NetScaler VLAN’s Demystified
https://www.citrix.com/blogs/2014/12/29/netscaler-vlans-demystified/
The Citrix NetScaler appliance is an amazingly flexible application delivery controller (ADC). It’s capable of performing both simple and very complex tasks, positioning it solidly for the eighth consecutive year in the Gartner Leaders Quadrant for ADCs: http://www.citrix.com/news/announcements/oct-2014/citrix-positioned-for-the-eighth-consecutive-year-in-the-leaders.html
Unlike many networking devices the NetScaler uses ‘floating’ IP addresses, which means that any NetScaler-owned IP address can egress any NetScaler interface with the generic default ‘vanilla’ configuration in place.
This may actually be the desired configuration, but if there is a need to ensure that ingress and egress traffic flows through one particular interface on the NetScaler, this can be configured by using layer three (L3) VLANs to bind IP subnets to specific interfaces. With L3 VLANs configured, all traffic destined for a particular network/subnet will be forced out the desired interface.
Note: VLANs are actually layer two constructs, but the term L3 VLAN is used to describe the VLAN-to-IP subnet binding.
How Does This All Work?
By default all interfaces are members of Native VLAN 1. That being said, specific to RX and TX, there are a few different rules to understand.

Below shows the structure of a VLAN packet:

Port-Based VLANs
Let’s add a new VLAN to the NetScaler (VLAN 10). This new VLAN is created with the following command: ‘add vlan 10’
Then let’s bind interface 10/1 to the newly created VLAN 10 natively. This is accomplished with the following command: ‘bind vlan 10 -ifnum 10/1’
When bound natively, interface 10/1 is removed automatically from VLAN 1, the current native VLAN. It is then added to VLAN 10. When this configuration is implemented the following rules will then apply:

Tagged VLANs
Let’s add a tagged VLAN to the NetScaler (VLAN 30). This new VLAN is created with the following command: ‘add vlan 30’
Then let’s bind interface 10/2 to the newly created VLAN 30 as a tagged member. This is accomplished with the following command: ‘bind vlan 30 -ifnum 10/2 -tagged’
When interface 10/2 is bound to VLAN 30 as a tagged member, it is kept in VLAN 1 as a native member, but also added to VLAN 30 as a tagged member. When this configuration is implemented the following rules will then apply.

Summary
- An interface can have only one (hence also referred to as ‘port based’) Native VLAN.
- Untagged packets arriving on an interface are assumed to have arrived on that Native VLAN.
- An interface can be part of any number of tagged VLANs.
- When an interface is bound to a VLAN natively, its Native VLAN changes from the current one to the new one.
- When an interface is bound to a particular VLAN as a tagged member, it’s just added to the new VLAN as a tagged member.
An overview of the rules is as follows:

The Interface TAGALL Configuration
The TAGALL configuration on the NetScaler is specific only to the interface. The following rules apply when leveraging the TAGALL feature:

Link Aggregation (LA)
Let’s create a new link aggregation channel. This new LA channel is created with the following command: ‘add channel LA/1’
Then let’s bind interfaces 10/1 and 10/2 to the newly created channel with the following command: ‘bind channel LA/1 -ifnum 10/1 10/2’
The following rules will apply for the default LA channel:

Link Aggregation (LA) and VLANs
Let’s create a new link aggregation channel (LA/2). This new LA channel is created with the following command: ‘add channel LA/2’
Then let’s bind interfaces 10/1 and 10/2 to the newly created channel with the following command: ‘bind channel LA/2 -ifnum 10/1 10/2’. As referenced previously, the VLAN bindings of 10/1 and 10/2 are lost once they are part of an LA channel, unless specifically configured as we’ll see in the following example.
We can bind the new LA channel to a new VLAN with the following commands: ‘add vlan 2’ and then ‘bind vlan 2 -ifnum LA/2’
NOTES:
- If we unbind interfaces 10/1 and 10/2 (for example) from an LA channel (e.g. ‘unbind channel LA/1 -ifnum 10/1 10/2’) and then remove the channel with the following command: ‘rm channel LA/1’, then interfaces 10/1 and 10/2 will be moved to VLAN 1 as Native members again.
- The NetScaler does not have the concept of “trunk ports”, which by default will accept all VLAN IDs and only accept tagged traffic. Further restrictions on which VLANs to accept can be controlled by configuring an ‘allowed list’ of VLAN IDs on a particular interface.
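The membership rules from the Summary and the LA notes above can be checked against a command list with a small model. This is an added example, not Citrix code and not part of the original post: the VlanModel class, the run helper and the interface list are hypothetical, a new channel is assumed to start as a native member of VLAN 1, and interfaces are returned to VLAN 1 at unbind time rather than when the channel is removed.

```python
class VlanModel:
    """Toy model of the membership rules summarized above (not NetScaler code)."""
    def __init__(self, interfaces):
        self.vlans = {1}
        self.native = {i: 1 for i in interfaces}      # default: native member of VLAN 1
        self.tagged = {i: set() for i in interfaces}  # tagged memberships per interface
        self.channels = {}                            # channel -> bundled interfaces

    def apply(self, line):
        t = line.replace("\u2013", "-").split()       # tolerate en-dashes from pasted text
        verb, args = tuple(t[:2]), t[2:]
        if verb == ("add", "vlan"):
            self.vlans.add(int(args[0]))
        elif verb == ("bind", "vlan"):
            vid, ifnum = int(args[0]), args[args.index("-ifnum") + 1]
            if vid not in self.vlans or ifnum not in self.native:
                raise ValueError("unknown VLAN or unbindable interface: " + line)
            if "-tagged" in args:
                self.tagged[ifnum].add(vid)           # added as tagged, native unchanged
            else:
                self.native[ifnum] = vid              # native VLAN replaced
        elif verb == ("add", "channel"):
            self.channels[args[0]] = []
            self.native[args[0]], self.tagged[args[0]] = 1, set()   # assumption: VLAN 1
        elif verb == ("bind", "channel"):
            for ifnum in args[args.index("-ifnum") + 1:]:
                self.channels[args[0]].append(ifnum)
                del self.native[ifnum], self.tagged[ifnum]   # member VLAN bindings are lost
        elif verb == ("unbind", "channel"):
            for ifnum in args[args.index("-ifnum") + 1:]:
                self.channels[args[0]].remove(ifnum)
                self.native[ifnum], self.tagged[ifnum] = 1, set()   # back in VLAN 1, native
        elif verb == ("rm", "channel"):
            del self.channels[args[0]], self.native[args[0]], self.tagged[args[0]]
        else:
            raise ValueError("unsupported command: " + line)

    def members(self, vid):   # -> (native members, tagged members), both sorted
        nat = sorted(i for i, v in self.native.items() if v == vid)
        tag = sorted(i for i, s in self.tagged.items() if vid in s)
        return nat, tag

def run(commands, interfaces=("10/1", "10/2", "10/3")):
    model = VlanModel(interfaces)
    for line in commands:
        model.apply(line)
    return model

SAMPLE = ["add vlan 10", "bind vlan 10 -ifnum 10/1",            # constructed input:
          "add vlan 30", "bind vlan 30 -ifnum 10/2 -tagged"]    # the page's two examples
```

Calling members(1) on the result lists every interface still native in the default VLAN, which is the quick check for ports that were never moved into their intended segment.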
Additional References:
How to Associate an IP Subnet with a NetScaler Interface by Using VLANs: http://support.citrix.com/article/CTX136926
How to Restrict the Management Access to a NetScaler Appliance from a Specific Interface: http://support.citrix.com/article/CTX126038