Citrix NetScaler Networking Guide. Citrix NetScaler 9.0
Copyright and Trademark Notice

CITRIX SYSTEMS, INC., ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK (SUCH AS TRANSLATION, TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC. ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL. CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radiofrequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. Modifying the equipment without Citrix' written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler Request Switch 9000 Series equipment. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures: Move the NetScaler equipment to one side or the other of your equipment. Move the NetScaler equipment farther away from your equipment. Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses.) Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your authority to operate the product. BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, WANScaler, Citrix XenApp, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation. NetScape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks or trademarks of their respective holders. Software covered by the following third party copyrights may be included with this product and will also be subject to the software license agreement: Copyright 1998 Carnegie Mellon University. All rights reserved. Copyright David L. Mills 1993, Copyright 1992, 1993, 1994, 1997 Henry Spencer. Copyright Jean-loup Gailly and Mark Adler. Copyright 1999, 2000 by Jef Poskanzer. All rights reserved. 
Copyright Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves. All rights reserved. Copyright 1982, 1985, 1986, , 1993 Regents of the University of California. All rights reserved. Copyright 1995 Tatu Ylonen, Espoo, Finland. All rights reserved. Copyright UNIX System Laboratories, Inc. Copyright 2001 Mark R V Murray. Copyright Eric Young. Copyright 1995,1996,1997,1998. Lars Fenneberg. Copyright Livingston Enterprises, Inc. Copyright 1992, 1993, 1994, The Regents of the University of Michigan and Merit Network, Inc. Copyright , RSA Data Security, Inc. Created Copyright 1998 Juniper Networks, Inc. All rights reserved. Copyright 2001, 2002 Networks Associates Technology, Inc. All rights reserved. Copyright (c) 2002 Networks Associates Technology, Inc. Copyright The Open LDAP Foundation. All Rights Reserved. Copyright 1999 Andrzej Bialecki. All rights reserved. Copyright 2000 The Apache Software Foundation. All rights reserved. Copyright (C) Robert A. van Engelen, Genivia inc. All Rights Reserved. Copyright (c) University of Cambridge. All rights reserved. Copyright (c) David Greenman. Copyright (c) 2001 Jonathan Lemon. All rights reserved. Copyright (c) 1997, 1998, Bill Paul. All rights reserved. Copyright (c) Matt Thomas. All rights reserved. Copyright 2000 Jason L. Wright. Copyright 2000 Theo de Raadt. Copyright 2001 Patrik Lindergren. All rights reserved. Last Updated: April 2009
CONTENTS

Preface
    About This Guide vii
    New in This Release viii
    Audience ix
    Formatting Conventions x
    Related Documentation x
    Getting Service and Support xi
    Knowledge Center xi
    Education and Training xii
    Documentation Feedback xii

Chapter 1  IP Addressing
    Configuring NetScaler-Owned IP Addresses
    NetScaler IP Address (NSIP)
    Virtual IP Address (VIP)
    Subnet IP Address (SNIP)
    Mapped IP Address (MIP)
    GSLB Site IP Address (GSLBIP)
    Creating NetScaler-Owned IP Addresses
    Proxying Connections
    Selecting the Destination IP Address
    Selecting the Source IP Address
    Enabling the Use Source IP Mode
    Configuring Modes of Packet Forwarding
    Enabling and Disabling Modes
    Network Address Translation
    Inbound Network Address Translation
    Reverse Network Address Translation
    Configuring Static ARP

Chapter 2  Interfaces
    MAC-Based Forwarding
    Enabling and Disabling MAC-based Forwarding
    Configuring Network Interfaces
    Managing Network Interfaces
    Configuring VLANs
    Applying Rules to Classify Frames
    VLANs and Packet Forwarding on the NetScaler
    Configuring Link Aggregation
    Configuring Link Aggregation Manually
    Configuring the Link Aggregate Channel Protocol
    Verifying the Configuration
    Configuring VMAC
    Configuring the Bridge Table
    Path MTU Behavior

Chapter 3  Access Control Lists (ACLs)
    ACL Precedence
    Configuring Simple ACLs
    Creating Simple ACLs
    Removing Simple ACLs
    Verifying or Troubleshooting the Configuration
    Monitoring Simple ACLs
    Configuring Extended ACLs
    Creating a Basic Extended ACL
    Applying an ACL
    Removing Extended ACLs
    Enabling and Disabling ACLs
    Renumbering ACL
    Modifying Extended ACLs
    Configuring Access Control List (ACL) Logging
    Verifying the Configuration
    Monitoring the Extended ACL
    Configuring RNAT by Using Extended ACLs
    Configuring ACL6s

Chapter 4  IP Routing
    Configuring Dynamic Routes
    Interfaces for Configuring Dynamic Routing
    Using RIP
    Using OSPF
    Using BGP
    Configuring Route Health Injection
    Enabling RHI
    Limiting Host Route Advertising for VIPs
    Advertising Networks
    Displaying Routes Learned Through Dynamic Routing Protocols
    Configuring Static Routes
    Monitored Static Routes
    Weighted Static Routes
    Null Routes
    Customizing a Static Route
    Removing a Static Route
    Gathering Information to Troubleshoot Generic Routing Issues
    Learning Troubleshooting Procedures
    Troubleshooting OSPF Specific Issues
    Configuring IPv6 Static Routes

Chapter 5  IP version 6
    IPv6 Features
    Implementing IPv6 Support
    Enabling or Disabling IPv6
    Adding an IPv6 Address
    Customizing SNIP and NSIP IPv6 Addresses
    Customizing VIP IPv6 Addresses
    Verifying the Configuration
    Monitoring the Configuration
    Configuring Neighbor Discovery and Router Learning
    Neighbor Discovery
    Router Learning
    Adding IPv6 Support to NetScaler Features
    Adding an IPv6 Vserver
    VLAN Support
    Simple Deployment Scenario
    Host Header Modification
    VIP Insertion

Chapter 6  High Availability
    How High Availability Works
    Considerations for a High Availability Setup
    Configuring High Availability
    Configuring a Basic High Availability Setup
    Modifying an Existing HA Setup
    Customizing a High Availability Setup
    Configuring the Communication Intervals
    Configuring Synchronization
    Configuring Command Propagation
    Forcing a Node to Fail Over
    Configuring Virtual MAC Addresses
    Configuring IPv4 VMACs
    Configuring IPv6 VMACs
    Improving the Reliability of a High Availability Setup
    Configuring High Availability Nodes in Different Subnets
    Configuring Link Redundancy
    Configuring Route Monitors
    High Availability Health Check Computation
    Configuring the State of a Node
    Forcing the Secondary Node to Stay Secondary
    Forcing the Primary Node to Stay Primary
    Troubleshooting High Availability Issues
PREFACE

About This Guide

Before you begin to configure the networking features, take a few minutes to review this chapter and learn about related documentation, other support options, and ways to send us feedback.

In This Preface
    About This Guide
    New in This Release
    Audience
    Formatting Conventions
    Related Documentation
    Getting Service and Support
    Documentation Feedback

The Citrix NetScaler Networking Guide describes how to configure the various networking components on the NetScaler. This guide provides the following information:

Chapter 1, IP Addressing. This chapter discusses the NetScaler-owned IP addresses and how to create, customize, and remove them.

Chapter 2, Interfaces. This chapter discusses some of the basic network configurations that must be done to get started.

Chapter 3, Access Control Lists (ACLs). This chapter discusses the different types of Access Control Lists and how to create, customize, and remove them.

Chapter 4, IP Routing. This chapter discusses the routing functionality of the NetScaler, both static and dynamic. It also discusses Route Health Injection.

Chapter 5, IP version 6. This chapter discusses how the NetScaler supports IPv6.

Chapter 6, High Availability. This chapter describes how High Availability (HA) works in a NetScaler deployment to ensure uninterrupted operation in any transaction.

New in This Release

Following is a list of the new features and enhancements in release 9.0 of Citrix NetScaler.

Note: The documentation has been reorganized. The information in this guide, Citrix NetScaler Networking Guide, was formerly located in the now obsolete Citrix Installation and Configuration Guide (ICG). Both Volume 1 and Volume 2 of the ICG have been divided into eight new guides. This breakdown into smaller guides was based on audience and task analysis and provides more efficient access to information. For more information about the documentation, see Related Documentation, on page xi.

End-to-end IPv6. The NetScaler extends its IPv6 support to server-side implementation. The enhanced support enables the use of IPv6 addresses for SNIPs, vservers, services, and servers. You can create access control lists (ACLs) specifically for IPv6 packets, add IPv6 Neighbors, and bind IPv6 addresses to VLANs. You can also use IPv6 management utilities such as Ping6 and Traceroute6. You can configure static routes using IPv6 addresses to any destination, assign values for distance and cost, and enable advertising of static routes to IPv6 routing protocols. IPv6 support also extends to OSPFv3. For more information, see IP version 6, on page 131.

ACL Logging. You can configure the NetScaler to log details for packets that match an ACL. In addition to the ACL name, the logged details include packet-specific information such as the source and destination IP addresses. The information is stored either in the syslog file or in the nslog file, depending on the type of global logging (syslog or nslog) enabled. For more information, see Configuring ACL6s, on page 88.

In-bound Network Address Translation. You can configure the NetScaler NAT functionality to also handle inbound traffic. When you configure In-bound Network Address Translation, a client in the public address space can send a packet to a private address space. The packet is initially sent to the public destination IP address, which is the NetScaler-owned Virtual IP Address (VIP). The NetScaler translates the initial destination address to the private IP address of the server and forwards the data packet. Similarly, when a packet is sent from the server in the private address space to the client in the public address space, the NetScaler also handles the address translation. To provide security, features like tcpproxy and ftp are also provided for the NetScaler when INAT is configured. For more information, see Inbound Network Address Translation, on page 20.

Host Route Advertisement. If a VIP represents primary and backup vservers, the state of the VIP depends on the effective state of the vservers it represents. By default, a host route associated with a VIP is not advertised if the effective state of the vservers is either DOWN or DISABLED. The effective state of the vservers depends on the state of the primary vserver and the state of the backup vserver.

Monitored Static Routes. The NetScaler supports monitoring of static routes. You can configure the NetScaler to monitor a static route either by creating a new PING or ARP monitor or by using existing PING or ARP monitors. Monitoring a route enables the NetScaler to send packets using back-up routes which would otherwise not be activated. For configuration instructions on how to monitor static routes, see NetScaler Networking Guide. For more information, see Monitored Static Routes, on page 116.

Weighted Static Routes. The NetScaler supports assigning weights to Equal Cost Multi-Path (ECMP) routes to enable balancing of load. Weights are user-configurable values that help the NetScaler load balance and choose a preferred route. For more information, see Weighted Static Routes, on page 116.

Black Hole Avoidance Mechanism. After failover in a High Availability Setup, the new primary node injects all its VIP routes into the upstream router. However, that router retains routes injected by the old primary for 180 seconds. Because the router is not aware of the failover, it attempts to load balance traffic between the two nodes. During the 180 seconds before the old routes expire, the router sends half the traffic to the old, inactive primary node, which is, in effect, a black hole. To prevent this, the new primary node, when injecting a route, assigns it a metric that is slightly lower than the one specified by the old primary node. If the route's metric is already lower than its old counterpart, the new primary does not change it. For more information, see Black Hole Avoidance Mechanism, on page 99.

Audience

This guide is intended for the following audience:
    Hardware Technicians
    System and Network Administrators

The concepts and tasks described in this guide require you to have a basic understanding of networking concepts such as Layer 2 and Layer 3 modes, routing, and interfaces.

Formatting Conventions

This documentation uses the following formatting conventions.

Formatting Conventions

Convention        Meaning
Boldface          Information that you type exactly as shown (user input); elements in the user interface.
Italics           Placeholders for information or parameters that you provide. For example, FileName in a command means you type the actual name of a file. Also, new terms, and words referred to as words (which would otherwise be enclosed in quotation marks).
Monospace         System output or characters in a command line. User input and placeholders also are formatted using monospace text.
[ brackets ]      Optional items in command statements. For example, in the following command, [-range positiveinteger] means that you have the option of entering a range, but it is not required:
                      add lb vserver name servicetype IPAddress port [-range positiveinteger]
                  Do not type the brackets themselves.
| (vertical bar)  A separator between options in braces or brackets in command statements. For example, the following indicates that you choose one of the following load balancing methods:
                      lbmethod = ( ROUNDROBIN | LEASTCONNECTION | LEASTRESPONSETIME | URLHASH | DOMAINHASH | DESTINATIONIPHASH | SOURCEIPHASH | SRCIPDESTIPHASH | LEASTBANDWIDTH | LEASTPACKETS | TOKEN | SRCIPSRCPORTHASH | LRTM | CALLIDHASH | CUSTOMLOAD )

Related Documentation

A complete set of documentation is available on the Documentation tab of your NetScaler and from (Most of the documents require Adobe Reader, available at
To view the documentation
1. From a Web browser, log on to the NetScaler.
2. Click the Documentation tab.
3. To view a short description of each document, hover your cursor over the title. To open a document, click the title.

Getting Service and Support

Citrix provides technical support primarily through the Citrix Solutions Network (CSN). Our CSN partners are trained and authorized to provide a high level of support to our customers. Contact your supplier for first-line support, or check for your nearest CSN partner at You can also get support from Citrix Customer Service at On the Support menu, click Customer Service.

Knowledge Center

The Knowledge Center offers a variety of self-service, Web-based technical support tools at Knowledge Center features include:
    A knowledge base containing thousands of technical solutions to support your Citrix environment
    An online product documentation library
    Interactive support forums for every Citrix product
    Access to the latest hotfixes and service packs
    Knowledge Center Alerts that notify you when a topic is updated
    Note: To set up an alert, sign in at and, under Products, select a specific product. In the upper-right section of the screen, under Tools, click Add to your Hotfix Alerts. To remove an alert, go to the Knowledge Center product and, under Tools, click Remove from your Hotfix Alerts.
    Security bulletins
    Online problem reporting and tracking (for organizations with valid support contracts)

Education and Training

Citrix offers a variety of instructor-led and Web-based training solutions. Instructor-led courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high-quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification. Web-based training courses are available through CALCs, resellers, and from the Citrix Web site. Information about programs and courseware for Citrix training and certification is available at

Documentation Feedback

You are encouraged to provide feedback and suggestions so that we can enhance the documentation. You can send email to the following alias or aliases, as appropriate. In the subject line, specify Documentation Feedback. Be sure to include the document name, page number, and product release version.
    For NetScaler documentation, send email to [email protected].
    For Command Center documentation, send email to [email protected].
    For Access Gateway documentation, send email to [email protected].

You can also provide feedback from the Knowledge Center at support.citrix.com/.

To provide feedback from the Knowledge Center home page
1. Go to the Knowledge Center home page at
2. On the Knowledge Center home page, under Products, expand NetScaler Application Delivery, and click NetScaler Application Delivery Software.
3. On the Documentation tab, click the guide name, and then click Article Feedback.
4. On the Documentation Feedback page, complete the form and click Submit.
CHAPTER 1

IP Addressing

Before you can configure the NetScaler, you must assign the NetScaler IP Address (NSIP), also known as the Management IP address. You can also create other NetScaler-owned IP addresses for abstracting servers and establishing connections with the servers. In this type of configuration, the NetScaler serves as a proxy for the abstracted servers. You can also proxy connections by using network address translation (INAT and RNAT). When proxying connections, the NetScaler can behave either as a bridging (Layer 2) device or as a packet forwarding (Layer 3) device. To make packet forwarding more efficient, you can configure static ARP entries.

In This Chapter
    Configuring NetScaler-Owned IP Addresses
    Proxying Connections
    Configuring Modes of Packet Forwarding
    Network Address Translation
    Configuring Static ARP

Configuring NetScaler-Owned IP Addresses

The NetScaler-owned IP addresses (the NetScaler IP Address (NSIP), Virtual IP Addresses (VIPs), Subnet IP Addresses (SNIPs), Mapped IP Addresses (MIPs), and Global Server Load Balancing Site IP Addresses (GSLBIPs)) exist only on the NetScaler. The NSIP uniquely identifies the NetScaler on your network, and it provides access to the appliance. A VIP is a public IP address to which a client sends requests. The NetScaler terminates the client connection at the VIP and initiates a connection with a server. This new connection uses a SNIP or a MIP as the source IP address for packets forwarded to the server. If you have multiple data centers that are geographically distributed, each data center can be identified by a unique GSLBIP.
NetScaler IP Address (NSIP)

The NetScaler IP (NSIP) address is the IP address at which you access the NetScaler for management purposes. The NetScaler can have only one NSIP, which is also called the Management IP address. You must add this IP address when you configure the NetScaler for the first time. If you modify this address, you must reboot the NetScaler. You cannot remove an NSIP address. For security reasons, the NSIP should be a non-routable IP address on your organization's LAN.

Note: Configuring the NetScaler IP address is mandatory.

Creating the NetScaler IP Address (NSIP)

Use either of the following procedures to set the NSIP.

To configure the NetScaler IP address using the configuration utility
1. In the navigation pane, click NetScaler.
2. On the System Overview page, click Setup Wizard.
3. In the Setup Wizard dialog box, click Next.
4. On the IP Addresses page, under System IP Address Configuration, in the IP Address, Netmask, and Host Name text boxes, type the IP address, subnet mask, and the host name, respectively (for example, , , and NS170).
5. Follow the instructions in the Setup Wizard to complete the configuration.

To configure the NetScaler IP address using the NetScaler command line
    set ns config -ipaddress IPAddress -netmask Subnetmask
    set ns config -ipaddress netmask

Note: If an IPv6 address is configured as the NSIP on a NetScaler running release 8.1, the NSIP changes to a SNIP when you upgrade from release 8.1 to 9.0.
Virtual IP Address (VIP)

Configuration of a Virtual Server IP address (VIP) is not mandatory during initial configuration of the NetScaler. When you configure load balancing, you assign VIPs to virtual servers. For more information about configuring the load balancing setup, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing. In some situations, you need to customize VIP attributes or enable/disable a VIP. You can host the same vserver on multiple NetScalers residing on the same broadcast domain by using the ARP and ICMP attributes.

Customizing the Attributes of a VIP

A VIP is usually associated with a vserver, and some of the attributes of the VIP are customized to meet the requirements of the vserver. After you add a VIP (or any IP address), the NetScaler sends, then responds to, ARP requests. To control the response of a NetScaler to a PING request on a NetScaler-owned IP address, you must control the ICMP attribute of a VIP. The following table describes the parameters that can be customized for a VIP.

Parameters for Customizing a VIP

Parameter                              Specifies
ARP (arp)                              Use Address Resolution Protocol (ARP) to map IP addresses to the corresponding hardware addresses. Possible values: Enabled and Disabled. Default: Enabled.
ICMP (icmp)                            Send Internet Control Message Protocol (ICMP) messages. The user network applications that use ICMP are PING and TRACEROUTE. Possible values: Enabled and Disabled. Default: Enabled.
Virtual Server (vserver)               Apply the vserver attribute to this IP entity. Possible values: Enabled and Disabled. Default: Enabled.
State (state)                          State of the VIP. Possible values: Enabled and Disabled. Default: Enabled.
Host Route (hostroute)                 Advertise a route for this IP address. Possible values: Enabled and Disabled. Default: Disabled.
Gateway IP (hostrtgw)                  IP address of the network advertised as the gateway to connect to external networks such as the Internet.
Metric (metric)                        Value used by routing algorithms to compare the performance of this route to others. The route with the lowest metric is the preferred route. The default value depends on the routing protocol. To change the default, set this parameter. Possible values: to
V Server RHI Level (vserverrhilevel)   When the host route associated with the VIP is advertised. Possible values: ONE_VSERVER, ALL_VSERVERS, and NONE. Default: ONE_VSERVER.
OSPF LSA Type (ospflsatype)            Type of Link State Advertisement (LSA) used by the OSPF protocol to discover and maintain neighbor relationships. Possible values: Type 1 or Type 5. Default: Disabled.
Area (ospfarea)                        A logical collection of OSPF networks, routers, and links is an Area. Areas are identified by an Area ID. Possible values: 0 to Default: -1.

To enable or disable ARP using the configuration utility
1. In the navigation pane, expand Network and click IPs.
2. In the details pane, on the IPv4s tab, select the IP address that you want to modify (for example, ), and then click Open.
3. In the Configure IP dialog box, under Options, do one of the following: To disable ARP, clear the ARP check box. To enable ARP, select the ARP check box.
4. Click OK.

To enable or disable ARP using the NetScaler command line
    set ns ip IPAddress -ARP Value
    set ns ip ARP disable
    set ns ip ARP enable

Enabling and Disabling a VIP

VIPs are the only NetScaler-owned IP addresses that can be disabled. When a VIP is disabled, the virtual server using it goes down and does not respond to ARP, ICMP, and L4 service requests. Use either of the following procedures to disable an IP address of type virtual IP (VIP).
To enable or disable an IP address using the configuration utility
1. In the navigation pane, expand Network and click IPs.
2. In the details pane, on the IPv4s tab, select the IP address (for example, ) and do one of the following: To enable the selected IP address, click Enable. To disable the selected IP address, click Disable.

To enable or disable an IP address using the NetScaler command line
    enable ns ip IPAddress
    disable ns ip IPAddress
    enable ns ip
    disable ns ip

Subnet IP Address (SNIP)

A subnet IP address (SNIP) is used in connection management and server monitoring. It is not mandatory to specify a SNIP when you initially configure the NetScaler. In a multiple-subnet scenario, the NSIP, the mapped IP address (MIP), and the IP address of a server can exist on different subnets. To eliminate the need to configure additional routes on devices such as servers, you can configure subnet IP addresses (SNIPs) on the NetScaler.

In Use SNIP (USNIP) mode, a SNIP is the source IP address of a packet sent from the NetScaler to the server, and the SNIP is the IP address that the server uses to access the NetScaler. This mode is enabled by default. When you add a SNIP, a route corresponding to the SNIP is added to the routing table. The NetScaler determines the next hop for a service from the routing table, and if the IP address of the hop is within the range of a SNIP, the NetScaler uses the SNIP to source traffic to the service. When multiple SNIPs cover the IP addresses of the next hops, the SNIPs are used in round robin manner.

The following diagram illustrates USNIP mode.

[Figure: USNIP mode]

Use the following procedure to enable or disable Use SNIP mode.

To enable or disable USNIP using the configuration utility
1. In the navigation pane, expand System and click Settings.
2. In the details pane, in the Modes and Features group, click Change modes.
3. In the Configure Modes dialog box, do one of the following: To enable USNIP, select the Use Subnet IP check box. To disable USNIP, clear the Use Subnet IP check box.
4. Click OK.
5. In the Enable/Disable Feature(s)? dialog box, click Yes.

To enable or disable Use SNIP using the NetScaler command line
    enable ns mode mode
    disable ns mode mode
    enable ns mode usnip
    disable ns mode usnip
Mapped IP Address (MIP)

Mapped IP addresses (MIPs) are used for external connections from the NetScaler. A MIP can be considered a default Subnet IP address (SNIP) for use when a SNIP cannot be used. MIPs and SNIPs are both used for external connections from the NetScaler, but MIPs are used for server-side connections when the Use Subnet IP option is globally disabled on the NetScaler. If the mapped IP address is the first in the subnet, the NetScaler adds a route entry with this IP address as the gateway to reach the subnet. You can create or delete a MIP during runtime without rebooting the NetScaler.

GSLB Site IP Address (GSLBIP)

The GSLB site IP address is the IP address associated with a GSLB site. It is not mandatory to specify this IP address when you initially configure the NetScaler. It can be used only when you create a GSLB site. For more information on creating a GSLB site IP address, see the Citrix NetScaler Traffic Management Guide, Chapter 8, Global Server Load Balancing.

Creating NetScaler-Owned IP Addresses

Most users create VIPs, SNIPs, and MIPs by setting only the required parameters, and later complete their configuration by modifying the characteristics of these addresses. The following table describes the parameters used to create an IP address.

Basic Parameters for Creating an IP Address

Parameter      Specifies
IP Address     Unique identification used to represent an entity. This is a mandatory parameter.
Netmask        Subnet mask associated with the IP address. This is a mandatory parameter.
Type (type)    Type of the IP address. Possible values: SNIP, VIP, MIP, and GSLBsiteIP. Default: SNIP.

You cannot use this procedure to configure the NSIP. For the procedure to configure the NSIP, see Creating the NetScaler IP Address (NSIP), on page 2. Use either of the following procedures to create a NetScaler-owned IP address.

To configure an IP address using the configuration utility
1. In the navigation pane, expand Network and click IPs.
2. In the details pane, click Add.
3. In the Create IP dialog box, in the IP Address and Netmask text boxes, type the IP address and subnet mask, respectively (for example, and ).
4. Under IP Type, select the type of IP address to be created.
5. Click Create and click Close. The subnet IP address you created appears in the IPs page.

To add an IP address using the NetScaler command line
    add ns ip IPaddress Subnetmask -type Type
    add ns ip type SNIP

Removing an IP Address

You can remove any IP address except the NSIP. The following table provides information on the processes you must follow to remove the various types of IP addresses.

Removing an IP Address

IP address type                  Implications
Subnet IP address (SNIP)         If the IP address being removed is the last IP address in the subnet, the associated route is deleted from the route table. If the IP address being removed is the gateway in the corresponding route entry, the gateway for that subnet route is changed to another NetScaler-owned IP address.
Mapped IP address (MIP)          If a SNIP exists, you can remove the MIPs. The NetScaler uses the NSIP and SNIPs to communicate with the servers when the MIP is removed. Therefore, you must also enable Use SNIP. For information on enabling and disabling Use SNIP, see To configure an IP address using the configuration utility, on page 8.
Virtual Server IP address (VIP)  Before removing a VIP, you must first remove the vserver associated with it. For information on removing the vserver, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing.
GSLB-Site-IP address             Before removing a GSLB site IP address, you must remove the site associated with it. For information on removing the site, see the Citrix NetScaler Traffic Management Guide, Chapter 8, Global Server Load Balancing.
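The rules this chapter states in prose (the subnet route that follows the first SNIP or MIP in a subnet, SNIP round robin for server-side traffic in USNIP mode with the MIP as fallback, and the implications in the table above) are easier to check against a small model. The following Python is an added example, not Citrix code: the class and method names, and the sample addresses, are assumptions.

```python
"""Added example: an in-memory model of NetScaler-owned IP behaviour as described
in this chapter (not Citrix code; class, method and sample values are assumed).
It models: the subnet route installed by the first SNIP/MIP in a subnet, SNIP
round robin for server-side traffic in USNIP mode with MIP as the fallback, and
the rules in the 'Removing an IP Address' table."""
import ipaddress
from dataclasses import dataclass
from itertools import cycle
from typing import Optional


@dataclass
class OwnedIp:
    addr: ipaddress.IPv4Address
    network: ipaddress.IPv4Network      # subnet derived from address + netmask
    kind: str                           # "NSIP", "SNIP", "MIP" or "VIP"
    vserver: Optional[str] = None       # VIPs only: name of the bound vserver


class NetScalerIpTable:
    """Hypothetical model of 'add ns ip' / 'rm ns ip' and source-IP selection."""

    def __init__(self, nsip, netmask, usnip=True):
        self.ips = []
        self.routes = {}      # subnet -> gateway (a NetScaler-owned address)
        self.usnip = usnip    # 'enable ns mode usnip' / 'disable ns mode usnip'
        self._rr = {}         # subnet -> round-robin iterator over its SNIPs
        self.add_ip(nsip, netmask, "NSIP")

    def add_ip(self, addr, netmask, kind, vserver=None):
        iface = ipaddress.IPv4Interface(f"{addr}/{netmask}")
        ip = OwnedIp(iface.ip, iface.network, kind, vserver)
        self.ips.append(ip)
        # The first SNIP or MIP in a subnet adds the subnet route with itself
        # as the gateway (SNIP and MIP sections of this chapter).
        if kind in ("SNIP", "MIP") and ip.network not in self.routes:
            self.routes[ip.network] = ip.addr
        self._rr.pop(ip.network, None)   # membership changed: restart round robin
        return ip

    def _owned(self, kind):
        return [i for i in self.ips if i.kind == kind]

    def source_ip_for(self, next_hop):
        """Source address for a packet whose next hop (from the route table) is
        next_hop: a SNIP covering the hop in USNIP mode (round robin when several
        cover it), otherwise the MIP."""
        hop = ipaddress.IPv4Address(next_hop)
        if self.usnip:
            covering = [s for s in self._owned("SNIP") if hop in s.network]
            if covering:
                net = covering[0].network
                if net not in self._rr:
                    self._rr[net] = cycle(covering)
                return next(self._rr[net]).addr
        mips = self._owned("MIP")
        if mips:
            return mips[0].addr
        raise LookupError(f"no SNIP covers {hop} and no MIP is configured")

    def rm_ip(self, addr):
        """Apply the removal rules from the 'Removing an IP Address' table."""
        target = ipaddress.IPv4Address(addr)
        ip = next((i for i in self.ips if i.addr == target), None)
        if ip is None:
            raise KeyError(f"{addr} is not a NetScaler-owned IP address")
        if ip.kind == "NSIP":
            raise ValueError("the NSIP cannot be removed")
        if ip.kind == "VIP" and ip.vserver is not None:
            raise ValueError(f"remove vserver {ip.vserver!r} before removing the VIP")
        if ip.kind == "MIP" and len(self._owned("MIP")) == 1:
            # Last MIP: server-side traffic then needs SNIPs, so USNIP must be on.
            if not (self.usnip and self._owned("SNIP")):
                raise ValueError("enable USNIP and keep a SNIP before removing the last MIP")
        self.ips.remove(ip)
        self._rr.pop(ip.network, None)
        if ip.kind in ("SNIP", "MIP") and ip.network in self.routes:
            others = [i for i in self.ips
                      if i.network == ip.network and i.kind in ("SNIP", "MIP")]
            if not others:                              # last address in the subnet
                del self.routes[ip.network]
            elif self.routes[ip.network] == ip.addr:    # it was the gateway
                self.routes[ip.network] = others[0].addr
        return ip

    def route_table(self):
        """Routes as plain strings, convenient for display and checks."""
        return {str(net): str(gw) for net, gw in self.routes.items()}


if __name__ == "__main__":
    # Constructed sample addressing; not taken from the guide.
    ns = NetScalerIpTable("10.102.29.60", "255.255.255.0")
    ns.add_ip("10.102.29.10", "255.255.255.0", "MIP")
    ns.add_ip("192.168.1.5", "255.255.255.0", "SNIP")
    ns.add_ip("192.168.1.6", "255.255.255.0", "SNIP")
    for hop in ("192.168.1.100", "192.168.1.100", "172.16.0.1"):
        print(hop, "->", ns.source_ip_for(hop))
    ns.rm_ip("192.168.1.5")
    print("routes after removing the gateway SNIP:", ns.route_table())
```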
Use either of the following procedures to remove a MIP, GSLBIP, SNIP, or VIP. (Before removing a VIP, remove the associated virtual server.)

To remove an IP address using the configuration utility

1. In the navigation pane, expand Network and click IPs.
2. On the IPs page, on the IPv4s tab, select the IP address that you want to remove, and then click Remove.
3. In the Remove dialog box, click Yes.

To remove an IP address using the NetScaler command line

rm ns ip <IPaddress>

Customizing Access to IP Addresses

Application Access Controls, also known as Management Access control, form a unified mechanism for managing user authentication and implementing rules that determine user access to applications and data. You can configure management access to MIPs and SNIPs. Management access for the NSIP is enabled by default and cannot be disabled; you can, however, restrict it by using ACLs. For information about using ACLs, see Chapter 3, Access Control Lists (ACLs). The NetScaler does not support management access to VIPs.

The following table summarizes the interaction between management access and the per-application setting, using Telnet as the example. An application is reachable on an IP address only when both management access and the application's own setting are enabled.

  Management access   Telnet (state configured on the NetScaler)   Telnet (effective state at the IP level)
  Enable              Enable                                       Enable
  Enable              Disable                                      Disable
  Disable             Enable                                       Disable
  Disable             Disable                                      Disable
The following table lists which NetScaler-owned IP addresses can be used as the source IP address for each kind of outbound traffic.

  Application          NSIP   MIP   SNIP   VIP
  ARP                  Yes    Yes   Yes    No
  Server side traffic  No     Yes   Yes    No
  RNAT                 No     Yes   Yes    Yes
  ICMP PING            Yes    Yes   Yes    No
  Dynamic Routing      Yes    No    Yes    Yes

The following table shows which applications are available on each kind of IP address.

  Application     NSIP   MIP   SNIP   VIP
  SNMP            Yes    Yes   Yes    No
  System Access   Yes    Yes   Yes    No

You can access and manage the NetScaler by using applications such as Telnet, SSH, GUI, and FTP.

Note: Telnet and FTP are disabled on the NetScaler for security reasons (both carry credentials in cleartext). To enable them, contact customer support. After the applications are enabled, you can apply the controls at the IP level.

The following table lists and describes the parameters used for customizing the SNIP and MIP addresses on your NetScaler. Because every application switch except management access defaults to ENABLED, enabling management access on an address exposes all of the applications that are enabled system-wide; disable the ones you do not need in the same command.

Parameters for Customizing a SNIP or MIP Address

  Telnet (telnet)   Allow Telnet access to the IP address. Possible values: ENABLED and DISABLED. Default: ENABLED.
  FTP (ftp)         Allow File Transfer Protocol (FTP) access to the IP address. Possible values: ENABLED and DISABLED. Default: ENABLED.
  GUI (gui)         Allow Graphical User Interface (GUI) access to the IP address. Possible values: ENABLED, SECUREONLY (HTTPS only), and DISABLED. Default: ENABLED.
  SSH (ssh)                          Allow Secure Shell (SSH) access to the IP address. Possible values: ENABLED and DISABLED. Default: ENABLED.
  SNMP (snmp)                        Allow Simple Network Management Protocol (SNMP) access to the IP address. Possible values: ENABLED and DISABLED. Default: ENABLED.
  Management Access (mgmtaccess)     Allow external access to the IP address. Possible values: ENABLED and DISABLED. Default: DISABLED.
  Dynamic Routing (dynamicRouting)   Allow dynamic routing on the IP address. Specific to SNIP. Possible values: ENABLED and DISABLED. Default: DISABLED.

To configure the NetScaler to respond to these applications on a specific IP address, you must enable management access on that address and then enable the specific applications. If you disable management access for an IP address, existing connections that use the IP address are not terminated; however, once such a session is closed, a new connection cannot be initiated.

Use either of the following procedures to enable management access for an IP address.

To enable management access for an IP address using the configuration utility

1. In the navigation pane, expand Network and click IPs.
2. On the IPs page, select the IP address that you want to modify, and then click Open.
3. In the Configure IP dialog box, under Application Access Control, select the Enable Management Access control to support the below listed applications check box.
4. Select the application or applications that you want to enable, and then click OK.

To customize an IP address using the NetScaler command line

set ns ip <IPAddress> -mgmtaccess <value> -telnet <value> -ftp <value> -gui <value> -ssh <value> -snmp <value>

Example:

set ns ip <IPAddress> -mgmtaccess ENABLED
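The following Python script is an added example, not code from this guide or from Citrix. It models the rule stated above for Telnet (an application is reachable on an address only when management access and the application's own switch are both enabled) and, as an assumption, applies the same rule to FTP, GUI, SSH and SNMP; the system-wide disablement of Telnet and FTP is modelled as a set of globally disabled applications. The addresses in the sample are constructed. The audit function flags SNIPs and MIPs that would expose a cleartext management protocol or a plain-HTTP GUI once management access is turned on, and harden_command renders the corresponding set ns ip line.

```python
"""Per-IP management access on a NetScaler, modelled in Python (added example)."""
from dataclasses import dataclass

APPS = ("telnet", "ftp", "gui", "ssh", "snmp")
# The guide: Telnet and FTP stay off system-wide until support enables them.
GLOBALLY_DISABLED = frozenset({"telnet", "ftp"})


@dataclass
class NsIp:
    """One NetScaler-owned IP with the guide's default value for each switch."""
    address: str
    ip_type: str                 # NSIP, SNIP, MIP or VIP
    mgmtaccess: bool = False     # default DISABLED
    telnet: bool = True
    ftp: bool = True
    gui: str = "ENABLED"         # ENABLED, SECUREONLY or DISABLED
    ssh: bool = True
    snmp: bool = True


def effective_access(ip, globally_disabled=GLOBALLY_DISABLED):
    """Return {application: reachable?} for one IP address."""
    if ip.ip_type == "VIP":                       # guide: no management access on VIPs
        return {app: False for app in APPS}
    gate = ip.mgmtaccess or ip.ip_type == "NSIP"  # guide: NSIP access cannot be disabled
    result = {}
    for app in APPS:
        setting = getattr(ip, app)
        app_on = setting if isinstance(setting, bool) else setting != "DISABLED"
        result[app] = bool(gate and app_on and app not in globally_disabled)
    return result


def audit(ips, globally_disabled=GLOBALLY_DISABLED):
    """Flag SNIPs/MIPs whose effective access exposes cleartext or plain-HTTP management."""
    findings = []
    for ip in ips:
        if ip.ip_type not in ("SNIP", "MIP"):
            continue
        eff = effective_access(ip, globally_disabled)
        for app in ("telnet", "ftp"):
            if eff[app]:
                findings.append(f"{ip.address}: {app} reachable (cleartext credentials)")
        if eff["gui"] and ip.gui != "SECUREONLY":
            findings.append(f"{ip.address}: GUI not restricted to HTTPS (-gui SECUREONLY)")
    return findings


def harden_command(ip):
    """CLI line, in the guide's 'set ns ip' syntax, leaving only SSH and the HTTPS GUI."""
    return (f"set ns ip {ip.address} -telnet DISABLED -ftp DISABLED "
            f"-gui SECUREONLY -snmp DISABLED -ssh ENABLED")


if __name__ == "__main__":
    sample = [                                       # constructed sample inventory
        NsIp("192.0.2.10", "NSIP"),
        NsIp("192.0.2.20", "SNIP"),                  # mgmtaccess left at its default
        NsIp("192.0.2.30", "SNIP", mgmtaccess=True), # every application switch still ENABLED
        NsIp("192.0.2.40", "VIP", mgmtaccess=True),  # ignored: VIPs never get access
    ]
    for finding in audit(sample, globally_disabled=frozenset()):
        print(finding)
    print(harden_command(sample[2]))
```

Run it against an inventory exported from sh ns ip and you get the list of addresses that need the harden_command line before management access is enabled on them.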
Verifying the Configuration

You can display IP address properties to troubleshoot any fault in the configuration. You can display some of the properties in a list of all the IP addresses, and you can display the details of an individual address.

Displaying Properties in a List of IP Addresses

To display a list of your configured IP addresses, with some of their properties, use either of the following procedures.

To display all the configured IP addresses using the configuration utility

In the navigation pane, expand Network and click IPs. The IPs page appears in the details pane, listing the available IP addresses and some of their properties.

To display all the configured IP addresses using the NetScaler command line

sh ns ip

Displaying Details of an Individual IP Address

To display detailed information about an individual IP address, use either of the following procedures.

To display the detailed properties of an IP address using the configuration utility

1. In the navigation pane, expand Network and click IPs.
2. On the IPs page, verify that the configured IP address appears.
3. Select the IP address. Information about the address appears in the details pane.

To display the properties of a specific IP address using the NetScaler command line

sh ns ip <IPAddress>

Proxying Connections

When a client initiates a connection, the NetScaler terminates the client connection, initiates a connection to an appropriate server, and sends the packet to the server. The NetScaler does not do this for services of type UDP or ANY. For more information about service types, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing.
You can configure the NetScaler to process the packet before initiating the connection with a server. By default, the NetScaler changes both the source and the destination IP address of a packet before sending it to the server. You can configure the NetScaler to retain the source IP address of the packets by enabling Use Source IP (USIP) mode.

Selecting the Destination IP Address

Traffic arriving at the NetScaler can be bound to a virtual server (vserver) or to a service, and the NetScaler handles the two differently. It terminates traffic bound to vservers and replaces the vserver IP address (VIP) with the IP address of the server before forwarding the traffic to the server, as shown in the following diagram.

[Diagram: Proxying Connections to VIPs]

Packets bound to a service are sent directly to the appropriate server; the NetScaler does not modify their destination IP address.
Selecting the Source IP Address

The mapped IP address (MIP), a subnet IP address (SNIP), or, in Use Source IP (USIP) mode, the client's own source IP address is used as the source IP address to establish a connection with a server. By default, the NetScaler terminates traffic bound to vservers and configured services, changes the source IP address of the packet to the MIP or a SNIP, and sends the packet to the appropriate server. This default behavior is illustrated in the diagram Proxying Connections to VIPs, on page 14.

Enabling the Use Source IP Mode

Many e-commerce applications that use web server logging require that the original client IP addresses be recorded in the web server logs. The NetScaler can forward the source IP address of the client to the server without masking it, so that the client IP address appears in the logs. Use Source IP (USIP) mode accommodates such applications. If you enable USIP mode, the NetScaler forwards each packet to the appropriate server without changing the source IP address, as shown in the following diagram.

[Diagram: USIP Mode]
When USIP mode is enabled for HTTP, the NetScaler provides only limited connection reuse, WAN latency reduction, and SYN-flood (denial of service) protection benefits, because every client must be given its own server-side connection. When USIP mode is disabled, the NetScaler uses mapped IP addresses and subnet IP addresses to establish server-side connections.

USIP mode has the following restrictions:

One-arm installations. Do not enable USIP mode if the NetScaler is installed in a logical one-arm configuration, because the servers then see the client's real address and send their responses directly to the client, bypassing the NetScaler. If the default gateway of each server is one of the NetScaler-owned IP addresses, the traffic continues to flow through the NetScaler and the responses are processed correctly.

Concurrent HTTP connection limit. For HTTP, USIP mode supports up to 64,000 concurrent connections. If concurrent HTTP connections between the NetScaler and the servers are expected to exceed 64,000, you must disable USIP or contact customer support for the method to override this limit. The limit applies only to HTTP; it does not affect other service types, for example TCP, UDP, and FTP.

Delay when disabling USIP. Disabling USIP mode does not affect existing connections; they keep their client source address until they close. This avoids outages on long-lived connections.

Performance impact on HTTP traffic. USIP mode prevents reuse of the same server-side HTTP connection for multiple clients, and can therefore result in a large number of connections to the server. Furthermore, idle server connections can block connections for other clients, so you need to set limits on the number of connections to services carefully. Citrix suggests that you set the HTTP server time-out values on your services lower than the default, so that idle connections are cleared quickly on the server side. For more information about setting an idle timeout value, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing. Also, with USIP enabled, you must configure persistence (for example, source IP persistence) to ensure repeated selection of the same server and reuse of the client connection. Because TCP services are handled on a one-to-one basis, the USIP option does not affect them.

Note: Citrix does not recommend the use of Surge Protection (SP) with USIP.
By default, USIP mode is disabled. You can enable or disable it globally or for a specific service; the setting for a specific service overrides the global setting, and a newly created service inherits the global setting by default. To enable or disable USIP mode for a specific service, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing. To enable or disable USIP mode globally, use either of the following procedures.

To globally enable or disable USIP mode using the configuration utility

1. In the navigation pane, expand System and click Settings.
2. On the Settings page, under Modes and Features, click Change modes.
3. In the Configure Modes dialog box, do one of the following:
   To enable Use Source IP mode, select the Use Source IP check box.
   To disable Use Source IP mode, clear the Use Source IP check box.
4. Click OK.
5. In the Enable/Disable Feature(s)? dialog box, click Yes.

To globally enable or disable USIP mode using the NetScaler command line

At the NetScaler command prompt, type one of the following commands:

enable ns mode <mode>
disable ns mode <mode>

Examples:

enable ns mode USIP
disable ns mode USIP

Note: Services that were created before you enabled USIP mode globally do not inherit the global setting. For these services, you must enable USIP mode at the service level. To enable or disable USIP mode for a specific service, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing.

Configuring Modes of Packet Forwarding

You can enable Layer 2 mode to bridge packets that are not destined for the MAC address of the NetScaler. Layer 3 mode, which is enabled by default, routes packets that are not destined for NetScaler-owned IP addresses.
With Layer 2 mode enabled, packets that are not destined for the NetScaler MAC address are bridged or processed, as shown in the following diagram.

[Diagram: Interaction between the Layer 2 and Layer 3 modes]

By default, Layer 2 mode is disabled, so the NetScaler drops packets that are not destined for its MAC address. If another Layer 2 device is installed in parallel with the NetScaler, Layer 2 mode must remain disabled to prevent bridging (Layer 2) loops.

By default, Layer 3 mode is enabled: the NetScaler performs a route table lookup and forwards packets that are not destined for any NetScaler-owned IP address. If you disable Layer 3 mode, the NetScaler drops received packets that are not destined for a NetScaler-owned IP address, as shown in the diagram Interaction between the Layer 2 and Layer 3 modes, on page 18. Because Layer 3 mode forwards transit traffic like a router, an appliance whose interfaces sit in networks of different trust levels can carry traffic between them; restrict that traffic with ACLs (see Chapter 3, Access Control Lists (ACLs)) or disable Layer 3 mode if forwarding is not intended.

To enable or disable Layer 2 mode or Layer 3 mode, use either of the following procedures.

Enabling and Disabling Modes

To enable or disable Layer 2 mode or Layer 3 mode using the configuration utility

1. In the navigation pane, expand System and click Settings.
2. On the Settings page, under Modes and Features, click Change modes.
3. In the Configure Modes dialog box, do one of the following:
   To enable Layer 2 mode, select the Layer 2 Mode check box.
   To disable Layer 2 mode, clear the Layer 2 Mode check box.
   To enable Layer 3 mode, select the Layer 3 Mode check box.
   To disable Layer 3 mode, clear the Layer 3 Mode check box.
4. Click OK.
5. In the Enable/Disable Mode(s)? dialog box, click Yes.

To enable or disable Layer 2 mode or Layer 3 mode using the NetScaler command line

At the NetScaler command prompt, type one of the following commands:

enable ns mode <mode>
disable ns mode <mode>

Examples:

enable ns mode l2
disable ns mode l2
enable ns mode l3
disable ns mode l3

Network Address Translation

Network address translation (NAT) is the modification of the source and/or destination IP address, and/or the TCP/UDP port numbers, of IP packets that pass through the NetScaler. NAT conceals the addressing of your private network from a public network such as the Internet by rewriting the source IP address as data passes through the NetScaler, and, with the help of NAT entries, lets your entire private network be represented by a few shared public IP addresses. NAT by itself does not filter traffic, however; use ACLs (Chapter 3, Access Control Lists (ACLs)) to control which flows are allowed.

The NetScaler supports the following two types of network address translation:

Inbound NAT (INAT), in which the NetScaler replaces the destination IP address in packets generated by the client with the private IP address of the server.

Reverse NAT (RNAT), in which the NetScaler replaces the source IP address in packets generated by the servers with a public NAT IP address.
Inbound Network Address Translation

When a client sends a packet to a NetScaler that is configured for INAT, the NetScaler translates the packet's public destination IP address to a private destination IP address and forwards the packet to the server at that address. This section covers the following aspects of INAT:

Configuring Inbound NAT Address Translation
Customizing the INAT Configuration
Removing an INAT Configuration
Coexistence of INAT and Vservers

Configuring Inbound NAT Address Translation

This section describes how to configure a basic, functional INAT, and how to modify it to protect the NetScaler from DoS attacks by enabling TCP Proxy and/or FTP.

By default, the NetScaler selects the source IP address of the server-side packet based on the modes that you select. If you select Use Subnet IP (USNIP) mode, assignment of the source IP address depends on the state of that mode:

If USNIP is off, the NetScaler uses the mapped IP address (MIP) as the source IP address.
If USNIP is on, the NetScaler uses a subnet IP address (SNIP) as the source IP address.

If you select Use Source IP (USIP) mode, the client IP address (CIP) is used as the source IP address. If you have selected both USIP and USNIP modes, USIP takes precedence over USNIP.

You can also configure the NetScaler to use a unique IP address as the source IP address, by using the ProxyIP parameter. For information on how to configure the NetScaler to use a unique IP address, see Customizing the INAT Configuration, on page 22.

Note: If neither mode has been selected and no unique IP has been specified, the NetScaler attempts to send the packet using the mapped IP address (MIP). If both USIP and USNIP modes have been selected and a unique IP has also been specified, the order of precedence is: USIP, then the unique IP, then USNIP, then MIP, then an error.

Keep in mind that with USIP the server sees the real client address and must route its replies back through the NetScaler; see the one-arm restriction under Enabling the Use Source IP Mode.
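The following Python script is an added example, not code from this guide or from Citrix. It implements the source IP precedence stated in the note above (USIP, then the unique proxy IP, then USNIP, then MIP, then an error) with the guide's INAT defaults of USIP and USNIP enabled, rewrites the destination to the private server address, and adds the return-path check implied by the one-arm restriction: with USIP in effect, the server's default gateway must be a NetScaler-owned address. The INAT names, all addresses and the packet layout are constructed sample data.

```python
"""Source-IP selection for Inbound NAT (INAT) on a NetScaler, modelled in Python (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class InatRule:
    """One INAT entry with the guide's defaults (USIP and USNIP enabled)."""
    name: str
    public_ip: str                  # NetScaler-owned VIP that clients target
    private_ip: str                 # server the packet is forwarded to
    usip: bool = True               # guide default: Enabled
    usnip: bool = True              # guide default: Enabled
    proxyip: Optional[str] = None   # unique source IP, if configured


def select_source_ip(rule, client_ip, snip=None, mip=None):
    """Apply the guide's precedence: USIP -> proxyip -> USNIP -> MIP -> error."""
    if rule.usip:
        return client_ip, "USIP"
    if rule.proxyip:
        return rule.proxyip, "proxyip"
    if rule.usnip and snip:
        return snip, "USNIP"
    if mip:
        return mip, "MIP"
    raise LookupError(f"{rule.name}: no source IP available (no proxyip, SNIP or MIP)")


def translate(packet, rules, snip=None, mip=None):
    """Rewrite dst to the private IP and src per the selected mode; None if no INAT matches."""
    rule = next((r for r in rules if r.public_ip == packet["dst"]), None)
    if rule is None:
        return None
    src, mode = select_source_ip(rule, packet["src"], snip, mip)
    return {**packet, "src": src, "dst": rule.private_ip, "mode": mode, "inat": rule.name}


def usip_return_path_ok(rule, server_gateway, ns_owned_ips):
    """With USIP the server replies to the client's real address, so its default gateway
    must be a NetScaler-owned IP or the reply bypasses the appliance (one-arm restriction)."""
    return (not rule.usip) or server_gateway in set(ns_owned_ips)


if __name__ == "__main__":
    # Constructed sample: one rule per mode, plus constructed SNIP/MIP values.
    rules = [
        InatRule("MyNAT", "203.0.113.10", "10.0.0.5"),                                   # USIP (default)
        InatRule("MyNAT1", "203.0.113.11", "10.0.0.6", usip=False, proxyip="10.0.0.9"), # unique proxy IP
        InatRule("NAT2", "203.0.113.12", "10.0.0.7", usip=False),                        # USNIP -> SNIP
        InatRule("NAT3", "203.0.113.13", "10.0.0.8", usip=False, usnip=False),           # falls to MIP
    ]
    pkt = {"src": "198.51.100.7", "dst": "203.0.113.10", "dport": 80}
    for r in rules:
        out = translate({**pkt, "dst": r.public_ip}, rules, snip="10.0.0.2", mip="10.0.0.1")
        print(r.name, out["src"], "->", out["dst"], "via", out["mode"])
    print("return path ok:", usip_return_path_ok(rules[0], "10.0.0.254", {"10.0.0.2"}))
```

The check in usip_return_path_ok is the one to run before enabling USIP on an existing INAT entry: a server whose gateway is not the NetScaler will answer the client directly and the connection will not complete.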
The following table describes the parameters used to configure a basic INAT for incoming packets.

Inbound NAT Basic Parameters

  Name                 Name of the Inbound NAT configuration being added. Mandatory.
  Public IP Address    Public destination IP address of packets received on the NetScaler. Mandatory. Possible values: NetScaler-owned VIPs.
  Private IP Address   Private destination IP address of the server to which the NetScaler sends the packet. Mandatory. Possible values: IP addresses of the servers.
  USIP (usip)          Use Source IP mode. Possible values: Enabled and Disabled. Default: Enabled.
  USNIP (usnip)        Use Subnet IP mode. Possible values: Enabled and Disabled. Default: Enabled.
  ProxyIP (proxyip)    A unique IP address presented to the server as the source IP address.

The following procedure includes an example that creates an INAT configuration in which the NetScaler replaces a public VIP with the private IP address of a physical server.

To configure INAT with a VIP as the destination IP address using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, click the INAT tab, and then click Add.
3. In the Create INAT dialog box, in the Name text box, type the name of the INAT (for example, MyNAT).
4. In the Public IP Address text box, type a public VIP address owned by the NetScaler.
5. In the Private IP Address text box, type the private IP address of the server.
6. Click Create, and then click Close.

To configure INAT with a VIP as the destination IP address using the NetScaler command line
add inat <Name> <PublicIPAddress> <PrivateIPAddress>

Example:

add inat MyNAT <PublicIPAddress> <PrivateIPAddress>

Customizing the INAT Configuration

The following procedure sets the source IP address to a unique IP address. In the example, MyNAT1 replaces the public destination IP address of a packet generated by the client with the private destination IP address of the server, and also replaces the source IP address of the packet with the configured unique (proxy) IP address.

To assign a unique IP address as the INAT source IP address using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, click the INAT tab, select the INAT, and then click Open.
3. In the Configure INAT dialog box, from the Proxy IP Address drop-down list, select the NetScaler-owned IP address that the NetScaler will present to the server as the client IP address.
4. Click OK, and then click Close.

To assign a unique IP address as the INAT source IP address using the NetScaler command line

set inat <Name> -proxyip <IPAddress>

Example:

set inat MyNAT1 -proxyip <IPAddress>

You can configure INAT to protect the NetScaler from DoS attacks by enabling TCP Proxy and/or FTP. If other protection mechanisms are used in your network, you may want to disable these features. The following table lists and describes the parameters used to configure an existing INAT with the FTP and TCPProxy features.

Customizing INAT Configuration

  TCPProxy (tcpproxy)   Allow TCP traffic to pass through the NetScaler TCP engine (proxy). Possible values: Enabled and Disabled. Default: Disabled.
  FTP (ftp)             Allow Active FTP. Possible values: Enabled and Disabled. Default: Disabled.

Use either of the following procedures to enable or disable TCP Proxy on an existing INAT. In the example, MyNAT1 is the existing INAT.

To enable or disable TCPProxy on the INAT using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and then click Routes.
2. On the Routes page, click the INAT tab, select the name of the INAT that you want to modify (for example, MyNAT1), and then click Open.
3. In the Configure INAT dialog box, do one of the following:
   To enable TCPProxy, select the TCP Proxy Mode check box.
   To disable TCPProxy, clear the TCP Proxy Mode check box.
4. Click OK, and then click Close.

To enable or disable TCP Proxy mode on the INAT using the NetScaler command line

set inat <Name> -tcpproxy <Value>

Examples:

set inat MyNAT1 -tcpproxy enabled
set inat MyNAT1 -tcpproxy disabled

Removing an INAT Configuration

Use either of the following procedures to remove an INAT configuration.

To remove an INAT configuration using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, click the INAT tab.
3. In the details pane, select the name of the INAT configuration that you want to remove (for example, MyNAT).
4. Click Remove, and then click Close.

To remove an INAT configuration using the NetScaler command line

rm inat <Name>

Example:

rm inat MyNAT

Coexistence of INAT and Vservers

If both INAT and RNAT are configured, the INAT rule takes precedence over the RNAT rule. If RNAT is configured with a network address translation IP (NAT IP) address, that NAT IP address is selected as the source IP address for that RNAT client.

The default public destination IP address in an INAT configuration is a virtual IP address (VIP) of the NetScaler. Vservers also use VIPs. When both an INAT entry and a vserver use the same IP address, the vserver configuration overrides the INAT configuration. The following are sample configuration scenarios and their effects.

Case 1: You have configured a vserver and a service to send all data packets received on a specific NetScaler port directly to the server. You have also configured INAT and enabled TCP Proxy, which sends all data packets through the TCP engine before they are sent to the server.
Result: All packets received on the NetScaler, except those received on the specific port, pass through the TCP engine.

Case 2: You have configured a vserver and a service of type TCP to send all data packets received on a specific port on the NetScaler to the server after they pass through the TCP engine. You have also configured INAT and disabled TCP Proxy, which sends received data packets directly to the server.
Result: Only packets received on the specific port pass through the TCP engine.

Case 3: You have configured a vserver and a service to send all data packets received to either of two servers. You attempt to configure INAT to send all data packets received to a different server.
Result: The INAT configuration is not allowed.

Case 4: You have configured INAT to send all data packets received directly to a server. You attempt to configure a vserver and a service to send all data packets received to two different servers.
Result: The vserver configuration is not allowed.
Reverse Network Address Translation

In Reverse Network Address Translation (RNAT), the NetScaler replaces the source IP addresses in packets generated by the servers with public NAT IP addresses. By default, the NetScaler uses a mapped IP address (MIP) as the NAT IP address. You can also configure the NetScaler to use a unique NAT IP address for each subnet, and you can configure RNAT by using Access Control Lists (ACLs). Use Source IP (USIP), Use Subnet IP (USNIP), and Link Load Balancing (LLB) modes affect the operation of RNAT. You can display statistics to monitor RNAT.

Configuring RNAT to Use a MIP as the NAT IP Address

When a MIP is used as the NAT IP address, the NetScaler replaces the source IP addresses of server-generated packets with the MIP, so the MIP must be a public IP address. If Use Subnet IP (USNIP) mode is enabled, the NetScaler uses a subnet IP address (SNIP) as the NAT IP address instead. The following table describes the parameters for using a MIP as the NAT IP address.

Parameters for Configuring a MIP as the NAT IP

  Network   Network or subnet from which the traffic is flowing.
  Netmask   Subnet mask of the network.

The following procedure enables RNAT with the NAT IP set to a MIP. The NetScaler changes the source IP address of packets originating from the specified network to the MIP.

To enable RNAT when the NAT IP is set to a MIP using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, on the RNAT tab, click Configure RNAT.
3. In the Configure RNAT dialog box, in the Network and Netmask text boxes, type the network and subnet mask for which you want to enable RNAT.
4. Click Create, and then click Close.
To enable RNAT when the NAT IP is set to a MIP using the NetScaler command line

At the NetScaler command prompt, type:

set rnat <Network> <Netmask>

Configuring RNAT by Using a Unique IP Address as the NAT IP Address

When a unique IP address is used as the NAT IP address, the NetScaler replaces the source IP addresses of server-generated packets with the specified unique IP address, which must be a public, NetScaler-owned IP address. This is illustrated in the following diagram.

[Diagram: Using a Unique NAT IP Address for a Subnet]
The following table describes the parameter used to set a unique NAT IP address.

Assigning a Unique NAT IP

  Available NAT IP(s) (natip)   NAT IP(s) assigned to a source network or NetScaler IP.

The following procedures include an example in which the NetScaler is configured to use two unique IP addresses, MIP1 and MIP2, for two subnets: the NetScaler replaces the source IP addresses of packets originating from the first subnet with MIP1 and those of packets from the second subnet with MIP2.

To enable RNAT when the NAT IP is set to a unique IP address using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, on the RNAT tab, select the RNAT network for which you want to configure the NAT IP address.
3. Click Configure RNAT.
4. In the Configure RNAT dialog box, in the Available NAT IP(s) list box, select the NAT IP address that you want to configure.
5. Click Add. The NAT IP you selected in step 4 appears in the Configured NAT IP(s) list box.
6. Click OK.
7. Repeat steps 2 through 6 for each additional RNAT network.

To enable RNAT when the NAT IP is set to a unique IP address using the NetScaler command line

At the NetScaler command prompt, type one command per subnet:

set rnat <Network> <Netmask> -natip <NATIPAddress>
Note: If multiple NAT IP addresses are configured for a subnet, the NAT IP is selected by round robin.

Configuring RNAT by Using ACLs

You can configure the NetScaler to use a unique IP address for traffic that matches an ACL. The configuration requires three tasks:

1. Configure the ACL.
2. Configure RNAT to change the source IP address and destination port.
3. Apply the ACL.

Note: ACL-based RNAT is not applied to traffic originating from the NetScaler. For more information on ACLs, see Chapter 3, Access Control Lists (ACLs).

The following diagram illustrates RNAT configured with an ACL.

[Diagram: Changing Source IP Address and Port]

Configuring an ACL

The following procedure creates a new ACL; alternatively, you can open and modify an existing ACL. The example creates an ACL named acl1 that allows TCP traffic originating from one server to one external client.
To configure an ACL using the configuration utility

1. In the navigation pane, expand Network and click ACLs.
2. On the ACLs page, click the Extended ACL tab, and then click Add.
3. In the Add ACL dialog box, in the Name text box, type the name of the ACL (for example, acl1).
4. In the Action, Operator, and Protocol drop-down lists, select the action, operator, and protocol that you want to configure (for example, ALLOW, =, and TCP).
5. Under Source, in the Low and High text boxes, type the range of source IP addresses (for a single server, its address in both boxes).
6. Under Destination, in the Low and High text boxes, type the range of destination IP addresses.
7. Click Create, and then click Close.

To configure an ACL using the NetScaler command line

add acl <Name> allow -srcip <SourceIPAddress> -destip <DestinationIPAddress> -protocol <Protocol>

Example:

add acl acl1 allow -srcip <ServerIPAddress> -destip <ClientIPAddress> -protocol TCP

Configuring RNAT to Change the Source IP Address and Destination Port

The following procedure configures RNAT to replace the source IP address of packets matching acl1 with a unique NAT IP address, and to change the destination port to 8080.

To set RNAT to change the source IP address and destination port using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, click the RNAT tab, and then click Configure RNAT.
3. In the Configure RNAT dialog box, click the ACL radio button.
4. In the ACL Name drop-down list, select the ACL that you want to configure (for example, acl1).
5. In the Redirect Port text box, type the port (for example, 8080).
6. In the Available NAT IP(s) list box, select the NAT IP address that you want to configure.
7. Click Add. The NAT IP you selected appears in the Configured NAT IP(s) list box.
8. Click Create, and then click Close.

To set RNAT to change the source IP address and destination port using the NetScaler command line

set rnat <ACLName> -natip <NATIPAddress> -redirectport <Port>

Example:

set rnat acl1 -natip <NATIPAddress> -redirectport 8080

Applying the ACL

An ACL does not take effect until you apply it. For instructions on applying an ACL using the configuration utility, see Chapter 3, Configuring Extended ACLs.

To apply an ACL using the NetScaler command line

apply ns acls

Note: The NetScaler uses ports from 1024 upward as source ports for connections made from mapped IP addresses and subnet IP addresses.

RNAT in USIP, USNIP, and LLB Modes

When both RNAT and Use Source IP (USIP) mode are configured, RNAT takes precedence. When RNAT and USNIP are configured, selection of the source IP address depends on the state of USNIP:

If USNIP is off, the NetScaler uses the mapped IP address.
If USNIP is on, the NetScaler uses a SNIP as the NAT IP address.

This behavior does not apply when a unique NAT IP address is configured; the unique NAT IP is used regardless of USNIP.
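The following Python script is an added example, not code from this guide or from Citrix. It models the RNAT behavior described in the preceding sections in one place: a subnet entry without a NAT IP uses the MIP, or a SNIP when USNIP mode is on; a subnet entry with several unique NAT IPs picks them round-robin; an ACL-based entry rewrites the source to its NAT IP and, when a redirect port is set, the destination port; and ACL-based entries are skipped for traffic whose source is a NetScaler-owned address. Two details are assumptions not stated by the guide: ACL entries are consulted before subnet entries, and an ACL matches on a source range, a destination range and a protocol. All addresses, entry and ACL names are constructed sample data; packets are plain dicts.

```python
"""Reverse NAT (RNAT) source selection on a NetScaler, modelled in Python (added example)."""
import ipaddress
import itertools


class RnatTable:
    def __init__(self, mip, snip, usnip=False, ns_owned=()):
        self.mip, self.snip, self.usnip = mip, snip, usnip
        # Guide: ACL-based RNAT is not applied to traffic originating from the NetScaler.
        self.ns_owned = set(ns_owned) | {mip, snip}
        self.subnet_entries = []   # (network, round-robin NAT IP iterator or None)
        self.acl_entries = []      # (name, src_net, dst_net, protocol, iterator, redirect_port)

    def add_subnet(self, network, natips=()):
        """set rnat <network> <netmask> [-natip ...]; MIP/SNIP is used when no NAT IP is given."""
        rr = itertools.cycle(natips) if natips else None   # guide: multiple NAT IPs -> round robin
        self.subnet_entries.append((ipaddress.ip_network(network), rr))

    def add_acl(self, name, srcip, destip, protocol, natips, redirectport=None):
        """add acl <name> allow -srcip -destip -protocol, then set rnat <name> -natip [-redirectport]."""
        self.acl_entries.append((name, ipaddress.ip_network(srcip), ipaddress.ip_network(destip),
                                 protocol.upper(), itertools.cycle(natips), redirectport))

    def _default_natip(self):
        return self.snip if self.usnip else self.mip    # guide: USNIP on -> SNIP, off -> MIP

    def translate(self, pkt):
        """Return (packet as it leaves the NetScaler, name of the entry applied or None)."""
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        if pkt["src"] not in self.ns_owned:                 # NetScaler-originated: no ACL RNAT
            for name, s_net, d_net, proto, natips, rport in self.acl_entries:
                if src in s_net and dst in d_net and pkt["proto"].upper() == proto:
                    out = {**pkt, "src": next(natips)}
                    if rport is not None:
                        out["dport"] = rport               # -redirectport
                    return out, name
        for net, natips in self.subnet_entries:
            if src in net:
                return {**pkt, "src": next(natips) if natips else self._default_natip()}, str(net)
        return pkt, None                                     # no RNAT entry: leave untouched


if __name__ == "__main__":
    # Constructed sample configuration: MIP/SNIP, two subnets, one ACL with redirect port.
    t = RnatTable(mip="203.0.113.1", snip="203.0.113.2")
    t.add_subnet("10.10.0.0/16")
    t.add_subnet("10.20.0.0/16", natips=["203.0.113.20", "203.0.113.21"])
    t.add_acl("acl1", "10.10.5.5", "198.51.100.9", "TCP", ["203.0.113.30"], redirectport=8080)
    for p in ({"src": "10.10.1.1", "dst": "198.51.100.1", "proto": "TCP", "dport": 443},
              {"src": "10.20.1.1", "dst": "198.51.100.1", "proto": "TCP", "dport": 443},
              {"src": "10.20.1.2", "dst": "198.51.100.1", "proto": "TCP", "dport": 443},
              {"src": "10.10.5.5", "dst": "198.51.100.9", "proto": "TCP", "dport": 443}):
        out, entry = t.translate(p)
        print(p["src"], "->", out["src"], "dport", out["dport"], "via", entry)
```

The UDP case in the test below is the one that surprises people: an ACL written for TCP does not catch the same hosts talking UDP, and those packets fall through to the subnet entry with its default NAT IP and original port.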
In a topology where the NetScaler performs both Link Load Balancing (LLB) and RNAT for traffic originating from the servers, the NetScaler selects the source IP address based on the router chosen for the flow, and the LLB configuration determines which router is selected.

Note: For more information about LLB, see the Citrix NetScaler Traffic Management Guide, Chapter 9, Link Load Balancing.

Monitoring RNAT

You can display RNAT statistics to troubleshoot issues related to IP address translation. The following tables describe the statistics associated with RNAT and with each RNAT IP.

RNAT Statistics

  Bytes received     Bytes received during RNAT sessions.
  Bytes sent         Bytes sent during RNAT sessions.
  Packets received   Packets received during RNAT sessions.
  Packets sent       Packets sent during RNAT sessions.
  Syn sent           Connection requests (TCP SYNs) sent during RNAT sessions.
  Current sessions   Currently active RNAT sessions.

RNAT IP Statistics

  Bytes received     Bytes received on this IP address during RNAT sessions.
  Bytes sent         Bytes sent from this IP address during RNAT sessions.
  Packets received   Packets received on this IP address during RNAT sessions.
  Packets sent       Packets sent from this IP address during RNAT sessions.
  Syn sent           Connection requests (TCP SYNs) sent from this IP address during RNAT sessions.
  Current sessions   Currently active RNAT sessions started from this IP address.

Displaying RNAT Statistics

Use either of the following procedures to display RNAT summary statistics.
To display RNAT statistics using the configuration utility
1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. In the details pane, on the RNAT tab, click Statistics.

To view RNAT statistics using the NetScaler command line

    stat rnat

Displaying RNAT IP Statistics

Use either of the following procedures to display RNAT IP statistics.

To view RNAT IP statistics using the configuration utility
1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. In the details pane, on the RNAT tab, select the NATIP whose statistics you want to view.
3. Click Statistics.

To view RNAT IP statistics using the NetScaler command line

    stat rnatip NATIPAddress

Example

    stat rnatip

Configuring Static ARP

You can add static ARP entries to and remove static ARP entries from the ARP table. After adding an entry, you should verify the configuration.

Note: If the IP address, port, or MAC address changes after you create a static ARP entry, you must remove or manually adjust the static entry. Therefore, creating static ARP entries is not recommended unless necessary.
Adding Static ARP Entries

The following table describes the parameters you set to add an entry to the ARP table.

Parameters used to create an ARP Entry

    Parameter                  Specifies
    IP Address (IPAddress)     The IP address of the server.
    MAC Address (mac)          The MAC address of the server. Type the MAC address with colons (:) as shown in the example below.
    Interface Number (ifnum)   The physical interface for the ARP entry. Use the show interface command to view the valid interface names.

Use either of the following procedures to add a static ARP entry to an ARP table.

To create an ARP entry using the configuration utility
1. In the navigation pane, expand Network and click ARP Table.
2. On the ARP Table page, click Add.
3. In the Add ARP entry dialog box, in the IP Address, MAC Address, and Interface Number text boxes, respectively, type the IP address, MAC address, and network interface number that you want to add to the ARP table (for example, , 00:aa:10:12:13:ef, and 1/8).
4. Click Create and click Close. The ARP entries you added appear in the ARP Table page, as shown in the following figure.

ARP Table page
To create an ARP entry using the NetScaler command line

    add arp -IPAddress IPAddress -mac MACAddress -ifnum Interface

Example

    add arp -IPAddress -mac 00:aa:10:12:13:ef -ifnum 1/8

Removing Static ARP Entries

The following example describes the procedure to remove the IP address from an ARP table.

To remove an ARP entry using the configuration utility
1. In the navigation pane, expand Network and click ARP Table.
2. On the ARP Table page, select the ARP entry that you want to remove (for example, ).
3. Click Remove.
4. In the Remove dialog box, click Yes.

To remove an ARP entry using the NetScaler command line

    rm arp ARPentry

Example

    rm arp

Verifying the Configuration

You can display the properties of the ARP entries, such as IP address, MAC address, interface, VLAN, and origin, and use this information to troubleshoot any fault in the configuration.

To verify the ARP entries of IP addresses using the configuration utility
1. In the navigation pane, expand Network and click ARP Table. The ARP Table page appears in the details pane, showing the details of the available ARP entries.
2. Verify that the configured ARP entry (for example, ) appears.
3. Select the IP address (for example, ) and, in the details section, verify that the parameters are configured as intended.
To view the ARP entries using the NetScaler command line

    sh arp
CHAPTER 2 Interfaces

Before you begin configuring interfaces, decide whether your configuration can use MAC-based forwarding mode, and either enable or disable this system setting accordingly. The number of interfaces you have depends on the NetScaler that you own. In addition to configuring individual interfaces, you can logically group interfaces, using VLANs to restrict data flow within a set of interfaces, and you can aggregate links into channels. In a high availability setup, you may configure a virtual MAC (VMAC) address if necessary. If you use L2 mode, you might want to modify the ageing of the bridge table. When your configuration is complete, decide whether you should enable the system setting for path MTU discovery.

In This Chapter
- MAC-Based Forwarding
- Configuring Network Interfaces
- Configuring VLANs
- Configuring Link Aggregation
- Configuring VMAC
- Configuring the Bridge Table
- Path MTU Behavior

MAC-Based Forwarding

Using MAC-based forwarding, when a request reaches the NetScaler, it remembers the source MAC address of the frame, and uses that MAC address as the destination MAC address for the resulting replies. In this way, MAC-based forwarding can be used to avoid multiple route/ARP lookups and to avoid asymmetrical packet flows. MAC-based forwarding may be required when the NetScaler is connected to multiple stateful devices, such as VPNs or firewalls, as it ensures that the return traffic is sent to the same device that the initial traffic came from.
MAC-based forwarding is useful when you use VPN devices, because it guarantees that all traffic flowing through a VPN passes back through the same VPN device. The following topology diagram illustrates the process of MAC-based forwarding.

Working of MAC-based forwarding mode

Enabling and Disabling MAC-based Forwarding

When MAC-based forwarding (MBF) is enabled, the NetScaler caches the MAC address of:

- The source (a transmitting device such as a router, firewall, or VPN device) of the inbound connection.
- The server that responds to the requests.

When a server replies through the NetScaler, the NetScaler sets the destination MAC address of the response packet to the cached address, ensuring that the traffic flows in a symmetric manner, and then forwards the response to the client. The process bypasses the route table lookup and ARP lookup functions. However, when the NetScaler initiates a connection, it uses the route and ARP tables for the lookup function.

When you need to use a direct server return configuration, you must enable MAC-based forwarding. For more information about direct server return configurations, see the Citrix NetScaler Traffic Management Guide, Chapter 1, Load Balancing.
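The following Python model, added here as an illustration and not NetScaler code, contrasts the reply path with MBF on and off: two constructed stateful firewalls front the appliance, the request arrives through one, and the route table prefers the other. With MBF on, the reply goes back to the cached MAC of the device that delivered the request; with MBF off, the route and ARP tables send it through the other firewall, which never saw the connection. All names, MACs and addresses are assumptions.

```python
"""Model of NetScaler MAC-based forwarding (MBF). Added illustration; the
topology, MAC addresses, routes and IP addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src_mac: str     # MAC of the device that handed us the frame (router, firewall, VPN)
    src_ip: str      # client IP address the server will reply to
    in_iface: str    # interface the request arrived on


class Appliance:
    def __init__(self, mbf, routes, arp):
        self.mbf = mbf
        # routes: (prefix, next-hop IP); longest prefix wins, as in a route table
        self.routes = sorted(
            ((ipaddress.ip_network(prefix), gw) for prefix, gw in routes),
            key=lambda entry: entry[0].prefixlen, reverse=True)
        self.arp = arp          # next-hop IP -> (MAC, interface)
        self.cache = {}         # client IP -> (MAC, interface) learned on ingress

    def route_lookup(self, dst_ip):
        addr = ipaddress.ip_address(dst_ip)
        for net, gw in self.routes:
            if addr in net:
                return gw
        raise LookupError(f"no route to {dst_ip}")

    def on_request(self, req):
        """Inbound request: with MBF on, remember the MAC it came from."""
        if self.mbf:
            self.cache[req.src_ip] = (req.src_mac, req.in_iface)

    def on_reply(self, dst_ip):
        """Server reply: MBF reuses the cached MAC and skips the route/ARP
        lookups; otherwise the route table and ARP table choose the next hop."""
        if self.mbf and dst_ip in self.cache:
            mac, iface = self.cache[dst_ip]
            return ("mbf", mac, iface)
        mac, iface = self.arp[self.route_lookup(dst_ip)]
        return ("route", mac, iface)

    def on_new_connection(self, dst_ip):
        """Traffic the NetScaler itself initiates always uses route + ARP."""
        mac, iface = self.arp[self.route_lookup(dst_ip)]
        return ("route", mac, iface)


# Constructed topology: two stateful firewalls in front of the appliance.
FW_A = ("00:aa:00:00:00:01", "1/1")   # firewall that forwarded the request
FW_B = ("00:aa:00:00:00:02", "1/2")   # firewall the route table prefers
ROUTES = [("0.0.0.0/0", "10.0.0.2")]  # default route points at FW_B
ARP = {"10.0.0.1": FW_A, "10.0.0.2": FW_B}
CLIENT = Request(src_mac=FW_A[0], src_ip="198.51.100.7", in_iface="1/1")


def reply_path(mbf):
    """Where the reply to CLIENT is sent with MBF on or off."""
    ns = Appliance(mbf, ROUTES, ARP)
    ns.on_request(CLIENT)
    return ns.on_reply(CLIENT.src_ip)


def symmetric(mbf):
    """True when the reply leaves through the device the request came from."""
    _, mac, iface = reply_path(mbf)
    return (mac, iface) == (CLIENT.src_mac, CLIENT.in_iface)


if __name__ == "__main__":
    print("MBF on :", reply_path(True), "symmetric" if symmetric(True) else "asymmetric")
    print("MBF off:", reply_path(False), "symmetric" if symmetric(False) else "asymmetric")
```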
Some deployment topologies may require the incoming and outgoing paths to flow through different routers. In these situations, MAC-based forwarding breaks this topology design. MBF should be disabled in the following situations:

- When you configure link load balancing. In this case, asymmetric traffic flows are desirable because of link costs.
- When a server uses network interface card (NIC) teaming without using LACP (802.1ad Link Aggregation). To enable MAC-based forwarding in this situation, you must use a layer 3 device between the NetScaler and the server.
  Note: MBF can be enabled when the server uses NIC teaming with LACP, because the virtual interface uses one MAC address.
- When firewall clustering is used. Firewall clustering assumes that ARP is used to resolve the MAC address for inbound traffic. Sometimes the inbound MAC address can be a non-clustered MAC address and should not be used for inbound packet processing.

When MBF is disabled, the NetScaler uses L2 or L3 connectivity to forward the responses from servers to the clients. Thus, depending on the route table, the routers used for the outgoing connection and the incoming connection can be different. In the case of reverse traffic (response from the server):

- If the source and destination are on different IP subnets, the NetScaler uses the route lookup to locate the destination.
- If the source is on the same subnet as the destination, the NetScaler looks up the ARP table to locate the network interface and forwards the traffic to it. If the ARP table has no entry for the destination, the NetScaler sends an ARP request to obtain one.

To enable or disable MAC-based forwarding using the configuration utility
1. In the navigation pane, expand System and click Settings.
2. In the details pane, in the Modes and Features group, click Change modes.
3. In the Configure Modes dialog box, do one of the following:
   - To enable MAC-based forwarding, select the MAC Based Forwarding check box.
   - To disable MAC-based forwarding, clear the MAC Based Forwarding check box.
4. Click OK.
5. In the Enable/Disable Feature(s)? dialog box, click Yes.

To enable or disable MAC-based forwarding using the NetScaler command line

    enable ns mode Value
    disable ns mode Value

Examples

    enable ns mode mbf
    disable ns mode mbf

Configuring Network Interfaces

Network interfaces in the NetScaler are numbered in <slot>/<port> notation. After you customize the interface settings for your network interfaces or perform general interface-management tasks, you should verify your configuration. To modify the network interfaces, use the parameters listed in the following table.

Parameters for modifying Network Interfaces

    ID (id)
        The number assigned to the interface.

    Speed (speed)
        Ethernet speed for the interface. Possible values: AUTO, 10, 100, 1000, and Mbps. Default: AUTO. A setting other than AUTO requires the same configuration for the device at the other end of the link. Mismatched speed (or duplex) configurations can cause link errors, packet losses, and other errors. Some network interfaces do not support certain speeds. An attempt to set an unsupported speed is reported as an error.

    Duplex (duplex)
        Duplex mode for the interface. Possible values: AUTO, HALF, and FULL. Default: AUTO. AUTO is recommended. If you force HALF or FULL mode, you must manually configure the same mode and identical speed on both sides of the link.
Parameters for modifying Network Interfaces (continued)

    Flow Control (flowcontrol)
        Apply 802.3x flow control to the interface. Possible values: OFF, RX, TX, RXTX, and ON (forced RXTX). Default: OFF. Real flow control status depends on the auto-negotiation results. Link parameter mismatches must be checked for and avoided because, for example, they can cause the NetScaler to drop packets, or the link may not be accessible.

    Auto Negotiate (autoneg)
        Use auto negotiation on the interface. Possible values: DISABLED and ENABLED.

    HA Monitor (hamonitor)
        Monitor the interface for failure events. Possible values: ON and OFF. Default: ON. When ON in an HA configuration, failover occurs when a network interface fails. If a network interface is not being used, or if failover is not required, select OFF. (Also, if the network interface is not used in the configuration, you must disable it.)

    Trunk (trunk)
        Trunk port functionality for the interface. Possible values: ON and OFF. Default: OFF. With the ON setting, traffic is tagged for the VLANs bound to this network interface, including the default VLAN. If you require 802.1q behavior with backward compatibility, you must set this parameter to OFF.

    LACP Mode (lacpmode)
        LACP mode. Possible values: DISABLED, ACTIVE, and PASSIVE. Default: DISABLED.

    LACP Key (lacpkey)
        LACP key for the interface. Possible values: 1 to 4.

    LACP Priority (lacppriority)
        LACP port priority. Possible values: 1 to Default:

    LACP Time-out (lacptimeout)
        LACP timeout setting. Possible values: LONG and SHORT. Default: LONG.

    Alias (ifalias)
        Alias name for the interface.

    Throughput (throughput)
        Minimum required throughput for the interface.

Note: For more information about Link Aggregate Control Protocol (LACP), see Configuring the Link Aggregate Channel Protocol, on page 62.
Use either of the following procedures to modify the duplex setting of a network interface.

To modify the duplex setting of a network interface using the configuration utility
1. In the navigation pane, expand Network and click Interfaces.
2. On the Interfaces page, select the network interface that you want to modify (for example, 1/8).
3. Click Open.
4. In the Modify Interface dialog box, select or enter a new value. (For example, from the Duplex drop-down list, select FULL.)
5. Click OK.

To modify the duplex setting of a network interface using the NetScaler command line

    set interface Value -Argument Value

Example

    set interface 1/8 -duplex full

Note: The network interface configuration is neither synchronized nor propagated. For an HA pair, you must perform the configuration on each unit independently.

Managing Network Interfaces

To manage the network interfaces, you might have to enable some interfaces and disable others. You can reset an interface to renegotiate its settings. You can clear the accumulated statistics for an interface. To verify the configuration, you can display the interface settings.

Enabling and Disabling Network Interfaces

By default, the network interfaces are enabled. You must disable any network interface that is not connected to the network, so that it cannot send or receive packets. Disabling a network interface that is connected to the network in a high availability setup can cause failover. For more information about high availability, see Chapter 6, How High Availability Works.

Use either of the following procedures to enable or disable a network interface.
To enable or disable a network interface using the configuration utility
1. In the navigation pane, expand Network and click Interfaces.
2. On the Interfaces page, select the network interface that you want to enable or disable (for example, 1/8).
3. Do one of the following:
   - To enable a network interface, click Enable.
   - To disable a network interface, click Disable.

To enable or disable a network interface using the NetScaler command line

    enable interface Value
    disable interface Value

Examples

    enable interface 1/8
    disable interface 1/8

Resetting Network Interfaces

Network interface settings control properties such as duplex and speed. To renegotiate the settings of a network interface, you must reset it. Use either of the following procedures.

To reset a network interface using the configuration utility
1. In the navigation pane, expand Network and click Interfaces.
2. On the Interfaces page, select the network interface that must be reset (for example, 1/8).
3. Click Reset Interface.

To reset a network interface using the NetScaler command line

    reset interface Value

Example

    reset interface 1/8
Removing the Statistics of a Network Interface

You can use network interface statistics to monitor parameters such as packets sent and packets received. You can clear the statistics of a network interface to monitor its statistics from the time the statistics are cleared. Use either of the following procedures.

To clear a network interface's statistics using the configuration utility
1. In the navigation pane, expand Network and click Interfaces.
2. On the Interfaces page, select the network interface whose statistics you want to clear (for example, 1/8).
3. Click Clear Statistics.

To clear a network interface's statistics using the NetScaler command line

    clear interface Value

Example

    clear interface 1/8

Verifying and Monitoring the Configuration

When your interfaces are configured, you should display the interfaces and their settings to verify the configuration. You can also display this information to troubleshoot a problem in the configuration. You can display the statistics for an interface to evaluate its health.

Displaying Network Interfaces

Use either of the following procedures to display the properties of the network interfaces, including the loopback interface.

To display the network interfaces using the configuration utility
1. In the navigation pane, expand Network and click Interfaces.
2. On the Interfaces page, verify that your configured interface appears.
3. Highlight the interface by selecting it, and verify that the parameters are configured as intended.

To display the properties of the network interfaces using the NetScaler command line

    show interface
Displaying the Statistics for a Network Interface

You can display network interface statistics such as throughput, types of packets, Link Aggregate Control Protocol (LACP) data units, and errors, and use the information to check the health of the network interface. Use either of the following procedures.

To view the statistics of an interface using the configuration utility
1. In the navigation pane, expand Network and click Interfaces.
2. On the Interfaces page, select the network interface whose statistics you want to view (for example, 1/8).
3. Click Statistics.

To view the statistics of the network interfaces using the NetScaler command line

    stat interface Value

Example

    stat interface 1/8

Configuring VLANs

The NetScaler supports (Layer 2) port-based and IEEE 802.1Q tagged VLANs. VLAN configurations are useful when you need to restrict traffic to certain groups of stations. You can configure a network interface as a part of multiple VLANs using IEEE 802.1q tagging. You can configure VLANs and bind them to IP subnets. The NetScaler then performs IP forwarding between these VLANs (if it is configured as the default router for the hosts on these subnets).

The NetScaler supports the following types of VLANs:
- Port-Based VLANs
- Default VLAN
- Tagged VLANs

Port-Based VLANs

The membership of a port-based VLAN is defined by a set of network interfaces that share a common exclusive Layer 2 broadcast domain. You can configure multiple port-based VLANs. By default, all network interfaces on the NetScaler are members of VLAN 1.
If you apply 802.1q tagging to the port, the network interface belongs to a port-based VLAN. Layer 2 traffic is bridged within a port-based VLAN, and Layer 2 broadcasts are sent to all members of the VLAN if Layer 2 mode is enabled. When you add an untagged network interface as a member of a new VLAN, it is removed from its current VLAN.

Default VLAN

By default, the network interfaces on the NetScaler are included in a single, port-based VLAN as untagged network interfaces. This VLAN is the default VLAN. It has a VLAN ID (VID) of 1. This VLAN exists permanently. It cannot be deleted, and its VID cannot be changed. When you add a network interface to a VLAN as an untagged member, the network interface is automatically removed from the default VLAN and added to this VLAN. If you unbind a network interface from its current port-based VLAN, it is added to the default VLAN again.

Tagged VLAN support for the NetScaler IP Subnet

802.1q tagging (defined in the IEEE 802.1q standard) allows a networking device (such as the NetScaler) to add information to a frame at Layer 2 to identify the VLAN membership of the frame. Tagging allows network environments to have VLANs that span multiple devices. A device that receives the packet reads the tag and recognizes the VLAN to which the frame belongs. Some network devices do not support receiving both tagged and untagged packets on the same network interface, in particular, Force10 switches. In such cases, you need to contact customer support for assistance.

The network interface can be a tagged or untagged member of a VLAN. Each network interface is an untagged member of one VLAN only (its native VLAN). This network interface transmits the frames for the native VLAN as untagged frames. A network interface can be a part of more than one VLAN if the other VLANs are tagged. When you configure tagging, be sure to match the configuration of the VLAN on both ends of the link. The port to which the NetScaler connects must be on the same VLAN as the NetScaler network interface. You can use the configuration utility to define a tagged VLAN that can have any ports bound as tagged members. Configuring this VLAN requires a reboot of the NetScaler, and therefore must be done during initial network configuration.

Note: This VLAN configuration is neither synchronized nor propagated, therefore you must perform the configuration on each unit in an HA pair independently. The best practice is to set the VLAN ID for each NSIP to 1.
Applying Rules to Classify Frames

VLANs have two types of rules for classifying frames:
- Ingress rules
- Egress rules

Ingress Rules

Ingress rules classify each frame as belonging only to a single VLAN. When a frame is received on a network interface, the following rules are applied to classify the frame:

- If the frame is untagged, or has a tag value equal to 0, the VID of the frame is set to the port VID (PVID) of the receiving interface, which is classified as belonging to the native VLAN. (PVIDs are defined in the IEEE 802.1q standard.)
- If the frame has a tag value equal to FFF, the frame is dropped.
- If the VID of the frame specifies a VLAN of which the receiving network interface is not a member, the frame is dropped. For example, if a packet is sent from a subnet associated with VLAN ID 12 to a subnet associated with VLAN ID 10, the packet is dropped. If an untagged packet with VID 9 is sent from the subnet associated with VLAN ID 10 to a network interface with PVID 9, the packet is dropped.

Egress Rules

The following egress rules are applied:

- If the VID of the frame specifies a VLAN of which the transmitting network interface is not a member, the frame is discarded.
- During the learning process (per the IEEE 802.1q standard), the source MAC address and VID are used to update the bridge lookup table of the NetScaler.
- A frame is discarded if its VID specifies a VLAN that does not have any members. You can define the members, which are the network interfaces configured in the VLAN.

VLANs and Packet Forwarding on the NetScaler

The forwarding process on the NetScaler is similar to that on any standard switch. However, the NetScaler performs forwarding only when Layer 2 mode is on. The key features of the forwarding process are:

- Topology restrictions are enforced. Enforcement involves selecting each network interface in the VLAN as a transmission port, based on the state of the network interface, bridging restrictions (do not forward on the receiving network interface), MTU restrictions, and so on.
- Frames are filtered based on the bridge table lookup in the forwarding database (FDB) table of the NetScaler. The bridge table lookup is based on the destination MAC and the VID.
- Packets addressed to the MAC address of the NetScaler are processed at the upper layers.
- All broadcast and multicast frames are forwarded to each network interface that is a member of the VLAN, but forwarding occurs only if L2 mode is enabled. If L2 mode is disabled, the broadcast and multicast packets are dropped. This is also true for MAC addresses that are not currently in the bridging table.
- A VLAN entry has a list of member network interfaces that are part of its untagged member set. When forwarding frames to these network interfaces, a tag is not inserted in the frame. If the network interface is a tagged member of this VLAN, the tag is inserted in the frame when the frame is forwarded.

When a user sends any broadcast or multicast packets without the VLAN being identified, that is, during Duplicate Address Detection (DAD) for the NSIP or ND6 for the next hop of the route, the packet is sent out on all the network interfaces with appropriate tagging based on the ingress and egress rules. ND6 usually identifies a VLAN, and a data packet is sent on this VLAN only. Port-based VLANs are common to IPv4 and IPv6. For IPv6, the NetScaler supports prefix-based VLANs.

Creating a VLAN

You can implement VLANs in the following environments:
- Single subnet
- Multiple subnets
- Single LAN
- VLANs (no tagging)
- VLANs (802.1q tagging)
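The ingress rules, egress rules and forwarding behaviour described above, modelled in Python as an added illustration (not NetScaler code): ports start as untagged members of VLAN 1, an untagged bind moves a port's PVID and removes it from its previous VLAN, a tagged bind does not, and the forwarder applies the FFF drop, the non-member drop, the no-member discard, source-MAC learning, and the L2-mode check. Interface numbers, VLAN IDs and MAC addresses are constructed.

```python
"""Model of NetScaler VLAN ingress/egress classification. Added illustration;
the interfaces, VLAN IDs and MAC addresses below are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DEFAULT_VID = 1          # permanent default VLAN; every port starts here untagged
DROP_VID = 0xFFF         # a tag value of FFF is always dropped at ingress
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vid: Optional[int] = None    # None = untagged, 0 = priority tag only


class VlanSwitch:
    def __init__(self, interfaces, l2_mode=True):
        self.l2_mode = l2_mode
        self.pvid: Dict[str, int] = {i: DEFAULT_VID for i in interfaces}
        # vid -> {ifnum: True if tagged member, False if untagged member}
        self.members: Dict[int, Dict[str, bool]] = {
            DEFAULT_VID: {i: False for i in interfaces}}
        self.fdb: Dict[Tuple[str, int], str] = {}   # (MAC, VID) -> interface

    def add_vlan(self, vid):
        if not 2 <= vid <= 4094:
            raise ValueError("VID must be 2..4094; VID 1 is the default VLAN")
        self.members.setdefault(vid, {})

    def bind(self, vid, ifnum, tagged=False):
        """Model of 'bind vlan <vid> -ifnum <ifnum> [-tagged]'."""
        if not tagged:
            # a port is an untagged member of one VLAN only, so it leaves its current one
            self.members[self.pvid[ifnum]].pop(ifnum, None)
            self.pvid[ifnum] = vid
        self.members[vid][ifnum] = tagged

    def unbind(self, vid, ifnum):
        """Model of 'unbind vlan <vid> -ifnum <ifnum>'; untagged ports return to VLAN 1."""
        self.members[vid].pop(ifnum, None)
        if self.pvid[ifnum] == vid:
            self.pvid[ifnum] = DEFAULT_VID
            self.members[DEFAULT_VID][ifnum] = False

    def ingress(self, ifnum, frame):
        """Ingress rules: the VID the frame is classified into, or None if dropped."""
        if frame.vid is None or frame.vid == 0:
            return self.pvid[ifnum]               # native VLAN of the receiving port
        if frame.vid == DROP_VID:
            return None
        if ifnum not in self.members.get(frame.vid, {}):
            return None                           # receiving port is not a member
        return frame.vid

    def forward(self, ifnum, frame):
        """Egress rules: {out_ifnum: tagged} for each port the frame is sent on.
        An empty dict means the frame was dropped."""
        vid = self.ingress(ifnum, frame)
        if vid is None or not self.l2_mode:
            return {}                             # no forwarding unless L2 mode is on
        members = self.members[vid]
        if not members:
            return {}                             # VLAN without members: discard
        self.fdb[(frame.src_mac, vid)] = ifnum    # learning: source MAC + VID
        out = self.fdb.get((frame.dst_mac, vid))
        if frame.dst_mac != BROADCAST and out in members and out != ifnum:
            return {out: members[out]}            # known unicast: one port, tag as needed
        # broadcast, multicast, or unknown destination: flood the VLAN,
        # never back out of the receiving port
        return {i: tagged for i, tagged in members.items() if i != ifnum}


def build_example():
    """Constructed setup: VLAN 2 untagged on 1/2, VLAN 3 tagged on 1/2 and 1/8."""
    sw = VlanSwitch(["1/1", "1/2", "1/3", "1/8"])
    sw.add_vlan(2)
    sw.bind(2, "1/2")                 # 1/2 leaves VLAN 1; its PVID becomes 2
    sw.add_vlan(3)
    sw.bind(3, "1/2", tagged=True)    # tagged member: 1/2 keeps VLAN 2 as native
    sw.bind(3, "1/8", tagged=True)    # 1/8 stays an untagged member of VLAN 1
    return sw


if __name__ == "__main__":
    sw = build_example()
    print(sw.ingress("1/2", Frame("00:00:00:00:00:aa", BROADCAST)))            # 2
    print(sw.ingress("1/1", Frame("00:00:00:00:00:aa", BROADCAST, vid=2)))     # None
    print(sw.forward("1/2", Frame("00:00:00:00:00:aa", BROADCAST, vid=3)))     # {'1/8': True}
    print(sw.forward("1/1", Frame("00:00:00:00:00:bb", BROADCAST)))            # {'1/3': False, '1/8': False}
```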
When you create VLANs that have only untagged network interfaces as their members, the total number of possible VLANs is limited to the number of network interfaces available in the NetScaler. If more IP subnets are required with a VLAN configuration, 802.1q tagging must be used. To create a VLAN, use the VLAN ID parameter described in the following table.

Basic Parameter for creating a VLAN

    VLAN Identifier (VID) (id)
        An integer from 1 to 4094 that uniquely identifies the VLAN to which a particular frame belongs. (The NetScaler supports a maximum of 4094 VLANs.) VID 1 is reserved for the default VLAN.

Use either of the following procedures to create a VLAN.

To create a VLAN using the configuration utility
1. In the navigation pane, expand Network and click VLANs.
2. On the VLANs page, click Add.
3. In the Create VLAN dialog box, in the VLAN Id text box, type the ID of the VLAN (for example, 2).
4. Click Create and click Close. The VLAN you added appears in the VLANs page.

To create a VLAN using the NetScaler command line

    add vlan Value

Example

    add vlan 2

Configuring VLANs in an HA Setup

VLAN configuration requires the NetScalers in a high-availability setup to have the same hardware configuration, and the VLANs configured on them must be mirror images. This happens automatically when the configuration is synchronized between NetScalers. The result is identical actions on all the NetScalers. For example, adding network interface 0/1 to VLAN 2 adds this network interface to VLAN 2 on all the participating NetScalers in the high-availability setup.
Note: If you use network interface-specific commands in an HA setup, the configurations you perform are not propagated to the other NetScaler. You must perform these commands on each NetScaler in an HA pair to ensure that the configuration of the two NetScalers in the HA pair remains synchronized.

Configuring VLANs on a Single Subnet

Before configuring a VLAN on a single subnet, make sure that Layer 2 mode is enabled. The following figure shows a single subnet environment.

VLAN on a Single Subnet

In the above figure:
1. The default router for the NetScaler and the servers is Router.
2. Layer 2 mode must be enabled on the NetScaler for the NetScaler to have direct access to the servers. For the procedure to enable Layer 2 mode, see Configuring Modes of Packet Forwarding.
3. For this subnet, a virtual server can be configured for load balancing on the NetScaler.

To configure a VLAN on a single subnet, follow the procedure described in Creating a VLAN, on page 46. VLAN configuration parameters are not required, because the network interfaces are members of this VLAN.
Configuring VLANs on Multiple Subnets

To configure a single VLAN across multiple subnets, you must add a VIP for the VLAN and configure the routing appropriately. The following figure shows a single VLAN configured across multiple subnets.

Multiple Subnets in a Single VLAN

To configure a single VLAN across multiple subnets, perform the following tasks:
1. Disable Layer 2 mode. For the procedure to disable Layer 2 mode, see Configuring Modes of Packet Forwarding.
2. Add a VIP. For the procedure to add a VIP, see Virtual IP Address (VIP).
3. Configure RNAT ID. For the procedure to configure the RNAT ID, see Reverse Network Address Translation, on page 24.

Note: The NetScaler supports only the procedure described in Adding a Static Route, on page 115, to add multiple IP subnets in single-subnet VLAN configurations.
Configuring Multiple Untagged VLANs across Multiple Subnets

In environments with multiple untagged VLANs across multiple subnets, a VLAN is configured for each IP subnet. A network interface is bound to one VLAN only. The following figure shows this configuration.

Multiple Subnets with VLANs - No Tagging

To implement the configuration shown in the above figure, perform the following tasks:
1. Add VLAN 2. For the procedure to create a VLAN, see Creating a VLAN.
2. Bind the 1/2 network interface of the NetScaler to VLAN 2 as an untagged network interface. For the procedure to bind a network interface to a VLAN, see Binding a Network Interface to a VLAN.
3. Bind the IP address and netmask to VLAN 2. For the procedure to bind an IP address to a VLAN, see Binding an IP Address to a VLAN, on page 52.
Configuring Multiple VLANs with 802.1q Tagging

For multiple VLANs with 802.1q tagging, each VLAN is configured with a different IP subnet. Each network interface is in one VLAN. One of the VLANs is set up as tagged. The following figure shows this configuration.

Multiple VLANs with IEEE 802.1q Tagging

To implement the configuration shown in the above figure, perform the following tasks:
1. Add VLAN 2. For the procedure to create a VLAN, see Creating a VLAN.
2. Bind the 1/2 network interface of the NetScaler to VLAN 2 as an untagged network interface. For the procedure to bind a network interface to a VLAN, see Binding a Network Interface to a VLAN.
3. Bind the IP address and netmask to VLAN 2. For the procedure to bind an IP address to a VLAN, see Binding an IP Address to a VLAN.
4. Add VLAN 3. For the procedure to create a VLAN, see Creating a VLAN.
5. Bind the 1/2 network interface of the NetScaler to VLAN 3 as a tagged network interface. For the procedure to bind a network interface to a VLAN, see Binding a Network Interface to a VLAN, on page 52. For the procedure to bind a tagged network interface, see Modifying a VLAN.
6. Bind the IP address and netmask to VLAN 3. For the procedure to bind an IP address to a VLAN, see Binding an IP Address to a VLAN, on page 52.

Binding a Network Interface to a VLAN

When you bind a network interface to a VLAN, the network interface is moved from the default VLAN. If the network interfaces need to be a part of more than one VLAN, you can bind the network interfaces to the VLANs as tagged members.

To bind a network interface to a VLAN using the configuration utility
1. In the navigation pane, expand Network and click VLANs.
2. On the VLANs page, select the VLAN to which you want to bind the network interface (for example, 2), and then click Open.
3. In the Modify VLAN dialog box, under Interfaces, select the Active check box corresponding to the interface that you want to bind to the VLAN (for example, 1/8).
4. Click OK.

To bind an interface to a VLAN using the NetScaler command line

    bind vlan Value -ifnum Value

Example

    bind vlan 2 -ifnum 1/8

Binding an IP Address to a VLAN

You can configure the NetScaler to forward traffic between VLANs at Layer 3. In this case, a VLAN is associated with a single IP subnet. The hosts in a VLAN that belong to a single subnet use the same subnet mask and one or more default gateways connected to that subnet. Configuring Layer 3 for a VLAN is optional. Layer 3 is used for IP forwarding (inter-VLAN routing). Each VLAN has a unique IP address and subnet mask that define an IP subnet for the VLAN. In an HA configuration, this IP address is shared with the other NetScalers. The NetScaler forwards packets between configured IP subnets (VLANs).
Note: When you configure the NetScaler, you must not create overlapping IP subnets. Doing so impedes Layer 3 functionality.

Each VLAN is a unique Layer 2 broadcast domain. Two VLANs, each bound to separate IP subnets, cannot be combined into a single broadcast domain. Forwarding traffic between two VLANs requires a Layer 3 forwarding (routing) device, such as the NetScaler.

For a VLAN, a route added to the route table defines the IP subnet for the VLAN. A route is added for the gateway, which is a SNIP. When you bind an IP address to a VLAN, the NetScaler need not use the bound IP address to proxy the traffic to the VLAN, and can select a SNIP or a MIP.

Note: For a VIP, you must assign a subnet mask to the VIP address before binding it to a VLAN, or the binding procedure fails. To assign a subnet mask to a VIP, use one of the procedures described in Configuring NetScaler-Owned IP Addresses, on page 1.

Use either of the following procedures to bind an IP address to a VLAN.

To bind an IP address to a VLAN using the configuration utility
1. In the navigation pane, expand Network and click VLANs.
2. On the VLANs page, select the VLAN for which you want to bind the IP address (for example, 2).
3. Click Open.
4. In the Modify VLAN dialog box, under IPs, select the Active check box corresponding to the IP address that you want to bind to the VLAN (for example, ).
5. Click OK.

To bind an IP address to a VLAN using the NetScaler command line

    bind vlan Value -IPAddress IPAddress Subnetmask

Example

    bind vlan 2 -IPAddress

Modifying a VLAN

Use either of the following procedures to modify a VLAN.
To modify a VLAN using the configuration utility
1. In the navigation pane, expand Network and click VLANs.
2. On the VLANs page, select the VLAN that you want to modify (for example, 2).
3. Click Open.
4. In the Modify VLAN dialog box, modify one or more settings. (For example, to tag an interface, under Interfaces, select the Tagged check box next to the name of the network interface that you want to tag.)
5. Click OK.

Note: To make a network interface a tagged member of a VLAN using the NetScaler command line, you must first unbind the network interface from the VLAN, and then bind it as a tagged member, as shown in the following procedure. For more information about unbinding a network interface from a VLAN, see Unbinding a Network Interface from a VLAN, on page 54.

To modify a VLAN using the NetScaler command line
Command vlan Value -ifnum Value [Argument]

Examples:
unbind vlan 2 -ifnum 1/8
bind vlan 2 -ifnum 1/8 -tagged

Managing VLANs

To manage VLANs, you can unbind network interfaces or IP addresses from VLANs, or remove VLANs.

Unbinding a Network Interface from a VLAN

Use either of the following procedures to unbind a network interface from a VLAN.

To unbind a network interface from a VLAN using the configuration utility
1. In the navigation pane, expand Network and click VLANs.
2. In the details pane, select the VLAN from which you want to unbind the network interface (for example, 2).
3. Click Open. The Modify VLAN dialog box appears.
4. Under Interfaces, clear the Active check box corresponding to the interface that you want to unbind from the VLAN (for example, 1/8).
5. Click OK.

To unbind an interface from a VLAN using the NetScaler command line
unbind vlan VID -ifnum Value

Example:
unbind vlan 2 -ifnum 1/8

Unbinding an IP Address from a VLAN

Use either of the following procedures to unbind an IP address from a VLAN.

To unbind an IP address from a VLAN using the configuration utility
1. In the navigation pane, expand Network and click VLANs.
2. In the details pane, select the VLAN from which you want to unbind the IP address (for example, 2), and then click Open.
3. In the Modify VLAN dialog box, under IPs, clear the Active check box corresponding to the IP address that you want to unbind from the VLAN (for example, ).
4. Click OK.

To unbind an IP address from a VLAN using the NetScaler command line
unbind vlan VID -IPAddress Address Mask

Example:
unbind vlan 2 -IPAddress

Removing a VLAN

When you remove a VLAN, its network interfaces are bound to the default VLAN. Use either of the following procedures.

To remove a VLAN using the configuration utility
1. In the navigation pane, expand Network and click VLANs.
2. On the VLANs page, select the VLAN that you want to remove (for example, 2), and then click Remove.
3. In the Remove dialog box, click Yes.

To remove a VLAN using the NetScaler command line
rm vlan Value

Example:
rm vlan 2

Verifying and Monitoring the Configuration

To verify your configuration, you can display properties such as the VLAN ID, members, and tagging of the configured VLANs. This information can also be useful for troubleshooting. You can also display VLAN statistics to monitor the health of your configuration.

Displaying VLANs

Use either of the following procedures to display the properties of the VLANs.

To display VLAN properties using the configuration utility
1. In the navigation pane, expand Network and click VLANs.
2. On the VLANs page, select a VLAN and verify that the settings are configured as intended.

To display VLAN properties using the NetScaler command line
sh vlan

Viewing the Statistics of a VLAN

You can view VLAN statistics such as packets received, bytes received, packets sent, and bytes sent, and use the information to identify anomalies or to debug a VLAN. Use either of the following procedures.

To view the statistics of a VLAN using the configuration utility
1. In the navigation pane, expand Network and click VLANs.
2. On the VLANs page, select the VLAN whose statistics you want to view (for example, 2).
3. Click Statistics.
To view the statistics of a VLAN using the NetScaler command line
stat vlan Value

Example:
stat vlan 2

Configuring Link Aggregation

Link aggregation combines data coming from multiple ports into a single high-speed link. Configuring link aggregation increases the capacity and availability of the communication channel between the NetScaler and other connected devices. An aggregated link is also referred to as a channel. You can configure channels manually, or you can use the Link Aggregation Control Protocol (LACP). You cannot apply LACP to a manually configured channel, nor can you manually configure a channel created by LACP.

Configuring Link Aggregation Manually

When you create a link aggregate channel, its state is DOWN until you bind it to an active interface. You can modify a channel at any time. You can remove channels, or you can enable or disable them.

Creating Link Aggregate Channels

To create a link aggregate channel, use the parameter described in the following table.

Basic Parameter for Creating a Channel
Channel ID (id): LA channel name, in the form LA/* (where * is an ID number for this channel).

Use either of the following procedures to create a link aggregate channel.

To create a link aggregate channel using the configuration utility
1. In the navigation pane, expand Network and click Channels.
2. On the Channels page, click Add.
3. In the Add Channel dialog box, in the Channel ID drop-down list, select the link aggregate ID that you want to add (for example, LA/1).
Note: Adding a channel without binding it to a network interface can cause a failover. To avoid this possibility, include the next step in this procedure. For more information about binding a link aggregate channel to an interface, see Binding a Network Interface to a Link Aggregate Channel, on page .

4. On the Bind/Unbind tab, select an interface to be bound (for example, 1/8).
5. Click Create and click Close. The link aggregate channel you added appears on the Channels page.

To create a link aggregate channel using the NetScaler command line
add channel Value -ifnum Value

Example:
add channel LA/1 -ifnum 1/8

Binding a Network Interface to a Link Aggregate Channel

When a network interface is bound to a channel, the channel parameters take precedence over the network interface parameters. (That is, the network interface parameters are ignored.) A network interface can be bound to only one channel. When a network interface is bound to a channel, it drops its VLAN configuration. When network interfaces are bound to a channel, either manually or by LACP, they are removed from the VLANs to which they originally belonged and are added to the default VLAN. However, you can bind the channel back to the old VLAN, or to a new one. For example, if you bind the network interfaces 1/2 and 1/3 to a VLAN with ID 2, and then bind them to a channel LA/1, the network interfaces are moved to the default VLAN, but you can bind them back to VLAN 2.

Use either of the following procedures to bind a network interface to a link aggregate channel.

To bind a link aggregate channel using the configuration utility
1. In the navigation pane, expand Network and click Channels.
2. In the details pane, select the channel that you want to bind to a network interface (for example, LA/1).
3. Click Open.
4. In the Modify Channel dialog box, in the Available Interface list box, select the network interface (for example, 1/8).
5. Click Add. The network interface you selected appears in the Configured list.
6. Click OK.

To bind a link aggregate channel using the NetScaler command line
bind channel ChannelValue InterfaceValue

Example:
bind channel LA/1 1/8

Modifying Link Aggregate Channels

To modify a link aggregate channel, use the parameters described in the following table.

Parameters for Modifying an LA Channel
State (state): Initial state for the channel. Possible values: ENABLED and DISABLED. Default: ENABLED.
Mode (Mode): Initial mode for the channel. Possible values: MANUAL, AUTO, and DESIRED.
Connection Distribution (conndistr): Connection distribution mode for the channel. Possible values: DISABLED and ENABLED.
MAC Distribution (macdistr): MAC distribution mode for the channel. Possible values: SOURCE, DESTINATION, and BOTH.
Speed (speed): Speed for the channel. Possible values: AUTO, 10, 100, and
Flow Control (flowcontrol): Flow control for the channel. Possible values: OFF, RX, TX, and RXTX.
HA Monitor (hamonitor): HA-monitoring control for the channel. Possible values: ON and OFF.
Trunk (trunk): Make this port a trunk port. Possible values: ON and OFF. Default: OFF. When ON, port membership in all VLANs is tagged. If 802.1q behavior with a native VLAN is required, use the OFF setting.
Parameters for Modifying an LA Channel (continued)
Alias (ifalias): Alias name for the channel.
Throughput (throughput): Minimum required throughput for the network interface.

Use either of the following procedures to modify a link aggregate channel.

To modify a link aggregate channel using the configuration utility
1. In the navigation pane, expand Network and click Channels.
2. In the details pane, select the channel that you want to modify (for example, LA/1), and then click Open.
3. In the Modify Channel dialog box, select or enter a new value. (For example, click the Settings tab and, in the Speed drop-down list box, select a speed, such as 100.)
4. Click OK.

To modify a link aggregate channel using the NetScaler command line
set channel Value -speed Value

Example:
set channel LA/1 -speed 100

Unbinding a Network Interface from a Link Aggregate Channel

Use either of the following procedures to unbind a network interface from a link aggregate channel.

To unbind a link aggregate channel using the configuration utility
1. In the navigation pane, expand Network and click Channels.
2. In the details pane, select the channel from which you want to unbind a network interface (for example, LA/1), and then click Open.
3. In the Modify Channel dialog box, in the Configured list box, select the network interface (for example, 1/8), and then click Remove. The network interface that you selected appears in the Available Interface list.
4. Click OK.

To unbind a link aggregate channel using the NetScaler command line
unbind channel Value Value

Example:
unbind channel LA/1 1/8

Removing Link Aggregate Channels

When a channel is removed, the network interfaces that were bound to it can induce network loops that decrease network performance. You must disable the network interfaces before you remove the channel. For information on disabling a network interface, see Enabling and Disabling Network Interfaces, on page 40.

The following example describes the procedure to remove the channel LA/1.

To remove a link aggregate channel using the configuration utility
1. In the navigation pane, expand Network and click Channels.
2. In the details pane, select the channel that you want to remove (for example, LA/1), and click Remove.
3. In the Remove dialog box, click Yes.

To remove a link aggregate channel using the NetScaler command line
rm channel Value

Example:
rm channel LA/1
Configuring the Link Aggregate Channel Protocol

The Link Aggregation Control Protocol (LACP) enables network devices to exchange link aggregation information by exchanging LACP Data Units (LACPDUs). To configure the link aggregate channel protocol, use the parameter described in the following table. This parameter sets the priority of the NetScaler globally.

System priority (syspriority): The LACP system priority. Possible values: 1 to Default:

Also, you can configure the following LACP parameters when you configure the network interface:
  LACP mode
  LACP time-out
  Port key
  Port priority
For more information about these parameters, see Configuring Network Interfaces, on page 38.

Note: LACP configurations are neither propagated nor synchronized. By default, LACP is disabled on all network interfaces. You cannot use LACP to modify channels that you created manually. Therefore, you cannot enable LACP on network interfaces that are members of a manually created channel. If LACP creates a channel dynamically, you cannot perform create, bind, unbind, or remove operations on that channel. However, you can configure parameters such as the distribution mode. LACP dynamically creates a channel, which is deleted when LACP is disabled on all of its member network interfaces.

To enable LACP on a network interface, use the procedure for modifying a network interface, which is described in Managing Network Interfaces, on page 40. When you enable LACP on a network interface, the NetScaler creates channels dynamically. The NetScaler currently supports two LACP channels, LA/1 and LA/2, selected by the LACP Key value. Therefore, if you enable LACP on a network interface and set the LACP Key to 1, the network interface is automatically bound to the channel LA/1.
Note: When enabling LACP on a network interface, you must specify the LACP Key at the same time.

The following example describes the procedure to configure the link aggregate channel protocol with a system priority of 12.

To configure a link aggregate channel protocol using the configuration utility
1. In the navigation pane, expand Network and click Interfaces.
2. On the Interfaces page, click Set LACP.
3. In the Configure LACP dialog box, in the System Priority text box, type the priority you want to configure (for example, 12).
4. Click OK.

To configure a link aggregate channel protocol using the NetScaler command line
set lacp -syspriority Value

Example:
set lacp -syspriority 12

Verifying the Configuration

To verify or troubleshoot your link aggregate channel configuration, you can display channel properties and LACP properties.

Displaying Link Aggregate Channels

You can display properties such as the channel ID, description, uptime, and VRID of the configured channels. Use either of the following procedures.

To display the link aggregate channels using the configuration utility
1. In the navigation pane, expand Network and click Channels.
2. On the Channels page, verify that your configured channels appear.
3. Select a channel (for example, LA/1) and verify that the parameters displayed are configured as intended.
To view link aggregate channels using the NetScaler command line
show channels

Displaying LACP Properties

You can display properties such as the system priority and system MAC of the configured channels and use the information for troubleshooting. Use either of the following procedures.

To view LACP properties using the configuration utility
1. In the navigation pane, expand Network and click Interfaces.
2. On the Interfaces page, click View LACP Details.
3. In the View LACP Details dialog box, click Close.

To view LACP properties using the NetScaler command line
show lacp

Configuring VMAC

The primary and secondary nodes in a high availability (HA) setup share a floating entity, the virtual MAC address (VMAC). The primary node owns the floating IP addresses (such as MIP, SNIP, and VIP) and responds to ARP requests for these IP addresses with its own MAC address. Therefore, the ARP table of an external device, such as an upstream router, is updated with the floating IP address and the MAC address of the primary node.

When a failover occurs, the secondary node takes over as the new primary node. The former secondary node uses GARP to advertise the floating IP addresses that it had learned from the old primary node. The MAC address that the new primary node advertises is the MAC address of its own network interface. Some devices (a few routers) do not accept these GARP messages. Therefore, these external devices retain the IP address-to-MAC address mapping that the old primary node had advertised. This can result in a GSLB site going down.

Therefore, you must configure a VMAC on both nodes of an HA pair. This means that both nodes have identical MAC addresses. When a failover occurs, the MAC address of the secondary node remains unchanged, and the ARP tables on the external devices do not need to be updated. For the procedures to configure a VMAC, see Chapter 6, High Availability.
Configuring the Bridge Table

The NetScaler bridges frames based on a bridge table lookup of the destination MAC address and the VLAN ID. However, the NetScaler performs this forwarding only when Layer 2 mode is enabled. For more information about enabling Layer 2 mode, see Configuring Modes of Packet Forwarding, on page 16.

The bridge table is generated dynamically, but you can display it, modify the parameter shown in the following table, and view bridging statistics.

Parameter for Modifying the Bridge Table
Bridge Age (bridgeage): The bridge ageing time, in seconds. Default: 300. Minimum value: 60. Maximum value: 300.

To display the bridge table, use either of the following procedures.

To display the bridge table using the configuration utility
1. In the navigation pane, expand Network and click Bridge Table.
2. On the Bridge Table page, optionally select an entry to display its properties at the bottom of the screen.

To view the bridge table using the NetScaler command line
show bridgetable

To change the ageing time for all bridge table entries, use either of the following procedures.

To modify the bridge table using the configuration utility
1. On the Bridge Table page, click Change Ageing Time.
2. In the Change Ageing Time dialog box, in the Ageing Time (seconds) text box, type the ageing time (for example, 70).
3. Click OK. All the MAC entries in the bridge table are updated with the new ageing time. The following figure shows an example.

[Figure: Bridge Table Page]

To modify the bridge table using the NetScaler command line
set bridgetable -bridgeage Value

Example:
set bridgetable -bridgeage 70

Use either of the following procedures to view the bridging statistics.

To view the statistics of a bridge table using the configuration utility
1. On the Bridge Table page, select the MAC address for which you want to view the statistics (for example, 00:12:01:0a:5f:46).
2. Click Statistics.

To view the statistics of a bridge table using the NetScaler command line
stat bridge

Path MTU Behavior

Depending on the installation type and configuration, the NetScaler can have some limitations in how it handles Path Maximum Transmission Unit Discovery. Therefore, you may have to change your configuration. Use either of the following procedures to enable or disable Path MTU discovery.
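The bridge table section above states the two facts that govern Layer 2 forwarding: the lookup key is the pair (destination MAC address, VLAN ID), and entries age out after bridgeage seconds, which set bridgetable -bridgeage limits to 60 through 300. The following model is an added example (not NetScaler code) that implements exactly those semantics so you can see them in action: the same MAC learned in VLAN 2 is unknown in VLAN 3, an entry that is not refreshed within the ageing time disappears and the frame is flooded again, and an out-of-range ageing time is rejected rather than silently clamped. The injectable clock, the interface names and all MAC addresses other than the guide's 00:12:01:0a:5f:46 are constructed for the demonstration.

```python
import time

# Documented limits for "set bridgetable -bridgeage": default 300, range 60..300.
BRIDGEAGE_DEFAULT, BRIDGEAGE_MIN, BRIDGEAGE_MAX = 300, 60, 300


class BridgeTable:
    """Learned (MAC, VLAN) -> interface entries with ageing.

    The clock is injectable (constructed convenience for testing) so ageing can
    be exercised without waiting; it defaults to the monotonic clock."""

    def __init__(self, bridgeage=BRIDGEAGE_DEFAULT, clock=time.monotonic):
        self._clock = clock
        self._entries = {}          # (mac, vlan) -> (ifnum, last_seen)
        self.set_bridgeage(bridgeage)

    def set_bridgeage(self, seconds):
        """Model of 'set bridgetable -bridgeage <seconds>': values outside the
        documented range are rejected instead of being clamped."""
        if not BRIDGEAGE_MIN <= seconds <= BRIDGEAGE_MAX:
            raise ValueError(f"bridgeage must be {BRIDGEAGE_MIN}..{BRIDGEAGE_MAX} seconds")
        self.bridgeage = seconds

    def _expire(self):
        now = self._clock()
        stale = [k for k, (_, seen) in self._entries.items() if now - seen > self.bridgeage]
        for k in stale:
            del self._entries[k]

    def learn(self, src_mac, vlan, ifnum):
        """Create or refresh the entry for a source MAC seen on ifnum in vlan."""
        self._entries[(src_mac.lower(), vlan)] = (ifnum, self._clock())

    def lookup(self, dst_mac, vlan):
        """Egress interface for (dst_mac, vlan), or None when the frame must be
        flooded within the VLAN: unknown destination, aged-out entry, or a MAC
        that was learned only in a different VLAN."""
        self._expire()
        entry = self._entries.get((dst_mac.lower(), vlan))
        return entry[0] if entry else None

    def forward(self, src_mac, dst_mac, vlan, in_ifnum):
        """Process one frame in Layer 2 mode: learn the source, then decide."""
        self.learn(src_mac, vlan, in_ifnum)
        out = self.lookup(dst_mac, vlan)
        if out is None:
            return "flood"
        if out == in_ifnum:
            return "filter"         # destination is on the ingress port; do not echo it back
        return out

    def entries(self):
        """Snapshot of live entries, in the spirit of 'show bridgetable'."""
        self._expire()
        return {k: v[0] for k, v in self._entries.items()}
```

Because expiry is evaluated lazily on every lookup, the table never hands out an egress port for a station that has been silent longer than the ageing time; that is the property to keep in mind when lowering bridgeage, as in the set bridgetable -bridgeage 70 example above.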
To enable or disable Path MTU discovery using the configuration utility
1. In the navigation pane, expand System and click Settings.
2. In the details pane, under the Modes and Features group, click Change modes.
3. In the Configure Modes dialog box, do one of the following:
   To enable Path MTU Discovery, select the Path MTU Discovery check box.
   To disable Path MTU Discovery, clear the Path MTU Discovery check box.
4. Click OK.
5. At the Enable/Disable Feature(s)? message, click Yes.

To enable or disable Path MTU discovery using the NetScaler command line
At the NetScaler command prompt, type one of the following:
enable ns mode pmtud
disable ns mode pmtud
CHAPTER 3
Access Control Lists (ACLs)

Access Control Lists (ACLs) are a means of filtering IP traffic and securing your network from unauthorized access. An ACL consists of a set of conditions or criteria that the NetScaler uses to allow or deny access. Consider a small organization that consists of three departments, Finance, HR, and Documentation, where no department wants another to access its data. The administrator of the organization can configure ACLs on the NetScaler to allow or deny access. When the NetScaler receives a data packet, it compares the information in the data packet with the conditions specified in the ACL and allows or denies access. The NetScaler supports simple ACLs, extended ACLs, and IPv6 ACLs.

In This Chapter
ACL Precedence
Configuring Simple ACLs
Configuring Extended ACLs
Configuring ACL6s
ACL Precedence

A packet that matches the conditions specified in a simple ACL is dropped. If no simple ACL matches the packet, the NetScaler compares the packet's characteristics to those specified in any configured extended ACLs. If the packet matches an extended ACL, the NetScaler applies the action specified in the extended ACL, as shown in the following diagram.

[Figure: Simple and Extended ACLs Flow Sequence]

Configuring Simple ACLs

Simple ACLs filter packets based only on their source IP address and, optionally, their destination port and/or their protocol. Any packet that has the characteristics specified in the ACL is dropped. A simple ACL, which uses few parameters, cannot be modified once created. When creating a simple ACL, you can specify a time to live (TTL), which expires the ACL after the specified number of seconds. ACLs with TTLs are not saved when you save the configuration. You can also remove a simple ACL manually. You can display simple ACLs to verify their configuration, and you can display statistics to monitor their performance.
Creating Simple ACLs

To create a simple ACL, use the parameters described in the following table. All the parameters except Name and TTL specify packet characteristics for matching packets to the ACL.

Basic Parameters for Configuring a Simple ACL
Name: Alphanumeric name of the ACL.
Action: What to do with matching packets. Possible value: DENY.
Protocol (protocol): Protocol in which packets arrive. Possible values: TCP and UDP. Default: either.
Source IP Address (subnet or host) (srcip): IP address of the source machine. You can also specify a range of addresses.
Destination Port: A destination port on the NetScaler. If you do not specify a port, you create an all-ports ACL, which matches any port. In that case, you cannot create another ACL specifying a specific port and the same source IP address.
TTL (TTL): The time after which this ACL expires, in seconds. Possible values: 1 to 0x7FFFFFFF. Default: the ACL does not expire.

Use either of the following procedures to create a simple ACL.

To create a simple ACL using the configuration utility
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the Simple ACLs tab, click Add.
3. In the Add Simple ACL dialog box, in the Name text box, type a name for the ACL (for example, rule1).
4. Optionally, from the Protocol drop-down list, select a protocol.
5. In the Source IP Address text box, type the IP address on which to filter (for example, ).
6. In the Destination Port text box, type the destination port on which to filter, or leave the text box blank to create an all-ports ACL.
7. Optionally, in the TTL text box, type the number of seconds after which the ACL is to expire.
8. Click Create and click Close.
The ACL you created appears on the ACLs page.

To create a simple ACL using the NetScaler command line
add simpleacl ACLname deny -srcip SourceIPAddress [-TTL Value]

Examples:
add simpleacl rule1 deny -srcip
add simpleacl block_20 deny -srcip -TTL 10

Removing Simple ACLs

This section describes how to remove a single simple ACL and how to remove all simple ACLs.

To remove a single simple ACL using the configuration utility
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the Simple ACLs tab, select the simple ACL that you want to remove (for example, rule1).
3. Click Remove.
4. In the Remove dialog box, click Yes.

To remove a single simple ACL using the NetScaler command line
remove simpleacl ACLname

Example:
remove simpleacl rule1

To remove all simple ACLs using the configuration utility
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the Simple ACLs tab, click Clear.
3. In the Clear Simple ACL(s) dialog box, click Yes.

To remove all simple ACLs using the NetScaler command line
clear simpleacl
Verifying or Troubleshooting the Configuration

You can display the configured ACLs for verification or troubleshooting. Use either of the following procedures.

To display simple ACLs using the configuration utility
1. In the navigation pane, expand Network and click ACLs.
2. On the ACLs page, click the Simple ACLs tab.
3. Optionally, select an ACL (for example, rule1) to display its properties at the bottom of the screen.

To view a simple ACL using the NetScaler command line
show simpleacl [ACLname]

Examples:
show simpleacl
show simpleacl rule1

Monitoring Simple ACLs

The following table describes the statistics you can display for simple ACLs.

Simple ACL Statistics
Deny SimpleACL hits: Packets dropped because they match a deny simple ACL.
SimpleACL hits: Packets matching a simple ACL.
SimpleACL misses: Packets not matching any simple ACL.
SimpleACL count: Number of simple ACLs configured.

Use either of the following procedures to display the statistics.

To display simple ACL statistics using the configuration utility
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, select the ACL whose statistics you want to view (for example, rule1).
3. Click Statistics.
To view simple ACL statistics using the NetScaler command line
stat simpleacl [ACLname]

Examples:
stat simpleacl rule1
stat simpleacl

Configuring Extended ACLs

Extended ACLs filter data packets based on various parameters, such as source IP address, source port, action, and protocol. An extended ACL defines the conditions that a packet must satisfy for the NetScaler to process the packet, bridge the packet, or drop the packet. These actions are known as processing modes. The processing modes are:
ALLOW: The NetScaler processes the packet.
BRIDGE: The NetScaler bridges the packet to the destination without processing it.
DENY: The NetScaler drops the packet.

The NetScaler processes an IP packet directly when both of the following conditions exist:
ACLs are configured on the NetScaler.
The IP packet does not match any of the ACLs.

The NetScaler does not apply ACLs to self-originated packets. For example, suppose you create an ACL, blockping, that denies packets to the destination IP address . When the NetScaler sends a ping request to , the request is not evaluated by the blockping ACL, because the traffic originated from the NetScaler.

Many users begin by creating basic extended ACLs and then modifying them. To activate a new ACL, you must apply it. To deactivate an ACL, you can either remove or disable it. You can change the priority number of an extended ACL to give it a higher or lower precedence. You can perform various other modifications, and you can configure ACL logging. You should verify your configuration, and you can monitor ACL statistics. You can also configure RNAT by using extended ACLs. For more information about using ACLs with RNAT, see Configuring RNAT by Using ACLs, on page 27.

You cannot create two ACLs with the same parameters. If you attempt to create a duplicate, an error message appears.
Note: If you configure both simple and extended ACLs, simple ACLs take precedence over extended ACLs.

Creating a Basic Extended ACL

The following table describes the parameters you use to create a basic extended ACL.

Basic Parameters for Configuring an Extended ACL
Name: Alphanumeric name of the ACL.
Source IP Address (subnet or host) (srcip): IP address of the source machine. You can also specify a range of addresses. You can also specify an IP address with a value of
Action: The action associated with the ACL. The valid options for this parameter are BRIDGE, DENY, and ALLOW.
Operator: You can use the following operators while creating ACLs: = and !=.

The following example describes the procedure to create an ACL named rule1. The NetScaler drops IP packets originating from a device whose source IP address is between and .

To create an extended ACL using the configuration utility
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the Extended ACLs tab, click Add.
3. In the Add ACL dialog box, in the Name text box, type the name of the ACL (for example, rule1).
4. In the Action and Operator list boxes, select the action and operator that you want to configure (for example, DENY and =).
5. Under Source, in the Low and High text boxes, type the IP addresses (for example, and ).
6. Click Create and click Close. The ACL you created appears on the ACLs page.
To create an extended ACL using the NetScaler command line
add ns acl ACLname ACLaction -srcip SourceIPAddressRange

Example:
add ns acl rule1 deny -srcip

Applying an ACL

After you create an extended ACL, you must activate it by using the following procedure. This procedure re-applies all the ACLs. For example, if you have created the ACLs rule1 through rule10, and then you create rule11 and apply it, all of the ACLs (rule1 through rule11) are freshly applied. If a session has a DENY ACL related to it, the session is destroyed. You must perform this procedure after every action you perform on an ACL. For example, you must follow this procedure after disabling an ACL.

Note: Extended ACLs created on the NetScaler do not take effect until they are applied.

To apply an ACL using the configuration utility
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the Extended ACLs tab, select the ACL that you want to apply (for example, rule1).
3. Click Commit.
4. In the Apply ACL(s) dialog box, click Yes.

To apply an ACL using the NetScaler command line
apply ns acls

Removing Extended ACLs

This section describes how to remove a single extended ACL and how to remove all extended ACLs.

To remove a single extended ACL using the configuration utility
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the Extended ACLs tab, select the ACL that you want to remove (for example, rule1).
3. Click Remove.
4. In the Remove dialog box, click Yes.

To remove a single extended ACL using the NetScaler command line
rm ns acl ACLname

Example:
rm ns acl rule1

To remove all extended ACLs using the configuration utility
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the Extended ACLs tab, click Clear.
3. In the Clear ACL(s) dialog box, click Yes.

To remove all extended ACLs using the NetScaler command line
clear ns acls

Enabling and Disabling ACLs

This section describes the procedures to enable or disable extended ACLs. By default, ACLs are enabled. This means that when ACLs are applied, the NetScaler compares incoming packets against the configured ACLs. If an ACL is not required to be part of the lookup table but needs to be retained in the configuration, it must be disabled before the ACLs are applied. After the ACLs are applied, the NetScaler does not compare incoming packets against disabled ACLs.

To enable or disable an extended ACL using the configuration utility
1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the Extended ACLs tab, select the ACL (for example, rule1) and do one of the following:
   To enable the extended ACL, click Enable.
   To disable the extended ACL, click Disable.
To enable or disable an extended ACL using the NetScaler command line
enable ns acl ACLname
disable ns acl ACLname

Examples:
enable ns acl rule1
disable ns acl rule1

Renumbering ACLs

This section describes the procedure to renumber ACLs. This procedure resets the priorities of the ACLs to multiples of 10. For more information about priorities, see Modifying Extended ACLs, on page 78.

To renumber ACLs using the configuration utility
1. In the navigation pane, expand Network, and then click ACLs.
2. In the details pane, on the Extended ACLs tab, click Renumber Priority(s) ACL(s).
3. In the Renumber Priority(s) ACL(s) dialog box, click Yes.

To renumber ACLs using the NetScaler command line
renumber ns acls

Modifying Extended ACLs

This section describes the procedure to modify extended ACLs. You can configure the priority of an ACL. The priority (an integer value) defines the order in which the NetScaler evaluates ACLs. All priorities are multiples of 10, unless you set a specific priority to another integer value. When you create an ACL without specifying a priority, the NetScaler automatically assigns a priority that is a multiple of 10.
If a packet matches the condition defined by an ACL, the NetScaler performs that ACL's action. If the packet does not match the condition, the NetScaler compares the packet against the ACL with the next-highest priority.

To modify the extended ACL, use the parameters listed in the following table.

Parameters for customizing an Extended ACL

Source PORT (srcport)
    The port address of the source system. You can specify a range or a specific port address. You can also specify a port address with a value of 0.

Destination IP Address (subnet or host) (destip)
    The IP address of the destination system. You can specify a range or a specific address. You can also specify an IP address with a value of

Destination PORT (destport)
    The port address of the destination system. You can specify either a range or a specific port address. You can also specify a port address with a value of 0.

Source MAC Address (srcmac)
    The MAC address of the source system. Only the last 32 bits are considered during a lookup.

Protocol (protocol)
    The protocol field in the IP header. Possible values: ICMP, IGMP, TCP, EGP, IGP, ARGUS, UDP, RDP, RSVP, EIGRP, L2TP, and ISIS.

Protocol Number (protocolnumber)
    The IP protocol number (decimal). The minimum value is 1 and the maximum value is 255.

VLAN ID (vlan)
    The VLAN ID present in the VLAN tag of the packet. The minimum value is 1 and the maximum value is 255.

Interface (interface)
    The network interface on which the packet arrived.

ICMP Type (icmptype)
    The ICMP message type. For example, to block DESTINATION UNREACHABLE messages, specify 3 as the ICMP type. For a complete list of ICMP types, see icmp-parameters. The minimum value is 0 and the maximum value is 255.

ICMP Code (icmpcode)
    The ICMP message code. For example, to block DESTINATION HOST UNREACHABLE messages, specify 3 as the ICMP type and 1 as the ICMP code. For a complete list of ICMP types, see assignments/icmp-parameters. The minimum value is 0 and the maximum value is 255.

State (state)
    The state of the ACL. Possible values: ENABLED and DISABLED. Default: ENABLED.

Priority (priority)
    The priority of the ACL. The minimum value is 0 and the maximum value is
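The following is an added example, not Citrix code, that models how the parameters above drive extended ACL lookup: rules are tried in ascending priority order, the first enabled rule whose source, destination, protocol and port conditions match decides the action, a rule created without a priority is given the next multiple of 10 (the exact allocation is an assumption), and renumbering resets priorities to 10, 20, 30 in evaluation order. It also shows why a narrower ALLOW that must precede a broad DENY at priority 30 is inserted at 25. The Acl and Packet types, the rule names and all addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Tuple

ALLOW, DENY, BRIDGE = "ALLOW", "DENY", "BRIDGE"


def ip_range(low: str, high: str):
    """Inclusive address range, the 'Low'/'High' boxes of the configuration utility."""
    return (ip_address(low), ip_address(high))


@dataclass
class Acl:
    name: str
    action: str                               # ALLOW, DENY or BRIDGE
    srcip: Optional[Tuple] = None             # (low, high) from ip_range(); None = any
    destip: Optional[Tuple] = None
    protocol: Optional[str] = None            # "TCP", "UDP", "ICMP", ...; None = any
    srcport: Optional[Tuple[int, int]] = None
    destport: Optional[Tuple[int, int]] = None
    state: str = "ENABLED"                    # DISABLED rules stay configured but are skipped
    priority: Optional[int] = None            # None = let the table assign a multiple of 10


@dataclass
class Packet:
    srcip: str
    destip: str
    protocol: str
    srcport: int = 0
    destport: int = 0


def _in_range(value, bounds) -> bool:
    """A field left unset (None) does not constrain the match."""
    return bounds is None or bounds[0] <= value <= bounds[1]


def matches(acl: Acl, pkt: Packet) -> bool:
    if acl.protocol is not None and acl.protocol != pkt.protocol:
        return False
    return (_in_range(ip_address(pkt.srcip), acl.srcip)
            and _in_range(ip_address(pkt.destip), acl.destip)
            and _in_range(pkt.srcport, acl.srcport)
            and _in_range(pkt.destport, acl.destport))


class AclTable:
    def __init__(self):
        self.acls = []

    def ordered(self):
        return sorted(self.acls, key=lambda a: a.priority)

    def add(self, acl: Acl) -> Acl:
        """Like 'add ns acl': without an explicit priority the rule gets the next
        multiple of 10 above the current highest (assumed allocation rule)."""
        if acl.priority is None:
            highest = max((a.priority for a in self.acls), default=0)
            acl.priority = (highest // 10 + 1) * 10
        self.acls.append(acl)
        return acl

    def renumber(self):
        """Like 'renumber ns acls': priorities become 10, 20, 30, ... in evaluation order."""
        for n, acl in enumerate(self.ordered(), start=1):
            acl.priority = n * 10
        return [a.priority for a in self.ordered()]

    def lookup(self, pkt: Packet):
        """Lowest priority value is evaluated first; the first enabled match decides.
        A packet matching no ACL is processed normally, reported here as (None, ALLOW)."""
        for acl in self.ordered():
            if acl.state == "ENABLED" and matches(acl, pkt):
                return acl.name, acl.action
        return None, ALLOW


def demo():
    """Constructed scenario: a broad DENY at priority 30 and a narrower ALLOW that
    must run before it, so it is inserted at priority 25 (between 20 and 30)."""
    table = AclTable()
    table.add(Acl("rule1", DENY, srcip=ip_range("192.0.2.10", "192.0.2.20"),
                  protocol="TCP", priority=20))
    table.add(Acl("rule2", DENY, destip=ip_range("198.51.100.0", "198.51.100.255"),
                  protocol="TCP", priority=30))
    rule3 = table.add(Acl("rule3", ALLOW, destip=ip_range("198.51.100.5", "198.51.100.5"),
                          protocol="TCP", destport=(443, 443), priority=25))
    rule4 = table.add(Acl("rule4", BRIDGE, protocol="UDP"))   # auto priority: 40
    to_web = Packet("203.0.113.7", "198.51.100.5", "TCP", 51000, 443)
    results = {"rule4_priority": rule4.priority, "exception": table.lookup(to_web)}
    rule3.state = "DISABLED"   # 'disable ns acl rule3' followed by 'apply ns acls'
    results["after_disable"] = table.lookup(to_web)
    results["blocked_source"] = table.lookup(Packet("192.0.2.15", "198.51.100.5", "TCP", 4000, 443))
    results["no_match"] = table.lookup(Packet("203.0.113.7", "198.51.100.9", "ICMP"))
    results["renumbered"] = table.renumber()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Disabling rule3 without removing it shows the retained-but-skipped behaviour described under Enabling and Disabling ACLs: the same HTTPS packet that rule3 allowed falls through to rule2 and is denied.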
Consider the following example. Two ACLs, rule1 and rule2, are configured on the NetScaler and automatically assigned priorities 20 and 30. You need to add a third ACL, rule3, to be evaluated immediately after rule1. Rule3 must therefore have a priority between 20 and 30; in this case, you can specify the priority as 25.

The following procedure describes the steps to set the priority of rule1 to 20.

To modify the priority of an ACL using the configuration utility

1. In the navigation pane, expand Network and click ACLs.
2. In the ACLs page, on the Extended ACLs tab, select the ACL that you want to modify (for example, rule1).
3. Click Open.
4. In the Configure ACL(s) dialog box, in the Priority text box, type the priority that you want to configure on the ACL (for example, 20).
5. Click OK.

To modify the priority of an ACL using the NetScaler command line

set acl ACLname -priority Value

Example:

set acl rule1 -priority 20

Configuring Access Control List (ACL) Logging

You can configure the NetScaler to log details for packets that match an extended ACL. In addition to the ACL name, the logged details include packet-specific information such as the source and destination IP addresses. The information is stored either in the syslog file or in the nslog file, depending on the type of global logging (syslog or nslog) that is enabled.

Logging can be enabled at both the global level and the ACL level. However, to enable logging at the ACL level, you must also enable it at the global level; the global setting takes precedence. For instructions on how to enable logging globally, see Configuring the Citrix NetScaler Audit Server Log.

To optimize logging, when multiple packets from the same flow match an ACL, only the first packet's details are logged, and a counter is incremented for every other packet that belongs to the same flow.
A flow is defined as a set of packets that have the same values for the following parameters:

Source IP address
Destination IP address
Source port
Destination port
Protocol

If a packet is not from the same flow, or if the mean time has elapsed, a new flow is created. The mean time is the period during which further packets of the same flow do not generate additional log messages (although the counter is incremented).

Note: The total number of different flows that can be logged at any given time is limited to 10,000.

The following table describes the parameters with which you can configure ACL logging at the rule level for extended ACLs.

Logging Parameters of an Extended ACL

Logstate (logstate)
    State of the logging feature for the ACL. Possible values: Enabled or Disabled. Default: Disabled.

RateLimit (ratelimit)
    Number of log messages that a specific ACL can generate. Default: 100.

Use either of the following procedures to configure logging for an ACL and specify the number of log messages that the rule can generate.

To configure ACL logging using the configuration utility

1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, click the Extended ACLs tab, and then select the ACL for which you want to configure logging (for example, rule1).
3. Click Open.
4. In the Modify ACL dialog box, select the Log State check box.
5. In the Log Rate Limit text box, type the rate limit that you want to specify for the rule (for example, 200), and click OK.

To configure ACL logging using the NetScaler command line

set acl NameOfRule -logstate enabled -ratelimit Value
Example:

set acl rule1 -logstate enabled -ratelimit 200

Verifying the Configuration

This section describes the procedure to verify the ACLs that you have configured, which can be useful for troubleshooting. You can view properties such as the name, action, and protocol of the configured ACLs. Use the following procedure to view the extended ACLs.

To view extended ACLs using the configuration utility

1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, click the Extended ACLs tab. The details of the available ACLs appear on this page.
3. Verify that the configured ACL, rule1, appears.
4. Select the ACL, rule1, and in the Details section, verify that the parameters displayed are as configured.

To view extended ACLs using the NetScaler command line

show ns acl

Monitoring the Extended ACL

This section describes the procedure to view the statistics of an extended ACL. The following table lists the statistics associated with extended ACLs and their descriptions.

Extended ACL Statistics

Allow ACL hits
    Packets matching ACLs with processing mode set to ALLOW. The NetScaler processes these packets.

NAT ACL hits
    Packets matching a NAT ACL, resulting in a NAT session.

Deny ACL hits
    Packets dropped because they match ACLs with processing mode set to DENY.

Bridge ACL hits
    Packets matching a bridge ACL, which in transparent mode bypasses service processing.

ACL hits
    Packets matching any ACL.

ACL misses
    Packets not matching any ACL.
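The following added example, which is not Citrix code, models two things described above: how ACL logging collapses the packets of one flow (same source and destination address, ports and protocol) into a single log line plus a counter until the mean time elapses, subject to the ACL's rate limit, and how the hit and miss statistics in the table are accumulated for every packet whether or not it is logged. Packets arrive already classified by the ACL lookup (the matching ACL name, or None, and its action). The 60-second mean time, the treatment of an exhausted rate limit (flow tracked but not logged) and all sample traffic are constructed assumptions; the page gives the rate limit default but not the mean time.

```python
from collections import Counter

MEAN_TIME = 60.0   # assumed window in seconds; the page does not state the value
# The page caps distinct logged flows at 10,000 at any time; that cap is not modelled here.


class AclLogger:
    """One log line per (ACL, flow); repeats inside the mean time only bump a counter."""

    def __init__(self, ratelimit=100, mean_time=MEAN_TIME):
        self.ratelimit = ratelimit    # '-ratelimit' of the ACL (default 100 on the page)
        self.mean_time = mean_time
        self.flows = {}               # (acl, src, dst, sport, dport, proto) -> [first_seen, count]
        self.messages = []            # emitted log lines, in order
        self.emitted = Counter()      # log lines emitted per ACL (checked against ratelimit)
        self.stats = Counter()        # the counters of the statistics table above

    def packet(self, ts, src, dst, sport, dport, proto, acl, action):
        """Account for one packet already classified by the ACL lookup.
        Returns the log line if one was emitted, else None."""
        if acl is None:
            self.stats["ACL misses"] += 1
            return None
        self.stats["ACL hits"] += 1
        self.stats[action.capitalize() + " ACL hits"] += 1
        key = (acl, src, dst, sport, dport, proto)
        entry = self.flows.get(key)
        if entry is not None and ts - entry[0] < self.mean_time:
            entry[1] += 1             # same flow inside the window: count, do not log
            return None
        # Either a new flow or the old one aged past the mean time: start a fresh flow.
        self.flows[key] = [ts, 1]
        if self.emitted[acl] >= self.ratelimit:
            return None               # assumed: rate limit exhausted, flow tracked but not logged
        line = f"ACL {acl} {action} {proto} {src}:{sport} -> {dst}:{dport}"
        self.messages.append(line)
        self.emitted[acl] += 1
        return line

    def flow_count(self, acl, src, dst, sport, dport, proto):
        entry = self.flows.get((acl, src, dst, sport, dport, proto))
        return entry[1] if entry else 0


def demo():
    """Constructed traffic: four packets of one denied flow, a second denied flow,
    a packet matching nothing, an allowed flow, then the first flow again after
    the mean time has elapsed."""
    log = AclLogger(ratelimit=200)
    flow_a = ("192.0.2.15", "198.51.100.5", 4000, 443, "TCP")
    flow_b = ("192.0.2.16", "198.51.100.5", 4001, 443, "TCP")
    for ts in (0.0, 0.5, 1.0, 2.0):
        log.packet(ts, *flow_a, "rule1", "DENY")
    log.packet(3.0, *flow_b, "rule1", "DENY")
    log.packet(4.0, "203.0.113.7", "198.51.100.9", 5000, 53, "UDP", None, None)
    log.packet(4.5, "203.0.113.8", "198.51.100.9", 5001, 80, "TCP", "rule3", "ALLOW")
    in_window = log.flow_count("rule1", *flow_a)           # 4 packets, 1 log line
    log.packet(61.0, *flow_a, "rule1", "DENY")             # beyond mean time: new flow
    # A tight rate limit: five distinct denied flows, only two log lines.
    limited = AclLogger(ratelimit=2)
    for n in range(5):
        limited.packet(0.0, f"192.0.2.{100 + n}", "198.51.100.5", 5000 + n, 443, "TCP",
                       "rule1", "DENY")
    return {"messages": len(log.messages),
            "flow_a_in_window": in_window,
            "flow_a_after_window": log.flow_count("rule1", *flow_a),
            "stats": dict(log.stats),
            "rate_limited_messages": len(limited.messages)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical consequence for detection work is that a log line count is not a packet count: the counter and the statistics (ACL hits, Deny ACL hits) carry the volume, while the log carries one entry per flow per mean-time window, capped by the rate limit.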
Use the following procedure to view the statistics of the extended ACLs: ACL hits, NAT ACL hits, Allow ACL hits, Deny ACL hits, Bridge ACL hits, and ACL misses.

To view the statistics of an extended ACL using the configuration utility

1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the Extended ACLs tab, select the ACL whose statistics you want to view (for example, rule1).
3. Click Statistics.

To view the statistics of an extended ACL using the NetScaler command line

stat ns acl ACLname

Example:

stat ns acl rule1

Configuring RNAT by Using Extended ACLs

You can configure the NetScaler to use a unique IP address for traffic that matches an extended ACL. This section describes how to configure RNAT and then apply the extended ACL, so that the source IP address and destination port of matching packets are changed.

Note: ACL-based RNAT is not applied to traffic originating from the NetScaler.

Changing the Source IP and Destination Port Based on an ACL

The steps to change the source IP and destination port based on an ACL are divided into the following tasks:

1. Configure the ACL.
2. Configure RNAT to change the source IP address and destination port.
3. Apply the ACL.
This is illustrated in the following figure.

Changing Source IP Address and Port

In the following procedure, an ACL, acl1, that allows traffic originating from a server with IP address to an external client is configured. The protocol is specified as TCP.

To configure an ACL using the configuration utility

1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the Extended ACLs tab, click Add.
3. In the Add ACL dialog box, in the Name text box, type the name of the ACL (for example, acl1).
4. In the Action, Operator, and Protocol drop-down lists, select the action, operator, and protocol that you want to configure (for example, ALLOW, =, and TCP).
5. Under Source, in the Low and High text boxes, type the IP addresses (for example, and ).
6. Under Destination, in the Low and High text boxes, type the IP addresses (for example, and ).
7. Click Create and click Close.

To configure an ACL using the NetScaler command line

add acl ACLname ACLaction -srcip SourceIPAddress -destip DestinationIPAddress -protocol Value

Example:

add acl acl1 allow -srcip destip -protocol TCP

In the following procedure, an RNAT is configured to replace the source IP address of packets related to the example ACL, acl1, with the NAT IP address. The destination port is configured to

To set RNAT to change the source IP address and destination port using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. In the details pane, on the RNAT tab, click Configure RNAT.
3. In the Configure RNAT dialog box, click the ACL radio button.
4. In the ACL Name drop-down list box, select the ACL that you want to configure (for example, acl1).
5. In the Redirect Port text box, type the port (for example, 8080).
6. In the Available NAT IP(s) list box, select the NAT IP address that you want to configure (for example, ).
7. Click Add. The NAT IP you selected appears in the Configured NAT IP(s) list box.
8. Click Create, and click Close.

To set RNAT to change the source IP address and destination port using the NetScaler command line

set rnat ACLname -natip NATIPAddress -redirectport Value

Example:

set rnat acl1 -natip redirectport 8080

To apply an ACL

You must apply the ACL for it to take effect. For instructions on how to apply an extended ACL using the configuration utility, see Applying an ACL, on page 76.

To apply an ACL using the NetScaler command line

apply ns acls
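The following is an added example, not Citrix code, of what the ACL-based RNAT configured above does to a packet: traffic that matches the ACL's source range, destination range and protocol leaves with its source address replaced by the NAT IP and its destination port replaced by the redirect port, with a translated source port drawn from the mapped-port range that starts at 1024; traffic that misses the ACL, and traffic originating from the NetScaler itself, passes untouched. The addresses, the NetScaler IP (NSIP) and the one-port-per-client-socket mapping are constructed assumptions for the example.

```python
from ipaddress import ip_address

NSIP = ip_address("192.168.1.2")   # assumed NetScaler IP; its own traffic is never translated
MAPPED_PORT_LOW = 1024             # page: mapped ports start at 1024 (upper bound elided there)


def acl_matches(acl, pkt):
    """Minimal matcher for an 'add acl ... -srcip -destip -protocol' rule."""
    src_lo, src_hi = (ip_address(a) for a in acl["srcip"])
    dst_lo, dst_hi = (ip_address(a) for a in acl["destip"])
    return (src_lo <= ip_address(pkt["src"]) <= src_hi
            and dst_lo <= ip_address(pkt["dst"]) <= dst_hi
            and acl["protocol"] == pkt["protocol"])


class AclRnat:
    """'set rnat <acl> -natip <ip> -redirectport <port>' applied to outbound packets."""

    def __init__(self, acl, natip, redirectport=None):
        self.acl = acl
        self.natip = natip
        self.redirectport = redirectport
        self.next_port = MAPPED_PORT_LOW
        self.sessions = {}             # (original src, original sport) -> mapped sport

    def translate(self, pkt):
        """Return (packet as forwarded, translated?)."""
        if ip_address(pkt["src"]) == NSIP:       # ACL-based RNAT skips NetScaler-originated traffic
            return dict(pkt), False
        if not acl_matches(self.acl, pkt):
            return dict(pkt), False
        key = (pkt["src"], pkt["sport"])
        if key not in self.sessions:              # assumed: one mapped port per client socket
            self.sessions[key] = self.next_port
            self.next_port += 1
        out = dict(pkt, src=self.natip, sport=self.sessions[key])
        if self.redirectport is not None:
            out["dport"] = self.redirectport
        return out, True


def demo():
    """Constructed setup: acl1 allows TCP from the 192.168.1.0/24 servers to
    198.51.100.0/24; the RNAT rewrites the source to 203.0.113.10 and the
    destination port to 8080."""
    acl1 = {"name": "acl1", "action": "ALLOW",
            "srcip": ("192.168.1.1", "192.168.1.254"),
            "destip": ("198.51.100.1", "198.51.100.254"),
            "protocol": "TCP"}
    rnat = AclRnat(acl1, natip="203.0.113.10", redirectport=8080)
    server = {"src": "192.168.1.15", "dst": "198.51.100.7", "sport": 40001, "dport": 80,
              "protocol": "TCP"}
    first, t1 = rnat.translate(server)
    second, t2 = rnat.translate(dict(server, sport=40002))    # second socket, same server
    other, t3 = rnat.translate(dict(server, src="10.1.1.5"))  # outside the ACL's source range
    udp, t4 = rnat.translate(dict(server, protocol="UDP"))    # wrong protocol
    own, t5 = rnat.translate(dict(server, src=str(NSIP)))     # in range, but NetScaler's own traffic
    return {"first": (first["src"], first["sport"], first["dport"], t1),
            "second": (second["src"], second["sport"], second["dport"], t2),
            "untouched": [t3, t4, t5],
            "other_dport": other["dport"]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last case matters when reading logs from the far side: a connection that appears to come from the NetScaler's own address is not ACL-based RNAT traffic, because that exemption is built into the feature.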
Note: The NetScaler uses ports 1024 to for mapped IP addresses and subnet IP addresses.

Configuring ACL6s

ACL6s are ACLs created specifically for IPv6 addresses. Like extended ACLs, ACL6s filter packets based on packet parameters such as source IP address, source port, action, and so on. An ACL6 defines the condition that a packet must satisfy for the NetScaler to process, bridge, or drop the packet. These actions are known as processing modes:

ALLOW - The NetScaler processes the packet.
BRIDGE - The NetScaler bridges the packet to the destination without processing it.
DENY - The NetScaler drops the packet.

The NetScaler processes an IP packet directly when both of the following conditions exist:

ACL6s are configured on the NetScaler.
The IP packet does not match any of the ACL6s.

The NetScaler does not apply ACL6s to self-originated packets.

Creating ACL6s

You cannot create two ACL6s with the same parameters. If you attempt to create a duplicate, an error message appears. To create an ACL6, use the parameters described in the following table.

Basic Parameters for configuring an ACL6

Name
    The alphanumeric name of the ACL6.

Source IP Address (subnet or host) (srcipv6)
    The IPv6 address of the source system. You can specify a range or a specific address. You can also specify an IP address with a value of

Action
    The action associated with the ACL6. Possible values: BRIDGE, DENY, and ALLOW.

Operator
    You can use the following operators while creating ACL6s: = and !=.
The following example describes the procedure to create an ACL6 named rule. The NetScaler drops IP packets originating from the device when its source IP address is between and

To create an ACL6 using the configuration utility

1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the ACL6s tab, click Add.
3. In the Add ACL6 dialog box, in the Name text box, type the name of the ACL6 (for example, rule1).
4. In the Action and Operator list boxes, select the action and operator that you want to configure (for example, DENY and =).
5. Under Source, in the Low and High text boxes, type the IP addresses (for example, and ).
6. Click Create and click Close. The ACL6 you created appears in the ACL6s page.

To create an ACL6 using the NetScaler command line

add ns acl6 ACLname ACLaction -srcip SourceIPAddressRange

Example:

add ns acl6 rule1 deny -srcip

Applying ACL6s

After you create an ACL6, you must activate it by using the following procedure. This procedure reapplies all ACL6s. For example, if you have created ACL6s rule1 through rule10, and then create and apply rule11, all of the ACL6s (rule1 through rule11) are freshly applied. If a session has a DENY ACL6 related to it, the session is destroyed. You must perform this procedure after every action you take on an ACL6, for example, after disabling an ACL6.

Note: ACL6s created on the NetScaler do not work until they are applied.
To apply an ACL6 using the configuration utility

1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the ACL6s tab, select the ACL6 that you want to apply (for example, rule1).
3. Click Commit.
4. In the Apply ACL(s) dialog box, click Yes.

To apply an ACL6 using the NetScaler command line

apply ns acls6

Removing ACL6s

This section describes the procedure to remove ACL6s.

To remove an ACL6 using the configuration utility

1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the ACL6s tab, select the ACL6 that you want to remove (for example, rule1).
3. Click Remove.
4. In the Remove dialog box, click Yes.

To remove an ACL6 using the NetScaler command line

rm ns acl6 ACLname

Example:

rm ns acl6 rule1

Removing all ACL6s

This procedure provides instructions for removing all the configured ACL6s.

To remove all ACL6s using the configuration utility

1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the ACL6s tab, click Clear.
3. In the Clear ACL(s) dialog box, click Yes.
To remove all ACL6s using the NetScaler command line

clear ns acls6

Enabling and Disabling ACL6s

This section describes the procedures to enable or disable ACL6s. By default, ACL6s are enabled, which means that when the ACL6s are applied, the NetScaler compares incoming packets against all configured ACL6s. If an ACL6 is not needed in the lookup table but must be retained in the configuration, disable it before the ACL6s are applied. After the ACL6s are applied, the NetScaler does not compare incoming packets against disabled ACL6s.

To enable or disable an ACL6 using the configuration utility

1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the ACL6s tab, select the ACL6 (for example, rule1) and do one of the following:
   To enable the ACL6, click Enable.
   To disable the ACL6, click Disable.

To enable or disable an ACL6 using the NetScaler command line

enable ns acl6 ACLname
disable ns acl6 ACLname

Examples:

enable ns acl6 rule1
disable ns acl6 rule1

Renumbering ACL6s

This section describes the procedure to renumber ACL6s. This procedure resets the priorities of the ACL6s to multiples of 10. For more information about priorities, see Modifying Extended ACLs, on page 78.

To renumber ACL6s using the configuration utility

1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the ACL6s tab, click Renumber Priority(s) ACL(s).
3. In the Renumber Priority(s) ACL(s) dialog box, click Yes.

To renumber ACL6s using the NetScaler command line

renumber ns acls6

Modifying ACL6s

This section describes the procedure to modify ACL6s. You can configure the priority of an ACL6. The priority (an integer value) defines the order in which the NetScaler evaluates ACL6s. All priorities are multiples of 10 unless you configure a specific integer value. When you create an ACL6 without specifying a priority, the NetScaler automatically assigns a priority that is a multiple of 10.

If a packet matches the condition defined by an ACL6, the NetScaler performs that ACL6's action. If the packet does not match the condition, the NetScaler compares the packet against the ACL6 with the next-highest priority.

To modify the ACL6, use the parameters listed in the following table.

Parameters for customizing an ACL6

Source PORT (srcport)
    The port address of the source system. You can specify a range or a specific port address. You can also specify a port address with a value of 0.

Destination IP Address (subnet or host) (destipv6)
    The IP address of the destination system. You can specify a range or a specific address. You can also specify an IP address with a value of

Destination PORT (destport)
    The port address of the destination system. You can specify either a range or a specific port address. You can also specify a port address with a value of 0.

Source MAC Address (srcmac)
    The MAC address of the source system. Only the last 32 bits are considered during a lookup.

Protocol (protocol)
    The protocol field in the IP header. The valid options for this parameter are ICMP, IGMP, TCP, EGP, IGP, ARGUS, UDP, RDP, RSVP, EIGRP, L2TP, and ISIS.

Protocol Number (protocolnumber)
    The IP protocol number (decimal). The minimum value is 1 and the maximum value is 255.

VLAN ID (vlan)
    The VLAN ID present in the VLAN tag of the packet. The minimum value is 1 and the maximum value is 255.

Interface (interface)
    The network interface on which the packet arrived.

ICMP Type (icmptype)
    The ICMP message type. For example, to block DESTINATION UNREACHABLE messages, specify 3 as the ICMP type. For a complete list of ICMP types, see icmp-parameters. The minimum value is 0 and the maximum value is 255.

ICMP Code (icmpcode)
    The ICMP message code. For example, to block DESTINATION HOST UNREACHABLE messages, specify 3 as the ICMP type and 1 as the ICMP code. For a complete list of ICMP types, see assignments/icmp-parameters. The minimum value is 0 and the maximum value is 255.

State (state)
    The state of the ACL6. Possible values: ENABLED and DISABLED.

Priority (priority)
    The priority of the ACL6. The minimum value is 0 and the maximum value is

Consider the following example. Two ACL6s, rule1 and rule2, are configured on the NetScaler and automatically assigned priorities 20 and 30. You have added a third ACL6, rule3, with priority 40. However, you want rule3 to be evaluated immediately after rule1, so rule3 must have a priority between 20 and 30. You can modify the priority of rule3 to 25. The following procedure describes the steps to set the priority of rule3 to 25.

To modify the priority of an ACL6 using the configuration utility

1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the ACL6s tab, select the ACL6 that you want to modify (for example, rule3).
3. Click Open.
4. In the Configure ACL(s) dialog box, in the Priority text box, type the priority that you want to configure on the ACL6 (for example, 25).
5. Click OK.

To modify the priority of an ACL6 using the NetScaler command line

set acl ACLname -priority Value

Example:

set acl rule3 -priority 25
Verifying the Configuration

This section describes the procedure to verify the ACL6s that you have configured, which can be useful for troubleshooting. You can view properties such as the name, action, and protocol of the configured ACL6s. Use the following procedure to view the ACL6s.

To view ACL6s using the configuration utility

1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, click the ACL6s tab. The details of the available ACL6s appear on this page.
3. Verify that the configured ACL6, rule1, appears.
4. Select the ACL6, rule1, and in the Details section, verify that the parameters displayed are as configured.

To view ACL6s using the NetScaler command line

show ns acl6

Monitoring ACL6s

This section describes the procedure to view the statistics of an ACL6. The following table lists the statistics associated with ACL6s and their descriptions.

ACL6 Statistics

Allow ACL6 hits
    Packets matching IPv6 ACLs with processing mode set to ALLOW. The NetScaler processes these packets.

NAT ACL6 hits
    Packets matching a NAT ACL6, resulting in a NAT session.

Deny ACL6 hits
    Packets dropped because they match IPv6 ACLs with processing mode set to DENY.

Bridge ACL6 hits
    Packets matching a bridge IPv6 ACL, which in transparent mode bypasses service processing.

ACL6 hits
    Packets matching an IPv6 ACL.

ACL6 misses
    Packets not matching any IPv6 ACL.

Viewing the Statistics of an ACL6

Use the following procedure to view the statistics of the ACL6s, such as ACL6 hits, NAT ACL6 hits, Allow ACL6 hits, and others.
To view the statistics of an ACL6 using the configuration utility

1. In the navigation pane, expand Network and click ACLs.
2. In the details pane, on the ACL6s tab, select the ACL6 whose statistics you want to view (for example, rule1).
3. Click Statistics.

To view the statistics of an ACL6 using the NetScaler command line

stat ns acl6 ACLname

Example:

stat ns acl6 rule1
CHAPTER 4 IP Routing

The NetScaler supports both dynamic and static routing. Because simple routing is not the primary role of a NetScaler, the main objective of running dynamic routing protocols is to enable route health injection (RHI), so that an upstream router can choose the best among multiple routes to a topographically distributed virtual server.

Most NetScaler implementations use some static routes to reduce routing overhead. You can create backup static routes and monitor routes to enable automatic switchover in the event that a static route goes down. You can also assign weights to facilitate load balancing among static routes, create null routes to prevent routing loops, and configure IPv6 static routes.

In This Chapter

Configuring Dynamic Routes
Configuring Route Health Injection
Configuring Static Routes
Gathering Information to Troubleshoot Generic Routing Issues

Configuring Dynamic Routes

When a dynamic routing protocol is enabled, the corresponding routing process monitors route updates and advertises routes. Routing protocols enable an upstream router to use the Equal Cost Multipath (ECMP) technique to load balance traffic to identical vservers hosted on two standalone NetScalers. Dynamic routing on a NetScaler uses three routing tables. In a high-availability setup, the routing tables on the secondary NetScaler mirror those on the primary.

The NetScaler supports the following protocols:

Routing Information Protocol (RIP) version 2 as defined in RFC 2453
Open Shortest Path First (OSPF) version 2 as defined in RFC 2328
Border Gateway Protocol (BGP) as defined in RFC 1771

You can enable more than one protocol simultaneously.
Routing Tables in the NetScaler

In a NetScaler, the NetScaler kernel routing table, the FreeBSD kernel routing table, and the NSM FIB routing table each hold a different set of routes and serve a different purpose. They communicate with each other using UNIX routing sockets. Route updates are not automatically propagated from one routing table to another; you must configure propagation of route updates for each routing table.

NS Kernel Routing Table

The NS kernel routing table holds subnet routes corresponding to the NSIP and to each SNIP and MIP. Usually, no routes corresponding to VIPs are present in the NS kernel routing table. The exception is a VIP added by using the add ns ip command and configured with a netmask other than If there are multiple IP addresses belonging to the same subnet, they are abstracted as a single subnet route. In addition, this table holds a route to the loopback network ( ) and any static routes added through the NetScaler command line interface (nscli). The entries in this table are used by the NetScaler in packet forwarding. From the nscli, they can be inspected with the show route command.

FreeBSD Routing Table

The sole purpose of the FreeBSD routing table is to facilitate initiation and termination of management traffic (telnet, ssh, and so on). In a NetScaler, these applications are tightly coupled to FreeBSD, and FreeBSD must have the information needed to handle traffic to and from them. This routing table contains a route to the NSIP subnet and a default route. In addition, FreeBSD adds routes of type WasCloned (W) when the NetScaler establishes connections to hosts on local networks. Because of the highly specialized utility of the entries in this routing table, all other route updates from the NS kernel and NSM bypass the FreeBSD routing table. Do not modify it with the route command.
The FreeBSD routing table can be inspected by using the netstat command from any UNIX shell.

Network Services Module (NSM) FIB

The NSM FIB routing table contains the advertisable routes that are distributed by the dynamic routing protocols to their peers in the network. It may contain:

Connected routes. IP subnets that are directly reachable from the NetScaler. Typically, routes corresponding to the NSIP subnet and to subnets over which routing protocols are enabled are present in the NSM FIB as connected routes.

Kernel routes. All VIP addresses on which the -hostroute option is enabled are present in the NSM FIB as kernel routes if they satisfy the required RHI levels. In addition, the NSM FIB contains any static routes configured on the nscli that have the -advertise option enabled. Alternatively, if the NetScaler is operating in Static Route Advertisement (SRADV) mode, all static routes configured on the nscli are present in the NSM FIB. These static routes are marked as kernel routes in the NSM FIB because they actually belong to the NS kernel.

Static routes. Normally, any static route configured in VTYSH is present in the NSM FIB. If the administrative distances of protocols are modified, this may not always be the case. Note that these routes never get into the NS kernel.

Learned routes. If the NetScaler is configured to learn routes dynamically, the NSM FIB contains routes learned by the various dynamic routing protocols. Routes learned by OSPF, however, need special processing: they are downloaded to the FIB only if the fib-install option is enabled for the OSPF process, which can be done from the router-config view in VTYSH.

High Availability Setup

In a high availability setup, the primary node runs the routing process and propagates routing table updates to the secondary node. The routing table of the secondary node mirrors the routing table on the primary node.

Non-stop Forwarding

After failover, the secondary node takes some time to start the protocol, learn the routes, and update its routing table. This does not affect routing, because the routing table on the secondary node is identical to the routing table on the primary node. This mode of operation is known as non-stop forwarding.

Black Hole Avoidance Mechanism

After failover, the new primary node injects all its VIP routes into the upstream router. However, that router retains the old primary node's routes for 180 seconds. Because the router is not aware of the failover, it attempts to load balance traffic between the two nodes. During the 180 seconds before the old routes expire, the router sends half the traffic to the old, inactive primary node, which is in effect a black hole. To prevent this, the new primary node, when injecting a route, assigns it a metric that is slightly lower than the one specified by the old primary node. If the route's metric is already lower than its old counterpart, the new primary does not change it.
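The following added example, which is not Citrix code, models the black-hole window described above from the upstream router's point of view: the router keeps a learned route for 180 seconds after its last advertisement, forwards to every next hop that shares the best metric (the ECMP behaviour mentioned earlier in this chapter), and therefore splits traffic with the dead old primary until that route expires, unless the new primary injects the same route with a metric one lower. The route refresh model, the VIP prefix, the timeline and the sample metrics are constructed assumptions.

```python
ROUTE_HOLD_SECONDS = 180   # the page: the upstream router keeps the old primary's routes for 180 s


def choose_injected_metric(configured, old_primary_metric):
    """Rule described above: inject slightly below the old primary's metric unless
    the route's own metric is already lower, in which case it is left alone."""
    if configured < old_primary_metric:
        return configured
    return old_primary_metric - 1


class UpstreamRouter:
    """Minimal model of the upstream router: best-metric routes are used, and equal
    best metrics are load balanced (ECMP) across all their next hops."""

    def __init__(self):
        self.routes = {}   # prefix -> {next_hop: (metric, time last advertised)}

    def learn(self, prefix, next_hop, metric, now):
        self.routes.setdefault(prefix, {})[next_hop] = (metric, now)

    def _expire(self, now):
        for hops in self.routes.values():
            stale = [nh for nh, (_, seen) in hops.items() if now - seen >= ROUTE_HOLD_SECONDS]
            for nh in stale:
                del hops[nh]

    def next_hops(self, prefix, now):
        """Next hops that receive traffic for prefix at time 'now' (sorted for stable output)."""
        self._expire(now)
        hops = self.routes.get(prefix, {})
        if not hops:
            return []
        best = min(metric for metric, _ in hops.values())
        return sorted(nh for nh, (metric, _) in hops.items() if metric == best)


def failover_scenario(adjust_metric, configured_metric=10):
    """Constructed timeline: the old primary advertises a VIP route with metric 10 at
    t=0, the HA pair fails over at t=100, and the new primary injects the same route
    immediately, with or without the metric adjustment."""
    router = UpstreamRouter()
    vip = "203.0.113.5/32"
    old_metric = 10
    router.learn(vip, "old-primary", old_metric, now=0)
    injected = (choose_injected_metric(configured_metric, old_metric)
                if adjust_metric else configured_metric)
    router.learn(vip, "new-primary", injected, now=100)
    return {"injected_metric": injected,
            "during_hold": router.next_hops(vip, now=120),    # old route still held
            "after_hold": router.next_hops(vip, now=200)}     # old route expired, new one fresh


if __name__ == "__main__":
    print("without adjustment:", failover_scenario(False))
    print("with adjustment:   ", failover_scenario(True))
```

Without the adjustment the router lists both nodes as next hops for the whole hold period, so half the VIP traffic is forwarded to a node that is no longer primary; with it, only the new primary is selected from the moment its route is injected.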
Interfaces for Configuring Dynamic Routing

To configure dynamic routing, you can use either the configuration utility or a command line interface. The NetScaler supports two independent command-line interfaces: the NetScaler Command Line Interface (NSCLI) and the Virtual Teletype Shell (VTYSH). The NSCLI is the native shell of the NetScaler, while VTYSH is exposed by ZebOS. The NetScaler routing suite is based on ZebOS, the commercial version of GNU Zebra.

Note: Citrix recommends that you use VTYSH for all commands except those that can be configured only on the NSCLI. Use of the NSCLI should generally be limited to commands for enabling the routing protocols, configuring host route advertisement, and adding static routes for packet forwarding.

Using RIP

Routing Information Protocol (RIP) is a distance vector protocol. The NetScaler supports RIP as defined in RFC 1058 and RFC RIP can run on any subnet.

In this section

Enabling and Disabling RIP
Configuring RIP

Enabling and Disabling RIP

You can enable or disable RIP by using the configuration utility or the NSCLI. After you enable RIP, the NetScaler starts the RIP process; after you disable RIP, the NetScaler stops the RIP process.

To enable or disable RIP routing using the configuration utility

1. In the navigation pane, expand System and click Settings.
2. In the details pane, under the Modes and Features group, click Change advanced features.
3. In the Configure Advanced Features dialog box, do one of the following:
   To enable RIP routing, select the RIP Routing check box.
   To disable RIP routing, clear the RIP Routing check box.
4. Click OK.
5. In the Enable/Disable Feature(s)? dialog box, click Yes.
To enable or disable RIP routing using the NetScaler command line

At the NetScaler command prompt, type one of the following:

enable ns feature protocol
disable ns feature protocol

Examples:

enable ns feature rip
disable ns feature rip

Configuring RIP

On the NetScaler, RIP can function in one of the following modes:

Advertising and learning routes
Listen only
No route learning

Advertising Routes

RIP enables an upstream router to load balance traffic between two identical vservers hosted on two standalone NetScaler devices. By using route advertisement, an upstream router can track network entities located behind the NetScaler. The following table describes the commands you have to set to advertise routes.

Route Advertising VTYSH Commands for RIP

passive-interface interface_name
    Suppress routing updates on an interface.

network ipaddress/prefix-length
    Broadcast network on which RIP is to be run.

redistribute static
    State of the router in redistributing static routes. Use this command to enable the redistribution of static routes.

redistribute kernel
    State of the router in redistributing kernel routes. Use this command to enable the redistribution of kernel routes.

Use the following procedures to configure RIP to advertise routes on the NetScaler.
To configure RIP to advertise routes using the VTYSH command line

To use the VTYSH command-line interface to configure RIP as the routing protocol, proceed as follows. Enter VTYSH:

    VTYSH

An output similar to the following appears:

    NS170#

You are now at the VTYSH command prompt. At the VTYSH command prompt, type:

    NS170# configure terminal
    NS170(config)# router rip
    NS170(config-router)# network IPaddress/PrefixLength
    NS170(config-router)# redistribute kernel [route-map map-tag]

Limiting RIP Propagation

If you need to troubleshoot your configuration, you can configure listen-only mode on any given interface. The following table describes the command you have to set to configure an interface for listen-only mode.

Limiting RIP: VTYSH Command

    Command                             Specifies
    passive-interface interface_name    Suppress routing updates on an interface.

Use the following procedure to limit RIP propagation by setting an interface to listen-only mode.

To limit RIP propagation using the VTYSH command line

Enter VTYSH:

    VTYSH

An output similar to the following appears:

    NS170#

You are now at the VTYSH command prompt. At the VTYSH command prompt, type:

    NS170# configure terminal
    NS170(config)# router rip
    NS170(config-router)# passive-interface interface_name
Controlling Route Learning

Route learning is disabled by default. You can configure route learning by using only the configuration utility or the NSCLI. The following table describes the parameter you have to set to configure route learning.

Route Learning Parameter for RIP

    Parameter                   Specifies
    Learn Route (learnroute)    State of route learning. Use this option to enable route learning and installation in the kernel. Possible values: Enabled and Disabled. Default value: Disabled.

Use either of the following procedures to set RIP to learn routes.

To configure RIP to learn routes using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click RIP.
2. On the RIP page, select the network for which you want to configure RIP (for example, ), and then click Open.
3. In the Configure RIP dialog box, select the Learn Routes check box.
4. Click OK.

To configure RIP to learn routes using the NetScaler command line

At the NetScaler command prompt, type:

    set router rip -learnroute

Displaying RIP Information

Use the following procedure to display the RIP settings.

To view the RIP settings using the VTYSH command line

Enter VTYSH:

    VTYSH

You are now at the VTYSH command prompt. An output similar to the following appears:

    NS170#

At the VTYSH command prompt, type:

    NS170# sh ip rip
    NS170# sh ip rip database
    NS170# sh ip rip interface
Using OSPF

The NetScaler supports Open Shortest Path First (OSPF) Version 2 (RFC 2328). The features of OSPF on the NetScaler are:
- The NetScaler supports OSPF within a single area only.
- If a vserver is active, the host routes to the vserver can be injected into the routing protocols.
- OSPF can run on any subnet.
- Route learning advertised by neighboring OSPF routers can be disabled on the NetScaler.
- The NetScaler can advertise Type-1 or Type-2 external metrics for all routes.
- The NetScaler can advertise user-specified metric settings for VIP routes. For example, you can configure a metric per VIP without special route maps.
- You can specify the OSPF area ID for the NetScaler.

In this section:
- Enabling and Disabling OSPF
- Configuring OSPF
- Displaying OSPF Settings
- NSSA Support

Enabling and Disabling OSPF

You can enable or disable OSPF by using only the configuration utility or the NSCLI. When OSPF is enabled, the NetScaler starts the OSPF process. When OSPF is disabled, the NetScaler stops the OSPF routing process. Use either of the following procedures to enable or disable the OSPF routing protocol.

To enable or disable OSPF routing using the configuration utility

1. In the navigation pane, expand System, and then click Settings.
2. In the details pane, under the Modes and Features group, click Change advanced features.
3. In the Configure Advanced Features dialog box, do one of the following:
   - To enable OSPF routing, select the OSPF Routing check box.
   - To disable OSPF routing, clear the OSPF Routing check box.
4. Click OK.
5. In the Enable/Disable Feature(s)? dialog box, click Yes.

To enable or disable OSPF routing using the NetScaler command line

At the NetScaler command prompt, type one of the following:

    enable ns feature OSPF
    disable ns feature OSPF

Configuring OSPF

You can configure OSPF on an existing route. In addition to the basic configuration, you can configure route learning and route advertising. If necessary, you can limit OSPF propagation. The NetScaler supports the OSPF NSSA enhancement. After configuration, you should review your settings.

Configuring the Basic OSPF Parameters

The following table describes the commands you have to configure to use OSPF.

Basic OSPF VTYSH Commands

    Command                            Specifies
    router-id IPAddress                ID for the OSPF process. The OSPF router ID is specified in IP address format.
    network IPaddress/prefix length    Broadcast network on which OSPF is to be run.
    area AreaID                        Area ID of the area in which OSPF is running.
    host                               The stub link or the host address.

Use the following procedure to configure the basic OSPF parameters.

To configure basic OSPF using the VTYSH command line

To use the VTYSH command-line interface to configure OSPF as the routing protocol, proceed as follows. Enter VTYSH:

    VTYSH

You are now at the VTYSH command prompt. An output similar to the following appears:

    NS170#

At the VTYSH command prompt, type:

    NS170# configure terminal
    NS170(config)# router ospf
    NS170(config-router)# router-id IPaddress
    NS170(config-router)# network IPaddress/prefix length
    NS170(config-router)# area AreaID

Configuring Route Advertisement

OSPF enables an upstream router to load balance traffic between two identical vservers hosted on two standalone NetScaler devices. By using route advertising, an upstream router can track network entities located behind the NetScaler. The following table lists and describes the commands required for advertising routes.

Route Advertising VTYSH Commands for OSPF

    Command                   Specifies
    redistribute static       Redistribute static routes.
    redistribute kernel       Redistribute kernel routes.
    redistribute connected    Redistribute connected routes.

Use the following procedure to configure OSPF to advertise routes on the NetScaler.

To configure OSPF to advertise routes using the VTYSH command line

Enter VTYSH:

    VTYSH

You are now at the VTYSH command prompt. An output similar to the following appears:

    NS170#

At the VTYSH command prompt, type:

    NS170# configure terminal
    NS170(config)# router ospf
    NS170(config-router)# redistribute kernel [route-map map-tag]

Limiting OSPF Propagation

To facilitate troubleshooting, you can set an interface to listen-only mode. The following table describes the relevant command.

Limiting OSPF Propagation: VTYSH Command

    Command                             Specifies
    passive-interface interface_name    Suppress routing updates on an interface.
Use the following procedure to limit OSPF propagation.

To limit OSPF propagation using the VTYSH command line

Enter VTYSH:

    VTYSH

You are now at the VTYSH command prompt. An output similar to the following appears:

    NS170#

At the VTYSH command prompt, type:

    NS170# configure terminal
    NS170(config)# router ospf
    NS170(config-router)# passive-interface interface_name

Controlling Route Learning

You can configure route learning by using only the configuration utility or the NSCLI. The following table describes the parameter you can set to control route learning.

Route Learning Parameter for OSPF

    Parameter                   Specifies
    Learn Route (learnroute)    Learn OSPF routes. Possible values: Enabled and Disabled. Default: Disabled.

Use either of the following procedures to control route learning.

To configure OSPF to learn routes using the configuration utility

1. In the Configure OSPF dialog box, select the Learn Routes check box.
2. Click OK.

To configure OSPF to learn routes using the NetScaler command line

At the NetScaler command prompt, type:

    set route ospf -learnroute

Displaying OSPF Settings

To view the OSPF settings using the VTYSH command line

Enter VTYSH:

    VTYSH
You are now at the VTYSH command prompt. An output similar to the following appears:

    NS170#

At the VTYSH command prompt, type:

    NS170# sh ip ospf
    NS170# sh ip ospf border-routers
    NS170# sh ip ospf database
    NS170# sh ip ospf interface
    NS170# sh ip ospf neighbor
    NS170# sh ip ospf route
    NS170# sh ip ospf virtual-links

NSSA Support

The NetScaler now supports not-so-stubby areas (NSSAs). An NSSA is similar to an OSPF stub area but allows external routes to be injected, in a limited fashion, into the stub area. To support NSSAs, a new option bit (the N bit) and a new type (Type 7) of Link State Advertisement (LSA) have been defined. Type 7 LSAs carry external route information within an NSSA. An NSSA area border router (ABR) translates a Type 7 LSA into a Type 5 LSA, which is propagated into the OSPF domain.

The OSPF specification defines only the following general classes of area configuration:
- Type 5 LSA: Originated by routers internal to the area and flooded into the domain by AS border routers (ASBRs).
- Stub: Allows no Type 5 LSAs to be propagated into or throughout the area, and instead depends on default routing to reach external destinations.

Using BGP

The NetScaler supports BGP-4 (RFC 1771). The features of BGP on the NetScaler are:
- The NetScaler advertises routes to BGP peers.
- The NetScaler injects host routes to virtual IP addresses (VIPs) based on the health of the underlying vservers.
- The NetScaler generates configuration files for running BGP on the secondary node after failover.

In this section:
- Enabling and Disabling BGP
- Configuring BGP
- Displaying BGP Settings
- Enabling BGP on a Non-NSIP Network

Enabling and Disabling BGP

You can enable or disable BGP by using only the configuration utility or the NSCLI. When BGP is enabled, the NetScaler starts the BGP process on the NetScaler IP (NSIP) subnet. When BGP is disabled, the NetScaler stops the BGP process on the NSIP subnet.

To enable or disable BGP routing using the configuration utility

1. In the navigation pane, expand System and click Settings.
2. In the details pane, under the Modes and Features group, click Change advanced features.
3. In the Configure Advanced Features dialog box, do one of the following:
   - To enable BGP routing, select the BGP Routing check box.
   - To disable BGP routing, clear the BGP Routing check box.
4. Click OK.
5. In the Enable/Disable Feature(s)? dialog box, click Yes.

To enable or disable BGP routing using the NetScaler command line

At the NetScaler command prompt, type one of the following:

    enable ns feature Protocol
    disable ns feature Protocol

Examples:

    enable ns feature BGP
    disable ns feature BGP

Configuring BGP

You can use BGP on a NetScaler to advertise routes and to learn routes. The following table describes the required command for configuring BGP.

Basic BGP VTYSH Command

    Command                 Specifies
    router bgp AS number    BGP autonomous system. The AS number is a mandatory parameter. Possible values: 1 to .
Use the following procedure to create a basic BGP configuration.

To create a basic BGP configuration using the VTYSH command line

Enter VTYSH:

    VTYSH

You are now at the VTYSH command prompt. An output similar to the following appears:

    NS170#

At the VTYSH command prompt, type:

    NS170# configure terminal
    NS170(config)# router bgp ASnumber

Advertising Routes

You can configure the NetScaler to advertise host routes to VIPs and to advertise routes to downstream networks. The following table describes the commands for configuring the NetScaler to advertise BGP routes.

Route Advertising VTYSH Commands for BGP

    Command                   Specifies
    redistribute static       Redistribute static routes.
    redistribute kernel       Redistribute kernel routes.
    redistribute connected    Redistribute connected routes.

Use the following procedure to configure BGP to advertise routes on the NetScaler.

To configure BGP to advertise routes using the VTYSH command line

Enter VTYSH:

    VTYSH

You are now at the VTYSH command prompt. An output similar to the following appears:

    NS170#

At the VTYSH command prompt, type:

    NS170# configure terminal
    NS170(config)# router bgp ASnumber
    NS170(config-router)# redistribute kernel [route-map map-tag]
Configuring Route Maps

You can configure route maps to define policies for route redistribution. Route maps can be associated with BGP neighbors or with the redistribute directive. You can use route maps on the NetScaler to:
- Set the next hops for the routes being advertised to a neighbor (set the next hop in a route map, then associate the route map with that neighbor).
- Control the prefixes that are advertised (use the match ip address clause and associate the route map with the redistribute directive).

To configure route maps, use the following VTYSH commands:

    NS170# configure terminal
    NS170(config)# route-map abcd deny 1

You can associate both prefix lists and access lists with route maps by using the following command:

    NS170(config-router)# match ip address <prefix-list> <accesslist>
      <1-199>       IP access-list name
      < >           IP access-list name
      WORD          IP access-list name
      prefix-list   Match entries of prefix-lists

Displaying BGP Settings

Use the following procedure to view the BGP settings.

To view the BGP settings using the VTYSH command line

Enter VTYSH:

    VTYSH

You are now at the VTYSH command prompt. An output similar to the following appears:

    NS170#

At the VTYSH command prompt, type:

    NS170# sh ip BGP
    NS170# sh ip BGP neighbors
    NS170# sh ip BGP summary
    NS170# sh ip BGP route-map map-tag
Enabling BGP on a Non-NSIP Network

To enable BGP on a non-NSIP network, perform the following tasks:

1. Enable management access on the Subnet IP (SNIP).
2. Enable dynamic routing on the IP.
3. Enable the Use Subnet IP (USNIP) mode.
4. Add a service that points to each peer.

Configuring Route Health Injection

The NetScaler uses RIP, OSPF, and BGP to advertise routes to networks and VIPs owned by the NetScaler to the neighboring router. For VIPs owned by the NetScaler, the advertisement of host routes depends on the state of the entity associated with the host route. These entities are vservers, services, or other downstream devices. If an entity is not active, its host route is not advertised. This controlled advertisement of host routes through the routing protocol is known as Route Health Injection (RHI).

This section provides information about the following aspects of RHI:
- Enabling RHI
- Limiting Host Route Advertising for VIPs
- Advertising Networks
- Displaying Routes Learned Through Dynamic Routing Protocols

Enabling RHI

Use either of the following procedures to enable RHI. (The procedures include examples for enabling RHI for the IPv4 VIP , so that the NetScaler advertises the host route associated with this IP address.)

To enable RHI using the configuration utility

1. In the navigation pane, expand Network and click IPs.
2. On the IPs page, on the IPV4s tab, select the vserver IP address for which you want to enable RHI (for example, select ), and then click Open.
3. In the Configure IP dialog box, under Host Route, select the Enable check box.
4. Click OK.
To enable RHI using the NetScaler command line

At the NetScaler command prompt, type:

    set ip IPAddress -hostroute Value

Example:

    set ip -hostroute enabled

Note: To enable RHI for IPv6 addresses, use the same procedure but with an IPv6 address. For more information on the parameters, see Customizing VIP IPv6 Addresses, on page 134.

Limiting Host Route Advertising for VIPs

If a VIP represents primary and backup vservers, the state of the VIP depends on the effective state of the vservers it represents. By default, a host route associated with a VIP is not advertised if the effective state of the vserver is either DOWN or DISABLED. The effective state of a VIP is UP if either the primary vserver or a backup vserver is UP. For example, the following table lists the possible effective states of a VIP assigned to a primary vserver that has only a single backup.

Establishing the Effective State of the VIP

    State of the Primary Vserver   State of the Backup Vserver   Effective State of the VIP   Advertising of RHI Routes
    UP                             UP                            UP                           Yes*
    UP                             DOWN                          UP                           Yes*
    DOWN                           UP                            UP                           Yes*
    DOWN                           DOWN                          DOWN                         No*

* Advertising of RHI host routes depends on the vserver RHI level setting, as shown in the following table.

Limiting Route Advertising Parameters for VIPs

    VserverRHILevel Setting   Specifies
    ONE_VSERVER               Host route is advertised when at least a single vserver is running.
    ALL_VSERVERS              Host route is advertised only when all the vservers are running.
    None                      Host route is advertised when none of the vservers are running.
In the configuration utility, you can set the vserver RHI level in either the Create IP or the Configure IP dialog box. At the NetScaler command line, enter one of the settings shown in the preceding table as the value for the vserverrhilevel argument of either the add ns ip or the set ns ip command. For more information on the parameters required, see Customizing the Attributes of a VIP, on page 3.

Advertising Networks

The following table describes the required parameters for advertising networks for RHI.

Route Advertising Parameters for RHI

    Parameter                       Specifies
    Network (network)               Destination network.
    Netmask (netmask)               Subnet mask of the destination network.
    Gateway IP (gateway)            Gateway for this route.
    Over-ride Global (advertise)    Advertise this route. Possible values: DISABLED and ENABLED.

Use either of the following procedures to advertise networks. (The procedures include examples that set the first IP address in the network to , the subnet mask of the network to , and the gateway for the network to . The dynamic routing protocol is set to OSPF, but RIP and BGP are also valid choices.)

To advertise networks using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. In the details pane, click Add.
3. In the Create Route dialog box, in the Network, Netmask, and Gateway IP text boxes, respectively, type the network, the subnet mask, and the gateway IP address for the network you want to advertise (for example, , , and ).
4. Under Route Advertisement, select the Over-ride Global check box.
5. Select Enable.
6. Under Protocol, select a check box (for example, OSPF).
7. Click Create, and then click Close.

To advertise networks using the NetScaler command line

At the NetScaler command prompt, type:

    add route IPAddress Subnetmask GatewayIPAddress -advertise Value -protocol Protocol

Example:

    add route -advertise ENABLED -protocol OSPF

Note: If you have configured static routes on the NetScaler and enabled L3 mode, the static route configuration takes precedence over the L3 mode configuration. For instance, if you have configured a firewall load balancing vserver and static routes on the NetScaler, the NetScaler uses the routing table to route the traffic instead of sending the traffic to the firewall load balancing vserver.

Displaying Routes Learned Through Dynamic Routing Protocols

You can view all routes in the routing table. Dynamically installed routes are marked as DYNAMIC.

To view the routes using the configuration utility

In the navigation pane, expand Network, expand Routing, and then click Routes. The Routes page appears in the details pane. Information about the networks, subnet mask, gateway IP, cost, flags, and route advertising appears on the Routes page.

To view the routes using the NetScaler command line

At the NetScaler command prompt, type:

    show route

Configuring Static Routes

Static routes are created manually to improve the performance of your network. You can monitor static routes to avoid service disruptions. You can also assign weights to ECMP routes, and you can create null routes to prevent routing loops.
Monitored Static Routes

Normally, if a manually created (static) route goes down, a backup route is not automatically activated; you must delete the inactive primary static route. But the NetScaler can automatically activate a backup route if you configure the static route as a monitored route.

Static route monitoring can also be based on the accessibility of the subnet. A subnet is usually connected to a single interface but can be logically accessed through other interfaces. Subnets bound to a VLAN are accessible only if the VLAN is up. VLANs are logical interfaces through which packets are transmitted and received by the NetScaler. A static route is marked as DOWN if the next hop lies on a subnet that is unreachable.

Note: In a High Availability configuration, the default value for MSR on the secondary node is UP. The value is set this way to avoid a state transition gap on failover, which would result in packets being dropped on those routes.

Weighted Static Routes

When the NetScaler makes routing decisions involving routes with equal distance and cost, that is, Equal Cost Multi-Path (ECMP) routes, it balances the load between them by using a hashing mechanism based on the source and destination IP addresses. For an ECMP route, however, you can configure a weight value. The NetScaler then uses both the weight and the hashed value for balancing the load.

Null Routes

If the route chosen in a routing decision is inactive, the NetScaler chooses a backup route. If all the routes become inaccessible, the NetScaler might reroute the packet to the sender, which could result in a routing loop leading to network congestion. To prevent this situation, you can create a null route, which adds a null interface as a gateway. The null route is never the preferred route, because it has a higher administrative distance than the other static routes. But it is selected if the other static routes become inaccessible. In that case, the NetScaler drops the packet and prevents a routing loop.
Adding a Static Route

You can add a simple static route or a null route by setting a few parameters, or you can set additional parameters to configure a monitored, or monitored and weighted, static route. The following table describes the parameters for configuring a static route.

Basic Static Route Parameters

    Network (network)
        Network for which the route is being created.
    Netmask (netmask)
        Subnet mask for the network.
    Null Route (null)
        Drop the packets this route receives. Possible values: Yes and No. Default: No. Null routes have a fixed distance of 255.
    Gateway IP (gateway)
        Gateway for this route.
    Distance (distance)
        Administrative distance of this route. Possible values: 1 through 255. Default: 1.
    Cost (cost)
        Value used by the routing algorithms to compare performance. The route having the lowest cost is the most preferred route. The value that this parameter can take is between 0 and .
    Weight (weight)
        Value to facilitate balancing the load on ECMP routes. This value is compared with the hashed value of the packet, and a route is chosen. Specific to ECMP routes. Possible values: 1 to . Default: 1.
    Over-ride Global (advertise)
        State of advertisement of this route. Possible values: Enabled or Disabled. Default: Enabled.
    Protocol (protocol)
        Routing protocols used for advertising routes. Possible values: OSPF, RIP, and BGP.
    Monitored Static Route (msr)
        Monitor this route. Possible values: Enabled and Disabled. Default: Disabled.
    Monitor (monitor)
        Type of monitor. Determines the protocol used for monitoring the route (for example, PING or ARP).
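The three rules described above for static routes (a monitored route that goes DOWN is replaced by a backup route, routes of equal distance and cost are balanced by a weighted hash of the source and destination IP addresses, and a null route with its fixed distance of 255 is chosen only when every other route is unusable, at which point the packet is dropped) can be exercised together in a small model. The Python below is an added illustration, not NetScaler code: its routing table, addresses (RFC 5737 documentation ranges) and flow hash are constructed stand-ins for the appliance's own implementation, and the monitor result is supplied as a flag rather than measured by a PING or ARP probe.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NULL_ROUTE_DISTANCE = 255  # null routes have a fixed administrative distance of 255


@dataclass
class StaticRoute:
    network: str                   # destination network, e.g. "10.10.0.0/16"
    gateway: Optional[str] = None  # None models a null route (null interface as gateway)
    distance: int = 1              # administrative distance, 1 through 255, default 1
    cost: int = 0                  # lowest cost wins among routes of equal distance
    weight: int = 1                # ECMP share, default 1
    msr: bool = False              # monitored static route
    monitor_up: bool = True        # last monitor result; consulted only when msr is set

    @property
    def is_null(self) -> bool:
        return self.gateway is None

    @property
    def effective_distance(self) -> int:
        return NULL_ROUTE_DISTANCE if self.is_null else self.distance

    @property
    def usable(self) -> bool:
        # Unmonitored routes are assumed reachable; a monitored route whose monitor
        # failed is DOWN; a null route is always available as the last resort.
        return self.is_null or not self.msr or self.monitor_up


def flow_hash(src: str, dst: str) -> int:
    """Constructed stand-in for the source/destination IP hash (not NetScaler's)."""
    return int.from_bytes(hashlib.sha256(f"{src}|{dst}".encode()).digest()[:8], "big")


def select_route(routes: List[StaticRoute], src: str, dst: str) -> Optional[StaticRoute]:
    """Route a packet src->dst would take, or None if no usable route covers dst."""
    dst_ip = ipaddress.ip_address(dst)
    usable = [r for r in routes if r.usable and dst_ip in ipaddress.ip_network(r.network)]
    if not usable:
        return None
    # Longest prefix, then lowest administrative distance, then lowest cost.
    # The null route's distance of 255 keeps it behind every other usable route.
    best_len = max(ipaddress.ip_network(r.network).prefixlen for r in usable)
    same_len = [r for r in usable if ipaddress.ip_network(r.network).prefixlen == best_len]
    best_key = min((r.effective_distance, r.cost) for r in same_len)
    ecmp = sorted((r for r in same_len if (r.effective_distance, r.cost) == best_key),
                  key=lambda r: r.gateway or "")
    if len(ecmp) == 1:
        return ecmp[0]
    # Equal distance and cost: weighted ECMP. Each route owns `weight` slots and the
    # flow hash picks one slot, so a weight of 3 attracts about 3x the flows.
    slot = flow_hash(src, dst) % sum(r.weight for r in ecmp)
    for r in ecmp:
        if slot < r.weight:
            return r
        slot -= r.weight
    return ecmp[-1]


def next_hop(routes: List[StaticRoute], src: str, dst: str) -> str:
    """Gateway chosen for the flow, "null" for a null route, "none" if unrouted."""
    r = select_route(routes, src, dst)
    return "none" if r is None else (r.gateway or "null")


def ecmp_distribution(routes: List[StaticRoute], flows: List[Tuple[str, str]]) -> Dict[str, int]:
    """How many (src, dst) flows land on each next hop."""
    counts: Dict[str, int] = {}
    for src, dst in flows:
        hop = next_hop(routes, src, dst)
        counts[hop] = counts.get(hop, 0) + 1
    return counts


def build_table(primary_up: bool = True, backup_up: bool = True) -> List[StaticRoute]:
    """Constructed table: a monitored primary and a monitored backup (higher distance)
    to 10.10.0.0/16 with a null route behind them, plus two weighted ECMP routes."""
    return [
        StaticRoute("10.10.0.0/16", "192.0.2.1", distance=1, cost=2, msr=True, monitor_up=primary_up),
        StaticRoute("10.10.0.0/16", "192.0.2.2", distance=3, cost=2, msr=True, monitor_up=backup_up),
        StaticRoute("10.10.0.0/16", None),
        StaticRoute("198.51.100.0/24", "203.0.113.1", weight=1),
        StaticRoute("198.51.100.0/24", "203.0.113.2", weight=3),
    ]


if __name__ == "__main__":
    for primary, backup in ((True, True), (False, True), (False, False)):
        print(f"primary_up={primary} backup_up={backup}:",
              next_hop(build_table(primary, backup), "172.16.0.5", "10.10.1.1"))
    flows = [(f"172.16.{i // 256}.{i % 256}", "198.51.100.9") for i in range(200)]
    print("ECMP split over 200 flows:", ecmp_distribution(build_table(), flows))
```

Running the block shows the primary gateway being used, then the backup once the primary's monitor fails, then the null route (a drop, not a bounce back to the sender) once both monitors fail; the ECMP count shows the weight-3 gateway taking roughly three quarters of the flows, which is the effect of the Weight parameter in the table above.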
The following procedure includes sample IP addresses that you could use to create three different static routes. By performing the procedure three times, and using different values each time, you could create a simple static route to destination network with a gateway IP of , a null route to destination , and a monitored static route to destination with a gateway IP of .

To create a static route using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. In the details pane, on the Basic tab, click Add.
3. In the Create Route dialog box, in the Network, Netmask, and Gateway IP text boxes, type the network IP address, the subnet mask of the network, and the gateway IP address (for example, , , or and , or 192.168.10.0 and ).
4. If you are creating a null route, set the NULL Route radio button to Yes, and then click Create and Close. If this is not to be a null route, leave the radio button set to No and proceed with the following steps.
5. In the Gateway IP text box, enter the gateway IP address (for example, or ).
6. In the Cost text box, type the cost metric of the route (for example, 2).
7. Optionally, to assign a weight to the route, change the value in the Weight text box from the default value of 1 to a higher value.
8. Optionally, to advertise the route, select the Over-ride Global check box, and then select the Enable radio button.
9. To create an unmonitored static route, click Create, and then click Close. To create a monitored static route, proceed with the following steps.
10. In the Distance text box, type the administrative distance of the route (for example, 3).
11. Select the Monitored Static Route check box. In the Monitor list box, select the monitor that you want to use for monitoring the static route (for example, PING).
12. Click Create, and then click Close.
To create a static route using the NetScaler command line

At the NetScaler command prompt, type:

    add network route Network Netmask GatewayIPAddress -cost Value -advertise Value

Example:

    add network route -cost 2 -advertise enabled

To create a monitored static route using the NetScaler command line

At the NetScaler command prompt, type:

    add network route Network Netmask GatewayIP -weight Value -distance Value -msr Value -monitor Value

Example:

    add network route -weight 5 -distance 3 -msr ENABLED -monitor PING

To add a null route using the NetScaler command line

At the NetScaler command prompt, type:

    add network route Network Netmask -null

Example:

    add network route -null

Customizing a Static Route

You can change the parameters of a static route. For example, you might want to assign a weight to an unweighted route, or you might want to disable monitoring on a monitored route. In the configuration utility, you simply open the route and specify a new value or values. To modify a route at the NetScaler command line, you specify the route, the parameter(s) to be changed, and the new value(s).

To customize a static route using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, click the Basic tab, select the route you want to modify (for example, ), and then click Open.
3. In the Configure Route dialog box, which contains the same elements as the Add Route dialog box described in Adding a Static Route, on page 115, change one or more values. To change a text field, select it and enter a new value. (For example, in the Weight text box, you could enter a value such as 5.)
4. To change values that do not have text fields, select or clear check boxes as appropriate, or select a different radio button. (For example, to disable monitoring of the route, clear the Monitored Static Route check box.)
5. Click Create, and then click Close.

To assign a weight to a monitored static route using the NetScaler command line

At the NetScaler command prompt, type:

    set network route Network Netmask GatewayIPAddress -weight Value

Example:

    set network route -weight 5

To disable monitoring of a static route using the NetScaler command line

At the NetScaler command prompt, type:

    set network route Network Netmask GatewayIPAddress -msr Value

Example:

    set network route -msr disabled

Removing a Static Route

Use either of the following procedures to remove a static route. The procedures include examples for removing the static route created in an earlier example.

To remove a route using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, click the Basic tab, select the route you want to remove (for example, ), and then click Remove.
3. In the Remove dialog box, click Yes.

To remove a static route using the NetScaler command line

At the NetScaler command prompt, type:

    rm network route Network Netmask GatewayIPAddress

Example:

    rm network route
Gathering Information to Troubleshoot Generic Routing Issues

To make your troubleshooting process as efficient as possible, begin by gathering information about your network and learning how to perform troubleshooting procedures. You need to obtain the following information about the NetScaler and the other systems in the network:
- A complete topology diagram, including interface connectivity and intermediate switch details.
- The running configuration. You can use the show running command to get the running configuration for ns.conf and ZebOS.conf.
- Output of the history command, to determine whether any configuration changes were made when the issue arose.
- Output of the top and ps -ax commands, to determine whether any routing daemon is overutilizing the CPU or is misbehaving.
- Any routing-related core files in /var/core (nsm, bgpd, ospfd, or ripd). Check the timestamps to see whether they are relevant.
- The dr_error.log and dr_info.log files from /var/log.
- Output of the date command and time details for all relevant systems. Print the dates across all devices one after another, so that the times on the log messages can be correlated with the various events.
- The relevant ns.log and newnslog files.
- Configuration files, log files, and command history details from the upstream and downstream routers.

Learning Troubleshooting Procedures

Users typically have the following questions about how to troubleshoot generic routing issues.

How do I enable health monitoring for CS vservers?

By default, the states of content switching vservers are not updated. Therefore, these vservers always remain UP, which prevents RHI from working effectively for CS vservers. Use the nsapimgr knob to enable updating of CS vserver states:

    root@ns# nsapimgr -y -s csw_state_update=1

How do I save the config files?
The write command from VTYSH saves only ZebOS.conf. Run the save config command from the NSCLI to save both the ns.conf and ZebOS.conf files.

When I enable the -learnroute option, the default routes are not downloaded into the NS kernel routing table. How do I enable default route learning?

HA monitoring must be enabled for default routes to be downloaded to the kernel. This option has to be enabled even if the NetScaler runs as a standalone system. Use the bind node command to enable HA monitoring:

    bind node -routemonitor

In version 8.0, this precondition can be ignored by using an nsapimgr command:

    root@ns# nsapimgr -s ignore_rt_mon_dflt=on

In this case, HA monitoring is turned OFF for the default route, and a failover is not triggered even if this route goes down.

If I have configured both a static default route and a dynamically learned default route, which is the preferred default route?

The dynamically learned route is the preferred default route. This behavior is unique to default routes. However, in the case of the Network Services Module (NSM), unless the administrative distances are modified, a statically configured route in the RIB is preferred over a dynamic route. The route that is downloaded to the NSM FIB is the static route.

How do I block the advertisement of default routes?

After release 7.0, the default route is not injected into ZebOS. However, if you are working with release 7.0 or earlier, you must apply a suitable route map in the redistribute kernel command for each protocol to block default route advertisement. For example:

    ns(config)#access-list 1 deny
    ns(config)#access-list 2 permit any
    ns(config)#route-map redist-kernel permit 5
    ns(config-route-map)#match ip address 1
    ns(config)#route-map redist-kernel permit 10
    ns(config-route-map)#match ip address 2
    ns(config-route-map)#q
    ns(config)#router ospf 1
    ns(config-router)#redistribute kernel route-map redist-kernel
    ns(config-router)#q
    ns(config)#q
    ns#show route-map
    route-map redist-kernel, permit, sequence 5
      Match clauses:
        ip address 1
      Set clauses:
    route-map redist-kernel, permit, sequence 10
      Match clauses:
        ip address 2
      Set clauses:
    ns#show access-list
    Standard IP access list 1
        deny
    Standard IP access list 2
        permit any

How do I view the debug output of networking daemons?

You can write debugging output from networking daemons to a file by entering the following log file command from the global configuration view in VTYSH:

    ns(config)#log file /var/zebos.log

With release 8.1, you can direct debug output to the console by entering the terminal monitor command from the VTYSH user view:

    ns#terminal monitor

How do I collect cores of running daemons?

You can use the gcore utility to collect cores of running daemons for processing by gdb. This can help in debugging misbehaving daemons without bringing the whole routing operation to a standstill.

    gcore [-s] [-c core] [executable] pid

The -s option temporarily stops the daemon while gathering the core image. This option is recommended because it guarantees that the resulting image shows the core in a consistent state.

    root@ns#gcore -s -c nsm.core /netscaler/nsm 342
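The default-route answer above and the route-map section under Configuring BGP both rely on the same evaluation rules: a route map is walked in sequence order, a match ip address clause that names an access list matches only when that list permits the prefix, and a route is rejected either by a deny sequence or by reaching the end of the map without any sequence matching. The Python below is an added illustration of those rules, not ZebOS or NetScaler code; the configuration text, the route-map names (block-default, leaky, bgp-out), the prefix-list ge/le handling and the kernel routes are all constructed for the example. It also shows the pitfall worth checking with show route-map and show access-list when a default route keeps leaking: a deny that sits inside the access list rather than on the route-map sequence only makes that sequence fall through, and a later permit-any sequence then carries the default route into the protocol.

```python
import ipaddress
from typing import Dict, List, Optional


class RouteMapConfig:
    """Parses the access-list / ip prefix-list / route-map / match ip address lines
    used in this chapter and evaluates prefixes against a route map (constructed)."""

    def __init__(self, text: str) -> None:
        self.acls: Dict[str, list] = {}          # id -> [(action, None|(addr, wildcard))]
        self.prefix_lists: Dict[str, list] = {}  # name -> [(action, network, ge, le)]
        self.route_maps: Dict[str, list] = {}    # name -> [{"seq", "action", "match"}]
        current: Optional[dict] = None
        for raw in text.splitlines():
            tok = raw.split()
            if not tok or tok[0].startswith("!"):
                continue  # blank line or "!" comment
            if tok[0] == "access-list":  # access-list <id> permit|deny any|<addr> <wildcard>
                entry = None if tok[3] == "any" else (
                    int(ipaddress.IPv4Address(tok[3])), int(ipaddress.IPv4Address(tok[4])))
                self.acls.setdefault(tok[1], []).append((tok[2], entry))
            elif tok[:2] == ["ip", "prefix-list"]:
                # ip prefix-list <name> seq <n> permit|deny <prefix> [ge N] [le M]
                net = ipaddress.IPv4Network(tok[6])
                ge = le = net.prefixlen
                if "ge" in tok:
                    ge, le = int(tok[tok.index("ge") + 1]), 32
                if "le" in tok:
                    le = int(tok[tok.index("le") + 1])
                self.prefix_lists.setdefault(tok[2], []).append((tok[5], net, ge, le))
            elif tok[0] == "route-map":  # route-map <name> permit|deny <sequence>
                current = {"seq": int(tok[3]), "action": tok[2], "match": None}
                self.route_maps.setdefault(tok[1], []).append(current)
            elif tok[:3] == ["match", "ip", "address"] and current is not None:
                # match ip address <acl-id>  |  match ip address prefix-list <name>
                current["match"] = (("prefix-list", tok[4]) if tok[3] == "prefix-list"
                                    else ("acl", tok[3]))
        for seqs in self.route_maps.values():
            seqs.sort(key=lambda s: s["seq"])

    def acl_permits(self, acl_id: str, net: ipaddress.IPv4Network) -> bool:
        """First matching entry decides; every access list ends in an implicit deny."""
        addr = int(net.network_address)
        for action, entry in self.acls.get(acl_id, []):
            if entry is None:
                return action == "permit"
            base, wildcard = entry
            care = ~wildcard & 0xFFFFFFFF  # a set wildcard bit means "don't care"
            if addr & care == base & care:
                return action == "permit"
        return False

    def prefix_list_permits(self, name: str, net: ipaddress.IPv4Network) -> bool:
        for action, pfx, ge, le in self.prefix_lists.get(name, []):
            if net.subnet_of(pfx) and ge <= net.prefixlen <= le:
                return action == "permit"
        return False  # implicit deny

    def permits(self, map_name: str, prefix: str) -> bool:
        """A sequence matches when its list PERMITS the prefix (a list deny only means
        "try the next sequence"); the first matching sequence's own permit/deny decides.
        If no sequence matches, the route map denies the route."""
        net = ipaddress.IPv4Network(prefix)
        for seq in self.route_maps.get(map_name, []):
            kind, ref = seq["match"] or (None, None)
            if kind is None:
                matched = True  # a sequence without a match clause matches everything
            elif kind == "acl":
                matched = self.acl_permits(ref, net)
            else:
                matched = self.prefix_list_permits(ref, net)
            if matched:
                return seq["action"] == "permit"
        return False


def redistributed(cfg: RouteMapConfig, map_name: str, routes: List[str]) -> List[str]:
    """Prefixes that 'redistribute kernel route-map <map_name>' would let through."""
    return [p for p in routes if cfg.permits(map_name, p)]


# Constructed configuration, not the guide's; 203.0.113.0/24 is a documentation prefix.
CONSTRUCTED_CONFIG = """
! block-default: reject the default route with a DENY SEQUENCE, then permit the rest
access-list 1 permit 0.0.0.0 0.0.0.0
access-list 2 permit any
route-map block-default deny 5
 match ip address 1
route-map block-default permit 10
 match ip address 2
! leaky: the deny is inside the access list, so the default route merely skips
! sequence 5 and is then permitted by sequence 10
access-list 3 deny 0.0.0.0 0.0.0.0
access-list 3 permit any
route-map leaky permit 5
 match ip address 3
route-map leaky permit 10
 match ip address 2
! bgp-out: advertise only /32 host routes (VIPs) inside 203.0.113.0/24
ip prefix-list vips seq 5 permit 203.0.113.0/24 ge 32
route-map bgp-out permit 10
 match ip address prefix-list vips
"""
KERNEL_ROUTES = ["0.0.0.0/0", "10.20.0.0/16", "203.0.113.7/32", "203.0.113.0/24"]

if __name__ == "__main__":
    cfg = RouteMapConfig(CONSTRUCTED_CONFIG)
    for name in ("block-default", "leaky", "bgp-out"):
        print(f"{name}: {redistributed(cfg, name, KERNEL_ROUTES)}")
```

The block-default map withholds 0.0.0.0/0 and passes everything else; the leaky map passes all four routes, default included, because its deny lives in access list 3 rather than on a sequence; the bgp-out map, using a prefix list with ge 32, passes only the /32 VIP host route, which is the shape of filter the route-map section under Configuring BGP describes for controlling advertised prefixes.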
How do I reload ZebOS.conf without rebooting the NetScaler?

The recommended method is to reload the configuration on the NetScaler through a reboot. Do not reload the ZebOS.conf file without rebooting the NetScaler except in unavoidable circumstances. To reload the ZebOS.conf file, you must:

A. Kill all routing protocol daemons, such as nsm, ospfd, ripd, and bgpd.
B. Edit the ZebOS.conf file, or copy the ZebOS.conf file and create a new one.
C. Restart each daemon with the new config file.

For example:

    ns(config)#show running-config
    Current configuration:
    interface 0/1
    interface 1/1
     ip address /24
    interface 1/2
    interface 1/3
    interface 1/4
    interface lo0
     ip address /8
    router bgp 1
     network /24
    route-map r1 permit 10
     match tag 1
     set metric 843
    end
    ns(config)#exit
    ns#write
    [Saved to /nsconfig/zebos.conf]
    ns#conf t
    root@ns# killall nsm ospfd ripd bgpd        <- Step A: killing all daemons
    root@ns# vi ZebOS.conf                      <- Step B: modifying the saved file
    ! Config for ZebOS version 6.0.1: (i386-unknown-freebsdelf4.9)
    interface 0/1
    interface 1/1
     ip address /24
    interface 1/2
    interface 1/3
    interface 1/4
    interface lo0
     ip address /8
    router ospf
     network area 1
    router bgp 1
     network /24
     network /24
    route-map r2 permit 10
     match tag 1
     set metric 843
    end
    ZebOS.conf: 34 lines, 396 characters.
    root@ns# /netscaler/nsm -d -f /nsconfig/zebos.conf &
    root@ns# /netscaler/ospfd -d -f /nsconfig/zebos.conf &
    root@ns# /netscaler/ripd -d -f /nsconfig/zebos.conf &
    root@ns# /netscaler/bgpd -d -f /nsconfig/zebos.conf &
    root@ns# exit
    > VTYSH
    ZebOS version 6.0.1: (i386-unknown-freebsdelf4.9)
    ns#show running-config
    Current configuration:
    interface 0/1
    interface 1/1
     ip address /24
    interface 1/2
    interface 1/3
    interface 1/4
    interface lo0
     ip address /8
    router ospf
     network area 1
    router bgp 1
     network /24
     network /24
    route-map r2 permit 10
     match tag 1
     set metric 843
    !
    end
    ns#

How do I run a batch of ZebOS commands?

You can run a batch of ZebOS commands from a file by entering the VTYSH -f <file-name> command. This does not replace the running configuration, but appends to it. However, by including in the batch file commands that delete the existing configuration, followed by the commands that add the new, desired configuration, you can use this mechanism to replace a specific configuration.

    !
    router bgp 234
     network
    !
    route-map bgp-out2 permit 10
    !
     set metric 9900
     set community 8602:300

Troubleshooting OSPF Specific Issues

Before you start debugging any OSPF specific issue, you must collect information from the NetScaler and from all systems in the affected LAN, including upstream and downstream routers. To begin, enter the following commands:

1. show interface (from both nscli and VTYSH)
2. show ip ospf interface
3. show ip ospf neighbor detail
4. show ip route
5. show ip ospf route
6. show ip ospf database summary
   A. If there are only a few LSAs in the database, enter show ip ospf database router, show ip ospf database network, show ip ospf database external, and other commands to get the full details of the LSAs.
   B. If there are a large number of LSAs in the database, enter the show ip ospf database self-originated command.
7. show ip ospf
8. show ns ip
   This ensures that the details of all VIPs of interest are included.
9. Get the logs from the peering devices and run the following command:

       gcore -s -c xyz.core /netscaler/ospfd <pid>

   Note: The gcore command is non-disruptive.

Collect additional information from the NetScaler as follows:

1. Enable logging of error messages by entering the following command from the global configuration view in VTYSH:

       ns(config)#log file /var/ospf.log

2. Get the details of:

       ./nsconmsg -d stats | grep ospf

3. For adjacency related defects, run the following command:

       ./nsapimgr -B "call nsospf_print_area"

4. Enable debugging of ospf events, ifsm, nfsm, and route, and log them by using the following command:

       ns(config)#log file /var/ospf.log

5. Enable debug ospf lsa packet only if the number of LSAs in the database is relatively small (fewer than 500).

Configuring IPv6 Static Routes

You can configure a maximum of six default IPv6 static routes. IPv6 routes are selected based on whether the MAC address of the destination device is reachable, which is determined by using the IPv6 Neighbor Discovery feature. Routes are load balanced, and only source/destination-based hash mechanisms are used. Therefore, route selection mechanisms such as round robin are not supported. The next hop address in the default route need not belong to the NSIP subnet.
Adding an IPv6 Route

The following table describes the parameters used to add an IPv6 route.

Parameters for creating an IPv6 route

Network (network)
    Network for which the route is being created. Mandatory.
Gateway IP (gateway)
    Gateway for this route. Mandatory.
VLAN (vlan)
    Virtual LAN (VLAN) number associated with the route. Possible values: 1 to Default: 0. Mandatory for the link-local address type.
Distance (distance)
    Administrative distance of this route. Possible values: 1 through 255. Default: 1.
Cost (cost)
    Value used by the routing algorithms to compare performance. The route with the lowest cost is the most preferred route. Possible values: 0 to
Weight (weight)
    Value for balancing the load on ECMP routes. This value is compared with the hashed value of the packet and a route is chosen. Specific to ECMP routes. Possible values: 1 to Default: 1.
Advertise (advertise)
    Advertise this route. Possible values: Enabled and Disabled. Default: Enabled.

Use either of the following procedures to add an IPv6 route.

To add an IPv6 route using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, click the IPv6 tab, and then click Add.
3. In the Create IPv6 Route dialog box, in the Network and Gateway IP text boxes, type the network and the gateway IP address for which you want to add a route (for example, ::/0 and fe80::67).
4. If you are adding a link-local IP address, in the VLAN text box, type the VLAN for which you want to add the route (for example, 5).
5. Click Create, and then click Close.

To add an IPv6 route using the NetScaler command line

    add route6 Network GatewayIPAddress -vlan Value

    add route6 ::/0 fe80::67 -vlan 5

Removing an IPv6 Route

Use either of the following procedures to remove an IPv6 route from the NetScaler.

To remove an IPv6 route using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, click the IPv6 tab.
3. Select the network from which you want to remove the route (for example, ::/0), and then click Remove.
4. In the Remove dialog box, click Yes.

To remove an IPv6 route using the NetScaler command line

    rm route6 Network GatewayIPAddress

    rm route6 ::/0 2001::1

Customizing an IPv6 Route

The following table describes the parameters used to customize a configured IPv6 route.

Parameters for customizing an IPv6 route

Distance (distance)
    Administrative distance of this route. Possible values: 1 through 255. Default: 1.
Cost (cost)
    Value used by the routing algorithms to compare performance. The route with the lowest cost is the most preferred route. Possible values: 0 to
Weight (weight)
    Value for balancing the load on ECMP routes. This value is compared with the hashed value of the packet and a route is chosen. Specific to ECMP routes. Possible values: 1 to Default: 1.
Advertise (advertise)
    Advertise this route. Possible values: Enabled and Disabled. Default: Enabled.

To customize an IPv6 route using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and click Routes.
2. On the Routes page, click the IPv6 tab.
3. Select the network that you want to customize (for example, ::/0) and click Open.
4. In the Configure IPv6 Route dialog box, in the Distance, Cost, and Weight text boxes, modify the distance, cost, and weight (for example, 1, 2, and 5).
5. To enable advertising the IPv6 route, select the Advertise check box.

To customize an IPv6 route using the NetScaler command line

    set route6 Network GatewayIP -distance Value -cost Value -weight Value -advertise Value

    set route6 1::1/ ::1 -distance 1 -cost 2 -weight 5 -advertise Enabled

Verifying the Configuration

Use either of the following procedures to display the configured IPv6 routes so that you can verify the settings.

To display the IPv6 routes using the configuration utility

1. In the navigation pane, expand Network, expand Routing, and then click Routes.
2. On the Routes page, click the IPv6 tab.

To display the IPv6 routes using the NetScaler command line

    show route6
CHAPTER 5

IP version 6

The NetScaler supports most, but not all, features of IPv6. You have to license the IPv6 feature before you can implement it. After setting up your basic configuration, you can configure neighbor discovery and router learning, and you can apply IPv6 support to various NetScaler features.

In This Chapter

    IPv6 Features
    Implementing IPv6 Support
    Configuring Neighbor Discovery and Router Learning
    Adding IPv6 Support to NetScaler Features

IPv6 Features

The NetScaler supports both server-side and client-side IPv6. This means that the NetScaler can function as an IPv6 node. It can accept connections from IPv6 nodes (both hosts and routers) and from IPv4 nodes. Depending on the configuration of your servers, the NetScaler can perform Protocol Translation (RFC 2765) before sending traffic to the services. The following table shows which IPv6 features the NetScaler supports.

Supported and Unsupported IPv6 Features

Supported   Feature
Yes         IPv6 addresses for SNIPs (NSIP6, VIP6, and SNIP6)
Yes         Neighbor Discovery (Address Resolution, Duplicate Address Detection, Neighbor Unreachability Detection, Router Discovery, PD)
Yes         Management Applications (ping6, telnet6, ssh6)
Yes         Static Routing and Dynamic Routing (OSPF)
Yes         Port Based VLANs
Yes         Access Control Lists for IPv6 addresses (ACL6)
Yes         IPv6 Protocols (TCP6, UDP6, ICMP6, FTP6)
Yes         Server Side Support (IPv6 addresses for vservers, services)
Yes         Tools Support (Packet capture, nserrinject, nstxtest, nsapimgr, nsconmsg)
Yes         USIP (Use Source IP) and DSR (Direct Server Return) for IPv6
Yes         SNMP and CVPN for IPv6
No          HA with native IPv6 node address
No          IPv6 addresses for MIPs
No          Path-MTU discovery for IPv6

Implementing IPv6 Support

IPv6 support is a licensed feature, which you have to enable before you can use or configure it. The next step is to add your IPv6 addresses. For most users, adding the addresses and customizing them are separate procedures, followed by verifying the configuration. You can display IPv6 statistics to monitor your configuration.

Enabling or Disabling IPv6

If IPv6 is disabled, the NetScaler does not process IPv6 packets. It displays the following warning when you run an unsupported command:

    "Warning: Feature(s) not enabled [IPv6PT]"

The following message appears if you attempt to run IPv6 commands without the appropriate license:

    "ERROR: Feature(s) not licensed"

After licensing the feature, use either of the following procedures to enable or disable IPv6.

To enable or disable IPv6 using the configuration utility

1. In the navigation pane, expand System and click Settings.
2. In the Settings page, under the Modes & Features group, click change advanced features.
3. In the Configure Advanced Features dialog box, do one of the following:
   - To enable IPv6, select the IPv6 Protocol Translation check box.
   - To disable IPv6, clear the IPv6 Protocol Translation check box.
4. Click OK.
5. In the Enable/Disable Feature(s)? dialog box, click Yes.

To enable or disable IPv6 using the NetScaler command line

At the NetScaler command prompt, type one of the following:

    enable ns feature Value
    disable ns feature Value

    enable ns feature ipv6pt
    disable ns feature ipv6pt

Adding an IPv6 Address

You can configure one global NSIP IPv6 address at run time. If you create a new global IPv6 NSIP, the old one is overwritten. The NetScaler is configured with one link-local address that can be modified. Both of these addresses respond to ping, telnet, and ssh.

You can configure NSIPs and SNIPs for management access. Management access is enabled by default for the NSIP but disabled by default for SNIPs. The NetScaler does not support MIPs with IPv6 addresses. If default routes are not configured, packets that do not belong to the NSIP subnet are dropped.

The following table lists and describes the parameters required for adding a basic IPv6 address.

IPv6 Basic Parameters

IPv6Address
    Unique identification used to represent the NetScaler. IPv6 address. Mandatory parameter.
Scope (scope)
    Scope of the IPv6 address. Possible values: global and link-local. Default: global.
Type (type)
    Type of IPv6 address. Possible values: NSIP, SNIP, and VIP. Default: SNIP.
Mapped IP (map)
    Mapped IPv4 address for the IPv6 address. All incoming requests are translated into a form that is acceptable to the servers by modifying the host header information.

The following procedure includes an example for adding fe80::2c0:95ff:fec5:d9b8 as a link-local IPv6 address.

To add an IPv6 address using the configuration utility

1. In the navigation pane, expand Network and click IPs.
2. In the IPs page, on the IPV6s tab, click Add.
3. In the Create IP6 dialog box, in the IPv6 Address text box, type the IPv6 address that you want to configure (for example, fe80::2c0:95ff:fec5:d9b8).
4. In the Scope drop-down list box, select the scope of the IPv6 address (for example, link-local).
5. Click Create, and then click Close.

To add an IPv6 address using the NetScaler command line

    add nsip6 IPv6Address -scope Value

    add nsip6 fe80::2c0:95ff:fec5:d9b8 -scope link-local

The following procedure includes examples for adding a global IPv6 address (2002::50) with a specified prefix length (64).

Note: You can configure only one link-local IPv6 address. The default link-local IPv6 address type is SNIP.

To add an IPv6 address with prefix length using the configuration utility

1. In the navigation pane, expand Network and click IPs.
2. In the IPs page, click the IPV6s tab and click Add.
3. In the Create IP6 dialog box, in the IPv6 Address text box, type the IPv6 address and prefix length that you want to configure (for example, 2002::50/64).
4. In the Scope drop-down list box, select the scope of the IPv6 address (for example, global).
5. In the Type drop-down list box, select the type of the IPv6 address (for example, NSIP).
6. Click Create, and then click Close.

To add an IPv6 address with prefix length using the NetScaler command line

    add nsip6 IPv6Address/Prefixlen -scope Value -type Value

    add nsip6 2002::50/64 -scope global -type NSIP

Customizing SNIP and NSIP IPv6 Addresses

You can access and manage the NetScaler through services such as Telnet, SSH, GUI, and FTP. These services can provide access to the NetScaler IP address (NSIP) and to Subnet IP addresses (SNIPs). The following table describes the parameters used to customize the SNIP and NSIP addresses.

Customizable Parameters of SNIP and NSIP IPv6 Addresses

Telnet (telnet)
    Telnet access to the IPv6 address. Possible values: Enabled and Disabled. Default: Enabled.
FTP (ftp)
    File Transfer Protocol (FTP) access to the IPv6 address. Possible values: Enabled and Disabled. Default: Enabled.
GUI (gui)
    Graphical User Interface (GUI) access to the IPv6 address. Possible values: Enabled, SECUREONLY, and Disabled. Default: Enabled.
SSH (ssh)
    Secure Shell (SSH) access to the IPv6 address. Possible values: Enabled and Disabled. Default: Enabled.
SNMP (snmp)
    Simple Network Management Protocol (SNMP) access to the IPv6 address. Possible values: Enabled and Disabled. Default: Enabled.
Management Access (mgmtaccess)
    External access to the IPv6 address. Possible values: Enabled and Disabled. Default: Disabled.
Enable Dynamic Routing (dynamicrouting)
    Enable dynamic routing on the IPv6 address. Possible values: Enabled and Disabled. Default: Disabled.

The following procedures include examples for modifying the IPv6 address 2008:0:0:0:0:0:0:13/128 to enable management access control. These procedures do not affect existing connections.

To modify a SNIP or NSIP IPv6 address using the configuration utility

1. In the navigation pane, expand Network and click IPs.
2. In the IPs page, click the IPV6s tab and select the IP address that you want to modify (for example, 2008:0:0:0:0:0:0:13/64).
3. Click Open.
4. In the Configure IPV6 dialog box, select the parameter or parameters to enable (for example, under Application Access Controls, select the Enable Management Access control to support the below listed applications check box, and then select the application or applications to enable).
5. Click OK.

To modify an IPv6 address using the NetScaler command line

    set ns ip6 IPAddress -Parameter value

    set ns ip6 2008:0:0:0:0:0:0:13/64 -mgmtaccess enabled

Customizing VIP IPv6 Addresses

The virtual server IPv6 address (VIP) is the IP address associated with a vserver. Specifying a VIP is not mandatory when you initially configure the NetScaler. You can host the same vserver on multiple NetScalers residing in the same broadcast domain by using ICMP attributes. The following table describes the parameters used to customize an IPv6 VIP address.

Parameters of VIP IPv6 Addresses

ICMP (icmp)
    Use Internet Control Message Protocol (ICMP) to send error messages. The user network applications that use ICMP are ping and traceroute. Possible values: Enabled and Disabled. Default: Enabled.
Virtual Server (virtualserver)
    Vserver attribute of the IPv6 address. Possible values: Enabled and Disabled. Default: Enabled.
ND Responses (nd)
    Send neighbor discovery responses from this IPv6 address. Possible values: Enabled and Disabled. Default: Enabled.
Host Route (hostroute)
    Advertise a route to this address. Possible values: Enabled and Disabled. Default: Disabled.
Host Route Gateway (ip6hostrtgw)
    IPv6 address of the network that is advertised as the route to connect the network to external networks such as the Internet. Default: 0.
metric (metric)
    Value used by routing algorithms to compare the performance of the route. The route with the lowest metric is the preferred route. Based on the routing protocol selected, a default value is assigned to the route. To change the default value, assign a value to this parameter. Possible values: +a to -z.
VIP RHI Controls (vserverrhilevel)
    Advertise the host route associated with the VIP when the specified vservers are UP. Possible values: ONE_VSERVER, ALL_VSERVERS, and NONE. Default: ONE_VSERVER.
OSPF6 Route Adv Type (ospf6lsatype)
    Route advertisement type used by the OSPF6 protocol to discover and maintain neighbor relationships. Possible values: Intra_Area, External. Default: External.
OSPF Area ID (ospfarea)
    Logical collection of OSPF networks, routers, and links that are identified by an Area ID. Possible values: 0. If Host Route is disabled, this route is not advertised.

The following procedure includes an example for modifying the VIP IPv6 address 2002:0:0:0:0:0:0:45/128 by enabling host route advertising and specifying OSPF advertising.

To modify a VIP IPv6 address using the configuration utility

1. In the navigation pane, expand Network and click IPs.
2. In the IPs page, click the IPV6s tab and select the VIP IPv6 address that you want to modify (for example, 2002:0:0:0:0:0:0:45/64).
3. Click Open.
4. In the Configure IPV6 dialog box, select or enter values for the parameters you want to set. For example, in the Host Route, VIP RHI Controls, and OSPF6 Route Adv Type list boxes, select the host route, VIP RHI controls, and OSPF6 route advertisement type (for example, enabled, ONE_VSERVER, and External).
5. Click OK.

To modify an IPv6 address using the NetScaler command line

    set ns ip6 IPAddress -Parameter value

    set ns ip6 2002:0:0:0:0:0:0:45/64 -mgmtaccess enabled

Verifying the Configuration

When your configuration is complete, display the IPv6 parameters to verify their settings.
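The following Python model is an added example, not NetScaler code. It encodes the address rules and management-access flags described above for nsip6 addresses (scope and type, the single global NSIP, the per-service flags and their defaults, and the fact that mgmtaccess is on by default for the NSIP and off for SNIPs). The audit() method, which lists addresses that expose clear-text management services, is a review check written for this example rather than an appliance feature; the IPv6Config and NsIp6 names are this example's own, while the flag names, defaults and the SECUREONLY value are those given in the parameter tables.

```python
"""Rules for nsip6 addresses and their management-access flags.

Added example, not NetScaler code. From the guide: scope is global or
link-local; type is NSIP, SNIP or VIP (default SNIP; MIPs are not supported
for IPv6); only one global NSIP exists and adding another overwrites it;
telnet, ftp, gui, ssh and snmp default to enabled but are only reachable
when mgmtaccess is enabled, which is the default for the NSIP and not for
SNIPs; gui may also be SECUREONLY. The audit() check and the decision to
treat telnet, ftp, snmp and non-SECUREONLY gui as clear-text are this
example's own hardening review, not appliance behaviour.
"""
from dataclasses import dataclass, field
from ipaddress import IPv6Interface

SERVICES = ("telnet", "ftp", "gui", "ssh", "snmp")
CLEARTEXT = {"telnet", "ftp", "snmp"}
ADDRESS_TYPES = ("NSIP", "SNIP", "VIP")   # no MIP type for IPv6


@dataclass
class NsIp6:
    address: IPv6Interface
    scope: str
    type: str
    flags: dict = field(default_factory=dict)

    def exposed_services(self):
        """Services reachable on this address: none unless mgmtaccess is
        enabled, otherwise every individually enabled service."""
        if self.flags.get("mgmtaccess") != "enabled":
            return []
        return [s for s in SERVICES if self.flags.get(s) != "disabled"]


class IPv6Config:
    def __init__(self):
        self.addresses = {}   # "address/prefix" -> NsIp6, in creation order

    def add_nsip6(self, address, scope="global", type="SNIP"):
        """Mirror of `add nsip6 <address> -scope <scope> -type <type>`."""
        if scope not in ("global", "link-local"):
            raise ValueError("scope must be global or link-local")
        if type not in ADDRESS_TYPES:
            raise ValueError("type must be NSIP, SNIP or VIP")
        iface = IPv6Interface(address)
        if (scope == "link-local") != iface.ip.is_link_local:
            raise ValueError("scope does not match the address (fe80::/10 is link-local)")
        if type == "NSIP" and scope == "global":
            # Only one global NSIP: a new one replaces the old.
            for key in [k for k, e in self.addresses.items()
                        if e.type == "NSIP" and e.scope == "global"]:
                del self.addresses[key]
        flags = {s: "enabled" for s in SERVICES}
        flags["mgmtaccess"] = "enabled" if type == "NSIP" else "disabled"
        flags["dynamicrouting"] = "disabled"
        entry = NsIp6(iface, scope, type, flags)
        self.addresses[str(iface)] = entry
        return entry

    def set_ns_ip6(self, address, **params):
        """Mirror of `set ns ip6 <address> -<parameter> <value>`."""
        entry = self.addresses[address]
        for name, value in params.items():
            if name not in entry.flags:
                raise ValueError(f"unknown parameter {name}")
            allowed = ("enabled", "disabled", "SECUREONLY") if name == "gui" else ("enabled", "disabled")
            if value not in allowed:
                raise ValueError(f"{name} must be one of {allowed}")
            entry.flags[name] = value
        return entry

    def audit(self):
        """Return (address, type, services) for each address that exposes a
        clear-text management service; the GUI counts unless SECUREONLY."""
        findings = []
        for key, entry in self.addresses.items():
            weak = sorted(s for s in entry.exposed_services()
                          if s in CLEARTEXT
                          or (s == "gui" and entry.flags["gui"] != "SECUREONLY"))
            if weak:
                findings.append((key, entry.type, weak))
        return findings
```

The point the audit makes is that enabling mgmtaccess on a SNIP exposes every service left at its default, so the per-service flags should be set at the same time the master switch is turned on.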
To display a configured IPv6 address using the configuration utility

In the navigation pane, expand Network and click IPs. The IPs page appears in the details pane. Click the IPV6s tab. The IPs page displays the configured IPv6 addresses and, for each address, shows the state, scope, type, and mapped IP address. (To set a mapped IP address, see Host Header Modification, on page 146.)

To display a configured IPv6 address using the NetScaler command line

    show ns ip6

Monitoring the Configuration

To monitor your configuration, you can display statistics for an IPv6 address. The following table describes the statistics associated with IPv6.

IPv6 Statistics

IPv6 packets received
    IPv6 packets received.
IPv6 bytes received
    Bytes of IPv6 data received.
IPv6 packets transmitted
    IPv6 packets transmitted.
IPv6 bytes transmitted
    Bytes of IPv6 data transmitted.
IPv6 Fragments received
    IPv6 fragments received.
TCP Fragments reassembled
    TCP fragments processed after reassembly.
UDP Fragments reassembled
    UDP fragments processed after reassembly.
IPv6 Fragments processed without reassembly
    IPv6 fragments processed without reassembly.
IPv6 Fragments bridged
    IPv6 fragments forwarded to the client or server without reassembly.
IPv6 error hdr packets
    Packets received that contain an error in one or more components of the IPv6 header.
IPv6 unsupported next header
    Packets received that contain an unsupported next header. The supported next headers are TCP, ICMP, UDP, OSPF, and FRAGMENT.
IPv6 Land-attacks
    Land-attack packets received. The source and destination addresses are the same. If not dropped, these packets can lock up the appliance.
Reassembled data too big
    Packets received for which the reassembled data exceeds the Ethernet packet data length of 1500 bytes.
Zero fragment length received
    Packets received with a fragment length of 0 bytes.

Use either of the following procedures to display IPv6 statistics, such as the number of IPv6 packets transmitted and received and the number of IPv6 bytes transmitted and received.

To display the IPv6 statistics using the configuration utility

1. In the navigation pane, expand Network and click IPs.
2. In the IPs page, click the IPV6s tab and select the IPv6 address for which you want to view statistics.
3. Click Statistics.

To view the IPv6 statistics using the NetScaler command line

    stat protocol ipv6

Configuring Neighbor Discovery and Router Learning

The NetScaler supports neighbor discovery (ND) for IPv6. When the state of a vserver changes from DOWN to UP, the NetScaler sends gratuitous or unsolicited NA messages. The NetScaler also supports router learning.

Neighbor Discovery

Neighbor discovery (ND) is one of the most important protocols of IPv6. It is a message-based protocol that combines the functionality of the Address Resolution Protocol (ARP), Internet Control Message Protocol (ICMP), and Router Discovery. ND allows nodes to advertise their link-layer addresses and obtain the MAC addresses or link-layer addresses of neighboring nodes. This process is performed by the Neighbor Discovery protocol (ND6).

Neighbor discovery can perform the following functions:

Router Discovery. Enables a host to discover the local routers on an attached link and automatically configure a default router.

Prefix Discovery. Enables the host to discover the network prefixes for local destinations.
Note: Currently, the NetScaler does not support Prefix Discovery.

Parameter Discovery. Enables a host to discover additional operating parameters, such as the MTU and the default hop limit for outbound traffic.

Address Autoconfiguration. Enables hosts to automatically configure IP addresses for interfaces, both with and without stateful address configuration services such as DHCPv6. The NetScaler does not support Address Autoconfiguration for global IPv6 addresses.

Address Resolution. Equivalent to ARP in IPv4, enables a node to resolve a neighboring node's IPv6 address to its link-layer address.

Neighbor Unreachability Detection. Enables a node to determine the reachability state of a neighbor.

Duplicate Address Detection. Enables a node to determine whether an NSIP address is already in use by a neighboring node.

Redirect. Equivalent to the IPv4 ICMP Redirect message, enables a router to redirect the host to a better first-hop IPv6 address to reach a destination.

Note: The NetScaler does not support IPv6 Redirect.

To enable neighbor discovery, you must create entries for the neighbors.

Adding IPv6 Neighbors

The following table describes the parameters required for adding an IPv6 neighbor.

Neighbor Discovery Parameters

Neighbor (neighbor)
    IPv6 neighbor entry. Mandatory.
MAC Address (mac)
    Unique address assigned to identify the network appliance. Mandatory.
Interface (ifnum)
    The interface on which the MAC resides. Mandatory.
VLAN (vlan)
    Virtual LAN (VLAN) that the neighbor is part of.

To add an IPv6 neighbor using the configuration utility

1. In the navigation pane, expand Network and click IPv6 Neighbors.
2. In the IPv6 Neighbors page, click Add.
3. In the Create IPv6 Neighbor dialog box, in the Neighbor and MAC Address text boxes, respectively, type the IPv6 address and MAC address of the neighbor (for example, 3ffe:100:100::1 and 00:d0:68:0b:58:da).
4. If the neighbor is part of a VLAN, in the VLAN field, type the VLAN ID (for example, 1).
5. In the Interface list box, select the interface of the neighbor (for example, LO/1).
6. Click Create, and then click Close.

To add an IPv6 neighbor using the NetScaler command line

    add nd6 Neighbor MACAddress IFnum [-vlan Value]

    add nd6 3ffe:100:100::1 00:d0:68:0b:58:da 1/3 -vlan 1

Removing IPv6 Neighbors

Use either of the following procedures to remove a single Neighbor Discovery (ND6) entry from the NetScaler.

To remove a neighbor discovery entry using the configuration utility

1. In the navigation pane, expand Network and click IPv6 Neighbors.
2. In the IPv6 Neighbors page, select the neighbor entry that you want to remove (for example, 3ffe:100:100::1).
3. Click Remove.

To remove a neighbor discovery entry using the NetScaler command line

    rm nd6 Neighbor -vlan Value

    rm nd6 3ffe:100:100::1 -vlan 1

Use either of the following procedures to clear all Neighbor Discovery (ND6) entries from the NetScaler.

To remove neighbor discovery entries using the configuration utility

1. In the navigation pane, expand Network and click IPv6 Neighbors.
2. In the IPv6 Neighbors page, click Clear.

To remove neighbor discovery entries using the NetScaler command line

    clear nd6

Displaying Discovered Neighbors

Use either of the following procedures to display information about the neighbors configured for discovery.

To view discovered neighbors using the configuration utility

In the navigation pane, expand Network and click IPv6 Neighbors. The IPv6 Neighbors page appears in the details pane, displaying the Neighbor, MAC Address, VLAN, Interface, State, and Time parameters.

To view discovered neighbors using the NetScaler command line

    show nd6

Router Learning

The NetScaler can learn default routers from RA and RS messages. However, the NetScaler ignores other properties in RA messages, such as the prefix list and MTU. Use either of the following procedures to enable router advertisement learning.

To enable router discovery learning using the configuration utility

1. In the navigation pane, click Network.
2. In the Network page, click the Router Advertisement Learning link.
3. In the Configure RA Learning dialog box, select the Enable Router Advertisement Learning check box.
4. Click OK.

To enable router discovery learning using the NetScaler command line

    set ipv6 -ralearning Value

    set ipv6 -ralearning enabled
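The IPv6 statistics table earlier in this chapter lists several counters that correspond to packets the NetScaler rejects: IPv6 error hdr packets, IPv6 unsupported next header, IPv6 Land-attacks, Zero fragment length received, and Reassembled data too big. The following Python classifier is an added example, not NetScaler code: it parses constructed raw IPv6 packets and increments counters named as in that table, using the supported next headers (TCP, ICMP, UDP, OSPF, FRAGMENT) and the 1500-byte reassembly limit the table gives. The packet builders, the Ipv6Stats class and its minimal reassembly bookkeeping are this example's own assumptions.

```python
"""Header sanity checks that feed the IPv6 statistics counters.

Added example, not NetScaler code. The counter names and the rules behind
them (supported next headers, same source and destination as a land attack,
zero-length fragments, reassembled data above 1500 bytes) come from the
guide's statistics table; the packet construction and the per-(src, dst, id)
reassembly accounting are this example's own simplification.
"""
import struct
from collections import Counter, defaultdict
from ipaddress import IPv6Address

IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8
NH_TCP, NH_UDP, NH_FRAGMENT, NH_ICMPV6, NH_OSPF = 6, 17, 44, 58, 89
SUPPORTED_NH = {NH_TCP, NH_UDP, NH_FRAGMENT, NH_ICMPV6, NH_OSPF}
MAX_REASSEMBLED = 1500   # Ethernet payload limit named in the table


def build_ipv6(src, dst, next_header, payload, version=6):
    """Construct a raw IPv6 packet: 40-byte fixed header plus payload.
    Traffic class and flow label are left at zero; hop limit is 64."""
    first_word = version << 28
    header = struct.pack("!IHBB16s16s", first_word, len(payload), next_header, 64,
                         IPv6Address(src).packed, IPv6Address(dst).packed)
    return header + payload


def build_fragment(src, dst, ident, offset, more, inner_nh, data):
    """Construct a fragment: IPv6 header, fragment extension header, data."""
    offset_flags = ((offset // 8) << 3) | (1 if more else 0)
    frag_hdr = struct.pack("!BBHI", inner_nh, 0, offset_flags, ident)
    return build_ipv6(src, dst, NH_FRAGMENT, frag_hdr + data)


class Ipv6Stats:
    def __init__(self):
        self.counters = Counter()
        self._reassembly = defaultdict(int)   # (src, dst, id) -> bytes collected

    def process(self, pkt):
        """Classify one packet, bump the matching counter and return its name
        ('accepted' or 'fragment queued' when nothing is wrong)."""
        self.counters["IPv6 packets received"] += 1
        self.counters["IPv6 bytes received"] += len(pkt)
        if len(pkt) < IPV6_HDR_LEN:
            return self._drop("IPv6 error hdr packets")
        first_word, plen, nh, _hop, src, dst = struct.unpack("!IHBB16s16s", pkt[:IPV6_HDR_LEN])
        if first_word >> 28 != 6 or plen != len(pkt) - IPV6_HDR_LEN:
            return self._drop("IPv6 error hdr packets")
        if src == dst:
            return self._drop("IPv6 Land-attacks")
        if nh not in SUPPORTED_NH:
            return self._drop("IPv6 unsupported next header")
        if nh == NH_FRAGMENT:
            return self._fragment(src, dst, pkt[IPV6_HDR_LEN:])
        return "accepted"

    def _fragment(self, src, dst, ext):
        if len(ext) < FRAG_HDR_LEN:
            return self._drop("IPv6 error hdr packets")
        _nh, _reserved, _offset_flags, ident = struct.unpack("!BBHI", ext[:FRAG_HDR_LEN])
        data_len = len(ext) - FRAG_HDR_LEN
        self.counters["IPv6 Fragments received"] += 1
        if data_len == 0:
            return self._drop("Zero fragment length received")
        key = (src, dst, ident)
        self._reassembly[key] += data_len
        if self._reassembly[key] > MAX_REASSEMBLED:
            del self._reassembly[key]
            return self._drop("Reassembled data too big")
        return "fragment queued"

    def _drop(self, counter):
        self.counters[counter] += 1
        return counter
```

Each check runs before the payload is touched, which is the order that matters for the land-attack case: the packet is discarded on the address comparison alone, so it never reaches the transport layer.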
Adding IPv6 Support to NetScaler Features

A number of NetScaler components use IPv6 addresses or support the use of IPv6 addresses. The following table lists the components that support IPv6 addresses and the sections that document them.

Components that support the use of IPv6 addresses

NetScaler Component   Section that documents IPv6 support                          Document Title
Network               Adding, Customizing, Removing, Removing all, and Viewing routes   Citrix NetScaler Networking Guide
SSL Offload           Creating IPv6 vservers for SSL Offload                        Citrix NetScaler Traffic Management Guide
SSL Offload           Specifying IPv6 SSL Offload Monitors                          Citrix NetScaler Traffic Management Guide
SSL Offload           Creating IPv6 SSL Offload Servers                             Citrix NetScaler Traffic Management Guide
Load Balancing        Creating IPv6 vservers for Load Balancing                     Citrix NetScaler Traffic Management Guide
Load Balancing        Specifying IPv6 Load Balancing Monitors                       Citrix NetScaler Traffic Management Guide
Load Balancing        Creating IPv6 Load Balancing Servers                          Citrix NetScaler Traffic Management Guide
DNS                   Creating AAAA Records                                         Citrix NetScaler Traffic Management Guide

You can also configure LB, CS, and CR vservers with IPv6 addresses, and you can create IPv6 VLANs. You can configure host header modification to send IPv6 requests to servers with IPv4 addresses, and VIP insertion to enable the servers to identify the IPv6 vservers that send requests.

Adding an IPv6 Vserver

The following procedures include examples for adding a vserver named VS1 of type HTTP with the global IPv6 address 2002::45. The procedure fails if the IPv6 address of a vserver is not a global address.

To add an IPv6 vserver using the configuration utility

1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2. In the Load Balancing Virtual Servers page, click Add. The Create Virtual Servers (Load Balancing) dialog box appears.
3. Select the IPv6 check box.
4. In the Name, Port, and IP Address text boxes, type the name, port, and IP address of the vserver (for example, vserver-lb-6, 80, and 2002::45/64).
5. In the Protocol drop-down list box, select the type of the vserver (for example, HTTP).
6. Click Create, and then click Close.

To add an IPv6 vserver using the NetScaler command line

    add lb vserver Vservername Protocol IPv6Address Port

    add lb vserver vserver-lb-6 HTTP 2002::45/64 80

VLAN Support

If you need to send broadcast or multicast packets without identifying the VLAN (for example, during DAD for the NSIP, or ND6 for the next hop of a route), you can configure the NetScaler to send the packet on all the interfaces with appropriate tagging. The VLAN is identified by ND6, and a data packet is sent only on that VLAN. For more information on ND6 and VLANs, see Adding IPv6 Neighbors.

Port-based VLANs are common to IPv4 and IPv6. Prefix-based VLANs are supported for IPv6.

Simple Deployment Scenario

Following is an example of a simple load balancing setup consisting of an IPv6 vserver and IPv4 services, as illustrated in the following topology diagram.
155 Chapter 5 IP version IPv6 sample topology The following table summarizes the names and values of the entities that must be configured on the NetScaler. Entity values to be configured on the NetScaler Entity Type Name Value LB Vserver VS1_IPv6 2002::9 Services SVC SVC
156 144 Citrix NetScaler Networking Guide The following figure shows the entities and values of the parameters to be configured on the NetScaler. IPv6 Entity Diagram To configure this deployment scenario, you need to do the following: 1. Create an IPv6 service 2. Create an IPv6 LB vserver 3. Bind the services to the vserver The following procedure describes the steps to add two services, SVC1 and SVC2, of type HTTP. To create the IPv4 services using the configuration utility 1. In the navigation pane, expand Load Balancing and click Services. 2. On the Services page, click Add. 3. In the Create Service dialog box, in the Service Name, Server, and Port text boxes, type the name, IP address, and port of the service (for example, SVC1, , and 80). 4. In the Protocol drop-down list box, select the type of the service (for example, HTTP). 5. Click Create and click Close.
6. Repeat Steps 1-5 to create a service SVC2 with the second server's IPv4 address and port 80.
To create the IPv4 services using the NetScaler command line
add service Name IPAddress Protocol Port
add service SVC1 IPAddress HTTP 80
add service SVC2 IPAddress HTTP 80
You can use either of the following procedures to add an IPv6 vserver named VS1_IPv6 of type HTTP, with an IP address of 2002::9.
To create the IPv6 vserver using the configuration utility
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2. In the Load Balancing Virtual Servers page, click Add.
3. In the Create Virtual Servers (Load Balancing) dialog box, select the IPv6 check box.
4. In the Name, Port, and IP Address text boxes, type the name, port, and IP address of the vserver (for example, VS1_IPv6, 80, and 2002::9).
5. Click Create and click Close.
To create the IPv6 vserver using the NetScaler command line
add lb vserver Name Protocol IPv6Address Port
add lb vserver VS1_IPv6 HTTP 2002::9 80
Use either of the following procedures to bind the services to the vserver.
To bind a service to an LB vserver using the configuration utility
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2. In the Load Balancing Virtual Servers page, select the vserver to which you want to bind the service (for example, VS1_IPv6).
3. Click Open.
4. In the Configure Virtual Server (Load Balancing) dialog box, on the Services tab, select the Active check box corresponding to the service that you want to bind to the vserver (for example, SVC1).
5. Click OK.
6. Repeat Steps 1-5 to bind the second service (for example, SVC2) to the vserver.
To bind a service to an LB vserver using the NetScaler command line
bind lb vserver Name ServiceName
bind lb vserver VS1_IPv6 SVC1
Repeat the command for SVC2.
The vserver receives IPv6 packets, and the NetScaler performs protocol translation (RFC 2765) before sending the traffic to the IPv4-based services.
Host Header Modification
When an HTTP request carries an IPv6 address in the Host header and the back-end server does not understand IPv6 addresses, you must map the IPv6 address to an IPv4 address. The mapped IPv4 address is then used in the Host header of the HTTP request that the NetScaler sends to the server.
The following procedures include examples for mapping an IPv4 address to the VIP 2002::9.
To change the IPv6 address in the host header to an IPv4 address using the configuration utility
1. In the navigation pane, expand Network and click IPs.
2. In the IPs page, click the IPV6s tab and select the IP address for which you want to configure a mapped IP address (for example, 2002:0:0:0:0:0:0:9).
3. Click Open.
4. In the Configure IP6 dialog box, in the Mapped IP text box, type the IPv4 address to map to this VIP.
5. Click OK.
To change the IPv6 address in the host header to an IPv4 address using the NetScaler command line
set ns ip6 IPv6Address -map IPAddress
159 Chapter 5 IP version set ns ip6 2002::9 -map VIP Insertion If an IPv6 address is sent to an IPv4-based server, the server may not understand the IP address in the HTTP header, and may generate an error. To avoid this, you can map an IPv4 address to the IPv6 VIP and enable VIP insertion The following procedures include examples for mapping IPv4 address to VIP 2002::9. To configure a mapped IPv6 address using the configuration utility 1. In the navigation pane, expand Networks and click IPs. 2. In the IPs page, click the IPV6s tab and select the IP address for which you want to configure a mapped IP address (for example, 2002:0:0:0:0:0:0:9). 3. Click Open. 4. In the Configure IP6 dialog box, in the Mapped IP text box, type the mapped IP address that you want to configure (for example, ). 5. Click OK. To configure a mapped IPv6 address using the NetScaler command line set ns ip6 IPv6Address -map IPAddress set ns ip6 2002::9 -map Use either of the following procedures to enable insertion of an Ipv4 VIP address and port number in the HTTP requests sent to the servers. To enable VIP insertion using the configuration utility 1. In the navigation pane, expand Load Balancing and click Virtual Servers. 2. In the Load Balancing Virtual Servers page, in the Load Balancing Virtual Servers page, select the vserver that you want to enable port insertion (for example, VS1_IPv6). 3. Click Open. 4. In the Configure Virtual Server (Load Balancing) dialog box, click the Advanced tab.
5. In the Vserver IP Port Insertion drop-down list box, select VIPADDR.
6. In the Vserver IP Port Insertion text box, type the name of the header that will carry the VIP address and port.
To enable VIP insertion using the NetScaler command line
set lb vserver Name -insertvserveripport Value
set lb vserver VS1_IPv6 -insertvserveripport VIPADDR
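The Host header mapping and VIP insertion procedures above describe two rewrites the NetScaler applies to a request before it reaches an IPv4-only server. The following Python script is an added example, not Citrix code, that performs the same two rewrites on a constructed request so you can see the exact bytes the server receives. It assumes 2002::9 is mapped to the documentation address 192.0.2.9 and that the inserted header is named X-Vserver-IP; neither value comes from the guide, which leaves the mapped address and the header name to the administrator.

```python
"""Added example, not Citrix code: apply the v6-to-v4 Host header mapping and
VIP insertion from the guide to an HTTP request, as an IPv4-only server must
see it.

Assumptions (not from the guide): the IPv6 VIP 2002::9 is mapped to the
documentation address 192.0.2.9, and the inserted VIP header is named
X-Vserver-IP. Requests use CRLF line endings (HTTP/1.1).
"""
import ipaddress

# Constructed mapping table, the equivalent of "set ns ip6 <VIP6> -map <IPv4>".
V6_TO_V4 = {
    ipaddress.IPv6Address("2002::9"): ipaddress.IPv4Address("192.0.2.9"),
}


def split_host(value):
    """Split a Host header value into (host, port-or-None).

    IPv6 literals are bracketed (RFC 3986), so "[2002::9]:80" must not be
    split at the first colon the way "example.com:80" is.
    """
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal in Host header")
        rest = value[end + 1:]
        port = int(rest[1:]) if rest.startswith(":") else None
        return value[1:end], port
    if value.count(":") == 1:                      # hostname:port or IPv4:port
        host, port = value.rsplit(":", 1)
        return host, int(port)
    return value, None


def rewrite_host(value, mapping=V6_TO_V4):
    """Return the Host value with an IPv6 VIP literal replaced by its mapped IPv4.

    Hostnames and IPv4 literals pass through untouched. An IPv6 VIP with no
    mapping is an error: forwarding it unchanged would reproduce the failure
    the mapping exists to prevent.
    """
    host, port = split_host(value)
    try:
        addr = ipaddress.IPv6Address(host)
    except ValueError:
        return value
    if addr not in mapping:
        raise ValueError(f"no IPv4 mapping configured for {addr}")
    new_host = str(mapping[addr])
    return new_host if port is None else f"{new_host}:{port}"


def translate_request(raw, vip6, vip_port, vip_header="X-Vserver-IP",
                      mapping=V6_TO_V4):
    """Rewrite the Host header and append the mapped VIP:port header.

    `raw` is the request as received on the IPv6 vserver; the result is what
    the IPv4 service receives. The body is passed through unchanged.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    out = [lines[0]]                                # request line
    for header in lines[1:]:
        name, _, val = header.partition(":")
        if name.strip().lower() == "host":
            out.append(f"Host: {rewrite_host(val, mapping)}")
        else:
            out.append(header)
    mapped = mapping[ipaddress.IPv6Address(vip6)]
    out.append(f"{vip_header}: {mapped}:{vip_port}")
    return "\r\n".join(out).encode("iso-8859-1") + sep + body


# Constructed sample request, as a client would send it to the IPv6 vserver.
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: [2002::9]:80\r\n"
                  b"User-Agent: example-client\r\n\r\n")

if __name__ == "__main__":
    print(translate_request(SAMPLE_REQUEST, "2002::9", 80).decode())
```

Running the script prints the translated request with `Host: 192.0.2.9:80` and a trailing `X-Vserver-IP: 192.0.2.9:80` header. The script refuses to forward a request whose IPv6 VIP has no mapping rather than passing the literal through, which is the condition the guide's mapping step is meant to avoid.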
CHAPTER 6
High Availability
This chapter describes how High Availability (HA) works in a NetScaler deployment to keep transactions flowing when an appliance fails. It covers the prerequisites of an HA setup, how to configure an HA setup and later customize it, and how to improve the reliability of an HA setup by configuring virtual MAC addresses, link redundancy, and route monitors. You can also configure the state of a node so that the primary is forced to stay primary or the secondary is forced to stay secondary. Finally, it explains how to troubleshoot HA issues that you may encounter after setting up the NetScaler HA pair.
In This Chapter
How High Availability Works
Considerations for a High Availability Setup
Configuring High Availability
Customizing a High Availability Setup
Configuring Virtual MAC Addresses
Improving the Reliability of a High Availability Setup
Configuring the State of a Node
Troubleshooting High Availability Issues
How High Availability Works
If you have two NetScaler appliances, you can deploy them in a high availability configuration, with one NetScaler as the primary node and the other as the secondary node. The primary node accepts connections and manages the servers, while the secondary node monitors the primary. If, for any reason, the primary node becomes unable to accept connections, the secondary node takes over. A high availability configuration prevents downtime and ensures uninterrupted service when an appliance ceases to function.
The secondary node monitors the primary by sending periodic messages (often called heartbeat messages or health checks) to determine whether the primary node is accepting connections. If a health check fails, the secondary node retries for a specified period, after which it determines that the primary node is not functioning normally. The secondary node then takes over for the primary (a process called failover).
After a failover, all clients must reestablish their connections to the managed servers, but the session persistence rules are maintained as they were before the failover. With Web server logging persistence enabled, no log data is lost due to the failover. For logging persistence to be enabled, the log server configuration must carry entries for both systems in the log.conf file.
The following figure shows a network configuration with an HA pair.
NetScalers in a High Availability Configuration
Considerations for a High Availability Setup
Note the following requirements for configuring systems in an HA setup:
- In an HA configuration, the primary and secondary NetScalers must be the same model. Mixed models are not supported in an HA pair (for example, you cannot pair a 7000 model with a different model).
- Entries in the configuration file (ns.conf) on the primary and the secondary system must match, with the following exceptions:
  - The primary and the secondary systems must each be configured with their own unique NetScaler IP (NSIP).
  - In an HA pair, the node ID and associated IP address configured on one node must point to the other node. For example, if you have nodes NS1 and NS2, you must configure NS1 with a unique node ID and the IP address of NS2, and you must configure NS2 with a unique node ID and the IP address of NS1.
- If you create a configuration file on either node using a method other than the GUI or the CLI (for example, SSL certificates, or changes to startup scripts), you must copy the file to the other node or create an identical file on that node.
Initially, all NetScaler appliances are configured with the same RPC node password. RPC nodes are internal system entities used for system-to-system communication of configuration and session information. Because the default password is the same on every appliance, you should change the default RPC node passwords before putting the pair into service. One RPC node exists on each NetScaler. This node stores the password, which is checked against the password provided by the contacting system. To communicate with other systems, each NetScaler requires knowledge of those systems, including how to authenticate to them. RPC nodes maintain this information, which includes the IP addresses of the other systems and the passwords they require for authentication. RPC nodes are implicitly created when you add an HA node or a Global Server Load Balancing (GSLB) site. You cannot create or delete RPC nodes manually.
Note: If the NetScaler appliances in a high availability setup are configured in one-arm mode, you must disable all system interfaces except the one connected to the switch or hub.
Configuring High Availability
This section describes how to configure a basic high availability setup. The following topics are covered:
Configuring a Basic High Availability Setup
Modifying an Existing High Availability Setup
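The requirement above, that ns.conf on both nodes must match except for each node's own NSIP and its HA node entry, is easy to check mechanically. The following Python script is an added example, not Citrix code: it compares two ns.conf files, ignores exactly the entries the guide allows to differ, and verifies that each node's NSIP is the target of the other's HA node entry. The two configurations embedded in it are constructed for the example; the 10.102.29.x addresses and the node IDs are assumptions, not values from the guide.

```python
"""Added example, not Citrix code: compare the ns.conf files of the two nodes
of an HA pair and report the differences the guide says must not exist,
while ignoring the entries it says will differ (each node's own NSIP and
its "add HA node" entry pointing at the peer).

The two configurations below are constructed for this example; the
10.102.29.x addresses and the node IDs are assumptions, not values from
the guide.
"""
import re

# Entries the guide allows to differ between the two nodes.
NODE_SPECIFIC = (
    re.compile(r"^set ns config -IPAddress "),   # this node's own NSIP
    re.compile(r"^add HA node "),                # points at the peer node
)


def is_node_specific(line):
    return any(p.match(line) for p in NODE_SPECIFIC)


def parse_conf(text):
    """Return the set of configuration lines, dropping blanks and comments."""
    lines = (ln.strip() for ln in text.splitlines())
    return {ln for ln in lines if ln and not ln.startswith("#")}


def conf_diff(conf_a, conf_b):
    """Return (only_in_a, only_in_b), excluding node-specific entries."""
    a = {ln for ln in parse_conf(conf_a) if not is_node_specific(ln)}
    b = {ln for ln in parse_conf(conf_b) if not is_node_specific(ln)}
    return sorted(a - b), sorted(b - a)


def nsip(conf):
    m = re.search(r"^set ns config -IPAddress (\S+)", conf, re.M)
    return m.group(1) if m else None


def ha_peers(conf):
    return set(re.findall(r"^add HA node \d+ (\S+)", conf, re.M))


def ha_nodes_consistent(conf_a, conf_b):
    """True when each node's NSIP is the target of the other's HA node entry."""
    return nsip(conf_a) in ha_peers(conf_b) and nsip(conf_b) in ha_peers(conf_a)


# Constructed sample configs. The secondary has drifted: SVC1 points at the
# wrong port and the service was never bound to the vserver.
PRIMARY_CONF = """\
# ns.conf of NS1 (constructed)
set ns config -IPAddress 10.102.29.60 -netmask 255.255.255.0
add HA node 1 10.102.29.61
add lb vserver VS1_IPv6 HTTP 2002::9 80
add service SVC1 10.102.29.101 HTTP 80
bind lb vserver VS1_IPv6 SVC1
"""

SECONDARY_CONF = """\
# ns.conf of NS2 (constructed)
set ns config -IPAddress 10.102.29.61 -netmask 255.255.255.0
add HA node 1 10.102.29.60
add lb vserver VS1_IPv6 HTTP 2002::9 80
add service SVC1 10.102.29.101 HTTP 8080
"""

if __name__ == "__main__":
    only_primary, only_secondary = conf_diff(PRIMARY_CONF, SECONDARY_CONF)
    print("only on primary:  ", only_primary)
    print("only on secondary:", only_secondary)
    print("HA node entries consistent:",
          ha_nodes_consistent(PRIMARY_CONF, SECONDARY_CONF))
```

On a real pair, replace the embedded strings with the contents of /nsconfig/ns.conf copied from each node. Any line the script reports is either drift that synchronization should have removed or a file (certificate, startup script) that was changed outside the GUI and CLI and never copied to the peer.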
Configuring a Basic High Availability Setup
This section describes the procedures to configure two NetScaler appliances in a high availability setup, as illustrated in the following figure.
Two NetScalers connected in a High Availability configuration
In the figure, nodes NS1 and NS2 are on the same subnet. To configure high availability, you must configure one NetScaler as the primary and the other as the secondary node. You need to perform the following procedures:
Add a node
Disable HA monitoring for unused interfaces
Verify the configuration
Adding a Node
This section describes how to add a node in an HA setup. The new node is identified by a unique ID and its NSIP. The maximum number of node IDs for systems in a high availability setup is 64.
Note: To ensure that each node in the high availability configuration has the same settings, synchronize your SSL certificates, startup scripts, and other configuration files with those on the primary node.
To add a node, use the parameters described in the following table.
Parameter    Specifies
Node ID      Unique number that identifies the node to be added. Possible values: 1 to 64.
IP Address   IP address (NSIP) of the node to be added.
To add a node using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. Click Add.
4. In the High Availability Setup dialog box, in the Remote Node IP Address text box, type the NSIP of the peer node.
5. Select or clear the Configure remote system to participate in High Availability setup check box, depending on whether you also want to add the local node to the peer node. By default, this check box is selected.
6. Select the Turn off HA monitor on interfaces/channels that are down check box to disable the HA monitor on interfaces that are down. By default, this check box is selected.
7. Click OK and click Close.
To add a node using the NetScaler command line
add HA node id IPAddress
Disabling the High Availability Monitor for Unused Interfaces
If you configure HA from the NetScaler command line, you must disable the HA monitor for each interface that is not connected or not being used for traffic. This step is not required if you configure HA through the configuration utility.
To disable an HA monitor, use the parameters described in the following table.
Parameter    Specifies
id           Interface number, in slot/port notation.
HA monitor   Option used in a High Availability configuration to specify which interfaces to monitor for failure events. Possible values: ON and OFF. Default: ON.
To disable the HA monitor using the NetScaler command line
set interface id -hamonitor Value
set interface 1/3 -hamonitor OFF
Verifying the Configuration
To verify your configuration, display the node and check its status on the local system. One node is primary and the other is secondary.
To display the configuration using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab. The Nodes page displays the primary and the secondary nodes.
To display the configuration using the NetScaler command line
sh ha node
Modifying an Existing HA Setup
This section describes the procedures to modify an existing high availability configuration. The following topics are covered:
Disabling a Node
Enabling a Node
Removing a Node
Disabling a Node
You can disable only a secondary node. When you disable a secondary node, it stops sending heartbeat messages to the primary node, and the primary node therefore can no longer check the status of the secondary.
To disable a node using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. On the Nodes page, select the secondary node and click Open.
4. In the Configure Node dialog box, under High Availability Status, select the DISABLED (Do not participate in HA) option.
5. Click OK.
To disable a node using the NetScaler command line
set HA node -hastatus Value
set HA node -hastatus DISABLED
Enabling a Node
When you enable a node, the node takes part in the high availability configuration. You can enable only a secondary node.
To enable a node using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. On the Nodes page, select the secondary node and click Open.
4. In the Configure Node dialog box, under High Availability Status, select the ENABLED (Actively participates in HA) option.
5. Click OK, and click Close.
To enable a node using the NetScaler command line
set HA node -hastatus Value
set HA node -hastatus ENABLED
Removing a Node
If you remove a node, the nodes are no longer in a high availability configuration.
To remove a node using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. On the Nodes page, select the node that you want to remove, and click Remove.
4. In the Remove dialog box, click Yes.
To remove a node using the NetScaler command line
rm ha node id
rm ha node 3
Customizing a High Availability Setup
This section describes the steps to customize a high availability setup. The following topics are covered:
Configuring the Communication Intervals
Configuring Synchronization
Configuring Command Propagation
Forcing a Node to Fail Over
Configuring the Communication Intervals
This section describes the procedure to configure the communication intervals in a high availability configuration. The hello interval is the interval at which heartbeat messages are sent to the peer node. The dead interval is the time after which the peer node is marked DOWN if no heartbeat packets are received. The heartbeat messages are UDP packets sent to port 3003 of the other node in an HA pair.
To set the hello and dead intervals, use the parameters listed in the following table.
Parameter        Specifies
Hello Interval   Interval between successive heartbeat messages, in milliseconds. Minimum: 200. Default: 200.
Dead Interval    Number of seconds after which a node is marked DOWN if there is no response to heartbeat messages. Possible values: 3 to 60. Default: 3.
To set the hello and dead intervals using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. On the Nodes page, select the node for which you want to change the hello interval and click Open.
4. In the Configure dialog box, under Intervals, in the Hello Interval (msecs) text box, type the interval (for example, 400).
5. In the Dead Interval (secs) text box, type the interval (for example, 6).
6. Click OK.
To set the hello and dead intervals using the NetScaler command line
set HA node -hellointerval msecs -deadinterval secs
set HA node -hellointerval 400 -deadinterval 6
Configuring Synchronization
Synchronization is the process of duplicating the configuration of the primary node on the secondary node. Its purpose is to ensure that no configuration information is lost between the primary and the secondary nodes, regardless of the number of failovers that occur. Synchronization uses a dedicated port.
Synchronization is triggered in the following circumstances:
- The secondary node in an HA setup comes up after a restart.
- The primary node becomes secondary after a failover.
Disabling or Enabling Synchronization
HA synchronization is enabled by default on each node in an HA pair. You can enable or disable HA synchronization on either node.
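The hello and dead intervals described in Configuring the Communication Intervals determine how many consecutive lost heartbeats an HA pair tolerates before the secondary declares the primary DOWN and fails over. The following Python script is an added example, not Citrix code, that models that decision: it validates a hello/dead pair against the ranges the guide gives, generates heartbeat arrival times with simulated packet loss, and reports when (if at all) the peer would be marked DOWN. The heartbeat timestamps are constructed; the exact retry behaviour of the appliance is not specified by the guide, so the model uses the plain rule "no heartbeat for longer than the dead interval".

```python
"""Added example, not Citrix code: a model of the HA dead-interval decision,
so the effect of the hello and dead intervals on failover can be checked
before changing them.

A node marks its peer DOWN once no heartbeat has arrived for the dead
interval. Heartbeat arrival times below are constructed; the ranges come from
the guide (hello interval in ms, minimum 200; dead interval 3 to 60 s).
"""


def validate_intervals(hello_ms, dead_s):
    """Reject values outside the guide's ranges or a dead interval that
    would not even cover one hello interval. Returns the pair on success."""
    if hello_ms < 200:
        raise ValueError("hello interval must be at least 200 ms")
    if not 3 <= dead_s <= 60:
        raise ValueError("dead interval must be 3 to 60 s")
    if dead_s * 1000 <= hello_ms:
        raise ValueError("dead interval must exceed the hello interval")
    return hello_ms, dead_s


def heartbeats(hello_ms, count, start_ms=0, lost=frozenset()):
    """Arrival times (ms) of `count` heartbeats sent every `hello_ms`, with the
    1-based sequence numbers in `lost` dropped (simulated packet loss)."""
    return [start_ms + i * hello_ms for i in range(1, count + 1) if i not in lost]


def peer_down_at(heartbeat_times_ms, dead_s, start_ms=0, now_ms=None):
    """Return the time (ms) at which the peer is marked DOWN, or None.

    The peer is DOWN when a gap between successive heartbeats exceeds the dead
    interval, or, if `now_ms` is given, when the silence since the last
    heartbeat already exceeds it (the peer stopped sending altogether).
    """
    dead_ms = dead_s * 1000
    last = start_ms
    for t in sorted(heartbeat_times_ms):
        if t - last > dead_ms:
            return last + dead_ms
        last = t
    if now_ms is not None and now_ms - last > dead_ms:
        return last + dead_ms
    return None


def max_tolerated_losses(hello_ms, dead_s):
    """Consecutive lost heartbeats the pair survives without a failover."""
    validate_intervals(hello_ms, dead_s)
    return dead_s * 1000 // hello_ms - 1


if __name__ == "__main__":
    # Default settings: 200 ms hello, 3 s dead. Losing 14 heartbeats in a row
    # is tolerated; losing 15 marks the peer DOWN at 3200 ms.
    print(max_tolerated_losses(200, 3))
    print(peer_down_at(heartbeats(200, 30, lost=frozenset(range(2, 16))), 3))
    print(peer_down_at(heartbeats(200, 30, lost=frozenset(range(2, 17))), 3))
```

The 400 ms / 6 s example from the guide tolerates the same number of consecutive losses as the defaults (both ratios are 15:1) but takes twice as long to detect a dead peer, which is the trade-off to weigh on a lossy link: a larger dead interval avoids spurious failovers at the cost of a longer outage when the primary really fails.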
To disable or enable automatic synchronization using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. On the Nodes page, select the local node and click Open.
4. In the Configure dialog box, under HA Synchronization, clear the Secondary node will fetch the configuration from Primary option.
5. Click OK and then click Close.
Note: To enable HA synchronization, in Step 4 select Secondary node will fetch the configuration from Primary.
To disable or enable automatic synchronization using the NetScaler command line
set HA node -hasync Value
set HA node -hasync ENABLED
set HA node -hasync DISABLED
Forcing the Secondary Node to Synchronize with the Primary Node
In addition to automatic synchronization, the NetScaler supports forced synchronization. You can force synchronization from either the primary or the secondary node. When you force synchronization from the secondary node, it starts synchronizing its configuration with the primary node. However, if synchronization is already in progress, forced synchronization fails and the system displays a warning.
Forced synchronization also fails in the following circumstances:
- You force synchronization on a standalone system.
- The secondary node is disabled.
- HA synchronization is disabled on the secondary node.
To force synchronization using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. On the Nodes page, click Force Synchronization.
To force synchronization using the NetScaler command line
force HA sync
Configuring Command Propagation
In an HA setup, any command issued on the primary node propagates automatically to, and is executed on, the secondary node before it is executed on the primary. If command propagation fails, or if command execution fails on the secondary, the primary node executes the command and logs an error. Command propagation uses a dedicated port.
In an HA pair, command propagation is enabled by default on both the primary and secondary nodes. You can enable or disable command propagation on either node. If you disable command propagation on the primary node, commands are not propagated to the secondary node. If you disable command propagation on the secondary node, commands propagated from the primary are not executed on the secondary node.
Note: After re-enabling propagation, remember to force synchronization.
If synchronization occurs while you are disabling propagation, any configuration-related changes that you make before the disabling of propagation takes effect are synchronized with the secondary node. This is also true when propagation is disabled while synchronization is in progress.
To disable or enable command propagation using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. On the Nodes page, select the local node and click Open.
4. In the Configure Node dialog box, under HA Propagation, clear the Primary node will propagate configuration to the Secondary option.
5. Click OK.
Note: To enable command propagation, in Step 4 select Primary node will propagate configuration to the Secondary.
To disable or enable command propagation using the NetScaler command line
set HA node -haprop Value
set HA node -haprop ENABLED
set HA node -haprop DISABLED
Forcing a Node to Fail Over
You might want to force a failover if, for example, you need to replace or upgrade the primary node. You can force failover from either the primary or the secondary node. A forced failover is not propagated or synchronized. To view the synchronization status after a forced failover, view the status of the node.
A forced failover fails in the following circumstances:
- You force failover on a standalone system.
- The secondary node is disabled.
- The secondary node is configured to remain secondary.
Forcing the Primary Node to Fail Over
If you force failover on the primary node, the primary becomes the secondary and the secondary becomes the primary. Forced failover is possible only when the primary node can determine that the secondary node is UP. If the secondary node is DOWN, the Force Failover command returns the error message "Operation not possible due to invalid peer state. Rectify and retry." If the secondary system is in the claiming state or inactive, it returns the message "Operation not possible now. Please wait for system to stabilize before retrying."
To force the primary node to fail over using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. Click Force Failover.
4. In the Warning dialog box, click Yes.
To force the primary node to fail over using the NetScaler command line
force HA failover
Forcing the Secondary Node to Fail Over
If you execute the force failover command from the secondary node, the secondary node becomes primary and the primary node becomes secondary. A forced failover can occur only if the secondary node's health is good and it is not configured to stay secondary. If the secondary node cannot become the primary node, or if the secondary node was configured to stay secondary (using the STAYSECONDARY option), the node displays the message "Operation not possible as my state is invalid. View the node for more information."
To force the secondary node to fail over, use either of the following procedures:
To force the secondary node to fail over using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. Click Force Failover.
4. In the Warning dialog box, click Yes.
To force the secondary node to fail over using the NetScaler command line
force HA failover
Forcing Failover When Nodes are in Listen Mode
When the two nodes of an HA pair are running different versions of the system software, the node running the higher version switches to listen mode. In this mode, neither command propagation nor synchronization works.
Before upgrading the system software on both nodes, you should test the new version on one of the nodes. To do this, force a failover on the node that has already been upgraded. The upgraded node then takes over as the primary, but neither command propagation nor synchronization occurs, and all connections need to be re-established.
To force failover when nodes are in listen mode, use either of the following procedures:
To force failover when nodes are in listen mode using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. Click Force Failover.
4. In the Warning dialog box, click Yes.
To force failover when nodes are in listen mode using the NetScaler command line
force HA failover
Configuring Virtual MAC Addresses
The Virtual MAC address (VMAC) is a floating entity shared by the primary and the secondary nodes in an HA setup.
In an HA setup, the primary node owns all of the floating IP addresses, such as the MIPs, SNIPs, and VIPs. The primary node responds to Address Resolution Protocol (ARP) requests for these IP addresses with its own MAC address. As a result, the ARP table of an external device (for example, an upstream router) is updated with the floating IP address and the primary node's MAC address.
When a failover occurs, the secondary node takes over as the new primary node. It then uses Gratuitous ARP (GARP) to advertise the floating IP addresses that it acquired from the old primary. However, the MAC address that the new primary advertises is the MAC address of its own interface. Some devices (notably a few routers) do not accept GARP messages generated by the Citrix NetScaler system. As a result, those external devices retain the old IP-to-MAC mapping advertised by the old primary node, and keep forwarding traffic for the floating IPs to the failed node. This can result in a site going down.
You can overcome this problem by configuring a VMAC on both nodes of an HA pair. When you do this, both nodes possess identical MAC addresses. Therefore, when failover occurs, the MAC address that the new primary uses remains unchanged, and the ARP tables on the external devices do not need to be updated.
To create a VMAC, you first create a Virtual Router ID (VRID) and bind it to an interface. (In an HA setup, you need to bind the VRID to the interfaces on both nodes.) Once the VRID is bound to an interface, the system generates a VMAC with the VRID as the last octet.
Configuring IPv4 VMACs
When you create an IPv4 VMAC address and bind it to an interface, any IPv4 packet going out of that interface uses the VMAC bound to it. If no IPv4 VMAC is bound to an interface, the packet uses the physical MAC address of the interface.
The generic VMAC is of the form 00:00:5e:00:01:<VRID>. For example, if you create a VRID with a value of 60 and bind it to an interface, the resulting VMAC is 00:00:5e:00:01:3c, where 3c is the hexadecimal representation of the VRID. You can create up to 255 VRIDs, with values from 1 to 255.
This section covers the following procedures:
Adding a VMAC
Binding Interfaces to the VMAC
Verifying the VMAC Configuration
Managing VMACs
Adding a VMAC
The scenario described in this section illustrates the configuration of a VMAC on a standalone system with a VRID value of 100.
To add a virtual MAC, use the parameters in the following table.
Parameter           Specifies
Virtual Router ID   The VRID that identifies the VMAC. Possible values: 1 to 255.
Interface Number    The interface number (slot/port notation) to be bound to the VMAC.
To add a VMAC using the configuration utility
1. In the navigation pane, expand Network and click VMAC.
2. On the VMAC page, click Add.
3. In the Add VMAC dialog box, in the Virtual Router ID text box, type a number (for example, 100).
4. Click Create.
To add a VMAC using the NetScaler command line
add vrid id
add vrid 100
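The VMAC form given above (00:00:5e:00:01:<VRID>) is what you need when verifying, after a failover, that upstream devices still resolve the floating IPs to the shared MAC rather than to a physical MAC of the old primary, the exact condition the GARP discussion describes. The following Python script is an added example, not Citrix code: it derives the VMAC from a VRID, recognises a VMAC in an observed MAC, and checks a constructed router ARP table against the expected VMAC. The ARP table lines, the addresses and the MACs in them are assumptions made for the example.

```python
"""Added example, not Citrix code: derive the VMAC from a VRID as the guide
describes (00:00:5e:00:01:<VRID>) and use it to check, after a failover, that
an upstream device's ARP table has not kept a physical MAC of the old primary.

The ARP table lines below are constructed, in "<ip> <mac> <interface>" form;
the addresses and MACs in them are assumptions.
"""

VMAC_PREFIX = "00:00:5e:00:01"


def vmac_for_vrid(vrid):
    """IPv4 VMAC for a VRID; the VRID becomes the last octet, in hex."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be between 1 and 255")
    return f"{VMAC_PREFIX}:{vrid:02x}"


def vrid_of_mac(mac):
    """Return the VRID encoded in an IPv4 VMAC, or None for any other MAC."""
    octets = mac.lower().replace("-", ":").split(":")
    if len(octets) != 6 or ":".join(octets[:5]) != VMAC_PREFIX:
        return None
    vrid = int(octets[5], 16)
    return vrid if 1 <= vrid <= 255 else None


def parse_arp_table(lines):
    """Map IP -> MAC from constructed "<ip> <mac> <interface>" lines."""
    table = {}
    for line in lines:
        fields = line.split()
        if len(fields) >= 2:
            table[fields[0]] = fields[1].lower()
    return table


def check_arp_table(arp_lines, floating_ips, vrid):
    """For each floating IP: True if the device resolves it to the expected
    VMAC, False if to some other MAC (a stale entry), None if absent."""
    expected = vmac_for_vrid(vrid)
    table = parse_arp_table(arp_lines)
    return {ip: (table[ip] == expected if ip in table else None)
            for ip in floating_ips}


# Constructed ARP table of an upstream router after a failover with VRID 100.
# 192.0.2.11 still maps to a physical MAC: that entry never moved to the VMAC.
ROUTER_ARP = [
    "192.0.2.10 00:00:5e:00:01:64 Gi0/1",
    "192.0.2.11 00:1b:21:aa:bb:cc Gi0/1",
    "192.0.2.20 00:1b:21:dd:ee:ff Gi0/1",
]

if __name__ == "__main__":
    print(vmac_for_vrid(60))                      # 00:00:5e:00:01:3c
    print(check_arp_table(ROUTER_ARP,
                          ["192.0.2.10", "192.0.2.11", "192.0.2.12"], 100))
```

A False result for a floating IP after VMACs are configured means either that the VRID was bound on only one node, or that the router learned the entry before the VMAC was bound and still holds the physical MAC; clearing that entry on the router is then the fix, not another failover.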
Binding Interfaces to the VMAC
The following procedure illustrates the steps to bind the VRID to interfaces 1/1, 1/2, and 1/3. You cannot bind multiple VRIDs to one interface.
To bind an interface to a VMAC, use the parameters listed in the following table.
Parameter           Specifies
Virtual Router ID   The VRID that identifies the VMAC. Possible values: 1 to 255.
Interface Name      The interface number (slot/port notation) to be bound to the VMAC.
To bind interfaces to the VMAC using the configuration utility
1. In the navigation pane, expand Network and click VMAC.
2. On the VMAC page, select the virtual router ID and click Open.
3. In the Configure VMAC dialog box, select the desired interfaces from the Available Interfaces table and click Add (for example, 1/1, 1/2, and 1/3).
4. Click OK.
To bind interfaces to the VMAC using the NetScaler command line
bind vrid id -ifnum interface_name ...
bind vrid 100 -ifnum 1/1 1/2 1/3
Verifying the VMAC Configuration
To verify the VMAC configuration, display and examine the VMACs and the interfaces bound to them.
To verify VMACs using the configuration utility
1. In the navigation pane, expand Network and click VMAC.
2. Examine the settings on the VMAC page.
To verify VMACs using the NetScaler command line
sh vrid
To verify the interfaces bound to the VMAC using the configuration utility
1. In the navigation pane, expand Network and click VMAC.
2. On the VMAC page, select a virtual router ID (for example, 100) and examine the settings displayed at the bottom of the page.
To view the interfaces bound to the VMAC using the NetScaler command line
At the NetScaler command prompt, type the following command and examine the output:
sh vrid id
sh vrid 100
Managing VMACs
This section describes procedures for unbinding interfaces from a VMAC and deleting a VMAC from the system.
To unbind interfaces from a VMAC using the configuration utility
1. In the navigation pane, expand Network and click VMAC.
2. On the VMAC page, select a virtual router ID (for example, 100), and click Open.
3. In the Modify VMAC dialog box, under Configured Interfaces, select the interfaces that you want to unbind from the VMAC (for example, 1/2 and 1/3).
4. Click Remove.
5. Click OK.
To unbind interfaces from a VMAC using the NetScaler command line
unbind vrid id -ifnum interface_name ...
unbind vrid 100 -ifnum 1/2 1/3
To remove a VMAC using the configuration utility
1. In the navigation pane, expand Network and click VMAC.
2. On the VMAC page, select the virtual router ID that you want to remove (for example, 100).
3. Click Remove.
4. In the Remove dialog box, click Yes.
To remove a VMAC using the NetScaler command line
rm vrid id
rm vrid 100
Configuring IPv6 VMACs
The NetScaler supports VMAC6 for IPv6 packets. You can bind any interface to a VMAC6 regardless of whether an IPv4 VMAC is bound to the interface. Any IPv6 packet going out of that interface uses the VMAC6 bound to it. If no VMAC6 is bound to an interface, the packet uses the physical MAC address of the interface.
This section covers the following procedures:
Adding a VMAC6
Binding Interfaces to the VMAC6
Verifying the VMAC6 Configuration
Managing VMAC6s
Adding a VMAC6
The scenario described in this section illustrates the configuration of a VMAC6 on a standalone NetScaler with a VRID value of 100.
To add a VMAC6, use the parameters in the following table.
Parameter           Specifies
Virtual Router ID   The VRID that identifies the VMAC6. Possible values: 1 to 255.
Interface Number    The interface number (slot/port notation) to be bound to the VMAC6.
To add a VMAC6 using the configuration utility
1. In the navigation pane, expand Network, and then click VMAC.
2. On the VMAC6 tab, click Add.
3. In the Add VMAC6 dialog box, in the Virtual Router ID text box, type a number (for example, 100).
4. Click Create.
To add a VMAC6 using the NetScaler command line
add vrid6 id
add vrid6 100
Binding Interfaces to the VMAC6
The following procedure illustrates the steps to bind the VRID to interfaces 1/1, 1/2, and 1/3. You cannot bind multiple VRIDs to one interface.
To bind an interface to a VMAC6, use the parameters listed in the following table.
Parameter           Specifies
Virtual Router ID   The VRID that identifies the VMAC6. Possible values: 1 to 255.
Interface Name      The interface number (slot/port notation) to be bound to the VMAC6.
To bind interfaces to the VMAC6 using the configuration utility
1. In the navigation pane, expand Network, and then click VMAC.
2. In the details pane, on the VMAC6 tab, click the virtual router ID that you want to bind to an interface, and then click Open.
3. In the Configure VMAC6 dialog box, select the desired interfaces from the Available Interfaces table, and then click Add (for example, 1/1, 1/2, and 1/3).
4. Click OK.
To bind interfaces to the VMAC6 using the NetScaler command line
bind vrid6 id -ifnum interface_name ...
bind vrid6 100 -ifnum 1/1 1/2 1/3
Verifying the VMAC6 Configuration

To verify the VMAC6 configuration, display and examine the VMAC6s and the interfaces bound to them.

To verify VMAC6 configurations using the configuration utility
1. In the navigation pane, expand Network, and then click VMAC.
2. In the details pane, on the VMAC6 tab, examine the settings.

To verify VMAC6s using the NetScaler command line
sh vrid6

To verify the interfaces bound to the VMAC6 using the configuration utility
1. In the navigation pane, expand Network, and then click VMAC.
2. In the details pane, on the VMAC6 tab, select a virtual router ID (for example, 100), and then examine the settings displayed at the bottom of the page.

To verify the interfaces bound to the VMAC6 using the NetScaler command line
sh vrid6 id
sh vrid6 100

Managing VMAC6 Configurations

This section describes procedures for unbinding interfaces from a VMAC6 and deleting the VMAC6 from the appliance.

To unbind interfaces from a VMAC6 using the configuration utility
1. In the navigation pane, expand Network, and then click VMAC.
2. In the details pane, on the VMAC6 tab, select a virtual router ID (for example, 100), and click Open.
3. In the Modify VMAC6 dialog box, under Configured Interfaces, select the interfaces that you want to unbind from the VMAC6 (for example, 1/2 and 1/3).
4. Click Remove.
5. Click OK.

To unbind interfaces from a VMAC6 using the NetScaler command line
unbind vrid6 id -ifnum interface_name ...
unbind vrid6 100 -ifnum 1/2 1/3

To remove a VMAC6 using the configuration utility
1. In the navigation pane, expand Network, and then click VMAC.
2. In the details pane, on the VMAC6 tab, select the virtual router ID that you want to remove (for example, 100), and then click Remove.

To remove a VMAC6 using the NetScaler command line
rm vrid6 id
rm vrid6 100

Improving the Reliability of a High Availability Setup

This section describes link redundancy and route monitors, system functions that can be helpful in a cross-network HA configuration. It also describes the health check process that a system uses to ensure that its partner node is up and running. The section covers the following topics:
Configuring High Availability for Nodes in Different Subnets
Configuring Link Redundancy
Configuring Route Monitors
HA Health Check Computation
Configuring High Availability Nodes in Different Subnets

Configuring a Basic High Availability Setup, on page 152, covered a typical HA deployment where both systems in an HA pair reside on the same subnet. This section describes an HA pair configuration where the two systems reside on different subnets. It provides sample configurations and lists the differences between HA configurations within one subnet and those configured across networks.

The following figure shows an HA deployment with the two systems located in different subnets.

Figure: High Availability over a routed network

In the figure, the systems NS1 and NS2 are connected to two separate routers, R3 and R4, on two different subnets. The systems exchange heartbeat packets through the routers. This configuration could be expanded to accommodate deployments involving any number of interfaces.
Note: If you use static routing on your network, you must add static routes between all the systems to ensure that heartbeat packets are sent and received successfully. (If you use dynamic routing on your systems, static routes are unnecessary.)

If the nodes in an HA pair reside on two separate networks, the secondary node must have an independent network configuration. This means that nodes on different networks cannot share entities such as MIPs, SNIPs, VLANs, and routes. This type of configuration, where the nodes in an HA pair have different configurable parameters, is known as Independent Network Configuration (INC) or Symmetric Network Configuration (SNC). The following table describes the parameters that you must set on each node in an INC.

Configurable Parameters   Behavior
IPs (NSIP/MIP/SNIPs)      Node-specific. Active only on that unit.
VIP                       Floating.
VLANs                     Node-specific. Active only on that unit.
Routes                    Node-specific. Active only on that unit. LLB route is floating.
ACLs                      Floating (Common). Active on both units.
Dynamic routing           Node-specific. Active only on that unit. The secondary node should also run the routing protocols and peer with upstream routers.
L2 mode                   Floating (Common). Active on both units.
L3 mode                   Floating (Common). Active on both units.
Reverse NAT (RNAT)        Node-specific. RNAT with VIP, because NATIP is floating.

When two nodes of an HA pair reside on different subnets, each node must have a different network configuration. Therefore, to configure two independent systems to function as an HA pair, you must specify INC mode during the configuration process. To specify INC mode, perform the following tasks:
Add a node with the inc option enabled.
Disable HA monitoring for unused interfaces.
Adding a Node

This section describes the procedure to add a node in a different subnet than the local node, using the parameters listed in the following table.

Parameter     Specifies
Node ID       Unique number that identifies the node to be added. Possible values: 1 to 64.
IP Address    IP address of the node to be added.

To add a node using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. Click Add.
4. In the High Availability Setup dialog box, in the Remote Node IP Address text box, type an IP address (for example, ).
5. Select or clear the Configure remote system to participate in High Availability setup check box, depending on whether you want to add the local node to the peer node. By default, this check box is selected.
6. Select the Turn off HA monitor on interfaces/channels that are down check box to disable the HA monitor on interfaces that are down. By default, this check box is selected.
7. Select or clear the Turn off INC (Independent Network Configuration) mode on self mode check box, depending on whether your nodes are on the same subnet or on different subnets. By default, this check box is not selected.
8. Click OK, and then click Close.

To add a node using the NetScaler command line
add HA node id IPAddress -inc Value
add HA node -inc ENABLED

Disabling the High Availability Monitor on Interfaces

If you configure HA from the NetScaler command line, you must disable the HA monitor for each interface that is not connected or not being used for traffic. This step is not required if you configure HA through the configuration utility.
To disable HA MON on the interfaces, use the interface number parameter, as described in the following table.

Parameter     Specifies
id            The interface number (represented in the <slot/port> notation).
HA monitor    Option used in a High Availability configuration to specify which interfaces to monitor for failure events. Possible values: ON and OFF. Default: ON.

To disable the High Availability monitor using the NetScaler command line
set interface id -hamonitor Value
set interface 1/3 -hamonitor OFF

Configuring Link Redundancy

Link redundancy is a way to prevent failover by grouping interfaces so that, when one interface fails, other functioning interfaces are still available. Configuring High Availability Nodes in Different Subnets, on page 170, describes a scenario in which the first interface on the primary system, NS1, fails, triggering failover, even though it can still serve client requests through its second link. The link redundancy feature allows you to group the two interfaces into a failover interface set (FIS), which prevents the failure of a single link from causing failover to the secondary system unless all of the interfaces on the primary system are nonfunctional. Each interface in a FIS maintains independent bridge entries. HA MON interfaces that are not bound to a FIS are known as critical interfaces (CIs), because if any of them fails, failover is triggered.

Adding a Failover Interface Set

This section describes the procedure to add a Failover Interface Set (FIS) on the system.

To add a FIS using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Failover Interface Set tab.
3. On the Failover Interface Set page, click Add.
4. In the Create FIS dialog box, in the Name text box, type a name for the FIS to be created (for example, FIS1).
5. Click Create.

To add a FIS using the NetScaler command line
add fis name
add fis FIS1

Binding the Interfaces to a FIS

To bind interfaces to the Failover Interface Set, use the parameters listed in the following table.

Parameter           Specifies
FIS Name            Name of the FIS to which interfaces are to be bound.
Interface Number    Interface number (slot/port notation) to be bound to the FIS.

To bind interfaces to the FIS using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Failover Interface Set tab.
3. On the Failover Interface Set page, select a FIS, and then click Open.
4. In the Configure FIS dialog box, select interfaces under Available Interfaces and click Add.

To bind interfaces using the NetScaler command line
bind fis name interface_names ...
bind fis FIS1 1/1 1/2 1/3

Verifying the Created FIS

To verify a FIS, display its settings and examine them.
To display a FIS using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Failover Interface Set tab.

To display a FIS using the NetScaler command line
sh fis name
sh fis FIS1

Managing Link Redundancy

This section describes how to unbind interfaces from a FIS and how to remove a FIS.

Unbinding an Interface from the FIS

The following procedure describes the steps to unbind interfaces from a FIS. An unbound interface becomes a critical interface (CI) if it is enabled and HA MON is on. To unbind interfaces from the Failover Interface Set, use the parameters in the following table.

Parameter         Specifies
FIS Name          Name of the FIS from which the interfaces are to be unbound.
Interface Name    Interface name (slot/port notation).

To unbind interfaces from the FIS, use either of the following procedures.

To unbind an interface from a FIS using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Failover Interface Set tab.
3. On the Failover Interface Set page, select the FIS from which you want to unbind interfaces and click Open.
4. In the Configure FIS dialog box, in the Configured Interfaces table, select the interface you want to unbind from the FIS, and click Remove.
5. Click OK.
To unbind an interface from a FIS using the NetScaler command line
unbind fis name interface_names ...
unbind fis FIS1 1/1 1/2

Removing a FIS

The following sample procedure describes the steps to remove a FIS that you have created. Once the FIS is removed, its interfaces become CIs. To remove a Failover Interface Set, use the parameter in the following table.

Parameter    Specifies
FIS Name     Name of the FIS that is to be removed.

To remove a FIS using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Failover Interface Set tab.
3. On the Failover Interface Set page, select the FIS that you want to remove (for example, FIS1) and click Remove.
4. In the Remove dialog box, click Yes.

To remove a FIS using the NetScaler command line
rm fis name
rm fis FIS1

Configuring Route Monitors

You can make the HA state independent of the internal routing table, whether or not dynamically learned routes are present. The procedure requires using route monitors. If the route on which the route monitor is bound is present, the node can become primary. If the route is absent, it cannot.

Note: Route monitors are neither propagated by nodes nor exchanged during synchronization.
In an HA configuration, a route monitor on each system watches the internal routing table to make sure that an entry for the other system is always present. This is especially important when using dynamic routing, because a router error can make an HA node believe that the other node is down when it is not. When the nodes of an HA pair reside on different networks, the HA state of a node depends on its reachability. Before the route monitor runs, you must save the configuration.

Note: Clearing the configuration does not delete the route monitors on a system. You must remove the route monitors manually.

Binding a Route Monitor to a High Availability Node

This section describes how to add a route monitor on the system. To add a route monitor, use the parameters in the following table.

Parameter    Specifies
Network      Network prefix of the route to be monitored.
Netmask      Subnet mask for the network.

To add a route monitor using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Route Monitors tab.
3. On the Route Monitors page, click Configure.
4. In the Bind / Unbind Route Monitor(s) dialog box, in the Network text box, type a network IP (for example, ).
5. In the Netmask text box, type a subnet mask (for example, ).
6. Click Add. The route monitor is added and appears in the Configured Route Monitors table.
7. Click OK.

Note: When a route monitor is not bound to a node, the HA state (primary or secondary) of the node is determined solely by the state of the interfaces.
To add a route monitor using the NetScaler command line
bind HA node id -routemonitor IP_address netmask
bind HA node 3 -routemonitor

Verifying Route Monitors

To verify a route monitor, display its settings and examine them.

To display a route monitor using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Route Monitors tab.

To display a route monitor using the NetScaler command line
sh HA node

Removing Route Monitors

To remove a route monitor, use either of the following procedures.

To remove a route monitor using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Route Monitors tab.
3. On the Route Monitors page, click Configure.
4. In the Bind / Unbind Route Monitor(s) dialog box, under Configured Route Monitors, select a route monitor to remove and click Remove.

To remove a route monitor using the NetScaler command line
unbind HA node id -routemonitor IP_address netmask
unbind ns node -routemonitor
High Availability Health Check Computation

The health check computation examines the following factors:
State of the CIs
State of the FISs
State of the route monitors

The following table summarizes the health check computation.

FIS   CI   Route Monitor   Condition
N     Y    N               If the system has any CIs, all of those CIs must be UP.
Y     Y    N               If the system has any FISs, all of those FISs must be UP.
Y     Y    Y               If the system has any route monitors configured, all monitored routes must be present in the FIS.

Configuring the State of a Node

This section describes how to configure the secondary node to remain secondary and the primary node to remain primary.

Forcing the Secondary Node to Stay Secondary

In an HA setup, the secondary node can be forced to stay secondary regardless of the state of the primary node. For example, suppose the primary node needs to be upgraded and the process will take a few seconds. During the upgrade, the primary node may go down for a few seconds, but you do not want the secondary node to take over; you want it to remain the secondary node even if it detects a failure in the primary node.

When you force the secondary node to stay secondary, it remains secondary even if the primary node goes down. Also, when you force the status of a node in an HA pair to stay secondary, it does not participate in HA state machine transitions. The status of the node is displayed as STAYSECONDARY.

Forcing the node to stay secondary works on both standalone and secondary nodes. On a standalone node, you must use this option before you can add a node to create an HA pair. When you add the new node, the existing node continues to function as the primary node, and the new node becomes the secondary node.
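The health check computation from the table above, together with the FIS and route-monitor behaviour described earlier in this section, modelled as an added Python example (not Citrix code): the interface names, the FIS name FIS1 and the 10.102.29.0/24 route are constructed values.

```python
"""Model of the NetScaler HA health check described in this chapter.

Added illustration, not Citrix code. It applies the table's rules (all CIs UP,
all FISs UP, all monitored routes present) to constructed interface, FIS and
route-monitor state so the effect of link redundancy and HA MON is visible.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network
from typing import Dict, List, Set, Tuple


@dataclass
class Interface:
    name: str                 # slot/port notation, for example "1/1"
    up: bool
    ha_monitor: bool = True   # set interface <id> -hamonitor ON|OFF (default ON)


@dataclass
class HANode:
    interfaces: Dict[str, Interface]
    fis: Dict[str, Set[str]] = field(default_factory=dict)   # FIS name -> bound interfaces
    route_monitors: List[IPv4Network] = field(default_factory=list)
    routing_table: List[IPv4Network] = field(default_factory=list)

    def critical_interfaces(self) -> List[Interface]:
        """HA MON interfaces not bound to any FIS are critical interfaces (CIs)."""
        bound = set().union(*self.fis.values()) if self.fis else set()
        return [i for i in self.interfaces.values()
                if i.ha_monitor and i.name not in bound]

    def fis_is_up(self, name: str) -> bool:
        """A FIS stays UP while at least one member link works; only the loss of
        every member counts as a failure (the point of link redundancy)."""
        return any(self.interfaces[n].up for n in self.fis[name])

    def health_check(self) -> Tuple[bool, List[str]]:
        """Apply the three rows of the health check table. Returns whether the
        node is eligible to be primary and the list of failed conditions."""
        failures: List[str] = []
        for ci in self.critical_interfaces():
            if not ci.up:
                failures.append(f"critical interface {ci.name} is DOWN")
        for name in self.fis:
            if not self.fis_is_up(name):
                failures.append(f"FIS {name} is DOWN (all member interfaces down)")
        for net in self.route_monitors:
            if net not in self.routing_table:
                failures.append(f"monitored route {net} is absent from the routing table")
        return (not failures, failures)


def route(ip: str, netmask: str) -> IPv4Network:
    """Build a route the way 'bind HA node <id> -routemonitor <ip> <netmask>' names it."""
    return IPv4Network(f"{ip}/{netmask}")


def sample_node(use_fis: bool, unused_ha_mon_off: bool = True) -> HANode:
    """Constructed node: 1/1-1/3 carry traffic, 1/4 is an uncabled, unused port."""
    ifaces = {n: Interface(n, up=True) for n in ("1/1", "1/2", "1/3")}
    ifaces["1/4"] = Interface("1/4", up=False, ha_monitor=not unused_ha_mon_off)
    node = HANode(interfaces=ifaces)
    if use_fis:
        node.fis["FIS1"] = {"1/1", "1/2", "1/3"}      # bind fis FIS1 1/1 1/2 1/3
    # Route monitor for the peer's subnet; 10.102.29.0/24 is a constructed value.
    node.route_monitors.append(route("10.102.29.0", "255.255.255.0"))
    node.routing_table.append(route("10.102.29.0", "255.255.255.0"))
    return node


def single_link_failure(use_fis: bool) -> bool:
    """Interface 1/1 fails. With a FIS the node stays healthy; without one,
    1/1 is a CI and its failure alone triggers failover."""
    node = sample_node(use_fis)
    node.interfaces["1/1"].up = False
    return node.health_check()[0]


def all_fis_links_fail() -> bool:
    """Every member of FIS1 goes down: the FIS is DOWN and the check fails."""
    node = sample_node(use_fis=True)
    for n in ("1/1", "1/2", "1/3"):
        node.interfaces[n].up = False
    return node.health_check()[0]


def unused_interface_left_monitored() -> List[str]:
    """Skipping 'set interface 1/4 -hamonitor OFF' on an uncabled port leaves a
    DOWN critical interface, which is why the INC procedure disables HA MON."""
    node = sample_node(use_fis=True, unused_ha_mon_off=False)
    return node.health_check()[1]


def peer_route_lost() -> List[str]:
    """The monitored route drops out of the routing table (for example after a
    dynamic routing error); the node is no longer eligible to be primary."""
    node = sample_node(use_fis=True)
    node.routing_table.clear()
    return node.health_check()[1]


if __name__ == "__main__":
    print("1/1 down, FIS bound:", single_link_failure(True))     # True
    print("1/1 down, no FIS   :", single_link_failure(False))    # False
    print("1/4 HA MON left ON :", unused_interface_left_monitored())
    print("peer route lost    :", peer_route_lost())
```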
Note: When you force a system to remain secondary, the forcing process is not propagated or synchronized. It affects only the node on which the command is executed.

To force the secondary node to stay secondary using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, click the Nodes tab.
3. On the Nodes page, click Open.
4. In the Configure dialog box, under High Availability Status, select STAY SECONDARY.
5. Click OK.

To force the secondary node to stay secondary using the NetScaler command line
set node -hastatus Value
set node -hastatus STAYSECONDARY

Forcing the Primary Node to Stay Primary

In an HA setup, you can force the primary node to remain primary even after a failover. You can enable this option either on a primary node in an HA pair or on a standalone system. On a standalone system, you must execute this option before you can add a node to create an HA pair. When you add the new node, it becomes the primary node. The existing node stops processing traffic and becomes the secondary node in the HA pair.

To force the primary node to stay primary using the configuration utility
1. In the navigation pane, expand System and click High Availability.
2. On the High Availability page, select the Nodes tab.
3. On the Nodes page, select a node, and then click Open.
4. In the Configure Node dialog box, under High Availability Status, select STAY PRIMARY.
5. Click OK.

To force the primary node to stay primary using the NetScaler command line
set node -hastatus Value
set node -hastatus STAYPRIMARY

Troubleshooting High Availability Issues

This section gives troubleshooting tips for the following issues in a high availability setup:

Improper synchronization of VLAN configuration in high availability systems. In HA pairs, synchronization does not work properly if only one system has a VLAN configured. To prevent this problem, configure your VLANs after you configure your systems as an HA pair, and be sure to configure them on both.

Retrieving a lost configuration. If the primary system is unable to send the configuration to the secondary system because of a network error, the secondary system may not have an accurate configuration and may not behave correctly if a failover occurs. If this happens, you can retrieve the current configuration from the configuration backup on the hard disk of the primary system. The operating system saves the last four copies of the ns.conf file in the /nsconfig directory as ns.conf.0, ns.conf.1, ns.conf.2, and ns.conf.3. The ns.conf.0 file contains the current configuration.

To retrieve the current system configuration:
1. Exit from the CLI to FreeBSD by typing the following command and pressing the Enter key:
> shell
The FreeBSD shell prompt appears, as shown below.
#
2. Copy the latest backup file to /nsconfig/ns.conf, using the following command:
# cp `ls -t /nsconfig/ns.conf.? | head -1` /nsconfig/ns.conf
If you perform a configuration using the NSConfig utility, it is not propagated. If you create a configuration using NSConfig, you must repeat the configuration steps separately for each node in an HA pair.
Basic & Advanced Administration for Citrix NetScaler 9.2
Basic & Advanced Administration for Citrix NetScaler 9.2 Day One Introducing and deploying Citrix NetScaler Key - Brief Introduction to the NetScaler system Planning a NetScaler deployment Deployment scenarios
Barracuda Load Balancer Administrator s Guide
Barracuda Load Balancer Administrator s Guide Version 3.3 Barracuda Networks Inc. 3175 S. Winchester Blvd. Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2004-2010, Barracuda Networks
CNS-208 Citrix NetScaler 10.5 Essentials for ACE Migration
CNS-208 Citrix NetScaler 10.5 Essentials for ACE Migration The objective of the Citrix NetScaler 10.5 Essentials for ACE Migration course is to provide the foundational concepts and advanced skills necessary
DEPLOYMENT GUIDE. Deploying the BIG-IP LTM v9.x with Microsoft Windows Server 2008 Terminal Services
DEPLOYMENT GUIDE Deploying the BIG-IP LTM v9.x with Microsoft Windows Server 2008 Terminal Services Deploying the BIG-IP LTM system and Microsoft Windows Server 2008 Terminal Services Welcome to the BIG-IP
CNS-205 Citrix NetScaler 10 Essentials and Networking
CNS-205 Citrix NetScaler 10 Essentials and Networking The objective of the Citrix NetScaler 10 Essentials and Networking course is to provide the foundational concepts and advanced skills necessary to
Integrated Citrix Servers
Installation Guide Supplement for use with Integrated Citrix Servers Websense Web Security Websense Web Filter v7.5 1996-2010, Websense, Inc. 10240 Sorrento Valley Rd., San Diego, CA 92121, USA All rights
LotWan Appliance User Guide USER GUIDE
LotWan Appliance User Guide USER GUIDE Copyright Information Copyright 2014, Beijing AppEx Networks Corporation The description, illustrations, pictures, methods and other information contain in this document
Citrix NetScaler Hardware Installation and Setup Guide
Citrix NetScaler Hardware Installation and Setup Guide Citrix NetScaler 9.1 Copyright and Trademark Notice CITRIX SYSTEMS, INC., 2010. ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR
NMS300 Network Management System
NMS300 Network Management System User Manual June 2013 202-11289-01 350 East Plumeria Drive San Jose, CA 95134 USA Support Thank you for purchasing this NETGEAR product. After installing your device, locate
Guideline for setting up a functional VPN
Guideline for setting up a functional VPN Why do I want a VPN? VPN by definition creates a private, trusted network across an untrusted medium. It allows you to connect offices and people from around the
Firewall. Vyatta System. REFERENCE GUIDE IPv4 Firewall IPv6 Firewall Zone Based Firewall VYATTA, INC.
VYATTA, INC. Vyatta System Firewall REFERENCE GUIDE IPv4 Firewall IPv6 Firewall Zone Based Firewall Vyatta Suite 200 1301 Shoreway Road Belmont, CA 94002 vyatta.com 650 413 7200 1 888 VYATTA 1 (US and
Configuring Network Address Translation
CHAPTER5 Configuring Network Address Translation The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. This chapter contains the following major sections
642 523 Securing Networks with PIX and ASA
642 523 Securing Networks with PIX and ASA Course Number: 642 523 Length: 1 Day(s) Course Overview This course is part of the training for the Cisco Certified Security Professional and the Cisco Firewall
Chapter 1 Load Balancing 99
Chapter 1 Load Balancing 99 asterisk indicates a required parameter. For a term in parentheses, see the corresponding argument in the table above.) Name* (name; Note: Cannot be changed for a previously
SonicOS Enhanced 5.7.0.2 Release Notes
SonicOS Contents Platform Compatibility... 1 Key Features... 2 Known Issues... 3 Resolved Issues... 4 Upgrading SonicOS Enhanced Image Procedures... 6 Related Technical Documentation... 11 Platform Compatibility
Transport and Network Layer
Transport and Network Layer 1 Introduction Responsible for moving messages from end-to-end in a network Closely tied together TCP/IP: most commonly used protocol o Used in Internet o Compatible with a
ProSafe Plus Switch Utility
ProSafe Plus Switch Utility User Guide 350 East Plumeria Drive San Jose, CA 95134 USA September 2010 202-10524-03 v1.0 ProSafe Plus Switch Utility User Guide 2010 NETGEAR, Inc. All rights reserved. No
Firewall. Vyatta System. REFERENCE GUIDE IPv4 Firewall IPv6 Firewall Zone Based Firewall VYATTA, INC.
VYATTA, INC. Vyatta System Firewall REFERENCE GUIDE IPv4 Firewall IPv6 Firewall Zone Based Firewall Vyatta Suite 200 1301 Shoreway Road Belmont, CA 94002 vyatta.com 650 413 7200 1 888 VYATTA 1 (US and
Configuring Health Monitoring
CHAPTER 6 This chapter describes how to configure the health monitoring on the CSM and contains these sections: Configuring Probes for Health Monitoring, page 6-1 Configuring Route Health Injection, page
NEFSIS DEDICATED SERVER
NEFSIS TRAINING SERIES Nefsis Dedicated Server version 5.2.0.XXX (DRAFT Document) Requirements and Implementation Guide (Rev5-113009) REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER Nefsis
How To Manage Outgoing Traffic On Fireware Xtm
Fireware XTM Training Instructor Guide Fireware XTM Multi-WAN Methods Exploring Multi-WAN Through Hands-On Training This training is for: Devices WatchGuard XTM 2 Series /WatchGuard XTM 5 Series / WatchGuard
Firewall Load Balancing
CHAPTER 6 This chapter describes the (FWLB) feature. It includes the following sections: FWLB Overview, page 6-1 FWLB Features, page 6-2 FWLB Configuration Tasks, page 6-3 Monitoring and Maintaining FWLB,
Networking Security IP packet security
Networking Security IP packet security Networking Security IP packet security Copyright International Business Machines Corporation 1998,2000. All rights reserved. US Government Users Restricted Rights
GlobalSCAPE DMZ Gateway, v1. User Guide
GlobalSCAPE DMZ Gateway, v1 User Guide GlobalSCAPE, Inc. (GSB) Address: 4500 Lockhill-Selma Road, Suite 150 San Antonio, TX (USA) 78249 Sales: (210) 308-8267 Sales (Toll Free): (800) 290-5054 Technical
Interconnecting Cisco Network Devices 1 Course, Class Outline
www.etidaho.com (208) 327-0768 Interconnecting Cisco Network Devices 1 Course, Class Outline 5 Days Interconnecting Cisco Networking Devices, Part 1 (ICND1) v2.0 is a five-day, instructorled training course
Deployment Guide. WAN Link Load Balancing. Deployment Guide. A Step-by-Step Technical Guide
Deployment Guide WAN Link Load Balancing Deployment Guide A Step-by-Step Technical Guide Deployment Guide Notice: The information in this publication is subject to change without notice. THIS PUBLICATION
F-Secure Messaging Security Gateway. Deployment Guide
F-Secure Messaging Security Gateway Deployment Guide TOC F-Secure Messaging Security Gateway Contents Chapter 1: Deploying F-Secure Messaging Security Gateway...3 1.1 The typical product deployment model...4
App Orchestration 2.0
App Orchestration 2.0 Configuring NetScaler Load Balancing and NetScaler Gateway for App Orchestration Prepared by: Christian Paez Version: 1.0 Last Updated: December 13, 2013 2013 Citrix Systems, Inc.
Cisco UCS Director Payment Gateway Integration Guide, Release 4.1
First Published: April 16, 2014 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883
Multi-Homing Dual WAN Firewall Router
Multi-Homing Dual WAN Firewall Router Quick Installation Guide M73-APO09-400 Multi-Homing Dual WAN Firewall Router Overview The Multi-Homing Dual WAN Firewall Router provides three 10/100Mbit Ethernet
How To Connect To Bloomerg.Com With A Network Card From A Powerline To A Powerpoint Terminal On A Microsoft Powerbook (Powerline) On A Blackberry Or Ipnet (Powerbook) On An Ipnet Box On
Transport and Security Specification 15 July 2015 Version: 5.9 Contents Overview 3 Standard network requirements 3 Source and Destination Ports 3 Configuring the Connection Wizard 4 Private Bloomberg Network
Exam : EE0-511. : F5 BIG-IP V9 Local traffic Management. Title. Ver : 12.19.05
Exam : EE0-511 Title : F5 BIG-IP V9 Local traffic Management Ver : 12.19.05 QUESTION 1 Which three methods can be used for initial access to a BIG-IP system? (Choose three.) A. serial console access B.
Services. Vyatta System. REFERENCE GUIDE DHCP DHCPv6 DNS Web Caching LLDP VYATTA, INC.
VYATTA, INC. Vyatta System Services REFERENCE GUIDE DHCP DHCPv6 DNS Web Caching LLDP Vyatta Suite 200 1301 Shoreway Road Belmont, CA 94002 vyatta.com 650 413 7200 1 888 VYATTA 1 (US and Canada) COPYRIGHT
Elfiq Link Balancer (Link LB) Quick Web Configuration Guide
Elfiq Link Balancer (Link LB) Quick Web Configuration Guide Elfiq Operating System (EOS) - Version 3.5.0 and higher Document Version 2.0 -January 2012 Elfiq Networks (Elfiq Inc.) www.elfiq.com 1. About
GLBP - Gateway Load Balancing Protocol
GLBP - Gateway Load Balancing Protocol Gateway Load Balancing Protocol (GLBP) protects data traffic from a failed router or circuit, like Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy
Network Simulator Lab Study Plan
The CCNA 640-802 Network Simulator has 300 lab exercises, organized both by type (Skill Builder, Configuration Scenario, Troubleshooting Scenario, and Subnetting Exercise) and by major topic within each
Citrix Access Gateway Plug-in for Windows User Guide
Citrix Access Gateway Plug-in for Windows User Guide Access Gateway 9.2, Enterprise Edition Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior acceptance
Prestige 202H Plus. Quick Start Guide. ISDN Internet Access Router. Version 3.40 12/2004
Prestige 202H Plus ISDN Internet Access Router Quick Start Guide Version 3.40 12/2004 Table of Contents 1 Introducing the Prestige...3 2 Hardware Installation...4 2.1 Rear Panel...4 2.2 The Front Panel
Hands-on MESH Network Exercise Workbook
Hands-on MESH Network Exercise Workbook Santa Clara County RACES Date: 18 March 2015 Version: 1.0 scco_wifi_intro_exonly_v150318.docx 1 Table of Contents HANDS ON! Exercise #1: Looking at your Network
Silver Peak WAN Optimization Appliances. Network Deployment Guide. VXOA 6.2 March 2015 PN 200059-001 Rev L
Silver Peak WAN Optimization Appliances Network Deployment Guide VXOA 6.2 March 2015 PN 200059-001 Rev L Silver Peak NX Series Appliances Network Deployment Guide Silver Peak NX Series Appliances Network
Legal Disclaimers. For C-UL Listed applications, the unit shall be installed in accordance with Part 1 of the Canadian Electrical Code.
ACS5000 Networking Admin Interface Guide 1/21/2015 Legal Disclaimers Federal Communications Commission (FCC) Compliancy This equipment has been tested and found to comply with the limits for a Class B
SonicOS Enhanced 4.0: NAT Load Balancing
SonicOS Enhanced 4.0: NAT Load Balancing This document describes how to configure the Network Address Translation (NAT) & Load Balancing (LB) features in SonicOS Enhanced 4.0. Feature Overview, page 1
Configuring SSL VPN on the Cisco ISA500 Security Appliance
Application Note Configuring SSL VPN on the Cisco ISA500 Security Appliance This application note describes how to configure SSL VPN on the Cisco ISA500 security appliance. This document includes these
Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide. Revised February 28, 2013 2:32 pm Pacific
Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide Revised February 28, 2013 2:32 pm Pacific Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide
DEPLOYMENT GUIDE Version 2.1. Deploying F5 with Microsoft SharePoint 2010
DEPLOYMENT GUIDE Version 2.1 Deploying F5 with Microsoft SharePoint 2010 Table of Contents Table of Contents Introducing the F5 Deployment Guide for Microsoft SharePoint 2010 Prerequisites and configuration
