connection, the NetScaler terminates the client connection, initiates a connection to an appropriate server, and sends the packet to the server. The NetScaler does not perform this action for service type UDP or ANY. For more information about service types, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing. You can configure the NetScaler to process the packet before initiating the connection with a server. The default behavior of the NetScaler is to change the source and destination IP addresses of a packet before sending the packet to the server. You can configure the NetScaler to retain the source IP address of the packets by enabling Use Source IP mode.
14
Selecting the Destination IP Address

Traffic arriving at the NetScaler can be bound to a virtual server (vserver) or to a service. The NetScaler handles traffic to vservers and services differently. The NetScaler terminates traffic bound to vservers and changes the vserver IP address (VIP) to the IP address of the server before forwarding the traffic to the server, as shown in the following diagram.
Proxying Connections to VIPs Packets bound to a service are sent directly to the appropriate server, and the NetScaler does not modify the destination IP addresses.
Selecting the Source IP Address

The mapped IP address (MIP), source IP address (SIP), or subnet IP address (SNIP) will be used as the source IP address to establish a connection with a server. By default, the NetScaler terminates traffic bound to vservers and configured services. Then, it changes the source IP address of the packet to the MIP or SNIP and sends the packet to the appropriate server. This default behavior is illustrated in the diagram Proxying Connections to VIPs, on page 14.
Chapter 1
IP Addressing
15
Enabling the Use Source IP Mode

Many e-commerce applications that use web server logging require that the original client IP addresses be recorded in the Web server logs. The NetScaler can forward the source IP address of the client to the server without masking it, to ensure that the client IP address appears in the logs. The Use Source IP mode (USIP) accommodates such applications. If you enable USIP mode, the NetScaler forwards each packet to the appropriate server without changing the source IP address, as shown in the following diagram.
USIP Mode When USIP mode is enabled for HTTP protocols, the NetScaler provides limited connection reuse, WAN latency, and denial of service (SYN) attack prevention benefits. When USIP mode is disabled, the NetScaler uses mapped IP addresses and subnet IP addresses to establish server-side connections. USIP mode has the following restrictions: One-arm installations. You should not enable USIP mode if you install the NetScaler in a logical one-arm configuration, because in a one-arm configuration the NetScaler cannot bypass its own processing and send
16
responses directly to the client. If the IP address of the default gateway for a service is one of the NetScaler-owned IP addresses, the traffic continues to flow through the NetScaler and the response is also processed correctly. Concurrent HTTP connection limit. For HTTP protocols, USIP mode supports up to 64,000 concurrent connections. If concurrent HTTP connections between the NetScaler and servers are expected to exceed 64,000, you must disable USIP or contact customer support for the method to override this behavior. The concurrent connection limit applies only to HTTP. It does not affect other services types, for example, TCP, UDP, and FTP. Delay when disabling USIP. Disabling USIP mode does not affect the existing connections. This delay avoids outages on long-lived connections. Performance Impact on HTTP traffic. USIP mode prevents use of the same HTTP connection for multiple clients, and therefore can result in a large number of connections to the server. Furthermore, idle server connections can block connections for other clients. Therefore, you need to carefully set limits on the number of connections to services. Citrix suggests that you set the HTTP server time-out values on your services to a value lower than the default, so that idle client connections are cleared quickly on the server side. For more information about setting an idle timeout value, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing. Also, with USIP enabled, you must configure persistence (for example, source IP persistence) to ensure repeated selection of the same server and reuse of the client connection. Because TCP handles the traffic on a one-to-one basis, the USIP option does not affect TCP services. Note: Citrix does not recommend the use of Surge Protection (SP) with USIP. By default, USIP mode is disabled. You can enable or disable it globally or for a specific service. The setting for a specific service overrides the global setting. A newly created service inherits the global setting by default. To enable or disable USIP mode for a specific service, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing. To enable or disable USIP mode globally, use either of the following procedures.
To globally enable or disable USIP mode using the configuration utility
1. 2.
In the navigation pane, expand System and click Settings. On the Settings page, under Modes and Features, click Change modes.
Chapter 1
IP Addressing
17
3.
In the Configure Modes dialog box, do one of the following: To enable Use Source IP mode, select the Use Source IP check box. To disable Use Source IP mode, clear the Use Source IP check box.
4. 5.
To globally enable or disable USIP mode using the NetScaler command line
At the NetScaler command prompt, type one of the following commands:

Examples
enable ns mode USIP disable ns mode USIP
Note: Services that are created before you enable USIP mode globally do not inherit the global settings. For these services, you need to enable the USIP mode at the service level. To enable or disable USIP mode for a specific service, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing.
Configuring Modes of Packet Forwarding

You can enable Layer 2 mode to bridge packets that are not destined for the MAC address of the NetScaler. Layer 3 mode routes packets that are not destined for NetScaler-owned IP addresses, unless you disable it.
18
With Layer 2 mode enabled, packets that are not destined for the NetScaler MAC address are bridged or processed, as shown in the following diagram.
Interaction between the Layer 2 and Layer 3 modes By default, Layer 2 mode is disabled causing the NetScaler to drop packets that are not destined for its MAC address. If another Layer 2 device is installed in parallel with the NetScaler, Layer 2 mode must be disabled to prevent bridging (Layer 2) loops. By default, Layer 3 mode is enabled. The NetScaler performs a route table lookup and forwards packets that are not destined to any NetScaler-owned IP address. If you disable Layer 3 mode, the NetScaler drops received packets if they are not destined for a NetScaler-owned IP address, as shown in the diagram, Interaction between the Layer 2 and Layer 3 modes, on page 18. To enable or disable the Layer 2 mode or Layer 3 mode, use either of the following procedures.
Chapter 1
IP Addressing
19
Enabling and Disabling Modes

To enable or disable the Layer 2 mode or Layer 3 mode using the configuration utility
1. 2. 3.
In the navigation pane, expand System and click Settings. On the Settings page, under Modes and Features, click Change modes. In the Configure Modes dialog box, do one of the following: To enable Layer 2 mode, select the Layer 2 Mode check box. To disable Layer 2 mode, clear the Layer 2 Mode check box. To enable Layer 3 mode, select the Layer 3 Mode check box. To disable Layer 3 mode, clear the Layer 3 Mode check box.
4. 5.
Click OK. In the Enable/Disable Mode(s)? dialog box, click Yes.
To enable or disable the Layer 2 mode or Layer 3 mode using the NetScaler command line

Examples
enable ns mode l2 disable ns mode l2 enable ns mode l3 disable ns mode l3
Network Address Translation

Network address translation (NAT) involves modification of the source and/or destination IP address and/or the TCP/UDP port numbers of IP packets that pass through the NetScaler. Enabling NAT on the NetScaler enhances security of your private network and protects it from a public network such as the Internet by modifying the source IP address of your system when data passes through the NetScaler. Also, with the help of NAT entries, your entire private network can be represented using a few shared public IP addresses. The NetScaler supports the following two types of network address translation:
20
Inbound NAT (INAT), in which the NetScaler replaces the destination IP address in the packets generated by the client with the private IP address of the server. Reverse NAT (RNAT), in which the NetScaler replaces the source IP address in the packets generated by the servers with the public NAT IP addresses.
Inbound Network Address Translation

When a client sends a packet to a NetScaler that is configured for INAT, the NetScaler translates the packets public destination IP Address to a private destination IP Address and forwards the packet to the server at that address. This section provides information on the following aspects of INAT: Configuring Inbound NAT Address Translation Customizing the INAT Configuration Removing an INAT Configuration Coexistence of INAT and Vservers
Configuring Inbound NAT Address Translation

This section describes how to configure a basic INAT that is functional and also how to modify it to add provide protection to the NetScaler from DOS attacks by enabling TCP Proxy and/or FTP. By default, the NetScaler selects the source IP Address based on the mode that you select. If you select the Use Subnet IP (USNIP) Address mode, assignment of the source IP address is based on the state of the USNIP mode. For instance: If USNIP is off, the NetScaler uses the Mapped IP Address (MIP) as the source IP Address If USNIP is on, the NetScaler uses the Subnet IP Address (SNIP) as the source IP Address
If you select the Use Source IP Address (USIP) mode, the Client IP address (CIP) is selected as the source IP address. However, if you have selected both USIP and USNIP modes, USIP mode takes precedence over USNIP. You can also configure the NetScaler to use a unique IP address as the source IP address, by using the ProxyIP parameter. For additional information on how to configure the NetScaler to use a unique IP address, see Customizing the INAT Configuration, on page 22.
Chapter 1
IP Addressing
21
Note: If the modes have not been selected and the unique IP has also not been specified, an attempt is made to send the packet using Mapped IP Address (MIP). If both USIP and USNIP modes have been selected and the unique IP has also been specified, the order of precedence used is as follows: USIP --- unique IP--- USNIP --- MIP --- Error. The following table describes the parameters used to configure a basic INAT for incoming packets. Inbound NAT Basic Parameters
Parameter Name Public IP Address Private IP Address Specifies Name of the Inbound NAT configuration being added. Mandatory parameter. Public destination IP address of packets received on the NetScaler. Mandatory parameter. Possible values: NetScaler owned VIPs. Private destination IP address of the server to which the packet is sent by the NetScaler. Mandatory parameter. Possible values: IP addresses of the servers. Use Source IP mode. Possible values: Enabled and Disabled. Default: Enabled. Use Subnet IP mode is enabled. Possible values: Enabled and Disabled. Default: Enabled. A unique IP address that is represented as the source IP address for the server.
USIP
(usip)
USNIP
(usnip)
ProxyIP
(proxyIP)
The following procedure includes examples for creating an INAT configuration in which the NetScaler replaces the public VIP of 10.102.29.55 with 192.168.1.0, the private IP address of a physical server.
To configure INAT with a VIP as the destination IP address using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network, expand Routing, and click Routes. On the Routes page, click the INAT tab, and then click Add. In the Create INAT dialog box, in the Name textbox, type the name of the INAT (for example, MyNAT). In the Public IP Address textbox, type a public VIP address owned by the NetScaler (for example, 10.102.29.55).
22
5. 6.
In the Private IP Address textbox, type the private IP address of the server (for example, 192.168.1.0). Click Create, and then click Close.
To configure INAT with a VIP as the destination IP address using the NetScaler command line

add inat Name PublicIPAddress PrivateIPAddress
Example
add inat MyNAT 10.102.29.55 192.168.1.0
Customizing the INAT Configuration

The following procedure sets the source IP address to a unique IP address. In the example, MyNAT1 replaces the destination IP address of a packet generated by the client from 10.102.29.55 (Public destination IP address) to 192.168.20.0 (private destination IP address). Also, MyNAT1 replaces the source IP address of the packet to a unique IP address.
To assign a unique IP address as the INAT Source IP address using the configuration utility
1. 2. 3.
In the navigation pane, expand Network, expand Routing, and click Routes. On the Routes page, click the INAT tab, select the INAT and then click Open. In the Configure INAT dialog box, from the Proxy IP Address drop-down menu, select an IP address that the NetScaler will use as the client IP address (for example, 10.102.29.56). Click Create and then click Close.
4.
To assign a unique IP address as the INAT source IP Address using the NetScaler command line

set inat NameofINAT proxyip Value
Example
add inat MyNAT1 proxyip 10.102.29.56
You can configure INAT to provide protection to the NetScaler from DOS attacks by enabling TCP Proxy and/or FTP. However, if other protection mechanisms are used in your network, you may want to disable these features.
Chapter 1
IP Addressing
23
The following table lists and describes the parameters used to configure an existing INAT with the FTP and TCPProxy features. Customizing INAT Configuration
Parameter TCPProxy
(tcpproxy)
Specifies Allow TCP traffic. Possible values: Enabled and Disabled. Default: Disabled. Allow Active FTP. Possible values: Enabled and Disabled. Default: Disabled.
FTP
(ftp)
Use either of the following procedures to enable or disable TCP traffic on an existing INAT. In the example, MyNAT1 is the existing INAT.
To enable or disable TCPProxy on the INAT using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network, expand Routing, and then click Routes. On the Routes page, click the INAT tab, select the name of the INAT that you want to modify (for example, MyNAT1) and then click Open. In the Configure INAT dialog box, do one of the following: To enable TCPProxy, select the TCP Proxy Mode checkbox. To disable TCPProxy, clear the TCP Proxy Mode checkbox. Click Ok and then click Close.
To enable or disable TCP Proxy mode on the INAT using the NetScaler command line

set inat NameofINAT tcpproxy Value
Example
set inat TestINAT set inat TestINAT tcpproxy enabled tcpproxy disabled
Removing an INAT Configuration

Use either of the following procedures to remove an INAT configuration.
To remove an INAT configuration using the Configuration Utility
1.
In the navigation pane, expand Network, expand Routing, and click Routes.
24
2. 3. 4.
On the Routes page, click the INAT tab. In the details pane, select the name of the INAT configuration that you want to remove (for example, MyNAT). Click Remove, and then click Close.
To remove an INAT configuration using the NetScaler command line

rm inat Name
Example
rm inat MyNAT
Coexistence of INAT and Vservers

If both INAT and RNAT are configured, the INAT rule takes precedence over the RNAT rule. If RNAT is configured with a network address translation IP (NAT IP) address, the NAT IP address is selected as the source IP address for that RNAT client. The default public destination IP in an INAT configuration is the virtual IP (VIP) of the NetScaler device. Vservers also use VIPs. When both INAT and a Vserver use the same IP address, the Vserver configuration overrides the INAT configuration. Following are a few sample configuration setup scenarios and their effects.
Case You have configured a vserver and a service to send all data packets received on a specific NetScaler port to the server directly. You have also configured INAT and enabled TCP. Configuring INAT in this manner sends all data packets received through a TCP engine before sending them to the server. You have configured a vserver and a service to send all data packets of service type TCP, that are received on a specific port on the NetScaler, to the server after passing through the TCP engine. You have also configured INAT and disabled TCP. Configuring INAT in this manner sends the data packets received directly to the server. You have configured a vserver and a service to send all data packets received to either of two servers. You are attempting to configure INAT to send all data packets received to a different server.
Result All packets received on the NetScaler, except those received on the specific port, will pass through the TCP engine. Only packets received on the specific port will pass through the TCP engine.
The INAT configuration is not allowed.
Chapter 1
IP Addressing
25
Case You have configured INAT to send all data packets received directly to a server. You are attempting to configure a vserver and a service to send all data packets received to two different servers.
Result The vserver configuration is not allowed.
Reverse Network Address Translation

In Reverse Network Address Translation (RNAT), the NetScaler replaces the source IP addresses in the packets generated by the servers with public NAT IP addresses. By default, the NetScaler uses a Mapped IP address (MIP) as the NAT IP address. You can also configure the NetScaler to use a unique NAT IP address for each subnet. You can also configure RNAT by using Access Control Lists (ACLs). Use Source IP (USIP), Use Subnet IP (USNIP), and Link Load Balancing (LLB) modes affect the operation of RNAT. You can display statistics to monitor RNAT.
Configuring RNAT to Use a MIP as the NAT IP Address

When using a MIP as the NAT IP address, the NetScaler replaces the source IP addresses of server-generated packets with the MIP. Therefore, the MIP address must be a public IP address. If Use Subnet IP (USNIP) mode is enabled, the NetScaler uses the subnet IP address (SNIP) as the NAT IP address. The following table describes the parameters for using a MIP as the NAT IP address. Parameters for configuring MIP as the NAT IP
Parameter Network Netmask Specifies Network or subnet from which the traffic is flowing. Subnet mask of the network.
The following procedure enables RNAT with the NAT IP set to a MIP. In the example, RNAT is enabled for the network 192.168.1.0 and subnet mask 255.255.255.0. The NetScaler changes the source IP addresses of packets originating from the 192.168.1.0 network and sent to the MIP.
To enable RNAT when the NAT IP is set to a MIP using the configuration utility
1. 2.
In the navigation pane, expand Network, expand Routing, and click Routes. On the Routes page, on the RNAT tab, click Configure RNAT.
26
3.
In the Configure RNAT dialog box, in the Network and Netmask text boxes, type the network and subnet mask for which you want to enable RNAT (for example, 192.168.1.0 and 255.255.255.0). Click Create, and then click Close.
4.
To enable RNAT when the NAT IP is set to a MIP using the NetScaler command line
At a NetScaler command prompt, type:

set rnat IPAddress Subnetmask
Example
set rnat 192.168.1.0 255.255.255.0
Configuring RNAT by Using a Unique IP Address as the NAT IP Address

When using a unique IP address as the NAT IP address, the NetScaler replaces the source IP addresses of server-generated packets with the unique IP address specified. The unique IP address must be a public NetScaler-owned IP address. This is illustrated in the following diagram.
Using a Unique NAT IP Address for a Subnet
Chapter 1
IP Addressing
27
The following table describes the parameter used to set a unique NAT IP address. Assigning a Unique NAT IP
Parameter Available NAT IP (s)
(natip)
Specifies NAT IP(s) assigned to a source IP or NetScaler IP.
The following procedures include examples in which the NetScaler is configured to use two unique IP addresses, MIP1 and MIP2, for two subnets. The NetScaler replaces the source IP addresses of packets originating from the 192.168.1.0 and 192.168.2.0 subnets to 10.102.29.50 (MIP1) and 10.102.29.60 (MIP2), respectively.
To enable RNAT when the NAT IP is set to a unique IP address using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network, expand Routing, and click Routes. On the Routes page, on the RNAT tab, select the RNAT network for which you want to configure the NAT IP address (for example, 192.168.1.0). Click Configure RNAT. In the Configure RNAT dialog box, in the Available NAT IP (s) list box, select the NAT IP address that you want to configure (for example, select 10.102.29.50). Click Add. The NAT IP you selected in Step 4 appears in the Configured NAT IP (s) list box. Click OK. Repeat steps 2-6 if you want to configure another RNAT network (for example, to configure the NAT IP address for 192.168.2.0 to 10.102.29.60).
5. 6. 7.
To enable RNAT when the NAT IP is set to a unique IP address using the NetScaler command line
At a NetScaler command prompt, type:

set rnat IPAddress Subnetmask -natip NATIPAddress set rnat IPAddress Subnetmask -natip NATIPAddress
Example
set rnat 192.168.1.0 255.255.255.0 -natip 10.102.29.50 set rnat 192.168.2.0 255.255.255.0 -natip 10.102.29.60
28
Note: If multiple NAT IP addresses are configured for a subnet, NAT IP selection uses the round robin algorithm.
Configuring RNAT by Using ACLs

You can configure the NetScaler to use a unique IP address for traffic that matches an ACL. The configuration requires three tasks: 1. 2. 3. Configure the ACL. Configure RNAT to change the source IP address and Destination Port. Apply the ACL.
Note: ACL-based RNAT is not applied to traffic originating from the NetScaler. For more information on ACLs, see Chapter 3, Access Control Lists (ACLs).. The following diagram illustrates RNAT configured with an ACL.
Changing Source IP Address and Port
Configuring an ACL
The following procedure creates a new ACL. Alternatively, you can open and modify an existing ACL. This procedure includes examples for creating an ACL named acl1, which allows TCP traffic originating from a server with IP address 10.102.29.40 to an external client at 209.165.202.11.
Chapter 1 To configure an ACL using the configuration utility
IP Addressing
29
1. 2. 3. 4.
In the navigation pane, expand Network and click ACLs. On the ACLs page, click the Extended ACL tab, and then click Add. In the Add ACL dialog box, in the Name text box, type the name of the ACL (for example, acl1). In the Action, select an action (for example, ALLOW), in the Operator drop-down list, select an option (for example, =), and in the Protocol dropdown list, select a protocol (for example, TCP). Under Source, in the Low and High text boxes, type the IP addresses (for example, 10.102.29.40 and 10.102.29.40). Under Destination, in the Low and High text boxes, type the IP addresses (for example, 209.165.201.11 and 209.165.201.11). Click Create, and click Close.
5. 6. 7.
To configure an ACL using the NetScaler command line

add acl Name allow -srcip SourceIPAddress -destip DestinationIPAddress -protocol Protocoltype
Example
add acl acl1 allow -srcip 10.102.29.40 -destip 209.165.201.11 -protocol TCP
Configuring RNAT to change the source IP address and Destination Port

The following procedure includes examples for configuring RNAT to replace the source IP address of packets matching acl1 with NAT IP address 209.165.202.129, and to change the destination port to 8080.
To set RNAT to change the Source IP address and Destination Port using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network, expand Routing, and click Routes. On the Routes page, click the RNAT tab and click Configure RNAT. In the Configure RNAT dialog box, click the ACL radio button. In the ACL Name drop-down list box, select the ACL that you want to configure (for example, acl1).
30
5. 6. 7. 8.
In the Redirect Port text box, type the port (for example, 8080). In the Available NAT IP (s) list box, select the NAT IP address that you want to configure (for example, 209.165.202.129). Click Add. The NAT IP you selected appears in the Configured NAT IP (s) list box. Click Create, and click Close.
To set RNAT to change the Source IP address and Destination Port using the NetScaler command line

set rnat ACLname -natip NATIPAddress -redirectPort Value
Example
set rnat acl1 -natip 209.165.202.129 -redirectPort 8080
Applying the ACL

An ACL does not function until you apply it. For instructions on how to apply an ACL using the configuration utility, see Configuring Extended ACLs, on page 96.
To apply an ACL using the NetScaler command line

apply ns acls
Note: The NetScaler uses ports 1024 to 64000 for mapped IP addresses and subnet IP addresses.
RNAT in USIP, USNIP, and LLB Modes

When RNAT and Use Source IP (USIP) are both configured, RNAT takes precedence. When RNAT and USNIP are configured, selection of the source IP address is based on the state of USNIP as follows: If USNIP is off, the NetScaler uses the mapped IP addresses. If USNIP is on, the NetScaler uses SNIP as the NAT IP address.
This behavior does not apply when a unique NAT IP address is used.
Chapter 1
IP Addressing
31
In a topology where the NetScaler performs both Link Load Balancing (LLB) and RNAT for traffic originating from the server, the NetScaler selects the source IP address based on the router. The LLB configuration determines selection of the router. Note: For more information about LLB, see the Citrix NetScaler Traffic Management Guide, Chapter 9, Link Load Balancing.
Monitoring RNAT
You can display RNAT statistics to troubleshoot issues related to IP address translation. The following tables describes the statistics associated with RNAT and RNAT IP. RNAT Statistics
Statistic Bytes received Bytes sent Packets received Packets sent Syn sent Current sessions Description Bytes received during RNAT sessions. Bytes sent during RNAT sessions. Packets received during RNAT sessions. Packets sent during RNAT sessions. Requests for connections sent during RNAT sessions. Currently active RNAT sessions.
RNAT IP Statistics
Statistic Bytes received Bytes sent Packets received Packets sent Syn sent Current sessions Description Bytes received on this IP address during RNAT sessions. Bytes sent from this IP address during RNAT sessions. Packets received on this IP address during RNAT sessions. Packets sent from this IP address during RNAT sessions. Requests for connections sent from this IP address during RNAT sessions. Currently active RNAT sessions started from this IP address.
Displaying RNAT Statistics

Use either of the following procedures to display RNAT summary statistics.
32
Citrix NetScaler Networking Guide To display RNAT statistics using the configuration utility
1. 2.
In the navigation pane, expand Network, expand Routing, and click Routes. In the details pane, on the RNAT tab, click Statistics.
To view RNAT statistics using the NetScaler command line

stat rnat
Displaying RNAT IP Statistics

Use either of the following procedures to display RNAT IP statistics.
To view RNAT IP statistics using the configuration utility
1. 2. 3.
In the navigation pane, expand Network, expand Routing, and click Routes. In the details pane, on the RNAT tab, select the NATIP whose statistics you want to view. Click Statistics.
To view RNAT IP statistics using the NetScaler command line

stat rnatip NATIPAddress
Example
stat rnatip 10.102.29.61
Configuring Static ARP

You can add static ARP entries to and remove static ARP entries from the ARP table. After adding an entry, you should verify the configuration. Note: If the IP address, port, or MAC address changes after you create a static ARP entry, you must remove or manually adjust the static entry. Therefore, creating static ARP entries is not recommended unless necessary.
Chapter 1
IP Addressing
33
Adding Static ARP Entries

The following table describes the parameters you set to add an entry to the ARP table. Parameters used to create an ARP Entry
Parameters IP Address
(IPAddress)
Specifies The IP address of the server. The MAC address of the server. Type the MAC address with colons (:) as shown in the example below. The physical interface for the ARP entry. Use the show interface command to view the valid interface names.
MAC Address
(mac)
Interface Number
(ifnum)
Use either of the following procedures to add a static ARP entry to an ARP table.
To create an ARP entry using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click ARP Table. On the ARP Table page, click Add. In the Add ARP entry dialog box, in the IP Address, MAC Address, and Interface Number text boxes, respectively, type the IP address, MAC address and network interface number that you want to add to the ARP table (for example, 10.102.29.54, 00:aa:10:12:13:ef, and 1/8).
34
4.
Click Create and click Close. The ARP entries you added appear in the ARP Table page, as shown in the following figure.
ARP Table page

To create an ARP entry using the NetScaler command line

add arp -IPAddress IPAddress -mac MACAddress -ifnum Interface
Example
add arp -IPAddress 10.102.29.54 -mac 00:aa:10:12:13:ef -ifnum 1/8
Removing Static ARP Entries

The following example describes the procedure to remove the IP address 10.102.29.54 from an ARP table.
To remove an ARP entry using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network and click ARP Table. On the ARP Table page, select the ARP entry that you want to remove (for example, 10.102.29.54). Click Remove. In the Remove dialog box, click Yes.
Chapter 1
IP Addressing
35
To remove an ARP entry using the NetScaler command line

rm arp ARPentry
Example
rm arp 10.102.29.54

You can display the properties of the ARP entries, such as IP address, MAC address, interface, VLAN, and origin, and use this information to troubleshoot any fault in the configuration.
To verify the ARP entries of IP addresses using the configuration utility
1.
In the navigation pane, expand Network and click ARP Table. The ARP Table page appears in the details pane, showing the details of the available ARP entries. Verify that the configured ARP entry (for example, 10.102.29.54) appears. Select the IP address (for example, 10.102.29.54) and, in the details section, verify that the parameters are configured as intended.
2. 3.
To view the ARP entries using the NetScaler command line

sh arp
IP Tunneling
An IP Tunnel is a communication channel, that can be created by using encapsulation technologies, between two networks that do not have a routing path. Every IP packet that is shared between the two networks is encapsulated within another packet and then sent via the tunnel. The NetScaler implements IP Tunneling in the following ways: NetScaler as an Encapsulator (Load Balancing with DSR mode) NetScaler as a Decapsulator
36
NetScaler as an Encapsulator (Load Balancing with DSR mode)

Consider an organization that has multiple data centers across different countries, where the NetScaler maybe at one location and the back-end servers are located in a different country. In essence, the NetScaler and the back-end servers are on different networks and are connected via a router. When you configure Direct Server Return (DSR) on this NetScaler, the packet sent from the source subnet is encapsulated by the NetScaler and sent via a router and tunnel to the appropriate back-end server. The back-end server decapsulates the packet and responds directly to the client, without allowing the packet to pass via the NetScaler. For information on how to configure DSR, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing.
NetScaler as a Decapsulator
Consider an organization having multiple data centers each having NetScalers and back-end servers. When a packet is sent from data center A to data center B it is usually sent via an intermediary, say a router or another NetScaler. The NetScaler processes the packet and then forwards the packet to the back-end server. However, if an encapsulated packet is sent, the NetScaler must be able to decapsulate the packet before sending it to the back-end servers. To enable the NetScaler to function as a decapsulator, a tunnel is added between the router and the NetScaler. When the encapsulated packet, with additional header information, reaches the NetScaler, the data packet is decapsulated i.e. the additional header information is removed, and the packet is then forwarded to the appropriate back-end servers. The NetScaler can also be used as a decapsulator for the Load Balancing feature, specifically in scenarios when the number of connections on a vserver exceeds a threshold value and all the new connections are then diverted to a back-up vserver. For more information on the spillover option, see Diverting Excess Traffic to a Backup Load Balancing Virtual Server, in the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing.
Chapter 1
IP Addressing
37
NetScaler as a decapsulator is illustrated in the diagram specified below.
NS as a Decapsulator
Adding an IP Tunnel
This section discusses how to enable IP/IP (IP Tunneling) for a specific virtual IP (VIP) address. Enabling IP/IP involves adding an IP Tunnel manually, known as Configured tunnels. The following table lists and describes the parameters used for adding a tunnel manually.
Parameter Name Remote IP Remote Mask Local IP Type Protocol Specifies Name of the IP Tunnel. Mandatory parameter. Address of the entry point of the tunnel. Mandatory parameter. Subnet mask of the remote IP address of the tunnel. Mandatory parameter. Local IP Address of the tunnel. Possible values: Auto, MIP, SNIP, and VIP. Default: Auto. IP Tunneling protocol. Possible values: IPIP. Default: IPIP.
38
Citrix NetScaler Networking Guide To add an IP Tunnel using the configuration utility
1. 2. 3. 4. 5. 6.
In the navigation pane, expand Network, and click IP Tunnels. On the IP Tunnels page, click Add. In the Add IP Tunnel dialog box, in the Name text box, type the name of the tunnel (for example, nstnl). In the Remote IP text box, type a public VIP address owned by the NetScaler (for example, 192.168.0.0). In the Remote Mask text box, type the subnet mask of the remote IP address of the tunnel (for example, 255.255.255.0). Click Create, and then click Close.
To add an IP Tunnel using the NetScaler command line

add iptunnel Name RemoteIPAddress RemoteSubnetMask LocalIP Address
Example
add iptunnel nstl 192.168.0.0 255.255.255.0 *
Verifying the IP Tunnel Configuration

