Configuring CloudBridge Connector Tunnel between two Datacenters

Aug 02, 2013

You can configure a CloudBridge Connector tunnel between two different datacenters to extend your network without reconfiguring it, and leverage the capabilities of the two datacenters. A CloudBridge Connector tunnel between the two geographically separated datacenters enables you to implement redundancy and safeguard your setup from failure. The CloudBridge Connector tunnel helps achieve optimal utilization of infrastructure and resources across two datacenters. The applications available across the two datacenters appear as local to the user.

To connect a datacenter to another datacenter, you set up a CloudBridge Connector tunnel between a CloudBridge 4000/5000 appliance that resides in one datacenter and another CloudBridge 4000/5000 appliance that resides in the other datacenter.

To understand how a CloudBridge Connector tunnel is configured between two different datacenters, consider an example in which a CloudBridge Connector tunnel is set up between NetScaler appliance CB_4000/5000-1 in datacenter DC1 and NetScaler appliance CB_4000/5000-2 in datacenter DC2.

Both CB_4000/5000-1 and CB_4000/5000-2 function in one-arm mode (WCCP/PBR). They enable communication between private networks in datacenters DC1 and DC2. For example, CB_4000/5000-1 and CB_4000/5000-2 enable communication between client CL1 in datacenter DC1 and server S1 in datacenter DC2 through the CloudBridge Connector tunnel. Client CL1 and server S1 are on different private networks.

For proper communication between CL1 and S1, L3 mode is enabled on NS_VPX_CB_4000/5000-1 and NS_VPX_CB_4000/5000-2, and routes are configured as follows:
  • Router R1 has a route for reaching S1 through NS_VPX_CB_4000/5000-1.
  • NS_VPX_CB_4000/5000-1 has a route for reaching NS_VPX_CB_4000/5000-2 through R1.
  • Server S1 has a route for reaching CL1 through NS_VPX_CB_4000/5000-2.
  • NS_VPX_CB_4000/5000-2 has a route for reaching NS_VPX_CB_4000/5000-1 through R2.

The following table lists the settings on CB_4000/5000-1 in datacenter DC1.

Entity | Name | Details
IP address of client | CL1 | 10.102.147.10
Settings on NAT device | NAT-Dev-1 |
NAT IP address on public side | | 203.0.113.30*
NAT IP address on private side | | 10.10.7.70
Settings on CB_4000/5000-1 | |
Management service IP address of CB_4000/5000-1 | | 10.10.1.10
Settings on NS_VPX_CB_4000/5000-1 running on CB_4000/5000-1 | |
NSIP address | | 10.10.1.20
SNIP address | | 10.10.5.30
CloudBridge Connector tunnel | Cloud_Connector_DC1-DC2 | Local endpoint IP address = 10.10.5.30; Remote endpoint IP address = 203.0.210.30*
GRE tunnel | Cloud_Connector_DC1-DC2 |
IPSec profile | Cloud_Connector_DC1-DC2 | Encryption algorithm = AES; Hash algorithm = HMAC SHA1
Policy based route | CBC_DC1_DC2_PBR | Source IP range = subnet in datacenter DC1 = 10.102.147.0-10.102.147.255; Destination IP range = subnet in datacenter DC2 = 10.20.20.0-10.20.20.255; Next hop type = IP Tunnel; IP tunnel name = CBC_DC1_DC2

*These should be public IP addresses.

The following table lists the settings on CB_4000/5000-2 in datacenter DC2.

Entity | Name | Details
IP address of server | S1 | 10.20.20.10
Settings on NAT device | NAT-Dev-2 |
NAT IP address on public side | | 203.0.210.30*
NAT IP address on private side | | 10.10.8.80
Settings on CB_4000/5000-2 | |
Management service IP address of CB_4000/5000-2 | | 10.10.2.10
Settings on NS_VPX_CB_4000/5000-2 running on CB_4000/5000-2 | |
NSIP address | | 10.10.2.20
SNIP address | | 10.10.6.30
CloudBridge Connector tunnel | Cloud_Connector_DC1-DC2 | Local endpoint IP address = 10.10.6.30; Remote endpoint IP address = 203.0.113.30*
GRE tunnel | Cloud_Connector_DC1-DC2 |
IPSec profile | Cloud_Connector_DC1-DC2 | Encryption algorithm = AES; Hash algorithm = HMAC SHA1
Policy based route | CBC_DC1_DC2_PBR | Source IP range = subnet in datacenter DC2 = 10.20.20.0-10.20.20.255; Destination IP range = subnet in datacenter DC1 = 10.102.147.0-10.102.147.255; Next hop type = IP Tunnel; IP tunnel name = CBC_DC1_DC2

*These should be public IP addresses.

Following is the traffic flow in the CloudBridge Connector tunnel:
  1. Client CL1 sends a request to server S1.
  2. The request reaches the NetScaler virtual appliance NS_VPX_CB_4000/5000-1 running on CloudBridge appliance CB_4000/5000-1.
  3. NS_VPX_CB_4000/5000-1 forwards the packet to one of the CloudBridge repeater instances running on the CloudBridge appliance CB_4000/5000-1 for WAN optimization. After processing the packet, the CloudBridge repeater instance returns the packet to NS_VPX_CB_4000/5000-1.
  4. The request packet matches the condition specified in PBR entity CBC_DC1_DC2_PBR (configured in NS_VPX_CB_4000/5000-1), because the source IP address and the destination IP address of the request packet belong to the source IP range and the destination IP range, respectively, set in CBC_DC1_DC2_PBR.
  5. Because the CloudBridge Connector tunnel is bound to CBC_DC1_DC2_PBR, the appliance prepares the packet to be sent across the Cloud_Connector_DC1-DC2 tunnel.
  6. NS_VPX_CB_4000/5000-1 uses the GRE protocol to encapsulate each of the request packets by adding a GRE header and a GRE IP header to the packet. In the GRE IP header, the destination IP address is the address of the CloudBridge tunnel (Cloud_Connector_DC1-DC2) end point in datacenter DC2.
  7. For CloudBridge Connector tunnel Cloud_Connector_DC1-DC2, NS_VPX_CB_4000/5000-1 checks the stored IPSec security association (SA) parameters for processing outbound packets, as agreed between NS_VPX_CB_4000/5000-1 and NS_VPX_CB_4000/5000-2. The IPSec Encapsulating Security Payload (ESP) protocol in NS_VPX_CB_4000/5000-1 uses these SA parameters for outbound packets to encrypt the payload of the GRE-encapsulated packet.
  8. The ESP protocol ensures the packet's integrity and confidentiality by using the HMAC hash function and the encryption algorithm specified for the CloudBridge Connector tunnel Cloud_Connector_DC1-DC2. After encrypting the GRE payload and calculating the HMAC, the ESP protocol generates an ESP header and an ESP trailer and inserts them before and after the encrypted GRE payload, respectively.
  9. NS_VPX_CB_4000/5000-1 sends the resulting packet to NS_VPX_CB_4000/5000-2.
  10. NS_VPX_CB_4000/5000-2 checks the stored IPSec security association (SA) parameters for processing inbound packets, as agreed between NS_VPX_CB_4000/5000-1 and NS_VPX_CB_4000/5000-2 for the CloudBridge Connector tunnel Cloud_Connector_DC1-DC2. The IPSec ESP protocol on NS_VPX_CB_4000/5000-2 uses these SA parameters for inbound packets, and the ESP header of the request packet, to decrypt the packet.
  11. NS_VPX_CB_4000/5000-2 then decapsulates the packet by removing the GRE header.
  12. NS_VPX_CB_4000/5000-2 forwards the resulting packet to CB_VPX_CB_4000/5000-2, which applies WAN-optimization-related processing to the packet. CB_VPX_CB_4000/5000-2 then returns the resulting packet to NS_VPX_CB_4000/5000-2.
  13. The resulting packet is the same one that NS_VPX_CB_4000/5000-1 received in step 2. This packet has the destination IP address set to the IP address of server S1. NS_VPX_CB_4000/5000-2 forwards this packet to server S1.
  14. S1 processes the request packet and sends out a response packet. The destination IP address in the response packet is the IP address of client CL1, and the source IP address is the IP address of server S1.
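The traffic flow above, reduced to runnable form. This is an added Python example, not Citrix or NetScaler code: it reuses the PBR ranges and tunnel endpoints from the DC1 table, stands in for the negotiated SA with a constructed key, and covers only the ESP integrity check (HMAC-SHA1 truncated to 96 bits, as HMAC-SHA-1-96 does), leaving the AES encryption step out. It shows that a packet outside the PBR ranges is never tunnelled and that a packet modified in transit is rejected at DC2 before decapsulation.

```python
import hmac, hashlib, struct
from ipaddress import ip_address, ip_network

# Values taken from the page's DC1 table; the key is a constructed stand-in for the negotiated SA.
PBR_DC1 = {"src": ip_network("10.102.147.0/24"), "dst": ip_network("10.20.20.0/24")}
LOCAL_EP, REMOTE_EP = "10.10.5.30", "203.0.210.30"  # SNIP of NS_VPX_CB_4000/5000-1, public NAT IP in DC2
ESP_AUTH_KEY = b"constructed-demo-key-not-a-real-SA"

def pbr_matches(src, dst, pbr=PBR_DC1):
    """Step 4: tunnel only when both source and destination fall in the PBR ranges."""
    return ip_address(src) in pbr["src"] and ip_address(dst) in pbr["dst"]

def gre_encapsulate(inner, local=LOCAL_EP, remote=REMOTE_EP):
    """Step 6: minimal GRE header (flags 0, protocol 0x0800 = IPv4) behind a simplified outer header."""
    gre = struct.pack("!HH", 0, 0x0800)
    return ip_address(local).packed + ip_address(remote).packed + gre + inner

def gre_decapsulate(pkt):
    """Step 11: strip the outer endpoints and GRE header; return (remote endpoint, inner packet)."""
    outer, gre, inner = pkt[:8], pkt[8:12], pkt[12:]
    assert struct.unpack("!HH", gre)[1] == 0x0800
    return ip_address(outer[4:]).exploded, inner

def esp_protect(plain, spi=0x1001, seq=1, key=ESP_AUTH_KEY):
    """Steps 7-8, integrity part: ESP header (SPI, sequence) + payload + 96-bit HMAC-SHA1 ICV."""
    hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(key, hdr + plain, hashlib.sha1).digest()[:12]
    return hdr + plain + icv

def esp_verify(pkt, key=ESP_AUTH_KEY):
    """Step 10: recompute the ICV in constant time; reject a modified packet before decapsulating."""
    body, icv = pkt[:-12], pkt[-12:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:12]
    return body[8:] if hmac.compare_digest(icv, expected) else None

def send_dc1_to_dc2(src, dst, payload):
    """Steps 4-9 on NS_VPX_CB_4000/5000-1: protected packet, or None when the PBR does not match."""
    if not pbr_matches(src, dst):
        return None
    inner = ip_address(src).packed + ip_address(dst).packed + payload  # toy inner IP header + payload
    return esp_protect(gre_encapsulate(inner))

def receive_at_dc2(pkt):
    """Steps 10-11 on NS_VPX_CB_4000/5000-2: verify ICV, decapsulate, return (dst IP, payload)."""
    gre_pkt = esp_verify(pkt)
    if gre_pkt is None:
        return None
    _, inner = gre_decapsulate(gre_pkt)
    return ip_address(inner[4:8]).exploded, inner[8:]
```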