Citrix NetScaler Networking Guide. Citrix NetScaler 9.0

Transcription

1 Citrix NetScaler Networking Guide Citrix NetScaler 9.0

2 Copyright and Trademark Notice CITRIX SYSTEMS, INC., ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK (SUCH AS TRANSLATION, TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC. ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL. CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED. The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radiofrequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. Modifying the equipment without Citrix' written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense. You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler Request Switch 9000 Series equipment. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures: Move the NetScaler equipment to one side or the other of your equipment. Move the NetScaler equipment farther away from your equipment. Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses.) Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your authority to operate the product. BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, WANScaler, Citrix XenApp, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation. NetScape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks or trademarks of their respective holders. Software covered by the following third party copyrights may be included with this product and will also be subject to the software license agreement: Copyright 1998 Carnegie Mellon University. All rights reserved. Copyright David L. Mills 1993, Copyright 1992, 1993, 1994, 1997 Henry Spencer. Copyright Jean-loup Gailly and Mark Adler. Copyright 1999, 2000 by Jef Poskanzer. All rights reserved. Copyright Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves. All rights reserved. Copyright 1982, 1985, 1986, , 1993 Regents of the University of California. All rights reserved. Copyright 1995 Tatu Ylonen, Espoo, Finland. All rights reserved. Copyright UNIX System Laboratories, Inc. Copyright 2001 Mark R V Murray. Copyright Eric Young. Copyright 1995,1996,1997,1998. Lars Fenneberg. Copyright Livingston Enterprises, Inc. Copyright 1992, 1993, 1994, The Regents of the University of Michigan and Merit Network, Inc. Copyright , RSA Data Security, Inc. Created Copyright 1998 Juniper Networks, Inc. All rights reserved. Copyright 2001, 2002 Networks Associates Technology, Inc. All rights reserved. Copyright (c) 2002 Networks Associates Technology, Inc. Copyright The Open LDAP Foundation. All Rights Reserved. Copyright 1999 Andrzej Bialecki. All rights reserved. Copyright 2000 The Apache Software Foundation. All rights reserved. Copyright (C) Robert A. van Engelen, Genivia inc. All Rights Reserved. Copyright (c) University of Cambridge. All rights reserved. Copyright (c) David Greenman. Copyright (c) 2001 Jonathan Lemon. All rights reserved. Copyright (c) 1997, 1998, Bill Paul. All rights reserved. Copyright (c) Matt Thomas. All rights reserved. Copyright 2000 Jason L. Wright. Copyright 2000 Theo de Raadt. Copyright 2001 Patrik Lindergren. All rights reserved. Last Updated: April 2009

3 CONTENTS Preface Chapter 1 Chapter 2 About This Guide vii New in This Release viii Audience ix Formatting Conventions x Related Documentation x Getting Service and Support xi Knowledge Center xi Education and Training xii Documentation Feedback xii IP Addressing Configuring NetScaler-Owned IP Addresses NetScaler IP Address (NSIP) Virtual IP Address (VIP) Subnet IP Address (SNIP) Mapped IP Address (MIP) GSLB Site IP Address (GSLBIP) Creating NetScaler-Owned IP Addresses Proxying Connections Selecting the Destination IP Address Selecting the Source IP Address Enabling the Use Source IP Mode Configuring Modes of Packet Forwarding Enabling and Disabling Modes Network Address Translation Inbound Network Address Translation Reverse Network Address Translation Configuring Static ARP Interfaces MAC-Based Forwarding Enabling and Disabling MAC-based Forwarding Configuring Network Interfaces Managing Network Interfaces Configuring VLANs Applying Rules to Classify Frames VLANs and Packet Forwarding on the NetScaler

4 iv Citrix NetScaler Networking Guide Configuring Link Aggregation Configuring Link Aggregation Manually Configuring the Link Aggregate Channel Protocol Verifying the Configuration Configuring VMAC Configuring the Bridge Table Path MTU Behavior Chapter 3 Chapter 4 Access Control Lists (ACLs) ACL Precedence Configuring Simple ACLs Creating Simple ACLs Removing Simple ACLs Verifying or Troubleshooting the Configuration Monitoring Simple ACLs Configuring Extended ACLs Creating a Basic Extended ACL Applying an ACL Removing Extended ACLs Enabling and Disabling ACLs Renumbering ACL Modifying Extended ACLs Configuring Access Control List (ACL) Logging Verifying the Configuration Monitoring the Extended ACL Configuring RNAT by Using Extended ACLs Configuring ACL6s IP Routing Configuring Dynamic Routes Interfaces for Configuring Dynamic Routing Using RIP Using OSPF Using BGP Configuring Route Health Injection Enabling RHI Limiting Host Route Advertising for VIPs Advertising Networks Displaying Routes Learned Through Dynamic Routing Protocols

