Configuring DS-Lite
A DS-Lite configuration on a Citrix ADC appliance uses the LSN command set. In a DS-Lite configuration, the LSN client entity specifies the IPv6 addresses, IPv6 network addresses, or ACL6 rules that identify the traffic from the B4 device. For more information on the Citrix ADC LSN feature, see Large Scale NAT. A DS-Lite configuration also includes an IPv6 profile, which specifies the IPv6 address (of type SNIP6) of the DS-Lite AFTR component on the Citrix ADC appliance.
Configuring DS-Lite on a Citrix ADC appliance consists of the following tasks:
- Set the global LSN parameters. Global parameters include the amount of Citrix ADC memory reserved for the LSN feature and synchronization of LSN sessions in a high availability setup.
- Create an LSN client entity for identifying traffic from B4 CPE devices. The LSN client entity refers to a set of DS-Lite B4 devices. The client entity includes IPv6 addresses, IPv6 network addresses, or ACL6 rules for identifying the traffic from these B4 devices. An LSN client can be bound to only one LSN group. The command line interface has two commands for creating an LSN client entity and binding a subscriber to the LSN client entity. The configuration utility combines these two operations on a single screen.
- Create an LSN pool and bind NAT IP addresses to it. An LSN pool defines a pool of NAT IP addresses to be used by the Citrix ADC appliance to perform LSN. The command line interface has two commands for creating an LSN pool and binding NAT IP addresses to the LSN pool. The configuration utility combines these two operations on a single screen.
- Create an LSN IP6 profile. An LSN IP6 profile defines the IPv6 address of the DS-Lite AFTR component on the Citrix ADC appliance. The IPv6 address must be one of the Citrix ADC owned IPv6 addresses of type SNIP6.
- (Optional) Create an LSN Transport Profile for a specified protocol. An LSN transport profile defines various timeouts and limits, such as the maximum number of LSN sessions and the maximum port usage that a subscriber can have for a given protocol. You bind an LSN transport profile for each protocol (TCP, UDP, and ICMP) to an LSN group. A profile can be bound to multiple LSN groups. A profile bound to an LSN group applies to all subscribers of an LSN client bound to the same group. By default, one LSN transport profile with default settings for TCP, UDP, and ICMP protocols is bound to an LSN group during its creation. This profile is called the default transport profile. An LSN transport profile that you bind to an LSN group overrides the default LSN transport profile for that protocol.
- (Optional) Create an LSN Application Profile for a specified protocol and bind a set of destination ports to it. An LSN application profile defines the LSN mapping and LSN filtering controls of a group for a given protocol and for a set of destination ports. For a set of destination ports, you bind an LSN profile for each protocol (TCP, UDP, and ICMP) to an LSN group. A profile can be bound to multiple LSN groups. An LSN application profile bound to an LSN group applies to all subscribers of an LSN client bound to the same group. By default, one LSN application profile with default settings for TCP, UDP, and ICMP protocols for all destination ports is bound to an LSN group during its creation. This profile is called a default application profile. When you bind an LSN application profile, with a specified set of destination ports, to an LSN group, the bound profile overrides the default LSN application profile for that protocol at that set of destination ports. The command line interface has two commands for creating an LSN application profile and binding a set of destination ports to the LSN application profile. The configuration utility combines these two operations on a single screen.
- Create an LSN Group and bind LSN pools, an LSN IPv6 profile, (optional) LSN transport profiles, and (optional) LSN application profiles to the LSN group. An LSN group is an entity consisting of an LSN client, an LSN IPv6 profile, LSN pool(s), LSN transport profile(s), and LSN application profile(s). A group is assigned parameters, such as port block size and logging of LSN sessions. The parameter settings apply to all the subscribers of an LSN client bound to the LSN group. Only one LSN IPv6 profile can be bound to an LSN group, and an LSN IPv6 profile bound to an LSN group cannot be bound to other LSN groups. Only LSN pools and LSN groups with the same NAT type settings can be bound together. Multiple LSN pools can be bound to an LSN group. Only one LSN client entity can be bound to an LSN group, and an LSN client entity bound to an LSN group cannot be bound to other LSN groups. The command line interface has two commands for creating an LSN group and binding LSN pools, LSN transport profiles, and LSN application profiles to the LSN group. The configuration utility combines these two operations on a single screen.
Configuration by Using the Command Line
To create an LSN client by using the command line interface:
At the command prompt, type:
add lsn client <clientname>
show lsn client
To bind an IPv6 network or an ACL6 rule to an LSN client by using the command line interface:
At the command prompt, type:
bind lsn client <clientname> (-network6 <ipv6_addr|*> | -acl6name <string>)
show lsn client
To create an LSN pool by using the command line interface:
At the command prompt, type:
add lsn pool <poolname> [-nattype ( DYNAMIC )] [-portblockallocation ( ENABLED | DISABLED )] [-portrealloctimeout <secs>] [-maxPortReallocTmq <positive_integer>]
show lsn pool
To bind an IP address range to an LSN pool by using the command line interface:
At the command prompt, type:
bind lsn pool <poolname> <lsnip>
show lsn pool
Note: To remove LSN IP addresses from an LSN pool, use the unbind lsn pool command.
To configure an LSN IPv6 profile by using the command line interface:
At the command prompt, type:
add lsn ip6profile <name> -type DS-Lite -network6 <ipv6_addr|*>
show lsn ip6profile
To create an LSN transport profile by using the command line interface:
At the command prompt, type:
add lsn transportprofile <transportprofilename> <transportprotocol> [-sessiontimeout <secs>] [-finrsttimeout <secs>] [-portquota <positive_integer>] [-sessionquota <positive_integer>] [-portpreserveparity ( ENABLED | DISABLED )] [-portpreserverange ( ENABLED | DISABLED )] [-syncheck ( ENABLED | DISABLED )]
show lsn transportprofile
To create an LSN application profile by using the command line interface:
At the command prompt, type:
add lsn appsprofile <appsprofilename> <transportprotocol> [-ippooling ( PAIRED | RANDOM )] [-mapping <mapping>] [-filtering <filtering>] [-tcpproxy ( ENABLED | DISABLED )] [-td <positive_integer>]
show lsn appsprofile
To bind an application protocol port range to an LSN application profile by using the command line interface:
At the command prompt, type:
bind lsn appsprofile <appsprofilename> <lsnport>
show lsn appsprofile
To create an LSN group by using the command line interface:
At the command prompt, type:
add lsn group <groupname> -clientname <string> [-nattype ( DYNAMIC )] [-portblocksize <positive_integer>] [-logging ( ENABLED | DISABLED )] [-sessionLogging ( ENABLED | DISABLED )] [-sessionSync ( ENABLED | DISABLED )] [-snmptraplimit <positive_integer>] [-ftp ( ENABLED | DISABLED )] [-pptp ( ENABLED | DISABLED )] [-sipalg ( ENABLED | DISABLED )] [-rtspalg ( ENABLED | DISABLED )] [-ip6profile <string>]
show lsn group
To bind LSN protocol profiles and LSN pools to an LSN group by using the command line interface:
At the command prompt, type:
bind lsn group <groupname> (-poolname <string> | -transportprofilename <string> | -httphdrlogprofilename <string> | -appsprofilename <string> | -sipalgprofilename <string> | -rtspalgprofilename <string>)
show lsn group
Configuration by Using the Configuration Utility
To configure an LSN client and bind an IPv6 network address or an ACL6 rule by using the configuration utility:
Navigate to System > Large Scale NAT > Clients, and add a client and then bind an IPv6 network address or an ACL6 rule to the client.
To configure an LSN pool and bind NAT IP addresses by using the configuration utility:
Navigate to System > Large Scale NAT > Pools, and add a pool and then bind a NAT IP address or a range of NAT IP addresses to the pool.
To configure an LSN IPv6 profile by using the configuration utility:
Navigate to System > Large Scale NAT > Profiles, click the IPv6 tab, and assign an IPv6 address for DS-Lite AFTR.
To configure an LSN transport profile by using the configuration utility:
- Navigate to System > Large Scale NAT > Profiles.
- On the details pane, click Transport, and then add a transport profile.
To configure an LSN application profile by using the configuration utility:
- Navigate to System > Large Scale NAT > Profiles.
- On the details pane, click Application, and then add an application profile.
To configure an LSN group and bind an LSN client, an LSN IPv6 profile, pools, transport profiles, and application profiles by using the configuration utility:
Navigate to System > Large Scale NAT > Groups, and add a group and then bind an LSN client, an LSN IPv6 profile, pools, transport profiles, and application profiles to the group.
Example:
The following sample configuration creates an LSN client for the B4 devices, an LSN pool of NAT IP addresses, a DS-Lite IPv6 profile that holds the AFTR address, and an LSN group that binds them together. The final command binds the pool to the group (a pool is bound with bind lsn group, not with add lsn group):
> add lsn client LSN-DSLITE-CLIENT-1
Done
> bind lsn client LSN-DSLITE-CLIENT-1 -network6 2001:DB8::3:0/100
Done
> add lsn pool LSN-DSLITE-POOL-1
Done
> bind lsn pool LSN-DSLITE-POOL-1 203.0.113.61 - 203.0.113.70
Done
> add lsn ip6profile LSN-DSLITE-PROFILE-1 -type DS-Lite -network6 2001:DB8::5:6
Done
> add lsn group LSN-DSLITE-GROUP-1 -clientname LSN-DSLITE-CLIENT-1 -portblocksize 1024 -ip6profile LSN-DSLITE-PROFILE-1
Done
> bind lsn group LSN-DSLITE-GROUP-1 -poolname LSN-DSLITE-POOL-1
Done
Logging and Monitoring DS-Lite
You can log DS-Lite information to diagnose or troubleshoot problems, and to meet legal requirements. The Citrix ADC appliance supports all LSN logging features for logging DS-Lite information. For configuring DS-Lite logging, use the procedures for configuring LSN logging, described at Logging and Monitoring LSN.
A log message for a DS-Lite LSN mapping entry consists of the following information:
- Citrix ADC owned IP address (NSIP address or SNIP address) from which the log message is sourced
- Time stamp
- Entry type (MAPPING)
- Whether the DS-Lite LSN mapping entry was created or deleted
- IPv6 address of B4
- Subscriber’s IP address, port, and traffic domain ID
- NAT IP address and port
- Protocol name
- Destination IP address, port, and traffic domain ID might be present, depending on the following conditions:
  - Destination IP address and port are not logged for Endpoint-Independent mapping.
  - Only the destination IP address is logged for Address-Dependent mapping. The port is not logged.
  - Destination IP address and port are logged for Address-Port-Dependent mapping.
A log message for a DS-Lite session consists of the following information:
- Citrix ADC owned IP address (NSIP address or SNIP address) from which the log message is sourced
- Time stamp
- Entry type (SESSION)
- Whether the DS-Lite session is created or removed
- IPv6 address of B4
- Subscriber’s IP address, port, and traffic domain ID
- NAT IP address and port
- Protocol name
- Destination IP address, port, and traffic domain ID
The following table shows sample DS-Lite log entries of each type stored on the configured log servers. These log entries are generated by a Citrix ADC appliance whose NSIP address is 10.102.37.115.
| LSN Log Entry Type | Sample Log Entry |
| --- | --- |
| DS-Lite session creation | Local4.Informational 10.102.37.115 08/14/2015:13:35:38 GMT 0-PPE-1 : default LSN LSN_SESSION 37647607 0 : SESSION CREATED 2001:DB8::3:4 Client IP:Port:TD 192.0.2.51:2552:0, NatIP:NatPort 203.0.113.61:3002, Destination IP:Port:TD 198.51.100.250:80:0, Protocol:TCP |
| DS-Lite session deletion | Local4.Informational 10.102.37.115 08/14/2015:13:38:22 GMT 0-PPE-1 : default LSN LSN_SESSION 37647617 0 : SESSION DELETED 2001:DB8::3:4 Client IP:Port:TD 192.0.2.51:2552:0, NatIP:NatPort 203.0.113.61:3002, Destination IP:Port:TD 198.51.100.250:80:0, Protocol: TCP |
| DS-Lite LSN mapping creation | Local4.Informational 10.102.37.115 08/14/2015:13:35:39 GMT 0-PPE-1 : default LSN LSN_EIM_MAPPING 37647610 0 : EIM CREATED 2001:DB8::3:4 Client IP:Port:TD 192.0.2.51:2552:0, NatIP:NatPort 198.51.100.250:80, Protocol: TCP |
| DS-Lite LSN mapping deletion | Local4.Informational 10.102.37.115 08/14/2015:13:38:25 GMT 0-PPE-1 : default LSN LSN_EIM_MAPPING 37647618 0 : EIM DELETED 2001:DB8::3:4 Client IP:Port:TD 192.0.2.51:2552:0, NatIP:NatPort 198.51.100.250:80, Protocol: TCP |
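As an added example that is not part of the Citrix documentation, the following Python parses DS-Lite SESSION and MAPPING log lines in the format shown in the table and attributes an external NAT IP:port (the only address a remote site ever sees) back to the B4 device and inner IPv4 subscriber, which is the lookup an abuse report or lawful request requires. The field layout in the regular expression is an assumption derived from the sample entries above (it handles the missing Destination block of EIM entries), and the sample lines are copied from the table.

```python
import re
from typing import Dict, List, Optional

# Sample entries copied from the table above (NSIP 10.102.37.115, B4 2001:DB8::3:4).
SAMPLE_LINES = [
    "Local4.Informational 10.102.37.115 08/14/2015:13:35:38 GMT 0-PPE-1 : default LSN LSN_SESSION 37647607 0 : SESSION CREATED 2001:DB8::3:4 Client IP:Port:TD 192.0.2.51:2552:0, NatIP:NatPort 203.0.113.61:3002, Destination IP:Port:TD 198.51.100.250:80:0, Protocol:TCP",
    "Local4.Informational 10.102.37.115 08/14/2015:13:38:22 GMT 0-PPE-1 : default LSN LSN_SESSION 37647617 0 : SESSION DELETED 2001:DB8::3:4 Client IP:Port:TD 192.0.2.51:2552:0, NatIP:NatPort 203.0.113.61:3002, Destination IP:Port:TD 198.51.100.250:80:0, Protocol: TCP",
    "Local4.Informational 10.102.37.115 08/14/2015:13:35:39 GMT 0-PPE-1 : default LSN LSN_EIM_MAPPING 37647610 0 : EIM CREATED 2001:DB8::3:4 Client IP:Port:TD 192.0.2.51:2552:0, NatIP:NatPort 198.51.100.250:80, Protocol: TCP",
]

# Assumed field layout, derived from the sample entries: the "Destination" block
# is optional because Endpoint-Independent (EIM) mapping entries omit it, and
# "Protocol:" may or may not be followed by a space.
LOG_RE = re.compile(
    r"^(?P<facility>\S+) (?P<nsip>\S+) (?P<ts>\S+ GMT) (?P<ppe>\S+) : default LSN "
    r"(?P<kind>\S+) \d+ \d+ : (?P<entry>\S+) (?P<action>CREATED|DELETED) (?P<b4>[0-9A-Fa-f:]+) "
    r"Client IP:Port:TD (?P<sub_ip>[\d.]+):(?P<sub_port>\d+):(?P<sub_td>\d+), "
    r"NatIP:NatPort (?P<nat_ip>[\d.]+):(?P<nat_port>\d+), "
    r"(?:Destination IP:Port:TD (?P<dst_ip>[\d.]+):(?P<dst_port>\d+):(?P<dst_td>\d+), )?"
    r"Protocol: ?(?P<proto>\w+)$"
)


def parse_entry(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the named fields of one DS-Lite log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def lookup_subscriber(lines: List[str], nat_ip: str, nat_port: int, proto: str) -> List[Dict[str, str]]:
    """Attribute an external NAT IP:port back to the B4 device and the inner IPv4
    subscriber behind it, using SESSION CREATED entries only (mapping entries
    and deletions are skipped so each session is reported once)."""
    hits = []
    for line in lines:
        e = parse_entry(line)
        if e is None or e["entry"] != "SESSION" or e["action"] != "CREATED":
            continue
        if e["nat_ip"] == nat_ip and int(e["nat_port"]) == nat_port and e["proto"].upper() == proto.upper():
            hits.append({"b4": e["b4"], "subscriber": f"{e['sub_ip']}:{e['sub_port']}",
                         "td": e["sub_td"], "created": e["ts"]})
    return hits


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_entry(sample))
    print(lookup_subscriber(SAMPLE_LINES, "203.0.113.61", 3002, "tcp"))
```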
Displaying Current DS-Lite Sessions
You can display the current DS-Lite sessions for detecting any unwanted or inefficient sessions on the Citrix ADC appliance. You can display all or some DS-Lite sessions, on the basis of selection parameters.
Configuration by Using the Command Line Interface
To display all DS-Lite sessions by using the command line interface:
At the command prompt, type:
show lsn session -nattype DS-Lite
To display selected DS-Lite sessions by using the command line interface:
At the command prompt, type:
show lsn session -nattype DS-Lite [-clientname <string>] [-network <ip_addr> [-netmask <netmask>] [-td <positive_integer>]] [-natIP <ip_addr> [-natPort <port>]]
Example:
The following sample output displays all DS-Lite sessions existing on a Citrix ADC appliance:
show lsn session -nattype DS-Lite
B4-Address SubscrIP SubscrPort SubscrTD DstIP DstPort DstTD NatIP NatPort Proto Dir
1. 2001:DB8::3:4 192.0.2.51 2552 0 198.51.100.250 80 0 203.0.113.61 3002 TCP OUT
2. 2001:DB8::3:4 192.0.2.51 3551 0 198.51.100.300 80 0 203.0.113.61 52862 TCP OUT
3. 2001:DB8::3:4 192.0.2.100 4556 0 198.51.100.250 0 0 203.0.113.61 48116 ICMP OUT
4. 2001:DB8::190 192.0.2.150 3881 0 198.51.100.199 80 0 203.0.113.69 48305 TCP OUT
Done
Configuration Using the Configuration Utility
To display all or selected DS-Lite sessions by using the configuration utility:
- Navigate to System > Large Scale NAT > Sessions, and click the DS-Lite tab.
- For displaying DS-Lite sessions on the basis of selection parameters, click Search.
Clearing DS-Lite Sessions
You can remove any unwanted or inefficient DS-Lite sessions from the Citrix ADC appliance. The appliance immediately releases the resources (such as NAT IP address, port, and memory) allocated for these sessions, making the resources available for new sessions. The appliance also drops all the subsequent packets related to these removed sessions. You can remove all or selected DS-Lite sessions from the Citrix ADC appliance.
To clear all DS-Lite sessions by using the command line interface:
At the command prompt, type:
flush lsn session -nattype DS-Lite
show lsn session -nattype DS-Lite
To clear selected DS-Lite sessions by using the command line interface:
At the command prompt, type:
flush lsn session -nattype DS-Lite [-clientname <string>] [-network <ip_addr> [-netmask <netmask>] [-td <positive_integer>]] [-natIP <ip_addr> [-natPort <port>]]
show lsn session -nattype DS-Lite
To clear all or selected DS-Lite sessions by using the configuration utility:
- Navigate to System > Large Scale NAT > Sessions, and click the DS-Lite tab.
- Click Flush Sessions.