You can view all the IP tunnels (user configured and internal) that have been created. You can also view the following properties of a specific IP Tunnel: Name, Remote, Protocol, and others. Viewing these details of the configured IP Tunnel can be helpful when you are troubleshooting any issues in the configuration.
To view all the IP Tunnels created using the configuration utility
In the navigation pane, expand Network, and click IP Tunnels. On the IP Tunnels page, all the created IP tunnels are displayed.
To view all the IP Tunnels created using the NetScaler command line

sh iptunnel
To view the IP Tunnel configuration using the configuration utility
1. 2.
In the navigation pane, expand Network, and click IP Tunnels. On the IP Tunnels page, verify that the configured IP tunnel appears, for example, check if the nstl tunnel appears.
Chapter 1
IP Addressing
39
3.
Select the configured IP Tunnel, for example, nstl, and in the Details section, verify that the parameters displayed are as configured.
To view the IP Tunnel using the NetScaler command line

sh iptunnel Name
Example
sh iptunnel nstl
Removing an IP Tunnel
A tunnel is a communication channel created between two appliances. The tunnel can be removed when either one of the appliances goes down or when you no longer use that tunnel, irrespective of the type of tunnel.
To remove an IP Tunnel using the configuration utility
1. 2. 3.
In the navigation pane, expand Network, and click IP Tunnels. On the IP Tunnels page, select the name of the IP Tunnel that you want to remove (for example, nstl), and click Remove. In the Remove pop-up window, click Yes.
To remove an IP Tunnel using the NetScaler command line

rm iptunnel Name
Example
rm iptunnel nstl
Customizing the IP Tunnel Globally

By globally specifying the Source IP address parameter, you can assign a common source IP address across all tunnels. Fragmentation is CPU-intensive and so if a packet requires fragmentation, you can globally specify that the NetScaler must drop the packet. However, if you would like to fragment all packets as long as a CPU threshold value is not met, you can globally specify the CPU threshold value.
40
The following table lists and describes the parameters required for customizing the IP tunnels globally.
Parameter Source IP Specifies The common global source IP address for all tunnels. The global source IP can either be a MIP or a SNIP. You can also create a new MIP or SNIP address to be used as the global source IP address. Packet must be dropped if it requires fragmentation. Possible values: Yes or No. If the value is set to Yes, packets that require fragmentation are dropped by the NetScaler. If the value is set to No, packets are not dropped if they require fragmentation. Default: No. Packet must be dropped if the CPU usage is greater or equal to the user configured value. This parameter is applicable only if the Drop Packet if Fragmentation is required parameter is set to No. Possible values: 1 to 100. Default: 0 (Not set). For example, let us assume that the CPU usage value is 50%. If the CPU usage is not greater than 50%, all packets are fragmented and not dropped. If the CPU usage is greater than 50%, all packets are dropped and not fragmented. If the CPU usage has not been specified, then all packets are fragmented and not dropped.
Drop Packet if Fragmentation is required
Dont fragment and drop packet if CPU usage is >=
To customize the IP Tunnel using the configuration utility
1. 2. 3.
In the navigation pane, click Network. In the Network page, in the IP Tunnels group, click IP Tunnel Global Settings. In the Configure IP Tunnel Global Parameters dialog box, in the Source IP text box, select the global source IP address of the tunnel (for example, 10.102.29.21). Note: You can also add a new IP address of type SNIP or MIP which can be used as the default source IP address for all tunnels by clicking New. An updated Add IP dialog box is displayed to enable you to add a new source IP address.
4.
Do one of the following: To enable NetScaler to drop packets if fragmentation is required, select the Drop packet if fragmentation is required check box. To enable NetScaler to fragment the packets, clear the Drop packet if fragmentation is required check box.
Chapter 1
IP Addressing
41
5.
To fragment packets until the threshold value for the CPU usage is met, type a value in the Dont fragment and drop packet if CPU usage is => text box, for instance, 50. Note: To fragment packets irrespective of the CPU usage, do not specify any value in the Dont fragment and drop packet if CPU usage is => text box.
6.
Click Ok.
To customize the IP Tunnel using the NetScaler command line

set iptunnelparam srcIP SourceIPAddress dropFrag Value dropFragCpuThreshold Value
Example
set iptunnelparam -srcIP dropFragCpuThreshold 50 12.12.12.22 -dropFrag No
42
C HAPTER 2
Interfaces
Before you begin configuring interfaces, decide whether your configuration can use MAC-based forwarding mode, and either enable or disable this system setting accordingly. The number of interfaces you have depends on the NetScaler that you own. In addition to configuring individual interfaces, you can logically group interfaces, using VLANs to restrict data flow within a set of interfaces, and you can aggregate links into channels. In a high availability setup, you may configure a virtual MAC (VMAC) address if necessary. If you use L2 mode, you might want to modify the ageing of the bridge table. When your configuration is complete, decide whether you should enable the system setting for path MTU discovery. NetScaler appliances can be deployed in active-active mode using VRRP. An active-active deployment, in addition to preventing downtime, makes efficient use of all the NetScaler appliances in the deployment. You can use the Network Visualizer tool to view the network configuration of a NetScaler deployment and configure interfaces, channels, VLANs, and bridge groups. In This Chapter MAC-Based Forwarding Configuring Network Interfaces Configuring VLANs Configuring Bridge Groups Configuring Link Aggregation Configuring VMACs Configuring the Bridge Table Enabling or Disabling Path MTU Behavior Configuring NetScaler Appliances in Active-Active Mode using VRRP Network Visualizer
44
MAC-Based Forwarding
Using MAC-based forwarding (MBF), when a request reaches the NetScaler, it remembers the source MAC address of the frame, and uses that MAC address as the destination MAC address for the resulting replies. In this way, MAC-based forwarding can be used to avoid multiple-route/ARP lookups and to avoid asymmetrical packet flows. MAC-based forwarding may be required when the NetScaler is connected to multiple stateful devices, such as VPN or firewalls, as it ensures that the return traffic is sent to the same device that the initial traffic came from. MAC-based forwarding is useful when you use VPN devices, because it guarantees that all traffic flowing through a VPN passes back through the same VPN device. The following topology diagram illustrates the process of MAC-based forwarding.
Working of MAC-based forwarding mode
Enabling and Disabling MAC-based Forwarding

When MAC-based forwarding (MBF) is enabled, the NetScaler caches the MAC address of: The source (a transmitting device such as router, firewall, or VPN device) of the inbound connection. The server that responds to the requests.
Chapter 2
Interfaces
45
When a server replies through the NetScaler, the NetScaler sets the destination MAC address of the response packet to the cached address, ensuring that the traffic flows in a symmetric manner, and then forwards the response to the client. The process bypasses the route table lookup and ARP lookup functions. However, when the NetScaler initiates a connection, it uses the route and ARP tables for the lookup function. When you need to use a direct server return configuration, you must enable MAC-based forwarding. For more information about direct server return configurations, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing. Some deployment topologies may require the incoming and outgoing paths to flow through different routers. In these situations, MAC-based forwarding breaks this topology design. MBF should be disabled in the following situations: When you configure link load balancing. In this case, asymmetric traffic flows are desirable because of link costs. When a server uses network interface card (NIC) teaming without using LACP (802.1ad Link Aggregation). To enable MAC-based forwarding in this situation, you must use a layer 3 device between the NetScaler and server. Note: MBF can be enabled when the server uses NIC teaming with LACP, because the virtual interface uses one MAC address. When firewall clustering is used. Firewall clustering assumes that ARP is used to resolve the MAC address for inbound traffic. Sometimes the inbound MAC address can be a non-clustered MAC address and should not be used for inbound packet processing.
When MBF is disabled, the NetScaler uses L2 or L3 connectivity to forward the responses from servers to the clients. Thus, depending on the route table, the routers used for outgoing connection and incoming connection can be different. In the case of reverse traffic (response from the server): If the source and destination are on different IP subnets, the NetScaler uses the route lookup to locate the destination. If the source is on the same subnet as the destination, the NetScaler looks up the ARP table to locate the network interface and forwards the traffic to it. If the ARP table does not exist, the NetScaler requests the ARP entries.
To enable or disable MAC-based forwarding using the configuration utility
1.
In the navigation pane, expand System and click Settings.
46
2. 3.
In the details pane, in the Modes and Features group, click Change modes. In the Configure Modes dialog box, do one of the following: To enable MAC-based forwarding, select the MAC Based Forwarding check box. To disable MAC-based forwarding, clear the MAC Based Forwarding check box.
4. 5.
To enable or disable MAC-based forwarding using the NetScaler command line

enable ns mode Value disable ns mode Value
Examples
enable ns mode mbf disable ns mode mbf
Configuring Network Interfaces

Network interfaces in the NetScaler are numbered in <slot>/<port> notation. After you customize the interface settings for your network interfaces or perform general interface-management tasks, you should verify your configuration. To modify the network interfaces, use the parameters listed in the following table. Parameters for modifying Network Interfaces
Parameter ID
(id)
Specifies The number assigned to the interface. Ethernet speed for the interface. Possible values: AUTO, 10, 100, 1000, and 10000 Mbps. Default: AUTO. A setting other than AUTO requires the same configuration for device at the other end of the link. Mismatched speed (or duplex) configurations can cause link errors, packet losses, and other errors. Some network interfaces do not support certain speeds. An attempt to set an unsupported speed is reported as an error.
Speed
(speed)
Chapter 2
Interfaces
47
Parameters for modifying Network Interfaces

Parameter Duplex
(duplex)
Specifies Duplex mode for the interface. Possible values: AUTO, HALF, and FULL. Default: AUTO. AUTO is recommended. If you force HALF or FULL mode, you must manually configure the same mode and identical speed on both sides of the link. Apply 802.3x flow control to the interface. Possible values: OFF, RX, TX, RXTX, and ON (forced RXTX). Default: OFF. Real flow control status depends on the auto-negotiation results. Link parameter mismatches must be checked for and avoided because, for example, they can cause the NetScaler to drop packets, or the link may not be accessible. Use auto negotiation on the interface. Possible values: DISABLED and ENABLED. Monitor the interface for failure events. Possible values: ON and OFF. Default: ON. When ON in an HA configuration, failover occurs when a network interface fails. If a network interface is not being used, or if failover is not required, select OFF. (Also, if the network interface is not used in the configuration, you must disable it.) Trunk port functionality for the interface. Possible values: ON and OFF. Default: OFF. With the ON setting, traffic is tagged for the VLANs bound to this network interface, including the default VLAN. If you require 802.1q behavior with backward compatibility, you must set this parameter to OFF. LACP mode. Possible values: DISABLED, ACTIVE, and PASSIVE. Default: DISABLED LACP key for the interface. Possible values: 1 to 4. LACP port priority. Possible values: 1 to 65535. Default: 32768. LACP timeout setting. Possible values: LONG and SHORT. Default: LONG. Alias name for the interface. Minimum required throughput for the interface.
Flow Control
(flowControl)
Auto Negotiate
(autoneg)
HA Monitor
(haMonitor)
Trunk
(trunk)
LACP Mode
(lacpMode)
LACP Key
(lacpKey)
LACP Priority
(lacpPriority)
LACP Time-out
(lacpTimeout)
Alias
(ifAlias)
Throughput
(throughput)
48
Note: For more information about Link Aggregate Control Protocol (LACP), see Configuring the Link Aggregate Channel Protocol, on page 72. Use either of the following procedures to modify the duplex setting of a network interface.
To modify the duplex setting of a network interface using the configuration utility
1. 2. 3. 4. 5.
In the navigation pane, expand Network and click Interfaces. On the Interfaces page, select the network interface that you want to modify (for example, 1/8). Click Open. In the Modify Interface dialog box, select or enter a new value. (For example, from the Duplex drop-down list, select FULL.) Click OK.
To modify the duplex setting of a network interface using the NetScaler command line

set interface Value -Argument Value
Example
set interface 1/8 -duplex full
Note: The network interface configuration is neither synchronized nor propagated. For an HA pair, you must perform the configuration on each unit independently.
Managing Network Interfaces

To manage the network interfaces, you might have to enable some interfaces and disable others. You can reset an interface to renegotiate its settings. You can clear the accumulated statistics for an interface. To verify the configuration, you can display the interface settings.
Chapter 2
Interfaces
49
Enabling and Disabling Network Interfaces

By default, the network interfaces are enabled. You must disable any network interface that is not connected to the network, so that it cannot send or receive packets. Disabling a network interface that is connected to the network in a high availability setup can cause failover. For more information about high availability, see Chapter 6, How High Availability Works. Use either of the following procedures to enable or disable a network interface.
To enable or disable a network interface using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click Interfaces. On the Interfaces page, select the network interface that you want to disable (for example, 1/8). Do one of the following: To enable a network interface, click Enable. To disable a network interface, click Disable.
To enable or disable a network interface using the NetScaler command line

enable interface Value disable interface Value
Examples
enable interface 1/8 disable interface 1/8
Resetting Network Interfaces

Network interface settings control properties such as duplex and speed. To renegotiate the settings of a network interface, you must reset it. Use either of the following procedures.
To reset a network interface using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click Interfaces. On the Interfaces page, select the network interface that must be reset (for example, 1/8). Click Reset Interface.
50
Citrix NetScaler Networking Guide To reset a network interface using the NetScaler command line

reset interface Value
Example
reset interface 1/8
Removing the Statistics of a Network Interface

You can use network interface statistics to monitor parameters such as packets sent and packets received. You can clear the statistics of a network interface to monitor its statistics from the time the statistics are cleared. Use either of the following procedures.
To clear a network interfaces statistics using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click Interfaces. On the Interfaces page, select the network interface whose statistics you want to clear (for example, 1/8). Click Clear Statistics.
To clear a network interfaces statistics using the NetScaler command line

clear interface Value
Example
clear interface 1/8
Verifying and Monitoring the Configuration

When your interfaces are configured, you should display the interfaces and their settings to verify the configuration. You can also display this information to troubleshoot a problem in the configuration. You can display the statistics for an interface to evaluate its health.
Displaying Network Interfaces

Use either of the following procedures to display the properties of the network interfaces, including the loopback interface.
To display the network interfaces using the configuration utility
1. 2.
In the navigation pane, expand Network and click Interfaces. On the Interfaces page, verify that your configured interface appears.
Chapter 2
Interfaces
51
3.
Highlight the interface by selecting it, and verify that the parameters are configured as intended.
To display the properties of the network interfaces using the NetScaler command line

show interface
Displaying the Statistics for a Network Interface

You can display network interface statistics such as throughput, types of packets, Link Aggregate Control Protocol (LACP) data units, and errors, and use the information to check the health of the network interface. Use either of the following procedures.
To view the statistics of an Interface using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click Interfaces. On the Interfaces page, select the network interface whose statistics you want to view (for example, 1/8). Click Statistics.
To view the statistics of the network interfaces using the NetScaler command line

stat interface Value
Example
stat interface 1/8
Configuring VLANs
The NetScaler supports Layer 2 port and IEEE 802.1q tagged VLANs. VLAN configurations are useful when you need to restrict traffic to certain groups of stations. You can configure a network interface as a part of multiple VLANs using IEEE 802.1q tagging. You can configure VLANs and bind them to IP subnets. The NetScaler then performs IP forwarding between these VLANs (if it is configured as the default router for the hosts on these subnets). The NetScaler supports the following types of VLANs. Port-Based VLANs
52
Default VLAN Tagged VLANs
Port-Based VLANs The membership of a port-based VLAN is defined by a set of network interfaces that share a common exclusive Layer 2 broadcast domain. You can configure multiple port-based VLANs. By default, all network interfaces on the NetScaler are members of VLAN 1. If you apply 802.1q tagging to the port, the network interface belongs to a portbased VLAN. Layer 2 traffic is bridged within a port-based VLAN, and Layer 2 broadcasts are sent to all members of the VLAN if Layer 2 mode is enabled. When you add an untagged network interface as a member of a new VLAN, it is removed from its current VLAN. Default VLAN By default, the network interfaces on the NetScaler are included in a single, portbased VLAN as untagged network interfaces. This VLAN is the default VLAN. It has a VLAN ID (VID) of 1. This VLAN exists permanently. It cannot be deleted, and its VID cannot be changed. When you add a network interface to a VLAN as an untagged member, the network interface is automatically removed from the default VLAN and added to this VLAN. If you unbind a network interface from its current port-based VLAN, it is added to the default VLAN again. Tagged VLAN 802.1q tagging (defined in the IEEE 802.1q standard) allows a networking device (such as the NetScaler) to add information to a frame at Layer 2 to identify the VLAN membership of the frame. Tagging allows network environments to have VLANs that span multiple devices. A device that receives the packet reads the tag and recognizes the VLAN to which the frame belongs. Some network devices do not support receiving both tagged and untagged packets on the same network interface, in particular, Force10 switches. In such cases, you need to contact customer support for assistance. The network interface can be a tagged or untagged member of a VLAN. Each network interface is an untagged member of one VLAN only (its native VLAN). This network interface transmits the frames for the native VLAN as untagged frames. A network interface can be a part of more than one VLAN if the other VLANs are tagged. When you configure tagging, be sure to match the configuration of the VLAN on both ends of the link. The port to which the NetScaler connects must be on the same VLAN as the NetScaler network interface.
Chapter 2
Interfaces
53
You can use the configuration utility to define a tagged VLAN that can have any ports bound as tagged members. Configuring this VLAN requires a reboot of the NetScaler, and therefore must be done during initial network configuration. Note: This VLAN configuration is neither synchronized nor propagated, therefore you must perform the configuration on each unit in an HA pair independently. The best practice is to set the VLAN ID for each NSIP to 1.
Applying Rules to Classify Frames

VLANs have two types of rules for classifying frames Ingress rules Egress rules
Ingress rules Ingress rules classify each frame as belonging only to a single VLAN. When a frame is received on a network interface, the following rules are applied to classify the frame: If the frame is untagged, or has a tag value equal to 0, the VID of the frame is set to the port VID (PVID) of the receiving interface, which is classified as belonging to the native VLAN. (PVIDs are defined in the IEEE 802.1q standard.) If the frame has a tag value equal to FFF, the frame is dropped. If the VID of the frame specifies a VLAN of which the receiving network interface is not a member, the frame is dropped. For example, if a packet is sent from a subnet associated with VLAN ID 12 to a subnet associated with VLAN ID 10, the packet is dropped. If an untagged packet with VID 9 is sent from the subnet associated with VLAN ID 10 to a network interface PVID 9, the packet is dropped.
Egress Rules The following egress rules are applied: If the VID of the frame specifies a VLAN of which the transmission network interface is not a member, the frame is discarded. During the learning process (per the IEEE 802.1q standard), the Src MAC and VID are used to update the bridge lookup table of the NetScaler. A frame is discarded if its VID specifies a VLAN that does not have any members. You can the define members that are the network interfaces configured in the VLAN.
54
VLANs and Packet Forwarding on the NetScaler

The forwarding process on the NetScaler is similar to that on any standard switch. However, the NetScaler performs forwarding only when Layer 2 mode is on. The key features of the forwarding process are: Topology restrictions are enforced. Enforcement involves selecting each network interface in the VLAN as a transmission port, based on the state of the network interface, bridging restrictions (do not forward on the receiving network interface), MTU restrictions, and so on. Frames are filtered based on the bridge table lookup in the forwarding database (FDB) table of the NetScaler. The bridge table lookup is based on the destination MAC and the VID. Packets addressed to the MAC address of the NetScaler are processed at the upper layers. All broadcast and multicast frames are forwarded to each network interface that is a member of the VLAN, but forwarding occurs only if L2 mode is enabled. If L2 mode is disabled, the broadcast and multicast packets are dropped. This is also true for MAC addresses that are not currently in the bridging table. A VLAN entry has a list of member network interfaces that are part of its untagged member set. When forwarding frames to these network interfaces, a tag is not inserted in the frame. If the network interface is a tagged member of this VLAN, the tag is inserted in the frame when the frame is forwarded.
When a user sends any broadcast or multicast packets without the VLAN being identified, that is, during Duplicate Address Detection (DAD) for NSIP or ND6 for the next hop of the route, the packet is sent out on all the network interfaces with appropriate tagging based on either the Ingress and Egress rules. ND6 usually identifies a VLAN, and a data packet is sent on this VLAN only. Portbased VLANs are common to IPv4 and IPv6. For IPv6, the NetScaler supports prefix-based VLANs.
Creating a VLAN
You can implement VLANs in the following environments: Single subnet Multiple subnets Single LAN VLANs (no tagging) VLANs (802.1q tagging)
Chapter 2
Interfaces
55
When you create VLANs that have only untagged network interfaces as their members, the total number of possible VLANs is limited to the number of network interfaces available in the NetScaler. If more IP subnets are required with a VLAN configuration, 802.1q tagging must be used. To create a VLAN, use the VLAN ID parameter described in the following table. Basic Parameter for creating a VLAN
Parameter VLAN Identifiers (VIDs)
(id)
Specifies An integer from 1 to 4094 that uniquely identifies the VLAN to which a particular frame belongs. (The NetScaler supports a maximum of 4094 VLANs.) VID 1 is reserved for the default VLAN.
Use either of the following procedures to create a VLAN.

To create a VLAN using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network and click VLANs. On the VLANs page, click Add. In the Create VLAN dialog box, in the VLAN Id text box, type the ID of the VLAN (for example, 2). Click Create and click Close. The VLAN you added appears in the VLANs page.
To create a VLAN using the NetScaler command line

add vlan Value
Example
add vlan 2
Configuring VLANs in an HA Setup

VLAN configuration requires the NetScalers in a high-availability setup to have the same hardware configuration, and the VLANs configured on them must be mirror images. This happens automatically when the configuration is synchronized between NetScalers. The result is identical actions on all the NetScalers. For example, adding network interface 0/1 to VLAN2 adds this network interface to VLAN 2 on all the participating NetScalers in the high-availability setup.
56
Note: If you use network interface-specific commands in an HA setup, the configurations you perform are not propagated to the other NetScaler. You must perform these commands on each NetScaler in an HA pair to ensure that the configuration of the two NetScalers in the HA pair remains synchronized.
Configuring VLANs on a Single Subnet

Before configuring a VLAN on a single subnet, make sure that Layer 2 Mode is enabled. The following figure shows a single subnet environment
VLAN on a Single Subnet In the above figure: 1. 2. The default router for the NetScaler and the servers is Router 1. Layer 2 mode must be enabled on the NetScaler for the NetScaler to have direct access to the servers. For the procedure to enable Layer 2 mode, see Configuring Modes of Packet Forwarding, on page 17. For this subnet, a virtual server can be configured for load balancing on the NetScaler.
3.
To configure a VLAN on a single subnet, follow the procedure described in Creating a VLAN, on page 54. VLAN configuration parameters are not required, because the network interfaces are members of this VLAN.
Chapter 2
Interfaces
57
Configuring VLANs on Multiple Subnets

To configure a single VLAN across multiple subnets, you must add a VIP for the VLAN and configure the routing appropriately. The following figure shows a single VLAN configured across multiple subnets.
Multiple Subnets in a Single VLAN To configure a single VLAN across multiple subnets, perform the following tasks: 1. 2. 3. Disable Layer 2 mode. For the procedure to disable Layer 2 mode, see Configuring Modes of Packet Forwarding, on page 17. Add a VIP. For the procedure to add a VIP, see Virtual IP Address (VIP), on page 3. Configure RNAT ID. For the procedure to configure the RNAT ID, see Reverse Network Address Translation, on page 25.
Note: The NetScaler supports only the procedure described in Adding a Static Route, on page 148, to add multiple IP subnets in single-subnet VLAN configurations.
58
Configuring Multiple Untagged VLANS across Multiple Subnets

In environments with multiple untagged VLANs across multiple subnets, a VLAN is configured for each IP subnet. A network interface is bound to one VLAN only. The following figure shows this configuration.
Multiple Subnets with VLANs - No Tagging To implement the configuration shown in the above figure, perform the following tasks: 1. 2. Add VLAN 2. For the procedure to create a VLAN, see Creating a VLAN, on page 54. Bind the 1/2 network interface of the NetScaler to VLAN 2 as an untagged network interface. For the procedure to bind a network interface to a VLAN, see Binding a Network Interface to a VLAN, on page 60. Bind the IP address and netmask to VLAN 2. For the procedure to bind an IP address to a VLAN, see Binding an IP Address to a VLAN, on page 60.
3.
Chapter 2
Interfaces
59
Configuring Multiple VLANs with 802.1q Tagging

For multiple VLANs with 802.1q tagging, each VLAN is configured with a different IP subnet. Each network interface is in one VLAN. One of the VLANs is set up as tagged. The following figure shows this configuration.
Multiple VLANs with IEEE 802.1q Tagging To implement the configuration shown in the above figure, perform the following tasks: 1. 2. Add VLAN 2. For the procedure to create a VLAN, see Creating a VLAN, on page 54. Bind the 1/2 network interface of the NetScaler to VLAN 2 as an untagged network interface. For the procedure to bind a network interface to a VLAN, see Binding a Network Interface to a VLAN, on page 60. Bind the IP address and netmask to VLAN 2. For the procedure to bind an IP address to a VLAN, see Binding an IP Address to a VLAN, on page 60. Add VLAN 3. For the procedure to create a VLAN, see Creating a VLAN, on page 54. Bind the 1/2 network interface of the NetScaler to VLAN 3 as a tagged network interface. For the procedure to bind a network interface to a VLAN, see Binding a Network Interface to a VLAN, on page 60. For the
3.
4. 5.
60
procedure to bind a tagged network interface, see Modifying a VLAN, on page 61. 6. Bind the IP address and netmask to VLAN 3. For the procedure to bind an IP address to a VLAN, see Binding an IP Address to a VLAN, on page 60.
Binding a Network Interface to a VLAN

When you bind a network interface to a VLAN, the network interface is moved from the default VLAN. If the network interfaces need to be a part of more than one VLAN, you can bind the network interfaces to the VLANs as tagged members.
To bind a network interface to a VLAN using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click VLANs. On the VLANs page, select the VLAN to which you want to bind the network interface (for example, 2), and then click Open. In the Modify VLAN dialog box, under Interfaces, select the Active check box corresponding to the interface that you want to bind to the VLAN (for example, 1/8). Click OK.
4.
To bind an interface to a VLAN using the NetScaler command line

bind vlan Value -ifnum Value
Example
bind vlan 2 -ifnum 1/8
Binding an IP Address to a VLAN

You can configure the NetScaler to forward traffic between VLANs at Layer 3. In this case, a VLAN is associated with a single IP subnet. The hosts in a VLAN that belong to a single subnet use the same subnet mask and one or more default gateways connected to that subnet. Configuring Layer 3 for a VLAN is optional. Layer 3 is used for IP forwarding (inter-VLAN routing). Each VLAN has a unique IP address and subnet mask that define an IP subnet for the VLAN. In an HA configuration, this IP address is shared with the other NetScalers. The NetScaler forwards packets between configured IP subnets (VLANs).
Chapter 2
Interfaces
61
Note: When you configure the NetScaler, you must not create overlapping IP subnets. Doing so impedes Layer 3 functionality. Each VLAN is a unique Layer 2 broadcast domain. Two VLANs, each bound to separate IP subnets, cannot be combined into a single broadcast domain. Forwarding traffic between two VLANs requires a Layer 3 forwarding (routing) device, such as the NetScaler. For a VLAN, a route added to the route table defines the IP subnet for the VLAN. A route is added for the gateway, which is a SNIP. When you bind an IP address to a VLAN, the NetScaler need not use the bound IP address to proxy the traffic to the VLAN, and can select a SNIP or a MIP. Note: For a VIP, you must assign a subnet mask to the VIP address before binding it to a VLAN, or the binding procedure fails. To assign a subnet mask to a VIP, use one of procedures described in Configuring NetScaler-Owned IP Addresses, on page 1. Use either of the following procedures to bind an IP address to a VLAN.
To bind an IP address to a VLAN using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network and click VLANs. On the VLANs page, select the VLAN for which you want to bind the IP address (for example, 2). Click Open. In the Modify VLAN dialog box, under IPs, select the Active check box corresponding to the IP address that you want to bind to the VLAN (for example, 10.102.29.54). Click OK.
5.
To bind an IP address to a VLAN using the NetScaler command line

bind vlan Value -IPAddress IPAddress Subnetmask
Example
bind vlan 2 -IPAddress 10.102.29.54 255.255.255.0
Modifying a VLAN
Use either of the following procedures to modify a VLAN.
62
Citrix NetScaler Networking Guide To modify a VLAN using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network and click VLANs. On the VLANs page, select the VLAN that you want to modify (for example, 2). Click Open. In the Modify VLAN dialog box, Modify one or more settings. (For example, to tag an interface, under Interfaces, select the Tagged check box next to the name of the network interface that you want to tag.) Click OK.
5.
Note: To make a network interface a tagged member of a VLAN using the NetScaler command line, you must first unbind the network interface from the VLAN, then bind it as a tagged member as shown in the following procedure. For more information about unbinding a network interface from a VLAN, see Unbinding a Network Interface from a VLAN, on page 62.
To modify a VLAN using the NetScaler command line

Command vlan Value -ifnum Value [Argument]
Examples
unbind vlan 2 -ifnum 1/8 bind vlan 2 -ifnum 1/8 -tagged
Managing VLANs
To manage VLANs, you can unbind network interfaces or IP addresses from VLANs, or remove VLANs.
Unbinding a Network Interface from a VLAN

Use either of the following procedures to unbind a network interface from a VLAN.
To unbind a network interface from a VLAN using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click VLANs. In the details pane, select the VLAN from which you want to unbind the network interface (for example, 2). Click Open. The Modify VLAN dialog box appears.
Chapter 2
Interfaces
63
4. 5.
Under Interfaces, clear the Active check box corresponding to the interface that you want to unbind from the VLAN (for example, 1/8). Click OK.
To unbind an interface to a VLAN using the NetScaler command line

unbind vlan VID -ifnum Value
Example
unbind vlan 2 -ifnum 1/8
Unbinding an IP Address from a VLAN

Use either of the following procedures to unbind an IP address from a VLAN.
To unbind an IP address from a VLAN using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click VLANs. In the details pane, select the VLAN from which you want to unbind the IP address (for example, 2), and then click Open. In the Modify VLAN dialog box, under IPs, clear the Active check box corresponding to the IP address that you want to unbind from the VLAN (for example, 10.102.29.54). Click OK.
4.
To unbind an IP address to a VLAN using the NetScaler command line

unbind vlan VID -IPAddress Address Mask
Example
unbind vlan 2 -IPAddress 10.102.29.54 255.255.255.0
Removing a VLAN
When you remove a VLAN, the network interfaces are bound to the default VLAN. Use either of the following procedures.
To remove a VLAN using the configuration utility
1. 2.
In the navigation pane, expand Network and click VLANs. On the VLANs page, select the VLAN that you want to remove (for example, 2), and then click Remove.
64
3.
In the Remove dialog box, click Yes.
To remove a VLAN using the NetScaler command line

rm vlan Value
Example
rm vlan 2
Verifying and Monitoring the Configuration

To verify your configuration, you can display properties such as VLAN ID, members, and tagging of the configured VLANs. This information can also be useful for troubleshooting. You can also display VLAN statistics to monitor the health of your configuration.
Displaying VLANs
Use either of the following procedures to display the properties of the VLANs.
To display VLAN properties using the configuration utility
1. 2.
In the navigation pane, expand Network and click VLANs. On the VLANs page, select a VLAN and verify that the settings are configured as intended.
To display VLAN properties using the NetScaler command line

sh vlan
Viewing the Statistics of a VLAN

You can view VLAN statistics such as packets received, bytes received, packets sent, and bytes sent, and use the information to identify anomalies and or debug a VLAN. Use either of the following procedures.
To view the statistics of a VLAN using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click VLANs. On the VLANs page, select the VLAN whose statistics you want to view (for example, 2). Click Statistics.
Chapter 2
Interfaces
65
To view the statistics of a VLAN using the NetScaler command line

stat vlan Value
Example
stat vlan 2
Configuring Bridge Groups

The bridge groups feature is used to combine two or more VLANs that have been configured on a NetScaler. Typically, when you want to merge two or more VLANs into a single domain, you change the VLAN configuration on all the devices in the separate domains. This can be a tedious task. To more easily merge multiple VLANs into a single broadcast domain, you can use bridge groups. The bridge groups feature works the same way as a VLAN. Multiple VLANS can be bound to a single bridge group, and all VLANs bound to same bridge group form a single broadcast domain. You can bind only Layer 2 VLANs to a bridge group. For Layer 3 functionality, you must assign an IP address to a bridge group. In Layer 2 mode, a broadcast packet received on an interface belonging to a particular VLAN is bridged to other VLANs that belong to the same bridge group. In the case of a unicast packet, the NetScaler searches its bridge table for the learned MAC addresses of all the VLANs belonging to same bridge group. In Layer 3 forwarding mode, an IP subnet is bound to a bridge group. The NetScaler accepts incoming packets belonging to the bound subnet and forwards the packets only on VLANs that are bound to the bridge group. IPv6 routing can be enabled on a configured bridge group.
Adding a Bridge Group and Binding VLANs and IP Subnets

To add a bridge group, use the parameters in the following table.
Parameter Bridge Group Id Specifies A unique number that identifies a bridge group. Possible values: 1 to 1000. The ID of a VLAN to be bound to the bridge group.
VLANS
66
Citrix NetScaler Networking Guide To add a bridge group and bind VLANs by using the configuration utility
1. 2. 3. 4. 5. 6.
In the navigation pane, expand Network, and then click Bridge Groups. In the details pane, click Add. In the Create Bridge Groups dialog box, in Bridge Group Id text box, type a number between 1 and 1000 (for example, 100). Under VLANs, select the desired VLANs (for example, 2 and 71) that you want to bind to the bridge group. Under IPs, select the select the desired subnets that you want to bind to the bridge group. Click Create.
To add a bridge group and bind VLANs by using the NetScaler command line

add bridgegroup id bind bridgegroup id -vlan vlanId -ipaddress IPaddress Netmask
Example
add bridgegroup 100 bind bridgegroup 100 -vlan 2 71 -ipaddress 10.102.29.4 255.255.0.0
Verifying the Bridge Group Configuration

To verify the bridge group configuration, you should display and examine the bridge group and the VLANs and IP subnets bound to the bridge group.
To verify bridge groups by using the configuration utility
1. 2.
In the navigation pane, expand Network, and then click Bridge Groups. Examine the settings.
To verify bridge groups by using the NetScaler command line

sh bridgegroup
Unbinding VLANs and IP Subnets from a Bridge Group

This section describes how to unbind VLANs and IP subnets from a bridge group.
Chapter 2
Interfaces
67
To unbind VLANs from a bridge group by using the configuration utility
1. 2. 3.
In the navigation pane, expand Network, and then click Bridge Groups. In the details pane, select a bridge group ID (for example, 100), and click Open. In the Modify Bridge Group dialog box, under VLANs, clear the active check boxes for the VLANs (for example, 2) that you want to unbind from the bridge group. Under IPs, clear the active check boxes for the subnets that you want to unbind from the bridge group. Click OK.
4. 5.
To unbind vlans from a bridge group by using the NetScaler command line

unbind bridgegroup id -vlan vlanId
Example
unbind bridgegroup 100 -vlan 2 -ipaddress 10.102.29.4 255.255.255.0
Removing a Bridge Group

This section describes how to remove a bridge group.
To remove a bridge group by using the configuration utility
1. 2. 3.
In the navigation pane, expand Network, and then click Bridge Groups. In the details pane, select a bridge group ID (for example, 100) that you want to remove. Click Remove.
To remove a bridge group by using the NetScaler command line

rm bridgegroup id
Example
rm bridgegroup 100
68
Configuring Link Aggregation

Link aggregation combines data coming from multiple ports into a single highspeed link. Configuring link aggregation increases the capacity and availability of the communication channel between the NetScaler and other connected devices. An aggregated link is also referred to as a channel. You can configure the channels manually, or you can use Link Aggregate Control Protocol (LACP). You cannot apply LACP to a manually configured channel, nor can you manually configure a channel created by LACP.
Configuring Link Aggregation Manually

When you create a link aggregate channel, its state is DOWN until you bind it to an active interface. You can modify a channel at any time. You can remove channels, or you can enable/disable them.
Creating Link Aggregate Channels

To create a link aggregate channel, use the parameter described in the following table. Basic Parameter for Creating a Channel
Parameter Channel ID
(id)
Specifies LA channel name, in form LA/* (* An ID number for this channel)
Use either of the following procedures to create a link aggregate channel.

