Understanding default traffic plane behavior and override mechanisms

The Secure Management feature in NetScaler hardens your deployment by separating traffic into two routing planes: the Management plane (Traffic Domain 4094) for administrative tasks and the Data plane (Traffic Domain 0) for regular user traffic. By default, each NetScaler feature is assigned to one of these planes. Some network designs need a feature's traffic to take the other path, so NetScaler provides override mechanisms that redirect a feature's traffic from its default plane to the other one.

To override the default traffic plane for a feature, the configuration entity you use must belong to the target plane where you want the traffic to flow. In other words, the override mechanism must be part of the routing area (plane) you intend the traffic to use. The following sections describe the available override methods:

  • Net profile-based override
    A Net profile is a configuration object that forces a service or action to use a specific source IP address for outbound connections. By assigning a source IP (SNIP) from the target plane, you ensure that NetScaler uses the routing and network configuration of that plane (such as TD 0 for the Data plane or TD 4094 for the Management plane) for traffic associated with the Net profile. This method is commonly used to redirect traffic for services like Syslog, RADIUS, and LDAP.

  • Virtual server-based override
    Certain features or services are bound directly to a virtual server, such as a Load Balancing virtual server. By configuring or binding services to a virtual server in the desired plane, you can direct traffic for those features to flow through the target plane.

  • Policy-based routing (PBR) override
    Policy-based routing (PBR) provides a flexible way to redirect traffic by creating rules based on traffic attributes such as source/destination IP, port, and protocol. With PBR, you can intercept specific traffic flows and explicitly route them into a different Traffic Domain (TD) than their default assignment, optionally specifying a next-hop gateway. This allows for precise control over which traffic uses which plane.

Default traffic plane assignment and override methods for NetScaler features

This table summarizes the default traffic plane classification for various NetScaler features and outlines the available methods to override these defaults, directing traffic to a different plane when needed.

| Feature | Default Traffic Plane | Override Method | Override Implementation |
|---|---|---|---|
| AAA | Data plane | Virtual server-based override | Creates a backend AAA server service explicitly in the Management plane (TD 4094), allowing a Data plane LB vserver to proxy to it. |
| AAA | Data plane | Policy-based routing (PBR) override | Uses PBR to explicitly force AAA traffic to the Management Traffic Domain (TD 4094). |
| Application Firewall | Data plane | Virtual server-based override | Uses a Data plane LB virtual server to proxy APPFW import and update queries to backend APPFW servers in the Management plane. |
| Application Firewall | Data plane | PBR override | Intercepts APPFW traffic destined for a server and forces it into the Management Traffic Domain (TD 4094). |
| DNS | Data plane | Net profile-based override | Forces DNS queries to originate from the Management IP (NSIP), routing them through the Management plane. |
| DNS | Data plane | Virtual server-based override | Uses a Data plane DNS load balancing virtual server to proxy queries to Management plane DNS resolvers, bridging the planes. |
| DNS | Data plane | PBR override | Intercepts DNS traffic and forces it into the Management Traffic Domain (TD 4094). |
| IP Reputation | Data plane | Virtual server-based override | Uses a Data plane LB virtual server to proxy IP Reputation queries to backend proxy servers located in the Management plane. |
| IP Reputation | Data plane | PBR override (for proxy server traffic when there is no direct internet access) | Intercepts IP Reputation proxy traffic and forces it into the Management Traffic Domain (TD 4094). |
| SSL-CRLRefresh | Data plane | PBR override | Uses PBR to intercept CRL refresh traffic destined for a pre-resolved IP and forces it into the Management Traffic Domain (TD 4094). |
| SSL-HSM | Data plane | PBR override | Uses PBR to intercept HSM client traffic on a specific port and forces it into the Management Traffic Domain (TD 4094). |
| AppFlow | Management plane | Virtual server-based override | Uses a Management plane LB virtual server to proxy AppFlow traffic to a Data plane service, bridging the planes. |
| AppFlow | Management plane | Net profile-based override (Recommended) | Forces AppFlow traffic to originate from a Data plane SNIP, routing it through the Data plane. Note: When Secure Management is enabled, Analytics Logstream traffic over the NSIP does not function as expected; Logstream traffic must be configured to flow through the Data plane for proper operation. |
| SNMP | Management plane | PBR override | Intercepts SNMP trap traffic destined for a Data plane manager and redirects it using a Data plane gateway, routing it through the Data plane. |
| SYSLOG | Management plane | Net profile-based override | Forces SYSLOG traffic to originate from a Data plane SNIP, routing it through the Data plane. |
| SYSLOG | Management plane | Virtual server-based override | Uses a Management plane LB virtual server to proxy SYSLOG traffic to a Data plane service, bridging the planes. |
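The rule stated earlier (an override only takes effect when the entity carrying it belongs to the target plane) and the per-feature defaults in the table can be checked before a configuration is pushed. The following script is an added example, not NetScaler code: it reads ns.conf-style lines, works out which plane each feature endpoint will actually use, and flags overrides whose entity sits in the feature's default plane (a no-op) or whose Net profile source IP is not owned in any Traffic Domain. The CLI syntax it parses (`add ns ip ... -td`, `add netProfile ... -srcIP`, `add syslogAction ... -netProfile`, `add appflow collector ... -netProfile`, `add authentication radiusAction -serverIP`, `add dns nameServer`, `add ns pbr ... -destIP ... -td`, `add lb vserver` / `add service ... -td`, `bind lb vserver`), the NSIP passed in as a parameter, and the precedence it applies (PBR, then Net profile, then virtual server, then the feature default) are assumptions to verify against your release; the sample configuration is constructed.

```python
"""Resolve the traffic plane each NetScaler feature endpoint will use under
Secure Management, from ns.conf-style lines.  Added example, not NetScaler
code; CLI syntax, NSIP handling and override precedence are assumptions."""
import shlex

MGMT_TD = 4094   # Management plane traffic domain
DATA_TD = 0      # Data plane traffic domain
DEFAULT_PLANE = {"SYSLOG": MGMT_TD, "APPFLOW": MGMT_TD, "SNMP": MGMT_TD,
                 "AAA": DATA_TD, "APPFW": DATA_TD, "DNS": DATA_TD, "IPREP": DATA_TD}


def _opt(tok, flag, default=None):
    """Value following `flag` in a tokenised CLI line; skips an optional '=' operator."""
    low = [t.lower() for t in tok]
    if flag.lower() not in low:
        return default
    i = low.index(flag.lower()) + 1
    if i < len(tok) and tok[i] == "=":
        i += 1
    return tok[i] if i < len(tok) else default


def parse_config(text, nsip):
    """Index owned IPs by TD, Net profiles, PBRs, LB vservers/services and the
    feature endpoints (ep) to resolve.  Lines this model does not know are ignored."""
    cfg = {"ip_td": {nsip: MGMT_TD}, "np": {}, "pbr": {}, "vs": {}, "svc": {}, "ep": []}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4:
            continue
        key, sub = (tok[0] + " " + tok[1]).lower(), tok[2].lower()
        if key == "add ns" and sub == "ip":            # add ns ip <ip> <mask> -td <n>
            cfg["ip_td"][tok[3]] = int(_opt(tok, "-td", DATA_TD))
        elif key == "add ns" and sub == "pbr":         # add ns pbr <name> ALLOW -destIP = <ip> -td <n>
            cfg["pbr"][_opt(tok, "-destIP")] = int(_opt(tok, "-td", DATA_TD))
        elif key == "add netprofile":                  # add netProfile <name> -srcIP <ip>
            cfg["np"][tok[2]] = _opt(tok, "-srcIP")
        elif key == "add service":                     # add service <name> <ip> <type> <port> -td <n>
            cfg["svc"][tok[2]] = int(_opt(tok, "-td", DATA_TD))
        elif key == "add lb" and sub == "vserver":     # add lb vserver <name> <type> <vip> <port>
            cfg["vs"][tok[3]] = {"vip": tok[5], "svc": []}
        elif key == "bind lb" and sub == "vserver":    # bind lb vserver <name> <service>
            cfg["vs"][tok[3]]["svc"].append(tok[4])
        elif key == "add syslogaction":                # add syslogAction <name> <server> -netProfile <np>
            cfg["ep"].append(("SYSLOG", tok[2], tok[3], _opt(tok, "-netProfile")))
        elif key == "add appflow" and sub == "collector":
            cfg["ep"].append(("APPFLOW", tok[3], _opt(tok, "-IPAddress"), _opt(tok, "-netProfile")))
        elif key == "add authentication" and sub == "radiusaction":
            cfg["ep"].append(("AAA", tok[3], _opt(tok, "-serverIP"), None))
        elif key == "add dns" and sub == "nameserver":
            cfg["ep"].append(("DNS", tok[3], tok[3], None))
    return cfg


def resolve_plane(cfg, feature, dest, netprofile=None):
    """Return (td, mechanism) for traffic from `feature` towards `dest`."""
    if dest in cfg["pbr"]:                              # PBR override
        return cfg["pbr"][dest], "pbr"
    if netprofile:                                      # Net profile override
        src = cfg["np"].get(netprofile)
        if src not in cfg["ip_td"]:
            raise ValueError(f"{netprofile}: source IP {src} is not an owned IP in any TD")
        return cfg["ip_td"][src], "netprofile"
    for vs in cfg["vs"].values():                       # virtual server override
        if vs["vip"] == dest and vs["svc"]:
            return cfg["svc"][vs["svc"][0]], "vserver"   # plane of the proxied backend service
    return DEFAULT_PLANE[feature], "default"


def audit(cfg):
    """Classify every endpoint: 'overridden', 'default', 'noop' (override entity
    sits in the feature's default plane, so nothing changes) or 'error'."""
    report = {}
    for feature, name, dest, np in cfg["ep"]:
        try:
            td, via = resolve_plane(cfg, feature, dest, np)
        except ValueError as exc:
            report[name] = {"feature": feature, "td": None, "via": None, "status": f"error: {exc}"}
            continue
        status = "default" if via == "default" else ("noop" if td == DEFAULT_PLANE[feature] else "overridden")
        report[name] = {"feature": feature, "td": td, "via": via, "status": status}
    return report


# Constructed sample ns.conf excerpt (not from a real appliance).
SAMPLE_CONF = """\
add ns ip 10.10.0.5 255.255.255.0 -type SNIP -td 0
add ns ip 192.168.100.5 255.255.255.0 -type SNIP -td 4094
add netProfile np_data -srcIP 10.10.0.5
add netProfile np_mgmt -srcIP 192.168.100.5
add netProfile np_broken -srcIP 10.99.99.99
add syslogAction sys_data 10.10.0.50 -netProfile np_data
add syslogAction sys_noop 192.168.100.50 -netProfile np_mgmt
add syslogAction sys_broken 10.10.0.51 -netProfile np_broken
add syslogAction sys_default 192.168.100.52
add appflow collector col1 -IPAddress 10.10.0.60 -netProfile np_data
add lb vserver vs_aaa_proxy RADIUS 10.10.0.70 1812 -td 0
add service svc_radius_mgmt 192.168.100.80 RADIUS 1812 -td 4094
bind lb vserver vs_aaa_proxy svc_radius_mgmt
add authentication radiusAction rad1 -serverIP 10.10.0.70 -serverPort 1812 -radKey "secret"
add dns nameServer 192.168.100.53
add ns pbr pbr_dns ALLOW -destIP = 192.168.100.53 -nextHop 192.168.100.1 -td 4094
"""


def sample_report():
    """Audit the constructed sample; the NSIP value is also constructed."""
    return audit(parse_config(SAMPLE_CONF, nsip="192.168.100.2"))


if __name__ == "__main__":
    for name, r in sample_report().items():
        print(f"{name:16} {r['feature']:8} TD {str(r['td']):5} via {str(r['via']):10} {r['status']}")
```

In the sample, `sys_noop` shows the rule from the text: its Net profile uses a SNIP that lives in TD 4094, the SYSLOG default plane, so the override changes nothing, while `sys_data` moves SYSLOG into the Data plane because its source SNIP belongs to TD 0. `rad1` shows the virtual server method from the table (Data plane LB vserver proxying to a Management plane service), and the DNS name server is pulled into TD 4094 by the PBR rule.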