5 Contents v Configuring Static Routes Monitored Static Routes Weighted Static Routes Null Routes Customizing a Static Route Removing a Static Route Gathering Information to Troubleshoot Generic Routing Issues Learning Troubleshooting Procedures Troubleshooting OSPF Specific Issues Configuring IPv6 Static Routes Chapter 5 IP version 6 IPv6 Features Implementing IPv6 Support Enabling or Disabling IPv Adding an IPv6 Address Customizing SNIP and NSIP IPv6 Addresses Customizing VIP IPv6 Addresses Verifying the Configuration Monitoring the Configuration Configuring Neighbor Discovery and Router Learning Neighbor Discovery Router Learning Adding IPv6 Support to NetScaler Features Adding an IPv6 Vserver VLAN Support Simple Deployment Scenario Host Header Modification VIP Insertion Chapter 6 High Availability How High Availability Works Considerations for a High Availability Setup Configuring High Availability Configuring a Basic High Availability Setup Modifying an Existing HA Setup

6 vi Citrix NetScaler Networking Guide Customizing a High Availability Setup Configuring the Communication Intervals Configuring Synchronization Configuring Command Propagation Forcing a Node to Fail Over Configuring Virtual MAC Addresses Configuring IPv4 VMACs Configuring IPv6 VMACs Improving the Reliability of a High Availability Setup Configuring High Availability Nodes in Different Subnets Configuring Link Redundancy Configuring Route Monitors High Availability Health Check Computation Configuring the State of a Node Forcing the Secondary Node to Stay Secondary Forcing the Primary Node to Stay Primary Troubleshooting High Availability Issues

7 PREFACE Preface About This Guide Before you begin to configure the networking features, take a few minutes to review this chapter and learn about related documentation, other support options, and ways to send us feedback. In This Preface About This Guide New in This Release Audience Formatting Conventions Related Documentation Getting Service and Support Documentation Feedback The Citrix NetScaler Networking Guide describes how to configure the various networking components on the NetScaler. This guide provides the following information: Chapter 1, IP Addressing. This chapter discusses the NetScaler-owned IP addresses and how to create, customize, and remove them. Chapter 2, Interfaces. This chapter discusses some of the basic network configurations that must be done to get started. Chapter 3, Access Control Lists (ACLs). This chapter discusses the different types of Access Control Lists and how to create, customize, and remove them. Chapter 4, IP Routing. This chapter discusses the routing functionality of the NetScaler, both static and dynamic. It also discusses Route Health Injection.

8 viii Citrix NetScaler Networking Guide New in This Release Chapter 5, IP version 6. This chapter discusses how NetScaler supports IPv6. Chapter 6 High Availability. This chapter describes how High Availability (HA) works in a NetScaler deployment to ensure uninterrupted operation in any transaction. Following is a list of the new features and enhancements in the 9.0 of Citrix NetScaler. Note: The documentation has been reorganized. The information in this guide, Citrix NetScaler Networking Guide, was formerly located in the now obsolete Citrix Installation and Configuration Guide (ICG). Both Volume 1 and Volume 2 of the ICG have been divided into eight new guides. This breakdown into smaller guides was based on audience and task analysis and provides more efficient access to information. For more information about the documentation, see Related Documentation, on page xi. End-to-end IPv6. The NetScaler extends its IPv6 support for server-side implementation. The enhanced support enables using of IPv6 addresses for SNIPs, vservers, services, and servers. You can create access control lists (ACLs) specifically for IPv6 packets, add IPv6 Neighbors, and bind IPv6 addresses to VLANs. You can also use IPv6 management utilities such as Ping6 and Traceroute6. You can configure static routes using IPv6 addresses to any destination, assign values for distance and cost, and enable advertising of static routes to IPv6 routing protocols. IPv6 support also extends to OSPFv3. For more information, see IP version 6, on page 131. ACL Logging. You can configure the NetScaler to log details for packets that match an ACL. In addition to the ACL name, the logged details include packet-specific information such as the source and destination IP addresses. The information is stored either in the syslog file or in the nslog file, depending on the type of global logging (syslog or nslog) enabled. For more information, see Configuring ACL6s, on page 88. In-bound Network Address Translation. You can configure the NetScaler NAT functionality to also handle inbound traffic. When you configure In-bound Network Address Translation, a client in the public address space can send a packet to a private address space. The packet is initially sent to the public Destination IP Address which is the NetScaler owned Virtual IP Address (VIP). The NetScaler translates the initial destination address to the private IP address of the server and forwards the