To create a link aggregate channel using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click Channels. On the Channels page, click Add. In the Add Channel dialog box, in the Channel ID drop-down list, select the link aggregate ID that you want to add (for example, LA/1).
Note: Adding a channel without binding it to a network interface can cause a failover. To avoid this possibility, include the next step in this procedure. For more information about binding a link aggregate channel to an interface, see Binding a Network Interface to a Link Aggregate Channel, on page 69. 4. On the Bind/Unbind tab, select an interface to be bound (for example, 1/8).
Chapter 2
Interfaces
69
5.
Click Create and click Close. The link aggregate channel you added appears in the Channel page.
To create a link aggregate channel using the NetScaler command line

add channel Value -ifnum Value
Example
add channel LA/1 -ifnum 1/8
Binding a Network Interface to a Link Aggregate Channel

When a network interface is bound to a channel, the channel parameters have precedence over the network interface parameters. (That is, the network interface parameters are ignored.) A network interface can be bound only to one channel. When a network interface is bound to a channel, it drops its VLAN configuration. When network interfaces are bound to a channel, either manually or by LACP, they are removed from the VLANs that they originally belonged to and added to the default VLAN. However, you can bind the channel back to the old VLAN, or to a new one. For example, if you bind the network interfaces 1/2 and 1/3 to a VLAN with ID 2, and then bind them to a channel LA/1, the network interfaces are moved to the default VLAN, but you can bind them back to VLAN 2. Use either of the following procedures to bind a network interface to a link aggregate channel.
To bind a link aggregate channel using the configuration utility
1. 2. 3. 4. 5.
In the navigation pane, expand Network and click Channels. In the details pane, select the channel that you want to bind to a network interface (for example, LA/1). Click Open. In the Modify Channel dialog box, in the Available Interface list box, select the network interface (for example, 1/8). Click Add. The network interface you selected appears in the Configured list.
6.
Click OK.
To bind a link aggregate channel using the NetScaler command line
70
bind channel ChannelValue InterfaceValue
Example
bind channel LA/1 1/8
Modifying Link Aggregate Channels

To modify a link aggregate channel, use the parameters described in the following table. Parameters for modifying an LA Channel
Parameter State
(state)
Specifies Initial state for the channel. Possible values: ENABLED and DISABLED. Default: ENABLED. Initial mode for the channel. Possible values: MANUAL, AUTO, and DESIRED. Connection distribution mode for the channel. Possible values: DISABLED and ENABLED. MAC distribution mode for the channel. Possible values: SOURCE, DESTINATION, and BOTH. Speed for the channel. Possible values: AUTO, 10, 100, and 1000. Flow control for the channel. Possible values: OFF, RX, TX, and RXTX. HA-monitoring control for the channel. Possible values: ON and OFF. Make this port a trunk port. Possible values: ON and OFF. Default: OFF. When ON, port membership in all VLANs is tagged. If 802.1q behavior with native VLAN is required, use the OFF setting. Alias name for the channel. Minimum required throughput for the network interface.
Mode
(Mode)
Connection Distribution
(connDistr)
MAC Distribution
(macDistr)
Speed
(speed)
Flow Control
(flowControl)
HA Monitor
(haMonitor)
Trunk
(trunk)
Alias
(ifAlias)
Throughput
(throughput)
Use either of the following procedures to modify a link aggregate channel.

To modify a link aggregate channel using the configuration utility
1.
In the navigation pane, expand Network and click Channels.
Chapter 2
Interfaces
71
2. 3.
In the details pane, select the channel that you want to modify (for example, LA/1), and then click Open. In the Modify Channel dialog box, select or enter a new value. (For example, click the Settings tab and, in the Speed drop-down list box, select a speed, such as 100.) Click OK.
4.
To modify a link aggregate channel using the NetScaler command line

set channel Value -speed Value
Example
set channel LA/1 -speed 100
Unbinding a Network Interface from a Link Aggregate Channel

Use either of the following procedures to unbind a Link Aggregate Channel.
To unbind a link aggregate channel using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click Channels. In the details pane, select the channel from which you want to unbind a network interface (for example, LA/1), and then click Open. In the Modify Channel dialog box, in the Configured list box, select the network interface (for example, 1/8), and then click Remove. The channel that you selected appears in the Available Interface list.
4.
Click OK.
To unbind a link aggregate channel using the NetScaler command line

unbind channel Value Value
Example
unbind channel LA/1 1/8
72
Removing Link Aggregate Channels

When a channel is removed, the network interfaces bound to it induce network loops that decrease network performance. You must disable the network interfaces before you remove the channel. For information on disabling a network interface, see Enabling and Disabling Network Interfaces, on page 49. The following example describes the procedure to remove the channel, LA/1.
To remove a link aggregate channel using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click Channels. In the details pane, select the channel that you want to remove (for example, LA/1), and click Remove. In the Remove dialog box, click Yes.
To remove a link aggregate channel using the NetScaler command line

rm channel Value
Example
rm channel LA/1
Configuring the Link Aggregate Channel Protocol

The Link Aggregation Control Protocol (LACP) enables network devices to exchange link aggregation information, by exchanging LACP Data Units (LACPDUs). To configure the link aggregate channel protocol, use the parameter described in the following table. This parameter sets the priority of the NetScaler globally.
Parameter System priority

(sysPriority)
Specifies The LACP system priority. Possible values: 1 to 65535. Default: 32768.
Also, you can configure the following LACP parameters when you configure the network interface: LACP mode LACP time-out Port key
Chapter 2
Interfaces
73
Port priority
For more information about these parameters, see Configuring Network Interfaces, on page 46. Note: LACP configurations are neither propagated nor synchronized. By default, LACP is disabled on all network interfaces. You cannot use LACP to modify channels that you created manually. Therefore, you cannot enable LACP on network interfaces that are members of a channel that you created manually. If LACP creates a channel dynamically, you cannot create, bind, unbind, or remove operations on that channel. However, you can configure parameters such as distribution mode. LACP dynamically creates a channel, which is deleted when LACP is disabled on all its member network interfaces. To enable LACP on a network interface, you can use the procedure to modify the network interface, which is described in Managing Network Interfaces, on page 48. When you enable LACP on a network interface, the NetScaler creates channels dynamically. The NetScaler currently supports two channels, LA/1 and LA/2, based on the LACP Key values. Therefore, if you enable LACP on a network interface and set the LACP Key to 1, the network interface is automatically bound to the channel LA/1. Note: While enabling LACP on a network interface, you must simultaneously specify the LACP Key. The following example describes the procedure to configure the link aggregate channel protocol with a system priority of 12.
To configure a link aggregate channel protocol using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network and click Interfaces. On the Interfaces page, click Set LACP. In the Configure LACP dialog box, in the System Priority text box, type the priority you want to configure (for example, 12). Click OK.
To configure a link aggregate channel protocol using the NetScaler command line

set lacp -syspriority Value
74
Citrix NetScaler Networking Guide Example

set lacp -syspriority 12

To verify or troubleshoot your Link Aggregate Channel configuration, you can display channel properties and LACP properties.
Displaying Link Aggregate Channels

You can display properties such as channel ID, description, uptime, and VRID of the configured channels. Use either of the following procedures.
To display the link aggregate channels using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click Channels. On the Channels page, verify that your configured channels appear. Select a channel (for example, LA/1) and verify that the parameters displayed are configured as intended.
To view link aggregate channels using the NetScaler command line

show channels
Displaying LACP Properties

You can display properties such as system priority and system MAC of the configured channels and use the information for troubleshooting. Use either of the following procedures.
To view LACP properties using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click Interfaces. On the Interfaces page, click View LACP Details. In the View LACP Details dialog box, click Close.
To view LACP properties using the NetScaler command line

show lacp
Chapter 2
Interfaces
75
Configuring VMACs
The primary and secondary nodes in a high availability (HA) setup share the floating entity, Virtual MAC address (VMAC). The primary node owns the floating IP addresses (such as MIP, SNIP, and VIP) and responds to ARP requests for these IP addresses with its own MAC address. Therefore, the ARP table of an external device, such as an upstream router, is updated with the floating IP address and the MAC address of the primary node. When a failover occurs, the secondary node takes over as the new primary node. The former secondary node uses Gratuitous ARP (GARP) to advertise the floating IP addresses that had learned from the old primary node. The MAC address that the new primary node advertises is the MAC address of its own network interface. Some devices (a few routers) do not accept these GARP messages. Therefore, these external devices retain the IP address-to-MAC address mapping that the old primary node had advertised. This can result in a GSLB site going down. Therefore, you must configure a VMAC on both nodes of an HA pair. This means that both nodes have identical MAC addresses. When a failover occurs, the MAC address of the secondary node remains unchanged, and the ARP tables on the external devices do not need to be updated. For the procedures to configure a VMAC, see Chapter 6, High Availability.
Configuring the Bridge Table

The NetScaler bridges frames based on bridge table lookup of the destination MAC address and the VLAN ID. However, the NetScaler performs forwarding only when Layer 2 mode is enabled. For more information about enabling Layer 2 mode, see Configuring Modes of Packet Forwarding, on page 17. The bridge table is dynamically generated, but you can display it, modify the parameter shown in the following table, and view bridging statistics. Parameter for Modifying the Bridge Table
Parameter Bridge Age
(bridgeAge)
Specifies The bridge ageing time in seconds. Default: 300. Minimum value: 60. Maximum value: 300.
To display the bridge table, use either of the following procedures.

To display the bridge table using the configuration utility
1.
In the navigation pane, expand Network and click Bridge Table.
76
2.
On the Bridge Table page, optionally select an entry to display its properties at the bottom of the screen.
To view the bridge table using the NetScaler command line

show bridgetable
To change the ageing time for all bridge table entries, use either of the following procedures.
To modify the bridge table using the configuration utility
1. 2. 3.
On the Bridge Table page, click Change Ageing Time. In the Change Ageing Time dialog box, in the Ageing Time (seconds) text box, type the ageing time (for example, 70). Click OK. All the MAC entries in the bridge table are updated with the ageing time. The following figure shows an example.
Bridge Table Page

To modify the bridge table using the NetScaler command line

set bridgetable -bridgeAge Value
Example
set bridgetable -bridgeAge 70
Use either of the following procedures to view the bridging statistics.
Chapter 2
Interfaces
77
To view the statistics of a bridge table using the configuration utility
1. 2.
On the Bridge Table page, select the MAC address for which you want to view the statistics (for example, 00:12:01:0a:5f:46). Click Statistics.
To view the statistics of a bridge table using the NetScaler command line

stat bridge
Enabling or Disabling Path MTU Behavior

Depending on the installation type and configuration, the NetScaler can have some limitations in how it handles Path Maximum Transmission Unit Discovery (MTU). Therefore, you may have to change your configuration. For more information about direct server return configurations, see the Citrix NetScaler Administration Guide, Chapter 5, Advanced Configurations.
To enable or disable Path MTU discovery using the configuration utility
1. 2. 3.
In the navigation pane, expand System and click Settings. In the details pane, under the Modes and Features group, click Change modes. In the Configure Modes dialog box, do one of the following: To enable Path MTU Discovery, select the Path MTU Discovery check box. To disable Path MTU Discovery, clear the Path MTU Discovery check box.
4. 5.
Click OK. At the Enable/Disable Feature(s)? message, click Yes.
To enable or disable Path MTU discovery using the NetScaler command line
At the NetScaler command prompt, type one of the following:

enable ns mode pmtud disable ns mode pmtud
78
Configuring NetScaler Appliances in Active-Active Mode using VRRP

An active-active deployment, in addition to preventing downtime, makes efficient use of all the NetScaler appliances in the deployment. In active-active deployment mode, the same VIPs are configured on all NetScaler appliances in the configuration, but with different priorities, so that a given VIP can be active on only one appliance at a time. Note: The Active-Active feature is supported in NetScaler 9.2 nCore only. The active VIP is called the master VIP, and the corresponding VIPs on the other NetScaler appliances are called the backup VIPs. If a master VIP fails, the backup VIP with the highest priority takes over and becomes the master VIP. All the NetScaler appliances in an active-active deployment use the Virtual Router Redundancy Protocol (VRRP) protocol to advertise their VIPs and the corresponding priorities at regular intervals. NetScaler appliances in active-active mode can be configured so that no NetScaler is idle. In this configuration, different sets of VIPs are active on each NetScaler. For example, in the following diagram, VIP1, VIP2, VIP3, and VIP4 are configured on appliances NS1, NS2, and NS3. Because of their priorities, VIP1 and VIP 2 are active on NS1, VIP3 is active on NS2 and VIP 4 is active on NS3. If, for example, NS1 fails, VIP1 on NS3 and VIP2 on NS2 become active.
Chapter 2
Interfaces
79
An Active-Active Configuration
The NetScaler appliances in the above diagram process traffic as follows: 1. 2. 3. Client C1 sends a request to VIP1. The request reaches R1. R1 does not have an APR entry for VIP1, so it broadcasts an ARP request for VIP1. VIP1 is active in NS1, so NS1 replies with a source MAC address as the VMAC (for example VMAC1) associated with VIP1, and VIP1 as the source IP address. SW1 learns the port for VIP1 from the ARP reply and updates its bridge table. R1 updates the ARP entry with VMAC1 and VIP1. R1 forwards the packet to the VIP1 on NS1. NS1's load balancing algorithm selects server S2, and NS1 opens a connection between one of its SNIP or MIP addresses and S2.
4. 5. 6. 7.
80
8. 9.
S2 replies to the SNIP or MIP on the NetScaler. NS1 sends S2's reply to the client. In the reply, NS1 inserts MAC address of the physical interface as the source MAC address and VIP1 as the source IP address. Should NS1 fail, the NetScaler appliances use the VRRP protocol to select the VIP1 with the highest priority. In this case, VIP1 on NS3 becomes active, and the following two steps update the active-active configuration. NS3 broadcasts a GARP message for VIP1. In the message, VMAC1 is the source MAC address and VIP1 is the source IP address. SW1 learns the new port for VMAC1 from the GARP broadcast and updates its bridge table to send subsequent client requests for VIP1 to NS3. R1 updates its ARP table.
10.
11. 12.
The priority of a VIP can be modified by health tracking. If you enable health tracking, you should make sure that preemption is also enabled, so that a VIP whose priority is lowered can be preempted by another VIP. In some situations, traffic might reach a backup VIP. To avoid dropping such traffic, you can enable sharing, on a per-node basis, as you create an active-active configuration. Or you can enable the global send to master option. On a node on which sharing is enabled, it takes precedence over send to master.
Health Tracking
Base priority (BP-range 1-255) ordinarily determines which VIP is the master VIP, but effective priority (EP) can also affect the determination. For example, if a VIP on NS1 has a priority of 101 and same VIP on NS2 has a priority of 99, the VIP on NS1 is active. However, if two vservers are using the VIP on NS1 and one of them goes DOWN, health tracking can reduce the EP of VIP on NS1. VRRP then makes the VIP on NS2 the active VIP. Following are the health tracking options for modifying EP: NONE. No tracking. EP = BP ALL. If all vservers are UP then EP = BP. Otherwise, EP = 0. ONE. If at least one vserver is UP then EP = BP. Otherwise, EP = 0. PROGRESSIVE. If ALL vservers are UP then EP = BP. If ALL vservers are DOWN then EP = 0. Otherwise EP = BP (1 - K/N), where N is the total number of vservers associated with the VIP and k is the number of vservers that are down.
Chapter 2
Interfaces
81
Note: If you specify a value other than NONE, preemption should be enabled, so that the backup VIP with the highest priority becomes active if the priority of the master VIP is downgraded.
Preemption
Preemption of an active VIP by another VIP that attains a higher priority is enabled by default, and normally should be enabled. In some cases, however, you may want to disable it. Preemption is a per-node setting for each VIP. Preemption can occur in the following situations: An active VIP goes down and a VIP with a lower priority takes its place. If the VIP with the higher priority comes back online, it preempts the currently active VIP. Health tracking causes the priority of a backup VIP to become higher than that of the active VIP. The backup VIP then preempts the active VIP.
Sharing
In the event that traffic reaches a backup VIP, the traffic is dropped unless the sharing option is enabled on the backup VIP. This behavior is a per node setting for each VIP and is disabled by default. In the An Active-Active Configuration diagram, VIP1 on NS1 is active and VIP1 VIPs on NS2 and NS3 are backups. Under certain circumstances, traffic may reach VIP1 on NS2. If Sharing is enabled on NS2, this traffic is processed instead of dropped.
Configuring Active-Active Mode

On each NetScaler appliance that you want to deploy in active-active mode, you must add a VMAC and bind the VMAC to a VIP. The VMAC for a given VIP must be same on each appliance. For example, if VIP 10.102.29.5, is created on the appliances, a virtual router ID must be created on each NetScaler and bound to VIP 10.102.29.5 on each NetScaler. When you bind a VMAC to a VIP, the NetScaler sends VRRP advertisements to each VLAN that is bound to that VIP. The VMAC can be shared by different VIPs configured on the same NetScaler.
82
Adding a VMAC
To add a VMAC for an active-active configuration, you create a virtual router ID.
Parameter Virtual Router ID
(vrID)
Specifies The VRID that identifies the VMAC. Possible values: 1 to 255. The base priority of the VMAC. Range: 1 255. Default: 255. The health tracking options for this VMAC. Possible values: NONE, ONE, ALL, PROGRESSIVE Default value: NONE.
Priority
(Priority)
Tracking
(tracking)
Preemption
(preemption)
Make a backup VIP the master if its priority becomes higher than that of a master VIP that is bound to this VMAC. Possible values: ENABLED, DISABLED. Default: ENABLED. Enable or disable sharing for this VMAC. Default: Disabled.
Sharing
(sharing)
To add a VMAC by using the configuration utility
1. 2. 3. 4. 5. 6. 7. 8.
In the navigation pane, expand Network and click VMAC. On the VMAC page, click Add. In the Add VMAC dialog box, in Virtual Router ID text box, type a number (for example, 125). In the Priority text box, enter a priority number (for example, 100) that will associated with VIPs bound this VMAC. In the Tracking drop down box, select a health tracking option (for example, ONE). Unselect or select Preemption to disable or enable preemption on VIPs that are bound to this VMAC. Select or unselect Sharing to enable or disable sharing on VIPs that are bound to this VMAC. Click Create.
Chapter 2 To add a VMAC by using the NetScaler command line
Interfaces
83

add vrID id -priority value -preemption (ENABLED|DISABLED) -sharing (ENABLED | DISABLED) -tracking (NONE|ONE|ALL|PROGRESSIVE)
Example
add vrID 125 -priority 100 -sharing ENABLED -tracking ONE
Binding a VMAC to a VIP

To bind a VMAC to a VIP, you associate the VMAC's virtual router ID with the VIP.
To bind a VMAC to a VIP by using the NetScaler command line
1. 2. 3. 4.
In the navigation pane, expand Network, and then click IPs. In the details pane, on the IPv4s tab, select the VIP address (for example, 10.102.29.5) that you want to bind to a VMAC, and then click Open. In the Configure IP dialog box, in the Virtual Router Id drop down box, select a virtual router ID (for example, 125). Click OK.
To add a VMAC by using the NetScaler command line

set ns ip VIP address -vrid value
Example
set ns ip 10.102.29.5 -vrid 125
Configuring Send to Master

Usually, the traffic destined to a VIP reaches the NetScaler on which the VIP is active, because an ARP request with the VIP and a VMAC on that NetScaler has reached the upstream router. But in some cases, such as static routes configured on the upstream router for the VIP subnet, or a topology that blocks this route, the traffic can reach a NetScaler on which the VIP is in backup state. If you want this NetScaler to forward the data packets to the NetScaler on which the VIP is active, you need to enable the send to master option. This behavior is a per node setting and is disabled by default.
84
For example, in the following diagram, VIP1 is configured on NS1, NS2, and NS3 and is active on NS1. Under certain circumstances, traffic for VIP1 (active on NS1) may reach VIP1 on NS3. When the send to master option is enabled on NS3, NS3 forwards the traffic to NS1 through NS2 by using route entries for NS1. An Active-Active Configuration with Send to Master Option Enabled
The following table describes the parameters you need to enable send to master option.
Parameter Send to Master
(sendToMaster)
Specifies Forward the packet to the master node if the VIP bound to the VMAC is in backup state and sharing is disabled. Possible values: ENABLED, DISABLED. Default: DISABLED.
Chapter 2 To enable send to master by using the configuration utility
Interfaces
85
1. 2. 3. 4.
In the navigation pane, expand Network. In the details pane, under Settings, click Virtual Router Parameters. In the Virtual Router Parameters dialog box, select Send to Master option. Click OK.
To enable send to master by using the NetScaler command line

set vrIDParam -sendToMaster (ENABLED|DISABLED)
Example
set vrIDParam -sendToMaster ENABLED
A Deployment Scenario
Following is one of the possible active-active deployment scenario:
86
In the following diagram, VIP1, VIP 2 and VIP3 are configured on all three appliances, NS1, NS2, and NS3. Base Priorities for each VIPs are as shown in the diagram. Health tracking is disabled for each VIP. The priorities of VIPs are set so that VIP1, VIP2, and VIP3 are active on NS3. If NS3 fails, VIP1, VIP2, and VIP3 become active on NS1. An Active-Active Deployment Scenario
Network Visualizer
The Network Visualizer is a tool that you can use to view the network configuration of a NetScaler node, including the network configuration of the nodes in a high availability (HA) deployment. You can also modify the configuration of VLANs, interfaces, channels, and bridge groups, and perform HA configuration tasks. In an HA deployment, you can both view and configure network entities on the node to which you are logged on, but you can view the details of only the network entities that are configured on the peer node. However, you can perform certain tasks, such as viewing details and statistics of the peer node and forcing a failover.
Chapter 2
Interfaces
87
When you are logged on to a standalone appliance, you can use Network Visualizer to do the following: View a consolidated graphical summary of key network components, such as VLANs, interfaces, channels, and bridge groups. You can also view the individual details of various network components. Modify appliance settings. Add, modify, and enable and disable interfaces and channels that are configured on the appliance. Add and modify VLANs and bridge groups. Configure an HA deployment (add a node). View node details, node statistics, and statistics for VLANs and interfaces. Copy the properties of a network entity to a document or spreadsheet.
When you are logged on to an appliance in an HA deployment, you can perform the above tasks only on the appliance to which you are logged on. Following are additional tasks that you can perform in the Network Visualizer when you are logged on to one of the appliances in an HA pair: View the configuration details and high availability details of both nodes in an HA pair. Perform HA configuration tasks, such as synchronization and force failover. Remove the peer node from the HA configuration. View statistics for the peer node. Copy the properties of the peer node to a document or spreadsheet.
To open the Network Visualizer
1. 2.
In the navigation pane, click Network. In Monitor Connections, click Network Visualizer.
To locate a VLAN or bridge group in the Visualizer
Open the Network Visualizer, and then do the following: To locate a VLAN or bridge group, in the Search text field, begin typing the ID of the VLAN or the bridge group that you want to locate.
88
Alternatively, begin typing the IP address of a bound subnet or the ID of a bound interface. The VLANs or bridge groups whose names match the typed characters are highlighted. To highlight multiple entities simultaneously, separate the IDs and IP addresses with white spaces. Entities whose IDs or IP addresses match any of the typed IDs and IP addresses are highlighted. To clear the Search field, click the x adjacent to the field.
To view the configuration details of an entity by using the Visualizer
Open the Network Visualizer and do one of the following: To view a brief summary of the entity, place the pointer on the entity. A brief summary of the entity appears at the bottom of the viewable area. To view the detailed configuration information of the entity, click the entity. The configuration details for that entity appear in the Details area.
To modify the network settings of the appliance by using the Visualizer
1. 2.
Open the Network Visualizer and click the icon representing the appliance to which you are logged on. In Related Tasks, click Open.
To add a channel by using the Visualizer
1. 2.
Open the Network Visualizer and click a network interface. In Related Tasks, click Add Channel.
To add a VLAN by using the Visualizer
Open the Network Visualizer, click the appliance to which you are logged on, and then do one of the following: Click an existing VLAN, and then, in Related Tasks, click Add. Click an existing bridge group, and then, in Related Tasks, click Add VLAN.
To add a bridge group by using the Visualizer
Open the Network Visualizer, click the appliance to which you are logged on, and then do one of the following: Click an existing bridge group, and then, in Related Tasks, click Add.
Chapter 2
Interfaces
89
Click an existing VLAN, and then, in Related Tasks, click Add Bridge Group.
To modify the settings of an interface or channel by using the Visualizer
1. 2.
Open the Network Visualizer and click the interface whose settings you want to modify. In Related Tasks, click Open.
To enable or disable an interface or channel by using the Visualizer
1. 2.
Open the Network Visualizer and click the interface or channel that you want to enable or disable. In Related Tasks, do one of the following. To enable the interface or channel, click Enable. To disable the interface or channel, click Disable.
To remove a configured channel, VLAN, or bridge group by using the Visualizer
1. 2.
Open the Network Visualizer and click the channel, VLAN, or bridge group that you want to remove from the configuration. In Related Tasks, click Remove.
To view statistics for a node, channel, interface, or VLAN by using the Visualizer
1. 2.
Open the Network Visualizer and click the node, interface, or VLAN whose statistics you want to view. In Related Tasks, click Statistics.
To set up an HA deployment by using the Visualizer
1. 2.
Open the Network Visualizer and click the appliance. In Related Tasks, click HA Setup.
To view the high availability details of a node by using the Visualizer
1. 2.
Open the Network Visualizer and click the node whose high availability details you want to view. In Related Tasks, click Details.
90
Citrix NetScaler Networking Guide To force the secondary node to take over as the primary by using the Visualizer
1. 2.
Open the Network Visualizer and click one of the nodes. In Related Tasks, click Force Failover.
To synchronize the secondary node's configuration with the primary node by using the Visualizer
1. 2.
Open the Network Visualizer and click one of the nodes. In Related Tasks, click Force Synchronization.
To remove the peer node from the HA configuration
1. 2.
Open the Network Visualizer and click the peer node. In Related Tasks, click Remove.
To copy the properties of a node or network entity by using the Visualizer
1. 2.
Open the Network Visualizer and click the appliance or network entity whose properties you want to copy to a document or spreadsheet. In Related Tasks, click Copy Properties.
C HAPTER 3
Access Control Lists (ACLs) are a means of filtering IP traffic and securing your network from unauthorized access. An ACL consists of a set of conditions or criteria that the NetScaler uses to allow or deny access. Consider a small organization that consists of 3 departments, Finance, HR, and Documentation, where no department wants another to access its data. The administrator of the organization can configure ACLs on the NetScaler to allow or deny access. When the NetScaler receives a data packet, it compares the information in the data packet with the conditions specified in the ACL and allows or denies access. The NetScaler supports simple ACLs, extended ACLs, and ACL6s. In This Chapter ACL Precedence Configuring Simple ACLs Configuring Extended ACLs Configuring ACL6s
92
ACL Precedence
A packet that matches the conditions specified in a simple ACL is dropped. If no simple ACL matches the packet, the NetScaler compares the packets characteristics to those specified in any configured extended ACLs. If the packet matches an extended ACL, the NetScaler applies the action specified in the extended ACL, as shown in the following diagram.
Simple and Extended ACLs Flow Sequence
Configuring Simple ACLs

Simple ACLs filter packets based only on their source IP address and, optionally, their destination port and/or their protocol. Any packet that has the characteristics specified in the ACL is dropped. A simple ACL, which uses few parameters, cannot be modified once created. When creating a simple ACL, you can specify a time to live (TTL), which expires the ACL after the specified number of seconds. ACLs with TTLs are not saved when you save the configuration. You can also remove a simple ACL manually. You can display simple ACLs to verify their configuration, and you can display statistics to monitor their performance.
Chapter 3
93
Creating Simple ACLs

To create a simple ACL, use the parameters described in the following table. All the parameters except Name and TTL specify packet characteristics for matching packets to the ACL. Basic Parameters for configuring a SimpleACL
Parameter Name Action Protocol (protocol) Source IP Address (subnet or host)
(srcIP)
Specifies Alphanumeric name of the ACL. Maximum length: 127 characters. What to do with matching packets. Possible value: DENY. Protocol in which packets arrive. Possible values: TCP and UDP. Default: either. IP address of the source machine. You can also specify a range of addresses. A destination port on the NetScaler. If you do not specify a port, you create an all-ports ACL, which matches any port. In that case, you cannot create another ACL specifying a specific port and the same source IP address. The time in which to expire this ACL, in seconds. Possible values: 1 to 0x7FFFFFFF. Default: ACL does not expire.
Destination Port
TTL
(TTL)
Use either of the following procedures to create a simple ACL.

