NetScaler VLAN’s Demystified

https://www.citrix.com/blogs/2014/12/29/netscaler-vlans-demystified/

The Citrix NetScaler appliance is an amazingly flexible application delivery controller (ADC). It’s capable of performing both simple and very complex tasks, positioning it solidly for the eighth consecutive year in the Gartner Leaders Quadrant for ADC’s: http://www.citrix.com/news/announcements/oct-2014/citrix-positioned-for-the-eighth-consecutive-year-in-the-leaders.html

Unlike many networking devices the NetScaler uses ‘floating’ IP addresses, which means that any NetScaler-owned IP address can egress any NetScaler interface with the generic default ‘vanilla’ configuration in place.

This may actually be the desired configuration, but if there is a need to ensure that ingress and egress traffic flows out one particular interface on the NetScaler, this can simply be configured by using layer three (L3) VLAN’s to bind IP subnets to specific interfaces. With L3 VLAN’s configured, all traffic destined for a particular network/subnet will be forced out the desired interface.

Note: VLAN’s are actually layer two constructs, but the term L3 VLAN is used to describe the VLAN-to-IP subnet binding occurring.

How Does This All Work?

By default all interfaces are members of Native VLAN 1. That being said, specific to RX and TX, there are a few different rules to understand.

Below shows the structure of a VLAN packet:

Port-Based VLAN’s

Let’s add a new VLAN to the NetScaler (VLAN 10). This new VLAN is created with the following command: ‘add vlan 10’

Then let’s bind interface 10/1 to the newly created VLAN 10 natively. This is accomplished with the following command: ‘bind vlan 10 -ifnum 10/1’

When bound natively, interface 10/1 is removed automatically from VLAN 1, the current native VLAN. It is then added to VLAN 10. When this configuration is implemented the following rules will then apply:

Tagged VLAN’s

Let’s add a tagged VLAN to the NetScaler (VLAN 30). This new VLAN is created with the following command: ‘add vlan 30’

Then let’s bind interface 10/2 to the newly created VLAN 30 as a tagged member. This is accomplished with the following command: ‘bind vlan 30 -ifnum 10/2 –tagged’

When VLAN 30 is bound as a tagged member of interface 10/2, it is kept in VLAN 1 as a native member, but also added to VLAN 30 as a tagged member. When this configuration is implemented the following rules will then apply.

Summary

  • An interface can have only one (hence also referred to as ‘port based’) Native VLAN.
  • Untagged packets arriving on an interface are assumed to have arrived on that Native VLAN.
  • An interface can be part of any number of tagged VLANs.
  • When an interface is bound to a VLAN Natively, its Native VLAN changes from the current one to new one.
  • When an interface is bound to a particular VLAN as a tagged member, it’s just added to the new VLAN as a tagged member.

An overview of the rules are as follows:

The Interface TAGALL Configuration

The TAGALL configuration on the NetScaler is specific only to the interface. The following rules apply when leveraging the TAGALL feature:

Link Aggregation (LA)

Let’s create a new link aggregation channel. This new LA channel is created with the following command: ‘add channel LA/1’

Then let’s bind interfaces 10/1 and 10/2 to the newly created channel with the following command: ‘bind channel LA/1 -ifnum 10/1 10/2’

Then following rules will apply for the default LA channel:

Link Aggregation (LA) and VLANs

Let’s create a new link aggregation channel (LA/2). This new LA channel is created with the following command: ‘add channel LA/2’

Then let’s bind interfaces 10/1 and 10/2 to the newly created channel with the following command: bind channel LA/2 -ifnum 10/1 10/2’ (as referenced previously the VLAN bindings of 10/1 and 10/2 are lost once they are part of an LA channel – unless specifically configured as such as we’ll see in the following example).

We can bind the new LA channel to a new VLAN with the following commands: ‘add vlan 2’ and then ‘bind vlan 2 –ifnum LA/2’

NOTES:

  1. If we unbind interfaces 10/1 and 10/2 (for example) from an LA channel (e.g. ‘unbind channel LA/1 -ifnum 10/1 10/2’) and then remove the channel with the following command: ‘rm channel LA/1’, then interfaces 10/1 and 10/2 will be moved to VLAN 1 as Native members again.
  2. The NetScaler does not have the concept of “trunk ports”, which by default will accept all VLAN IDs and only accept tagged traffic. Further restrictions on which VLANs to accept can be controlled by configuring an ‘allowed list’ of VLAN IDs on a particular interface.

Additional References:

How to Associate an IP Subnet with a NetScaler Interface by Using VLANs:http://support.citrix.com/article/CTX136926

How to Restrict the Management Access to a NetScaler Appliance from a Specific Interface: http://support.citrix.com/article/CTX126038

NetScaler VLAN’s Demystified的更多相关文章

  1. NetScaler SNIPs Bound To An Interface Without A VLAN

    NetScaler SNIPs Bound To An Interface Without A VLAN https://www.citrix.com/blogs/2014/04/09/work-yo ...