9 Preface ix data packet. Similarly, when a packet is sent from the server in the private address space to the client in the public address space, the NetScaler handles the address translation also. To provide security, features like tcpproxy and ftp are also provided for the NetScaler when INAT is configured. For more information, see Inbound Network Address Translation, on page 20. Host Route Advertisement. If a VIP represents primary and backup vservers, the state of the VIP depends on the effective state of the vservers it represents. By default, a host route associated with a VIP is not advertised if the effective state of the vservers is either DOWN or DISABLED. The effective state of the vservers depends on the state of the primary vserver and the state of the backup vserver. Monitored Static Routes. NetScaler supports monitoring of static routes. You can configure the NetScaler to monitor a static route either by creating a new PING or ARP monitor or by using existing PING or ARP monitors. Monitoring a route enables the NetScaler to send packets using back-up routes which would otherwise not be activated. For configuration instructions on how to monitor static routes, see NetScaler Networking Guide. For more information, see Monitored Static Routes, on page 116. Weighted Static Routes. NetScaler supports assigning weights to Equal Cost Multi-Path (ECMP) routes to enable balancing of load.weights are user configurable values that help NetScaler load balance and choose a preferred route. For more information, see Weighted Static Routes, on page 116. Black Hole Avoidance Mechanism. After failover in a High Availability Setup, the new primary node injects all its VIP routes into the upstream router. However, that router retains routes injected by the old primary for 180 seconds. Because the router is not aware of the failover, it attempts to load balance traffic between the two nodes. During the 180 seconds before the old routes expire, the router sends half the traffic to the old, inactive primary node, which is, in effect, a black hole. To prevent this, the new primary node, when injecting a route, assigns it a metric that is slightly lower than the one specified by the old primary node. If the route's metric is already lower than its old counterpart, the new primary does not change it. For more information, see Black Hole Avoidance Mechanism, on page 99. Audience This guide is intended for the following audience: Hardware Technicians

10 x Citrix NetScaler Networking Guide System and Network Administrators The concepts and tasks described in this guide require you to have a basic understanding of networking concepts such as Layer2 and Layer 3 modes, routing, and interfaces. Formatting Conventions This documentation uses the following formatting conventions. Formatting Conventions Convention Boldface Italics Monospace Meaning Information that you type exactly as shown (user input); elements in the user interface. Placeholders for information or parameters that you provide. For example, FileName in a command means you type the actual name of a file. Also, new terms, and words referred to as words (which would otherwise be enclosed in quotation marks). System output or characters in a command line. User input and placeholders also are formatted using monspace text. [ brackets ] Optional items in command statements. For example, in the following command, [-range positiveinteger] means that you have the option of entering a range, but it is not required: add lb vserver name servicetype IPAddress port [-range positiveinteger] Do not type the brackets themselves. (vertical bar) A separator between options in braces or brackets in command statements. For example, the following indicates that you choose one of the following load balancing methods: lbmethod = ( ROUNDROBIN LEASTCONNECTION LEASTRESPONSETIME URLHASH DOMAINHASH DESTINATIONIPHASH SOURCEIPHASH SRCIPDESTIPHASH LEASTBANDWIDTH LEASTPACKETS TOKEN SRCIPSRCPORTHASH LRTM CALLIDHASH CUSTOMLOAD ) Related Documentation A complete set of documentation is available on the Documentation tab of your NetScaler and from (Most of the documents require Adobe Reader, available at

11 Preface xi To view the documentation 1. From a Web browser, log on to the NetScaler. 2. Click the Documentation tab. 3. To view a short description of each document, hover your cursor over the title. To open a document, click the title. Getting Service and Support Citrix provides technical support primarily through the Citrix Solutions Network (CSN). Our CSN partners are trained and authorized to provide a high level of support to our customers. Contact your supplier for first-line support, or check for your nearest CSN partner at You can also get support from Citrix Customer Service at On the Support menu, click Customer Service. Knowledge Center The Knowledge Center offers a variety of self-service, Web-based technical support tools at Knowledge Center features include: A knowledge base containing thousands of technical solutions to support your Citrix environment An online product documentation library Interactive support forums for every Citrix product Access to the latest hotfixes and service packs Knowledge Center Alerts that notify you when a topic is updated Note: To set up an alert, sign in at and, under Products, select a specific product. In the upper-right section of the screen, under Tools, click Add to your Hotfix Alerts. To remove an alert, go to the Knowledge Center product and, under Tools, click Remove from your Hotfix Alerts. Security bulletins Online problem reporting and tracking (for organizations with valid support contracts)