To create a simple ACL using the configuration utility
1. 2. 3. 4. 5. 6. 7.
In the navigation pane, expand Network and click ACLs. In the details pane, on the Simple ACLs tab, click Add. In the Add Simple ACL dialog box, in the Name text box, type a name for the ACL (for example, rule1). Optionally, from the Protocol drop-down list, select a protocol. In the Source IP Address text box, type the IP address on which to filter (for example, 10.102.29.10). In the Destination Port text box, type the destination port on which to filter, or leave the text box blank to create an all-ports ACL. Optionally, in the TTL text box, type the number of seconds in which the ACL is to expire.
94
8.
Click Create and click Close. The ACL you created appears on the ACLs page.
To create a simple ACL using the NetScaler command line

add simpleacl deny -srcip SourceIPAddress [-TTL Value]
Examples
add simpleacl rule1 deny -srcip 10.102.29.10 add simpleacl block_20 deny -srcip 10.102.29.11 -TTL 10
Removing Simple ACLs

This section describes how to remove a single simple ACL and all simple ACLs.
To remove a single simple ACL using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network and click ACLs. In the details pane, on the Simple ACLs tab, select the simple ACL that you want to remove (for example, rule1). Click Remove. In the Remove dialog box, click Yes.
To remove a single simple ACL using the NetScaler command line

remove simpleacl ACLname
Example
remove simpleacl rule1
To remove all simple ACLs using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click ACLs. In the details pane, on the Simple ACLs tab, click Clear. In the Clear Simple ACL (s) dialog box, click Yes.
To remove all simple ACLs using the NetScaler command line

clear simpleacl
Chapter 3
95
Verifying or Troubleshooting the Configuration

You can display the configured ACLs for verification or troubleshooting. Use either of the following procedures.
To display simple ACLs using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click ACLs. On the ACLs page, click the Simple ACLs tab. Optionally, select an ACL (for example, rule1) to display its properties at the bottom of the screen.
To view a simple ACL using the NetScaler command line

show simpleacl [ACLname]
Examples
show simpleacl show simpleacl rule1
Monitoring Simple ACLs

The following table describes statistics you can display for simple ACLs. Simple ACL Statistics
Statistic Deny SimpleACL hits SimpleACL hits SimpleACL misses SimpleACL count Specifies Packets dropped because they match deny simple ACL. Packets matching a simple ACL. Packets not matching any simple ACL. Number of simple ACLs configured.
Use either of the following procedures to display the statistics.

To display simple-ACL statistics using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click ACLs. In the details pane, select the ACL whose statistics you want to view (for example, rule1). Click Statistics.
96
Citrix NetScaler Networking Guide To view simple-ACL statistics using the NetScaler command line

stat simpleacl [ACLname]
Example
stat simpleacl rule1 stat simpleacl
Configuring Extended ACLs

Extended ACLs filter data packets based on various parameters, such as source IP address, source port, action, and protocol. An extended ACL defines the conditions that a packet must satisfy for the NetScaler to process the packet, bridge the packet, or drop the packet. These actions are known as processing modes. The processing modes are: ALLOW The NetScaler processes the packet. BRIDGE The NetScaler bridges the packet to the destination without processing it. DENY The NetScaler drops the packet.
The NetScaler processes an IP packet directly when both of the following conditions exist: ACLs are configured on the NetScaler. The IP packet does not match any of the ACLs.
The NetScaler does not apply ACLs for self originated packets. For example, you create an ACL that denies the packets from destination IP address 10.102.29.234. When the NetScaler sends a ping request to 10.102.29.234, it is not evaluated by the blockping ACL, because the traffic originated from the NetScaler. Many users begin by creating basic extended ACLs and then modifying them. To activate a new ACL, you must apply it. To deactivate an ACL, you can either remove or disable it. You can change the priority number of an extended ACL to give it a higher or lower precedence. You can perform various other modifications, and you can configure ACL logging. You should verify your configuration, and you can monitor ACL statistics. You can also configure RNAT by using extended ACLs. For more information about using ACLs with RNAT, see Configuring RNAT by Using ACLs, on page 28. You cannot create two ACLs with the same parameters. If you attempt to create a duplicate, an error message appears.
Chapter 3
97
Note: If you configure both simple and extended ACLs, simple ACLs take precedence over the extended ACLs.
Creating a Basic Extended ACL

The following table describes the parameters you use to create a basic extended ACL. Basic Parameters for configuring an Extended ACL
Parameter Name Source IP Address (subnet or host)
(srcIP)
Specifies Alphanumeric name of the ACL. Maximum length: 127 characters. IP address of the source machine. You can also specify a range of addresses. You can also specify an IP address with a value of 0.0.0.0. The action associated with the ACL. The valid options for this parameter are BRIDGE, DENY, and ALLOW. You can use the following operators while creating ACLs: = and !=.
Action Operator
The following example describes the procedure to create an ACL named rule1. The NetScaler drops the IP packets originating from the device when its source IP address is between 10.102.0.0 and 10.102.255.255.
To create an extended ACL using the configuration utility
1. 2. 3. 4. 5. 6.
In the navigation pane, expand Network and click ACLs. In the details pane, on the Extended ACLs tab, click Add. In the Add ACL dialog box, in the Name text box, type the name of the ACL (for example, rule1). In the Action and Operator list boxes, select the action and operator that you want to configure (for example, DENY and =). Under Source, in the Low and High text boxes, type the IP addresses (for example, 10.102.0.0 and 10.102.255.255). Click Create and click Close. The ACL you created appears on the ACLs page.
98
Citrix NetScaler Networking Guide To create a extended ACL using the NetScaler command line

add ns acl ACLname ACLaction -srcip SourceIPAddressRange
Example
add ns acl rule1 deny -srcip 10.102.0.0-10.102.255.255
Applying an Extended ACL

After you create an extended ACL, you must activate it using the following procedure. This procedure re-applies all the ACLs. For example, if you have created the ACLs rule1 through rule10, and then you create rule11 ACL, and apply it, all of the ACLs (rule1 through rule11) are freshly applied. If a session has a DENY ACL related to it, the session is destroyed. You must apply this procedure after every action you perform on an ACL. For example, you must follow this procedure after disabling an ACL. Note: Extended ACLs created on the NetScaler do not work until they are applied.
To apply an ACL using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network and click ACLs. In the details pane, on the Extended ACLs tab, select the ACL that you want to apply (for example, rule1). Click Commit. In the Apply ACL(s) dialog box, click Yes.

apply ns acls
Removing Extended ACLs

This section describes how to remove a single extended ACL and all extended ACLs.
To remove a single extended ACL using the configuration utility
1.
In the navigation pane, expand Network and click ACLs.
Chapter 3
99
2. 3. 4.
In the details pane, on the Extended ACLs tab, select the ACL that you want to remove (for example, rule1). Click Remove. In the Remove dialog box, click Yes.
To remove a single extended ACL using the NetScaler command line

rm ns acl ACLname
Example
rm ns acl rule1
To remove all extended ACLs using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click ACLs. In the details pane, on the Extended ACLs tab, click Clear. In the Clear ACL (s) dialog box, click Yes.
To remove all extended ACLs using the NetScaler command line

clear ns acls
Enabling and Disabling Extended ACLs

This section describes the procedures to enable or disable extended ACLs. By default, the ACLs are enabled. This means that when ACLs are applied, the NetScaler compares incoming packets against the configured ACLs. If an ACL is not required to be part of the lookup table, but needs to be retained in the configuration, it must be disabled before the ACLs are applied. After the ACLs are applied, the NetScaler does not compare incoming packets against disabled ACLs.
To enable or disable an extended ACL using the configuration utility
1. 2.
In the navigation pane, expand Network and click ACLs. In the details pane, on the Extended ACLs tab, select the ACL (for example, rule1) and do one of the following: To enable the extended ACL, click Enable. To disable the extended ACL, click Disable.
100
Citrix NetScaler Networking Guide To enable or disable an extended ACL using the NetScaler command line

enable ns acl ACLname disable ns acl ACLname
Example
enable ns acl rule1 disable ns acl rule1
Renumbering ACL
This section describes the procedure to renumber ACLs. This procedure resets the priorities of the ACLs to multiples of 10. For more information about priorities, see Modifying Extended ACLs, on page 100.
To renumber ACLs using the configuration utility
1. 2. 3.
In the navigation pane, expand Network, and then click ACLs. In the details pane, on the Extended ACLs tab, click Renumber Priority (s) ACL(s). In the Renumber Priority (s)) ACL(s) dialog box, click Yes.
To renumber ACL using the NetScaler command line

renumber ns acls
Modifying Extended ACLs

This section describes the procedure to modify extended ACLs. You can configure the priority of an ACL. The priority (an integer value) defines the order in which the NetScaler evaluates ACLs. All priorities are multiples of 10, unless you configure a specific priority to an integer value. When you create an ACL without specifying a priority, the NetScaler automatically assigns a priority that is a multiple of 10.
Chapter 3
101
If a packet matches the condition defined by the ACL, the NetScaler performs an action. If the packet does not match the condition defined by the ACL, the NetScaler compares the packet against the ACL with the next-highest priority. To modify the extended ACL, use the parameters listed in the following table. Parameters for customizing an Extended ACL
Parameter Source PORT
(srcPort)
Specifies The port address of the source system. You can specify a range or a specific port address. You can also specify a port address with a value of 0. The IP address of the destination system. You can specify a range or a specific address. You can also specify an IP address with a value of 0.0.0.0. The port address of the destination system. You can specify either a range or a specific port address. You can also specify a port address with a value of 0. The MAC address of the source system. Only the last 32 bits are considered during a lookup. This is the protocol field in the IP header. Possible values: ICMP, IGMP, TCP, EGP, IGP, ARGUS, UDP, RDP, RSVP, EIGRP, L2TP, and ISIS. The IP protocol number (decimal). The minimum value is 1 and the maximum value is 255. The VLAN ID present in the VLAN tag of the packet. The minimum value is 1 and the maximum value is 255. This is the network interface on which the packet arrived. The ICMP message type. For example, to block DESTINATION UNREACHABLE messages, you must specify 3 as the ICMP type. For a complete list of ICMP types, see http://www.iana.org/assignments/ icmp-parameters. The minimum value is 0 and the maximum value is 255. The ICMP message code. For example, to block DESTINATION HOST UNREACHABLE messages, specify 3 as the ICMP type and 1 as the ICMP code. For a complete list of ICMP types, see http://www.iana.org/ assignments/icmp-parameters. The minimum value is 0 and the maximum value is 255. The state of the ACL. Possible Values: ENABLED and DISABLED. Default: Enabled. The priority of the ACL. The minimum value is 0 and the maximum value is 10240.
Destination IP Address (subnet or host)

(destIP)
Destination PORT
(destPort)
Source MAC Address

(srcMac)
Protocol
(protocol)
Protocol Number
(protocolNumber)
VLAN ID
(vlan)
Interface
(interface)
ICMP Type
(icmpType)
ICMP Code
(icmpCode)
State
(state)
Priority
(priority)
102
Consider the following example. Two ACLs, rule 1 and rule 2, are configured on the NetScaler and automatically assigned priorities 20 and 30. You need to add a third ACL, rule 3, to be evaluated immediately after Rule 1. Rule 3 must have a priority between 20 and 30. In this case, you can specify the priority as 25. The following procedure describes the steps to set the priority of rule1 to 20.
To modify the priority of an ACL using the configuration utility
1. 2. 3. 4. 5.
In the navigation pane, expand Network and click ACLs. In the ACLs page, on the Extended ACLs tab, select the ACL that you want to modify (for example, rule1). Click Open. In the Configure ACL(s) dialog box, in the Priority text box, type the priority that you want to configure on the ACL (for example, 20). Click OK.
To modify the priority of an ACL using the NetScaler command line

set acl ACLname -priority Value
Example
set acl rule1 -priority 20
Configuring Access Control List (ACL) Logging

You can configure the NetScaler to log details for packets that match an extended ACL. In addition to the ACL name, the logged details include packet-specific information such as the source and destination IP addresses. The information is stored either in the syslog file or in the nslog file, depending on the type of global logging (syslog or nslog) enabled. Logging can be enabled at both the global level and the ACL level. However, to enable logging at the ACL level, you must also enable it at the global level. The global setting takes precedence. For instructions on how to enable logging globally, see Configuring the Citrix NetScaler Audit Server Log. To optimize logging, when multiple packets from the same flow match an ACL, only the first packets details are logged, and the counter is incremented for every other packet that belongs to the same flow. A flow is defined as a set of packets that have the same values for the following parameters: Source IP address Destination IP address
Chapter 3
103
Source port Destination port Protocol
If the packet is not from the same flow, or if the time duration is beyond the mean time, a new flow is created. Mean time is the time during which packets of the same flow do not generate additional messages (although the counter is incremented). Note: The total number of different flows that can be logged at any given time is limited to 10,000. The following table describes the parameters with which you can configure ACL logging at the rule level for extended ACLs. Logging Parameters of an Extended ACL
Parameter Logstate
(logstate)
Specifies State of the logging feature for the ACL. Possible Values: Enabled or Disabled. Default: Disabled. Number of log messages that a specific ACL can generate. Default: 100.
RateLimit
(ratelimit)
Use either of the following procedures to configure logging for an ACL and specify the number of log messages that the rule can generate.
To configure ACL Logging using the configuration utility
1. 2. 3. 4. 5.
In the navigation pane, expand Network and click ACLs. In the details pane, click the Extended ACLs tab, and then select the ACL for which you want to configure logging (for example, rule1). Click Open. In the Modify ACL dialog box, select the Log State checkbox. In the Log Rate Limit text box, type the rate limit that you want to specify for the rule (for example, 200), and click OK.
To configure ACL Logging using the NetScaler command line

set acl NameOfRule logstate enabled ratelimit Value
104

set acl rule1 logstate enabled ratelimit 200

This section describes the procedure to verify the ACLs that you have configured. This can be useful for troubleshooting. You can view the properties such as name, action, and protocol of the configured ACLs. Use the following procedure to view the extended ACLs.
To view extended ACLs using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network and click ACLs. In the details pane, click the Extended ACLs tab. The details of the available ACLs appear in this page. Verify that the configured ACL, rule1, appears. Select the ACL, rule1, and in the Details section, verify that the parameters displayed are as configured.
To view extended ACLs using the NetScaler command line

show ns acl
Monitoring the Extended ACL

This section describes the procedure to view the statistics of an extended ACL. The following table lists the statistics associated with extended ACLs and their descriptions. Extended ACL Statistics
Statistic Allow ACL hits NAT ACL hits Deny ACL hits Bridge ACL hits ACL hits ACL misses Specifies Packets matching ACLs with processing mode set to ALLOW. NetScaler processes these packets. Packets matching a NAT ACL, resulting in a NAT session. Packets dropped because they match ACLs with processing mode set to DENY. Packets matching a bridge ACL, which in transparent mode bypasses service processing. Packets matching an ACL. Packets not matching any ACL.
Chapter 3
105
Use the following procedure to view the statistics of the extended ACLs, such as ACL Hits, NAT ACL Hits, Allow ACL Hits, Deny ACL Hits, Bridge ACL Hits, and ACL Misses.
To view the statistics of an extended ACL using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click ACLs. In the details pane, on the Extended ACLs tab, select the ACL whose statistics you want to view (for example, rule1). Click Statistics.
To view the statistics of an extended ACL using the NetScaler command line

stat ns acl ACLname
Example
stat ns acl rule1
Configuring RNAT by Using Extended ACLs

You can configure the NetScaler to use a unique IP address for traffic that matches an extended ACL. The following section describes how to configure RNAT and then apply the extended ACL. This section provides the procedure to change the source IP and destination port information based on an ACL. Note: ACL-based RNAT is not applied to traffic originating from the NetScaler.
Changing the Source IP and Destination Port Based on an ACL

The steps to change the source IP and destination port based on an ACL are divided into the following tasks: 1. 2. 3. Configure the ACL. Configure RNAT to change the source IP address and Destination Port. Apply the ACL.
106
This is illustrated in the following figure.
Changing Source IP Address and Port In the following procedure, an acl, acl1, that allows traffic originating from a server with IP address 10.102.29.40 to an external client 209.165.202.11 is configured. The protocol is specified as TCP.
To configure an ACL using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network and click ACLs. In the details pane, on the Extended ACLs tab, click Add. In the Add ACL dialog box, in the Name text box, type the name of the ACL (for example, acl1). In the Action, select an action (for example, ALLOW), in the Operator drop-down list, select an option (for example, =), and in the Protocol dropdown list, select a protocol (for example, TCP). Under Source, in the Low and High text boxes, type the IP addresses (for example, 10.102.29.40 and 10.102.29.40). Under Destination, in the Low and High text boxes, type the IP addresses (for example, 209.165.201.11 and 209.165.201.11). Click Create and click Close.
5. 6. 7.
To configure an ACL using the NetScaler command line

add acl ACLname ACLaction -srcip SourceIPAddress -destip DestinationIPAddress -protocol Value
Example
add acl acl1 allow -srcip 10.102.29.40 -destip 209.165.201.11
Chapter 3
107
-protocol TCP
In the following procedure, an RNAT is configured to replace the source IP address of packets related to the example ACL, acl1, with the NAT IP address, 209.165.202.129. The destination port is configured to 8080.
To set RNAT to change the source IP address and destination port using the configuration utility
1. 2. 3. 4. 5. 6. 7. 8.
In the navigation pane, expand Network, expand Routing, and click Routes. In the details pane, on the RNAT tab, click Configure RNAT. In the Configure RNAT dialog box, click the ACL radio button. In the ACL Name drop-down list box, select the ACL that you want to configure (for example, acl1). In the Redirect Port text box, type the port (for example, 8080). In the Available NAT IP (s) list box, select the NAT IP address which you want to configure (for example, 209.165.202.129). Click Add. The NAT IP you selected appears in the Configured NAT IP (s) list box. Click Create, and click Close.
To set RNAT to change the source IP address and destination port using the NetScaler command line

set rnat ACLname -natip NATIPAddress -redirectPort Value
Example
set rnat acl1 -natip 209.165.202.129 -redirectPort 8080
To apply an ACL
You must apply the ACL for the ACL to function. For instructions on how to apply an extended ACL using the configuration utility, see Applying an Extended ACL, on page 98.

apply ns acls
108
Note: The NetScaler uses ports 1024 to 64000 for mapped IP addresses and subnet IP addresses.
Configuring ACL6s
ACL6s are ACLs created specifically for IPv6 addresses. ACL6s also filter packets based on the parameters of the packet, such as source IP address, source port, action, and so on. An ACL6 defines the condition that a packet must satisfy for the NetScaler to process the packet, bridge the packet, or drop the packet. These actions are known as processing modes. The processing modes are: ALLOW - The NetScaler processes the packet. BRIDGE The NetScaler bridges the packet to the destination without processing it. DENY The NetScaler drops the packet.
The NetScaler processes an IP packet directly when both of the following conditions exist: ACL6s are configured on the NetScaler. The IP packet does not match any of the ACL6s.
The NetScaler does not apply ACL6s for self-originated packets.
Creating ACL6s
You cannot create two ACL6s with the same parameters. If you attempt to create a duplicate, an error message appears. To create an ACL6, use the parameters described in the following table. Basic Parameters for configuring an ACL6
Parameter Name Source IP Address (subnet or host)
(srcIPv6)
Specifies The alphanumeric name of the ACL6. Maximum length: 127 characters. The IPv6 address of the source system. You can specify a range or a specific address. You can also specify an IP address with a value of 0.0.0.0. The action associated with the ACL6. Possible values: BRIDGE, DENY, and ALLOW. You can use the following operators while creating ACL6s: = and !=.
Action Operator
Chapter 3
109
The following example describes the procedure to create an ACL named rule. The NetScaler drops the IP packets originating from the device when its source IP address is between 10.102.0.0 and 10.102.255.255.
To create an ACL6 using the configuration utility
1. 2. 3. 4. 5. 6.
In the navigation pane, expand Network and click ACLs. In the details pane, on the ACL6s tab, click Add. In the Add ACL6 dialog box, in the Name text box, type the name of the ACL6 (for example, rule1). In the Action and Operator list boxes, select the action and operator that you want to configure (for example, DENY and =). Under Source, in the Low and High text boxes, type the IP addresses (for example, 10.102.0.0 and 10.102.255.255). Click Create and click Close. The ACL you created appears in the ACL6s page.
To create an ACL6 using the NetScaler command line

add ns acl6 ACLname ACLaction -srcip SourceIPAddressRange
Example
add ns acl6 rule1 deny -srcip 10.102.0.0-10.102.255.255
Applying ACL6s
After you create an ACL6, you must activate it using the following procedure. This procedure re-applies all the ACL6s. For example, if you have created the ACL6s rule1 through rule10, and then you create rule11 ACL6, and apply it, all of the ACL6s (rule1 through rule11) are freshly applied. If a session has a DENY ACL related to it, the session is destroyed. You must apply this procedure after every action you perform on an ACL6. For example, you must follow this procedure after disabling an ACL6. Note: ACL6s created on the NetScaler do not work until they are applied.
110
Citrix NetScaler Networking Guide To apply an ACL6 using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network and click ACLs. In the details pane, on the ACL6s tab, select the ACL6 that you want to apply (for example, rule1). Click Commit. In the Apply ACL(s) dialog box, click Yes.

apply ns acls6
Removing ACL6s
This section describes the procedure to remove ACL6s.
To remove an ACL6 using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network and click ACLs. In the details pane, on the ACL6s tab, select the ACL that you want to remove (for example, rule1). Click Remove. In the Remove dialog box, click Yes.
To remove an Extended ACL using the NetScaler command line

rm ns acl6 ACLname
Example
rm ns acl6 rule1
Removing all ACL6s

This procedure provides instruction to remove all the configured extended ACLs.
To remove all extended ACLs using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click ACLs. In the details pane, on the ACL6s tab, click Clear. In the Clear ACL (s) dialog box, click Yes.
Chapter 3
111
To remove all extended ACLs using the NetScaler command line

clear ns acls6
Enabling and Disabling ACL6

This section describes the procedures to enable or disable ACL6s. By default, ACL6s are enabled. This means that when ACL6s are applied, the NetScaler compares incoming packets against the configured ACL6s. If an ACL6 is not required to be part of the lookup table, but needs to be retained in the configuration, it must be disabled before the ACL6s are applied. After the ACL6s are applied, the NetScaler does not compare incoming packets against disabled ACL6s.
To enable or disable an ACL6 using the configuration utility
1. 2.
In the navigation pane, expand Network and click ACLs. In the details pane, on the ACL6s tab, select the ACL (for example, rule1) and do one of the following: To enable the ACL6, click Enable. To disable the ACL6, click Disable.
To enable or disable an ACL6 using the NetScaler command line

enable ns acl6 ACLname disable ns acl6 ACLname
Example
enable ns acl6 rule1 disable ns acl6 rule1
Renumbering ACL6s
This section describes the procedure to renumber ACL6s. This procedure resets the priorities of the ACL6s to multiples of 10. For more information about priorities, see Modifying Extended ACLs, on page 100.
To renumber ACL6s using the configuration utility
1. 2.
In the navigation pane, expand Network and click ACLs. In the details pane, on the ACL6s tab, click Renumber Priority (s)) ACL(s).
112
3.
In the Renumber Priority (s)) ACL(s) dialog box, click Yes.
To renumber ACL6s using the NetScaler command line

renumber ns acls6
Modifying ACL6s
This section describes the procedure to modify ACL6s. You can configure the priority of an ACL. The priority (an integer value) defines the order in which the NetScaler evaluates ACL6s. All priorities are multiples of 10, unless you configure a specific priority to an integer value. When you create an ACL6 without specifying a priority, the NetScaler automatically assigns a priority that is a multiple of 10. If a packet matches the condition defined by the ACL6, the NetScaler performs an action. If the packet does not match the condition defined by the ACL6, the NetScaler compares the packet against the ACL6 with the next-highest priority. To modify the ACL6, use the parameters listed in the following table. Parameters for customizing an ACL6
(srcPort)
Specifies The port address of the source system. You can specify a range or a specific port address. You can also specify a port address with a value of 0. The IP address of the destination system. You can specify a range or a specific address. You can also specify an IP address with a value of 0.0.0.0. The port address of the destination system. You can specify either a range or a specific port address. You can also specify a port address with a value of 0. The MAC address of the source system. Only the last 32 bits are considered during a lookup. This is the protocol field in the IP header. The valid options for this parameter are ICMP, IGMP, TCP, EGP, IGP, ARGUS, UDP, RDP, RSVP, EIGRP, L2TP, and ISIS. The IP protocol number (decimal). The minimum value is 1 and the maximum value is 255. The VLAN ID present in the VLAN tag of the packet. The minimum value is 1 and the maximum value is 255. This is the network interface on which the packet arrived.

(destIPv6)
Destination PORT
(destPort)
Source MAC Address

(srcMac)
Protocol
(protocol)
Protocol Number
(protocolNumber)
VLAN ID
(vlan)
Interface
(interface)
Chapter 3
113
Parameters for customizing an ACL6

Parameter ICMP Type
(icmpType)
Specifies The ICMP message type. For example, to block DESTINATION UNREACHABLE messages, you must specify 3 as the ICMP type. For a complete list of ICMP types, see http://www.iana.org/assignments/ icmp-parameters. The minimum value is 0 and the maximum value is 255. The ICMP message code. For example, to block DESTINATION HOST UNREACHABLE messages, specify 3 as the ICMP type and 1 as the ICMP code. For a complete list of ICMP types, see http://www.iana.org/ assignments/icmp-parameters. The minimum value is 0 and the maximum value is 255. The state of the ACL. Possible values: ENABLED and DISABLED. The priority of the ACL. The minimum value is 0 and the maximum value is 10240.
ICMP Code
(icmpCode)
State
(state)
Priority
(priority)
Consider the following example. Two ACL6s, rule 1 and rule 2, are configured on the NetScaler and automatically assigned priorities 20 and 30. You have added a third ACL6, rule 3, with priority 40. However, you want rule3 to be evaluated immediately after Rule 1. Hence, rule 3 must have a priority between 20 and 30. You can modify the priority of rule3 to 25. The following procedure describes the steps to set the priority of rule3 to 25.
To modify the priority of an ACL6 using the configuration utility
1. 2. 3. 4. 5.
In the navigation pane, expand Network and click ACLs. In the details pane, on the ACL6s tab, select the ACL that you want to modify (for example, rule3). Click Open. In the Configure ACL(s) dialog box, in the Priority text box, type the priority that you want to configure on the ACL (for example, 25). Click OK.
To modify the priority of an ACL using the NetScaler command line

set acl ACLname -priority Value
Example
set acl rule3 -priority 25
114

This section describes the procedure to verify the ACL6s that you have configured. This can be useful for troubleshooting. You can view the properties such as name, action, and protocol of the configured ACL6s. Use the following procedure to view the ACL6s.
To view ACL6s using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network and click ACLs. In the details pane, click the ACL6s tab. The details of the available ACL6s appear on this page. Verify that the configured ACL6, rule1, appears. Select the ACL6, rule1, and in the Details section, verify that the parameters displayed are as configured.
To view ACL6s using the NetScaler command line

show ns acl6
Monitoring ACL6s
This section describes the procedure to view the statistics of an ACL6. The following table lists the statistics associated with ACL6s and their descriptions. ACL6 Statistics
Statistic Allow ACL6 hits NAT ACL6 hits Deny ACL6 hits Bridge ACL6 hits ACL6 hits ACL6 misses Specifies Packets matching IPv6 ACLs with processing mode set to ALLOW. NetScaler processes these packets. Packets matching a NAT ACL6, resulting in a NAT session. Packets dropped because they match IPv6 ACLs with processing mode set to DENY. Packets matching a bridge IPv6 ACL, which in transparent mode bypasses service processing. Packets matching an IPv6 ACL. Packets not matching any IPv6 ACL.
Viewing the Statistics of an ACL6

Use the following procedure to view the statistics of the ACL6s such as ACL6 Hits, NAT ACL6 Hits, Allow ACL6 Hits, and others.
Chapter 3
115
To view the statistics of an ACL6 using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click ACLs. In the details pane, on the ACL6s tab, select the ACL whose statistics you want to view (for example, rule1). Click Statistics.
To view the statistics of an extended ACL using the NetScaler command line

stat ns acl6 ACLname
Example
stat ns acl6 rule1
116
C HAPTER 4
IP Routing
The NetScaler supports both dynamic and static routing. Because simple routing is not the primary role of a NetScaler, the main objective of running dynamic routing protocols is to enable route health injection (RHI), so that an upstream router can choose the best among multiple routes to a topographically distributed virtual server. Most NetScaler implementations use some static routes to reduce routing overhead. You can create backup static routes and monitor routes to enable automatic switchover in the event that a static route goes down. You can also assign weights to facilitate load balancing among static routes, create null routes to prevent routing loops, and configure IPv6 static routes. You can configures Policy based routes (PBRs), which bases routing decisions on criteria that you specify In This Chapter Configuring Dynamic Routes Configuring Route Health Injection Configuring Static Routes Configuring Policy Based Routes Troubleshooting Routing Issues
Configuring Dynamic Routes

When a dynamic routing protocol is enabled, the corresponding routing process monitors route updates and advertises routes. Routing protocols enable an upstream router to use the Equal Cost Multipath technique to load balance traffic to identical vservers hosted on two standalone NetScaler appliances. Dynamic routing on a NetScaler uses three routing tables. In a high-availability setup, the routing tables on the secondary NetScaler mirror those on the primary. The NetScaler supports the following protocols: Routing Information Protocol (RIP) version 2 Open Shortest Path First (OSPF) version 2
118
Border Gateway Protocol (BGP) Routing Information Protocol next generation (RIPng) for IPv6 Open Shortest Path First (OSPF) version 3 for IPv6
You can enable more than one protocol simultaneously.
Routing Tables in the NetScaler

In a NetScaler, the NetScaler kernel routing table, the FreeBSD kernel routing table, and the NSM FIB routing table each hold a different set of routes and serve a different purpose. They communicate with each other using UNIX routing sockets. Route updates are not automatically propagated from one routing table to another. You must configure propagation of route updates for each routing table.
NS Kernel Routing Table

The NS kernel routing table holds subnet routes corresponding to the NSIP and to each SNIP and MIP. Usually, no routes corresponding to VIPs are present in the NS kernel routing table. The exception is a VIP added by using the add ns ip command and configured with a netmask other than 255.255.255.255. If there are multiple IP addresses belonging to the same subnet, they are abstracted as a single subnet route. In addition, this table holds a route to the loopback network (127.0.0.0) and any static routes added through the NetScaler command-line interface (nscli). The entries in this table are used by the NetScaler in packet forwarding. From the nscli, they can be inspected with the show route command.
FreeBSD Routing Table

The sole purpose of the FreeBSD routing table is to facilitate initiation and termination of management traffic (telnet, ssh, etc.). In a NetScaler, these applications are tightly coupled to FreeBSD, and it is imperative for FreeBSD to have the necessary information to handle traffic to and from these applications. This routing table contains a route to the NSIP subnet and a default route. In addition, FreeBSD adds routes of type WasCloned (W) when the NetScaler establishes connections to hosts on local networks. Because of the highly specialized utility of the entries in this routing table, all other route updates from NS kernel and NSM bypass the FreeBSD routing table. Do not modify it with the route command. The FreeBSD routing table can be inspected by using the netstat command from any UNIX shell.
Network Services Module (NSM) FIB

