(SUCH AS TRANSLATION, TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC.
ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL. CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
Modifying the equipment without Citrix’ written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler appliance. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures:
- Move the NetScaler equipment to one side or the other of your equipment.
- Move the NetScaler equipment farther away from your equipment.
- Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your authority to operate the product.
BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation. Netscape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks or trademarks of their respective holders.
Software covered by the following third party copyrights may be included with this product and will also be subject to the software license agreement: Copyright 1998 © Carnegie Mellon University. All rights reserved. Copyright © David L. Mills 1993, 1994. Copyright © 1992, 1993, 1994, 1997 Henry Spencer. Copyright © Jean-loup Gailly and Mark Adler. Copyright © 1999, 2000 by Jeff Poskanzer. All rights reserved. Copyright © Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves. All rights reserved. Copyright © 1982, 1985, 1986, 1988-1991, 1993 Regents of the University of California. All rights reserved. Copyright © 1995 Tatu Ylonen, Espoo, Finland. All rights reserved. Copyright © UNIX System Laboratories, Inc. Copyright © 2001 Mark R V Murray. Copyright 1995-1998 © Eric Young. Copyright © 1995,1996,1997,1998. Lars Fenneberg. Copyright © 1992. Livingston Enterprises, Inc. Copyright © 1992, 1993, 1994, 1995. The Regents of the University of Michigan and Merit Network, Inc. Copyright © 1991-2, RSA Data Security, Inc. Created 1991. Copyright © 1998 Juniper Networks, Inc. All rights reserved. Copyright © 2001, 2002 Networks Associates Technology, Inc. All rights reserved. Copyright (c) 2002 Networks Associates Technology, Inc. Copyright 1999-2001 © The Open LDAP Foundation. All Rights Reserved. Copyright © 1999 Andrzej Bialecki. All rights reserved. Copyright © 2000 The Apache Software Foundation. All rights reserved. Copyright(C) 2001-2003 Robert A. van Engelen, Genivia inc. All Rights Reserved. Copyright (c) 1997-2004 University of Cambridge. All rights reserved. Copyright (c) 1995. David Greenman. Copyright (c) 2001 Jonathan Lemon. All rights reserved. Copyright (c) 1997, 1998, 1999. Bill Paul. All rights reserved. Copyright (c) 1994-1997 Matt Thomas. All rights reserved. Copyright © 2000 Jason L. Wright. Copyright © 2000 Theo de Raadt. Copyright © 2001 Patrik Lindergren. All rights reserved.
Preface
Formatting Conventions for NetScaler Documentation
Documentation Available on the NetScaler Appliance
Getting Service and Support
NetScaler Documentation Feedback
1 IP Addressing
Configuring NetScaler-Owned IP Addresses
Configuring the NetScaler IP Address (NSIP)
To create the NetScaler IP address by using the NetScaler command line
Parameters for configuring the NSIP address
To configure the NetScaler IP address by using the configuration utility
Configuring and Managing Virtual IP Addresses (VIPs)
To create a VIP address by using the NetScaler command line
To create a range of VIP addresses by using the NetScaler command line
Parameters for configuring VIP addresses
To configure a VIP address by using the configuration utility
To create a range of VIP addresses by using the configuration utility
To enable or disable an IPv4 VIP address by using the NetScaler command line
To enable or disable a VIP address by using the configuration utility
Configuring ARP response Suppression for Virtual IP addresses (VIPs)
To configure ARP response suppression by using the NetScaler command line
Parameter for configuring ARP response suppression
To configure ARP response suppression by using the configuration utility
Configuring Subnet IP Addresses (SNIPs)
To configure a SNIP address by using the NetScaler command line
To create a range of SNIP addresses by using the NetScaler command line
Parameters for configuring SNIP addresses
To configure a SNIP address by using the configuration utility
To enable or disable USNIP mode by using the NetScaler command line
To enable or disable USNIP mode by using the configuration utility
Configuring Mapped IP Addresses (MIPs)
To create a MIP address by using the NetScaler command line
To create a range of MIP addresses by using the NetScaler command line
Parameters for configuring MIP addresses
To configure a MIP address by using the configuration utility
To create a range of MIP addresses by using the configuration utility
Configuring GSLB Site IP Addresses (GSLBIP)
Removing a NetScaler-Owned IP Address
To remove an IP address by using the NetScaler command line
To remove an IP address by using the configuration utility
Configuring Application Access Controls
To configure management access for an IP address by using the NetScaler command line
Parameters for customizing a SNIP or MIP address
To enable management access for an IP address by using the configuration utility
How the NetScaler Proxies Connections
How the Destination IP Address Is Selected
How the Source IP Address Is Selected
Enabling Use Source IP Mode
Recommended Usage
To globally enable or disable USIP mode by using the NetScaler command line
To enable USIP mode for a service by using the NetScaler command line
To globally enable or disable USIP mode by using the configuration utility
To enable USIP mode for a service by using the configuration utility
Configuring Network Address Translation
Configuring INAT
To create an INAT entry by using the NetScaler command line
To modify an INAT entry by using the NetScaler command line
Basic parameters for configuring INAT
To configure an INAT entry by using the configuration utility
To remove an INAT configuration by using the configuration utility
Coexistence of INAT and Virtual Servers
Configuring RNAT
Creating an RNAT Entry
Monitoring RNAT
RNAT in USIP, USNIP, and LLB Modes
To add a static ARP entry by using the NetScaler command line
To remove a static ARP entry by using the NetScaler command line
Parameters for adding a static ARP entry
To add a static ARP entry by using the configuration utility
Setting the Timeout for Dynamic ARP Entries
To set the time-out for dynamic ARP entries by using the NetScaler command line
Example
To set the time-out for dynamic ARP entries to its default value by using the NetScaler command line
Example
To set the time-out for dynamic ARP entries by using the configuration utility
Configuring Neighbor Discovery
Adding IPv6 Neighbors
To add an IPv6 neighbor by using the NetScaler command line
Neighbor Discovery Parameters
To add an IPv6 neighbor by using the configuration utility
Removing IPv6 Neighbors
To remove a neighbor discovery entry by using the NetScaler command line
To remove all neighbor discovery entries by using the NetScaler command line
To remove a neighbor discovery entry by using the configuration utility
To remove all neighbor discovery entries by using the configuration utility
Configuring IP Tunnels
NetScaler as an Encapsulator (Load Balancing with DSR Mode)
NetScaler as a Decapsulator
Creating IP Tunnels
To create an IP tunnel by using the NetScaler command line
To remove an IP tunnel by using the NetScaler command line
Parameters for creating an IP tunnel
To create an IP Tunnel by using the configuration utility
Customizing IP Tunnels Globally
To globally customize IP tunnels by using the NetScaler command line
Parameters for customizing IP tunnels globally
To globally customize IP tunnels by using the configuration utility
2 Interfaces
Configuring MAC-Based Forwarding
To enable or disable MAC-based forwarding by using the NetScaler command line
To enable or disable MAC-based forwarding by using the configuration utility
Configuring Network Interfaces
Setting the Network Interface Parameters
To set the network interface parameters by using the NetScaler command line
Parameters for setting a Network Interface
To set the network interface parameters by using the configuration utility
Enabling and Disabling Network Interfaces
To enable or disable a network interface by using the NetScaler command line
To enable or disable a network interface by using the configuration utility
Resetting Network Interfaces
To reset a network interface by using the NetScaler command line
To reset a network interface by using the configuration utility
Monitoring a Network Interface
To display the statistics of the network interfaces by using the NetScaler command line
To display the statistics of an Interface by using the configuration utility
To clear a network interface’s statistics by using the NetScaler command line
To clear a network interface’s statistics by using the configuration utility
Understanding VLANs
Applying Rules to Classify Frames
VLANs and Packet Forwarding on the NetScaler
Configuring a VLAN
Creating or Modifying a VLAN
To create a VLAN by using the NetScaler command line
To bind an interface to a VLAN by using the NetScaler command line
To bind an IP address to a VLAN by using the NetScaler command line
To remove a VLAN by using the NetScaler command line
Parameters for configuring a VLAN
To configure a VLAN by using the configuration utility
Monitoring VLANS
To view the statistics of a VLAN by using the NetScaler command line
To view the statistics of a VLAN by using the configuration utility
Configuring VLANs in an HA Setup
Configuring VLANs on a Single Subnet
Configuring VLANs on Multiple Subnets
Configuring Multiple VLANs with 802.1q Tagging
Configuring Bridge Groups
To add a bridge group and bind VLANs by using the NetScaler command line
To remove a bridge group by using the NetScaler command line
Parameters for configuring bridge groups
To configure a bridge group by using the configuration utility
Configuring VMACs
Configuring Link Aggregation
Configuring Link Aggregation Manually
To create a link aggregation channel by using the NetScaler command line
To bind an interface to or unbind an interface from an existing link aggregation channel by using the NetScaler command line
To modify a link aggregation channel by using the NetScaler command line
Parameters for configuring a link aggregation channel
To configure a link aggregation channel by using the configuration utility
To remove a link aggregation channel by using the NetScaler command line
To remove a link aggregation channel by using the configuration utility
Configuring Link Aggregation by Using the Link Aggregation Control Protocol
Creating Link Aggregation Channels
Modifying Link aggregation Channels
Removing a Link Aggregation Channel
Binding an SNIP address to an Interface
To configure the example settings
Monitoring the Bridge Table and Changing the Aging time
To display the bridge table by using NetScaler command line
To display the bridge table by using the configuration utility
To change the aging time by using the NetScaler command line
Parameter for changing the aging time
To change the aging time by using the configuration utility
To view the statistics of a bridge table by using the NetScaler command line
To view the statistics of a bridge table by using the configuration utility
Understanding NetScaler Appliances in Active-Active Mode Using VRRP
Health Tracking
Preemption
Sharing
Configuring Active-Active Mode
Adding a VMAC
To add a VMAC by using the NetScaler command line
Parameters for configuring a VMAC
To bind a VMAC by using the NetScaler command line
To bind a VMAC to a VIP by using the NetScaler configuration utility
Configuring Send to Master
To enable send to master by using the NetScaler command line
Parameter for enabling send to master
To enable send to master by using the configuration utility
An Active-Active Deployment Scenario
Using the Network Visualizer
To open the Network Visualizer
To locate a VLAN or bridge group in the Visualizer
To view the configuration details of an entity by using the Visualizer
To modify the network settings of the appliance by using the Visualizer
To add a channel by using the Visualizer
To add a VLAN by using the Visualizer
To add a bridge group by using the Visualizer
To modify the settings of an interface or channel by using the Visualizer
To enable or disable an interface or channel by using the Visualizer
To remove a configured channel, VLAN, or bridge group by using the Visualizer
To view statistics for a node, channel, interface, or VLAN by using the Visualizer
To set up an HA deployment by using the Visualizer
To view the high availability details of a node by using the Visualizer
To force the secondary node to take over as the primary by using the Visualizer
To synchronize the secondary node's configuration with the primary node by using the Visualizer
To remove the peer node from the HA configuration
To copy the properties of a node or network entity by using the Visualizer
3 Access Control Lists
ACL Precedence
Configuring Simple ACLs
Creating Simple ACLs
To create a simple ACL by using the NetScaler command line
Parameters for configuring a Simple ACL
To create a simple ACL by using the configuration utility
Monitoring Simple ACLs
To view simple ACL statistics by using the NetScaler command line
To display simple ACL statistics by using the configuration utility
Removing Simple ACLs
To remove a single simple ACL by using the NetScaler command line
To remove a single simple ACL by using the configuration utility
To remove all simple ACLs by using the configuration utility
Configuring Extended ACLs
Creating and Modifying an Extended ACL
To create an extended ACL by using the NetScaler command line
Parameters for configuring an extended ACL
To create an extended ACL by using the configuration utility
Applying an Extended ACL
To apply an ACL by using the NetScaler command line
To apply an ACL by using the configuration utility
Disabling and Enabling Extended ACLs
To disable or enable an extended ACL by using the NetScaler command line
To disable or enable an extended ACL by using the configuration utility
Renumbering the priority of Extended ACLs
To renumber the ACLs by using the NetScaler command line
To renumber the ACLs by using the configuration utility
Configuring Extended ACL Logging
To configure ACL Logging by using the NetScaler command line
Logging parameters of an extended ACL
To configure ACL Logging by using the configuration utility
Monitoring the Extended ACL
To display the statistics of an extended ACL by using the NetScaler command line
To display the statistics of an extended ACL by using the configuration utility
Removing Extended ACLs
To remove a single extended ACL by using the NetScaler command line
To remove all extended ACLs by using the NetScaler command line
To remove a single extended ACL by using the configuration utility
To remove all extended ACLs by using the configuration utility
Configuring Simple ACL6s
Creating Simple ACL6s
To create a simple ACL6 by using the NetScaler command line
Parameters for configuring a simple ACL6
To create a simple ACL6 by using the configuration utility
To remove a single simple ACL6 by using the NetScaler command line
To remove all simple ACL6s by using the NetScaler command line
To remove one or all simple ACL6s by using the configuration utility
To display simple ACL6 statistics by using the NetScaler command line
To display simple ACL6 statistics by using the configuration utility
Configuring ACL6s
Creating and Modifying ACL6s
To create an ACL6 by using the NetScaler command line
To modify or remove an ACL6 by using the NetScaler command line
Parameters for configuring an ACL6
To create an ACL6 by using the configuration utility
Applying ACL6s
To apply ACL6s by using the NetScaler command line
To apply ACL6s by using the configuration utility
Enabling and Disabling ACL6s
To disable or enable an ACL6 by using the NetScaler command line
To disable or enable an ACL6 by using the configuration utility
Renumbering the Priority of ACL6s
To renumber the priorities of the ACL6s by using the NetScaler command line
To renumber the priority of ACL6s by using the configuration utility
Monitoring ACL6s
To display the statistics for an ACL6s by using the NetScaler command line
To display the statistics for an ACL6 by using the configuration utility
Removing ACL6s
To remove an extended ACL6 by using the NetScaler command line
To remove all extended ACL6s by using the NetScaler command line
To remove an extended ACL6 by using the configuration utility
To remove all extended ACLs by using the configuration utility
Terminating Established Connections
To terminate all established IPv4 connections that match any of your configured simple ACLs by using the NetScaler command line
To terminate all established IPv4 connections that match any of your configured simple ACLs by using the configuration utility
To terminate all established IPv6 connections that match any of your configured simple ACL6s by using the NetScaler command line
To terminate all established IPv6 connections that match any of your configured simple ACL6s by using the configuration utility
4 IP Routing
Configuring Dynamic Routes
Routing Tables in the NetScaler
FreeBSD Routing Table
Network Services Module (NSM) FIB
High Availability Setup
Non-Stop Forwarding
Black Hole Avoidance Mechanism
Interfaces for Configuring Dynamic Routing
Configuring RIP
Enabling and Disabling RIP
Advertising Routes
Limiting RIP Propagations
Verifying the RIP Configuration
Configuring OSPF
Enabling and Disabling OSPF
Advertising OSPF Routes
Limiting OSPF Propagations
Verifying the OSPF Configuration
Configuring BGP
Prerequisites for IPv6 BGP
Enabling and Disabling BGP
Advertising IPv4 Routes
Advertising IPv6 BGP Routes
Verifying the BGP Configuration
Configuring IPv6 RIP
Prerequisites for IPv6 RIP
Enabling IPv6 RIP
Advertising IPv6 RIP Routes
Limiting IPv6 RIP Propagations
Verifying the IPv6 RIP Configuration
Configuring IPv6 OSPF
Prerequisites for IPv6 OSPF
Enabling IPv6 OSPF
Advertising IPv6 Routes
Limiting IPv6 OSPF Propagations
Verifying the IPv6 OSPF Configuration
Installing Routes to the NetScaler Routing Table
To install various routes to the internal routing table by using the VTYSH command line
Configuring Static Routes
Monitored Static Routes
Null Routes
Configuring IPv4 Static Routes
To create a static route by using the NetScaler command line
To create a monitored static route by using the NetScaler command line
To create a null route by using the NetScaler command line
To remove a static route by using the NetScaler command line
Parameters for configuring static routes
To configure a static route by using the configuration utility
To remove a route by using the configuration utility
Configuring IPv6 Static Routes
To create an IPv6 route by using the NetScaler command line
To create a monitored IPv6 static route by using the NetScaler command line
To remove an IPv6 route by using the NetScaler command line
Parameters for configuring IPv6 static routes
To configure an IPv6 route by using the configuration utility
To remove an IPv6 route by using the configuration utility
Configuring Policy-Based Routes
Creating or Modifying a PBR
To create a PBR by using the NetScaler command line
To modify the priority of a PBR by using the NetScaler command line
To remove one or all PBRs by using the NetScaler command line
Parameters for configuring a PBR
To create a PBR by using the configuration utility
To remove one or all PBRs by using the configuration utility
Applying a PBR
To apply a PBR by using the NetScaler command line
To apply a PBR by using the configuration utility
Enabling or Disabling PBRs
To enable or disable a PBR by using the NetScaler command line
To enable or disable a PBR by using the configuration utility
Renumbering PBRs
To renumber PBRs by using the NetScaler command line
To renumber PBRs by using the configuration utility
Troubleshooting Routing Issues
Generic Routing FAQs
Troubleshooting OSPF-Specific Issues
5 Internet Protocol version 6 (IPv6)
To enable or disable IPv6 by using the NetScaler command line
To enable or disable IPv6 by using the configuration utility
VLAN Support
Simple Deployment Scenario
To create IPv4 services by using the NetScaler command line
To create IPv4 services by using the configuration utility
To create IPv6 vserver by using the NetScaler command line
To create IPv6 vserver by using the configuration utility
To bind a service to an LB vserver by using the NetScaler command line
To bind a service to an LB vserver by using the configuration utility
Host Header Modification
To change the IPv6 address in the host header to an IPv4 address by using the NetScaler command line
To change the IPv6 address in the host header to an IPv4 address by using the configuration utility
VIP Insertion
To configure a mapped IPv6 address by using the NetScaler command line
To configure a mapped IPv6 address by using the configuration utility
To enable VIP insertion by using the NetScaler command line
To enable VIP insertion by using the configuration utility
6 High Availability
Considerations for a High Availability Setup
Configuring High Availability
Adding a Remote Node
To add a node by using the NetScaler command line
To disable an HA monitor by using the NetScaler command line
Parameters for adding a remote node
To add a remote node by using the configuration utility
Disabling or Enabling a Node
To disable or enable a node by using the NetScaler command line
To disable or enable a node by using the configuration utility
Removing a Node
To remove a node by using the NetScaler command line
To remove a node by using the configuration utility
Configuring the Communication Intervals
To set the hello and dead intervals by using the NetScaler command line
Parameters for setting the hello and dead intervals
To set the hello and dead intervals by using the configuration utility
Disabling or Enabling Synchronization
To disable or enable automatic synchronization by using the NetScaler command line
To disable or enable synchronization by using the configuration utility
Forcing the Secondary Node to Synchronize with the Primary Node
To force synchronization by using the NetScaler command line
To force synchronization by using the configuration utility
Configuring Command Propagation
To disable or enable command propagation by using the NetScaler command line
To disable or enable command propagation by using the configuration utility
Configuring Fail-Safe Mode
To enable fail-safe mode by using the NetScaler command line
To enable fail-safe mode by using the configuration utility
Configuring Virtual MAC Addresses
Configuring IPv4 VMACs
Creating or Modifying an IPv4 VMAC
Removing an IPv4 VMAC
Configuring IPv6 VMAC6s
Creating or Modifying a VMAC6
Removing a VMAC6
Configuring High Availability Nodes in Different Subnets
Adding a Remote Node
To add a node by using the NetScaler command line
To disable an HA monitor by using the NetScaler command line
Parameters for adding a remote node
To add a remote node by using the configuration utility
Removing a Node
To remove a node by using the NetScaler command line
To remove a node by using the configuration utility
Configuring Route Monitors
Adding a Route Monitor to a High Availability Node
To add a route monitor by using the NetScaler command line
Parameters for adding a route monitor
To add a route monitor by using the configuration utility
Removing Route Monitors
To remove a route monitor by using the NetScaler command line
To remove a route monitor by using the configuration utility
Configuring FIS
To add an FIS and bind interfaces to it by using the NetScaler command line
To unbind an interface from an FIS by using the NetScaler command line
Parameters for configuring an FIS
To configure an FIS by using the configuration utility
Removing an FIS
To remove an FIS by using the NetScaler command line
To remove an FIS by using the configuration utility
Understanding the Causes of Failover
Forcing a Node to Fail Over
Forcing Failover on the Primary Node
To force failover on the primary node by using the NetScaler command line
To force failover on the primary node by using the configuration utility
Forcing Failover on the Secondary Node
To force failover on the secondary node by using the NetScaler command line
To force failover on the secondary node by using the configuration utility
Forcing Failover When Nodes Are in Listen Mode
To force failover when nodes are in listen mode by using the NetScaler command line
To force failover when nodes are in listen mode by using the configuration utility
Forcing the Secondary Node to Stay Secondary
To force the secondary node to stay secondary by using the NetScaler command line
To force the secondary node to stay secondary by using the configuration utility
Forcing the Primary Node to Stay Primary
To force the primary node to stay primary by using the NetScaler command line
To force the primary node to stay primary by using the configuration utility
Understanding the High Availability Health Check Computation
Troubleshooting High Availability Issues
To retrieve the current system configuration
Learn about the Citrix® NetScaler® collection of documentation, including information about support options and ways to send us feedback.
In This Preface:
- Formatting Conventions for NetScaler Documentation
- Documentation Available on the NetScaler Appliance
- Getting Service and Support
- NetScaler Documentation Feedback
Formatting Conventions for NetScaler Documentation
The NetScaler documentation uses the following formatting conventions.
Table 1. Formatting Conventions
Convention: Boldface
Meaning: In text paragraphs or steps in a procedure, information that you type exactly as shown (user input), or an element in the user interface.
Convention: Monospace
Meaning: Text that appears in a command-line interface. Used for examples of command-line procedures. Also used to distinguish interface terms, such as names of directories and files, from ordinary text.
Convention: <angle brackets>
Meaning: A term enclosed in angle brackets is a variable placeholder, to be replaced with an appropriate value. Do not enter the angle brackets.
Convention: [ brackets ]
Meaning: Optional items in command statements. For example, in the following command, [ -range <positiveInteger> ] means that you have the option of entering a range, but it is not required:
add lb vserver <name> <serviceType> <IPAddress> <port> [ -range <positiveInteger> ]
Do not type the brackets themselves.
Convention: | (vertical bar)
Meaning: A separator between options in braces or brackets in command statements. For example, the following indicates that you choose one of the following load balancing methods:
<lbMethod> = ( ROUNDROBIN | LEASTCONNECTION | LEASTRESPONSETIME | URLHASH | DOMAINHASH | DESTINATIONIPHASH | SOURCEIPHASH | SRCIPDESTIPHASH | LEASTBANDWIDTH | LEASTPACKETS | TOKEN | SRCIPSRCPORTHASH | LRTM | CALLIDHASH | CUSTOMLOAD )
Convention: … (ellipsis)
Meaning: You can repeat the previous item or items in command statements. For example, /route:<DeviceName>[ ,…] means you can type additional <DeviceNames> separated by commas.
Documentation Available on the NetScaler Appliance
A complete set of Citrix® NetScaler® documentation is available on the Documentation tab of your NetScaler appliance, at http://support.citrix.com/ (PDF version), and at http://edocs.citrix.com (HTML version). (The PDF version of the documents requires Adobe Reader, available at http://adobe.com/.)
To view the documentation
1. From a Web browser, log on to the NetScaler Appliance.
2. Click the Documentation tab.
3. To view a short description of each document, hover the mouse pointer over the title. To open a document, click the title.
Getting Service and Support
Citrix® offers a variety of resources for support with your Citrix environment, including the following:
• The Knowledge Center is a self-service, Web-based technical support database that contains thousands of technical solutions, including access to the latest hotfixes, service packs, and security bulletins.
• Technical Support Programs for both software support and appliance maintenance are available at a variety of support levels.
• The Subscription Advantage program is a one-year membership that gives you an easy way to stay current with the latest product version upgrades and enhancements.
• Citrix Education provides official training and certification programs on virtually all Citrix products and technologies.
For more information about Citrix services and support, see the Citrix Systems Support Web site at http://www.citrix.com/lang/English/support.asp.
You can also participate in and follow technical discussions offered by the experts on various Citrix products at the following sites:
• http://community.citrix.com
• http://twitter.com/citrixsupport
• http://forums.citrix.com/support
NetScaler Documentation Feedback
You are encouraged to provide feedback and suggestions so that we can enhance the documentation. You can send an email to [email protected]. In the subject line, specify "Documentation Feedback." Please include the title of the guide and the page number in the email message.
You can also provide feedback through the Knowledge Center at http://support.citrix.com/.
To provide feedback at the Knowledge Center home page
1. Go to the Knowledge Center home page at http://support.citrix.com/.
2. On the Knowledge Center home page, under Products, expand NetScaler, and then click the NetScaler release for which you want to provide feedback.
3. On the Documentation tab, click the guide name, and then click Article Feedback.
IP Addressing
Topics:
• Configuring NetScaler-Owned IP Addresses
• How the NetScaler Proxies Connections
• Enabling Use Source IP Mode
• Configuring Network Address Translation
• Configuring Static ARP
• Setting the Timeout for Dynamic ARP Entries
• Configuring Neighbor Discovery
• Configuring IP Tunnels
Before you can configure the NetScaler® appliance, you must assign the NetScaler IP Address (NSIP), also known as the Management IP address. You can also create other NetScaler-owned IP addresses for abstracting servers and establishing connections with the servers. In this type of configuration, the appliance serves as a proxy for the abstracted servers. You can also proxy connections by using network address translations (INAT and RNAT). When proxying connections, the appliance can behave either as a bridging (Layer 2) device or as a packet forwarding (Layer 3) device. To make packet forwarding more efficient, you can configure static ARP entries. For IPv6, you can configure neighbor discovery (ND).
Configuring NetScaler-Owned IP Addresses
The NetScaler-owned IP Addresses—NetScaler IP Address (NSIP), Virtual IP Addresses (VIPs), Subnet IP Addresses (SNIPs), Mapped IP Addresses (MIPs), and Global Server Load Balancing Site IP Addresses (GSLBIPs)—exist only on the NetScaler appliance. The NSIP uniquely identifies the NetScaler on your network, and it provides access to the appliance. A VIP is a public IP address to which a client sends requests. The NetScaler terminates the client connection at the VIP and initiates a connection with a server. This new connection uses a SNIP or a MIP as the source IP address for packets forwarded to the server. If you have multiple data centers that are geographically distributed, each data center can be identified by a unique GSLBIP. You can configure some NetScaler-owned IP addresses to provide access for management applications.
Configuring the NetScaler IP Address (NSIP)
The NetScaler IP (NSIP) address is the IP address at which you access the NetScaler for management purposes. The NetScaler can have only one NSIP, which is also called the Management IP address. You must add this IP address when you configure the NetScaler for the first time. If you modify this address, you must reboot the NetScaler. You cannot remove an NSIP address. For security reasons, NSIP should be a non-routable IP address on your organization's LAN.
Note: Configuring the NetScaler IP address is mandatory.
To create the NetScaler IP address by using the NetScaler command line
At the NetScaler command prompt, type:
• set ns config [-IPAddress <ip_addr> -netmask <netmask>]
• show ns config
Example
> set ns config -ipaddress 10.102.29.170 -netmask 255.255.255.0
Done
> show ns config
NetScaler IP: 10.102.29.170 (mask: 255.255.255.0)
Number of MappedIP(s): 1
Node: Standalone
Global configuration settings:
HTTP port(s): (none)
Max connections: 0
Max requests per connection: 0
Client IP insertion: DISABLED
Cookie version: 0
Persistence Cookie Secure Flag: ENABLED
Min Path MTU: 576
Path MTU entry timeout: 10
FTP Port Range: 0
Timezone: GMT-11:00-SST-Pacific/Pago_Pago
Done
Parameters for configuring the NSIP address
IPAddress
Unique identification used to represent an entity. This is a mandatory parameter.
netmask
Subnet mask associated with the IP address. This is a mandatory parameter.
To configure the NetScaler IP address by using the configuration utility
1. In the navigation pane, click NetScaler.
2. On the System Overview page, click Setup Wizard.
3. In the Setup Wizard dialog box, click Next.
4. Under System Configuration, specify values for the following parameters, which correspond to parameters described in "Parameters for configuring the NetScaler IP address" as shown:
• IP Address*—IPAddress
• Netmask*—netmask
* A required parameter
5. Follow the instructions in the Setup Wizard to complete the configuration.
Configuring and Managing Virtual IP Addresses (VIPs)
Configuration of a virtual server IP address (VIP) is not mandatory during initial configuration of the NetScaler. When you configure load balancing, you assign VIPs to virtual servers.
For more information about configuring the load balancing setup, see the "Load Balancing" chapter of the Citrix NetScaler Traffic Management Guide at http://support.citrix.com/article/CTX123869.
In some situations, you need to customize VIP attributes or enable or disable a VIP. A VIP is usually associated with a virtual server, and some of the attributes of the VIP are customized to meet the requirements of the virtual server. You can host the same virtual server on multiple NetScaler appliances residing on the same broadcast domain, by using ARP and ICMP attributes. After you add a VIP (or any IP address), the NetScaler sends, and then responds to, ARP requests. VIPs are the only NetScaler-owned IP addresses that can be disabled. When a VIP is disabled, the virtual server using it goes down and does not respond to ARP, ICMP, or L4 service requests.
As an alternative to creating VIPs one at a time, you can specify a consecutive range of VIPs.
To create a VIP address by using the NetScaler command line
At the NetScaler command prompt, type:
• add ns ip <IPAddress> <netmask> -type <type>
• show ns ip <IPAddress>
Example
> add ns ip 10.102.29.59 255.255.255.0 -type VIP
Done
> show ns ip 10.102.29.59
IP: 10.102.29.59
Netmask: 255.255.255.0
Type: VIP
state: Enabled
arp: Enabled
icmp: Enabled
vserver: Enabled
management access: Disabled
telnet: Disabled
ftp: Disabled
ssh: Disabled
gui: Disabled
snmp: Enabled
Restrict access: Disabled
dynamic routing: Disabled
hostroute: Disabled
Warning: management access is disabled
Done
To create a range of VIP addresses by using the NetScaler command line
At the NetScaler command prompt, type:
• add ns ip <IPAddress> <netmask> -type <type>
• show ns ip <IPAddress>
Example
> add ns ip 10.102.29.[60-64] 255.255.255.0 -type VIP
ip "10.102.29.60" added
ip "10.102.29.61" added
ip "10.102.29.62" added
ip "10.102.29.63" added
ip "10.102.29.64" added
Done
> show ip
    Ipaddress      Type          Mode    Arp      Icmp     Vserver  State
    ---------      ----          ----    ---      ----     -------  -----
1)  10.102.29.170  NetScaler IP  Active  Enabled  Enabled  NA       Enabled
2)  10.102.29.171  MIP           Active  Enabled  Enabled  NA       Enabled
. .
46) 10.102.29.60   VIP           Active  Enabled  Enabled  Enabled  Enabled
47) 10.102.29.61   VIP           Active  Enabled  Enabled  Enabled  Enabled
48) 10.102.29.62   VIP           Active  Enabled  Enabled  Enabled  Enabled
49) 10.102.29.63   VIP           Active  Enabled  Enabled  Enabled  Enabled
50) 10.102.29.64   VIP           Active  Enabled  Enabled  Enabled  Enabled
Done
Parameters for configuring VIP addresses
ipAddress (IP Address)
Unique identification used to represent an entity. This is a required parameter.
netmask (Netmask)
Subnet mask associated with the IP address. This is a required parameter.
type (Type)
Type of the IP address. Specify VIP.
arp (ARP)
Use Address Resolution Protocol (ARP) to map IP addresses to the corresponding hardware addresses. Possible values: Enabled, Disabled. Default: Enabled.
icmpresponse (ICMP Response)
NetScaler sends ICMP responses to PING requests according to this value. The user network applications that use ICMP are PING and TRACEROUTE. This parameter can be set only if type is set as VIP. Possible values: NONE, ONE_VSERVER, ALL_VSERVERS, and VSVR_CNTRLD. Default value: NONE.
• When you select NONE, NetScaler always responds (even when the virtual server is DOWN).
• When you select ONE_VSERVER, NetScaler responds if at least one virtual server on this IP address is UP.
• When you select ALL_VSERVERS, NetScaler responds only if all the virtual servers on this IP address are UP.
• When you select VSVR_CNTRLD, the behavior depends on the ICMP VSERVER RESPONSE setting on the virtual server.
The following settings can be made on a virtual server:
• When you set ICMP VSERVER RESPONSE to PASSIVE on all virtual servers, NetScaler always responds.
• When you set ICMP VSERVER RESPONSE to ACTIVE on all virtual servers, NetScaler responds even if one virtual server is UP.
• When you set ICMP VSERVER RESPONSE to ACTIVE on some and PASSIVE on others, NetScaler responds even if one virtual server set to ACTIVE is UP.
arpresponse (ARP Response)
NetScaler appliance sends ARP responses according to this value. This parameter can be set only if type is set as VIP. Possible values: NONE, ONE_VSERVER. Default value: NONE.
• When you select NONE, NetScaler always responds (even when the virtual server is DOWN).
• When you select ONE_VSERVER, NetScaler responds if at least one virtual server on this IP address is UP.
• When you select ALL_VSERVERS, NetScaler responds only if all the virtual servers on this IP address are UP.
vServer (Virtual Server)
Apply the vserver attribute to this IP address. Possible values: Enabled, Disabled. Default: Enabled.
state (State)
State of the VIP. Possible values: Enabled, Disabled. Default: Enabled.
To configure a VIP address by using the configuration utility
1. In the navigation pane, expand Network, and then click IPs.
2. In the details pane, do one of the following:
• To modify an existing IP, select the IP, and then click Open.
3. In the Create IP or Configure IP dialog box, set the following parameters:
• IP Address*
• Netmask*
• IP Type: Select VIP.
• ARP Response
• ICMP Response
• ARP
• Virtual Server
• Dynamic Routing
• Host Route
• Gateway IP*
• Metric
• V Server RHI Level
• OSPF LSA Type
• Area
*A required parameter
4. Click Create or OK, and then click Close. The IP address that you configured appears in the details pane.
To create a range of VIP addresses by using the configuration utility
1. In the navigation pane, expand Network, and then click IPs.
2. In the details pane, click Add Range.
3. In the Create IP – Range dialog box, set the following parameters:
• IP Address*
• Netmask*
• Type—type. Select VIP.
• IP Type
• ARP
• ICMP Response
• Virtual Server
• Dynamic Routing
• Host Route
• Gateway IP*
• Metric
• V Server RHI Level
• OSPF LSA Type
• Area
*A required parameter
4. Click Create, and then click Close. The range of IP addresses that you created appears in the details pane.
To enable or disable an IPv4 VIP address by using the NetScaler command line
At the NetScaler command prompt, type one of the following sets of commands to enable or disable a VIP and verify the configuration:
• enable ns ip <IPAddress>
• show ns ip <IPAddress>
• disable ns ip <IPAddress>
• show ns ip <IPAddress>
Example
> enable ns ip 10.102.29.79
Done
> show ns ip 10.102.29.79
IP: 10.102.29.79
Netmask: 255.255.255.255
Type: VIP
state: Enabled
arp: Enabled
icmp: Enabled
vserver: Enabled
management access: Disabled
telnet: Disabled
ftp: Disabled
ssh: Disabled
gui: Disabled
snmp: Disabled
Restrict access: Disabled
dynamic routing: Disabled
hostroute: Disabled
Done
> disable ns ip 10.102.29.79
Done
IP: 10.102.29.79
Netmask: 255.255.255.255
Type: VIP
state: Disabled
arp: Enabled
icmp: Enabled
vserver: Enabled
management access: Disabled
telnet: Disabled
ftp: Disabled
ssh: Disabled
gui: Disabled
snmp: Disabled
Restrict access: Disabled
dynamic routing: Disabled
hostroute: Disabled
Done
To enable or disable a VIP address by using the configuration utility
1. In the navigation pane, expand Network, and then click IPs.
2. In the details pane, on the IPv4s tab, select the VIP address and do one of the following:
• To enable the selected IP address, click Enable.
• To disable the selected IP address, click Disable.
3. In the details pane, verify that the VIP address is enabled or disabled, as appropriate.
Configuring ARP Response Suppression for Virtual IP Addresses (VIPs)
You can configure the NetScaler appliance to respond or not respond to ARP requests for a Virtual IP (VIP) address on the basis of the state of the virtual servers associated with that VIP.
For example, if virtual servers V1, of type HTTP, and V2, of type HTTPS, share VIP address 10.102.29.45 on a NetScaler appliance, you can configure the appliance to not respond to any ARP request for VIP 10.102.29.45 if both V1 and V2 are in the DOWN state.
The following three options are available for configuring ARP-response suppression for a virtual IP address.
• NONE. The NetScaler appliance responds to any ARP request for the VIP address, irrespective of the state of the virtual servers associated with the address.
• ONE VSERVER. The NetScaler appliance responds to any ARP request for the VIP address if at least one of the associated virtual servers is in UP state.
• ALL VSERVER. The NetScaler appliance responds to any ARP request for the VIP address if all of the associated virtual servers are in UP state.
The following table shows the sample behavior of the NetScaler appliance for a VIP configured with two virtual servers:
Associated virtual servers for a VIP       STATE 1  STATE 2  STATE 3  STATE 4
NONE
  V1                                       UP       UP       DOWN     DOWN
  V2                                       UP       DOWN     UP       DOWN
  Respond to an ARP request for this VIP?  Yes      Yes      Yes      Yes
ONE VSERVER
  V1                                       UP       UP       DOWN     DOWN
  V2                                       UP       DOWN     UP       DOWN
  Respond to an ARP request for this VIP?  Yes      Yes      Yes      No
ALL VSERVER
  V1                                       UP       UP       DOWN     DOWN
  V2                                       UP       DOWN     UP       DOWN
  Respond to an ARP request for this VIP?  Yes      No       No       No
Consider an example where you want to test the performance of two virtual servers, V1 and V2, which have the same VIP address but are of different types and are each configured on NetScaler appliances NS1 and NS2. Let's call the shared VIP address VIP1. V1 load balances servers S1, S2, and S3. V2 load balances servers S4 and S5.
On both NS1 and NS2, for VIP1, the ARP suppression parameter is set to ALL_VSERVER. If you want to test the performance of V1 and V2 on NS1, you must manually disable V1 and V2 on NS2, so that NS2 does not respond to any ARP request for VIP1.
Figure 1-1.
The execution flow is as follows:
1. Client C1 sends a request to V1. The request reaches R1.
2. R1 does not have an ARP entry for the IP address (VIP1) of V1, so R1 broadcasts an ARP request for VIP1.
3. NS1 replies with source MAC address MAC1 and source IP address VIP1. NS2 does not reply to the ARP request.
4. SW1 learns the port for VIP1 from the ARP reply and updates its bridge table, and R1 updates the ARP entry with MAC1 and VIP1.
5. R1 forwards the packet to address VIP1 on NS1.
6. NS1's load balancing algorithm selects server S2, and NS1 opens a connection between one of its SNIP or MIP addresses and S2. When S2 sends a response to the client, the response returns by the same path.
7. Now you want to test the performance of V1 and V2 on NS2, so you enable V1 and V2 on NS2 and disable them on NS1. NS2 now broadcasts an ARP message for VIP1. In the message, MAC2 is the source MAC address and VIP1 is the source IP address.
8. SW1 learns the port number for reaching MAC2 from the ARP broadcast and updates its bridge table to send subsequent client requests for VIP1 to NS2. R1 updates its ARP table.
9. Now suppose the ARP entry for VIP1 times out in the ARP table of R1, and client C1 sends a request for V1. Because R1 does not have an ARP entry for VIP1, it
10. NS2 replies with a source MAC address and VIP1 as the source IP address. NS1 does not reply to the ARP request.
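The response rules in the table above, together with the ICMP Response rules listed under the VIP parameters, written as a small Python model (an added example, not NetScaler code and not from Citrix). It reproduces the table and reports which appliance answers ARP for the shared VIP in the NS1/NS2 scenario; the class and function names are hypothetical, the mode names follow the CLI values, and treating a disabled virtual server as DOWN is an assumption.

```python
# Added example: a model of the VIP response rules in this guide, not NetScaler code.
from dataclasses import dataclass

UP, DOWN = "UP", "DOWN"


@dataclass(frozen=True)
class VServer:
    name: str
    state: str                   # UP or DOWN; a disabled virtual server is modelled as DOWN (assumption)
    icmp_mode: str = "PASSIVE"   # ICMP VSERVER RESPONSE setting: PASSIVE or ACTIVE


def _by_state(mode, vservers):
    """Rule shared by arpResponse and icmpResponse: NONE, ONE_VSERVER, ALL_VSERVERS."""
    if mode == "NONE":
        return True              # always responds, even when every virtual server is DOWN
    if not vservers:
        # The guide does not say what happens for a VIP with no virtual servers.
        raise ValueError("%s is undefined here for a VIP without virtual servers" % mode)
    if mode == "ONE_VSERVER":
        return any(v.state == UP for v in vservers)
    if mode == "ALL_VSERVERS":
        return all(v.state == UP for v in vservers)
    raise ValueError("unknown response mode: %r" % mode)


def arp_responds(mode, vservers, vip_enabled=True):
    """True if the appliance answers an ARP request for the VIP."""
    if not vip_enabled:
        return False             # a disabled VIP does not respond to ARP, ICMP, or L4 requests
    return _by_state(mode, vservers)


def icmp_responds(mode, vservers, vip_enabled=True):
    """True if the appliance answers a PING to the VIP; adds the VSVR_CNTRLD mode."""
    if not vip_enabled:
        return False
    if mode != "VSVR_CNTRLD":
        return _by_state(mode, vservers)
    active = [v for v in vservers if v.icmp_mode == "ACTIVE"]
    if not active:
        return True              # PASSIVE on all virtual servers: always responds
    return any(v.state == UP for v in active)   # only ACTIVE virtual servers count


def arp_table():
    """Reproduce the two-virtual-server table: one row of four answers per mode."""
    states = [(UP, UP), (UP, DOWN), (DOWN, UP), (DOWN, DOWN)]   # STATE 1..4
    return {
        mode: [arp_responds(mode, [VServer("V1", s1), VServer("V2", s2)])
               for s1, s2 in states]
        for mode in ("NONE", "ONE_VSERVER", "ALL_VSERVERS")
    }


def arp_responders(appliances):
    """appliances: {name: (arp_mode, [VServer, ...])} -> sorted names that answer ARP."""
    return sorted(name for name, (mode, vs) in appliances.items()
                  if arp_responds(mode, vs))


def classify(appliances):
    """Summarise who answers ARP for a VIP shared by several appliances."""
    who = arp_responders(appliances)
    if not who:
        return "no responder"
    if len(who) == 1:
        return "single responder: " + who[0]
    return "multiple responders: " + ", ".join(who)


if __name__ == "__main__":
    for mode, row in arp_table().items():
        print(mode, ["Yes" if r else "No" for r in row])
    up = [VServer("V1", UP), VServer("V2", UP)]
    off = [VServer("V1", DOWN), VServer("V2", DOWN)]
    # Steps 1-6: V1 and V2 are disabled on NS2, so only NS1 answers for VIP1.
    print(classify({"NS1": ("ALL_VSERVERS", up), "NS2": ("ALL_VSERVERS", off)}))
    # With the default NONE on both appliances, both answer regardless of state.
    print(classify({"NS1": ("NONE", up), "NS2": ("NONE", off)}))
```

Running the model with the default NONE setting on both appliances shows why the scenario sets ALL_VSERVER: with NONE, disabling V1 and V2 on NS2 does not stop NS2 from answering ARP for VIP1.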
To configure ARP response suppression by using the NetScaler command line
At the NetScaler command prompt, type:
• set ns ip <IPAddress> [-arpResponse <arpResponse>]
• show ns ip <IPAddress>
Example
> set ns ip 10.102.29.96 -arpResponse ALL_VSERVERS
Done
> show ns ip 10.102.29.96
IP: 10.102.29.96
Netmask: 255.255.255.255
Type: VIP
state: Enabled
arp: Enabled
arpResponse: ALL_VSERVERS
icmp: Enabled
icmpResponse: NONE
vserver: Enabled
management access: Disabled
telnet: Disabled
ftp: Disabled
ssh: Disabled
gui: Disabled
snmp: Enabled
Restrict access: Disabled
dynamic routing: Disabled
hostroute: Disabled
Warning: management access is disabled
Done
Parameter for configuring ARP response suppression
arpresponse (ARP Response)
NetScaler appliance sends ARP responses according to this value. This parameter can be set only if type is set as VIP. Possible values: NONE, ONE_VSERVER. Default value: NONE.
• When you select NONE, NetScaler always responds (even when the virtual server is DOWN).
• When you select ONE_VSERVER, NetScaler responds if at least one virtual server on this IP address is UP.
• When you select ALL_VSERVERS, NetScaler responds only if all the virtual servers on this IP address are UP.
To configure ARP response suppression by using the configuration utility
1. In the navigation pane, expand Network, and then click IPs.
2. In the details pane, select the IP, and then click Open.
3. In the Configure IP dialog box, set the following parameter:
• ARP Response
*A required parameter
4. Click OK, and then click Close.
Configuring Subnet IP Addresses (SNIPs)
A subnet IP (SNIP) address is used in connection management and server monitoring. It is not mandatory to specify a SNIP when you initially configure the NetScaler appliance. In a multiple-subnet scenario, the NetScaler IP (NSIP) address, the mapped IP (MIP) address, and the IP address of a server can exist on different subnets. To eliminate the need to configure additional routes on devices such as servers, you can configure subnet IP addresses (SNIPs) on the NetScaler. With Use SNIP (USNIP) mode enabled, a SNIP is the source IP address of a packet sent from the NetScaler to the server, and the SNIP is the IP address that the server uses to access the NetScaler. This mode is enabled by default.
The SNIP enables the NetScaler appliance to connect to a subnet that is different from that of the MIP and NSIP addresses, in the same way as it connects to its local network. This functionality is very useful in a topology where backend servers are connected directly to the NetScaler appliance through an L2 switch and are in different subnets than the servers addressed through the MIP and NSIP.
When you add a SNIP, a route corresponding to the SNIP is added to the routing table. The NetScaler determines the next hop for a service from the routing table, and if the IP address of the hop is within the range of a SNIP, the NetScaler uses the SNIP to source traffic to the service. When multiple SNIPs cover the IP addresses of the next hops, the SNIPs are used in a round robin manner.
Figure 1-2. USNIP Mode
As an alternative to creating SNIPs one at a time, you can specify a consecutive range of SNIPs.
To configure a SNIP address by using the NetScaler command line
At the NetScaler command prompt, type:
• add ns ip <IPAddress> <netmask> -type <type>
• show ns ip <IPAddress>
Example
> add ns ip 10.102.29.203 255.255.255.0 -type SNIP
Done
> sh ns ip 10.102.29.103
IP: 10.102.29.103
Netmask: 255.255.255.0
Type: SNIP
state: Enabled
arp: Enabled
icmp: Enabled
vserver: NA
management access: Disabled
telnet: Enabled
ftp: Enabled
ssh: Enabled
gui: Enabled
snmp: Enabled
Restrict access: Disabled
dynamic routing: Disabled
hostroute: Disabled
# free ports: 1032111
Warning: management access is disabled
Done
To create a range of SNIP addresses by using the NetScaler command line
At the NetScaler command prompt, type:
• add ns ip <IPAddress> <netmask> -type <type>
• show ns ip <IPAddress>
Example
> add ns ip 10.102.29.[205-209] 255.255.255.0 -type SNIP
ip "10.102.29.205" added
ip "10.102.29.206" added
ip "10.102.29.207" added
ip "10.102.29.208" added
ip "10.102.29.209" added
Done
> sh ns ip
    Ipaddress      Type          Mode    Arp      Icmp     Vserver  State
    ---------      ----          ----    ---      ----     -------  -----
1)  10.102.29.170  NetScaler IP  Active  Enabled  Enabled  NA       Enabled
2)  10.102.29.171  MIP           Active  Enabled  Enabled  NA       Enabled
. .
51) 10.102.29.205  SNIP          Active  Enabled  Enabled  NA       Enabled
52) 10.102.29.206  SNIP          Active  Enabled  Enabled  NA       Enabled
53) 10.102.29.207  SNIP          Active  Enabled  Enabled  NA       Enabled
54) 10.102.29.208  SNIP          Active  Enabled  Enabled  NA       Enabled
55) 10.102.29.209  SNIP          Active  Enabled  Enabled  NA       Enabled
Parameters for configuring SNIP addresses
IPAddress
Unique identification used to represent an entity. This is a required parameter.
netmask
Subnet mask associated with the IP address. This is a required parameter.
type
Type of the IP address. Specify SNIP.
To configure a SNIP address by using the configuration utility
1. In the navigation pane, expand Network, and then click IPs.
2. In the details pane, do one of the following:
• To create a new IP address, click Add.
• To modify an existing IP address, select the address, and then click Open.
3. In the Create IP or Configure IP dialog box, specify values for the following parameters, which correspond to parameters described in “Parameters for configuring SNIP addresses” as shown:
• IP Address*—IPAddress
• Netmask*—netmask
• Type—type (Select SNIP.)
*A required parameter
4. Click Create or OK, and then click Close. The IP address that you configured appears in the details pane.
To create a range of SNIP addresses by using the configuration utility
1. In the navigation pane, expand Network, and then click IPs.
2. In the details pane, click Add Range.
3. In the Create IP – Range dialog box, specify values for the following parameters, which correspond to parameters described in “Parameters for configuring SNIP addresses” as shown:
• IP Address*—IPAddress
• Netmask*—netmask
• Type—type (Select SNIP.)
*A required parameter
4. Click Create, and then click Close. The range of IP addresses that you created appears in the details pane.
To enable or disable USNIP mode by using the NetScaler command line
At the NetScaler command prompt, type one of the following commands:
• enable ns mode usnip
• disable ns mode usnip
To enable or disable USNIP mode by using the configuration utility
1. In the navigation pane, expand System and click Settings.
2. In the details pane, in the Modes and Features group, click Change modes.
3. In the Configure Modes dialog box, do one of the following:
• To enable USNIP, select the Use Subnet IP check box.
• To disable USNIP, clear the Use Subnet IP check box.
4. Click OK.
5. In the Enable/Disable Feature(s)? dialog box, click Yes.
Configuring Mapped IP Addresses (MIPs)
Mapped IP addresses (MIP) are used for server-side connections. A MIP can be considered a default Subnet IP (SNIP) address, because MIPs are used when a SNIP is not available or Use SNIP (USNIP) mode is disabled.
If the mapped IP address is the first in the subnet, the NetScaler appliance adds a route entry, with this IP address as the gateway to reach the subnet. You can create or delete a MIP during run time without rebooting the appliance.
As an alternative to creating MIPs one at a time, you can specify a consecutive range of MIPs.
The following diagram shows the use of the MIP and SNIP addresses in a NetScaler appliance that connects to the backend servers across the subnets.
Figure 1-3. MIP and SNIP addresses
In the setup, if the NetScaler appliance and the backend servers are in the 10.1.1.0/24 subnet, then the appliance uses the MIP address to communicate to the servers. However, if the setup has backend servers on additional subnets, such as 10.2.2.0/24, and there is no router between the NetScaler appliance and the subnet, then you can configure a SNIP address that has a range of 10.2.2.x/24, such as 10.2.2.9 in this case, to communicate to the additional subnet.
You can enable the NetScaler appliance to use the MIP to communicate with the additional subnet. However, if the setup has a firewall application between the appliance and the server, the firewall might block traffic other than 10.2.2.0/24. In such cases, you need a SNIP address to communicate with the servers.
To create a MIP address by using the NetScaler command line
At the NetScaler command prompt, type:
• add ns ip <IPAddress> <netmask> -type <type>
• show ns ip <IPAddress>
Example
> add ns ip 10.102.29.171 255.255.255.0 -type MIP
Done
IP: 10.102.29.171
Netmask: 255.255.255.0
Type: MIP
state: Enabled
arp: Enabled
icmp: Enabled
vserver: NA
management access: Disabled
telnet: Enabled
ftp: Enabled
ssh: Enabled
gui: Enabled
snmp: Enabled
Restrict access: Disabled
dynamic routing: Disabled
hostroute: Disabled
# free ports: 1031960
Warning: management access is disabled
Done
To create a range of MIP addresses by using the NetScaler command line
At the NetScaler command prompt, type:
• add ns ip <IPAddress> <netmask> -type <type>
• show ns ip <IPAddress>
Example
> add ns ip 10.102.29.[173-175] 255.255.255.0 -type MIP
ip "10.102.29.173" added
ip "10.102.29.174" added
ip "10.102.29.175" added
Done
> sh ns ip
    Ipaddress      Type          Mode    Arp      Icmp     Vserver  State
    ---------      ----          ----    ---      ----     -------  -----
1)  10.102.29.170  NetScaler IP  Active  Enabled  Enabled  NA       Enabled
2)  10.102.29.171  MIP           Active  Enabled  Enabled  NA       Enabled
. .
56) 10.102.29.173  MIP           Active  Enabled  Enabled  NA       Enabled
57) 10.102.29.174  MIP           Active  Enabled  Enabled  NA       Enabled
58) 10.102.29.175  MIP           Active  Enabled  Enabled  NA       Enabled
Done
Parameters for configuring MIP addresses
IPAddress
Unique identification used to represent an entity. This is a required parameter.
netmask
Subnet mask associated with the IP address. This is a required parameter.
type
Type of the IP address. Specify MIP.
To configure a MIP address by using the configuration utility
1. In the navigation pane, expand Network, and then click IPs.
2. In the details pane, do one of the following:
• To create a new IP address, click Add.
• To modify an existing IP address, select the address, and then click Open.
3. In the Create IP or Configure IP dialog box, specify values for the following parameters, which correspond to parameters described in “Parameters for configuring MIP addresses” as shown:
• IP Address*—IPAddress
• Netmask*—netmask
• Type—type (Select MIP.)
*A required parameter
4. Click Create or OK, and then click Close. The IP address that you configured appears in the details pane.
To create a range of MIP addresses by using the configuration utility
1. In the navigation pane, expand Network, and then click IPs.
2. In the details pane, click Add Range.
3. In the Create IP – Range dialog box, specify values for the following parameters, which correspond to parameters described in “Parameters for configuring MIP addresses” as shown:
• IP Address*—IPAddress
• Netmask*—netmask
• Type—type (Select MIP.)
*A required parameter
4. Click Create, and then click Close. The range of IP addresses that you created appears in the details pane.
Configuring GSLB Site IP Addresses (GSLBIP)
A GSLB site IP (GSLBIP) address is an IP address associated with a GSLB site. It is not mandatory to specify a GSLBIP address when you initially configure the NetScaler appliance. A GSLBIP address is used only when you create a GSLB site.
For more information about creating a GSLB site IP address, see the "Load Balancing" chapter of the Citrix NetScaler Traffic Management Guide at http://support.citrix.com/article/CTX123869.
Removing a NetScaler-Owned IP Address
You can remove any IP address except the NSIP. The following table provides information about the processes you must follow to remove the various types of IP addresses. Before removing a VIP, remove the associated virtual server.
Table 1-1. Implications of Removing a NetScaler-Owned IP Address
IP address type: Subnet IP address (SNIP)
Implications: If the IP address being removed is the last IP address in the subnet, the associated route is deleted from the route table. If the IP address being removed is the gateway in the corresponding route entry, the gateway for that subnet route is changed to another NetScaler-owned IP address.
IP address type: Mapped IP address (MIP)
Implications: If a SNIP exists, you can remove the MIPs. The NetScaler uses NSIP and SNIPs to communicate with the servers when the MIP is removed. Therefore, you must also enable use SNIP (USNIP) mode. For information about enabling and disabling USNIP mode, see Configuring Subnet IP Addresses (SNIPs).
IP address type: Virtual Server IP address (VIP)
Implications: Before removing a VIP, you must first remove the vserver associated with it.