Understanding default traffic plane behavior and override mechanisms
The Secure Management feature in NetScaler separates traffic into two routing planes: the Management plane (TD 4094) for administrative tasks and the Data plane (TD 0) for regular user traffic. By default, each NetScaler feature is assigned to one of these planes. When your network design requires a feature to use the other plane, NetScaler provides override mechanisms to redirect that feature's traffic from its default plane to the other.
To override the default traffic plane for a feature, the configuration entity you use must belong to the target plane where you want the traffic to flow. In other words, the override mechanism must be part of the routing area (plane) you intend the traffic to use. The available override methods are:
- Net profile-based override: A Net profile is a configuration object that forces a service or action to use a specific source IP address for outbound connections. By assigning a source IP (SNIP) from the target plane, you ensure that NetScaler uses the routing and network configuration of that plane (TD 0 for the Data plane or TD 4094 for the Management plane) for traffic associated with the Net profile. This method is commonly used to redirect traffic for services such as Syslog, RADIUS, and LDAP.
- Virtual server-based override: Certain features or services are bound directly to a virtual server, such as a Load Balancing virtual server. By configuring or binding services to a virtual server in the desired plane, you direct traffic for those features through the target plane.
- Policy-based routing (PBR) override: Policy-based routing (PBR) redirects traffic by means of rules based on traffic attributes such as source/destination IP, port, and protocol. With PBR, you can intercept specific traffic flows and explicitly route them into a different Traffic Domain (TD) than their default assignment, optionally specifying a next-hop gateway. This gives precise control over which traffic uses which plane.
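The rule above (the override entity must live in the plane you are steering traffic into, never in the feature's own default plane) is easy to get wrong in a change ticket. The following Python model is an added example written for this page, not NetScaler code or its API: it represents the three override entities, checks each one against a feature's default plane, and renders the NetScaler CLI lines that would realise the override. The feature names and TD numbers come from the page; the IP addresses and object names are constructed sample values, and the exact CLI parameter shapes (`add netProfile -srcIP`, `add server -td`, `add ns pbr -td -nextHop`) are the author's assumptions to be checked against your release.

```python
# Added illustration of the plane-override rule; a standalone model for this
# page, not NetScaler code. CLI strings are assumptions, verify before use.
from dataclasses import dataclass
from typing import List, Optional, Union

DATA_TD = 0        # Data plane traffic domain
MGMT_TD = 4094     # Management plane traffic domain
PLANES = {DATA_TD: "Data plane", MGMT_TD: "Management plane"}


@dataclass(frozen=True)
class NetProfile:
    """Net profile: forces outbound traffic to source from src_ip."""
    name: str
    src_ip: str
    td: int  # traffic domain that owns src_ip (operator-supplied)


@dataclass(frozen=True)
class BackendServer:
    """Server object behind an LB virtual server; it lives in one TD."""
    name: str
    ip: str
    td: int


@dataclass(frozen=True)
class Pbr:
    """PBR rule: intercept flows to dest_ip and place them into td."""
    name: str
    dest_ip: str
    td: int
    next_hop: Optional[str] = None


Override = Union[NetProfile, BackendServer, Pbr]


@dataclass(frozen=True)
class Feature:
    name: str
    default_td: int


def validate_override(feature: Feature, override: Override) -> int:
    """Return the TD the feature's traffic will use after the override.

    Enforces the page's rule: the override entity must belong to the target
    plane, which is the plane other than the feature's default one.
    """
    if override.td not in PLANES:
        raise ValueError(f"{override.name}: TD {override.td} is not a traffic plane")
    if override.td == feature.default_td:
        raise ValueError(
            f"{override.name} is in the {PLANES[override.td]}, which is already "
            f"the default plane for {feature.name}; nothing is overridden"
        )
    return override.td


def is_valid_override(feature: Feature, override: Override) -> bool:
    """Boolean form of validate_override for callers that only need a verdict."""
    try:
        validate_override(feature, override)
        return True
    except ValueError:
        return False


def render_cli(feature: Feature, override: Override) -> List[str]:
    """Emit the CLI lines for a validated override (parameter shapes assumed)."""
    td = validate_override(feature, override)
    if isinstance(override, NetProfile):
        return [
            f"add netProfile {override.name} -srcIP {override.src_ip}",
            f"# bind {override.name} to the {feature.name} service or action with -netProfile",
        ]
    if isinstance(override, BackendServer):
        return [
            f"add server {override.name} {override.ip} -td {td}",
            f"# add a service on {override.name} and bind it to the {feature.name} LB vserver",
        ]
    cmd = f"add ns pbr {override.name} ALLOW -destIP = {override.dest_ip} -td {td}"
    if override.next_hop:
        cmd += f" -nextHop {override.next_hop}"
    return [cmd, "apply ns pbrs"]


if __name__ == "__main__":
    # Constructed sample: move SYSLOG (default Management plane) to the Data plane.
    syslog = Feature("SYSLOG", MGMT_TD)
    for line in render_cli(syslog, NetProfile("np_syslog_data", "10.0.1.5", DATA_TD)):
        print(line)
```

The validator rejects the common mistake of picking a SNIP or server that is already in the feature's default plane, which would leave traffic where it was while the configuration looks like an override.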
Default traffic plane assignment and override methods for NetScaler features
This table summarizes the default traffic plane classification for various NetScaler features and outlines the available methods to override these defaults, directing traffic to a different plane when needed.
Feature | Default Traffic Plane | Override Methods | Override Implementation |
---|---|---|---|
AAA | Data plane | Virtual server-based override | Creates a backend AAA server service explicitly in the Management plane (TD 4094), allowing a Data plane LB vserver to proxy to it. |
AAA | Data plane | Policy-based routing (PBR) override | Uses PBR to explicitly force AAA traffic to the Management Traffic Domain (TD 4094). |
Application Firewall | Data plane | Virtual server-based override | Uses a Data plane LB virtual server to proxy APPFW import and update queries to backend APPFW servers in the Management plane. |
Application Firewall | Data plane | PBR override | Intercepts APPFW traffic destined for a server and forces it into the Management Traffic Domain (TD 4094). |
DNS | Data plane | Net profile-based override | Forces DNS queries to originate from the Management IP (NSIP), routing them through the Management plane. |
DNS | Data plane | Virtual server-based override | Uses a Data plane DNS load balancing virtual server to proxy queries to Management plane DNS resolvers, bridging the planes. |
DNS | Data plane | PBR override | Intercepts DNS traffic and forces it into the Management Traffic Domain (TD 4094). |
IP Reputation | Data plane | Virtual server-based override | Uses a Data plane LB virtual server to proxy IP Reputation queries to backend proxy servers located in the Management plane. |
IP Reputation | Data plane | PBR override (for proxy server traffic when there is no direct internet access) | Intercepts IP Reputation proxy traffic and forces it into the Management Traffic Domain (TD 4094). |
SSL-CRLRefresh | Data plane | PBR override | Uses PBR to intercept CRL refresh traffic destined for a pre-resolved IP and forces it into the Management Traffic Domain (TD 4094). |
SSL-HSM | Data plane | PBR override | Uses PBR to intercept HSM client traffic on a specific port and force it into the Management Traffic Domain (TD 4094). |
AppFlow | Management plane | Virtual server-based override | Uses a Management plane LB virtual server to proxy AppFlow traffic to a Data plane service, bridging the planes. |
AppFlow | Management plane | Net profile-based override (Recommended) | Forces AppFlow traffic to originate from a Data plane SNIP, routing it through the Data plane. Note: When Secure Management is enabled, Analytics Logstream traffic over NSIP does not function as expected. Logstream traffic must be configured to flow through the Data plane for proper operation. |
SNMP | Management plane | PBR override | Intercepts SNMP trap traffic destined for a Data plane manager and redirects it using a Data plane gateway, routing it through the Data plane. |
SYSLOG | Management plane | Net profile-based override | Forces SYSLOG traffic to originate from a Data plane SNIP, routing it through the Data plane. |
SYSLOG | Management plane | Virtual server-based override | Uses a Management plane LB virtual server to proxy SYSLOG traffic to a Data plane service, bridging the planes. |