The NSM FIB routing table contains the advertisable routes that are distributed by the dynamic routing protocols to their peers in the network. It may contain:
Chapter 4
IP Routing
119
Connected routes. IP subnets that are directly reachable from the NetScaler. Typically, routes corresponding to the NSIP subnet and subnets over which routing protocols are enabled are present in NSM FIB as connected routes. Kernel routes. All the VIP addresses on which the -hostRoute option is enabled are present in NSM FIB as kernel routes if they satisfy the required RHI Levels. In addition, NSM FIB contains any static routes configured on the nscli that have the -advertise option enabled. Alternatively, if the NetScaler is operating in Static Route Advertisement (SRADV) mode, all static routes configured on the nscli are present in NSM FIB. These static routes are marked as kernel routes in NSM FIB, because they actually belong to the NS kernel. Static routes. Normally, any static route configured in VTYSH is present in NSM FIB. If administrative distances of protocols are modified, this may not always be the case. An important point to note is that these routes can never get into the NS kernel. Learned routes. If the NetScaler is configured to learn routes dynamically, the NSM FIB contains routes learned by the various dynamic routing protocols. Routes learned by OSPF, however, need certain special processing. They are downloaded to FIB only if the fib-install option is enabled for the OSPF process. This can be done from the router-config view in VTYSH.
High Availability Setup

In a high availability setup, the primary node runs the routing process and propagates routing table updates to the secondary node. The routing table of the secondary node mirrors the routing table on the primary node.
Non-stop Forwarding
After failover, the secondary node takes some time to start the protocol, learn the routes, and update its routing table. But this does not affect routing, because the routing table on the secondary node is identical to the routing table on the primary node. This mode of operation is known as non-stop forwarding.
Black Hole Avoidance Mechanism

After failover, the new primary node injects all its VIP routes into the upstream router. However, that router retains the old primary nodes routes for 180 seconds. Because the router is not aware of the failover, it attempts to load balance traffic between the two nodes. During the 180 seconds before the old routes expire, the router sends half the traffic to the old, inactive primary node, which is, in effect, a black hole. To prevent this, the new primary node, when injecting a route, assigns it a metric that is slightly lower than the one specified by the old primary node.
120
Interfaces for Configuring Dynamic Routing

To configure dynamic routing, you can use either the configuration utility or a command-line interface. The NetScaler supports two independent command-line interfaces: NetScaler Command-Line Interface (NSCLI) and Virtual Teletype Shell (VTYSH). The NSCLI is the native shell of the NetScaler while VTYSH is exposed by ZebOS. The NetScaler routing suite is based on ZebOS, the commercial version of GNU Zebra. Note: Citrix recommends that you use VTYSH for all commands except those that can be configured only on NSCLI. Use of NSCLI should generally be limited to commands for enabling the routing protocols, configuring host route advertisement, and adding static routes for packet forwarding.
Using RIP
Routing Information Protocol (RIP) is a Distance Vector protocol. The NetScaler supports RIP as defined in RFC 1058 and RFC 2453. RIP can run on any subnet.
Enabling and Disabling RIP

You can enable or disable RIP using the configuration utility or the NSCLI. Use either of the following procedures to enable or disable RIP. After you enable RIP, the NetScaler starts the RIP process. After you disable RIP, the NetScaler stops the RIP process.
To enable or disable RIP routing using the configuration utility
1. 2. 3.
In the navigation pane, expand System and click Settings. In the details pane, under Modes and Features group, click Change advanced features. In the Configure Advanced Features dialog box, do one of the following: To enable RIP routing, select the RIP Routing check box. To disable RIP routing, clear the RIP Routing check box.
4. 5.
To enable or disable RIP routing using the NetScaler command line

enable ns feature protocol
Chapter 4
IP Routing
121
disable ns feature protocol
Examples
enable ns feature rip disable ns feature rip
Configuring RIP
On the NetScaler, RIP can function in one of the following modes: Advertising Routes Limiting RIP Propagations Displaying RIP Information
Advertising Routes
RIP enables an upstream router to load balance traffic between two identical vservers hosted on two standalone NetScaler devices. By using route advertisement, an upstream router can track network entities located behind the NetScaler. The following table describes the commands you have to set to advertise routes. Route Advertising VTYSH commands for RIP
Commands
passive-interface interface_name network ipaddress/prefix length redistribute static
Specifies Suppress routing updates on an interface. Broadcast network on which RIP is to be run. State of the router in redistributing static routes. Use this command to enable the redistribution of static routes. State of the router in redistributing kernel routes. Use this command to enable the redistribution of kernel routes.
redistribute kernel
Use the following procedures to configure RIP to advertise routes on the NetScaler.
To configure RIP to advertise routes using the VTYSH command line
To use the VTYSH command-line interface to configure RIP as the routing protocol, proceed as follows: At the NetScaler command prompt, type:
122
VTYSH
An output similar to the following appears:

NS170#
You are now at the VTYSH command prompt. At the VTYSH command prompt, type:
NS170# configure terminal NS170(config)# router rip NS170(config-router)# network IPaddress/PrefixLength NS170(config-router)# redistribute kernel [route-map map-tag]
Limiting RIP Propagations

If you need to troubleshoot your configuration, you can configure the listen-only mode on any given interface. The following table describes the commands you have to set to configure an interface for listen-only mode. Limiting RIP VTYSH Command
Commands
passive-interface interface_name
Specifies Suppress routing updates on an interface.
Use the following procedures to limit RIP propagation by setting an interface to listen-only mode.
To limit RIP propagations using the VTYSH command line

VTYSH
An output similar to the following appears:

NS170#
You are now at the VTYSH command prompt. At the VTYSH command prompt, type:
NS170# configure terminal NS170(config)# router rip NS170(config-router)# passive-interface interface_name
Displaying RIP Information

Use the following procedures to display the RIP settings.
Chapter 4 To view the RIP settings using the VTYSH command line
IP Routing
123

VTYSH
You are now in the VTYSH command prompt. An output similar to the following appears:
NS170#
At the VTYSH command prompt, type:

NS170# sh ip rip NS170# sh ip rip database NS170# sh ip rip interface
Using OSPF
The NetScaler supports Open Shortest Path First (OSPF) Version 2 (RFC 2328). The features of OSPF on the NetScaler are: The NetScaler supports OSPF within a single area only. If a vserver is active, the host routes to the vserver can be injected into the routing protocols. OSPF can run on any subnet. Route learning advertised by neighboring OSPF routers can be disabled on the NetScaler. The NetScaler can advertise Type-1 or Type-2 external metrics for all routes. The NetScaler can advertise user-specified metric settings for VIP routes. For example, you can configure a metric per VIP without special route maps. You can specify the OSPF area ID for the NetScaler.
Enabling and Disabling OSPF

You can enable or disable OSPF using the configuration utility or the NSCLI only. When OSPF is enabled, the NetScaler starts the OSPF process. When OSPF is disabled, the NetScaler stops the OSPF routing process. Use either of the following procedures to enable or disable the OSPF routing protocol.
To enable or disable OSPF routing using the configuration utility
1.
In the navigation pane, expand System, and then click Settings.
124
2. 3.
In the details pane, under the Modes and Features group, click Change advanced features. In the Configure Advanced Features dialog box, do one of the following: To enable OSPF routing, select the OSPF Routing check box. To disable OSPF routing, clear the OSPF Routing check box.
4. 5.
To enable or disable OSPF routing using the NetScaler command line

enable ns feature OSPF disable ns feature OSPF
Configuring OSPF
You can configure OSPF on an existing route. In addition to basic configuration, you can configure route learning and route advertising. If necessary, you can limit OSPF propagation. The NetScaler supports the OSPF NSSA enhancement. After configuration, you should review your settings.
Configuring the Basic OSPF Parameters

The following table describes the commands you have to configure to use OSPF. OSPF Basic VTYSH commands
Commands
router-id IPAddress network IPaddress/prefix length area area_id host
Specifies ID for the OSPF process. OSPF router-id is specified IP address format. Broadcast network on which RIP is to be run. Area ID of the area in which OSPF is running. The stub link or the host address.
Use the following procedures to configure the basic OSPF parameters.

To configure basic OSPF using the VTYSH command line
To use the VTYSH command-line interface to configure OSPF as the routing protocol, proceed as follows: At the NetScaler command prompt, type:
VTYSH
Chapter 4
IP Routing
125
NS170#

NS170# configure terminal NS170(config)# router ospf NS170(config-router)# router-id IPaddress NS170(config-router)# network IPaddress/prefix length NS170(config-router)# area AreaID
Configuring Route Advertisement

OSPF enables an upstream router to load balance traffic between two identical vservers hosted on two standalone NetScaler devices. By using route advertising, an upstream router can track network entities located behind the NetScaler. The following table lists and describes the commands required for advertising routes. Route Advertising VTYSH commands for OSPF
Commands
redistribute static redistribute kernel redistribute connected
Specifies
Redistribute static routes.
Redistribute kernel routes. Redistribute connected routes.
Use the following procedures to configure OSPF to advertise routes on the NetScaler.
To configure OSPF to advertise routes using the VTYSH command line

VTYSH
NS170#

NS170# configure terminal NS170(config)# router ospf NS170(config-router)# redistribute kernel [route-map map-tag]
126
Limiting OSPF Propagation

To facilitate troubleshooting, you can set an interface to listen-only mode. The following table describes the relevant commands. Limiting OSPF Propagation Parameter
Commands
passive-interface interface_name
Specifies Suppress routing updates on an interface.
Use the following procedures to limit OSPF propagation.

To limit OSPF propagations using the VTYSH command line

VTYSH
NS170#

NS170# configure terminal NS170(config)# router ospf NS170(config-router)# passive-interface interface_name
Displaying OSPF Settings

To view the OSPF settings using the VTYSH command line

VTYSH
NS170#

NS170# sh ip ospf NS170# sh ip ospf border-routers NS170# sh ip ospf database NS170# sh ip ospf interface NS170# sh ip ospf neighbor NS170# sh ip ospf route
Chapter 4
IP Routing
127
NS170# sh ip ospf virtual-links
NSSA Support
The NetScaler now supports not-so-stubby-areas (NSSAs). An NSSA is similar to an OSPF stub area but allows injection of external routes in a limited fashion into the stub area. To support NSSAs, a new option bit (the N bit) and a new type (Type 7) of Link State Advertisement (LSA) area have been defined. Type 7 LSAs support external route information within an NSSA. An NSSA area border router (ABR) translates a type 7 LSA into a type 5 LSA that is propagated into the OSPF domain. The OSPF specification defines only the following general classes of area configuration: Type 5 LSA: Originated by routers internal to the area are flooded into the domain by AS boarder routers (ASBRs). Stub: Allows no type 5 LSAs to be propagated into/throughout the area and instead depends on default routing to external destinations.
Using BGP
The NetScaler supports BGP-4 (RFC 1771). The features of BGP on the NetScaler are: The NetScaler advertises routes to BGP peers. The NetScaler injects host routes to virtual IP addresses (VIPs) based on the health of the underlying vservers. The NetScaler generates configuration files for running BGP on the secondary node after failover in an HA configuration. This protocol supports IPv6 route exchanges.
Prerequisites for IPv6 BGP

The procedures in this topic require some knowledge of the IPv6 BGP protocol. Before you begin configuring IPv6 BGP, do the following: Install the IPv6PT license on the NetScaler for supporting IPv6. After installing IPv6PT license, enable IPv6 feature by using the configuration utility or NetScaler command line.
Enabling and Disabling BGP

You can enable or disable BGP by using the configuration utility or the NSCLI only. When BGP is enabled, the NetScaler starts the BGP process and when disabled, the NetScaler stops the BGP process.
128
Citrix NetScaler Networking Guide To enable or disable BGP routing using the configuration utility
1. 2. 3.
In the navigation pane, expand System and click Settings. In the details pane, under the Modes and Features group, click Change advanced features. In the Configure Advanced Features dialog box, do one of the following: To enable BGP routing, select the BGP Routing check box. To disable BGP routing, clear the BGP Routing check box.
4. 5.
To enable or disable BGP routing using the NetScaler command line

enable ns feature Protocol disable ns feature Protocol
Example
enable ns feature BGP disable ns feature BGP
Configuring BGP
You can use BGP on a NetScaler to advertise routes and to learn routes. The following table describes the required command for configuring BGP. Basic BGP VTYSH command
Command router bgp ASnumber Specifies BGP autonomous system. As number is a mandatory parameter. Possible values: 1 to 4,294,967,295.
Use the following procedures to create a basic BGP configuration.

To create a basic BGP configuration using the VTYSH command line

VTYSH
NS170#
Chapter 4
IP Routing
129

NS170# configure terminal NS170(config)# router bgp ASnumber
Advertising Routes
You can configure the NetScaler to advertise host routes to VIPs and to advertise routes to downstream networks. The following table describes the commands for configuring the NetScaler to advertise BGP routes.
Commands
redistribute static redistribute kernel redistribute connected
Specifies
Redistribute static routes.
Redistribute kernel routes. Redistribute connected routes.
Use the following procedures to configure BGP to advertise routes on the NetScaler.
To configure BGP to advertise routes using the VTYSH command line

VTYSH
NS170#

NS170# configure terminal NS170(config)# router bgp ASnumber NS170(config-router)# redistribute kernel [route-map map-tag]
Configuring Route Maps

You can configure route maps to define policies for route redistribution. Route maps can be associated with BGP neighbors or with the redistribute directive. You can use route maps on the NetScaler to: Set the next hops for the routes being advertised to a neighbor (setting the next-hop in a route map, then associating it with that neighbor). Control the prefixes that are advertised (using the matchIP argument and associating it with the redistribute directive).
To configure route maps, use the following VTYSH commands:
130
NS170# configure terminal NS170(config)# route-map abcd deny 1
You can associate both prefix lists and access lists with route maps by using the following command:
NS170(config-router)# match ip address <prefix-list> | <accesslist> <1-199> <1300-2699> WORD prefix-list IP access-list name IP access-list name IP access-list name Match entries of prefix-lists
Advertising IPv6 Routes

Border Gateway Protocol (BGP) enables an upstream router to load balance traffic between two identical vservers hosted on two standalone NetScaler devices. By using route advertising, an upstream router can track network entities located behind the NetScaler. The following table describes the commands you have to set to advertise routes.
To configure BGP to advertise IPv6 routes by using the VTYSH command line
At the NetScaler command prompt, type the following commands in the following order:
Commands
VTYSH Example: >VTYSH configure terminal Example: NS# configure terminal router BGP ASnumber Example: NS(config)# router BGP 5
Specifies Enters into VTYSH command prompt.
Enters into global configuration mode.
BGP autonomous system. Asnumber is a mandatory parameter. Possible values: 1 to 4,294,967,295.
Neighbor IPv6 address remote-as as- Updates the IPv6 BGP neighbor table with the link local IPv6 address of the number Example: NS(config-router)# Neighbor a1bc::102 remote-as 100
neighbor in the specified autonomous system.
Chapter 4
IP Routing
131
Commands
Address-family ipv6 Example: NS(config-router)# Address-family ipv6
Specifies Enters into address family configuration mode.
Neighbor IPv6 address activate Example: NS(config-router-af)# Neighbor a1bc::102 activate
Exchanges prefixes for the IPv6 router family between the peer and the local node using the link local address.
redistribute kernel Example: NS(config-router)# redistribute kernel redistribute static Example: NS(config-router)# redistribute static
Redistributes kernel routes.
Redistributes static routes.
Displaying BGP Settings

Use the following procedures to view the BGP settings.
To view the BGP settings using the VTYSH command line

VTYSH
NS170#

NS170# sh ip BGP NS170# sh BGP NS170# sh ip BGP neighbors NS170# sh ip BGP summary NS170# sh ip BGP route-map map-tag
132
Enabling BGP on a Non-NSIP Network

To enable BGP on a non-NSIP network, perform the following tasks: 1. 2. 3. Enable management access on the Subnet IP (SNIP). Enable dynamic routing on the IP. Enable mode Use Subnet IP (USNIP).
Using IPv6 RIP

IPv6 Routing Information Protocol (RIP) or RIPng is a Distance Vector protocol. This protocol is an extension of RIP to support IPv6.
Prerequisites
The procedures in this topic require some knowledge of the IPv6 RIP protocol. Before you begin configuring IPv6 RIP, do the following: Install the IPv6PT license on the NetScaler for supporting IPv6. Enable the IPv6 feature by using the configuration utility or NetScaler command line.
Enabling IPv6 RIP

You can enable or disable IPv6 RIP by using VTYSH. Use either of the following procedures to enable or disable RIP. After you enable IPv6 RIP, the NetScaler starts the IPv6 RIP daemon. After you disable IPv6 RIP, the NetScaler stops the RIP daemon.
To enable IPv6 RIP using the VTYSH command line
Commands
VTYSH Example: > VTYSH configure terminal
Example: NS# configure terminal
Chapter 4
IP Routing
133
Commands
ns IPv6-routing
Specifies Starts IPv6 dynamic routing daemon.
Example: NS(config)# ns IPv6-routing interface vlan_name
Enters into the VLAN configuration mode.
Example: NS(config)# interface vlan0 router ipv6 RIP
Starts IPv6 RIP routing process on a VLAN.
Example: NS(config-if)# router ipv6 RIP
Configuring IPv6 RIP

On the NetScaler, IPv6 RIP can function in one of the following modes: Advertising IPv6 routes Limiting IPv6 RIP Propagations

IPv6 RIP enables an upstream router to load balance traffic between two identical vservers hosted on two standalone NetScaler devices. By using route advertisement, an upstream router can track network entities located behind the NetScaler. The following table describes the commands you have to set to advertise routes.
134
Citrix NetScaler Networking Guide To configure IPv6 RIP to advertise IPv6 routes by using the VTYSH command line
Commands
VTYSH
Example: >VTYSH configure terminal
Example: NS# configure terminal router ipv6 rip
Starts IPv6 RIP routing process and enters into configuration mode for the routing process.
Example: NS(config)# router ipv6 rip redistribute static
Example: NS(config-router)# redistribute static redistribute kernel Example: NS(config-router)# redistribute kernel
Limiting IPv6 RIP Propagations

If you need to troubleshoot your configuration, you can configure the listen-only mode on any given interface. The following table describes the commands you have to set to configure an interface for listen-only mode.
Chapter 4
IP Routing
135
To limit IPv6 RIP propagation by using the VTYSH command line
Commands
VTYSH
Example: NS# configure terminal router ipv6 rip
Starts IPv6 RIP routing process and enters into configuration mode for the routing process.
Example: NS(config)# router ipv6 rip passive-interface vlan_name
Suppresses routing updates on interfaces bound to the specified VLAN.
Example: NS(config-router)# passiveinterface VLAN0
Verifying IPv6 RIP Configuration

To view the IPv6 RIP settings by using the VTYSH command line
Commands
VTYSH
Example: NS# VTYSH
136
Commands
sh ipv6 rip
Specifies Displays the updated IPv6 RIP routing table.
Example: NS# sh ipv6 rip sh ipv6 rip interface vlan_name
Displays IPv6 RIP information for the specified VLAN.
Example: NS# sh ipv6 rip interface VLAN0
Using IPv6 OSPF

IPv6 OSPF or OSPF version 3 (OSPF v3) is a link state protocol that is used to exchange IPv6 routing information.
Prerequisites
The procedures in this topic require some knowledge of the IPv6 OSPF protocol. Before you begin configuring IPv6 OSPF, do the following: Install the IPv6PT license on the NetScaler for supporting IPv6. Enable the IPv6 feature by using the configuration utility or NetScaler command line.
Enabling IPv6 OSPF

You can enable IPv6 OSPF by using only the VTYSH command line. When IPv6 OSPF is enabled, the NetScaler starts the IPv6 OSPF daemon and when disabled, the NetScaler stops the IPv6 OSPF daemon.
Chapter 4 To enable IPv6 OSPF by using the VTYSH command line
IP Routing
137
Commands
VTYSH
Example: NS# configure terminal ns IPv6-routing
Starts IPv6 dynamic routing process.
Example: NS(config)# ns IPv6routing interface vlan_name
Enters into the VLAN configuration mode.
Example: NS(config)# interface vlan0 ipv6 router OSPF area area-id
Starts IPv6 OSPF routing process on a VLAN.
Example: NS(config-if)# ipv6 router OSPF area 3
Configuring IPv6 OSPF

You can configure OSPF on an existing route. In addition to the basic configuration, you can configure route learning and route advertising. If necessary, you can limit OSPF propagation.
138

IPv6 OSPF enables an upstream router to load balance traffic between two identical vservers hosted on two standalone NetScaler devices. By using route advertising, an upstream router can track network entities located behind the NetScaler. The following table describes the commands you have to set to advertise routes.
To configure IPv6 OSPF to advertise IPv6 routes by using the VTYSH command line
Commands
VTYSH
Example: NS# configure terminal router ipv6 OSPF
Starts IPv6 OSPF routing process and enters into configuration mode for the routing process.
Example: NS(config)# router ipv6 OSPF redistribute static
Example: NS(config-router)# redistribute static redistribute kernel
Example: NS(config-router)# redistribute kernel
Chapter 4
IP Routing
139
Limiting IPv6 OSPF Propagations

If you need to troubleshoot your configuration, you can configure the listen-only mode on any given VLAN. The following table describes the commands you have to set a VLAN for listen-only mode.
To limit IPv6 OSPF propagation by using the VTYSH command line
Commands
VTYSH
Example: NS# configure terminal router ipv6 OSPF
Starts IPv6 OSPF routing process and enters into configuration mode for the routing process.
Example: NS(config)# router ipv6 OSPF passive-interface vlan_name
Suppresses routing updates on interfaces bound to the specified VLAN.
Example: NS(config-router)# passiveinterface VLAN0
140
Verifying IPv6 OSPF Configuration

To view the IPv6 OSPF settings by using the VTYSH command line
Commands
VTYSH
Example: >VTYSH sh ipv6 OSPF neighbor
Displays current neighbors.
Example: NS# sh ipv6 OSPF neighbor sh ipv6 OSPF route
Displays IPv6 OSPF routes.
Example: NS# sh ipv6 OSPF route
Installing Routes to the NetScaler Routing Table

For a NetScaler to use routes learned by various routing protocols, you need to install these routes to the appliance's routing table.
To install various routes to the internal routing table by using the VTYSH command line
At the NetScaler command prompt, type the following commands for the routes you want to install:
Commands
VTYSH
Example: >VTYSH
Chapter 4
IP Routing
141
Commands
configure terminal Example: NS# configure terminal ns route-install Default
Specifies Enters into global configuration mode.
Installs IPv4 default routes to the internal routing table.
Example: NS# ns route-install Default ns route-install RIP
Installs IPv4 RIP specific routes to the internal routing table.
Example: NS(config)# ns route-install RIP ns route-install BGP
Installs IPv4 BGP specific routes to the internal routing table.
Example: NS(config)# ns route-install BGP ns route-install OSPF
Installs IPv4 OSPF specific routes to the internal routing table.
Example: NS(config)# ns route-install OSPF ns route-install IPv6 Default
Installs IPv6 default routes to the internal routing table.
Example: NS# ns route-install IPv6 Default ns route-install IPv6 RIP
Installs IPv6 RIP specific routes to the internal routing table.
Example: NS(config)# ns route-install IPv6 RIP ns route-install IPv6 BGP
Installs IPv6 BGP specific routes to the internal routing table.
Example: NS(config)# ns route-install IPv6 BGP
142
Commands
ns route-install IPv6 OSPF
Specifies Installs IPv6 OSPF specific routes to the internal routing table.
Example: NS(config)# ns route-install IPv6 OSPF
Configuring Route Health Injection

The NetScaler uses RIP, OSPF, and BGP to advertise routes to networks and/or VIPs owned by the NetScaler and to the neighboring router. For VIPs owned by the NetScaler, the advertisement of host routes depends on the state of the entity associated with the host route. These entities are vservers, services, or other downstream devices. If an entity is not active, its host route is not advertised. This controlled advertisement of host routes through the routing protocol is known as Route Health Injection (RHI).
Enabling RHI
Use either of the following procedures to enable RHI. (The procedures include examples for enabling RHI for the IPv4 VIP 10.102.29.54, so that the NetScaler advertises the host route associated with this IP address.)
To enable RHI using the configuration Utility
1. 2.
In the navigation pane, expand Network and click IPs. On the IPs page, on the IPV4s tab, select the vserver IP address for which you want to enable RHI (for example, select 10.102.29.54), and then click Open. In the Configure IP dialog box, under Host Route, select the Enable check box. Click OK.
3. 4.
To enable RHI using the NetScaler command line

set ip IPAddress -hostroute Value
Example
set ip 10.102.29.54 -hostroute enabled
Chapter 4
IP Routing
143
Note: To enable RHI for IPv6 addresses, use the same procedure but with an IPv6 address. For more information on the parameters, see Customizing VIP IPv6 Addresses, on page 172.
Limiting Host Route Advertising for VIPs

If a VIP represents primary and backup vservers, the state of the VIP depends on the effective state of the vservers it represents. By default, a host route associated with a VIP is not advertised if the effective state of the vserver is either DOWN or DISABLED. The effective state of a VIP is UP if either the primary vserver or a backup vserver is UP. For example, the following table lists the possible effective states of a VIP assigned to a primary vserver that has only a single backup. Establishing Effective State of the VIP
State of the Primary Vserver UP UP DOWN DOWN State of the Backup Vserver UP DOWN UP DOWN Effective State of the VIP UP UP UP DOWN Advertising of RHI Routes Yes* Yes* Yes* No*
Advertising of RHI host routes depends on the vserver RHI level setting, as shown in the following table. Limiting Route Advertising Parameters for VIPs
VserverRHILevel Setting ONE_VSERVER ALL_VSERVERS None Specifies Host route is advertised when at least a single vserver is running. Host route is advertised only when all the vservers are running. Host route is advertised when none of the vservers are running.
In the configuration utility, you can set the vserver RHI level in either the Create IP or the Configure IP dialog box. At the NetScaler command line, enter one of the settings shown in the preceding table as the value for the vserverRHILevel argument of either the add ns ip or set ns ip command. For more information on the parameters required, see Customizing the Attributes of a VIP, on page 3.
144
Advertising Networks
The following table describes the required parameters for advertising networks for RHI. Route Advertising for RHI
Parameter Network
(network)
Specifies Destination network. Subnet mask of the destination network. Gateway for this route. Advertise this route. Possible values: DISABLED and ENABLED.
Netmask
(netmask)
Gateway IP
(gateway)
Over-ride Global
(advertise)
Use either of the following procedure to advertise networks. (The procedures include examples that set the first IP address in the network to 10.102.29.0, the subnet mask of the network to 255.255.255.0, and the gateway for the network to 10.102.29.50. The dynamic routing protocol is set to OSPF, but RIP and BGP are also valid choices.)
To advertise networks using the configuration utility
1. 2. 3.
In the navigation pane, expand Network, click Routes, and then click the Basic tab. In the details pane, click Add. In the Create Route dialog box, in the Network, Netmask and Gateway IP text boxes, respectively, type the network, subnet mask and the gateway IP address for the network you want to advertise (for example, 10.102.29.0, 255.255.255.0, and 10.102.29.50). Under Route Advertisement, select the Over-ride Global check box. Select Enable. Under Protocol, select a check box (for example, OSPF). Click Create and click Close.
4. 5. 6. 7.
Chapter 4 To advertise networks using the NetScaler command line
IP Routing
145

add route IPAddress Subnetmask GatewayIPAddress -advertise Value -protocol Protocol Example add route 10.102.29.0 255.255.255.0 10.102.29.50 -advertise ENABLED -protocol OSPF
Note: If you have configured static routes on the NetScaler and enabled L3 mode, static routes configuration takes precedence over the L3 mode configuration. For instance, if you have configured a firewall load balancing vserver and static routes on the NetScaler, the NetScaler uses the routing table to route the traffic instead of sending the traffic to the firewall load balancing vserver.
Displaying Routes Learned Through Dynamic Routing Protocols

You can view all routes in the routing table. Dynamically installed routes are marked as DYNAMIC.
To view the routes using the configuration utility
In the navigation pane, expand Network, and click Routes. The Basic page appears in the details pane. The information about the networks, subnet mask, gateway IP, costs, flags and route advertising appear on the Routes page.
To view the routes using the NetScaler command line

show route
Configuring Static Routes

Static routes are manually created to improve the performance of your network. You can monitor static routes to avoid service disruptions. Also, you can assign weights to ECMP routes, and you can create null routes to prevent routing loops.
146
Monitored Static Routes

If a manually created (static) route goes down, a backup route is not automatically activated. You must manually delete the inactive primary static route. However, if you configure the static route as a monitored route, the NetScaler can automatically activate a backup route. Static route monitoring can also be based on the accessibility of the subnet. A subnet is usually connected to a single interface, but it can be logically accessed through other interfaces. Subnets bound to a VLAN are accessible only if the VLAN is up. VLANs are logical interfaces through which packets are transmitted and received by the NetScaler. A static route is marked as DOWN if the next hop resides on a subnet that is unreachable. Note: In a high availability (HA) setup, the default value for monitored state routes (MSRs) on the secondary node is UP. The value is set to avoid a state transition gap upon failover, which results in dropping packets on those routes. Consider the following simple topology where a NetScaler is load balancing traffic to a site across multiple servers.
Chapter 4
IP Routing
147
Router R1 moves traffic between the client and the NetScaler appliance. The NetScaler can reach servers S1 and S2 through routers R2 or R3. NetScaler has two static routes to reach the servers subnet, one with R2 as the gateway and another with R3 as the gateway. Both these routes have monitoring enabled. The administrative distance of the static route with gateway R2 is lower than that of the static route with gateway R3. Therefore, R2 is preferred over R3 to forward traffic to the servers. Also, the default route on the NetScaler points to R1 so that all Internet traffic exits properly. If R2 fails as monitoring is enabled on the static route, which is with R2 as the gateway, the NetScaler marks it as DOWN. The NetScaler now uses the R3 static route as the gateway and forwards the traffic to the servers through R3. NetScaler supports monitoring of IPv4 as well IPv6 as static routes. You can configure the NetScaler to monitor an IPv4 static route either by creating a new ARP or PING monitor or by using existing ARP or PING monitors. You can configure the NetScaler to monitor a IPv6 static route either by creating a new ND6 or PING monitor or by using existing ND6 or PING monitors. NetScaler supports monitoring of IPv4 as well IPv6 as static routes. You can configure the NetScaler to monitor an IPv4 static route either by creating a new ARP or PING monitor or by using existing ARP or PING monitors. You can configure the NetScaler to monitor a IPv6 static route either by creating a new Neighbor discovery for IPv6 (ND6) or PING monitor or by using the existing ND6 or PING monitors.
Weighted Static Routes

When the NetScaler makes routing decisions involving routes with equal distance and cost, that is, Equal Cost Multi-Path (ECMP) routes, it balances the load between them by using a hashing mechanism based on the source and destination IP addresses. For an ECMP route, however, you can configure a weight value. The NetScaler then uses both the weight and the hashed value for balancing the load.
Null Routes
If the route chosen in a routing decision is inactive, the NetScaler chooses a backup route. If all the routes become inaccessible, the NetScaler might reroute the packet to the sender, which could result in a routing loop leading to network congestion. To prevent this situation, you can create a null route, which adds a null interface as a gateway. The null route is never the preferred route, because it has a higher administrative distance than the other static routes. But it is selected if the other static routes become inaccessible. In that case, the NetScaler drops the packet and prevents a routing loop.
148
Adding a Static Route