12 xii Citrix NetScaler Networking Guide Education and Training Citrix offers a variety of instructor-led and Web-based training solutions. Instructor-led courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high-quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification. Web-based training courses are available through CALCs, resellers, and from the Citrix Web site. Information about programs and courseware for Citrix training and certification is available at Documentation Feedback You are encouraged to provide feedback and suggestions so that we can enhance the documentation. You can send to the following alias or aliases, as appropriate. In the subject line, specify Documentation Feedback. Be sure to include the document name, page number, and product release version. For NetScaler documentation, send to nsdocs_feedback@citrix.com. For Command Center documentation, send to ccdocs_feedback@citrix.com. For Access Gateway documentation, send to agdocs_feedback@citrix.com. You can also provide feedback from the Knowledge Center at support.citrix.com/. To provide feedback from the Knowledge Center home page 1. Go to the Knowledge Center home page at 2. On the Knowledge Center home page, under Products, expand NetScaler Application Delivery, and click NetScaler Application Delivery Software On the Documentation tab, click the guide name, and then click Article Feedback. 4. On the Documentation Feedback page, complete the form and click Submit.

13 CHAPTER 1 IP Addressing Before you can configure the NetScaler, you must assign the NetScaler IP Address (NSIP), also known as the Management IP address. You can also create other NetScaler-owned IP addresses for abstracting servers and establishing connections with the servers. In this type of configuration, the NetScaler serves as a proxy for the abstracted servers. You can also proxy connections by using network address translations (INAT and RNAT). When proxying connections, the NetScaler can behave either as a bridging (Layer 2) device or as a packet forwarding (Layer 3) device. To make packet forwarding more efficient, you can configure static ARP entries. In This Chapter Configuring NetScaler-Owned IP Addresses Proxying Connections Configuring Modes of Packet Forwarding Network Address Translation Configuring Static ARP Configuring NetScaler-Owned IP Addresses The NetScaler-owned IP Addresses NetScaler IP Address (NSIP), Virtual IP Addresses (VIPs), Subnet IP Addresses (SNIPs), Mapped IP Addresses (MIPs), and Global Server Load Balancing Site IP Addresses (GSLBIPs) exist only on the NetScaler. The NSIP uniquely identifies the NetScaler on your network, and it provides access to the appliance. A VIP is a public IP address to which a client sends requests. The NetScaler terminates the client connection at the VIP and initiates a connection with a server. This new connection uses a SNIP or a MIP as the source IP address for packets forwarded to the server. If you have multiple data centers that are geographically distributed, each data center can be identified by a unique GSLBIP.

14 2 Citrix NetScaler Networking Guide NetScaler IP Address (NSIP) The NetScaler IP (NSIP) address is the IP address at which you access the NetScaler for management purposes. The NetScaler can have only one NSIP, which is also called the Management IP address. You must add this IP address when you configure the NetScaler for the first time. If you modify this address, you must reboot the NetScaler. You cannot remove an NSIP address. For Security reasons, NSIP should be a non-routable IP address on your organization's LAN. Note: Configuring the NetScaler IP address is mandatory. Creating the NetScaler IP Address (NSIP) Use either of the following procedures to set the NSIP. To configure the NetScaler IP address using the configuration utility 1. In the navigation pane, click NetScaler. 2. On the System Overview page, click Setup Wizard. 3. In the Setup Wizard dialog box, click Next. 4. On the IP Addresses page, under System IP Address Configuration, in the IP Address, Netmask, and Host Name text boxes, type the IP address, subnet mask, and the host name, respectively (for example, , , and NS170). 5. Follow the instructions in the Setup Wizard to complete the configuration. To configure the NetScaler IP address using the NetScaler command line set ns config -ipaddress IPAddress -netmask Subnetmask set ns config -ipaddress netmask Note: With an IPV6 address configured as NSIP in NetScaler running on 8.1 release, when upgrading from release 8.1 to 9.0 the NSIP changes to SNIP.

