Configure NetScaler to source FreeBSD data traffic from a SNIP address
Some NetScaler data features run on the underlying FreeBSD OS instead of on the NetScaler OS. For this reason, these features send traffic sourced from the NetScaler IP (NSIP) address instead of from a SNIP address. Sourcing data traffic from the NSIP address is undesirable if your setup is configured to keep all management traffic separate from data traffic.
Some of the NetScaler data features that run on the underlying FreeBSD OS and send traffic sourced from the NetScaler IP (NSIP) address are:
- Load balancing scriptable monitors
- GSLB autosync
To resolve this issue, you can use the global Layer-2 parameter useNetprofileBSDtraffic. When you enable this parameter, these features send traffic sourced from one of the SNIP addresses in a net profile associated with the feature.
Before you begin
Before configuring NetScaler to source feature-related traffic from a SNIP address, note the following points:
- Currently, the global Layer-2 parameter useNetprofileBSDtraffic is supported only for load balancing scriptable monitors. To configure NetScaler to source GSLB autosync traffic from a SNIP address, you can use extended ACL rules and RNAT rules as a workaround.
- The useNetprofileBSDtraffic support for load balancing scriptable monitors is applicable only for net profiles bound to the related services. The useNetprofileBSDtraffic support is not applicable for net profiles bound to the related service groups. In other words, NetScaler does not use any SNIP address from the net profiles bound to the service groups for sourcing load balancing scriptable monitors traffic.
- The useNetprofileBSDtraffic support is not applicable for SSL services. In other words, NetScaler does not use any SNIP address from the net profiles bound to the SSL services for sourcing load balancing scriptable monitors traffic.
Configure NetScaler to source scriptable monitors traffic from a SNIP address
- Enable the global Layer-2 parameter useNetprofileBSDtraffic.
- Create a net profile and bind at least one SNIP address to it.
- Bind the net profile to the load balancing services.
To enable the Layer-2 parameter useNetprofileBSDtraffic by using the CLI:
At the command prompt, type:
set l2param -useNetprofileBSDtraffic (ENABLED / DISABLED)
show l2param
To create a net profile and bind SNIP addresses to it by using the CLI:
At the command prompt, type:
add netProfile <name> -srcIP <string>
show netProfile
To bind a net profile to a load balancing service by using the CLI:
At the command prompt, type:
set service <name> -netProfile <string>
show service <name>
Sample configuration
The following sample configuration enables NetScaler to source scriptable monitors traffic from a SNIP address. A net profile NETPROFILE-1 is configured with SNIP address 198.51.100.20 bound to it. A user/scriptable monitor USER-MONITOR-1 is created and is bound to a load balancing service SERVICE-1. NETPROFILE-1 is bound to SERVICE-1. NetScaler sources all scriptable monitors packets of USER-MONITOR-1 from SNIP address 198.51.100.20.
set l2param -useNetprofileBSDtraffic ENABLED
add netprofile NETPROFILE-1 -srcip 198.51.100.20
add lb monitor USER-MONITOR-1 USER -scriptName nsftp.pl -scriptArgs "file=Index.gif;user=nsroot;password=nsroot" -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -destIP 203.0.113.90 -destPort 21
bind service SERVICE-1 -monitorName USER-MONITOR-1
set service SERVICE-1 -netProfile NETPROFILE-1
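The three conditions above (the global parameter must be enabled, the monitored service must have a net profile with a SNIP bound, and the feature does not apply to SSL services or to service groups) are easy to get wrong in a large configuration, and the symptom is simply that monitor probes keep leaving from the NSIP. The following script is an added example, not NetScaler's own tooling: it reads ns.conf-style lines and reports every scriptable (USER) monitor whose probes would still be sourced from the NSIP. The configuration lines are constructed for illustration, and the option-parsing helper assumes the usual `add|set|bind <entity> <name> -option value` shape of NetScaler CLI commands.

```python
import shlex

# Constructed ns.conf-style sample, not a real NetScaler export.
SAMPLE_CONFIG = """
set l2param -useNetprofileBSDtraffic ENABLED
add netProfile NETPROFILE-1 -srcIP 198.51.100.20
add lb monitor USER-MONITOR-1 USER -scriptName nsftp.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013
add lb monitor HTTP-MONITOR-1 HTTP
add service SERVICE-1 203.0.113.90 FTP 21
add service SERVICE-2 203.0.113.91 SSL 443
add service SERVICE-3 203.0.113.92 HTTP 80
add serviceGroup SG-1 HTTP
bind service SERVICE-1 -monitorName USER-MONITOR-1
bind service SERVICE-2 -monitorName USER-MONITOR-1
bind service SERVICE-3 -monitorName HTTP-MONITOR-1
bind serviceGroup SG-1 -monitorName USER-MONITOR-1
set service SERVICE-1 -netProfile NETPROFILE-1
set service SERVICE-2 -netProfile NETPROFILE-1
"""


def parse_line(line):
    """Split one CLI line into positional tokens and a dict of -option values.
    Option names are lower-cased (the NetScaler CLI treats them case-insensitively);
    entity names and values are kept exactly as written."""
    tokens = shlex.split(line)
    positionals, opts = [], {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and len(tok) > 1 and not tok[1].isdigit():
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[key] = tokens[i + 1]
                i += 2
            else:
                opts[key] = True  # bare flag without a value
                i += 1
        else:
            positionals.append(tok)
            i += 1
    return positionals, opts


def audit(config_text):
    """Return a list of (entity, reason) findings for scriptable monitor traffic
    that would be sourced from the NSIP instead of a net profile SNIP."""
    l2_enabled = False
    user_monitors = set()
    netprofiles = {}      # net profile name -> srcIP (None if none bound)
    services = {}         # service name -> {"type", "netprofile", "monitors"}
    servicegroups = {}    # service group name -> set of bound monitor names
    new_svc = lambda: {"type": "UNKNOWN", "netprofile": None, "monitors": set()}

    for raw in config_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        pos, opts = parse_line(raw)
        cmd = [p.lower() for p in pos[:3]]
        if cmd[:2] == ["set", "l2param"]:
            l2_enabled = str(opts.get("usenetprofilebsdtraffic", "")).upper() == "ENABLED"
        elif cmd[:2] == ["add", "netprofile"]:
            netprofiles[pos[2]] = opts.get("srcip")
        elif cmd == ["add", "lb", "monitor"] and len(pos) > 4 and pos[4].upper() == "USER":
            user_monitors.add(pos[3])
        elif cmd[:2] == ["add", "service"] and len(pos) > 4:
            services.setdefault(pos[2], new_svc())["type"] = pos[4].upper()
        elif cmd[:2] == ["add", "servicegroup"]:
            servicegroups.setdefault(pos[2], set())
        elif cmd[:2] == ["bind", "service"] and "monitorname" in opts:
            services.setdefault(pos[2], new_svc())["monitors"].add(opts["monitorname"])
        elif cmd[:2] == ["bind", "servicegroup"] and "monitorname" in opts:
            servicegroups.setdefault(pos[2], set()).add(opts["monitorname"])
        elif cmd[:2] == ["set", "service"] and "netprofile" in opts:
            services.setdefault(pos[2], new_svc())["netprofile"] = opts["netprofile"]

    findings = []
    if not l2_enabled:
        findings.append(("l2param", "useNetprofileBSDtraffic is not ENABLED: all scriptable monitor traffic is sourced from the NSIP"))
    for name, svc in sorted(services.items()):
        if not svc["monitors"] & user_monitors:
            continue  # no scriptable monitor bound, nothing to check
        if svc["type"] == "SSL":  # the page scopes this exception to SSL services
            findings.append((name, "SSL service: net profile SNIP is not used; scriptable monitor traffic is sourced from the NSIP"))
        elif svc["netprofile"] is None:
            findings.append((name, "no net profile bound: scriptable monitor traffic is sourced from the NSIP"))
        elif not netprofiles.get(svc["netprofile"]):
            findings.append((name, "net profile %s has no SNIP (srcIP) bound" % svc["netprofile"]))
    for name, mons in sorted(servicegroups.items()):
        if mons & user_monitors:
            findings.append((name, "service group: net profile SNIP is not used; scriptable monitor traffic is sourced from the NSIP"))
    return findings


if __name__ == "__main__":
    for entity, reason in audit(SAMPLE_CONFIG):
        print("%-12s %s" % (entity, reason))
```

On the constructed sample the audit reports SERVICE-2 (an SSL service) and SG-1 (a service group) as still sourcing probes from the NSIP, while SERVICE-1 passes because NETPROFILE-1 carries a SNIP and is bound directly to the service. Pointing the script at the output of `show ns runningConfig` gives the same check for a real appliance.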
Configure NetScaler to source GSLB autosync and other FreeBSD originated traffic from a SNIP address
- Create an extended ACL rule. An extended ACL rule identifies the GSLB autosync packets. This identification is based on the source IP and destination IP addresses.
- Apply ACLs. Applying ACLs activates the newly created ACL rule.
- Create an ACL based RNAT rule. An RNAT rule changes the source IP address of these packets from the NSIP address to a SNIP address.
Note:
In a high availability or cluster setup, you must add ACL and RNAT rules for all the NSIP addresses of the setup.
To create an extended ACL by using the CLI:
At the command prompt, type:
add acl <aclname> ALLOW -srcIP = <NSIP address> -destIP = <destination IP address of the packets>
show acl <aclName>
To apply extended ACLs by using the CLI:
At the command prompt, type:
apply acls
To create an ACL based RNAT rule by using the CLI:
At the command prompt, type:
add rnat <name> <aclname>
bind rnat <name> -natIP <SNIP address - source IP address for the packets>
show rnat <name>
Sample configuration
The following sample configuration enables NetScaler to source GSLB autosync traffic from a SNIP address. ACL-2 identifies GSLB autosync packets, which are sourced from NSIP address 192.0.1.20 and destined to GSLB site IP address 203.0.113.20. RNAT-2 changes the source IP address to SNIP address 198.51.100.20 for these identified packets.
add acl ACL-2 ALLOW -srcIP = 192.0.1.20 -destIP = 203.0.113.20
apply acls
add rnat RNAT-2 ACL-2
bind rnat RNAT-2 -natIP 198.51.100.20
In general, any FreeBSD-originated traffic can use the ACL-with-RNAT approach described above to choose a specific SNIP address as its source IP address instead of the NSIP address. You must know the destination IP address of that traffic to write the extended ACL rule.
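Because the ACL and RNAT rules are keyed on the NSIP as source and the GSLB site IP as destination, a high availability or cluster setup needs one (NSIP, site IP) pair per node and per remote site, and a pair that is missing its RNAT rule or its natIP binding silently leaves that traffic on the NSIP. The following script is an added example, not NetScaler's own tooling: it reads existing `add acl` / `add rnat` / `bind rnat` lines, works out which (NSIP, site IP) pairs are fully covered, and emits the commands for the missing ones in the same order as the procedure above. The NSIP list, the remote site IPs, the SNIP and the existing configuration lines are all constructed for illustration, and the generated ACL and RNAT names (ACL-10, RNAT-10, ...) are placeholders to check against your own naming.

```python
import re

# Constructed inputs for an HA pair syncing to two remote GSLB sites.
NSIPS = ["192.0.1.20", "192.0.1.21"]                # primary and secondary NSIP
REMOTE_SITE_IPS = ["203.0.113.20", "203.0.113.30"]  # GSLB site IPs that receive autosync
SNIP = "198.51.100.20"                              # SNIP to source the traffic from

# Constructed existing configuration: ACL-3 exists but has no RNAT rule.
EXISTING_CONFIG = """
add acl ACL-2 ALLOW -srcIP = 192.0.1.20 -destIP = 203.0.113.20
apply acls
add rnat RNAT-2 ACL-2
bind rnat RNAT-2 -natIP 198.51.100.20
add acl ACL-3 ALLOW -srcIP = 192.0.1.21 -destIP = 203.0.113.20
"""

# Extended ACL with srcIP/destIP (the "=" operator form used on this page is optional).
ACL_RE = re.compile(r"^add\s+acl\s+(\S+)\s+ALLOW\s+-srcIP\s*=?\s*(\S+)\s+-destIP\s*=?\s*(\S+)", re.I)
# ACL-based RNAT: exactly "add rnat <name> <aclname>" (network-based RNAT has more tokens).
RNAT_RE = re.compile(r"^add\s+rnat\s+(\S+)\s+(\S+)\s*$", re.I)
NATIP_RE = re.compile(r"^bind\s+rnat\s+(\S+)\s+-natIP\s+(\S+)", re.I)


def covered_pairs(config_text):
    """Return the set of (srcIP, destIP) pairs whose ACL is referenced by an
    RNAT rule that also has a natIP bound, i.e. pairs that are actually rewritten."""
    acls, rnat_acl, rnat_with_natip = {}, {}, set()
    for line in config_text.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = RNAT_RE.match(line)
        if m:
            rnat_acl[m.group(1)] = m.group(2)
            continue
        m = NATIP_RE.match(line)
        if m:
            rnat_with_natip.add(m.group(1))
    return {acls[acl] for rnat, acl in rnat_acl.items()
            if rnat in rnat_with_natip and acl in acls}


def missing_rules(nsips, site_ips, config_text, snip, start_index=10):
    """Return (missing pairs, CLI commands that would cover them).
    Commands follow the page's order: add the ACLs, apply them, then add and bind RNAT."""
    covered = covered_pairs(config_text)
    missing = [(n, s) for n in nsips for s in site_ips if (n, s) not in covered]
    acl_cmds, rnat_cmds = [], []
    for i, (nsip, site) in enumerate(missing, start=start_index):
        acl_cmds.append("add acl ACL-%d ALLOW -srcIP = %s -destIP = %s" % (i, nsip, site))
        rnat_cmds.append("add rnat RNAT-%d ACL-%d" % (i, i))
        rnat_cmds.append("bind rnat RNAT-%d -natIP %s" % (i, snip))
    cmds = acl_cmds + (["apply acls"] if acl_cmds else []) + rnat_cmds
    return missing, cmds


if __name__ == "__main__":
    missing, cmds = missing_rules(NSIPS, REMOTE_SITE_IPS, EXISTING_CONFIG, SNIP)
    print("uncovered NSIP -> site pairs:", missing)
    print("\n".join(cmds))
```

On the constructed input only the 192.0.1.20 to 203.0.113.20 pair is covered; ACL-3 counts as missing because no RNAT rule references it, so the secondary node's autosync to both sites and the primary's sync to the second site are reported and ten commands are generated. The ACL action is ALLOW, so these rules never block traffic; they only classify packets for the RNAT rewrite, which is why the check insists on the complete ACL, RNAT and natIP chain rather than the ACL alone.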