You can add a simple static route or a null route by setting a few parameters, or you can set additional parameters to configure a monitored or monitored and weighted static route. The following table describes the parameters for configuring a static route. Basic Static Route Parameters
Parameter Network
(network)
Specifies Network for which the route is being created. Subnet mask for the network
Netmask (netmask) Null Route

(null)
Drop the packets this route receives. Possible values: Yes and No. Default: No. Null routes have a fixed distance of 255. Gateway for this route. Administrative distance of this route. Possible values: 1 through 255. Default: 1. Value used by the routing algorithms to compare performance. Route having lowest cost is the most preferred route. Value that this parameter can take is between 0 and 65535. Value to facilitate balancing the load on ECMP routes. This value is compared with the hashed value of the packet and a route is chosen. Specific to ECMP routes. Possible values: 1 to 65535. Default: 1. State of advertisement of this route. Possible values: Enabled or Disabled. Default: Enabled. Routing protocols used for advertising routes. Possible values: OSPF, RIP, and BGP. Monitor this route. Possible values: Enabled and Disabled. Default: Disabled. Type of monitor. Determines the protocol used for monitoring the route (for example, PING or ARP).
Gateway IP
(gateway)
Distance
(distance)
Cost
(cost)
Weight
(weight)
Over-ride Global
(advertise)
Protocol
(protocol)
Monitored Static Route

(msr)
Monitor
(monitor)
Chapter 4
IP Routing
149
The following procedure includes sample IP addresses that you could use to create three different static routes. By performing the procedure three times, and using different values each time, you could create a simple static route to destination network 192.168.20.0 with a gateway IP of 192.168.20.2, a null route to destination 10.10.1.0, and a monitored static route to destination 192.168.10.0 with a gateway IP of 192.168.10.10.
To create a static route using the configuration utility
1. 2. 3.
In the navigation pane, expand Network, expand Routing, and click Routes. In the details pane, on the Basic tab, click Add. In the Create Route dialog box, in the Network, Netmask, and Gateway IP text boxes, type the network IP address, the subnet mask of the network and the Gateway IP address (for example, 192.168.20.0, 255.255.255.0, or 10.10.1.0 and 255.255.255.0, or 192,168,10.0 and 255.255.255.0). If you are creating a null route, set the NULL Route radio button to Yes, and then click Create and Close. If this is not to be a null route, leave the radio button set to No and proceed with the following steps. In the Gateway IP textbox, enter the Gateway IP address (for example, 192.168.20.2 or 192.168.10.10). In the Cost textbox, type the cost metric of the route (for example, 2). Optionally, to assign a weight to the route, change the value in the Weight text box from the default value of 1 to a higher value. Optionally, to advertise the route, select the Over-ride Global checkbox, and then select the Enable radio button. To create an unmonitored static route, click Create, and then click Close. To create a monitored static route, proceed with the following steps. In the Distance textbox, type the administrative distance of the route (for example, 3). Select the Monitored Static Route check box. In the Monitor list box, select the monitor that you want to use for monitoring the static route (for example, PING). Click Create, and then click Close.
4.
5. 6. 7. 8. 9. 10. 11.
12.
To create a static route using the NetScaler command line

add network route Network Netmask GatewayIPAddress cost Value advertise Value
150

add network route 192.168.20.0 255.255.255.0 192.10.20.2 cost 2 advertise enabled
To create a monitored static route using the NetScaler command line

add network route Network Netmask Gateway IP -weight Value distance Value msr Value monitor Value
Example
add network route 192.168.10.0 255.255.255.0 192.168.10.10 -weight 5 distance 3 msr ENABLED monitor PING
To add a null route using the NetScaler command line
At the NetScaler command prompt type,

add network route Network Netmask null
Example
add network route 10.10.1.0 255.255.255.0 null
Customizing a Static Route

You can change the parameters of a static route. For example, you might want to assign a weight to an unweighted route, or you might want to disable monitoring on a monitored route. In the configuration utility, you just open the route and specify a new value or values. To modify a route at the NetScaler command line, you specify the route, the parameter(s) to be changed, and the new value(s).
To customize a static route using the configuration utility
1. 2. 3.
In the navigation pane, expand Network, expand Routing, and click Routes. On the Routes page, click the Basic tab, select the route you want to modify (for example, 192.168.10.0), and then click Open. In the Configure Route dialog box, which contains the same elements as does the Add Route dialog box as described in Adding a Static Route, on page 148, change one or more values. To change a text field, select it and enter a new value. (For example, in the Weight text box, you could enter a value such as 5.) To change values that do not have text fields, select or clear check boxes as appropriate, or select a different radio button. (For example, to disable monitoring of the route, clear the Monitored Static Route check box.)
4.
Chapter 4
IP Routing
151
5.
Click Create and then click Close.
To assign weights to a monitored static route using the NetScaler command line

set network route Network Netmask GatewayIPAddress weight Value
Example
set network route 192.168.10.0 255.255.255.0 192.10.10.10 weight 5
To disable monitoring of a static route using the NetScaler command line
At the NetScaler command prompt type,

set network route Network Netmask GatewayIPAddress msr Value
Example
set network route 192.168.10.0 255.255.255.0 192.10.10.0 msr disabled
Removing a Static Route

Use either of the following procedures to remove a static route. The procedures include examples for removing the static route created in an earlier example.
To remove a route using the configuration utility
1. 2. 3.
In the navigation pane, expand Network, expand Routing, and click Routes. On the Routes page, click the Basic tab, select the route you want to remove (for example, 192.168. 20.2), and then click Remove. In the Remove dialog box, click Yes.
To remove a static route using the NetScaler command line

rm network route Network Netmask GatewayIPAddress
Example
rm network route 192.168.20.0 255.255.255.0 192.10.20.2
152
Configuring IPv6 Static Routes

You can configure a maximum of six default IPv6 static routes. IPv6 routes are selected based on whether the MAC address of the destination device is reachable. This can be determined by using the IPv6 Neighbor Discovery feature. Routes are load balanced and only source/destination-based hash mechanisms are used. Therefore, route selection mechanisms such as round robin are not supported. The next hop address in the default route need not belong to the NSIP subnet.
Adding an IPv6 Route

The following table describes the parameters used to add an IPv6 route. Parameters for creating an IPv6 Route
Parameter Network
(network)
Specifies Network for which the route is being created. Mandatory. Gateway for this route. Mandatory. Virtual LAN (VLAN) number associated with the route. Possible values: 1 to 4094. Default: 0. Mandatory for linklocal address type. Administrative distance of this route. Possible values: 1 through 255. Default: 1 Value used by the routing algorithms to compare performance. Route having lowest cost is the most preferred route. Possible values: 0 to 65535. Value for balancing the load on ECMP routes. This value is compared with the hashed value of the packet and a route is chosen. Specific to ECMP routes. Possible values: 1 to 65535. Default: 1. Advertise this route. Possible values: Enabled and Disabled. Default: Enabled. Monitor this route. Possible values: Enabled and Disabled. Default: Disabled. A ND6 or a PING monitor that will be used for monitoring the IPv6 static route.
Gateway IP
(gateway)
VLAN
(vlan)
Distance
(distance)
Cost
(cost)
Weight
(weight)
Advertise
(advertise)
Monitored Static Route

(msr)
Monitor
(monitor)
Use either of the following procedures to add an IPv6 route.
Chapter 4 To add an IPv6 route using the configuration utility
IP Routing
153
1. 2. 3.
In the navigation pane, expand Network, expand Routing, and click Routes. On the Routes page, click the IPv6 tab, and then click Add. In the Create IPv6 Route dialog box, in the Network, Gateway IP text boxes, type the network, Gateway IP address, for which you want to add a route (for example, ::/0 and fe80::67). If you are adding a link-local IP address, in the VLAN text box, type the VLAN for which you want add the route (for example, 5). To create an unmonitored static route, click Create, and then click Close. To create a monitored static route, proceed with the following steps. In the Distance text box, type the administrative distance of the route (for example, 3). Select the Monitored Static Route check box. In the Monitor list box, select the monitor that you want to use for monitoring the static route (for example, ND6). Click Create, and then click Close.
4. 5. 6. 7. 8. 9.
To add a IPv6 route using the NetScaler command line

add route6 Network GatewayIPAddress -vlan Value
Example
add route6 ::/0 fe80::67 -vlan 5
To create a monitored IPv6 static route by using the NetScaler command line

add network route6 Network Gateway IP -distance Value -msr Value monitor monitor name
Example
add network route6 ::/0 fe80::67 -distance 3 -msr ENABLED monitor ND6
Removing an IPv6 Route

Use either of the following procedures to remove an IPv6 route from the NetScaler.
154
Citrix NetScaler Networking Guide To remove an IPv6 route using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network, expand Routing, and click Routes. On the Routes page, click the IPV6 tab. Select the network from which you want to remove the route (for example, ::/0), and then click Remove. In the Remove dialog box, click Yes.
To remove an IPv6 route using the NetScaler command line

rm route6 Network GatewayIPAddress
Example
rm route6 ::/0 2001::1
Customizing an IPv6 Route

The following procedure describes the steps to customize a configured IPv6 route. Parameters for customizing an IPv6 Route
Parameter Distance
(distance)
Specifies Administrative distance of this route. Possible values: 1 through 255. Default: 1 Value used by the routing algorithms to compare performance. Route having lowest cost is the most preferred route. Possible values: 0 to 65535. Value for balancing the load on ECMP routes. This value is compared with the hashed value of the packet and a route is chosen. Specific to ECMP routes. Possible values: 1 to 65535. Default: 1. Advertise this route. Possible values: Enabled and Disabled. Default: Enabled.
Cost
(cost)
Weight
(weight)
Advertise
(advertise)
To customize an IPv6 route using the configuration utility
1. 2. 3.
In the navigation pane, expand Network, expand Routing, and click Routes. On the Routes page, click the IPV6 tab. Select the network that you want to customize (for example, ::/0) and click Open.
Chapter 4
IP Routing
155
4.
In the Configure IPv6 Route dialog box, in the Distance, Cost, and Weight text boxes, modify the distance, cost, and weight (for example, 1, 2, and 5). To enable advertising the IPv6 route, select the Advertise check box.
5.
To customize an IPv6 route using the NetScaler command line

set route6 Network GatewayIP -distance Value -cost Value -advertise Value
Example
set route6 1::1/100 2000::1 -distance 1 -cost 2 -advertise Enabled

Use either of the following procedures to display the configured IPv6 routes so that you can verify the settings.
To display the IPv6 routes using the configuration utility
1. 2.
In the navigation pane, expand Network, and then click Routes. On the Routes page, click the IPV6 tab.
To display the IPv6 routes using the NetScaler command line

show route6
Configuring Policy Based Routes

Policy based routing bases routing decisions on criteria that you specify. A policy based route (PBR) specifies criteria for selecting packets and a next hop to which to send the selected packets. For example, you can configure the NetScaler to route outgoing packets from a specific IP address or range to a particular next hop router. Each packet is matched against each configured PBR, in the order determined by the specified priorities, until a match is found. If no match is found, or if the matching PBR specifies a DENY action, the NetScaler applies the routing table for normal destination-based routing. A PBR bases routing decisions for the data packets on parameters, such as source IP address, source port, destination IP address, destination port, protocol, and source MAC address. A PBR defines the conditions that a packet must satisfy for the NetScaler to route the packet. These actions are known as processing modes. The processing modes are:
156
ALLOW The NetScaler sends the packet to the desired next-hop router. DENY The NetScaler applies the routing table for normal destinationbased routing.
Also the NetScaler process PBRs before the RNAT rules. Many users begin by creating PBRs and then modifying them. To activate a new PBR, you must apply it. To deactivate a PBR, you can either remove or disable it. You can change the priority number of a PBR to give it a higher or lower precedence.
Creating a PBR
You cannot create two PBRs with the same parameters. If you attempt to create a duplicate, an error message appears. The following table describes the parameters you use to create a basic PBR. Basic Parameters for configuring a PBR
Parameter Name (name) Next Hop (nexthop) Source IP Address (subnet or host)
(srcIP)
Specifies An alphanumeric name of the PBR.
The IP address of the next hop router to which to send matching packets if action is set to ALLOW. The IP address of the source machine. You can specify a range or a specific IP address. To specify a specific address, type the same value for both the beginning and the end of the range. You can also specify an IP address with a value 0.0.0.0. The action to perform on packets that match the PBR. Possible values: ALLOW and DENY. Either the = or the != operator.
Action
(action)
Operator
(operator)
To create a PBR by using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network, and then click PBRs. In the details pane, click Add. In the Add PBR dialog box, in the Name text box, type the name of the PBR (for example, p1). In the Action list, select the action that you want to configure (for example, Allow).
Chapter 4
IP Routing
157
5. 6. 7.
In the Next Hop text box, type the IP address of the next hop router (for example, 10.102.1.1). In IP Address, under Source, in the Operator list, select the operator. In the Low and High text boxes, respectively, type the lowest and highest IP address in the range that you want to specify (for example, 10.102.0.0 10.102.255.255). To specify a single IP address, type the same address in both boxes. Click Create, and then click Close. The PBR you created appears on the PBRs page.
8.
To create a PBR by using the NetScaler command line

add ns PBR PBRname PBRaction -srcip SourceIPAddressRange -nexthop NextHopIPaddress
Example
add ns PBR p11 ALLOW -srcip 10.102.0.0-10.102.255.255 -nexthop 10.102.1.1
Applying a PBR
You must apply a PBR to activate it. The following procedure reapplies all PBRs that you have not disabled. The PBRs constitute a memory tree (lookup table). For example, if you create 10 PBRs (p1 - p10), and then you create another PBR (p11) and apply it, all of the PBRs (p1 - p11) are freshly applied and a new lookup table is created. If a session has a DENY PBR related to it, the session is destroyed. You must apply this procedure after every modification you make to any PBR. For example, you must follow this procedure after disabling a PBR. Note: PBRs created on the NetScaler do not work until they are applied.
To apply a PBR by using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network, and then click PBRs. In the details pane, select the PBR that you want to apply (for example, p1). Click Commit. In the Apply PBR(s) dialog box, click Yes.
158
Citrix NetScaler Networking Guide To apply a PBR by using the NetScaler command line

apply ns PBRs
Removing PBRs
You can remove a single PBR or all PBRs.
To remove one or all PBRs by using the configuration utility
1. 2. 3.
In the navigation pane, expand Network, and then click PBRs. To remove a single PBR, in the details pane, select the PBR that you want to remove (for example, p1), and then click Remove. To remove all PBRs, click Clear.
To remove one or all PBRs by using the NetScaler command line
At the NetScaler command prompt, type one of the following commands. Use the first command to remove a specific PBR or the second command to remove all PBRs.
rm ns PBR PBRname clear ns PBRs
Example
rm ns PBR p1
Enabling and Disabling PBRs

By default, the PBRs are enabled. This means that when PBRs are applied, the NetScaler automatically compares incoming packets against the configured PBRs. If a PBR is not required in the lookup table, but it needs to be retained in the configuration, it must be disabled before the PBRs are applied. After the PBRs are applied, the NetScaler does not compare incoming packets against disabled PBRs.
To enable or disable a PBR by using the configuration utility
1. 2.
In the navigation pane, expand Network, and then click PBRs. In the details pane, select the PBR (for example, p1) and do one of the following: To enable the PBR, click Enable. To disable the PBR, click Disable.
Chapter 4
IP Routing
159
To enable or disable a PBR by using the NetScaler command line

enable ns PBR PBRname disable ns PBR PBRname
Examples
enable ns PBR p1 disable ns PBR p1
Modifying PBRs
You can configure the priority of a PBR. The priority (an integer value) defines the order in which the NetScaler evaluates PBRs. All priorities are multiples of 10, unless you configure a specific priority to an integer value. When you create a PBR without specifying a priority, the NetScaler automatically assigns a priority that is a multiple of 10. If a packet matches the condition defined by the PBR, the NetScaler performs an action. If the packet does not match the condition defined by the PBR, the NetScaler compares the packet against the PBR with the next-highest priority. To modify the PBR, use the parameters described in the following table. Parameters for customizing a PBR
(srcPort)
Specifies The port address of the source machine. You can specify either a range or a specific port address. The IP address of the destination machine. You can specify a range or a specific address. You can also specify an IP address with a value of 0.0.0.0. The port address of the destination machine. You can specify either a range or a specific port address. You can also specify a port address with a value of 0. The MAC address of the source machine. Only the last 32 bits are considered during a lookup. Protocol field in the IP header. Possible values: ICMP, IGMP, TCP, EGP, IGP, ARGUS, UDP, RDP, RSVP, EIGRP, L2TP, and ISIS. The IP protocol number (decimal). The minimum value is 1 and the maximum value is 255. The VLAN ID present in the VLAN tag of the packet. The minimum value is 1 and the maximum value is 255.

(destIP)
Destination PORT
(destPort)
Source MAC Address

(srcMac)
Protocol
(protocol)
Protocol Number
(protocolNumber)
VLAN ID
(vlan)
160
Parameters for customizing a PBR

Parameter Interface
(interface)
Specifies The network interface on which the packet arrived. The state of the PBR. Possible Values: ENABLED, DISABLED. Default: ENABLED The priority of the PBR. Minimum value: 0. Maximum value: 10240
State
(state)
Priority
(priority)
Consider the following example. Two PBRs, p1 and p2, are configured on the NetScaler and automatically assigned priorities 20 and 30. You need to add a third PBR, p3, to be evaluated immediately after the first PBR, p1. The new PBR, p3, must have a priority between 20 and 30. In this case, you can specify the priority as 25.
To modify the priority of a PBR by using the configuration utility
1. 2. 3. 4. 5.
In the navigation pane, expand Network, and then click PBRs. In details pane, select the PBR that you want to modify (for example, p1). Click Open. In the Modify PBR dialog box, in the Priority text box, type the priority that you want to configure on the PBR (for example, 20). Click OK.
To modify the priority of a PBR by using the NetScaler command line

set PBR PBRname -priority Value
Example
set PBR p1 -priority 20
Renumbering PBRs
You can automatically renumber the PBRs to set their priorities to multiples of 10.
To renumber PBRs by using the configuration utility
1. 2.
In the navigation pane, expand Network, and then click PBRs. In the details pane, click Renumber Priority (s).
Chapter 4
IP Routing
161
3.
In the Renumber Priority(s) PBR(s) dialog box, click Yes.
To renumber PBR by using the NetScaler command line

renumber ns PBRs
Troubleshooting Routing Issues

To make your troubleshooting process as efficient as possible, begin by gathering information about your network and learning how to perform troubleshooting procedures. You need to obtain the following information about the NetScaler and other systems in the Network: Complete Topology diagram, including interface connectivity and intermediate switch details. Running Configuration. You can use the show running command to get the running configuration for ns.conf and ZebOS.conf. Output of the History command, to determine whether any configuration changes were made when the issue arose. Output of the Top and ps -ax commands, to determine whether any routing daemon is overutilizing the CPU or is misbehaving. Any routing related core files in /var/core - nsm, bgpd, ospfd, or ripd. Check the timestamp to see if they are relevant. dr_error.log and dr_info.log files from /var/log. Output of the date command and time details for all relevant systems. Print dates across all devices one after another, so that the times on the log messages can be correlated with various events. Relevant ns.log, newnslog files. Configuration files, log files and command history details from upstream and downstream routers.
Generic Routing FAQs

Users typically have the following questions about how to troubleshoot generic routing issues: How do I enable Health Monitoring for CS vservers?
162
By default, the states of content switching vservers are not updated. Therefore, these servers always remain up, which prevents RHI from working effectively for cs vservers. Use the nsapimgr knob to enable updating CS vserver states.
root@ns# nsapimgr -y -s csw_state_update=1
How do I save the config files? The write command from VTYSH saves only ZebOS.conf. Run the save config command from nscli to save both ns.conf and ZebOS.conf files.
If I have configured both a static default route and a dynamically learned default route, which is the preferred default route? The dynamically learned route is the preferred default route. This behavior is unique to default routes. However, in case of the Network Services Module (NSM), unless the administrative distances are modified, a statically configured route in the RIB is preferred over a dynamic route. The route that is downloaded to the NSM FIB is the static route.
How do I block the advertisement of default routes? After release 7.0, the default route is not injected into ZebOS. However, if you are working with 7.0 or an earlier release, you must apply a suitable route map in the redistribute kernel command for each protocol to block default route advertisement. For example:
ns(config)#access-list 1 deny 0.0.0.0 ns(config)#access-list 2 permit any ns(config)#route-map redist-kernel permit 5 ns(config-route-map)#match ip address 1 ns(config)#route-map redist-kernel permit 10 ns(config-route-map)#match ip address 2 ns(config-route-map)#q ns(config)#router ospf 1 ns(config-router)#redistribute kernel route-map redist-kernel ns(config-router)#q ns(config)#q ns#show route-map route-map redist-kernel, permit, sequence 5 Match clauses: ip address 1
Chapter 4
IP Routing
163
Set clauses: route-map redist-kernel, permit, sequence 10 Match clauses: ip address 2 Set clauses: ns#show access-list Standard IP access list 1 deny 0.0.0.0 Standard IP access list 2 permit any ns#
How do I view the debug output of networking daemons? You can write debugging output from networking daemons to a file by entering the following log file command from the global configuration view in VTYSH:
ns(config)#log file /var/ZebOS.log
With release 8.1, you can direct debug output to the console by entering the terminal monitor command from VTYSH user view.
ns#terminal monitor
How do I collect cores of running daemons? You can use the gcore utility to collect cores of running daemons for processing by gdb. This might be helpful in debugging misbehaving daemons without bringing the whole routing operation to a standstill.
gcore [-s] [-c core] [executable] pid
The -s option temporarily stops the daemon while gathering the core image. This is a recommended option because it guarantees that the resulting image shows the core in a consistent state.
root@ns#gcore -s -c nsm.core /netscaler/nsm 342
How do I reload ZebOS.conf without rebooting the NetScaler? The recommended method is to reload the configuration on the NetScaler through a reboot. Do not reload the ZebOS.conf file without rebooting the NetScaler except in unavoidable circumstances. To reload the ZebOS.conf file, you must: A. Kill all routing protocol daemons, such as nsm, ospfd, ripd, and bgpd.
164
B. C.
Edit the ZebOS.conf file or copy the ZebOS.conf file, and create a new one. Restart each daemon with the new config file.
How do I run a batch of ZebOS commands? You can run a batch of ZebOS commands from a file by entering the VTYSH -f <file-name> command. This does not replace the running configuration, but appends to it. However, by including commands to delete the existing configuration in the batch file and then add those for the new, desired configuration, you can use this mechanism to replace a specific configuration.
! router bgp 234 network 1.1.1.1 255.255.255.0 ! route-map bgp-out2 permit 10 set metric 9900 set community 8602:300 !
Troubleshooting OSPF Specific Issues

Before you start debugging any OSPF specific issue, you must collect information from the NetScaler and all systems in the affected LAN, including upstream and downstream routers. To begin, enter the following commands: 1. 2. 3. 4. 5. 6. show interface from both nscli and VTYSH show ip ospf interface show ip ospf neighbor detail show ip route show ip ospf route show ip ospf database summary A. If there are only few LSAs in the database, then enter show ip ospf database router, show ip ospf database network, show ip ospf database external, and other commands to get the full details of LSAs. If there are a large number of LSAs in the database, then enter the show ip ospf database self-originated command.
B. 7.
show ip ospf
Chapter 4
IP Routing
165
8. 9.
show ns ip This ensures that the details of all VIPs of interest are included. Get the logs from peering devices and run the following command:
gcore -s -c xyz.core /netscaler/ospfd <pid>
Note: The gcore command is non-disruptive. Collect additional information from the NetScaler as follows: 1. Enable logging of error messages by entering the following command from the global configuration view in VTYSH:
ns(config)#log file /var/ospf.log
2. 3.
Get the details of:

./nsconmsg -g ospf
For adjacency related defects, run the following command:

./nsapimgr -B "call nsospf_print_area"
Note: This command is not supported in NetScaler 9.2 nCore. 4. Enable debugging ospf events ifsm nfsm route and log them using the following command:
ns(config)#log file /var/ospf.log
Enable debug ospf lsa packet only if the number of LSAs in the database is relatively small (< 500).
166
C HAPTER 5
IP version 6
The NetScaler supports most, but not all, features of IPv6. You have to license the IPv6 feature before you can implement it. After setting up your basic configuration, you can configure neighbor discovery and router learning, and you can apply IPv6 support to various NetScaler features. In This Chapter IPv6 Features Implementing IPv6 Support Configuring Neighbor Discovery and Router Learning Adding IPv6 Support to NetScaler Features
IPv6 Features
The NetScaler supports both server-side and client-side IPv6. This means that the NetScaler can function as an IPv6 node. It can accept connections from IPv6 nodes (both hosts and routers) and from IPv4 nodes. Depending on the configuration of your servers, the NetScaler can perform Protocol Translation (RFC 2765) before sending traffic to the services. The following table shows which IPv6 features the NetScaler supports. Supported and Unsupported IPv6 Features
Features IPv6 addresses for SNIPs (NSIP6, VIP6, and SNIP6) Neighbor Discovery (Address Resolution, Duplicated Address Detection, Neighbor Unreachability Detection, Router Discovery, PD) Management Applications (ping6, telnet6, ssh6) Static Routing and Dynamic routing (OSPF) Port Based VLANs Access Control Lists for IPv6 addresses (ACL6) IPv6 Protocols (TCP6, UDP6, ICMP6, FTP6) Supported on NetScaler Yes Yes Yes Yes Yes Yes Yes
168
Supported and Unsupported IPv6 Features

Features Server Side Support (IPv6 addresses for vservers, services) Tools Support (Packet capture, nserrinject, nstxtest, nsapimgr, nsconmsg) USIP (Use source IP) and DSR (Direct Server Return) for IPv6 SNMP and CVPN for IPv6 HA with native IPv6 node address IPv6 addresses for MIPs Path-MTU discovery for IPv6 Supported on NetScaler Yes Yes Yes Yes No No No
Implementing IPv6 Support

IPv6 support is a licensed feature, which you have to enable before you can use or configure it. The next step is to add your IPv6 addresses. For most users, adding the addresses and customizing them are separate procedures, followed by verifying the configuration. You can display IPv6 statistics to monitor your configuration.
Enabling or Disabling IPv6

If IPv6 is disabled, the NetScaler does not process IPv6 packets. It displays the following warning when you run an unsupported command: "Warning: Feature(s) not enabled [IPv6PT]" The following message appears if you attempt to run IPv6 commands without the appropriate license: "ERROR: Feature(s) not licensed" After licensing the feature, use either of the following procedures to enable or disable IPv6.
To enable or disable IPv6 using the configuration utility
1. 2. 3.
In the navigation pane, expand System and click Settings. In the Settings page, under the Modes & Features group, click change advanced features. In the Configure Advanced Features dialog box, do one of the following: To enable IPv6, select the IPv6 Protocol Translation check box.
Chapter 5
IP version 6
169
4. 5.
To disable IPv6, clear the IPv6 Protocol Translation check box.
To enable or disable IPv6 using the NetScaler command line

enable ns feature Value disable ns feature Value
Example
enable ns feature ipv6pt disable ns feature ipv6pt
Adding an IPv6 Address

You can configure one global NSIP IPv6 address at run time. If you create a new global IPv6 NSIP, the old one is overwritten. The NetScaler is configured with one link local address that can be modified. Both of these addresses respond to ping, telnet, and ssh. You can configure NSIPs and SNIPs for management access. Management access is enabled by default for NSIP. However, it is disabled by default for SNIP. The NetScaler does not support MIPs with IPv6 addresses. If default routes are not configured, packets that do not belong to the NSIP subnet are dropped. The following table lists and describes the parameters required for adding a basic IPv6 address. IPv6 Basic Parameters
Parameters IPv6Address Scope
(scope)
Specifies Unique identification used to represent the NetScaler. IPv6 address. Mandatory parameter. Scope of the IPV6 address. Possible values: global and link-local. Default: global. Type of IPV6 address. Possible values: NSIP, SNIP, and VIP. Default: SNIP. Mapped IPV4 address for IPV6. All incoming requests are translated into a form that is acceptable to the servers by modifying the host header information.
Type
(type)
Mapped IP
(map)
The following procedure includes an example for adding fe80::2c0:95ff:fec5:d9b8 as a link-local IPv6 address.
170
Citrix NetScaler Networking Guide To add an IPv6 address using the configuration utility
1. 2. 3. 4. 5.
In the navigation pane, expand Network and click IPs. In the IPs page, on the IPV6s tab, click Add. In the Create IP6 dialog box, in the IPv6 Address text box, type the IPv6 address that you want to configure (for example, fe80::2c0:95ff:fec5:d9b8). In the Scope drop-down list box, select the scope of the IPv6 address (for example, link-local). Click Create and click Close.
To add an IPv6 address using the NetScaler command line

add nsip6 IPv6Address -scope Value
Example
add nsip6 fe80::2c0:95ff:fec5:d9b8 -scope link-local
The following procedure includes examples for adding a global IPv6 address (2002::50) with a specified prefix length (64). Note: You can configure only one link-local IPv6 address. The default linklocal IPv6 address type is SNIP.
To add an IPv6 address with prefix length using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click IPs. In the IPs page, click the IPV6s tab and click Add. In the Create IP6 dialog box, in the IPv6 Address text box, type the IPv6 address and prefix length that you want to configure (for example, 2002::50/64). In the Scope drop-down list box, select the scope of the IPv6 address (for example, global). In the Type drop-down list box, select the type of the IPv6 address (for example, NSIP). Click Create and click Close.
4. 5. 6.
To add an IPv6 address with prefix length using the NetScaler command line

add nsip6 IPv6Address/Prefixlen -scope Value -type Value
Chapter 5 Example
add nsip6 2002::50/64 -scope global -type NSIP
IP version 6
171
Customizing SNIP and NSIP IPv6 Addresses

You can access and manage the NetScaler through services such as Telnet, SSH, GUI, and FTP. These services can provide access to the NetScaler IP address (NSIP) and to Subnet IP addresses (SNIPs). The following table describes the parameters used to customize the SNIP and NSIP addresses. Customizable Parameters of SNIP and NSIP IPv6 Address
Parameter Telnet
(telnet)
Specifies Telnet access to the IPv6 address. Possible values: Enabled and Disabled. Default: Enabled. File Transfer Protocol (FTP) access to the IPv6 address. Possible values: Enabled and Disabled. Default: Enabled. Graphical User Interface (GUI) access to the IPv6 address. Possible values: Enabled, SECUREONLY, and Disabled. Default: Enabled. Secure Shell (SSH) access to the IPv6 address. Possible values: Enabled and Disabled. Default: Enabled. Simple Network Management Protocol (SNMP) access to the IPv6 address. Possible values: Enabled and Disabled. Default: Enabled. External access to the IPv6 address. Possible values: Enabled and Disabled. Default: Disabled. Enable dynamic routing on the IPv6 address. Possible values: Enabled and Disabled. Default: Disabled.
FTP
(ftp)
GUI
(gui)
SSH
(ssh)
SNMP
(snmp)
Management Access
(mgmtAccess)
Enable Dynamic Routing