15 Chapter 1 IP Addressing 3 Virtual IP Address (VIP) Configuration of a Virtual Server IP address (VIP) is not mandatory during initial configuration of the NetScaler. When you configure load balancing, you assign VIPs to virtual servers. For more information about configuring the load balancing setup, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing. In some situations, you need to customize VIP attributes or enable/disable a VIP. You can host the same vserver on multiple NetScalers residing on the same broadcast domain by using ARP and ICMP attributes. Customizing the Attributes of a VIP A VIP is usually associated with a vserver, and some of the attributes of the VIP are customized to meet the requirements of the vserver. After you add a VIP (or any IP address), the NetScaler sends, then responds to, ARP requests. To control the response of a NetScaler to a PING request on a NetScaler-owned IP address, you must control the ICMP attribute of a VIP. The following table describes the parameters that can be customized for a VIP. Parameters for Customizing a VIP Parameter ARP (arp) ICMP (icmp) Virtual Server (vserver) State (state) Host Route (hostroute) Gateway IP (hostrtgw) Specifies Use Address Resolution Protocol (ARP) to map IP addresses to the corresponding hardware addresses. Possible values: Enabled and Disabled. Default: Enabled. Send Internet Control Message Protocol (ICMP) messages. The user network applications that use ICMP are PING and TRACEROUTE. Possible values: Enabled and Disabled. Default Enabled. Apply the vserver attribute to this IP entity. Possible values: Enabled and Disabled. Default: Enabled. State of the VIP. Possible values: Enabled and Disabled. Default: Enabled. Advertise a route for this IP address. Possible values: Enabled and Disabled. Default: Disabled. IP address of the network advertised as the gateway to connect to external networks such as the Internet.

16 4 Citrix NetScaler Networking Guide Parameters for Customizing a VIP Parameter Metric (metric) V Server RHI Level (vserverrhilevel) OSPF LSA Type (ospflsatype) Area (ospfarea) Specifies Value used by routing algorithms to compare performance of this route to others. Route with lowest metric is the preferred route. Default value depends on the routing protocol. To change default, set this parameter. Possible values: to When the host route associated with the VIP is advertised. Possible values: ONE_VSERVER, ALL_VSERVERS, and NONE. Default: ONE_SERVER. Type of Link State Advertisement (LSA) used by OSPF protocol to discover and maintain neighbor relationships. Possible values: Type 1 or Type 5. Default: Disabled. Logical collection of OSPF networks, routers, and links is an Area. Areas are identified by an Area ID. Possible values: 0 to Default: -1. To enable or disable ARP using the configuration utility 1. In the navigation pane, expand Network and click IPs. 2. In the details pane, on the IPv4s tab, select the IP address that you want to modify (for example, ), and then click Open. 3. In the Configure IP dialog box, under Options, do one of the following: To disable ARP, clear the ARP check box. To enable ARP, check the ARP check box. 4. Click OK. To enable or disable ARP using the NetScaler command line set ns ip IPAddres -ARP Value s set ns ip ARP disable set ns ip ARP enable Enabling and Disabling a VIP VIPs are the only NetScaler-owned IP addresses that can be disabled. When a VIP is disabled, the virtual server using it goes down and does not respond to ARP, ICMP, and L4 service requests. Use either of the following procedures to disable an IP address of type virtual IP (VIP).

17 Chapter 1 IP Addressing 5 To enable or disable an IP address using the configuration utility 1. In the navigation pane, expand Network and click IPs. 2. In the details pane, on the IPv4s tab, select the IP address (for example, ) and do one of the following: To enable the selected IP address, click Enable. To disable the selected IP address, click Disable. To enable or disable an IP address using the NetScaler command line enable ns ip IPAddress disable ns ip IPAddress enable ns ip disable ns ip Subnet IP Address (SNIP) A subnet IP address (SNIP) is used in connection management and server monitoring. It is not mandatory to specify a SNIP when you initially configure the NetScaler. In a multiple-subnet scenario, the NSIP, the mapped IP address (MIP), and the IP address of a server can exist on different subnets. To eliminate the need to configure additional routes on devices such as servers, you can configure subnet IP addresses (SNIPs) on the NetScaler. In Use SNIP (USNIP) mode, a SNIP is the source IP address of a packet sent from the NetScaler to the server, and the SNIP is the IP address that the server uses to access the NetScaler. This mode is enabled by default When you add a SNIP, a route corresponding to the SNIP is added to the routing table. The NetScaler determines the next hop for a service from the routing table, and if the IP address of the hop is within the range of a SNIP, the NetScaler uses the SNIP to source traffic to the service. When multiple SNIPs cover the IP addresses of the next hops, the SNIPs are used in round robin manner.

