
Configure to source Citrix ADC FreeBSD data traffic from a SNIP address

Some Citrix ADC data features run on the underlying FreeBSD OS instead of on the Citrix ADC OS. For this reason, these features send traffic sourced from the Citrix ADC IP (NSIP) address instead of from a SNIP address. Sourcing data traffic from the NSIP address is not desirable if your setup is configured to separate all management traffic from data traffic.

The following Citrix ADC data features run on the underlying FreeBSD OS and send traffic sourced from the Citrix ADC IP (NSIP) address:

  • Load balancing scriptable monitors
  • GSLB autosync

You can configure the Citrix ADC appliance for these Citrix ADC data features to send traffic sourced from a SNIP address by using extended ACL and RNAT rules.

Configuration steps

Configuring a Citrix ADC appliance to source Citrix ADC FreeBSD data packets from a SNIP address consists of the following tasks:

  • Create an extended ACL rule. An extended ACL rule identifies the packets generated by the Citrix ADC data features, running on the underlying FreeBSD OS. This identification is based on the source IP and destination IP addresses.
  • Apply ACLs. Applying ACLs activates the newly created ACL rule.
  • Create an ACL based RNAT rule. An RNAT rule changes the source IP address of these packets from the NSIP address to a SNIP address.

Note:

In a high availability or cluster setup, you must add ACL and RNAT rules for all the NSIP addresses of the setup.

To create an extended ACL by using the CLI:

At the command prompt, type:

  • add acl <aclName> ALLOW -srcIP = <NSIP address> -destIP = <destination IP address of the packets>
  • show acl <aclName>

To apply extended ACLs by using the CLI:

At the command prompt, type:

  • apply acls

To create an ACL based RNAT rule by using the CLI:

At the command prompt, type:

  • add rnat <name> <aclname>
  • bind rnat <name> -natIP <SNIP address - source IP address for the packets>
  • show rnat <name>

Sample configuration - Source scriptable monitors traffic from a SNIP address

The following sample configuration enables a Citrix ADC appliance to source scriptable monitors traffic from a SNIP address. ACL-1 identifies scriptable monitors packets, which are sourced from NSIP address 192.0.1.10 and destined to load balancing server IP address 203.0.113.10. RNAT-1 changes the source IP address to SNIP address 198.51.100.10 for these identified packets.

add acl ACL-1 ALLOW -srcIP = 192.0.1.10  -destIP = 203.0.113.10

apply acls

add rnat RNAT-1 ACL-1

bind rnat RNAT-1 -natIP 198.51.100.10

Sample configuration - Source GSLB autosync traffic from a SNIP address

The following sample configuration enables a Citrix ADC appliance to source GSLB autosync traffic from a SNIP address. ACL-2 identifies GSLB autosync packets, which are sourced from NSIP address 192.0.1.20 and destined to GSLB site IP address 203.0.113.20. RNAT-2 changes the source IP address to SNIP address 198.51.100.20 for these identified packets.

add acl ACL-2 ALLOW -srcIP = 192.0.1.20  -destIP = 203.0.113.20

apply acls

add rnat RNAT-2 ACL-2

bind rnat RNAT-2 -natIP 198.51.100.20
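The following is an added worked example, not Citrix code and not part of the original documentation. It is an offline Python model of the three configuration tasks above (extended ACL, apply acls, ACL based RNAT): it parses command lines in the form used by the two sample configurations, predicts which source IP address a FreeBSD-originated packet will leave with, and checks the high availability caveat from the note, namely that every NSIP in the setup needs its own ACL and RNAT pair. The IP addresses are those from the two sample configurations; the second NSIP 192.0.1.11 is a constructed HA peer address used only to show what an uncovered NSIP looks like. The match order (first RNAT whose ACL matches, in configuration order) is a simplification of the appliance's ACL priority handling, which this page does not cover.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Acl:
    name: str
    action: str               # ALLOW or DENY
    src_ip: str               # NSIP that the FreeBSD feature sources from
    dest_ip: str              # monitored server or GSLB site IP address
    applied: bool = False     # an extended ACL takes effect only after 'apply acls'


@dataclass
class Rnat:
    name: str
    acl: str                  # ACL that selects the packets to translate
    nat_ip: Optional[str] = None   # SNIP set by 'bind rnat <name> -natIP <SNIP>'


@dataclass
class Config:
    acls: Dict[str, Acl] = field(default_factory=dict)
    rnats: Dict[str, Rnat] = field(default_factory=dict)


# Command shapes as written on the page (whitespace is normalised before matching).
ACL_RE = re.compile(r"^add (?:ns )?acl (\S+) (ALLOW|DENY) -srcIP\s*=\s*(\S+) -destIP\s*=\s*(\S+)$")
RNAT_RE = re.compile(r"^add rnat (\S+) (\S+)$")
BIND_RE = re.compile(r"^bind rnat (\S+) -natIP (\S+)$")


def parse_config(lines: List[str]) -> Config:
    """Build the ACL/RNAT model from CLI lines; unknown or dangling commands raise."""
    cfg = Config()
    for raw in lines:
        line = " ".join(raw.split())        # collapse the doubled spaces in the samples
        if not line:
            continue
        if m := ACL_RE.match(line):
            cfg.acls[m[1]] = Acl(m[1], m[2], m[3], m[4])
        elif line == "apply acls":
            for acl in cfg.acls.values():   # activates every ACL added so far
                acl.applied = True
        elif m := RNAT_RE.match(line):
            if m[2] not in cfg.acls:
                raise ValueError(f"add rnat {m[1]}: ACL {m[2]} is not defined")
            cfg.rnats[m[1]] = Rnat(m[1], m[2])
        elif m := BIND_RE.match(line):
            if m[1] not in cfg.rnats:
                raise ValueError(f"bind rnat: RNAT {m[1]} is not defined")
            cfg.rnats[m[1]].nat_ip = m[2]
        else:
            raise ValueError(f"unrecognised command: {raw!r}")
    return cfg


def translated_source(cfg: Config, src_ip: str, dest_ip: str) -> str:
    """Source IP the packet leaves with: the natIP of the first RNAT whose applied
    ALLOW ACL matches both addresses, otherwise the original NSIP."""
    for rnat in cfg.rnats.values():
        acl = cfg.acls[rnat.acl]
        if (acl.applied and acl.action == "ALLOW" and rnat.nat_ip
                and acl.src_ip == src_ip and acl.dest_ip == dest_ip):
            return rnat.nat_ip
    return src_ip


def uncovered_nsips(cfg: Config, nsips: List[str], dest_ip: str) -> List[str]:
    """HA/cluster check: NSIPs that would still appear as the source towards dest_ip."""
    return [ip for ip in nsips if translated_source(cfg, ip, dest_ip) == ip]


# Constructed input: the page's two sample configurations in one list.
SAMPLE_CONFIG = [
    "add acl ACL-1 ALLOW -srcIP = 192.0.1.10  -destIP = 203.0.113.10",
    "apply acls",
    "add rnat RNAT-1 ACL-1",
    "bind rnat RNAT-1 -natIP 198.51.100.10",
    "add acl ACL-2 ALLOW -srcIP = 192.0.1.20  -destIP = 203.0.113.20",
    "apply acls",
    "add rnat RNAT-2 ACL-2",
    "bind rnat RNAT-2 -natIP 198.51.100.20",
]

# Constructed HA pair: 192.0.1.11 is an assumed peer NSIP with no ACL/RNAT pair.
HA_NSIPS = ["192.0.1.10", "192.0.1.11"]


def demo() -> dict:
    cfg = parse_config(SAMPLE_CONFIG)
    return {
        "monitor": translated_source(cfg, "192.0.1.10", "203.0.113.10"),    # SNIP
        "gslb": translated_source(cfg, "192.0.1.20", "203.0.113.20"),       # SNIP
        "other_dest": translated_source(cfg, "192.0.1.10", "203.0.113.20"), # still NSIP
        "uncovered": uncovered_nsips(cfg, HA_NSIPS, "203.0.113.10"),        # peer NSIP
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the scriptable monitor and GSLB autosync packets leaving with their SNIP addresses, a packet to an unlisted destination keeping its NSIP, and the constructed HA peer NSIP reported as uncovered, which is exactly the case the note above tells you to add rules for. Dropping the `apply acls` line from a configuration leaves the ACL inactive and the packet sourced from the NSIP.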
