Citrix ADC

Configure to source Citrix ADC FreeBSD data traffic from a SNIP address

Some Citrix ADC data features run on the underlying FreeBSD OS instead of on the Citrix ADC OS. For this reason, these features send traffic sourced from the Citrix ADC IP (NSIP) address instead of from a SNIP address. Sourcing data traffic from the NSIP address is not desirable if your setup is configured to separate all management traffic from data traffic.

The following Citrix ADC data features run on the underlying FreeBSD OS and send traffic sourced from the Citrix ADC IP (NSIP) address:

  • Load balancing scriptable monitors
  • GSLB autosync

To resolve this issue, you can use the global Layer-2 parameter: useNetprofileBSDtraffic. When you enable this parameter, the Citrix ADC features send traffic sourced from one of the SNIP addresses in a net profile associated with the feature.

Before you begin

Before configuring the Citrix ADC appliance to source Citrix ADC feature-related traffic from a SNIP address, note the following points:

  • Currently, the global Layer-2 parameter useNetprofileBSDtraffic is supported only for load balancing scriptable monitors.

    To configure the Citrix ADC appliance to source GSLB autosync traffic from a SNIP address, you can use extended ACL rules and RNAT rules as a workaround.

  • The useNetprofileBSDtraffic support for load balancing scriptable monitors is applicable only for net profiles bound to the related services. The useNetprofileBSDtraffic support is not applicable for net profiles bound to the related service groups.

    In other words, the Citrix ADC appliance does not use any SNIP address from the net profiles bound to the service groups for sourcing load balancing scriptable monitors traffic.

  • The useNetprofileBSDtraffic support is not applicable for SSL services.

    In other words, the Citrix ADC appliance does not use any SNIP address from the net profiles bound to the SSL services for sourcing load balancing scriptable monitors traffic.

Configure the Citrix ADC appliance to source scriptable monitors traffic from a SNIP address

Configuring the Citrix ADC appliance to source scriptable monitors traffic from a SNIP address consists of the following tasks:

  • Enable the global Layer-2 parameter useNetprofileBSDtraffic.
  • Create a net profile and bind at least one SNIP address to it.
  • Bind the net profile to the load balancing services that are using scriptable monitors.

To enable the Layer-2 parameter useNetprofileBSDtraffic by using the CLI:

At the command prompt, type:

  • set l2param -useNetprofileBSDtraffic (ENABLED / DISABLED)
  • show l2param

To create a net profile and bind SNIP addresses to it by using the CLI:

At the command prompt, type:

  • add netProfile <name> -srcIP <string>
  • show netProfile

To bind a net profile to a load balancing service by using the CLI:

At the command prompt, type:

  • set service <name> -netProfile <string>
  • show service <name>

Sample configuration

The following sample configuration enables a Citrix ADC appliance to source scriptable monitors traffic from a SNIP address. A net profile NETPROFILE-1 is configured with SNIP address 198.51.100.20 bound to it. A user/scriptable monitor USER-MONITOR-1 is created and is bound to a load balancing service SERVICE-1. NETPROFILE-1 is bound to SERVICE-1. The Citrix ADC appliance sources all scriptable monitors packets of USER-MONITOR-1 from SNIP address 198.51.100.20.

set l2param -useNetprofileBSDtraffic ENABLED

add netprofile NETPROFILE-1 -srcip 198.51.100.20

add lb monitor USER-MONITOR-1 USER -scriptName nsftp.pl -scriptArgs "file=Index.gif;user=nsroot;password=nsroot" -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -destIP 203.0.113.90 -destPort 21

bind service SERVICE-1 -monitorName USER-MONITOR-1

set service SERVICE-1 -netProfile NETPROFILE-1
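The following Python audit is an added example, not part of the Citrix documentation: it reads constructed running-config lines in the CLI syntax shown above and reports, for every service or service group bound to a USER (scriptable) monitor, whether its probes leave from the net profile SNIP or still from the NSIP because of one of the restrictions listed under "Before you begin". The tokenizer assumes each option takes exactly one value and follows the positional arguments, which holds for the commands on this page.

```python
SAMPLE_CONFIG = """
set l2param -useNetprofileBSDtraffic ENABLED
add netProfile NETPROFILE-1 -srcIP 198.51.100.20
add lb monitor USER-MONITOR-1 USER -scriptName nsftp.pl
add service SERVICE-1 203.0.113.90 HTTP 80
add service SERVICE-2 203.0.113.91 SSL 443 -netProfile NETPROFILE-1
add serviceGroup SG-1 HTTP -netProfile NETPROFILE-1
bind service SERVICE-1 -monitorName USER-MONITOR-1
bind service SERVICE-2 -monitorName USER-MONITOR-1
bind serviceGroup SG-1 -monitorName USER-MONITOR-1
set service SERVICE-1 -netProfile NETPROFILE-1
"""  # constructed running-config lines, not taken from a real appliance

def parse(config):
    """(verb, object, positionals, {option: value}); options assumed to follow positionals."""
    out = []
    for line in config.strip().splitlines():
        t = line.split()
        k = next((i for i, x in enumerate(t) if x.startswith("-")), len(t))
        opts = dict(zip((x[1:].lower() for x in t[k::2]), t[k + 1::2]))
        out.append((t[0].lower(), t[1].lower(), t[2:k], opts))
    return out

def scriptable_monitor_sources(config):
    """Source address of each USER-monitor probe: the SNIP, or 'NSIP: <why>'."""
    e = parse(config)
    enabled = any((v, o) == ("set", "l2param") and
                  opts.get("usenetprofilebsdtraffic") == "ENABLED" for v, o, _, opts in e)
    snip = {p[0]: opts.get("srcip") for v, o, p, opts in e if (v, o) == ("add", "netprofile")}
    users = {p[1] for v, o, p, _ in e if (v, o) == ("add", "lb") and p[2:3] == ["USER"]}
    stype = {p[0]: p[2] for v, o, p, _ in e if (v, o) == ("add", "service")}
    prof = {p[0]: opts["netprofile"] for v, o, p, opts in e
            if o == "service" and v in ("add", "set") and "netprofile" in opts}
    res = {}
    for v, o, p, opts in e:
        if v != "bind" or opts.get("monitorname") not in users:
            continue
        if not enabled:
            res[p[0]] = "NSIP: useNetprofileBSDtraffic is disabled"
        elif o == "servicegroup":          # caveat: net profiles on service groups are ignored
            res[p[0]] = "NSIP: net profile bound to a service group is not used"
        elif stype.get(p[0]) == "SSL":     # caveat: SSL services are not supported
            res[p[0]] = "NSIP: SSL services are not supported"
        elif not snip.get(prof.get(p[0])):
            res[p[0]] = "NSIP: no net profile with a SNIP is bound to the service"
        else:
            res[p[0]] = snip[prof[p[0]]]
    return res
```

Running `scriptable_monitor_sources(SAMPLE_CONFIG)` reports SERVICE-1 sourced from 198.51.100.20, while SERVICE-2 (SSL) and SG-1 (service group) fall back to the NSIP despite having the same net profile bound.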

Configure the Citrix ADC appliance to source GSLB autosync traffic from a SNIP address

Configuring the Citrix ADC appliance to source GSLB autosync traffic from a SNIP address consists of the following workaround tasks:

  • Create an extended ACL rule. An extended ACL rule identifies the GSLB autosync packets. This identification is based on the source IP and destination IP addresses.
  • Apply ACLs. Applying ACLs activates the newly created ACL rule.
  • Create an ACL based RNAT rule. An RNAT rule changes the source IP address of these packets from the NSIP address to a SNIP address.

Note:

In a high availability or cluster setup, you must add ACL and RNAT rules for all the NSIP addresses of the setup.

To create an extended ACL by using the CLI:

At the command prompt, type:

  • add acl <aclname> ALLOW -srcIP = <NSIP address> -destIP = <destination IP address of the packets>
  • show acl <aclName>

To apply extended ACLs by using the CLI:

At the command prompt, type:

  • apply acls

To create an ACL based RNAT rule by using the CLI:

At the command prompt, type:

  • add rnat <name> <aclname>
  • bind rnat <name> -natIP <SNIP address - source IP address for the packets>
  • show rnat <name>

Sample configuration

The following sample configuration enables a Citrix ADC appliance to source GSLB autosync traffic from a SNIP address. ACL-2 identifies GSLB autosync packets, which are sourced from NSIP address 192.0.1.20 and destined to GSLB site IP address 203.0.113.20. RNAT-2 changes the source IP address to SNIP address 198.51.100.20 for these identified packets.

add acl ACL-2 ALLOW -srcIP = 192.0.1.20 -destIP = 203.0.113.20

apply acls

add rnat RNAT-2 ACL-2

bind rnat RNAT-2 -natIP 198.51.100.20