18 6 Citrix NetScaler Networking Guide The following diagram illustrates USNIP mode. SNIP mode Use the following procedure to enable or disable the use SNIP mode. To enable or disable USNIP using the configuration utility 1. In the navigation pane, expand System and click Settings. 2. In the details pane, in the Modes and Features group, click Change modes. 3. In the Configure Modes dialog box, do one of the following: To enable USNIP, select the Use Subnet IP check box. To disable USNIP, clear the Use Subnet IP check box. 4. Click OK. 5. In the Enable/Disable Feature(s)? dialog box, click Yes. To enable or disable use SNIP using the NetScaler command line enable ns mode mode disable ns mode mode enable ns mode usnip disable ns mode usnip

19 Chapter 1 IP Addressing 7 Mapped IP Address (MIP) Mapped IP addresses (MIP) are used for external connections from the NetScaler. A MIP can be considered a default Subnet IP address (SNIP) when a SNIP cannot be used. MIPs and SNIPs are used for external connections from the NetScaler. But MIPs are used for server-side connections when the use subnet IP address option is globally disabled on the NetScaler. If the mapped IP address is the first in the subnet, the NetScaler adds a route entry, with this IP address as the gateway to reach the subnet. You can create or delete a MIP during runtime without rebooting the NetScaler. GSLB Site IP Address (GSLBIP) The GSLB site IP address is the IP address associated with a GSLB site. It is not mandatory to specify this IP address when you initially configure the NetScaler. It can be used only when you create a GSLB site. For more information on creating a GSLB site IP address, see the Citrix NetScaler Traffic Management Guide, Chapter 8, Global Server Load Balancing. Creating NetScaler-Owned IP Addresses Most users create VIPs, SNIPs, and MIPs by setting only the required parameters, and later complete their configuration by modifying the characteristics of these addresses. The following table describes the parameters used to create an IP address. Basic Parameters for creating an IP Address Parameter IP Address Netmask Type (type) Specifies Unique identification used to represent an entity. This is a mandatory parameter. Subnet mask associated with the IP address. This is a mandatory parameter. Type of the IP address. Possible values: SNIP, VIP, MIP, and GSLBsiteIP. Default: SNIP. You cannot use this procedure to configure the NSIP. For the procedure to configure the NSIP, see Creating the NetScaler IP Address (NSIP), on page 2. Use either of the following procedures to create a NetScaler-owned IP address. To configure an IP address using the configuration utility 1. In the navigation pane, expand Network and click IPs.

20 8 Citrix NetScaler Networking Guide 2. In the details pane, click Add. 3. In the Create IP dialog box, in the IP Address and Netmask text boxes, type the IP address and subnet mask, respectively (for example, and ). 4. Under IP Type, select the type of IP address to be created. 5. Click Create and click Close. The subnet IP address you created appears in the IPs page. To add an IP address using the NetScaler command line add ns ip IPaddress Subnetmask -type Type add ns ip type SNIP Removing an IP Address You can remove any IP address except the NSIP. The following table provides information on the processes you must follow to remove the various types of IP addresses. Removing an IP Address IP address type Subnet IP address (SNIP) Mapped IP address (MIP) Virtual Server IP address (VIP) GSLB-Site-IP address Implications If IP address being removed is the last IP address in the subnet, the associated route from the route table is deleted. If IP address being removed is the gateway in the corresponding route entry, the gateway for that subnet route is changed to another NetScaler-owned IP address. If a SNIP exists, you can remove the MIPs. NetScaler uses NSIP and SNIPs to communicate with the servers when the MIP is removed. Therefore, you must also enable Use SNIP. For information on enabling and disabling Use SNIP, see To configure an IP address using the configuration utility, on page 8. Before removing a VIP, you must first remove the vserver associated with it. For information on removing the vserver, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing. Before removing a GSLB site IP address, you must remove the site associated with it. For information on removing the site, see the Citrix NetScaler Traffic Management Guide, Chapter 8, Global Server Load Balancing.

21 Chapter 1 IP Addressing 9 Use either of the following procedures to remove a MIP, GSLBIP, SNIP, or VIP. (Before removing a VIP, remove the associated virtual server.) To remove an IP address using the configuration utility 1. In the navigation pane, expand Network and click IPs. 2. On the IPs page, on the IPv4s tab, select the IP address that you want to remove (for example, ), and then click Remove. 3. In the Remove dialog box, click Yes. To remove an IP address using the NetScaler command line rm ns ip IPaddress rm ns ip Customizing Access to IP Addresses Application Access Controls, also known as Management Access control, form a unified mechanism for managing user authentication and implementing rules that determine user access to applications and data. You can configure management access to MIPs and SNIPs. Management access for the NSIP is enabled by default and cannot be disabled. You can, however, control it by using ACLs. For information about using ACLs, see Chapter 3, Access Control Lists (ACLs). The NetScaler does not support management access to VIPs. The following table provides a summary of the interaction between management access and specific service settings for Telnet. Management access Telnet (state configured on the NetScaler) Telnet (effective state at the IP level) Enable Enable Enable Enable Disable Disable Disable Enable Disable Disable Disable Disable

