
Using a Specified Source IP for Backend Communication

Aug 31, 2016
For communication with the physical servers or other peer devices, the NetScaler appliance uses an IP address owned by it as the source IP address. NetScaler maintains a pool of its IP addresses, and dynamically selects an IP address while connecting with a server. Depending on the subnet in which the physical server is placed, NetScaler decides which IP address to use. This address pool is used for sending traffic as well as monitor probes.

In many situations, you may want the NetScaler to use a specific IP address or any IP address from a specific set of IP addresses for backend communications. The following are a few examples:

  • A server can distinguish monitor probes from traffic if the source IP address used for monitor probes belongs to a specific set.
  • To improve server security, a server may be configured to respond to requests from a specific set of IP addresses or, sometimes, from a single specific IP address. In such a case, the NetScaler can use only the IP addresses accepted by the server as the source IP address.
  • The NetScaler can manage its internal connections efficiently if it can distribute its IP addresses into IP sets and use an address from a set only for connecting to a specific service.

To configure the NetScaler to use a specified source IP address, create net profiles (network profiles) and configure the NetScaler entities to use the profile. A net profile can be bound to load balancing or content switching virtual servers, services, service groups, or monitors. A net profile has NetScaler owned IP addresses (SNIPs and VIPs) that can be used as the source IP address. It can be a single IP address or a set of IP addresses, referred to as an IP set. If a net profile has an IP set, NetScaler dynamically selects an IP address from the IP set at the time of connection. If a profile has a single IP address, the same IP address is used as the source IP.

If a net profile is bound to a load balancing or content switching virtual server, the profile will be used for sending traffic to all the services bound to it. If a net profile is bound to a service group, NetScaler uses the profile for all the members of the service group. If a net profile is bound to a monitor, NetScaler uses the profile for all the probes sent from the monitor.
Note: When a NetScaler appliance uses a VIP address to communicate with a server, it uses session entries to identify whether the traffic destined to the VIP address is a response from a server or a request from a client.

Usage of a net profile for sending traffic:

If the Use Source IP Address (USIP) option is enabled, NetScaler uses the IP address of the client and ignores all the net profiles. If the USIP option is not enabled, NetScaler selects the source IP in the following manner:

  • If there is no net profile on the virtual server or the service/service group, NetScaler uses the default method.
  • If there is a net profile only on the service/service group, NetScaler uses that net profile.
  • If there is a net profile only on the virtual server, NetScaler uses the net profile.
  • If there is a net profile both on the virtual server and service/service group, NetScaler uses the net profile bound to the service/service group.

Usage of a net profile for sending monitor probes:

For monitor probes, NetScaler selects the source IP in the following manner:

  • If there is a net profile bound to the monitor, NetScaler uses the net profile of the monitor. It ignores the net profiles bound to the virtual server or service/service group.
  • If there is no net profile bound to the monitor,
    • If there is a net profile on the service/service group, NetScaler uses the net profile of the service/service group.
    • If there is no net profile even on the service/service group, NetScaler uses the default method of selecting a source IP.
Note: If there is no net profile bound to a service, NetScaler looks for a net profile on the service group if the service is bound to a service group.
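
The selection order above, combined with the server allow-list use case from the introduction, as an added example (not Citrix code): a small Python model that resolves which net profile applies to traffic and to monitor probes, then reports candidate source addresses a backend allow-list would reject. Profile names, IP set contents and the allow-list are constructed sample data; applying the service-to-service-group fallback from the Note to traffic as well as probes is an assumption.

```python
# Added example: models the source-IP selection order described above.
# Profile names, IP set contents and the allow-list are constructed sample data.
USIP = "client IP (USIP)"
DEFAULT = "default selection from the address pool"

def backend_profile(service_np=None, group_np=None):
    """Profile on the service, else on its service group (per the Note)."""
    return service_np or group_np

def traffic_profile(usip, vserver_np=None, service_np=None, group_np=None):
    """What determines the source IP for traffic to a service."""
    if usip:  # USIP enabled: client address is used, all net profiles ignored
        return USIP
    # Service/service group profile wins over the virtual server's profile.
    return backend_profile(service_np, group_np) or vserver_np or DEFAULT

def probe_profile(monitor_np=None, service_np=None, group_np=None):
    """What determines the source IP for monitor probes.
    A profile on the virtual server is never consulted for probes."""
    return monitor_np or backend_profile(service_np, group_np) or DEFAULT

def source_ips(profile, netprofiles, ipsets):
    """Expand a net profile to its candidate source addresses."""
    if profile in (USIP, DEFAULT):
        return None  # not pinned by any net profile
    src = netprofiles[profile]  # -srcIp value: one address or an IP set name
    return set(ipsets.get(src, [src]))

def rejected_by_allowlist(profile, netprofiles, ipsets, allowlist):
    """Candidate source addresses a backend allow-list would not accept."""
    ips = source_ips(profile, netprofiles, ipsets)
    if ips is None:
        return {profile}  # source cannot be guaranteed to be on the list
    return ips - set(allowlist)

IPSETS = {"app_ipset": ["21.21.21.21", "21.21.21.22", "21.21.21.23"]}
NETPROFILES = {"app_np": "app_ipset", "mon_np": "21.21.20.1", "vs_np": "21.21.21.25"}
ALLOWLIST = ["21.21.21.21", "21.21.21.22", "21.21.20.1"]

if __name__ == "__main__":
    t = traffic_profile(False, vserver_np="vs_np", service_np="app_np")
    p = probe_profile(monitor_np="mon_np", service_np="app_np")
    print("traffic:", t, rejected_by_allowlist(t, NETPROFILES, IPSETS, ALLOWLIST))
    print("probes: ", p, rejected_by_allowlist(p, NETPROFILES, IPSETS, ALLOWLIST))
```

A non-empty result means the NetScaler may pick a source address the server drops, which surfaces as intermittent connection failures or monitor flaps rather than a clean outage.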

To use a specified source IP address for communication, go through the following steps:

  1. Create IP sets from the pool of SNIPs and VIPs owned by the NetScaler. An IP set can consist of both SNIP and VIP addresses. For instructions, see Creating IP Sets.
  2. Create net profiles. For instructions, see Creating a Net Profile.
  3. Bind the net profiles to NetScaler entities. For instructions, see Binding a Net Profile to a NetScaler Entity.
Note: A net profile can have only the IP addresses specified as SNIP and VIP on the NetScaler.

Managing Net Profiles

A net profile (or network profile) contains an IP address or an IP set. During communication with physical servers or peers, the NetScaler appliance uses the addresses specified in the profile as the source IP address. For more information on the use of net profiles, see Using a User-specified Source IP Address for Backend Communication.

Creating an IP Set

An IP set is a set of IP addresses, which are configured on the NetScaler appliance as Subnet IP addresses (SNIPs) or Virtual IP addresses (VIPs). An IP set is identified with a meaningful name that helps in identifying the usage of the IP addresses contained in it. To create an IP set, add an IP set and bind NetScaler owned IP addresses to it. SNIP addresses and VIP addresses can be present in the same IP set. For more information about the use of IP sets, see Using a User-specified Source IP Address for Backend Communication.

To create an IP set by using the command line interface

At the command prompt, type the following commands:

  • add ipset <name>
  • bind ipset <name> <IPAddress>
  • show ipset [<name>]
    The above command shows the names of all the IP sets on the NetScaler if you do not pass any name. It shows the IP addresses bound to the specified IP set if you pass a name.

Examples

1.
> add ipset skpnwipset
 Done
> bind ipset skpnwipset 21.21.20.1
 Done

2.
> add ipset testnwipset
 Done
> bind ipset testnwipset 21.21.21.[21-25]
 IPAddress "21.21.21.21" bound
 IPAddress "21.21.21.22" bound
 IPAddress "21.21.21.23" bound
 IPAddress "21.21.21.24" bound
 IPAddress "21.21.21.25" bound
 Done

3.
> bind ipset skpipset 11.11.11.101
 ERROR: Invalid IP address
 [This IP address could not be added because this is not an IP address owned by the NetScaler]
> add ns ip 11.11.11.101 255.255.255.0 -type SNIP
 ip "11.11.11.101" added
 Done
> bind ipset skpipset 11.11.11.101
 IPAddress "11.11.11.101" bound
 Done

4.
> sh ipset
 1) Name: ipset-1
 2) Name: ipset-2
 3) Name: ipset-3
 4) Name: skpnewipset
 Done

5.
> sh ipset skpnewipset
 IP:21.21.21.21
 IP:21.21.21.22
 IP:21.21.21.23
 IP:21.21.21.24
 IP:21.21.21.25
 Done

To create an IP set by using the configuration utility

Navigate to System > Network > IP Sets, and create an IP set.

Creating a Net Profile

A net profile (network profile) consists of one or more SNIP or VIP addresses of the NetScaler. For more information about the usage of net profiles, see Using a User-specified Source IP Address for Backend Communication.

To create a net profile by using the command line interface

At the command prompt, type:

add netprofile <name> [-srcIp <srcIpVal>]

If the srcIpVal is not provided in this command, it can be provided later by using the set netprofile command.

Examples

 
> add netprofile skpnetprofile1 -srcIp 21.21.20.1
 Done

> add netprofile baksnp -srcIp bakipset
 Done

> set netprofile yahnp -srcIp 12.12.23.1
 Done

> set netprofile citkbnp -srcIp citkbipset
 Done

Binding a Net Profile to a NetScaler Entity

A net profile can be bound to a load balancing virtual server, service, service group, or a monitor. For more information about the effect of binding a net profile to a NetScaler entity, see Using a User-specified Source IP Address for Backend Communication.
Note: You can bind a net profile at the time of creating a NetScaler entity or bind it to an already existing entity.

To bind a net profile to a virtual server by using the command line interface

You can bind a net profile to load balancing virtual servers and content switching virtual servers. Specify the appropriate virtual server.

At the command prompt, type:

  • set lb vserver <name> -netProfile <net_profile_name>
    or
  • set cs vserver <name> -netProfile <net_profile_name>

Examples

set lb vserver skpnwvs1 -netProfile gntnp 
 Done 
set cs vserver mmdcsv -netProfile mmdnp 
 Done 

To bind a net profile to a virtual server by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and open the virtual server.
  2. In Advanced Settings, click Profiles, and set a net profile.

To bind a net profile to a service by using the command line interface

At the command prompt, type:

set service <name> -netProfile <net_profile_name>

Example

set service brnssvc1 -netProfile brnsnp 
 Done 

To bind a net profile to a service by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Services, and open a service.
  2. In Advanced Settings, click Profiles, and set a net profile.

To bind a net profile to a service group by using the command line interface

At the command prompt, type:

set servicegroup <serviceGroupName> -netProfile <net_profile_name>

Example

set servicegroup ndhsvcgrp -netProfile ndhnp 
 Done 

To bind a net profile to a service group by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Service Groups, and open a service group.
  2. In Advanced Settings, click Profiles, and set a net profile.

To bind a net profile to a monitor by using the command line interface

At the command prompt, type:

set monitor <monitor_name> -netProfile <net_profile_name>

Example

set monitor brnsecvmon1 -netProfile brnsmonnp 
 Done 

To bind a net profile to a monitor by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Monitors.
  2. Open a monitor, and set the net profile.