(dynamicRouting)
The following procedures include examples for modifying IPv6 address 2008:0:0:0:0:0:0:13/128 to enable management access control. These procedures do not affect the existing connections.
To modify a SNIP or NSIP IPv6 address using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click IPs. In the IPs page, click the IPV6s tab and select the IP address that you want to modify (for example, 2008:0:0:0:0:0:0:13/64). Click Open.
172
4.
In the Configure IPV6 dialog box, select the parameter or parameters to enable (for example, under Application Access Controls, select the Enable Management Access control to support the below listed applications check box, and then select the application(s) to enable. Click OK.
5.
To modify an IPv6 address using the NetScaler command line

set ns ip6 IPAddress -Parameter value
Example
set ns ip6 2008:0:0:0:0:0:0:13/64 -mgmtAccess enabled
Customizing VIP IPv6 Addresses

The virtual server IPv6 address (VIP) is the IP address associated with a vserver. Specifying a VIP is not mandatory when you initially configure the NetScaler. You can host the same vserver on multiple NetScalers residing on the same broadcast domain by using ICMP attributes. The following table describes the parameters used to customize an IPv6 VIP address. Parameters of VIP IPv6 Address
Parameter ICMP
(icmp)
Specifies Use Internet Control Message Protocol (ICMP) to send error messages. The user network applications that use ICMP are ping and traceroute. Possible values: Enabled and Disabled. Default: Enabled. Vserver attribute of the IPv6 address. Possible values: Enabled and Disabled. Default: Enabled. Send neighbor discovery responses from this IPv6 address. Possible values: Enabled and Disabled. Default: Enabled. Advertising a route to this address. Possible values: Enabled and Disabled. Default: Disabled. IPv6 address of the network that is advertised as the route to connect the network to external networks such as the Internet. Default: 0 Value used by routing algorithms to compare performance of the route. The route with lowest metric is the preferred route. Based on the routing protocol selected, a default value is assigned to the route. To change the default value, assign a value to this parameter. Possible values: +a to -z.
Virtual Server
(virtualServer)
ND Responses
(nd)
Host Route
(hostRoute)
Host Route Gateway

(ip6hostRtGw)
metric
(metric)
Chapter 5
IP version 6
173
Parameters of VIP IPv6 Address

Parameter VIP RHI Controls
(vserverRHILevel)
Specifies Advertise the host route associated with the VIP when the specified vservers are UP. Possible values: ONE_VSERVER, ALL_VSERVERS, and NONE. Default: ONE_VSERVER. Route Advertisement type used by the OSPF6 protocol to discover and maintain neighbor relationships.Possible values: Intra_Area, External. Default: External. Logical collection of OSPF networks, routers, and links that are identified by an Area ID. Possible values: 0.
OSPF6 Route Adv Type

(ospf6LSAtype)
OSPF Area ID
(ospfArea)
If Host Route is disabled, this route is not advertised. The following procedure includes example for modifying VIP IPv6 address 2002:0:0:0:0:0:0:45/128 by enabling host route advertising and specifying OSPF advertising.
To modify a VIP IPv6 address using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network and click IPs. In the IPs page, click the IPV6s tab and select the VIP IPv6 address that you want to modify (for example, 2002:0:0:0:0:0:0:45/64). Click Open. In the Configure IPV6 dialog box, select or enter values for the parameters you want to set. For example, in the Host Route, VIP RHI Controls, and OSPF6 Route Adv Type list boxes, select the host route, VIP RHI controls, and OSPF6 route advertisement type (for example, enabled, ONE_VSERVER, External). Click OK.
5.
To modify an IPv6 address using the NetScaler command line

set ns ip6 IPAddress -Parameter value
Example
set ns ip6 2002:0:0:0:0:0:0:45/64 -mgmtAccess enabled

When your configuration is complete, display the IPv6 parameters to verify their settings.
174
Citrix NetScaler Networking Guide To display a configured IPv6 address using the configuration utility
In the navigation pane, expand Networks and click IPs. The IPs page appears in the details pane. Click the IPV6s tab. The IPs page displays the configured the IPv6 addresses, and for each address shows the state, scope, type, and mapped IP address. (To set a mapped IP address, see Host Header Modification, on page 184.)
To display a configured IPv6 address using the NetScaler command line

show ns ip6
Monitoring the Configuration

To monitor your configuration, you can display statistics for an IPv6 address. The following table describes the statistics associated with IPv6. IPv6 Statistics
Statistic IPv6 packets received IPv6 bytes received IPv6 packets transmitted IPv6 bytes transmitted IPv6 Fragments received TCP Fragments reassembled UDP Fragments reassembled IPv6 Fragments processed without reassembly IPv6 Fragments bridged IPv6 error hdr packets IPv6 unsupported next header Description IPv6 packets received Bytes of IPv6 data received IPv6 packets transmitted Bytes of IPv6 data transmitted IPv6 fragments received TCP fragments processed after reassembly TCP fragments processed after reassembly IPv6 fragments processed without reassembly IPv6 fragments forwarded to the client or server without reassembly Packets received that contain an error in one or more components of the IPv6 header. Packets received that contain an unsupported next header. The supported next headers are TCP, ICMP, UDP, OSPF, and FRAGMENT. Land-attack packets received. The source and destination addresses are the same. If not dropped, these packets can lock up the appliance. Packets received for which the reassembled data exceeds the Ethernet packet data length of 1500 bytes.
IPv6 Land-attacks
Reassembled data too big
Chapter 5
IP version 6
175
IPv6 Statistics
Statistic Zero fragment length received Description Packets received with a fragment length of 0 bytes.
Use either of the following procedures to display IPv6 statistics, such as the number of IPv6 packets transmitted and received and the number of IPv6 bytes transmitted and received.
To display the IPv6 statistics using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click IPs. In the IPs page, click the IPV6s tab and select the IPv6 address for which you want to view statistics. Click Statistics.
To view the IPv6 statistics using the NetScaler command line

stat protocol ipv6
Configuring Neighbor Discovery and Router Learning

The NetScaler supports neighbor discovery (ND) for IPv6. When the state of a vserver changes from DOWN to UP, the NetScaler sends gratuitous NA or unsolicited NA messages. The NetScaler also supports and router learning.
Neighbor Discovery
Neighbor discovery (ND) is one of the most important protocols of IPv6. It is a message-based protocol that combines the functionality of the Address Resolution Protocol (ARP), Internet Control Message Protocol (ICMP), and Router Discovery. ND allows nodes to advertise their link layer addresses and obtain the MAC addresses or link layer addresses of the neighboring nodes.This process is performed by the Neighbor Discovery protocol (ND6). Neighbor discovery can perform the following functions:
Router Discovery. Enables a host to discover the local routers on an attached link and automatically configure a default router. Prefix Discovery. Enables the host to discover the network prefixes for local destinations.
176
Note: Currently, the NetScaler does not support Prefix Discovery.

Parameter Discovery. Enables a host to discover additional operating parameters, such as MTU and the default hop limit for outbound traffic. Address Autoconfiguration. Enables hosts to automatically configure IP addresses for interfaces both with and without stateful address configuration services such as DHCPv6. The NetScaler does not support Address Autoconfiguration for Global IPv6 addresses. Address Resolution. Equivalent to ARP in IPv4, enables a node to resolve a neighboring node's IPv6 address to its link-layer address. Neighbor Unreachability Detection. Enables a node to determine the reachability state of a neighbor. Duplicate Address Detection. Enables a node to determine whether an NSIP address is already in use by a neighboring node. Redirect. Equivalent to the IPv4 ICMP Redirect message, enables a router to redirect the host to a better first-hop IPv6 address to reach a destination.
Note: The NetScaler does not support IPv6 Redirect. To enable neighbor discovery, you must create entries for the neighbors.
Adding IPv6 Neighbors

The following table describes the parameters required for adding an IPv6 neighbor. Neighbor Discovery Parameters
Parameter Neighbor
(neighbor)
Specifies IPv6 neighbor entry. Mandatory. Unique address assigned to identify the network appliance. Mandatory. The interface on which the MAC resides. Mandatory. Virtual LAN (VLAN) that the neighbor is part of.
MAC Address
(mac)
Interface
(ifnum)
VLAN
(vlan)
To add an IPv6 neighbor using the configuration utility
1.
In the navigation pane, expand Network and click IPv6 Neighbors.
Chapter 5
IP version 6
177
2. 3.
In the IPv6 Neighbors page, click Add. In the Create IPv6 Neighbor dialog box, in the Neighbor and MAC Address text boxes, respectively, type IPv6 address and MAC Address of the neighbour (for example, 3ffe:100:100::1, 00:d0:68:0b:58:da). If the neighbor is part of a VLAN, in the and VLAN field, type the VLAN ID (for example, 1). In the Interface list box, select the interface of the neighbour (for example, LO/1). Click Create, and click Close.
4. 5. 6.
To add an IPv6 neighbor using the NetScaler command line

add nd6 Neighbor MACAddress IFnum [-vlan Value]
Example
add nd6 3ffe:100:100::1 00:d0:68:0b:58:da 1/3 -vlan 1
Removing IPv6 Neighbors

Use either of the following procedures to remove a single Neighbor Discovery (ND6) entry from the NetScaler.
To remove a neighbor discovery entry using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click IPv6 Neighbor. In the IPv6 Neighbors page, select the neighbour entry that you want to remove (for example,3ffe:100:100::1). Click Remove.
To remove a neighbor discovery entry using the NetScaler command line

rm nd6 Neighbour -vlan Value
Example
rm nd6 3ffe:100:100::1 -vlan 1
Use either of the following procedures to clear the Neighbor Discovery (ND6) entries from the NetScaler.
To remove neighbor discovery entries using the configuration utility
1.
In the navigation pane, expand Network and click IPv6 Neighbor.
178
2.
In the IPv6 Neighbors page, click Clear.
To remove neighbor discovery entries using the NetScaler command line

clear nd6
Displaying Discovered Neighbors

Use either of the following procedures to display information about the neighbors configured for discovery.
To view discovered neighbors using the configuration utility
In the navigation pane, expand Network and click IPv6 Neighbor. The IPv6 Neighbors page appears in the details pane, displaying information about the Neighbors, MAC Address, VLAN, Interface, State, and Time parameters.
To view discovered neighbors using the NetScaler command line

show nd6
Router Learning
The NetScaler can learn default routers from RA and RS messages. However, the NetScaler ignores other properties in RA messages, such as prefix list and MTU. Use either of the following procedures to enable router advertisement learning.
To enable router discovery learning using the configuration utility
1. 2. 3. 4.
In the navigation pane, click Network. In the Network page, click the Router Advertisement Learning link. In the Configure RA Learning dialog box, select the Enable Router Advertisement Learning check box. Click OK.
To enable router discovery learning using the NetScaler command line

set ipv6 -ralearning Value
Example
set ipv6 -ralearning enabled
Chapter 5
IP version 6
179
Adding IPv6 Support to NetScaler Features

A number of NetScaler components use IPv6 addresses or support the use of IPv6 addresses. The following table lists components that support IPv6 addresses and the sections that document them. Components that support using of IPv6 addresses
NetScaler Component Network SSL Offload SSL Offload SSL Offload Load Balancing Load Balancing Load Balancing DNS Section that documents IPv6 support Adding, Customizing, Removing, Removing all, and Viewing routes. Creating IPv6 vservers for SSL Offload Specifying IPv6 SSL Offload Monitors Creating IPv6 SSL Offload Servers Creating IPv6 vservers for Load Balancing Specifying IPv6 Load Balancing Monitors Creating IPv6 Load Balancing Servers Creating AAAA Records Document Title
Citrix NetScaler Networking Guide Citrix NetScaler Traffic Management Guide Citrix NetScaler Traffic Management Guide Citrix NetScaler Traffic Management Guide Citrix NetScaler Traffic Management Guide Citrix NetScaler Traffic Management Guide Citrix NetScaler Traffic Management Guide Citrix NetScaler Traffic Management Guide
You can also configure LB, CS, and CR vservers with IPv6 addresses, and you can create IPv6 VLANs. You can configure host header modification to send IPv6 requests to servers with IPv4 addresses, and VIP insertion to enable the servers to identify IPv6 vservers that send requests.
Adding an IPv6 Vserver

The following procedures include examples for adding a vserver named VS1 of type HTTP with global IPv6 address 2002::45. The procedure fails if the IPv6 address of a vserver is not a global address.
To add an IPv6 vserver using the configuration utility
1. 2.
In the navigation pane, expand Load Balancing and click Virtual Servers. In the Load Balancing Virtual Servers page, click Add. The Create Virtual Servers (Load Balancing) dialog box appears.
180
3. 4. 5. 6.
Select the IPv6 check box. In the Name, Port, and IP Address text boxes, type the name, port, and IP address of the vserver (for example, vserver-LB-6, 80, and 2002::45/64). In the Protocol drop-down list box, select the type of the vserver, for example, HTTP. Click Create and click Close.
To add an IPv6 vserver using the NetScaler command line

add lb vserver Vservername Protocol IPv6Address Port
Example
add lb vserver vserver-LB-6 HTTP 2002::45/64 80
VLAN Support
If you need to send broadcast or multicast packets without identifying the VLAN (for example, during DAD for NSIP, or ND6 for the next hop of the route), you can configure the NetScaler to send the packet on all the interfaces with appropriate tagging. The VLAN is identified by ND6, and a data packet is sent only on the VLAN. For more information on ND6 and VLANs, see Adding IPv6 Neighbors. Port-based VLANs are common for IPv4 and IPv6. Prefix-based VLANs are supported for IPv6.
Simple Deployment Scenario

Following is an example of a simple load balancing set-up consisting of an IPv6 vserver and IPv4 services, as illustrated in the following topology diagram.
Chapter 5
IP version 6
181
IPv6 sample topology The following table summarizes the names and values of the entities that must be configured on the NetScaler. Entity values to be configured on the NetScaler
Entity Type LB Vserver Services Name VS1_IPv6 SVC1 SVC2 Value 2002::9 10.102.29.1 10.102.29.2
182
The following figure shows the entities and values of the parameters to be configured on the NetScaler.
IPv6 Entity Diagram To configure this deployment scenario, you need to do the following: 1. 2. 3. Create an IPv6 service Create an IPv6 LB vserver Bind the services to the vserver
The following procedure describes the steps to add two services, SVC1 and SVC2, of type HTTP.
To create the IPv4 services using the configuration utility
1. 2. 3.
In the navigation pane, expand Load Balancing and click Services. On the Services page, click Add. In the Create Service dialog box, in the Service Name, Server, and Port text boxes, type the name, IP address, and port of the service (for example, SVC1, 10.102.29.1, and 80). In the Protocol drop-down list box, select the type of the service (for example, HTTP). Click Create and click Close.
4. 5.
Chapter 5
IP version 6
183
6.
Repeat Steps 1-5 to create a service SVC2 with IP address 10.102.29.2 and port 80.
To create the IPv4 services using the NetScaler command line

add service Name IPAddress Protocol Port add service Name IPAddress Protocol Port
Example
add service SVC1 10.102.29.1 HTTP 80 add service SVC2 10.102.29.2 HTTP 80
You can use either of the following procedures to add an IPv6 vserver named VS1_IPv6 of type HTTP, with an IP address of 2002::9.
To create the IPv6 vserver using the configuration utility
1. 2. 3. 4. 5.
In the navigation pane, expand Load Balancing and click Virtual Servers. In the Load Balancing Virtual Servers page, click Add. In the Create Virtual Servers (Load Balancing) dialog box, select the IPv6 check box. In the Name, Port, and IP Addresses text boxes, type the name, port, and IP address of the vserver (for example, VS1_IPv6, 80, and 2002::9). Click Create and click Close.
To create the IPv6 vserver using the NetScaler command line

add lb vserver Name Protocol IPv6Address Port
Example
add lb vserver VS1_IPv6 HTTP 2002::9 80
Use either of the following procedures to bind the services to the vserver.
To bind a service to an LB vserver using the configuration utility
1. 2. 3.
In the navigation pane, expand Load Balancing and click Virtual Servers. In the Load Balancing Virtual Servers page, select the vserver for which you want to bind the service (for example, VS1_IPv6). Click Open.
184
4.
In the Configure Virtual Server (Load Balancing) dialog box, on the Services tab, select the Active check box corresponding to the service that you want to bind to the vserver (for example, SVC1). Click OK. Repeat Steps 1-4 to bind the service (for example, SVC2 to the vserver).
5. 6.
To bind a service to an LB vserver using the NetScaler command line

bind lb vserver Name service
Example
bind lb vserver VS1_IPv6 SVC1
The vservers receive IPv6 packets and the NetScaler performs Protocol Translation (RFC 2765) before sending traffic to the IPv4-based services.
Host Header Modification

When an HTTP request has an IPv6 address in the host header, and the server does not understand the IPv6 address, you must map the IPv6 address to an IPv4 address. The IPv4 address is then used in the host header of the HTTP request sent to the vserver. The following procedures include examples for mapping the IPv4 address 200.200.200.200 to the VIP 2002::9.
To change the IPv6 address in the host header to an IPv4 address using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Networks and click IPs. In the IPs page, click the IPV6s tab and select the IP address for which you want to configure a mapped IP address, for example, 2002:0:0:0:0:0:0:9. Click Open. In the Configure IP6 dialog box, in the Mapped IP text box, type the mapped IP address that you want to configure, for example, 200.200.200.200. Click OK.
5.
To change the IPv6 address in the host header to an IPv4 address using the NetScaler command line

set ns ip6 IPv6Address -map IPAddress
Chapter 5 Example
set ns ip6 2002::9 -map 200.200.200.200
IP version 6
185
VIP Insertion
If an IPv6 address is sent to an IPv4-based server, the server may not understand the IP address in the HTTP header, and may generate an error. To avoid this, you can map an IPv4 address to the IPv6 VIP and enable VIP insertion The following procedures include examples for mapping IPv4 address 200.200.200.200 to VIP 2002::9.
To configure a mapped IPv6 address using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Networks and click IPs. In the IPs page, click the IPV6s tab and select the IP address for which you want to configure a mapped IP address (for example, 2002:0:0:0:0:0:0:9). Click Open. In the Configure IP6 dialog box, in the Mapped IP text box, type the mapped IP address that you want to configure (for example, 200.200.200.200). Click OK.
5.
To configure a mapped IPv6 address using the NetScaler command line

set ns ip6 IPv6Address -map IPAddress
Example
set ns ip6 2002::9 -map 200.200.200.200
Use either of the following procedures to enable insertion of an Ipv4 VIP address and port number in the HTTP requests sent to the servers.
To enable VIP insertion using the configuration utility
1. 2.
In the navigation pane, expand Load Balancing and click Virtual Servers. In the Load Balancing Virtual Servers page, in the Load Balancing Virtual Servers page, select the vserver that you want to enable port insertion (for example, VS1_IPv6). Click Open. In the Configure Virtual Server (Load Balancing) dialog box, click the Advanced tab.
3. 4.
186
5. 6.
In the Vserver IP Port Insertion drop-down list box, select VIPADDR. In the Vserver IP Port Insertion text box, type the vip header.
To enable VIP insertion using the NetScaler command line

set lb vserver Name -insertVserverIPPort Value
Example
set lb vserver VS1_IPv6 -insertVserverIPPort ON
C HAPTER 6
High Availability
This chapter describes how High Availability (HA) works in a NetScaler deployment to ensure uninterrupted operation in any transaction. It tells you about the prerequisites of an HA setup, and also how to configure an HA setup in NetScaler and later customize it. You can also improve the reliability of an HA setup by configuring virtual MAC addresses, link redundancy, and route monitors. You can configure the state of a node such that the primary is forced to stay as primary or the secondary is forced to stay as a secondary. Also, learn how to troubleshoot HA issues that you may encounter after setting up the NetScaler HA pair. In This Chapter How High Availability Works Considerations for a High Availability Setup Configuring High Availability Customizing a High Availability Setup Configuring Virtual MAC Addresses Improving the Reliability of a High Availability Setup Configuring the State of a Node Troubleshooting High Availability Issues
How High Availability Works

If you have two NetScaler appliances, you can deploy them in a high availability configuration, with one NetScaler as the primary node and the other NetScaler as the secondary node. The primary node accepts connections and manages servers while the secondary node monitors the primary. If, for any reason, the primary node is unable to accept connections, the secondary node takes over. A high availability configuration prevents downtime and ensures uninterrupted service when an appliance ceases to function.
188
The secondary node monitors the primary by sending periodic messages (often called heartbeat messages or health checks) to determine whether the primary node is accepting connections. If a health check fails, the secondary node retries the connection for a specified period, after which it determines that the primary node is not functioning normally. The secondary node then takes over for the primary (a process called failover). After a failover, all clients must reestablish their connections to the managed servers, but the session persistence rules are maintained as they were before the failover. With Web server logging persistence enabled, no log data is lost due to the failover. For logging persistence to be enabled, the log server configuration must carry entries for both systems in the log.conf file. The following figure shows a network configuration with an HA pair.
NetScaler Appliances in a High Availability Configuration
Considerations for a High Availability Setup

Note the following requirements for configuring systems in an HA setup: In an HA configuration, the primary and secondary NetScaler appliances should be of the same model. Different NetScaler models are not supported in an HA pair (for example, you cannot configure a 10010 model and a 7000 model as an HA pair). Entries in the configuration file (ns.conf) on both the primary and the secondary system must match, with the following exceptions:
Chapter 6
High Availability
189
The primary and the secondary systems must each be configured with their own unique NetScaler IPs (NSIPs.) In an HA pair, the node ID and associated IP address of one node must point to the other node. For example, if you have nodes, NS1 and NS2, you must configure NS1 with a the unique node ID and the IP address of NS2, and you must configure NS2 with a unique node ID and the IP address of NS1.
If you create a configuration file on either node using a method other than the direct GUI or the CLI (for example, SSL certificates, or changes to startup scripts), you must copy the configuration file to the other node or create an identical file on that node. Initially, all NetScaler appliances are configured with the same RPC node password. RPC nodes are internal system entities used for system-tosystem communication of configuration and session information. For security, you should change the default RPC node passwords. One RPC node exists on each NetScaler. This node stores the password, which is checked against the password provided by the contacting system. In order to communicate with other systems, each NetScaler requires knowledge of those systems, including how to authenticate on those systems. RPC nodes maintain this information, which includes the IP addresses of the other systems, and the passwords they require for authentication. RPC nodes are implicitly created when adding a node or adding a Global Server Load Balancing (GSLB) site. You cannot create or delete RPC nodes manually. Note: If the NetScaler appliances in a high availability setup are configured in one-arm mode, you must disable all system interfaces except the one connected to the switch or hub.
To configure a NetScaler HA pair over IPv6: Install the IPv6PT license on both NetScaler appliances for supporting IPv6. After installing IPv6PT license, enable IPv6 feature by using the configuration utility or NetScaler command line. Both the NetScaler appliances require a global NSIP IPv6 address. In addition, network entities (for example, switches and routers) between the two nodes need to support IPv6 for proper configuration.
190
Configuring High Availability

This section describes how to configure a basic high availability setup. The following topics are covered: Configuring a Basic High Availability Setup Modifying an Existing High Availability Setup
Configuring a Basic High Availability Setup

This section describes procedures to configure two NetScaler appliances in a high availability setup, as illustrated in the following figure.
Two NetScaler connected in an High Availability configuration In the figure, nodes NS1 and NS2 are on the same subnet. To configure high availability, you must configure one NetScaler as the primary and the other as the secondary node. You need to perform the following procedures: Add a node Disable HA monitoring for unused interfaces Verify the configuration
Adding a Node
This section describes how to add a node in an HA setup. The new node is identified by a unique ID and its NSIP. The maximum number of node IDs for systems in a high availability setup is 64.
Chapter 6
High Availability
191
Note: To ensure that each node in the High Availability configuration has the same settings, you should synchronize your SSL certificates, startup scripts, and other configuration files with those on the primary node. To add a node, use the parameters described in the following table.
Parameter Node ID IP Address Specifies Unique number that identifies the node to be added. Possible values: 1 to 64. IP Address of the node to be added.
To add a node using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand System and click High Availability. On the High Availability page, select the Nodes tab. Click Add. In the High Availability Setup dialog box, in the Remote Node IP Address text box, type an IP Address (for example, 10.102.29.170). If you want to configure HA over IPv6, select the IPv6 check box and enter the NSIP IPv6 address of the peer node (for example, 1000:0000:0000:0000:0005:0600:700a:888b). Select or clear the Configure remote system to participate in High Availability setup check box based on whether you want to add the local node to the peer node. By default, this check box is selected. Select the Turn off HA monitor on interfaces/channels that are down check box to disable the HA monitor on interfaces that are down. By default, this check box is selected. Click Ok and click Close.
5.
6.
7.
To add a node using the NetScaler command line

add HA node id [IPAddress |IPv6 address]
Example
Example add HA node 3 10.102.29.170 add HA node 3 1000:0000:0000:0000:0005:0600:700a:888b
192
Disabling the High Availability Monitor for Unused Interfaces

If you configure HA from the NetScaler command line, you must disable the HA monitor for each interface that is not connected or not being used for traffic.This step is not required if you configure HA through the configuration utility. To disable an HA monitor, use the parameters described in the following table.
Parameter id HA monitor Specifies Interface number, in the slot/port notation. Option used for a High Availability configuration to specify which interfaces to monitor for failing events. Possible values: ON and OFF. Default: ON
To disable HA monitor using the NetScaler command line

set interface id -haMonitor Value
Example
set interface 1/3 -haMonitor OFF

To verify your configuration, you can display the node and check its status in the local system. One node will be primary and other will be secondary.
To display the configuration using the configuration utility
1. 2.
In the navigation pane, expand System and click High Availability. On the High Availability page, select the Nodes tab. The Nodes page displays the primary and the secondary nodes.
To display the configuration using the NetScaler command line

sh ha node
Modifying an Existing HA Setup

This section describes the procedures to modify an existing high availability configuration. The following topics are covered: Disabling a Node Enabling a Node
Chapter 6
High Availability
193
Removing a Node
Disabling a Node
You can disable only a secondary node. When you disable a secondary node, it stops sending heartbeat messages to the primary node, and therefore the primary node therefore can no longer check the status of the secondary.
To disable a node using the configuration utility
1. 2. 3. 4. 5.
In the navigation pane, expand System and click High Availability. On the High Availability page, select the Nodes tab. On Nodes page, select the secondary node and click Open. In the Configure Node dialog box, under High Availability Status, select the DISABLED (Do not participate in HA) option. Click OK.
To disable a node using the NetScaler command line

set HA node -hastatus Value
Example
set HA node -hastatus DISABLED
Enabling a Node
When you enable a node, the node takes part in the high availability configuration. You can enable only a secondary node.
To enable a node using the configuration utility
1. 2. 3. 4. 5.
In the navigation pane, expand System and click High Availability. On the High Availability page, select the Nodes tab. On the Nodes page, select the secondary node and click Open. In the Configure Node dialog box, under High Availability Status, select the ENABLED (Actively participates in HA) option. Click OK, and click Close.
To enable a node using the NetScaler command line

set HA node -hastatus Value
194

set ha node -hastatus ENABLED
Removing a Node
If you remove a node, the nodes are no longer in high availability configuration.
To remove a node using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand System and click High Availability. On the High Availability page, select the Nodes tab. On the Nodes page, select the node that you want to remove. On the Remove dialog box, click Yes.
To remove a node using the NetScaler command line

rm ha node id
Example
rm ha node 3
Note: You can use the Network Visualizer to view the NetScaler appliances that are configured as a high availability (HA) pair and perform high availability configuration tasks. For more information, see Network Visualizer, on page 86.
Customizing a High Availability Setup

This section describes the steps to customize a high availability setup. The following topics are covered: Configuring the Communication Intervals Configuring Synchronization Configuring Command Propagation Forcing a Node to Fail Over Configuring Fail Safe
Chapter 6
High Availability
195
Configuring the Communication Intervals

This section describes the procedure to configure the communication intervals in a high availability configuration. The hello interval is the interval at which the heartbeat messages are sent to the peer node. The dead interval is the time interval after which the peer node is marked DOWN if heartbeat packets are not received. The heartbeat messages are UDP packets sent to port 3003 of the other node in an HA pair. To set the hello and the dead intervals, use the parameters listed in the following table.
Parameter Hello Interval Specifies Interval between successive heartbeat messages, in milliseconds. Possible values: 200 to 1000. Default: 200. Number of seconds after which a node is marked DOWN if there is no response to heartbeat messages. Possible values: 3 to 60. Default: 3.
Dead Interval
To set the hello and dead intervals using the configuration utility
1. 2. 3. 4. 5. 6.
In the navigation pane, expand System and click High Availability. On the High Availability page, select the Nodes tab. On the Nodes page, select the node for which you want to change the hello interval and click Open. In the Configure dialog box, under Intervals, in the Hello Interval (msecs), type the interval (for example, 400). In the Dead Interval (secs), type the interval (for example, 6). Click OK.
To set the hello and dead intervals using the NetScaler command line

set HA node -helloInterval msecs -deadInterval secs
Example
set HA node -helloInterval 400 -deadInterval 6
196
Configuring Synchronization
Synchronization is a process of duplicating the configuration of the primary node on the secondary node. The purpose of synchronization is to ensure that there is no loss of configuration information between the primary and the secondary nodes, regardless of the number of failovers that occur. Synchronization uses port 3010. Synchronization is triggered by the following circumstances: The secondary node in an HA setup comes up after a restart. The primary node becomes secondary after a failover.
Disabling or Enabling Synchronization

HA synchronization is enabled by default in each node in an HA pair. You can enable or disable HA synchronization on either node in an HA pair.
To disable or enable automatic synchronization using the configuration utility
1. 2. 3. 4. 5.
In the navigation pane, expand System and click High Availability. On the High Availability page, select the Nodes tab. On Nodes page, select the local node and click Open. In the Configure dialog box, under HA Synchronization, clear the Secondary node will fetch the configuration from Primary option. Click OK and then click Close.
Note: To enable HA synchronization, in step 4 above, you must select Secondary node will fetch the configuration from Primary.
To disable or enable automatic synchronization using the NetScaler command line

set HA node -haSync Value
Example
set HA node -haSync ENABLED set HA node -haSync DISABLED
Chapter 6
High Availability
197
Forcing the Secondary Node to Synchronize with the Primary Node

In addition to automatic synchronization, the NetScaler supports forced synchronization. You can force the synchronization from either the primary or the secondary node. When you force synchronization from the secondary node, it starts synchronizing its configuration with the primary node. However, if synchronization is already in progress, forced synchronization fails and the system displays a warning. Forced synchronization also fails in the following circumstances: You force synchronization on a standalone system. The secondary node is disabled. HA synchronization is disabled on the secondary node.
To force synchronization using the configuration utility
1. 2. 3.
In the navigation pane, expand System and click High Availability. On the High Availability page, select the Nodes tab. On the Nodes page, click Force Synchronization.
To force synchronization using the NetScaler command line

force HA sync
Configuring Command Propagation

In an HA setup, any command issued on the primary node propagates automatically to, and is executed on, the secondary before it is executed on the primary. If command propagation fails, or if command execution fails on the secondary, the primary node executes the command and logs an error. Command propagation uses port 3011. In an HA pair configuration, command propagation is enabled by default on both the primary and secondary nodes. You can enable or disable command propagation on either node in an HA pair. If you disable command propagation on the primary node, commands are not propagated to the secondary node. If you disable command propagation on the secondary node, commands propagated from the primary are not executed on the secondary node. Note: After reenabling propagation, remember to force synchronization
198
If synchronization occurs while you are disabling propagation, any configurationrelated changes that you make before the disabling of propagation takes effect are synchronized with the secondary node. This is also true for cases where propagation is disabled while synchronization is in progress.
To disable or enable command propagation using the configuration utility
1. 2. 3. 4. 5.
In the navigation pane, expand System and click High Availability. On the High Availability page, select the Nodes tab. On the Nodes page, select the local node and click Open. In the Configure Node dialog box, under HA Propagation, clear the Primary node will propagate configuration to the Secondary option. Click OK.
Note: To enable HA synchronization, in Step 4 you must select the Primary node will propagate configuration to the Secondary.
To disable or enable command propagation using the NetScaler command line

set HA node -haProp Value
Example
set HA node -haProp ENABLED set HA node -haProp DISABLED
Forcing a Node to Fail Over