22 10 Citrix NetScaler Networking Guide The following table provides an overview of the IP addresses used as source IP addresses in outbound traffic. Application/ IP NSIP MIP SNIP VIP ARP Yes Yes Yes No Server side traffic No Yes Yes No RNAT No Yes Yes Yes ICMP PING Yes Yes Yes No Dynamic Routing Yes No Yes Yes The following table provides an overview of the applications available on these IP addresses. Application/ IP NSIP MIP SNIP VIP SNMP Yes Yes Yes No System Access Yes Yes Yes No You can access and manage the NetScaler by using applications such as Telnet, SSH, GUI, and FTP. Note: Telnet and FTP are disabled on the NetScaler for security reasons. To enable them, contact the customer support. After the applications are enabled, you can apply the controls at the IP level. The following table lists and describes the parameters used for customizing the SNIP and MIP addresses on your NetScaler. Parameters for customizing a SNIP and MIP Address Parameter Telnet (telnet) FTP (ftp) GUI (gui) Specifies Allow Telnet access to the IP address. Possible values: ENABLED and DISABLED. Default: ENABLED. Allow File Transfer Protocol (FTP) access to the IP address. Possible values: ENABLED and DISABLED. Default: ENABLED. Allow Graphical User Interface (GUI) access to the IP address. Possible values: ENABLED, SECUREONLY, and DISABLED. Default: ENABLED.

23 Chapter 1 IP Addressing 11 Parameters for customizing a SNIP and MIP Address Parameter SSH (ssh) SNMP (snmp) Management Access (mgmtaccess) Dynamic Routing (dynamicrouting ) Specifies Allow Secure Shell (SSH) access to the IP address. Possible values: ENABLED and DISABLED. Default: ENABLED. Allow Simple Network Management Protocol (SNMP) access to the IP address. Possible values: ENABLED and DISABLED. Default: ENABLED. Allow external access to the IP address. Possible values: ENABLED or DISABLED. Default: DISABLED. Allow dynamic routing on the IP address. Specific to SNIP. Possible values: Enabled or Disabled. Default: Disabled. To configure the NetScaler to respond to these applications using a specific IP address, you need to enable the specific management applications. If you disable management access for an IP address, existing connections that use the IP address are not terminated. However, if you close the session, you cannot initiate a connection. Use either of the following procedures to enable management access for an IP address. To enable management access for an IP address using the configuration utility 1. In the navigation pane, expand Network and click IPs. 2. On the IPs page, select the IP address that you want to modify (for example, ), and then click Open. 3. In the Configure IP dialog box, under Application Access Control, select the Enable Management Access control to support the below listed applications check box. 4. Select the application or applications that you want to enable and click OK. To customize an IP address using the NetScaler command line set ns ip IPAddress -mgmtaccess value -telnet value -ftp value -gui value -ssh value -snmp value set ns ip mgmtaccess enabled

24 12 Citrix NetScaler Networking Guide Verifying the Configuration You can display IP address properties to troubleshoot any fault in the configuration. You can display some of the properties in a list of all the IP addresses, and you can display details of individual addresses. Displaying properties in a list of IP addresses To display a list of your configured IP addresses, with some of their properties, use either of the following procedures. To display all the configured IP addresses using the configuration utility In the navigation pane, expand Network and click IPs. The IPs page appears in the details pane, listing the available IP addresses and some of their properties. To display all the IP addresses using the NetScaler command line sh ns ip Displaying details of an individual IP Address To display detailed information about an individual IP address, use either of the following procedures. To display detailed properties of an IP address using the configuration utility 1. In the navigation pane, expand Network and click IPs. 2. On the IPs page, verify that the configured IP address (for example, ) appears. 3. Select the IP address. Information about the address appears in the details pane. To view the IP addresses using the NetScaler command line sh ns ip Proxying Connections When a client initiates a connection, the NetScaler terminates the client connection, initiates a connection to an appropriate server, and sends the packet to the server. The NetScaler does not perform this action for service type UDP or ANY. For more information about service types, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing.

