Typically, a Citrix ADC appliance is inserted as a separate L3 inline node in the Gi-LAN, similarly to an L3 router.
Figure: A simple depiction of a Gi-LAN
Redundant physical connectivity between the Citrix ADC appliance and the upstream switches is recommended. For example, if a Citrix ADC appliance is inserted in a Gi-LAN that handles a total (uplink+downlink) of 24Gbps, connectivity with 4x10GbE or more interfaces is recommended. This effectively provides N+1 redundancy in case of a link failure.
The relevant ports on the upstream switch should be configured for LACP port aggregation. The relevant configuration on Citrix ADC is outlined below:
```
set interface 10/1 -tagall ON -lacpMode ACTIVE -lacpKey 1
set interface 10/2 -tagall ON -lacpMode ACTIVE -lacpKey 1
set interface 10/3 -tagall ON -lacpMode ACTIVE -lacpKey 1
set interface 10/4 -tagall ON -lacpMode ACTIVE -lacpKey 1
```
You can verify the appropriate functionality of LACP using the “show interface” command:
```
sh interface LA/1
1) Interface LA/1 (802.3ad Link Aggregate) #39
   flags=0x4100c020 <ENABLED, UP, AGGREGATE, UP, HAMON, 802.1q>
   MTU=1500, native vlan=1, MAC=02:e0:ed:33:88:b0, uptime 340h11m56s
   Requested: media NONE, speed AUTO, duplex NONE, fctl NONE, throughput 0
   Actual: throughput 4000
   LLDP Mode: NONE,
   RX: Pkts(918446) Bytes(110087414) Errs(0) Drops(795989) Stalls(0)
   TX: Pkts(124113) Bytes(15255532) Errs(0) Drops(0) Stalls(0)
   NIC: InDisc(0) OutDisc(0) Fctls(0) Stalls(0) Hangs(0) Muted(0)
   Bandwidth thresholds are not set.
```
Disable the remaining unused interfaces and turn off the HA monitor on them:
```
set interface 10/5 -haMonitor OFF
set interface 10/24 -haMonitor OFF
disable interface 10/5
disable interface 10/24
```
Configuration of physical interfaces is not shared across the two Citrix ADC units. Hence, the above commands must be run across both Citrix ADC nodes in case of an HA pair deployment.
All other configuration parameters are shared between the Citrix ADC nodes of an HA pair. Hence, HA sync should be enabled prior to any other configuration commands being run. Basic HA configuration involves the following steps:
1. Use the exact same Citrix ADC hardware, software, and license: HA pairs are not supported between different models (for example, a T1100 and an MPX21550) or between the same model at different firmware levels. Refer to the appropriate instructions on upgrading an existing HA pair - Upgrading to Release 11.1.
2. Establish the HA pair.
```
netscaler-1> add HA node 1 <netscaler-2-NSIP>
netscaler-2> add HA node 1 <netscaler-1-NSIP>
```
3. Verify that the HA pair has been established by running the following command on either node; both nodes should be visible, one as Primary (active), the other as Secondary (standby).
```
show HA node
```
4. Enable failsafe mode and maxFlips. This ensures that, if the route monitors fail on both nodes, at least one node remains active, and that the active/standby status does not keep flipping.
```
set HA node -failsafe ON
set HA node -maxFlips 3 -maxFlipTime 1200
```
5. Finally, configure HA sync to occur over the dedicated intra-Citrix ADC ports rather than over the OAM network.
```
add vlan 4080 -aliasName syncVlan
set HA node -syncvlan 4080
```
VLAN 4080 in the example above is not meant literally; any unused VLAN ID can be reserved for HA sync.
After the physical interfaces have been configured, you can configure the Gi-LAN VLANs. For instance, consider a simple Gi-LAN environment with an ingress/egress VLAN pair using VLAN identifiers 100 and 101 respectively.
The following commands configure the relevant VLANs on top of the LACP channel created in the prior step.
```
add vlan 100
add vlan 101
bind vlan 100 -ifnum LA/1 -tagged
bind vlan 101 -ifnum LA/1 -tagged
```
Typically, a Citrix ADC appliance requires one SNIP per VLAN. The example below assumes that the networks outlined in the Gi-LAN integration diagram, given at the beginning of this page, have a /24 subnet mask:
```
add ns ip 192.168.1.254 255.255.255.0 -vserver DISABLED -mgmtAccess DISABLED
add ns ip 192.168.2.254 255.255.255.0 -vserver DISABLED -mgmtAccess DISABLED
```
After the SNIPs have been configured they should be associated with the appropriate VLAN:
```
bind vlan 100 -IPAddress 192.168.1.254 255.255.255.0
bind vlan 101 -IPAddress 192.168.2.254 255.255.255.0
```
IPv4 Static Routing
The example outlined in the Management Network section calls for only a couple of static routing rules:
- A 10.0.0.0/8 static route to the clients through the ingress router
- A default route to the internet through the egress router
```
add route 0.0.0.0 0.0.0.0 192.168.2.1
add route 10.0.0.0 255.0.0.0 192.168.1.1
```
IPv4 Policy-Based (VLAN - VLAN) routing
A Citrix ADC appliance allows policy-based routing instead of static routing, with routing decisions usually keyed on the incoming interface and/or VLAN rather than on the destination IP. Policy-based routing is either a convenient alternative, when the client source IP address range is subject to periodic change, or a mandatory consideration, when a packet's destination IP address is not sufficient by itself to reach a routing decision (for example, when client IP addresses overlap across multiple VLANs).
```
add ns pbr fromWirelessToInternet ALLOW -nextHop 192.168.2.1 -vlan 100 -priority 10
add ns pbr fromInternetToWireless ALLOW -nextHop 192.168.1.1 -vlan 101 -priority 20
apply ns pbrs
```
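A misrouted Gi-LAN rule is easy to introduce by hand (a PBR pointing at a VLAN that was never created, or a next hop that no SNIP can reach). The following added example, which is not part of the Citrix documentation, is a small consistency check over the IPv4 VLAN, SNIP, route and PBR commands above; the sample config is constructed for this page and deliberately carries a `-vlan 200` reference (the egress VLAN created above is 101) so the check has a dangling reference to report.

```python
import ipaddress

# Constructed sample: the IPv4 commands from this page, one per line. The second
# PBR keeps a "-vlan 200" reference (the egress VLAN created above is 101) so
# the check has a dangling reference to report.
SAMPLE_CONFIG = """
add vlan 100
add vlan 101
bind vlan 100 -ifnum LA/1 -tagged
bind vlan 101 -ifnum LA/1 -tagged
add ns ip 192.168.1.254 255.255.255.0 -vserver DISABLED -mgmtAccess DISABLED
add ns ip 192.168.2.254 255.255.255.0 -vserver DISABLED -mgmtAccess DISABLED
bind vlan 100 -IPAddress 192.168.1.254 255.255.255.0
bind vlan 101 -IPAddress 192.168.2.254 255.255.255.0
add route 0.0.0.0 0.0.0.0 192.168.2.1
add route 10.0.0.0 255.0.0.0 192.168.1.1
add ns pbr fromWirelessToInternet ALLOW -nextHop 192.168.2.1 -vlan 100 -priority 10
add ns pbr fromInternetToWireless ALLOW -nextHop 192.168.1.1 -vlan 200 -priority 20
"""


def lint_config(text):
    """Return a list of findings; an empty list means every reference resolves."""
    vlans, vlan_ifs, snips, refs, findings = set(), set(), [], [], []
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["add", "vlan"]:
            vlans.add(t[2])
        elif t[:2] == ["bind", "vlan"] and "-ifnum" in t:
            vlan_ifs.add(t[2])
        elif t[:2] == ["bind", "vlan"] and "-IPAddress" in t:
            # SNIP plus netmask becomes the subnet the appliance can reach directly
            i = t.index("-IPAddress")
            snips.append(ipaddress.ip_network(f"{t[i + 1]}/{t[i + 2]}", strict=False))
        elif t[:2] == ["add", "route"]:
            refs.append(("route", f"{t[2]}/{t[3]}", None, t[4]))
        elif t[:3] == ["add", "ns", "pbr"]:
            opts = dict(zip(t[5::2], t[6::2]))  # "-nextHop X -vlan V -priority P"
            refs.append(("pbr", t[3], opts.get("-vlan"), opts.get("-nextHop")))
    for vlan in sorted(vlans - vlan_ifs):
        findings.append(f"vlan {vlan} has no interface binding")
    for kind, name, vlan, nexthop in refs:
        if vlan is not None and vlan not in vlans:
            findings.append(f"{kind} {name}: vlan {vlan} is not defined")
        if nexthop is None or not any(ipaddress.ip_address(nexthop) in n for n in snips):
            findings.append(f"{kind} {name}: next hop {nexthop} is not on any SNIP subnet")
    return findings
```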
The following commands assign one IPv6 SNIP per VLAN. The example below assumes that the networks outlined in Figure: A simple depiction of a Gi-LAN on this page have a /64 subnet mask:
```
add ns ip6 fd00:192:168:1::254/64 -vServer DISABLED -mgmtAccess DISABLED
add ns ip6 fd00:192:168:2::254/64 -vServer DISABLED -mgmtAccess DISABLED
bind vlan 100 -IPAddress fd00:192:168:1::254/64
bind vlan 101 -IPAddress fd00:192:168:2::254/64
```
After IPv6 addressing is complete, IPv6 static routing can be configured:
- A fd00:10::/64 static route to the clients via the ingress router
- A default route to the internet via the egress router
```
add route6 fd00:10::/64 fd00:192:168:1::1
add route6 ::/0 fd00:192:168:2::1
```
Or using policy-based routing:
```
add ns pbr6 fromWirelessToInternetv6 ALLOW -vlan 100 -priority 10 -nextHop fd00:192:168:2::1
add ns pbr6 fromInternetToWirelessv6 ALLOW -vlan 101 -priority 20 -nextHop fd00:192:168:1::1
apply ns pbr6
```
LACP Redundancy and Failover
In case of an HA configuration, it’s recommended to leverage the throughput option to configure a low threshold for the LACP channel. For instance, consider a 25Gbps Gi-LAN and a 4x10GbE channel between each Citrix ADC appliance in the HA pair and the upstream switch to provide N+1 link redundancy:
```
set interface LA/1 -haMonitor ON -throughput 29000
```
In case of a double-link failure between the primary appliance and the upstream switch the maximum Gi-LAN throughput that can be supported would fall to 20Gbps. A 29Gbps low threshold per the example above would result in a redundancy switchover event to the secondary appliance (which has not suffered similar link failures) so that Gi-LAN traffic is not affected.
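Picking the threshold is a small capacity calculation: it must sit above the channel capacity left after the link loss that can no longer carry the Gi-LAN load, and below the capacity left after a loss that still can. The following added example (not Citrix code) derives that window and checks the page's 29000 value against the 4x10GbE / 25Gbps case, and also parses the `sh interface LA/1` output shown earlier so the same numbers can be read back from the appliance; it assumes `-throughput` and the `Actual: throughput` figure are in Mbps, and the sample output is constructed in the shape shown on this page.

```python
import re

# Constructed sample in the shape of the "sh interface LA/1" output shown on this page.
SHOW_INTERFACE_LA1 = """\
1) Interface LA/1 (802.3ad Link Aggregate) #39
   flags=0x4100c020 <ENABLED, UP, AGGREGATE, UP, HAMON, 802.1q>
   MTU=1500, native vlan=1, MAC=02:e0:ed:33:88:b0, uptime 340h11m56s
   Requested: media NONE, speed AUTO, duplex NONE, fctl NONE, throughput 0
   Actual: throughput 4000
   RX: Pkts(918446) Bytes(110087414) Errs(0) Drops(795989) Stalls(0)
   TX: Pkts(124113) Bytes(15255532) Errs(0) Drops(0) Stalls(0)
"""


def parse_la_interface(text):
    """Pull the flag list, actual throughput and RX drop counter out of the output."""
    flags = re.search(r"flags=0x[0-9a-fA-F]+ <([^>]*)>", text)
    actual = re.search(r"Actual: throughput (\d+)", text)
    rx_drops = re.search(r"RX:.*Drops\((\d+)\)", text)
    return {
        "flags": [f.strip() for f in flags.group(1).split(",")] if flags else [],
        "actual_throughput": int(actual.group(1)) if actual else None,  # assumed Mbps
        "rx_drops": int(rx_drops.group(1)) if rx_drops else None,
    }


def threshold_window_mbps(links, link_mbps, gilan_mbps):
    """Open interval (low, high) for an haMonitor -throughput value, in Mbps.

    Capacity after losing k member links is (links - k) * link_mbps. A threshold
    strictly above the largest capacity that no longer carries the Gi-LAN load,
    and strictly below the smallest capacity that still does, fails over exactly
    when the channel can no longer carry the traffic.
    """
    capacities = [(links - k) * link_mbps for k in range(links + 1)]
    sufficient = [c for c in capacities if c >= gilan_mbps]
    insufficient = [c for c in capacities if c < gilan_mbps]
    if not sufficient or not insufficient:
        raise ValueError("channel is either never or always sufficient for this load")
    return max(insufficient), min(sufficient)


def threshold_ok(threshold_mbps, links, link_mbps, gilan_mbps):
    """True if the threshold fails over on exactly the link loss that matters."""
    low, high = threshold_window_mbps(links, link_mbps, gilan_mbps)
    return low < threshold_mbps < high
```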
In addition to LACP redundancy, route monitor checks can be configured and associated with the HA pair. Route monitor checks are useful to detect failures between the Citrix ADC appliance and the next-hop routers, especially if those routers are not directly connected but reached through an upstream switch.
A typical HA route monitor configuration per the sample Gi-LAN in section 2.5.1 is outlined below:
```
add route 192.168.1.0 255.255.255.0 192.168.1.1 -msr ENABLED -monitor arp
add route 192.168.2.0 255.255.255.0 192.168.2.1 -msr ENABLED -monitor arp
bind HA node -routeMonitor 192.168.1.0 255.255.255.0
bind HA node -routeMonitor 192.168.2.0 255.255.255.0
```