
Use Case: Configuring Auto Policy-Based Routing

Aug 30, 2016

Auto Policy-Based Routing (APBR) automatically routes the return traffic from the servers to the NetScaler ADC, preserving the client IP addresses. The automatic policy-based routes are defined on the Cisco Nexus 7000 series switch. When the return traffic from the server reaches the Cisco Nexus 7000 series switch, the APBR policies defined on the switch route the traffic to the NetScaler ADC, which in turn routes the traffic to the client.

To understand the need for APBR, first consider a NAT-based scenario in which a packet flows from the client to the server and from the server back to the client.

Figure 1. Packet Flow


  1. Client initiates the traffic to the virtual IP (VIP) address.

    SRC_IP= Client IP; DST_IP= VIP

  2. The Cisco Nexus switch forwards the packet to the NetScaler ADC.

    SRC_IP= Client IP; DST_IP= VIP

  3. The ADC performs source NAT and destination NAT (Network Address Translation), changes the source IP and destination IP addresses, and sends the packet to the Cisco Nexus switch.

    SRC_IP= NAT_IP; DST_IP= RS_IP

  4. The Cisco Nexus switch receives the packet and forwards it to a server.

    SRC_IP= NAT_IP; DST_IP= RS_IP

  5. The server processes the packet and forwards it to the Cisco Nexus 7000 series switch.

    SRC_IP= RS_IP; DST_IP= NAT_IP

  6. The Cisco Nexus switch forwards the packet to the NetScaler ADC.

    SRC_IP= RS_IP; DST_IP= NAT_IP

  7. The NetScaler ADC changes the source IP address and forwards the packet to the Cisco Nexus 7000 series switch.

    SRC_IP= VIP; DST_IP= Client_IP

  8. The Cisco Nexus 7000 series switch forwards the packet to the client.

    SRC_IP= VIP; DST_IP= Client_IP

    The client receives the packet. However, the client IP address is not visible to the server.

Now, consider a scenario in which policy-based routing (PBR) directs packet flow.

  1. Client initiates the traffic to the virtual IP (VIP) address.

    SRC_IP= Client IP; DST_IP= VIP

  2. The Cisco Nexus switch forwards the packet to the NetScaler ADC.

    SRC_IP= Client IP; DST_IP= VIP

  3. The ADC performs destination NAT (Network Address Translation), changes the destination IP, and then sends the packet to the Cisco Nexus switch.

    SRC_IP= Client IP; DST_IP= RS_IP

  4. The Cisco Nexus switch receives the packet and forwards it to a server.

    SRC_IP= Client IP; DST_IP= RS_IP

  5. The server processes the packet and forwards it to the Cisco Nexus 7000 series switch.

    SRC_IP= RS_IP; DST_IP= Client IP

  6. The Cisco Nexus switch forwards the packet to the NetScaler ADC.

    SRC_IP= RS_IP; DST_IP= Client IP

  7. The NetScaler ADC changes the source IP address and forwards the packet to the Cisco Nexus 7000 series switch.

    SRC_IP= VIP; DST_IP= Client_IP

  8. The Cisco Nexus 7000 series switch forwards the packet to the client.

    SRC_IP= VIP; DST_IP= Client_IP

  9. The client receives the packet. The client IP address is visible to the server. However, PBR requires manual and complex configurations and is prone to errors.

To overcome these drawbacks, configure APBR rules on the RISE appliance. When APBR is configured, the packets flow as described in the following procedure:

  1. Client initiates the traffic to the virtual IP (VIP) address.

    SRC_IP= Client IP; DST_IP= VIP

  2. The Cisco Nexus switch forwards the packet to the NetScaler ADC.

    SRC_IP= Client IP; DST_IP= VIP

  3. The ADC performs load balancing and changes the destination IP address to the appropriate server IP address and forwards the packet to the Cisco Nexus switch in an APBR message.

    SRC_IP= Client IP; DST_IP= RS_IP

  4. The Cisco Nexus switch receives the packet and forwards it to a server by using a route map.

    SRC_IP= Client IP; DST_IP= RS_IP

  5. The server processes the packet and forwards it to the Cisco Nexus 7000 series switch.

    SRC_IP= RS_IP; DST_IP= Client_IP

  6. When the packet reaches the Nexus switch, the switch applies the APBR rules, sets the next hop IP address to that of the NetScaler ADC, and forwards the packet to the NetScaler ADC.

    SRC_IP= RS_IP; DST_IP= Client_IP

  7. The NetScaler ADC changes the source IP address and forwards the packet to the Cisco Nexus 7000 series switch.

    SRC_IP= VIP; DST_IP= Client_IP

  8. The Cisco Nexus 7000 series switch forwards the packet to the client.

    SRC_IP= VIP; DST_IP= Client_IP

  9. The client receives the packet successfully.

Note: APBR rules are configured on the Cisco Nexus switch by the Citrix NetScaler appliance only if the Use Source IP (USIP) option is enabled in the services or service groups on the Citrix NetScaler appliance.

The APBR message control flow is explained below:

  1. After USIP is enabled in the services on the NetScaler ADC, it publishes the IP address, port number, and protocol details of the server to the Cisco Nexus 7000 series switch over the RISE control channel.
  2. Using the IP address, port number, and protocol details of the server, the Cisco Nexus 7000 series switch creates an APBR rule, which consists of ACLs and route maps.
    Note:
    • For local servers, the switch creates ACLs and route maps.
    • For remote servers, the switch forwards the APBR messages to other Cisco Nexus 7000 series switches.
  3. The RISE appliance then applies the APBR rules to the switch virtual interface on the Cisco Nexus 7000 series switch connected to the server.

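The following is an added example, not code from the Citrix or Cisco documentation. It models the three return-path scenarios above (NAT, and USIP with and without APBR steering) together with the APBR control flow: a USIP-enabled service is published as (IP, port, protocol), the switch side derives an ACL-plus-route-map rule whose next hop is the ADC, and the rule is applied to the server's reply. All addresses are constructed sample values, and the NSIP is assumed to be the next hop the rule sets.

```python
"""Model of the APBR control flow and the three return-path scenarios.
Added example; addresses are constructed, NSIP as next hop is an assumption."""
from dataclasses import dataclass

CLIENT_IP, VIP, NAT_IP, NSIP = "198.51.100.7", "203.0.113.10", "10.0.0.11", "10.0.0.10"

@dataclass(frozen=True)
class Service:
    ip: str
    port: int
    protocol: str   # "tcp" or "udp"
    usip: bool      # USIP off: ADC source-NATs and publishes nothing (see Note above)

@dataclass(frozen=True)
class ApbrRule:
    # ACL part: match replies sourced from the server ip:port/protocol.
    # Route-map part: set the next hop to the ADC.
    src_ip: str
    src_port: int
    protocol: str
    next_hop: str

def build_apbr_rules(services, nsip=NSIP):
    """Control flow steps 1-2: only USIP-enabled services are published,
    and each one becomes an ACL + route-map entry pointing at the ADC."""
    return [ApbrRule(s.ip, s.port, s.protocol, nsip) for s in services if s.usip]

def forward_to_server(svc):
    """Client->server leg: with USIP the client IP survives (DNAT only);
    without it the ADC performs SNAT, as in the NAT-based scenario."""
    return {"src_ip": CLIENT_IP if svc.usip else NAT_IP, "dst_ip": svc.ip,
            "dst_port": svc.port, "proto": svc.protocol}

def return_next_hop(rules, reply):
    """Control flow step 3 / APBR step 6: the route-map on the server-facing SVI
    steers matching replies to the ADC; anything else follows the routing table."""
    for r in rules:
        if (reply["src_ip"], reply["src_port"], reply["proto"]) == (r.src_ip, r.src_port, r.protocol):
            return r.next_hop
    return "routing-table"

def simulate(svc, rules):
    """Run one request/reply and report what the server saw and where the reply went."""
    req = forward_to_server(svc)
    reply = {"src_ip": req["dst_ip"], "src_port": req["dst_port"], "proto": req["proto"],
             "dst_ip": req["src_ip"]}
    hop = return_next_hop(rules, reply)
    # The ADC stays on the return path either because the reply is addressed to its
    # NAT IP, or because an APBR rule sets the ADC as next hop. With USIP but no
    # rule, the reply is routed straight to the client and bypasses the ADC.
    via_adc = reply["dst_ip"] == NAT_IP or hop == NSIP
    return {"server_sees_client_ip": req["src_ip"] == CLIENT_IP,
            "reply_via_adc": via_adc, "next_hop": hop}
```

Running `simulate` for a USIP-enabled service with an empty rule list reproduces the failure mode APBR exists to prevent: the server sees the client IP, but its reply never returns through the ADC.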
To configure the APBR functionality:
  • Enable the feature on the Cisco Nexus switch
  • Configure APBR on NetScaler ADC
    • Configure NSIP
    • Configure NSVLAN
    • Enable USIP option
For more information, see Configuring Auto Policy-Based Routing.