  2. hd loadBalanceServer F5 BIG-IP / Citrix NetScaler / Radware / Array / HAProxy /

    s 五.Citrix NetScaler 和 CDN 案例 问题描述: Citrix 10.5.66.9软件版本下,存在计时器bug,此bug会造成CDN长连接回源超过设备默认的180S,会发fin包 ...

  3. Spanning Tree Protocol (STP) in NetScaler Appliance

    Spanning Tree Protocol (STP) in NetScaler Appliance 来源 https://support.citrix.com/article/CTX112341 ...

  4. NetScaler + Wireshark = A Perfect Combination!

    NetScaler + Wireshark = A Perfect Combination! https://www.citrix.com/blogs/2014/05/03/netscaler-wir ...

  5. NetScaler Best Practice With VMAC In A High Availability Configuration

    NetScaler Best Practice With VMAC In A High Availability Configuration https://www.citrix.com/blogs/ ...

  6. SNMP OID Reference - NetScaler 10

    SNMP OID Reference - NetScaler 10 https://docs.citrix.com/content/dam/docs/en-us/netscaler/10/downlo ...

  7. NetScaler Active-Active模式

    NetScaler Active-Active模式 NetScaler Active-Active模式 (此文档基于版本:NS9.3: Build 55.6 nc) By ShingTan Activ ...

  8. Citrix NetScaler HA(高可用性)解析

    Citrix NetScaler HA(高可用性)解析 来源 https://www.iyunv.com/thread-172259-1-1.html 1.1     NetScaler高可用概述 我 ...

  9. Configure a VLAN on top of a team with NetworkManager (nmcli) in RHEL7

    SOLUTION VERIFIED September 13 2016 KB1248793 Environment Red Hat Enterprise Linux 7 NetworkManager ...

随机推荐

  1. 北京Uber优步司机奖励政策(1月11日)

    滴快车单单2.5倍,注册地址:http://www.udache.com/ 如何注册Uber司机(全国版最新最详细注册流程)/月入2万/不用抢单:http://www.cnblogs.com/mfry ...

  2. ServletContext详解 以及用法

    ServletContext,是一个全局的储存信息的空间,服务器开始,其就存在,服务器关闭,其才释放.request,一个用户可有多个:session,一个用户一个:而servletContext,所 ...

  3. BBU+RRU基本介绍

    现代移动通信网络中的数模转化架构:RRU+BBU: 因为学习需要了解RRU+BBU.特此网上查找了一番,找到了一些还不错的解释,分享给大家! BBU与RRU的区别: 通常大型建筑物内部的层间有楼板,房 ...

  4. Linux用户切换和密码修改

    1.普通用户切换到root su - 再输入root密码,密码正确,成功切换,再输入exit则切换回普通用户 2.root切换到其他用户,例user su - user 再输入exit,则切换回roo ...

  5. JMeter录制Web脚本

    设置Firefox浏览器代理, 点击右上角的菜单: 点击选项: 点击高级: 点击设置: 点击手动配置代理, 输入本地的IP地址和端口号8888,与JMeter代理服务器的端口号保持一致: 好了,浏览器 ...

  6. 使用jenkins构建一个maven项目

    1.登陆到jenkins首页,创建项目-->选择maven-->输入项目名称-->选择项目类型 2.进入项目配置:{先写一下项目描述和设置下保留的历史构建,然后向下拉} 找到源吗管理 ...

  7. python 终极篇 ---django 认证

    Django自带的用户认证 我们在开发一个网站的时候,无可避免的需要设计实现网站的用户系统.此时我们需要实现包括用户注册.用户登录.用户认证.注销.修改密码等功能,这还真是个麻烦的事情呢. Djang ...

  8. FastJson 序列化与反序列化一些说明

    最近所属的组需要对接一些征信结构,就涉及到很多中的数据格式,而springmvc中使用的是jackson作为@ResponseBody的依赖jar 但是个人认为fastkson的性能要高于jackso ...

  9. OpenMPI 集群配置

    现在有2台机器,希望可以尝试一下在多台机器上跑MPI的感觉,所以跑之前就得配置,先参考网址: https://www.cnblogs.com/awy-blog/p/3402949.html: 1. 配 ...

  10. 安卓客户端浏览器ajax注意

    这两天被一个bug搞疯了,就是公司安卓app上我负责的网页死活不进ajax,一开始我用的是post方式提交的,但是参数那一栏没写,直接把参数写在url上了,后来老大跟我说post不写参数会出问题,后来 ...