
Citrix® NetScaler® 9.0 Networking Guide


TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC. ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL.

CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

Modifying the equipment without Citrix' written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.

You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler Request Switch™ 9000 Series equipment. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures:

Move the NetScaler equipment to one side or the other of your equipment. Move the NetScaler equipment farther away from your equipment.

Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses.)

Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your authority to operate the product.

BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, WANScaler, Citrix XenApp, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation. NetScape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks or trademarks of their respective holders.

Software covered by the following third party copyrights may be included with this product and will also be subject to the software license agreement: Copyright 1998 © Carnegie Mellon University. All rights reserved. Copyright © David L. Mills 1993, 1994. Copyright © 1992, 1993, 1994, 1997 Henry Spencer. Copyright © Jean-loup Gailly and Mark Adler. Copyright © 1999, 2000 by Jef Poskanzer. All rights reserved. Copyright © Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves. All rights reserved. Copyright © 1982, 1985, 1986, 1988-1991, 1993 Regents of the University of California. All rights reserved. Copyright © 1995 Tatu Ylonen, Espoo, Finland. All rights reserved. Copyright © UNIX System Laboratories, Inc. Copyright © 2001 Mark R V Murray. Copyright 1995-1998 © Eric Young. Copyright © 1995,1996,1997,1998. Lars Fenneberg. Copyright © 1992. Livingston Enterprises, Inc. Copyright © 1992, 1993, 1994, 1995. The Regents of the University of Michigan and Merit Network, Inc. Copyright © 1991-2, RSA Data Security, Inc. Created 1991. Copyright © 1998 Juniper Networks, Inc. All rights reserved. Copyright © 2001, 2002 Networks Associates Technology, Inc. All rights reserved. Copyright (c) 2002 Networks Associates Technology, Inc. Copyright 1999-2001© The Open LDAP Foundation. All Rights Reserved. Copyright © 1999 Andrzej Bialecki. All rights reserved. Copyright © 2000 The Apache Software Foundation. All rights reserved. Copyright (C) 2001-2003 Robert A. van Engelen, Genivia inc. All Rights Reserved. Copyright (c) 1997-2004 University of Cambridge. All rights reserved. Copyright (c) 1995. David Greenman. Copyright (c) 2001 Jonathan Lemon. All rights reserved. Copyright (c) 1997, 1998, 1999. Bill Paul. All rights reserved. Copyright (c) 1994-1997 Matt Thomas. All rights reserved. Copyright © 2000 Jason L. Wright. Copyright © 2000 Theo de Raadt. Copyright © 2001 Patrik Lindergren. All rights reserved.

Contents

Preface
    About This Guide
    New in This Release
    Audience
    Formatting Conventions
    Related Documentation
    Getting Service and Support
        Knowledge Center
        Education and Training
    Documentation Feedback

Chapter 1  IP Addressing
    Configuring NetScaler-Owned IP Addresses
        NetScaler IP Address (NSIP)
        Virtual IP Address (VIP)
        Subnet IP Address (SNIP)
        Mapped IP Address (MIP)
        GSLB Site IP Address (GSLBIP)
        Creating NetScaler-Owned IP Addresses
    Proxying Connections
        Selecting the Destination IP Address
        Selecting the Source IP Address
        Enabling the Use Source IP Mode
    Configuring Modes of Packet Forwarding
        Enabling and Disabling Modes
    Network Address Translation
        Inbound Network Address Translation
        Reverse Network Address Translation
    Configuring Static ARP

Chapter 2  Interfaces
    MAC-Based Forwarding
        Enabling and Disabling MAC-based Forwarding
    Configuring Network Interfaces
        Managing Network Interfaces
    Configuring VLANs
        Applying Rules to Classify Frames
    Configuring Link Aggregation
        Configuring Link Aggregation Manually
        Configuring the Link Aggregate Channel Protocol
        Verifying the Configuration
    Configuring VMAC
    Configuring the Bridge Table
    Path MTU Behavior

Chapter 3  Access Control Lists (ACLs)
    ACL Precedence
    Configuring Simple ACLs
        Creating Simple ACLs
        Removing Simple ACLs
        Verifying or Troubleshooting the Configuration
        Monitoring Simple ACLs
    Configuring Extended ACLs
        Creating a Basic Extended ACL
        Applying an ACL
        Removing Extended ACLs
        Enabling and Disabling ACLs
        Renumbering ACL
        Modifying Extended ACLs
        Configuring Access Control List (ACL) Logging
        Verifying the Configuration
        Monitoring the Extended ACL
        Configuring RNAT by Using Extended ACLs
    Configuring ACL6s

Chapter 4  IP Routing
    Configuring Dynamic Routes
        Interfaces for Configuring Dynamic Routing
        Using RIP
        Using OSPF
        Using BGP
    Configuring Route Health Injection
        Enabling RHI
        Limiting Host Route Advertising for VIPs
        Advertising Networks
    Configuring Static Routes
        Monitored Static Routes
        Weighted Static Routes
        Null Routes
        Customizing a Static Route
        Removing a Static Route
    Gathering Information to Troubleshoot Generic Routing Issues
        Learning Troubleshooting Procedures
        Troubleshooting OSPF Specific Issues
    Configuring IPv6 Static Routes

Chapter 5  IP version 6
    IPv6 Features
    Implementing IPv6 Support
        Enabling or Disabling IPv6
        Adding an IPv6 Address
        Customizing SNIP and NSIP IPv6 Addresses
        Customizing VIP IPv6 Addresses
        Verifying the Configuration
        Monitoring the Configuration
    Configuring Neighbor Discovery and Router Learning
        Neighbor Discovery
        Router Learning
    Adding IPv6 Support to NetScaler Features
        Adding an IPv6 Vserver
        VLAN Support
        Simple Deployment Scenario
        Host Header Modification
        VIP Insertion

Chapter 6  High Availability
    How High Availability Works
    Considerations for a High Availability Setup
    Configuring High Availability
        Configuring a Basic High Availability Setup
        Customizing a High Availability Setup
            Configuring the Communication Intervals
            Configuring Synchronization
            Configuring Command Propagation
            Forcing a Node to Fail Over
    Configuring Virtual MAC Addresses
        Configuring IPv4 VMACs
        Configuring IPv6 VMACs
    Improving the Reliability of a High Availability Setup
        Configuring High Availability Nodes in Different Subnets
        Configuring Link Redundancy
        Configuring Route Monitors
    High Availability Health Check Computation
    Configuring the State of a Node
        Forcing the Secondary Node to Stay Secondary
        Forcing the Primary Node to Stay Primary

Preface

Before you begin to configure the networking features, take a few minutes to review this chapter and learn about related documentation, other support options, and ways to send us feedback.

In This Preface

About This Guide
New in This Release
Audience
Formatting Conventions
Related Documentation
Getting Service and Support
Documentation Feedback

About This Guide

The Citrix NetScaler Networking Guide describes how to configure the various networking components on the NetScaler.

This guide provides the following information:

• Chapter 1, “IP Addressing.” This chapter discusses the NetScaler-owned IP addresses and how to create, customize, and remove them.

• Chapter 2, “Interfaces.” This chapter discusses some of the basic network configurations that must be done to get started.

• Chapter 3, “Access Control Lists (ACLs).” This chapter discusses the different types of Access Control Lists and how to create, customize, and remove them.

• Chapter 4, “IP Routing.” This chapter discusses the routing functionality of the NetScaler, both static and dynamic. It also discusses Route Health Injection.

• Chapter 5, “IP version 6.” This chapter discusses how the NetScaler supports IPv6.

• Chapter 6, “High Availability.” This chapter describes how High Availability (HA) works in a NetScaler deployment to ensure uninterrupted operation in any transaction.

New in This Release

Following is a list of the new features and enhancements in release 9.0 of Citrix NetScaler.

Note: The documentation has been reorganized. The information in this guide, “Citrix NetScaler Networking Guide,” was formerly located in the now obsolete Citrix Installation and Configuration Guide (ICG). Both Volume 1 and Volume 2 of the ICG have been divided into eight new guides. This breakdown into smaller guides was based on audience and task analysis and provides more efficient access to information. For more information about the documentation, see “Related Documentation,” on page xi.

• End-to-end IPv6. The NetScaler extends its IPv6 support to the server side. The enhanced support enables the use of IPv6 addresses for SNIPs, vservers, services, and servers. You can create access control lists (ACLs) specifically for IPv6 packets, add IPv6 neighbors, and bind IPv6 addresses to VLANs. You can also use IPv6 management utilities such as ping6 and traceroute6. You can configure static routes using IPv6 addresses to any destination, assign values for distance and cost, and enable advertising of static routes to IPv6 routing protocols. IPv6 support also extends to OSPFv3. For more information, see “IP version 6,” on page 131.

• ACL Logging. You can configure the NetScaler to log details for packets that match an ACL. In addition to the ACL name, the logged details include packet-specific information such as the source and destination IP addresses. The information is stored either in the syslog file or in the nslog file, depending on the type of global logging (syslog or nslog) enabled. For more information, see “Configuring Access Control List (ACL) Logging” in Chapter 3.

• Inbound Network Address Translation. You can configure the NetScaler NAT functionality to also handle inbound traffic. When you configure Inbound Network Address Translation (INAT), a client in the public address space can send a packet to a private address space. The packet is initially sent to the public destination IP address, which is a NetScaler-owned Virtual IP Address (VIP). The NetScaler translates the initial destination address to the private IP address of the server and forwards the data packet. Similarly, when a packet is sent from the server in the private address space to the client in the public address space, the NetScaler handles the address translation as well. For security, the NetScaler also provides TCP proxy and FTP handling (the tcpproxy and ftp options) for INAT configurations. For more information, see “Inbound Network Address Translation,” on page 20.

• Host Route Advertisement. If a VIP represents primary and backup vservers, the state of the VIP depends on the effective state of the vservers it represents. By default, a host route associated with a VIP is not advertised if the effective state of the vservers is either DOWN or DISABLED. The effective state of the vservers depends on the state of the primary vserver and the state of the backup vserver.

• Monitored Static Routes. The NetScaler supports monitoring of static routes. You can configure the NetScaler to monitor a static route either by creating a new PING or ARP monitor or by using existing PING or ARP monitors. Monitoring a route enables the NetScaler to send packets over backup routes that would otherwise not be activated. For more information, see “Monitored Static Routes,” on page 116.

• Weighted Static Routes. The NetScaler supports assigning weights to Equal Cost Multi-Path (ECMP) routes to enable load balancing across them. Weights are user-configurable values that help the NetScaler load balance and choose a preferred route. For more information, see “Weighted Static Routes,” on page 116.

• Black Hole Avoidance Mechanism. After failover in a high availability setup, the new primary node injects all its VIP routes into the upstream router. However, that router retains routes injected by the old primary for 180 seconds. Because the router is not aware of the failover, it attempts to load balance traffic between the two nodes. During the 180 seconds before the old routes expire, the router sends half the traffic to the old, inactive primary node, which is, in effect, a black hole. To prevent this, the new primary node, when injecting a route, assigns it a metric that is slightly lower than the one specified by the old primary node. If the route's metric is already lower than its old counterpart, the new primary does not change it. For more information, see “Black Hole Avoidance Mechanism,” on page 99.

Audience

This guide is intended for the following audience:

• Hardware Technicians
• System and Network Administrators

The concepts and tasks described in this guide require you to have a basic understanding of networking concepts such as Layer 2 and Layer 3 modes, routing, and interfaces.

Formatting Conventions

This documentation uses the following formatting conventions.

Convention: Meaning

Boldface: Information that you type exactly as shown (user input); elements in the user interface.

Italics: Placeholders for information or parameters that you provide. For example, FileName in a command means you type the actual name of a file. Also, new terms, and words referred to as words (which would otherwise be enclosed in quotation marks).

Monospace: System output or characters in a command line. User input and placeholders are also formatted using monospace text.

[ brackets ]: Optional items in command statements. For example, in the following command, [-range positiveInteger] means that you have the option of entering a range, but it is not required:

    add lb vserver name serviceType IPAddress port [-range positiveInteger]

    Do not type the brackets themselves.

| (vertical bar): A separator between options in braces or brackets in command statements. For example, the following indicates that you choose one of the following load balancing methods:

    lbMethod = ( ROUNDROBIN | LEASTCONNECTION | LEASTRESPONSETIME | URLHASH | DOMAINHASH | DESTINATIONIPHASH | SOURCEIPHASH | SRCIPDESTIPHASH | LEASTBANDWIDTH | LEASTPACKETS | TOKEN | SRCIPSRCPORTHASH |

Related Documentation

A complete set of documentation is available on the Documentation tab of your NetScaler and from http://support.citrix.com/. (Most of the documents require Adobe Reader, available at http://adobe.com/.)

To view the documentation

1. From a Web browser, log on to the NetScaler.
2. Click the Documentation tab.
3. To view a short description of each document, hover your cursor over the title. To open a document, click the title.

Getting Service and Support

Citrix provides technical support primarily through the Citrix Solutions Network (CSN). Our CSN partners are trained and authorized to provide a high level of support to our customers. Contact your supplier for first-line support, or check for your nearest CSN partner at http://support.citrix.com/.

You can also get support from Citrix Customer Service at http://citrix.com/. On the Support menu, click Customer Service.

Knowledge Center

The Knowledge Center offers a variety of self-service, Web-based technical support tools at http://support.citrix.com/.

Knowledge Center features include:

• A knowledge base containing thousands of technical solutions to support your Citrix environment

• An online product documentation library

• Interactive support forums for every Citrix product

• Access to the latest hotfixes and service packs

• Knowledge Center Alerts that notify you when a topic is updated

Note: To set up an alert, sign in at http://support.citrix.com/ and, under Products, select a specific product. In the upper-right section of the screen, under Tools, click Add to your Hotfix Alerts. To remove an alert, go to the Knowledge Center product and, under Tools, click Remove from your Hotfix Alerts.

• Security bulletins

• Online problem reporting and tracking (for organizations with valid support contracts)


Education and Training

Citrix offers a variety of instructor-led and Web-based training solutions. Instructor-led courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high-quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification. Web-based training courses are available through CALCs, resellers, and from the Citrix Web site.

Information about programs and courseware for Citrix training and certification is available at http://www.citrixtraining.com.

Documentation Feedback

You are encouraged to provide feedback and suggestions so that we can enhance the documentation. You can send email to the following alias or aliases, as appropriate. In the subject line, specify “Documentation Feedback.” Be sure to include the document name, page number, and product release version.

• For NetScaler documentation, send email to [email protected].
• For Command Center documentation, send email to [email protected].
• For Access Gateway documentation, send email to [email protected].

You can also provide feedback from the Knowledge Center at http:// support.citrix.com/.

To provide feedback from the Knowledge Center home page

1. Go to the Knowledge Center home page at http://support.citrix.com/.
2. On the Knowledge Center home page, under Products, expand NetScaler Application Delivery, and click NetScaler Application Delivery Software 9.0.
3. On the Documentation tab, click the guide name, and then click Article Feedback.
4. On the Documentation Feedback page, complete the form and click

IP Addressing

Before you can configure the NetScaler, you must assign the NetScaler IP Address (NSIP), also known as the Management IP address. You can also create other NetScaler-owned IP addresses for abstracting servers and establishing connections with the servers. In this type of configuration, the NetScaler serves as a proxy for the abstracted servers. You can also proxy connections by using network address translations (INAT and RNAT). When proxying connections, the NetScaler can behave either as a bridging (Layer 2) device or as a packet forwarding (Layer 3) device. To make packet forwarding more efficient, you can configure static ARP entries.

In This Chapter

Configuring NetScaler-Owned IP Addresses
Proxying Connections
Configuring Modes of Packet Forwarding
Network Address Translation
Configuring Static ARP

Configuring NetScaler-Owned IP Addresses

The NetScaler-owned IP Addresses—NetScaler IP Address (NSIP), Virtual IP Addresses (VIPs), Subnet IP Addresses (SNIPs), Mapped IP Addresses (MIPs), and Global Server Load Balancing Site IP Addresses (GSLBIPs)—exist only on the NetScaler. The NSIP uniquely identifies the NetScaler on your network, and it provides access to the appliance. A VIP is a public IP address to which a client sends requests. The NetScaler terminates the client connection at the VIP and initiates a connection with a server. This new connection uses a SNIP or a MIP as the source IP address for packets forwarded to the server. If you have multiple data centers that are geographically distributed, each data center can be identified by a unique GSLBIP.


NetScaler IP Address (NSIP)

The NetScaler IP (NSIP) address is the IP address at which you access the NetScaler for management purposes. The NetScaler can have only one NSIP, which is also called the Management IP address. You must add this IP address when you configure the NetScaler for the first time. If you modify this address, you must reboot the NetScaler. You cannot remove an NSIP address. For security reasons, the NSIP should be a non-routable IP address on your organization's LAN, so that the management interface is not reachable from outside it.

Note: Configuring the NetScaler IP address is mandatory.

Creating the NetScaler IP Address (NSIP)

Use either of the following procedures to set the NSIP.

To configure the NetScaler IP address using the configuration utility

1. In the navigation pane, click NetScaler.
2. On the System Overview page, click Setup Wizard.
3. In the Setup Wizard dialog box, click Next.
4. On the IP Addresses page, under System IP Address Configuration, in the IP Address, Netmask, and Host Name text boxes, type the IP address, subnet mask, and host name, respectively (for example, 10.102.29.170, 255.255.255.0, and NS170).
5. Follow the instructions in the Setup Wizard to complete the configuration.

To configure the NetScaler IP address using the NetScaler command line

At the NetScaler command prompt, type:

set ns config -ipaddress IPAddress -netmask Subnetmask

Example

set ns config -ipaddress 10.102.29.170 -netmask 255.255.255.0

Note: If an IPv6 address is configured as the NSIP on a NetScaler running release 8.1, that address becomes a SNIP when you upgrade to release 9.0.

Virtual IP Address (VIP)

Configuration of a Virtual Server IP address (VIP) is not mandatory during initial configuration of the NetScaler. When you configure load balancing, you assign VIPs to virtual servers. For more information about configuring a load balancing setup, see the Citrix NetScaler Traffic Management Guide, Chapter 1, “Load Balancing.” In some situations, you need to customize VIP attributes or enable or disable a VIP.

You can host the same vserver on multiple NetScalers residing on the same broadcast domain by using ARP and ICMP attributes.

Customizing the Attributes of a VIP

A VIP is usually associated with a vserver, and some of the attributes of the VIP are customized to meet the requirements of the vserver.

After you add a VIP (or any IP address), the NetScaler sends, then responds to, ARP requests.

To control the response of a NetScaler to a PING request on a NetScaler-owned IP address, you must control the ICMP attribute of a VIP.

The following table describes the parameters that can be customized for a VIP.

Parameters for Customizing a VIP

Parameter: Specifies

ARP (arp): Use Address Resolution Protocol (ARP) to map IP addresses to the corresponding hardware addresses. Possible values: Enabled and Disabled. Default: Enabled.

ICMP (icmp): Send Internet Control Message Protocol (ICMP) messages. The user network applications that use ICMP are PING and TRACEROUTE. Possible values: Enabled and Disabled. Default: Enabled.

Virtual Server (vServer): Apply the vserver attribute to this IP entity. Possible values: Enabled and Disabled. Default: Enabled.

State (state): State of the VIP. Possible values: Enabled and Disabled. Default: Enabled.

Host Route (hostRoute): Advertise a route for this IP address. Possible values: Enabled and Disabled. Default: Disabled.

Gateway IP (hostRtGw): IP address of the network advertised as the gateway to connect to external networks such as the Internet.

Metric (metric): Value used by routing algorithms to compare the performance of this route with others. The route with the lowest metric is the preferred route. The default value depends on the routing protocol; to change the default, set this parameter. Possible values: -16777215 to 2147483647.

V Server RHI Level (vserverRHILevel): When the host route associated with the VIP is advertised. Possible values: ONE_VSERVER, ALL_VSERVERS, and NONE. Default: ONE_VSERVER.

OSPF LSA Type (ospfLSAType): Type of OSPF Link State Advertisement (LSA) in which the host route for this VIP is advertised. Possible values: Type 1 or Type 5. Default: Disabled.

Area (ospfArea): An area is a logical collection of OSPF networks, routers, and links, identified by an Area ID. Possible values: 0 to 4294967295. Default: -1.

To enable or disable ARP using the configuration utility

1. In the navigation pane, expand Network and click IPs.
2. In the details pane, on the IPv4s tab, select the IP address that you want to modify (for example, 10.102.29.5), and then click Open.
3. In the Configure IP dialog box, under Options, do one of the following:
   • To disable ARP, clear the ARP check box.
   • To enable ARP, select the ARP check box.
4. Click OK.

To enable or disable ARP using the NetScaler command line

At the NetScaler command prompt, type:

set ns ip IPAddress -ARP Value

Examples

set ns ip 10.102.29.54 -ARP disable

set ns ip 10.102.29.54 -ARP enable

Enabling and Disabling a VIP

VIPs are the only NetScaler-owned IP addresses that can be disabled. When a VIP is disabled, the virtual server using it goes down and does not respond to ARP, ICMP, or L4 service requests. Use either of the following procedures to enable or disable an IP address of type virtual IP (VIP).

To enable or disable an IP address using the configuration utility

1. In the navigation pane, expand Network and click IPs.
2. In the details pane, on the IPv4s tab, select the IP address (for example, 10.102.29.5) and do one of the following:
   • To enable the selected IP address, click Enable.
   • To disable the selected IP address, click Disable.

To enable or disable an IP address using the NetScaler command line

At the NetScaler command prompt, type:

enable ns ip IPAddress

disable ns ip IPAddress

Example

enable ns ip 10.102.29.5

disable ns ip 10.102.29.5

Subnet IP Address (SNIP)

A subnet IP address (SNIP) is used in connection management and server monitoring. It is not mandatory to specify a SNIP when you initially configure the NetScaler. In a multiple-subnet scenario, the NSIP, the mapped IP address (MIP), and the IP address of a server can exist on different subnets. To eliminate the need to configure additional routes on devices such as servers, you can configure subnet IP addresses (SNIPs) on the NetScaler. In Use SNIP (USNIP) mode, a SNIP is the source IP address of a packet sent from the NetScaler to the server, and the SNIP is the IP address that the server uses to reach the NetScaler. This mode is enabled by default.

When you add a SNIP, a route corresponding to the SNIP is added to the routing table. The NetScaler determines the next hop for a service from the routing table, and if the IP address of the hop is within the range of a SNIP, the NetScaler uses the SNIP to source traffic to the service. When multiple SNIPs cover the IP addresses of the next hops, the SNIPs are used in round robin manner.

The following diagram illustrates USNIP mode.

Figure: SNIP mode

Use the following procedure to enable or disable Use SNIP (USNIP) mode.

To enable or disable USNIP using the configuration utility

1. In the navigation pane, expand System and click Settings.
2. In the details pane, in the Modes and Features group, click Change modes.
3. In the Configure Modes dialog box, do one of the following:
   • To enable USNIP, select the Use Subnet IP check box.
   • To disable USNIP, clear the Use Subnet IP check box.
4. Click OK.
5. In the Enable/Disable Feature(s)? dialog box, click Yes.

To enable or disable USNIP using the NetScaler command line

At the NetScaler command prompt, type:

enable ns mode mode

disable ns mode mode

Example

enable ns mode usnip

Mapped IP Address (MIP)

Mapped IP addresses (MIP) are used for external connections from the NetScaler. A MIP can be considered a default Subnet IP address (SNIP) when a SNIP cannot be used.

Both MIPs and SNIPs are used for external (server-side) connections from the NetScaler, but a MIP is used for server-side connections when the Use Subnet IP (USNIP) option is globally disabled on the NetScaler.

If the mapped IP address is the first in the subnet, the NetScaler adds a route entry, with this IP address as the gateway to reach the subnet. You can create or delete a MIP during runtime without rebooting the NetScaler.

GSLB Site IP Address (GSLBIP)

The GSLB site IP address is the IP address associated with a GSLB site. It is not mandatory to specify this IP address when you initially configure the NetScaler. It can be used only when you create a GSLB site. For more information on creating a GSLB site IP address, see the Citrix NetScaler Traffic Management Guide, Chapter 8, “Global Server Load Balancing.”

Creating NetScaler-Owned IP Addresses

Most users create VIPs, SNIPs, and MIPs by setting only the required parameters, and later complete their configuration by modifying the characteristics of these addresses.

The following table describes the parameters used to create an IP address.

Basic Parameters for Creating an IP Address

Parameter: Specifies

IP Address: Unique identification used to represent an entity. This is a mandatory parameter.

Netmask: Subnet mask associated with the IP address. This is a mandatory parameter.

Type (type): Type of the IP address. Possible values: SNIP, VIP, MIP, and GSLBsiteIP. Default: SNIP.

Use either of the following procedures to create a NetScaler-owned IP address. You cannot use these procedures to configure the NSIP. For the procedure to configure the NSIP, see “Creating the NetScaler IP Address (NSIP),” on page 2.

To configure an IP address using the configuration utility

1. In the navigation pane, expand Network and click IPs.
2. In the details pane, click Add.
3. In the Create IP dialog box, in the IP Address and Netmask text boxes, type the IP address and subnet mask, respectively (for example, 10.102.29.54 and 255.255.255.0).
4. Under IP Type, select the type of IP address to be created.
5. Click Create, and then click Close. The IP address you created appears on the IPs page.

To add an IP address using the NetScaler command line

At the NetScaler command prompt, type:

add ns ip IPaddress Subnetmask -type Type

Example

add ns ip 10.102.29.54 255.255.255.0 -type SNIP

Removing an IP Address

You can remove any IP address except the NSIP. The following table provides information on the processes you must follow to remove the various types of IP addresses.

Removing an IP Address

IP address type: Subnet IP address (SNIP)
Implications: If the IP address being removed is the last IP address in the subnet, the associated route is deleted from the route table. If the IP address being removed is the gateway in the corresponding route entry, the gateway for that subnet route is changed to another NetScaler-owned IP address.

IP address type: Mapped IP address (MIP)
Implications: If a SNIP exists, you can remove the MIPs. The NetScaler uses the NSIP and SNIPs to communicate with the servers when the MIP is removed. Therefore, you must also enable Use SNIP. For information on enabling and disabling Use SNIP, see “To configure an IP address using the configuration utility,” on page 8.

IP address type: Virtual Server IP address (VIP)
Implications: Before removing a VIP, you must first remove the vserver associated with it. For information on removing the vserver, see the Citrix NetScaler Traffic Management Guide, Chapter 1, “Load Balancing.”

IP address type: GSLB site IP address (GSLBIP)
Implications: Before removing a GSLB site IP address, you must remove the site associated with it. For information on removing the site, see the Citrix NetScaler Traffic Management Guide, Chapter 8, “Global Server Load Balancing.”

Use either of the following procedures to remove a MIP, GSLBIP, SNIP, or VIP. (Before removing a VIP, remove the associated virtual server.)

To remove an IP address using the configuration utility

1. In the navigation pane, expand Network and click IPs.

2. On the IPs page, on the IPv4s tab, select the IP address that you want to remove (for example, 10.102.29.54), and then click Remove.

3. In the Remove dialog box, click Yes.

To remove an IP address using the NetScaler command line

At the NetScaler command prompt, type:

rm ns ip IPaddress

Example

rm ns ip 10.102.29.54

Customizing Access to IP Addresses

Application Access Controls, also known as Management Access control, form a unified mechanism for managing user authentication and implementing rules that determine user access to applications and data. You can configure management access to MIPs and SNIPs. Management access for the NSIP is enabled by default and cannot be disabled. You can, however, control it by using ACLs. For information about using ACLs, see Chapter 3, “Access Control Lists (ACLs).” The NetScaler does not support management access to VIPs.

The following table provides a summary of the interaction between management access and specific service settings for Telnet.

Management access   Telnet (state configured on the NetScaler)   Telnet (effective state at the IP level)
Enable              Enable                                       Enable
Enable              Disable                                      Disable
Disable             Enable                                       Disable

The following table provides an overview of the IP addresses used as source IP addresses in outbound traffic, and of the applications available on these IP addresses.

Application/IP       NSIP   MIP   SNIP   VIP
ARP                  Yes    Yes   Yes    No
Server side traffic  No     Yes   Yes    No
RNAT                 No     Yes   Yes    Yes
ICMP PING            Yes    Yes   Yes    No
Dynamic Routing      Yes    No    Yes    Yes
SNMP                 Yes    Yes   Yes    No
System Access        Yes    Yes   Yes    No

You can access and manage the NetScaler by using applications such as Telnet, SSH, GUI, and FTP.

Note: Telnet and FTP are disabled on the NetScaler for security reasons. To enable them, contact the customer support. After the applications are enabled, you can apply the controls at the IP level.

The following table lists and describes the parameters used for customizing the SNIP and MIP addresses on your NetScaler.

Parameters for customizing a SNIP and MIP Address

Parameter                          Specifies
Telnet (telnet)                    Allow Telnet access to the IP address. Possible values: ENABLED and DISABLED. Default: ENABLED.
FTP (ftp)                          Allow File Transfer Protocol (FTP) access to the IP address. Possible values: ENABLED and DISABLED. Default: ENABLED.
GUI (gui)                          Allow Graphical User Interface (GUI) access to the IP address. Possible values: ENABLED, SECUREONLY, and DISABLED. Default: ENABLED.
SSH (ssh)                          Allow Secure Shell (SSH) access to the IP address. Possible values: ENABLED and DISABLED. Default: ENABLED.
SNMP (snmp)                        Allow Simple Network Management Protocol (SNMP) access to the IP address. Possible values: ENABLED and DISABLED. Default: ENABLED.
Management Access (mgmtAccess)     Allow external access to the IP address. Possible values: ENABLED or DISABLED. Default: DISABLED.
Dynamic Routing (dynamicRouting)   Allow dynamic routing on the IP address. Specific to SNIP. Possible values: Enabled or Disabled. Default: Disabled.

To configure the NetScaler to respond to these applications using a specific IP address, you need to enable the specific management applications. If you disable management access for an IP address, existing connections that use the IP address are not terminated. However, if you close the session, you cannot initiate a connection.

Use either of the following procedures to enable management access for an IP address.

To enable management access for an IP address using the configuration utility

1. In the navigation pane, expand Network and click IPs.

2. On the IPs page, select the IP address that you want to modify (for example, 10.102.29.54), and then click Open.

3. In the Configure IP dialog box, under Application Access Control, select the Enable Management Access control to support the below listed applications check box.

4. Select the application or applications that you want to enable and click OK.

To customize an IP address using the NetScaler command line

At the NetScaler command prompt, type:

set ns ip IPAddress -mgmtAccess value -telnet value -ftp value -gui value -ssh value -snmp value

Example

set ns ip 10.102.29.54 -mgmtAccess enabled
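The management-access rules above (mgmtAccess as the per-IP switch, the Telnet effective-state table, the cleartext Telnet and FTP applications, and the SECUREONLY value for GUI) as a small audit script. This is an added example, not code from the Citrix guide or the NetScaler: the NsIp class, the audit functions and the sample IP records are the example's own constructions, and the remediation it produces uses only the set ns ip parameters listed in the table.

```python
"""Audit NetScaler-owned IP addresses for risky management-access settings.

Added example (not from the Citrix guide). It encodes the rules the guide
states: mgmtAccess is a per-IP switch (default DISABLED) and an application
is reachable on an IP only when both mgmtAccess and that application's own
flag are ENABLED (the Telnet table, applied to every application);
management access on the NSIP is always on and on a VIP is unsupported.
Telnet and FTP are cleartext and GUI has a SECUREONLY value, so the audit
flags those. The IP records below are constructed, not 'sh ns ip' output.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

CLEARTEXT_APPS = ("telnet", "ftp")


@dataclass
class NsIp:
    address: str
    iptype: str                     # NSIP, MIP, SNIP or VIP
    mgmt_access: str = "DISABLED"   # guide default for mgmtAccess
    telnet: str = "ENABLED"         # per-application defaults from the guide
    ftp: str = "ENABLED"
    gui: str = "ENABLED"            # ENABLED, SECUREONLY or DISABLED
    ssh: str = "ENABLED"
    snmp: str = "ENABLED"


def effective_state(ip: NsIp, app: str) -> str:
    """State of one application at the IP level (the guide's Telnet table)."""
    # Management access on the NSIP is enabled and cannot be disabled.
    master = "ENABLED" if ip.iptype == "NSIP" else ip.mgmt_access.upper()
    configured = getattr(ip, app).upper()
    if master != "ENABLED" or configured == "DISABLED":
        return "DISABLED"
    return configured   # ENABLED, or SECUREONLY for gui


def audit(ip: NsIp) -> List[str]:
    """Findings for one IP address; an empty list means nothing to flag."""
    findings: List[str] = []
    if ip.iptype == "VIP":
        if ip.mgmt_access.upper() == "ENABLED":
            findings.append("management access is not supported on a VIP")
        return findings
    for app in CLEARTEXT_APPS:
        if effective_state(ip, app) == "ENABLED":
            findings.append(f"{app} is effectively enabled (cleartext protocol)")
    if effective_state(ip, "gui") == "ENABLED":
        findings.append("gui is effectively enabled without SECUREONLY")
    return findings


def remediation_command(ip: NsIp) -> Optional[str]:
    """'set ns ip' command that clears the findings on a SNIP or MIP.

    The NSIP is out of scope: its management access cannot be disabled and
    the guide points to ACLs for restricting it.
    """
    if ip.iptype not in ("SNIP", "MIP") or not audit(ip):
        return None
    return f"set ns ip {ip.address} -telnet DISABLED -ftp DISABLED -gui SECUREONLY"


# Constructed sample records for the example.
SAMPLE_IPS = [
    NsIp("10.102.29.54", "SNIP", mgmt_access="ENABLED"),
    NsIp("10.102.29.55", "SNIP", mgmt_access="ENABLED",
         telnet="DISABLED", ftp="DISABLED", gui="SECUREONLY"),
    NsIp("10.102.29.56", "MIP"),
]


def run_audit(ips: List[NsIp] = SAMPLE_IPS) -> Dict[str, List[str]]:
    """Map each address that has findings to its list of findings."""
    return {ip.address: audit(ip) for ip in ips if audit(ip)}


if __name__ == "__main__":
    for addr, findings in run_audit().items():
        print(addr, "; ".join(findings))
        ip = next(i for i in SAMPLE_IPS if i.address == addr)
        cmd = remediation_command(ip)
        if cmd:
            print("   ", cmd)
```

Only the first sample SNIP is reported: enabling mgmtAccess on it left the per-application defaults (Telnet, FTP and GUI all ENABLED) effective, whereas the second SNIP had those flags tightened and the MIP never had management access switched on.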


Verifying the Configuration

You can display IP address properties to troubleshoot any fault in the configuration. You can display some of the properties in a list of all the IP addresses, and you can display details of individual addresses.

Displaying properties in a list of IP addresses

To display a list of your configured IP addresses, with some of their properties, use either of the following procedures.

To display all the configured IP addresses using the configuration utility

In the navigation pane, expand Network and click IPs. The IPs page appears in the details pane, listing the available IP addresses and some of their properties.

To display all the IP addresses using the NetScaler command line

At the NetScaler command prompt, type:

sh ns ip

Displaying details of an individual IP Address

To display detailed information about an individual IP address, use either of the following procedures.

To display detailed properties of an IP address using the configuration utility

1. In the navigation pane, expand Network and click IPs.

2. On the IPs page, verify that the configured IP address (for example, 10.102.29.5) appears.

3. Select the IP address. Information about the address appears in the details pane.

To view the IP addresses using the NetScaler command line

At the NetScaler command prompt, type:

sh ns ip 10.102.29.5

Proxying Connections

When a client initiates a connection, the NetScaler terminates the client connection, initiates a connection to an appropriate server, and sends the packet to the server. The NetScaler does not perform this action for service type UDP or ANY. For more information about service types, see the Citrix NetScaler Traffic Management Guide, Chapter 1, “Load Balancing.”

You can configure the NetScaler to process the packet before initiating the connection with a server. The default behavior of the NetScaler is to change the source and destination IP addresses of a packet before sending the packet to the server. You can configure the NetScaler to retain the source IP address of the packets by enabling Use Source IP mode.

Selecting the Destination IP Address

Traffic arriving at the NetScaler can be bound to a virtual server (vserver) or to a service. The NetScaler handles traffic to vservers and services differently. The NetScaler terminates traffic bound to vservers and changes the vserver IP address (VIP) to the IP address of the server before forwarding the traffic to the server, as shown in the following diagram.


Proxying Connections to VIPs

Packets bound to a service are sent directly to the appropriate server, and the NetScaler does not modify the destination IP addresses.


Selecting the Source IP Address

The mapped IP address (MIP), source IP address (SIP), or subnet IP address (SNIP) will be used as the source IP address to establish a connection with a server. By default, the NetScaler terminates traffic bound to vservers and configured services. Then, it changes the source IP address of the packet to the MIP or SNIP and sends the packet to the appropriate server. This default behavior is illustrated in the diagram “Proxying Connections to VIPs,” on page 14.

Enabling the Use Source IP Mode

Many e-commerce applications that use web server logging require that the original client IP addresses be recorded in the Web server logs. The NetScaler can forward the source IP address of the client to the server without masking it, to ensure that the client IP address appears in the logs. The Use Source IP mode (USIP) accommodates such applications.

If you enable USIP mode, the NetScaler forwards each packet to the appropriate server without changing the source IP address, as shown in the following diagram.


When USIP mode is enabled for HTTP protocols, the NetScaler provides limited connection reuse, WAN latency, and denial of service (SYN) attack prevention benefits. When USIP mode is disabled, the NetScaler uses mapped IP addresses and subnet IP addresses to establish server-side connections. USIP mode has the following restrictions:

• One-arm installations. You should not enable USIP mode if you install the NetScaler in a logical one-arm configuration, because in a one-arm configuration the NetScaler cannot bypass its own processing and send responses directly to the client. If the IP address of the default gateway for a service is one of the NetScaler-owned IP addresses, the traffic continues to flow through the NetScaler and the response is also processed correctly.

• Concurrent HTTP connection limit. For HTTP protocols, USIP mode supports up to 64,000 concurrent connections. If concurrent HTTP connections between the NetScaler and servers are expected to exceed 64,000, you must disable USIP or contact customer support for the method to override this behavior. The concurrent connection limit applies only to HTTP. It does not affect other service types, for example, TCP, UDP, and FTP.

• Delay when disabling USIP. Disabling USIP mode does not affect the existing connections. This delay avoids outages on long-lived connections.

• Performance impact on HTTP traffic. USIP mode prevents use of the same HTTP connection for multiple clients, and therefore can result in a large number of connections to the server. Furthermore, idle server connections can block connections for other clients. Therefore, you need to carefully set limits on the number of connections to services. Citrix suggests that you set the HTTP server time-out values on your services to a value lower than the default, so that idle client connections are cleared quickly on the server side. For more information about setting an idle time-out value, see the Citrix NetScaler Traffic Management Guide, Chapter 1, “Load Balancing.” Also, with USIP enabled, you must configure persistence (for example, source IP persistence) to ensure repeated selection of the same server and reuse of the client connection. Because TCP handles the traffic on a one-to-one basis, the USIP option does not affect TCP services.

Note: Citrix does not recommend the use of Surge Protection (SP) with USIP.

By default, USIP mode is disabled. You can enable or disable it globally or for a specific service. The setting for a specific service overrides the global setting. A newly created service inherits the global setting by default. To enable or disable USIP mode for a specific service, see the Citrix NetScaler Traffic Management Guide, Chapter 1,“Load Balancing.” To enable or disable USIP mode globally, use either of the following procedures.

To globally enable or disable USIP mode using the configuration utility

1. In the navigation pane, expand System and click Settings.

2. On the Settings page, under Modes and Features, click Change modes.

3. In the Configure Modes dialog box, do one of the following:

• To enable Use Source IP mode, select the Use Source IP check box.

• To disable Use Source IP mode, clear the Use Source IP check box.

4. Click OK.

5. In the Enable/Disable Feature(s)? dialog box, click Yes.

To globally enable or disable USIP mode using the NetScaler command line

At the NetScaler command prompt, type one of the following commands:

enable ns mode mode

disable ns mode mode

Examples

enable ns mode USIP

disable ns mode USIP

Note: Services that are created before you enable USIP mode globally do not inherit the global settings. For these services, you need to enable the USIP mode at the service level. To enable or disable USIP mode for a specific service, see the Citrix NetScaler Traffic Management Guide, Chapter 1, “Load Balancing.”

Configuring Modes of Packet Forwarding

You can enable Layer 2 mode to bridge packets that are not destined for the MAC address of the NetScaler. Layer 3 mode routes packets that are not destined for NetScaler-owned IP addresses, unless you disable it.


With Layer 2 mode enabled, packets that are not destined for the NetScaler MAC address are bridged or processed, as shown in the following diagram.

Interaction between the Layer 2 and Layer 3 modes

By default, Layer 2 mode is disabled causing the NetScaler to drop packets that are not destined for its MAC address. If another Layer 2 device is installed in parallel with the NetScaler, Layer 2 mode must be disabled to prevent bridging (Layer 2) loops.

By default, Layer 3 mode is enabled. The NetScaler performs a route table lookup and forwards packets that are not destined to any NetScaler-owned IP address. If you disable Layer 3 mode, the NetScaler drops received packets if they are not destined for a NetScaler-owned IP address, as shown in the diagram, “Interaction between the Layer 2 and Layer 3 modes,” on page 18.

To enable or disable the Layer 2 mode or Layer 3 mode, use either of the following procedures.

Enabling and Disabling Modes

To enable or disable the Layer 2 mode or Layer 3 mode using the configuration utility

1. In the navigation pane, expand System and click Settings.

2. On the Settings page, under Modes and Features, click Change modes.

3. In the Configure Modes dialog box, do one of the following:

• To enable Layer 2 mode, select the Layer 2 Mode check box.

• To disable Layer 2 mode, clear the Layer 2 Mode check box.

• To enable Layer 3 mode, select the Layer 3 Mode check box.

• To disable Layer 3 mode, clear the Layer 3 Mode check box.

4. Click OK.

5. In the Enable/Disable Mode(s)? dialog box, click Yes.

To enable or disable the Layer 2 mode or Layer 3 mode using the NetScaler command line

At the NetScaler command prompt, type one of the following commands:

enable ns mode mode

disable ns mode mode

Examples

enable ns mode l2

disable ns mode l2

enable ns mode l3

disable ns mode l3

Network Address Translation

Network address translation (NAT) involves modification of the source and/or destination IP address and/or the TCP/UDP port numbers of IP packets that pass through the NetScaler. Enabling NAT on the NetScaler enhances security of your private network and protects it from a public network such as the Internet by modifying the source IP address of your system when data passes through the NetScaler. Also, with the help of NAT entries, your entire private network can be represented using a few shared public IP addresses. The NetScaler supports the following two types of network address translation:

• Inbound NAT (INAT), in which the NetScaler replaces the destination IP address in the packets generated by the client with the private IP address of the server.

• Reverse NAT (RNAT), in which the NetScaler replaces the source IP address in the packets generated by the servers with the public NAT IP addresses.


Inbound Network Address Translation

When a client sends a packet to a NetScaler that is configured for INAT, the NetScaler translates the packet’s public destination IP Address to a private destination IP Address and forwards the packet to the server at that address. This section provides information on the following aspects of INAT:

• Configuring Inbound NAT Address Translation

• Customizing the INAT Configuration

• Removing an INAT Configuration

• Coexistence of INAT and Vservers

Configuring Inbound NAT Address Translation

This section describes how to configure a basic, functional INAT, and how to modify it to provide the NetScaler with protection from DoS attacks by enabling TCP Proxy and/or FTP.

By default, the NetScaler selects the source IP Address based on the mode that you select. If you select the Use Subnet IP (USNIP) Address mode, assignment of the source IP address is based on the state of the USNIP mode. For instance:

• If USNIP is off, the NetScaler uses the Mapped IP Address (MIP) as the source IP Address

• If USNIP is on, the NetScaler uses the Subnet IP Address (SNIP) as the source IP Address

If you select the Use Source IP Address (USIP) mode, the Client IP address (CIP) is selected as the source IP address.

However, if you have selected both USIP and USNIP modes, USIP mode takes precedence over USNIP.

You can also configure the NetScaler to use a unique IP address as the source IP address, by using the ProxyIP parameter. For additional information on how to configure the NetScaler to use a unique IP address, see “Customizing the INAT Configuration,” on page 22.
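The INAT translation and source-address selection described above, as a worked model. This is an added example written for this page, not code from the Citrix guide or the NetScaler. It keeps the rules the guide states (public VIP replaced with the private server address; USIP over USNIP; MIP when no mode is selected and no unique IP is set). Assumptions: a configured proxy IP is used whenever USIP is off, which settles its precedence relative to USNIP in a way the page does not state; the Packet, Inat and OwnedIps classes are the example's own; the VIP 10.102.29.57 for MyNAT1 and the client address 203.0.113.7 are constructed, the other addresses follow the guide's examples.

```python
"""Model of NetScaler Inbound NAT (INAT) translation and source-IP selection.

Added example; not code from the Citrix guide or the NetScaler. Rules from
the guide: the public destination (a NetScaler-owned VIP) becomes the
server's private address; the source sent to the server is the client IP
when USIP is enabled (USIP wins over USNIP), the SNIP when only USNIP is
enabled, and the MIP when neither mode is enabled and no proxy IP is set.
Assumption: a configured proxy IP is used whenever USIP is off (the guide's
precedence list is not reproduced on this page).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class Inat:
    """One 'add inat Name PublicIP PrivateIP' entry with the guide's optional parameters."""
    name: str
    public_ip: str                  # must be a NetScaler-owned VIP
    private_ip: str                 # server's private address
    usip: bool = True               # guide default: Enabled
    usnip: bool = True              # guide default: Enabled
    proxy_ip: Optional[str] = None  # 'set inat Name -proxyip ...'


@dataclass(frozen=True)
class OwnedIps:
    mip: str
    snip: str
    vips: FrozenSet[str]


def select_source_ip(rule: Inat, client_ip: str, owned: OwnedIps) -> str:
    """Source address the NetScaler presents to the server for this INAT."""
    if rule.usip:                 # USIP takes precedence over USNIP: keep the client IP
        return client_ip
    if rule.proxy_ip:             # assumption: a proxy IP is used before USNIP is considered
        return rule.proxy_ip
    if rule.usnip:
        return owned.snip
    return owned.mip              # no mode selected and no proxy IP: the MIP is used


def public_ip_is_valid(rule: Inat, owned: OwnedIps) -> bool:
    """The public address of an INAT must be a NetScaler-owned VIP."""
    return rule.public_ip in owned.vips


def add_inat(table: Dict[str, Inat], rule: Inat, owned: OwnedIps) -> None:
    if not public_ip_is_valid(rule, owned):
        raise ValueError(f"{rule.name}: {rule.public_ip} is not a NetScaler-owned VIP")
    table[rule.name] = rule


def translate(pkt: Packet, table: Dict[str, Inat], owned: OwnedIps) -> Optional[Packet]:
    """Rewrite a client packet per the INAT whose public IP it is addressed to."""
    for rule in table.values():
        if rule.public_ip == pkt.dst_ip:
            return Packet(select_source_ip(rule, pkt.src_ip, owned), rule.private_ip)
    return None                   # no INAT for this destination


def build_example():
    """MyNAT from the guide, plus MyNAT1 on a constructed VIP with a proxy IP and USIP off."""
    owned = OwnedIps(mip="10.102.29.50", snip="10.102.29.54",
                     vips=frozenset({"10.102.29.55", "10.102.29.57"}))
    table: Dict[str, Inat] = {}
    add_inat(table, Inat("MyNAT", "10.102.29.55", "192.168.1.0"), owned)
    add_inat(table, Inat("MyNAT1", "10.102.29.57", "192.168.20.0",
                         usip=False, proxy_ip="10.102.29.56"), owned)
    return table, owned


if __name__ == "__main__":
    table, owned = build_example()
    for pkt in (Packet("203.0.113.7", "10.102.29.55"), Packet("203.0.113.7", "10.102.29.57")):
        print(pkt, "->", translate(pkt, table, owned))
```

With the guide's defaults (USIP and USNIP both enabled) a packet to MyNAT reaches the server with the client's own address as source, which is what the USIP restrictions earlier in this chapter apply to; turning USIP off on MyNAT1 makes the proxy IP the source instead.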

Note: If the modes have not been selected and the unique IP has also not been specified, an attempt is made to send the packet using Mapped IP Address (MIP). If both USIP and USNIP modes have been selected and the unique IP has also been specified, the order of precedence used is as follows:


The following table describes the parameters used to configure a basic INAT for incoming packets.

In-bound NAT Basic Parameters

Parameter            Specifies
Name                 Name of the Inbound NAT configuration being added. Mandatory parameter.
Public IP Address    Public destination IP address of packets received on the NetScaler. Mandatory parameter. Possible values: NetScaler-owned VIPs.
Private IP Address   Private destination IP address of the server to which the packet is sent by the NetScaler. Mandatory parameter. Possible values: IP addresses of the servers.
USIP (usip)          Use Source IP mode. Possible values: Enabled and Disabled. Default: Enabled.
USNIP (usnip)        Use Subnet IP mode. Possible values: Enabled and Disabled. Default: Enabled.
ProxyIP (proxyIP)    A unique IP address that is represented as the source IP address for the server.

The following procedure includes examples for creating an INAT configuration in which the NetScaler replaces the public VIP of 10.102.29.55 with 192.168.1.0, the private IP address of a physical server.

To configure INAT with a VIP as the destination IP address using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.

2. On the Routes page, click the INAT tab, and then click Add.

3. In the Create INAT dialog box, in the Name textbox, type the name of the INAT (for example, MyNAT).

4. In the Public IP Address textbox, type a public VIP address owned by the NetScaler (for example, 10.102.29.55).

5. In the Private IP Address textbox, type the private IP address of the server (for example, 192.168.1.0).

6. Click Create, and then click Close.

To configure INAT with a VIP as the destination IP address using the NetScaler command line

At the NetScaler command prompt, type:

add inat Name PublicIPAddress PrivateIPAddress

Example

add inat MyNAT 10.102.29.55 192.168.1.0

Customizing the INAT Configuration

The following procedure sets the source IP address to a unique IP address. In the example, MyNAT1 replaces the destination IP address of a packet generated by the client from 10.102.29.55 (public destination IP address) to 192.168.20.0 (private destination IP address). Also, MyNAT1 replaces the source IP address of the packet with a unique IP address.

To assign a unique IP address as the INAT Source IP address using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.

2. On the Routes page, click the INAT tab, select the INAT and then click Open.

3. In the Configure INAT dialog box, from the Proxy IP Address drop-down menu, select an IP address that the NetScaler will use as the client IP address (for example, 10.102.29.56).

4. Click Create and then click Close.

To assign a unique IP address as the INAT source IP Address using the NetScaler command line

At the NetScaler command prompt, type:

set inat NameofINAT -proxyip Value

Example

set inat MyNAT1 -proxyip 10.102.29.56

You can configure INAT to provide protection to the NetScaler from DoS attacks by enabling TCP Proxy and/or FTP. However, if other protection mechanisms are used in your network, you may want to disable these features.

The following table lists and describes the parameters used to configure an existing INAT with the FTP and TCPProxy features.

Customizing INAT Configuration

Parameter             Specifies
TCPProxy (tcpproxy)   Allow TCP traffic. Possible values: Enabled and Disabled. Default: Disabled.
FTP (ftp)             Allow Active FTP. Possible values: Enabled and Disabled. Default: Disabled.

Use either of the following procedures to enable or disable TCP traffic on an existing INAT. In the example, MyNAT1 is the existing INAT.

To enable or disable TCPProxy on the INAT using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and then click Routes.

2. On the Routes page, click the INAT tab, select the name of the INAT that you want to modify (for example, MyNAT1) and then click Open.

3. In the Configure INAT dialog box, do one of the following:

• To enable TCPProxy, select the TCP Proxy Mode checkbox.

• To disable TCPProxy, clear the TCP Proxy Mode checkbox.

4. Click OK and then click Close.

To enable or disable TCP Proxy mode on the INAT using the NetScaler command line

At the NetScaler command prompt, type:

set inat NameofINAT -tcpproxy Value

Example

set inat TestINAT -tcpproxy enabled

set inat TestINAT -tcpproxy disabled

Removing an INAT Configuration

Use either of the following procedures to remove an INAT configuration.

To remove an INAT configuration using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.

2. On the Routes page, click the INAT tab.

3. In the details pane, select the name of the INAT configuration that you want to remove (for example, MyNAT).

4. Click Remove, and then click Close.

To remove an INAT configuration using the NetScaler command line

At the NetScaler command prompt, type:

rm inat Name

Example

rm inat MyNAT

Coexistence of INAT and Vservers

If both INAT and RNAT are configured, the INAT rule takes precedence over the RNAT rule. If RNAT is configured with a network address translation IP (NAT IP) address, the NAT IP address is selected as the source IP address for that RNAT client.

The default public destination IP in an INAT configuration is the virtual IP (VIP) of the NetScaler device. Vservers also use VIPs. When both INAT and a Vserver use the same IP address, the Vserver configuration overrides the INAT configuration.

Following are a few sample configuration setup scenarios and their effects.

Case: You have configured a vserver and a service to send all data packets received on a specific NetScaler port to the server directly. You have also configured INAT and enabled TCP. Configuring INAT in this manner sends all data packets received through a TCP engine before sending them to the server.
Result: All packets received on the NetScaler, except those received on the specific port, will pass through the TCP engine.

Case: You have configured a vserver and a service to send all data packets of service type TCP, that are received on a specific port on the NetScaler, to the server after passing through the TCP engine. You have also configured INAT and disabled TCP. Configuring INAT in this manner sends the data packets received directly to the server.
Result: Only packets received on the specific port will pass through the TCP engine.

Case: You have configured a vserver and a service to send all data packets received to either of two servers. You are attempting to configure INAT to send all data packets received to a different server.
Result: The INAT configuration is not allowed.

Case: You have configured INAT to send all data packets received directly to a server. You are attempting to configure a vserver and a service to send all data packets received to two different servers.
Result: The vserver configuration is not allowed.

Reverse Network Address Translation

In Reverse Network Address Translation (RNAT), the NetScaler replaces the source IP addresses in the packets generated by the servers with public, NAT IP addresses. By default, the NetScaler uses a Mapped IP address (MIP) as the NAT IP address. You can also configure the NetScaler to use a unique NAT IP address for each subnet. You can also configure RNAT by using Access Control Lists (ACLs).

Use Source IP (USIP), Use Subnet IP (USNIP), and Link Load Balancing (LLB) modes affect the operation of RNAT. You can display statistics to monitor RNAT.

Configuring RNAT to Use a MIP as the NAT IP Address

When using a MIP as the NAT IP address, the NetScaler replaces the source IP addresses of server-generated packets with the MIP. Therefore, the MIP address must be a public IP address. If Use Subnet IP (USNIP) mode is enabled, the NetScaler uses the subnet IP address (SNIP) as the NAT IP address.

The following table describes the parameters for using a MIP as the NAT IP address.

Parameters for configuring MIP as the NAT IP

Parameter   Specifies
Network     Network or subnet from which the traffic is flowing.
Netmask     Subnet mask of the network.

The following procedure enables RNAT with the NAT IP set to a MIP. In the example, RNAT is enabled for the network 192.168.1.0 and subnet mask 255.255.255.0. The NetScaler changes the source IP addresses of packets originating from the 192.168.1.0 network and sent to the MIP.

To enable RNAT when the NAT IP is set to a MIP using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.

2. On the Routes page, on the RNAT tab, click Configure RNAT.

3. In the Configure RNAT dialog box, in the Network and Netmask text boxes, type the network and subnet mask for which you want to enable RNAT (for example, 192.168.1.0 and 255.255.255.0).

4. Click Create, and then click Close.

To enable RNAT when the NAT IP is set to a MIP using the NetScaler command line

At a NetScaler command prompt, type:

set rnat IPAddress Subnetmask

Example

set rnat 192.168.1.0 255.255.255.0

Configuring RNAT by Using a Unique IP Address as the NAT IP Address

When using a unique IP address as the NAT IP address, the NetScaler replaces the source IP addresses of server-generated packets with the unique IP address specified. The unique IP address must be a public NetScaler-owned IP address. This is illustrated in the following diagram.

The following table describes the parameter used to set a unique NAT IP address.

Assigning a Unique NAT IP

Parameter                      Specifies
Available NAT IP (s) (natip)

The following procedures include examples in which the NetScaler is configured to use two unique IP addresses, MIP1 and MIP2, for two subnets. The NetScaler replaces the source IP addresses of packets originating from the 192.168.1.0 and 192.168.2.0 subnets to 10.102.29.50 (MIP1) and 10.102.29.60 (MIP2), respectively.

To enable RNAT when the NAT IP is set to a unique IP address using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.

2. On the Routes page, on the RNAT tab, select the RNAT network for which you want to configure the NAT IP address (for example, 192.168.1.0).

3. Click Configure RNAT.

4. In the Configure RNAT dialog box, in the Available NAT IP (s) list box, select the NAT IP address that you want to configure (for example, select 10.102.29.50).

5. Click Add. The NAT IP you selected in Step 4 appears in the Configured NAT IP (s) list box.

6. Click OK.

7. Repeat steps 2-6 if you want to configure another RNAT network (for example, to configure the NAT IP address for 192.168.2.0 to 10.102.29.60).

To enable RNAT when the NAT IP is set to a unique IP address using the NetScaler command line

At a NetScaler command prompt, type:

set rnat IPAddress Subnetmask -natip NATIPAddress

Example

set rnat 192.168.1.0 255.255.255.0 -natip 10.102.29.50

set rnat 192.168.2.0 255.255.255.0 -natip 10.102.29.60

Note: If multiple NAT IP addresses are configured for a subnet, NAT IP selection uses the round robin algorithm.

Configuring RNAT by Using ACLs

You can configure the NetScaler to use a unique IP address for traffic that matches an ACL. The configuration requires three tasks:

1. Configure the ACL.

2. Configure RNAT to change the source IP address and Destination Port.

3. Apply the ACL.

Note: ACL-based RNAT is not applied to traffic originating from the NetScaler.

For more information on ACLs, see Chapter 3, “Access Control Lists (ACLs).”

The following diagram illustrates RNAT configured with an ACL.

Changing Source IP Address and Port

Configuring an ACL

The following procedure creates a new ACL. Alternatively, you can open and modify an existing ACL. This procedure includes examples for creating an ACL named acl1, which allows TCP traffic originating from a server with IP address 10.102.29.40 to an external client at 209.165.202.11.


To configure an ACL using the configuration utility

1. In the navigation pane, expand Network and click ACLs.

2. On the ACLs page, click the Extended ACL tab, and then click Add.

3. In the Add ACL dialog box, in the Name text box, type the name of the ACL (for example, acl1).

4. In the Action, Operator, and Protocol drop-down lists, select the action, operator, and the protocol that you want to configure (for example, ALLOW, =, and TCP).

5. Under Source, in the Low and High text boxes, type the IP addresses (for example, 10.102.29.40 and 10.102.29.40).

6. Under Destination, in the Low and High text boxes, type the IP addresses (for example, 209.165.201.11 and 209.165.201.11).

7. Click Create, and click Close.

To configure an ACL using the NetScaler command line

At the NetScaler command prompt, type:

add acl Name allow -srcip SourceIPAddress -destip DestinationIPAddress -protocol Protocoltype

Example

add acl acl1 allow -srcip 10.102.29.40 -destip 209.165.201.11 -protocol TCP

Configuring RNAT to Change the Source IP Address and Destination Port

The following procedure includes examples for configuring RNAT to replace the source IP address of packets matching acl1 with NAT IP address 209.165.202.129, and to change the destination port to 8080.
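The following is an added example, not code from the guide or from Citrix: a small Python model of the two RNAT decisions described in this chapter, subnet-based RNAT with round-robin selection among several NAT IPs (see the note under "Assigning a Unique NAT IP") and ACL-based RNAT that rewrites the source IP and the destination port. It uses the addresses from the examples above; the NetScaler-owned address 10.102.29.10, the acl2 entry, the rule-evaluation order (ACL rules before subnet rules) and the restriction to ALLOW ACLs are assumptions made for illustration.

```python
# Added example: model of NetScaler RNAT selection as described in this chapter.
# Not NetScaler code. Rule order, the ALLOW-only rule, the 10.102.29.10
# NetScaler-owned address and the acl2 entry are assumptions for illustration.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Acl:
    """One extended ACL: add acl <name> allow -srcip ... -destip ... -protocol ..."""
    name: str
    action: str
    srcip: str
    destip: str
    protocol: str

    def matches(self, src: str, dst: str, proto: str) -> bool:
        return (self.srcip == src and self.destip == dst
                and self.protocol.upper() == proto.upper())


@dataclass
class SubnetRnat:
    """set rnat <network> <mask> -natip <ip>, possibly repeated for several NAT IPs."""
    network: IPv4Network
    natips: List[str]
    _next: int = 0  # round-robin cursor, one per subnet rule

    def pick_natip(self) -> str:
        # Multiple NAT IPs for one subnet are used in round-robin order.
        ip = self.natips[self._next % len(self.natips)]
        self._next += 1
        return ip


@dataclass
class AclRnat:
    """ACL-based RNAT: a NAT IP plus an optional destination-port rewrite."""
    aclname: str
    natip: str
    redirect_port: Optional[int] = None


@dataclass
class RnatTable:
    acls: Dict[str, Acl]
    acl_rules: List[AclRnat]
    subnet_rules: List[SubnetRnat]
    owned_ips: Set[str]  # addresses belonging to the NetScaler itself

    def translate(self, src: str, dst: str, proto: str,
                  dport: int) -> Optional[Tuple[str, int]]:
        """Return (new source IP, new destination port), or None if no RNAT applies."""
        # ACL-based RNAT is not applied to traffic originating from the NetScaler.
        if src not in self.owned_ips:
            for rule in self.acl_rules:
                acl = self.acls.get(rule.aclname)
                # Assumption: only ALLOW ACLs take part in RNAT selection.
                if acl and acl.action.upper() == "ALLOW" and acl.matches(src, dst, proto):
                    return rule.natip, rule.redirect_port or dport
        # Assumption: subnet-based rules are consulted after the ACL-based ones.
        addr = IPv4Address(src)
        for rule in self.subnet_rules:
            if addr in rule.network:
                return rule.pick_natip(), dport
        return None


def build_example_table() -> RnatTable:
    """Constructed configuration mirroring the examples in this chapter."""
    acl1 = Acl("acl1", "ALLOW", "10.102.29.40", "209.165.201.11", "TCP")
    # acl2 is constructed: it matches traffic from the NetScaler's own address.
    acl2 = Acl("acl2", "ALLOW", "10.102.29.10", "209.165.201.11", "TCP")
    return RnatTable(
        acls={acl1.name: acl1, acl2.name: acl2},
        acl_rules=[AclRnat("acl1", "209.165.202.129", 8080),
                   AclRnat("acl2", "209.165.202.130")],
        subnet_rules=[
            SubnetRnat(IPv4Network("192.168.1.0/24"), ["10.102.29.50", "10.102.29.51"]),
            SubnetRnat(IPv4Network("192.168.2.0/24"), ["10.102.29.60"]),
        ],
        owned_ips={"10.102.29.10"},  # constructed NetScaler-owned address
    )


if __name__ == "__main__":
    t = build_example_table()
    print(t.translate("10.102.29.40", "209.165.201.11", "TCP", 80))  # ('209.165.202.129', 8080)
    print(t.translate("192.168.1.5", "198.51.100.7", "TCP", 443))    # ('10.102.29.50', 443)
    print(t.translate("192.168.1.5", "198.51.100.7", "TCP", 443))    # ('10.102.29.51', 443)
    print(t.translate("10.102.29.10", "209.165.201.11", "TCP", 80))  # None
```

The last call shows the exemption stated in the note above: a packet from the NetScaler's own address matches acl2 but receives no ACL-based translation. Two consecutive packets from 192.168.1.0/24 receive 10.102.29.50 and then 10.102.29.51, which is the round-robin selection the earlier note describes.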

To set RNAT to change the Source IP address and Destination Port using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.

2. On the Routes page, click the RNAT tab and click Configure RNAT.

3. In the Configure RNAT dialog box, click the ACL radio button.

4. In the ACL Name drop-down list box, select the ACL that you want to
