Using a Specified Source IP for Backend Communication

Aug 02, 2017

For communication with the physical servers or other peer devices, the NetScaler appliance uses an IP address owned by it as the source IP address. NetScaler maintains a pool of its IP addresses, and dynamically selects an IP address while connecting with a server. Depending on the subnet in which the physical server is placed, NetScaler decides which IP address to use. This address pool is used for sending traffic as well as monitor probes.

In many situations, you may want the NetScaler to use a specific IP address or any IP address from a specific set of IP addresses for backend communications. The following are a few examples:

  • A server can distinguish monitor probes from traffic if the source IP address used for monitor probes belongs to a specific set.
  • To improve server security, a server may be configured to respond to requests from a specific set of IP addresses or, sometimes, from a single specific IP address. In such a case, the NetScaler can use only the IP addresses accepted by the server as the source IP address.
  • The NetScaler can manage its internal connections efficiently if it can distribute its IP addresses into IP sets and use an address from a set only for connecting to a specific service.

To configure the NetScaler to use a specified source IP address, create net profiles (network profiles) and configure the NetScaler entities to use the profile. A net profile can be bound to load balancing or content switching virtual servers, services, service groups, or monitors. A net profile has NetScaler owned IP addresses (SNIPs and VIPs) that can be used as the source IP address. It can be a single IP address or a set of IP addresses, referred to as an IP set. If a net profile has an IP set, NetScaler dynamically selects an IP address from the IP set at the time of connection. If a profile has a single IP address, the same IP address is used as the source IP.

If a net profile is bound to a load balancing or content switching virtual server, the profile will be used for sending traffic to all the services bound to it. If a net profile is bound to a service group, NetScaler uses the profile for all the members of the service group. If a net profile is bound to a monitor, NetScaler uses the profile for all the probes sent from the monitor.

Note: When a NetScaler appliance uses a VIP address to communicate with a server, it uses session entries to identify whether the traffic destined to the VIP address is a response from a server or a request from a client.

Usage of a net profile for sending traffic:

If the Use Source IP Address (USIP) option is enabled, NetScaler uses the IP address of the client and ignores all the net profiles. If the USIP option is not enabled, NetScaler selects the source IP in the following manner:

  • If there is no net profile on the virtual server or the service/service group, NetScaler uses the default method.
  • If there is a net profile only on the service/service group, NetScaler uses that net profile.
  • If there is a net profile only on the virtual server, NetScaler uses the net profile.
  • If there is a net profile both on the virtual server and service/service group, NetScaler uses the net profile bound to the service/service group.

Usage of a net profile for sending monitor probes:

For monitor probes, NetScaler selects the source IP in the following manner:

  • If there is a net profile bound to the monitor, NetScaler uses the net profile of the monitor. It ignores the net profiles bound to the virtual server or service/service group.
  • If there is no net profile bound to the monitor,
    • If there is a net profile on the service/service group, NetScaler uses the net profile of the service/service group.
    • If there is no net profile even on the service/service group, NetScaler uses the default method of selecting a source IP.

Note: If there is no net profile bound to a service, NetScaler looks for a net profile on the service group if the service is bound to a service group.
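The selection rules above can be checked against a backend's allowlist before a change goes live. The following is an added example, not Citrix code: the function names, the sample configuration (built only from commands shown on this page) and the allowlist are constructed for illustration.

```python
DEFAULT = "default-method"  # the page's "default method": dynamic pick from the owned pool
CLIENT = "client-ip"        # USIP enabled: the client's own address is used

# Constructed sample configuration (hypothetical names and addresses).
CONFIG = """
add ipset appipset
bind ipset appipset 21.21.21.21
bind ipset appipset 21.21.21.22
add netprofile appnp -srcIp appipset
add netprofile monnp -srcIp 21.21.20.1
add netprofile vsnp -srcIp 21.21.20.9
"""

def load_profiles(text):
    """Map each net profile name to the set of source IPs it can yield."""
    ipsets, profiles = {}, {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] == ["add", "ipset"]:
            ipsets[tok[2]] = set()
        elif tok[:2] == ["bind", "ipset"]:
            ipsets[tok[2]].add(tok[3])
        elif tok[:2] == ["add", "netprofile"] and "-srcIp" in tok:
            src = tok[tok.index("-srcIp") + 1]
            # -srcIp names either an IP set or a single address
            profiles[tok[2]] = set(ipsets.get(src, {src}))
    return profiles

def traffic_profile(usip, vserver_np=None, service_np=None, group_np=None):
    """Traffic: USIP overrides everything, then service, service group, virtual server."""
    if usip:
        return CLIENT
    return service_np or group_np or vserver_np or DEFAULT

def probe_profile(monitor_np=None, service_np=None, group_np=None):
    """Monitor probes: monitor first; the virtual server's profile is never consulted."""
    return monitor_np or service_np or group_np or DEFAULT

def outside_allowlist(profile, profiles, allowlist):
    """Source IPs the profile may select that the backend would not accept."""
    if profile in (DEFAULT, CLIENT):
        return {profile}  # not pinned to a known set, so flag it for review
    return profiles[profile] - set(allowlist)
```

A non-empty result from `outside_allowlist` means the server's filter would intermittently drop connections or probes, because NetScaler picks an address from the IP set at connection time.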

To use a specified source IP address for communication, go through the following steps:

  1. Create IP sets from the pool of SNIPs and VIPs owned by the NetScaler. An IP set can consist of both SNIP and VIP addresses. For instructions, see Creating IP Sets.
  2. Create net profiles. For instructions, see Creating a Net Profile.
  3. Bind the net profiles to NetScaler entities. For instructions, see Binding a Net Profile to a NetScaler Entity.

Note: A net profile can have only the IP addresses specified as SNIP and VIP on the NetScaler.

Managing Net Profiles

A net profile (or network profile) contains an IP address or an IP set. During communication with physical servers or peers, the NetScaler appliance uses the addresses specified in the profile as the source IP address.

Creating an IP Set

An IP set is a set of IP addresses, which are configured on the NetScaler appliance as Subnet IP addresses (SNIPs) or Virtual IP addresses (VIPs). An IP set is identified with a meaningful name that helps in identifying the usage of the IP addresses contained in it. To create an IP set, add an IP set and bind NetScaler owned IP addresses to it. SNIP addresses and VIP addresses can be present in the same IP set. 

To create an IP set by using the command line interface

At the command prompt, type the following commands:

  • add ipset <name>
  • bind ipset <name> <IPAddress>
    or
  • bind ipset <name> <IPAddress> 
  • show ipset [<name>]
    The above command shows the names of all the IP sets on the NetScaler if you do not pass any name. It shows the IP addresses bound to the specified IP set if you pass a name.

Examples

``` pre codeblock
1. add ipset skpnwipset
   Done
   bind ipset skpnwipset 21.21.20.1
   Done

2. add ipset testnwipset
   Done
   bind ipset testnwipset 21.21.21.[21-25]
   IPAddress “21.21.21.21” bound
   IPAddress “21.21.21.22” bound
   IPAddress “21.21.21.23” bound
   IPAddress “21.21.21.24” bound
   IPAddress “21.21.21.25” bound
   Done

3. bind ipset skpipset 11.11.11.101
   ERROR: Invalid IP address [This IP address could not be added because this is not an IP address owned by the NetScaler]
   add ns ip 11.11.11.101 255.255.255.0 -type SNIP
   ip “11.11.11.101” added
   Done
   bind ipset skpipset 11.11.11.101
   IPAddress “11.11.11.101” bound
   Done

4. sh ipset
   1) Name: ipset-1
   2) Name: ipset-2
   3) Name: ipset-3
   4) Name: skpnewipset
   Done

5. sh ipset skpnewipset
   IP:21.21.21.21
   IP:21.21.21.22
   IP:21.21.21.23
   IP:21.21.21.24
   IP:21.21.21.25
   Done
```

To create an IP set by using the configuration utility

Navigate to System > Network > IP Sets, and create an IP set.

Creating a Net Profile

A net profile (network profile) consists of one or more SNIP or VIP addresses of the NetScaler. 

To create a net profile by using the command line interface

At the command prompt, type:

add netprofile <name> [-srcIp <srcIpVal>]

If the srcIpVal is not provided in this command, it can be provided later by using the set netprofile command.

Examples

``` pre codeblock
add netprofile skpnetprofile1 -srcIp 21.21.20.1
 Done

add netprofile baksnp -srcIp bakipset
 Done

set netprofile yahnp -srcIp 12.12.23.1
 Done

set netprofile citkbnp -srcIp citkbipset
 Done
```

Binding a Net Profile to a NetScaler Entity

A net profile can be bound to a load balancing virtual server, service, service group, or a monitor. 

Note: You can bind a net profile at the time of creating a NetScaler entity or bind it to an already existing entity.

To bind a net profile to a virtual server by using the command line interface

You can bind a net profile to load balancing virtual servers and content switching virtual servers. Specify the appropriate virtual server.

At the command prompt, type:

  • set lb vserver <name> -netProfile <net_profile_name>
    or
  • set cs vserver <name> -netProfile <net_profile_name>

Examples

``` pre codeblock
set lb vserver skpnwvs1 -netProfile gntnp
 Done
set cs vserver mmdcsv -netProfile mmdnp
 Done
```


To bind a net profile to a virtual server by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and open the virtual server.
  2. In Advanced Settings, click Profiles, and set a net profile.

To bind a net profile to a service by using the command line interface

At the command prompt, type:

set service <name> -netProfile <net_profile_name>

Example

``` pre codeblock
set service brnssvc1 -netProfile brnsnp
 Done
```

To bind a net profile to a service by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Services, and open a service.
  2. In Advanced Settings, click Profiles, and set a net profile.

To bind a net profile to a service group by using the command line interface

At the command prompt, type:

set servicegroup <serviceGroupName> -netProfile <net_profile_name>

Example

``` pre codeblock
set servicegroup ndhsvcgrp -netProfile ndhnp
 Done
```


To bind a net profile to a service group by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Service Groups, and open a service group.
  2. In Advanced Settings, click Profiles, and set a net profile.

To bind a net profile to a monitor by using the command line interface

At the command prompt, type:

set monitor <monitor_name> -netProfile <net_profile_name>

Example

``` pre codeblock
set monitor brnsecvmon1 -netProfile brnsmonnp
 Done
```

To bind a net profile to a monitor by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Monitors.
  2. Open a monitor, and set the net profile.