You might want to force a failover if, for example, you need to replace or upgrade the primary node. You can force failover from either the primary or the secondary node. A forced failover is not propagated or synchronized. To view the synchronization status after a forced failover, you can view the status of the node. A forced failover fails in the following circumstances: You force failover on a standalone system. The secondary node is disabled. The secondary node is configured to remain secondary.
Chapter 6
High Availability
199
Forcing the Primary Node to Fail Over

If you force failover on the primary node, the primary becomes the secondary and the secondary becomes the primary. Forced failover is possible only when the primary node can determine that the secondary node is UP. If the secondary node is DOWN, the Force Failover command returns the error message Operation not possible due to invalid peer state. Rectify and retry. If the secondary system is in the claiming state or inactive, it returns the message Operation not possible now. Please wait for system to stabilize before retrying.
To force the primary node to fail over using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand System and click High Availability. On the High Availability page, select the Nodes tab. Click Force Failover. In the Warning dialog box, click Yes.
To force the primary node to fail over using the NetScaler command line

force HA failover
Forcing the Secondary Node to Fail Over

If you execute the force failover command from the secondary node, the secondary node becomes primary and the primary node becomes secondary. A force failover can occur only if the secondary nodes health is good and it is not configured to stay secondary. If the secondary node cannot become the primary node, or if secondary node was configured to stay secondary (using the STAYSECONDARY option), the node displays the message Operation not possible as my state is invalid. View the node for more information. To force the secondary node to failover, use either of the following procedures:
To force the secondary node to fail over using the configuration utility
1. 2. 3. 4.
200
Citrix NetScaler Networking Guide To force the secondary node to fail over using the NetScaler command line

force HA failover
Forcing Failover When Nodes are in Listen Mode

When the two nodes of an HA pair are running different versions of the system software, the node running the higher version switches to the listen mode. In this mode, neither command propagation nor synchronization works. Before upgrading the system software on both nodes, you should test the new version on one of the nodes. To do this, you need to force a failover on the system that has already been upgraded. The upgraded system then takes over as the primary node, but neither command propagation or synchronization occurs. Also, all connections need to be re-established. To force failover when nodes are in listen mode, use either of the following procedures:
To force fail over when nodes are in listen mode using the configuration utility
1. 2. 3. 4.
To force failover when nodes are in listen mode using the NetScaler command line

force HA failover
Configuring Fail-Safe Mode

In an HA configuration, fail-safe mode ensures that one node will always be primary when both nodes fail the health check. This is to ensure that when a node is only partially available, backup methods are enabled to handle traffic as best as possible. The HA fail-safe mode is configured independently on each node.
Chapter 6
High Availability
201
The following table shows some of the fail-safe cases. The NOT_UP state means that the node failed the health check yet it is partially available. The UP state means that the node passed the health check. Fail-safe mode cases
Node A Node B (Secondary) (Primary) Health Health State State NOT_UP (failed last) NOT_UP (failed first) Default HA Behavior A (Secondary), B (Secondary) A(S), B(S) Fail-Safe Enabled HA Behavior A (Primary), B (Secondary) A(S),B(P) Description
If both nodes fail, one after the other, the node that was the last primary remains primary. If both nodes fail, one after the other, the node that was the last primary remains primary. If both nodes pass the health check, no change in behavior with fail-safe enabled. If only the secondary node fails, no change in behavior with fail-safe enabled. If only the primary fails, no change in behavior with fail-safe enabled. If the secondary is configured as STAYSECONDARY, the primary remains primary even if it fails.
NOT_UP (failed first)
NOT_UP (failed last)
UP
UP
A (Primary), B (Secondary)
A(P), B(S)
UP
NOT_UP
A(P), B(S)
A(P), B(S)
NOT_UP
UP
A(S), B(P)
A(S), B(P)
NOT_UP
UP (STAYSECONDARY)
A(S), B(S)
A(P),B(S)
To enable fail-safe mode by using the NetScaler command line

set ha node -failsafe ON|OFF
Example
set ha node -failsafe ON
To enable fail-safe mode by using the configuration utility
1. 2.
In the navigation pane, expand System, and then click High Availability. In the details pane, on the Nodes tab, select the local node, and then click Open.
202
3.
In the Configure Node dialog box, under Fail-Safe Mode, select the Maintain one Primary node even when both nodes are unhealthy check box. Click OK.
4.
Configuring Virtual MAC Addresses

The Virtual MAC address (VMAC) is a floating entity shared by the primary and the secondary nodes in an HA setup. In an HA setup, the primary node owns all of the floating IP addresses, such as the MIPs, SNIPs, and VIPs. The primary node responds to Address Resolution Protocol (ARP) requests for these IP addresses with its own MAC address. As a result, the ARP table of an external device (for example, an upstream router) is updated with the floating IP address and the primary node's MAC address. When a failover occurs, the secondary node takes over as the new primary node. It then uses the Gratuitous ARP (GARP) to advertise the floating IP addresses that it acquired from the primary. However, the MAC address that the new primary advertises is the MAC address of its own interface. Some devices (notably a few routers) do not accept GARP messages generated by the Citrix NetScaler system. As a result, some external devices retain the old IP to MAC mapping advertised by the old primary node. This can result in a site going down. You can overcome this problem by configuring a VMAC on both nodes of an HA pair. When you do this, both nodes possess identical MAC addresses. Therefore, when failover occurs, the MAC address of the secondary node remains unchanged, and the ARP tables on the external devices do not need to be updated. To create a VMAC, you need to first create a Virtual Router ID (VRID) and bind it to an interface. (In an HA setup, you need to bind the VRID to the interfaces on both nodes.) Once the VRID is bound to an interface, the system generates a VMAC with the VRID as the last octet.
Configuring IPv4 VMACs

When you create a IPv4 VMAC address and bind it a interface, any IPv4 packet going out of this interface uses the VMAC address bound to that interface. If there is no IPv4 VMAC bound to an interface, it uses the physical MAC address of this interface. The generic VMAC is of the form 00:00:5e:00:01:<VRID>. For example, if you create a VRID with a value of 60 and bind it to an interface, the resulting VMAC is 00:00:5e:00:01:3c, where 3c is the hex representation of the VRID. You can create 255 VRIDs with values from 1 to 254.
Chapter 6
High Availability
203
This section covers the following procedures: Adding a Virtual MAC Addresses Binding Interfaces to the VMAC Verifying the VMAC Configuration Managing VMACs
Adding a VMAC
The scenario described in this section illustrates the configuration of a VMAC on a standalone system with a VRID value of 100. To add a virtual MAC, use the parameters in the following table.
Parameter Virtual Router ID Interface Number. Specifies The VRID that identifies the VMAC. Possible values: 1 to 255. The interface number (slot/port notation) to be bound to the VMAC.
To add a VMAC using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network and click VMAC. On the VMAC page, click Add. In the Add VMAC dialog box, in Virtual Router ID text box, type a number (for example, 100). Click Create.
To add a VMAC using the NetScaler command line

add vrID id
Example
add vrID 100
Binding Interfaces to the VMAC

The following procedure illustrates the steps to bind the VRID to interface 1/1. You cannot bind multiple VRIDs to an interface.
204
To bind an interface to a VMAC, use the parameters listed in the following table.
Parameter Virtual Router ID. Interface Name Specifies The VRID that identifies the VMAC. Possible values: 1 to 255. The interface number (slot/port notation) to be bound to the VMAC.
To bind interfaces to the VMAC using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network and click VMAC. On the VMAC page, click Open. In the Configure VMAC dialog box, select the desired interfaces from the Available Interfaces table and click Add (for example, 1/1, 1/2, and 1/3). Click OK.
To bind interfaces to the VMAC using the NetScaler command line

bind vrid id -ifnum interface_name ...
Example
bind vrid 100 -ifnum 1/1 1/2 1/3
Verifying the VMAC Configuration

To verify the VMAC configuration, you should display and examine the VMACs and the interfaces bound to the VMACs.
To verify VMACs using the configuration utility
1. 2.
In the navigation pane, expand Network and click VMAC. Examine the settings on the VMAC page.
To verify VMACs using the NetScaler command line

sh vrID
To verify the interfaces bound to the VMAC using the configuration utility
1. 2.
In the navigation pane, expand Network and click VMAC. On the VMAC page, select a virtual router id (for example, 100) and examine the settings displayed at the bottom of the page.
Chapter 6
High Availability
205
To view the interfaces bound to the VMAC using the NetScaler command line
At the NetScaler command prompt, type the following command and examine the output:
sh vrID id
Example
sh vrID 100
Managing VMACs
This section describes procedures for unbinding the interfaces from a VMAC and deleting the created VMAC from the system.
To unbind interfaces from a VMAC using the configuration utility
1. 2. 3.
In the navigation pane, expand Network and click VMAC. On the VMAC page, select a virtual router id (for example, 100), and click Open. In the Modify VMAC dialog box, under Configured Interfaces, select interfaces that you want to unbind from the VMAC (for example, 1/2 and 1/3). Click Remove. Click OK.
4. 5.
To unbind interfaces from a VMAC using the NetScaler command line

unbind vrid id -ifnum interface_name ...
Example
unbind vrID 100 1/2 1/3
To remove a VMAC using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network and click VMAC. On the VMAC page, select the virtual router id that you want to remove (for example, 100). Click Remove. In the Remove dialog box, click Yes.
206
Citrix NetScaler Networking Guide To remove a VMAC using the NetScaler command line

rm vrid id
Example
rm vrid 100
Configuring IPv6 VMACs

The NetScaler supports VMAC6 for IPv6 packets. You can bind any interface to VMAC6 regardless of whether IPv4 VMAC is bound to the interface or not. Any IPv6 packet going out of this interface uses the VMAC6 bound to that interface. If there is no VMAC6 bound to an interface, it uses the physical MAC. This section covers the following procedures: Adding a Virtual MAC Addresses6 Binding Interfaces to the VMAC6 Verifying the VMAC6 Configuration Managing VMAC6s
Adding a VMAC6
The scenario described in this section illustrates the configuration of a VMAC6 on a standalone NetScaler with a VRID value of 100. To add a virtual MAC, use the parameters in the following table.
Parameter Virtual Router ID Interface Number Specifies The VRID that identifies the VMAC6. Possible values: 1 to 255. The interface number (slot/port notation) to be bound to the VMAC6.
To add a VMAC6 using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand Network, and then click VMAC. On the VMAC6 tab, click Add. In the Add VMAC6 dialog box, in Virtual Router ID text box, type a number (for example, 100). Click Create.
Chapter 6 To add a VMAC6 using the NetScaler command line
High Availability
207

add vrID6 id
Example
add vrID6 100
Binding Interfaces to the VMAC6

The following procedure illustrates the steps to bind the VRID to interface 1/1. You cannot bind multiple VRIDs to an interface. To bind an interface to a VMAC6, use the parameters listed in the following table.
Parameter Virtual Router ID Interface Name Specifies The VRID that identifies the VMAC6. Possible values: 1 to 255. The interface number (slot/port notation) to be bound to the VMAC6.
To bind interfaces to the VMAC6 using the configuration utility
1. 2. 3.
In the navigation pane, expand Network, and then click VMAC. In the details pane, on the VMAC6 tab, click virtual router ID that you want to bind to an interface, and then click Open. In the Configure VMAC6 dialog box, select the desired interfaces from the Available Interfaces table, and then click Add (for example, 1/1, 1/2, and 1/3). Click OK.
4.
To bind interfaces to the VMAC6 using the NetScaler command line

bind vrid6 id -ifnum interface_name ...
Example
bind vrid 100 -ifnum 1/1 1/2 1/3
Verifying the VMAC6 Configuration

To verify the VMAC6 configuration, you should display and examine the VMAC6 and the interfaces bound to the VMAC6s.
208
Citrix NetScaler Networking Guide To verify VMAC6 configurations using the configuration utility
1. 2.
In the navigation pane, expand Network, and then click VMAC. In the details pane, on the VMAC6 tab, examine the settings.
To verify VMAC6s using the NetScaler command line

sh vrID6
To verify the interfaces bound to the VMAC6 using the configuration utility
1. 2.
In the navigation pane, expand Network, and then click VMAC. In the details pane, on the VMAC6 tab, select a virtual router ID (for example, 100), and then examine the settings displayed at the bottom of the page.
To verify the interfaces bound to the VMAC6 using the NetScaler command line

sh vrID6 id
Example
sh vrID6 100
Managing VMAC6 Configurations

This section describes procedures for unbinding the interfaces from a VMAC6 and deleting the VMAC6 from the appliance.
To unbind interfaces from a VMAC6 using the configuration utility
1. 2. 3.
In the navigation pane, expand Network, and then click VMAC. In the details pane, on the VMAC6 tab, select a virtual router id (for example, 100), and click Open. In the Modify VMAC6 dialog box, under Configured Interfaces, select interfaces that you want to unbind from the VMAC6 (for example, 1/2 and 1/3). Click Remove. Click OK.
4. 5.
To unbind interfaces from a VMAC6 using the NetScaler command line
Chapter 6
High Availability
209
unbind vrid6 id -ifnum interface_name ...
Example
unbind vrID6 100 1/2 1/3
To remove a VMAC6 using the configuration utility
1. 2.
In the navigation pane, expand Network, and then click VMAC. In the details pane, on the VMAC6 tab, select the virtual router ID that you want to remove (for example, 100), and then click Remove.
To remove a VMAC6 using the NetScaler command line

rm vrid6 id
Example
rm vrid6 100
Improving the Reliability of a High Availability Setup

This section describes link redundancy and route monitors, system functions that can be helpful in a cross-network HA configuration. This section also describes the health check process used by a system to ensure that its partner node is up and running. The section covers the following topics: Configuring High Availability for Nodes in Different Subnets Configuring Link Redundancy Configuring Route Monitors HA Health Check Computation
Configuring High Availability Nodes in Different Subnets

Configuring a Basic High Availability Setup, on page 190, covered a typical HA deployment where both systems in an HA pair reside on the same subnet. This section describes an HA pair configuration where the two systems reside on different subnets. The section provides sample configurations and lists differences between HA configurations within one subnet and those configured across networks.
210
The following figure shows an HA deployment with the two systems located in different subnets:
High Availability over a routed network In the figure, the systems NS1 and NS2 are connected to two separate routers, R3 and R4, on two different subnets. The systems exchange heartbeat packets through the routers. This configuration could be expanded to accommodate deployments involving any number of interfaces. Note: If you use static routing on your network, you must add static routes between all the systems to ensure that heartbeat packets are sent and received successfully. (If you use dynamic routing on your systems, static routes are unnecessary.) If the nodes in an HA pair reside on two separate networks, the secondary node must have an independent network configuration. This means that nodes on different networks cannot share entities such as MIPs, SNIPs, VLANs, and routes. This type of configuration, where the nodes in an HA pair have different configurable parameters, is known as Independent Network Configuration (INC) or Symmetric Network Configuration (SNC). The following table describes the parameters that you must set on each node in an INC.
Configurable Parameters IPs (NSIP/MIP/SNIPs) Behavior Node-specific. Active only on that unit.
Chapter 6
High Availability
211
Configurable Parameters VIP Vlans Routes ACLs Dynamic routing
Behavior Floating. Node-specific. Active only on that unit. Node-specific. Active only on that unit. LLB route is floating. Floating (Common). Active on both units. Node-specific. Active only on that unit. The secondary node should also run the routing protocols and peer with upstream routers. Floating (Common). Active on both units. Floating (Common). Active on both units. Node-specific. RNAT with VIP, because NATIP is floating.
L2 mode L3 mode Reverse NAT (RNAT)
When two nodes of an HA pair reside on different subnets, each node must have a different network configuration. Therefore, to configure two independent systems to function as an HA pair, you must specify an INC mode during the configuration process. To specify an INC mode, perform the following tasks: Add a node with the -inc option enabled. Disable HA monitoring for unused interfaces.
Adding a Node
This section describes the procedure to add a node in a different subnet than the local node, using the parameters listed in the following table.
Parameter Node ID IP Address Specifies Unique number that identifies the node to be added. Possible values: 1 to 64. IP Address of the node to be added.
To add a node using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand System and click High Availability. On the High Availability page, select the Nodes tab. Click Add. In the High Availability Setup dialog box, in the Remote Node IP Address text box, type an IP Address (for example, 10.102.29.170).
212
5.
Select or clear the Configure remote system to participate in High Availability setup check box based on whether you want to add the local node to the peer node. By default, this check box is selected. Select the Turn off HA monitor on interfaces/channels that are down check box to disable the HA monitor on interfaces that are down. By default, this check box is selected. Select or clear the Turn off INC (Independent Network Configuration) mode on self mode check box based on whether your nodes are on the same subnet or different subnets. By default, this check box is not selected. Click Ok and click Close.
6.
7.
8.
To add a node using the NetScaler command line

add HA node id IPAddress -inc Value
Example
add HA node 3 10.102.29.170 - inc ENABLED
Disabling High Availability Monitor in Interfaces

If you configure HA from the NetScaler command line, you must disable the HA monitor for each interface that is not connected or not being used for traffic.This step is not required if you configure HA through configuration utility. To disable HA MON in the interfaces, use the interface number parameter, as described in the following table.
Parameter id HA monitor Specifies The interface number (represented in the <slot/port> notation) Option used for a High Availability configuration to specify which interfaces to monitor for failing events. Possible values: ON and OFF. Default: ON
To disable High Availability monitor using the NetScaler command line

set interface id -haMonitor Value
Example
set interface 1/3 -haMonitor OFF
Chapter 6
High Availability
213
Configuring Link Redundancy

Link redundancy is a way to prevent failover by grouping interfaces so that, when one interface fails, other functioning interfaces will still be available. Configuring High Availability Nodes in Different Subnets, on page 209, describes a scenario in which the first interface on the primary system, NS1, fails, triggering failover, even though it can still serve client requests through its second link. The link redundancy feature allows you to group the two interfaces into a failover interface set (FIS), which prevents the failure of a single link from causing failover to the secondary system unless all of the interfaces on the primary system are nonfunctional. Each interface in a FIS maintains independent bridge entries. HA MON interfaces that are not bound to a FIS are known as critical interfaces (CI) because if any of them fails, failover is triggered.
Adding a Failover Interface Set

This section describes the procedure to add a Failover Interface Set (FIS) in the system.
To add an FIS using the configuration utility
1. 2. 3. 4. 5.
In the navigation pane, expand System and click High Availability. On the High Availability page, select the Failover Interface Set tab. On the Failover Interface Set page, click Add. In the Create FIS dialog box, in Name text box, type a name for the FIS to be created (for example, FIS1). Click Create.
To add a FIS using the NetScaler command line

add fis name
Example
add fis FIS1
214
Binding the Interfaces to a FIS

To bind interfaces to the Failover Interface Set, use the parameters listed in the following table.
Parameter FIS Name Interface Number Specifies Name of the FIS to which interfaces are to be bound. Interface number (slot/port notation) to be bound to the FIS.
To bind interfaces to the FIS using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand System and click High Availability. On the High Availability page, select the Failover Interface Set tab. On the Failover Interface Set page, select a FIS, and then click Open. In the Configure FIS dialog box, select interfaces under Available Interfaces and click Add.
To bind interfaces using the NetScaler command line

bind fis name interface names ...
Example
bind fis FIS1 1/1 1/2 1/3
Verifying the Created FIS

To verify a FIS, display its settings and examine them.
To display a FIS using the configuration utility
1. 2.
In the navigation pane, expand System and click High Availability. On the High Availability page, select the Failover Interface Set tab.
To display a FIS using the NetScaler command line

sh fis name
Example
sh fis FIS1
Chapter 6
High Availability
215
Managing Link Redundancy

This section describes how to unbind interfaces from a FIS and how to remove a FIS.
Unbinding an Interface from the FIS

This following procedure describes the steps to unbind interfaces from a FIS. An unbound interface becomes a critical interface (CI) if it is enabled and HA MON is on. To unbind interfaces from the Failover Interface Set, use the parameters in the following table.
Parameter FIS Name Interface Name Specifies Name of the FIS from which the interfaces are to be unbound. Interface name (slot/port notation.).
To unbind an interfaces from the FIS, use either of the following procedures.
To unbind an interface from a FIS using the configuration utility
1. 2. 3. 4. 5.
In the navigation pane, expand System and click High Availability. On the High Availability page, select the Failover Interface Set tab. On the Failover Interface Set page, select the FIS from which you want to unbind interfaces and click Open. In the Configure FIS dialog box, under Configured Interfaces table, select the interface you want to unbind from the FIS, and click Remove. Click OK.
To unbind an interface from a FIS using the NetScaler command line

unbind fis name interface names ...
Example
unbind fis FIS1 1/1 1/2
Removing a FIS
The following sample procedure describes the steps to remove a FIS that you have created. Once the FIS is removed, its interfaces become CIs.
216
To remove a Failover Interface Set, use the parameter in the following table.
Parameter FIS Name Specifies Name of the FIS that is to be removed.
To remove a FIS using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand System and click High Availability. On the High Availability page, select the Failover Interface Set tab. On the Failover Interface Set page, select the FIS that you want to remove (for example, FIS1) and click Remove. In the Remove dialog box, click Yes.
To remove a FIS using the NetScaler command line

rm fis name
Example
rm fis FIS1
Configuring Route Monitors

You can make the HA state dependent of the internal routing table, whether or not dynamically learned routes or static routes are present. The procedure requires using route monitors. In an HA configuration, a route monitor on each node watches the internal routing table to make sure that a route entry for reaching a particular network is always present. If a route is present, the node can become primary. If no route is present, the node cannot become primary. Route monitors are especially important when using dynamic routes, because a router error can make an HA node appear to be down on the other node when it is not. When the nodes of an HA pair reside on different networks, the HA state of a node depends on its reachability. Route monitors are neither propagated by nodes nor exchanged during synchronization. You can add route monitors for IPv4 as well as IPv6 networks. When a NetScaler has only static routes for reaching a network, and you want to create a route monitor for the network, you must enable MSR on the static routes. This will ensure that an unreachable static route will be removed from the internal routing table. If MSR is disabled on static routes, an unreachable static route will always be present in the internal routing table. This will defeat the purpose of having the route monitor.
Chapter 6
High Availability
217
Binding a Route Monitor to a High Availability Node

This section describes how to add a route monitor. To add a route monitor, use the parameters in the following table.
Parameter Network Netmask Specifies Network prefix of the route to be monitored.
Subnet mask for the network
To add a route monitor by using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand System and click High Availability. On the High Availability page, select the Route Monitors tab. On the Route Monitors page, click Configure. In Bind / Unbind Route Monitor(s) dialog box, in the Network text box, do one of the following: For a IPv4 network, type a IPv4 network address (for example, 10.102.29.30) and in the Netmask text box, type a subnet mask (for example, 255.255.255.0). For a IPv6 network, select the IPv6 check box and type a IPv6 network address (for example, 1000:0000:0000:0000:0005:0600:700a:888b).
5. 6.
Click Add. The Route Monitor is added and appears in the Configured Route Monitors table. Click OK.
Note: When a route monitor is not bound to a node, the HA state (primary or secondary) of the node is determined solely by the state of the interfaces.
To add a route monitor by using the NetScaler command line

bind HA node id -routeMonitor [IPv4 address netmask | IPv6 address] Example bind HA node 3 -routeMonitor 10.102.71.0 255.255.255.0 bind HA node 3 -routeMonitor 1000:0000:0000:0000:0005:0600:700a:888b
218
Verifying Route Monitors

To verify a route monitor, display its settings and examine them.
To display a route monitor using the configuration utility
1. 2.
In the navigation pane, expand System and click High Availability. On High Availability page, select the Route Monitors tab.
To display a route monitor using the NetScaler command line

sh HA node
Removing Route Monitors

To remove a route monitor, use either of the following procedures:
To remove a route monitor using the configuration utility
1. 2. 3. 4.
In the navigation pane, expand System and click High Availability. On High Availability page, select the Route Monitors tab. On the Route Monitors page, click Configure. In the Bind / Unbind Route Monitor(s) dialog box, under Configured Route Monitors, select a route monitor to remove and click Remove.
To remove a route monitor using the NetScaler command line

bind HA node id -routeMonitor [IPv4 address netmask | IPv6 address] Example unbind HA node 3 -routeMonitor 10.102.71.0 255.255.255.0 unbind HA node 3 -routeMonitor 1000:0000:0000:0000:0005:0600:700a:888b
High Availability Health Check Computation

The following table summarizes the factors examined in a health check computation: State of the CIs State of the FISs
Chapter 6
High Availability
219
State of the route monitors
The following table summarizes the health check computation.

FIS N Y Y CI Y Y Y Route Monitor N N Y Condition If the system has any CIs, all of those CIs must be UP. If the system has any FISs, all of those FISs must be UP. If the system has any route monitors configured, all monitored routes must be present in the FIS.
Configuring the State of a Node

This section describes how to configure the state of the secondary node to remain secondary and the state of the primary node to remain primary.
Forcing the Secondary Node to Stay Secondary

In an HA setup, the secondary node can be forced to stay secondary regardless of the state of the primary node. For example suppose the primary node needs to be upgraded and the process will take a few seconds. During the upgrade, the primary node may go down for a few seconds, but you do not want the secondary node to take over; you want it to remain the secondary node even if it detects a failure in the primary node. When you force the secondary node to stay secondary, it will remain secondary even if the primary node goes down. Also, when you force the status of a node in an HA pair to stay secondary, it does not participate in HA state machine transitions. The status of the node is displayed as STAYSECONDARY. Forcing the node to stay secondary works on both standalone and secondary nodes. On a standalone node, you must use this option before you can add a node to create an HA pair. When you add the new node, the existing node continues to function as the primary node, and the new node becomes the secondary node. Note: When you force a system to remain secondary, the forcing process is not propagated or synchronized. It affects only the node on which the command is executed.
To force the secondary node to stay secondary using the configuration utility
1.
In the navigation pane, expand System and click High Availability.
220
2. 3. 4. 5.
On the High Availability page, click the Nodes tab. On Nodes page, click Open. In the Configure Dialog box, under High Availability Status, select STAY SECONDARY. Click OK.
To force the secondary node to stay secondary using the NetScaler command line

set node -hastatus Value
Example
set node -hastatus STAYSECONDARY
Forcing the Primary Node to Stay Primary

In an HA setup, you can force the primary node to remain primary even after a failover. You can enable this option either on a primary node in an HA pair or on a standalone system. On a standalone system, you must execute this option before you can add a node to create an HA pair. When you add the new node, it becomes the primary node. The existing node stops processing traffic and becomes the secondary node in the HA pair.
To force the primary node to stay primary using the configuration utility
1. 2. 3. 4. 5.
In the navigation pane, expand System and click High Availability. On the High Availability page, select the Nodes tab. On Nodes page, select a node, and then click Open. In the Configure Node dialog box, under High Availability Status, select STAY PRIMARY. Click OK.
To force the secondary node to stay secondary using the NetScaler command line

set node -hastatus Value
Example
set node -hastatus STAYPRIMARY
Chapter 6
High Availability
221
Troubleshooting High Availability Issues

This section gives troubleshooting tips for the following issues in a high availability setup: Improper synchronization of VLAN configuration in high availability systems. In HA pairs, synchronization does not work properly if only one system has a VLAN configured. To prevent this problem, configure your VLANs after you configure your systems as an HA pair, and be sure to configure them both. Retrieving a lost configuration. If the primary system is unable to send the configuration to the secondary system due to a network error, the secondary system may not have an accurate configuration and may not behave correctly if a failover occurs. If this happens, you can retrieve the current configuration from the configuration backup on the hard disk of the primary system. The operating system saves the last four copies of the ns.conf file in the /nsconfig directory as ns.conf.0, ns.conf.1, ns.conf.2, and ns.conf.3. The ns.conf.0 file contains the current configuration.
To retrieve the current system configuration:
1.
Exit from the CLI to FreeBSD by typing the following command and pressing the Enter key:
> shell
The FreeBSD shell prompt appears, as shown below.

#
2.
Copy the latest backup file to /nsconfig/ns.conf, using the following command:
# cp ls -t /nsconfig/ns.conf.? | head -1` /nsconfig/ns.conf
If you perform a configuration using the NSConfig utility, it is not propagated. If you create a configuration using NSconfig, you must repeat the configuration steps separately for each node in an HA pair.
222

NS Networking Guide

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

NS Networking Guide

Uploaded by

Copyright:

Available Formats

Citrix NetScaler Networking Guide

Citrix NetScaler 9.2.e

Citrix NetScaler Networking Guide

Access Control Lists (ACLs)

Citrix NetScaler Networking Guide

About This Guide

Citrix NetScaler Networking Guide

New in This Release

Citrix NetScaler Networking Guide

Getting Service and Support

Citrix NetScaler Networking Guide

Configuring NetScaler-Owned IP Addresses

Citrix NetScaler Networking Guide

NetScaler IP Address (NSIP)

Creating the NetScaler IP Address (NSIP)

To configure the NetScaler IP address using the NetScaler command line

At the NetScaler command prompt, type:

Virtual IP Address (VIP)

Customizing the Attributes of a VIP

State (state) Host Route (hostRoute) Gateway IP

Citrix NetScaler Networking Guide

Parameters for Customizing a VIP

V Server RHI Level

OSPF LSA Type

To enable or disable ARP using the configuration utility

To enable or disable ARP using the NetScaler command line

At the NetScaler command prompt, type:

Enabling and Disabling a VIP

To enable or disable an IP address using the configuration utility

To enable or disable an IP address using the NetScaler command line

At the NetScaler command prompt, type:

Subnet IP Address (SNIP)

Citrix NetScaler Networking Guide

The following diagram illustrates USNIP mode.

Click OK. In the Enable/Disable Feature(s)? dialog box, click Yes.

To enable or disable use SNIP using the NetScaler command line

At the NetScaler command prompt, type:

Mapped IP Address (MIP)

GSLB Site IP Address (GSLBIP)

Creating NetScaler-Owned IP Addresses

Use either of the following procedures to create a NetScaler-owned IP address.

In the navigation pane, expand Network and click IPs.

Citrix NetScaler Networking Guide

To add an IP address using the NetScaler command line

At the NetScaler command prompt, type:

Mapped IP address (MIP)

Virtual Server IP address (VIP)

To remove an IP address using the NetScaler command line

At the NetScaler command prompt, type:

Customizing Access to IP Addresses

Management access Enable Enable Disable Disable

Citrix NetScaler Networking Guide

NSIP Yes No No Yes Yes

MIP Yes Yes Yes Yes No

SNIP Yes Yes Yes Yes Yes

VIP No No Yes No Yes

Application/ IP SNMP System Access

NSIP Yes Yes

MIP Yes Yes

SNIP Yes Yes

Parameters for customizing a SNIP and MIP Address

Allow access only to management applications (restrictAccess)

Citrix NetScaler Networking Guide