Product Documentation

Masking a Virtual Server IP Address

Nov 12, 2013

You can configure a mask and a pattern instead of a fixed IP address for a virtual server. This enables traffic that is directed to any of the IP addresses that match the mask and pattern to be rerouted to a particular virtual server. For example, you can configure a mask that allows the first three octets of an IP address to be variable, so that traffic to 111.11.11.198, 22.22.22.198, and 33.33.33.198 is all sent to the same virtual server.

By configuring a mask for a virtual server IP address, you can avoid reconfiguration of your virtual servers due to a change in routing or another infrastructure change. The mask allows the traffic to continue to flow without extensive reconfiguration of your virtual servers.

The mask for a virtual server IP address works somewhat differently from the IP pattern definition for a server described in Translating the IP Address of a Domain-Based Server. For a virtual server IP address mask, a non-zero mask is interpreted as an octet that is considered. For a service, the non-zero value is blocked.

Additionally, for a virtual server IP address mask, either leading or trailing values can be considered. If the virtual server IP address mask considers values from the left of the IP address, this is known as a forward mask. If the mask considers the values to the right side of the address, this is known as a reverse mask.

Note: The NetScaler appliance evaluates all forward mask virtual servers before evaluating reverse mask virtual servers.

When masking a virtual server IP address, you also need to create an IP address pattern for matching incoming traffic with the correct virtual server. When the appliance receives an incoming IP packet, it matches the destination IP address in the packet with the bits that are considered in the IP address pattern, and after it finds a match, it applies the IP address mask to construct the final destination IP address.

Consider the following example:

  • Destination IP address in the incoming packet: 10.102.27.189
  • IP address pattern: 10.102.0.0
  • IP mask: 255.255.0.0
  • Constructed (final) destination IP address: 10.102.27.189.

In this case, the first 16 bits in the original destination IP address match the IP address pattern for this virtual server, so this incoming packet is routed to this virtual server.

If a destination IP address matches the IP patterns for more than one virtual server, the longest match takes precedence. Consider the following example:

  • Virtual Server 1: IP pattern 10.10.0.0, IP mask 255.255.0.0
  • Virtual Server 2: IP pattern 10.10.10.0, IP mask 255.255.255.0
  • Destination IP address in the packet: 10.10.10.45.
  • Selected virtual server: Virtual Server 2.

The pattern associated with Virtual Server 2 matches more bits than that associated with Virtual Server 1, so IPs that match it will be sent to Virtual Server 2.

Note: Ports are also considered if a tie-breaker is required.

To configure a virtual server IP address mask by using the command line interface

At the command prompt, type:

add lb vserver <name>@ http -ipPattern <ipAddressPattern> -ipMask <ipMask> <listenPort>

Example

Pattern matching based on prefix octets:

add lb vserver myLBVserver http -ippattern 10.102.0.0 -ipmask 255.255.0.0 80

Pattern matching based on trailing octets:

add lb vserver myLBVserver1 http -ippattern 0.0.22.74 -ipmask 0.0.255.255 80

Modify a pattern-based virtual server:

set lb vserver myLBVserver1 -ippattern 0.0.22.74 -ipmask 0.0.255.255

To configure a virtual server IP address mask by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. In the Address Type list, select IP Pattern, and specify an IP pattern and IP mask.