25 Chapter 1 IP Addressing 13 You can configure the NetScaler to process the packet before initiating the connection with a server. The default behavior of the NetScaler is to change the source and destination IP addresses of a packet before sending the packet to the server. You can configure the NetScaler to retain the source IP address of the packets by enabling Use Source IP mode. Selecting the Destination IP Address Traffic arriving at the NetScaler can be bound to a virtual server (vserver) or to a service. The NetScaler handles traffic to vservers and services differently. The NetScaler terminates traffic bound to vservers and changes the vserver IP address (VIP) to the IP address of the server before forwarding the traffic to the server, as shown in the following diagram.. Proxying Connections to VIPs Packets bound to a service are sent directly to the appropriate server, and the NetScaler does not modify the destination IP addresses.

26 14 Citrix NetScaler Networking Guide Selecting the Source IP Address The mapped IP address (MIP), source IP address (SIP), or subnet IP address (SNIP) will be used as the source IP address to establish a connection with a server. By default, the NetScaler terminates traffic bound to vservers and configured services. Then, it changes the source IP address of the packet to the MIP or SNIP and sends the packet to the appropriate server. This default behavior is illustrated in the diagram Proxying Connections to VIPs, on page 14. Enabling the Use Source IP Mode Many e-commerce applications that use web server logging require that the original client IP addresses be recorded in the Web server logs. The NetScaler can forward the source IP address of the client to the server without masking it, to ensure that the client IP address appears in the logs. The Use Source IP mode (USIP) accommodates such applications. If you enable USIP mode, the NetScaler forwards each packet to the appropriate server without changing the source IP address, as shown in the following diagram. USIP Mode

27 Chapter 1 IP Addressing 15 When USIP mode is enabled for HTTP protocols, the NetScaler provides limited connection reuse, WAN latency, and denial of service (SYN) attack prevention benefits. When USIP mode is disabled, the NetScaler uses mapped IP addresses and subnet IP addresses to establish server-side connections. USIP mode has the following restrictions: One-arm installations. You should not enable USIP mode if you install the NetScaler in a logical one-arm configuration, because in a one-arm configuration the NetScaler cannot bypass its own processing and send responses directly to the client. If the IP address of the default gateway for a service is one of the NetScaler-owned IP addresses, the traffic continues to flow through the NetScaler and the response is also processed correctly. Concurrent HTTP connection limit. For HTTP protocols, USIP mode supports up to 64,000 concurrent connections. If concurrent HTTP connections between the NetScaler and servers are expected to exceed 64,000, you must disable USIP or contact customer support for the method to override this behavior. The concurrent connection limit applies only to HTTP. It does not affect other services types, for example, TCP, UDP, and FTP. Delay when disabling USIP. Disabling USIP mode does not affect the existing connections. This delay avoids outages on long-lived connections. Performance Impact on HTTP traffic. USIP mode prevents use of the same HTTP connection for multiple clients, and therefore can result in a large number of connections to the server. Furthermore, idle server connections can block connections for other clients. Therefore, you need to carefully set limits on the number of connections to services. Citrix suggests that you set the HTTP server time-out values on your services to a value lower than the default, so that idle client connections are cleared quickly on the server side. For more information about setting an idle timeout value, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing. Also, with USIP enabled, you must configure persistence (for example, source IP persistence) to ensure repeated selection of the same server and reuse of the client connection. Because TCP handles the traffic on a one-to-one basis, the USIP option does not affect TCP services. Note: USIP. Citrix does not recommend the use of Surge Protection (SP) with

28 16 Citrix NetScaler Networking Guide By default, USIP mode is disabled. You can enable or disable it globally or for a specific service. The setting for a specific service overrides the global setting. A newly created service inherits the global setting by default. To enable or disable USIP mode for a specific service, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing. To enable or disable USIP mode globally, use either of the following procedures. To globally enable or disable USIP mode using the configuration utility 1. In the navigation pane, expand System and click Settings. 2. On the Settings page, under Modes and Features, click Change modes. 3. In the Configure Modes dialog box, do one of the following: To enable Use Source IP mode, select the Use Source IP check box. To disable Use Source IP mode, clear the Use Source IP check box. 4. Click OK. 5. In the Enable/Disable Feature(s)? dialog box, click Yes. To globally enable or disable USIP mode using the NetScaler command line At the NetScaler command prompt, type one of the following commands: enable ns mode mode disable ns mode mode s enable ns mode USIP disable ns mode USIP Note: Services that are created before you enable USIP mode globally do not inherit the global settings. For these services, you need to enable the USIP mode at the service level. To enable or disable USIP mode for a specific service, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing. Configuring Modes of Packet Forwarding You can enable Layer 2 mode to bridge packets that are not destined for the MAC address of the NetScaler. Layer 3 mode routes packets that are not destined for NetScaler-owned IP addresses, unless you disable it.