The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes how to configure the Auto Policy-Based Routing (PBR) feature on the Citrix NetScaler Application Delivery Controller (ADC) appliance to ensure that return traffic from the real server (RS) reaches the RISE appliance.
This chapter includes the following sections:
Your software release might not support all the features documented in this module. For the latest caveats and feature information, see the Bug Search Tool at https://tools.cisco.com/bugsearch/ and the release notes for your software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the “New and Changed Information” chapter or the Feature History table below.
This section includes the following topics:
Policy-Based Routing (PBR) allows the creation of policies or rules that can selectively alter the path that packets take within the network. PBR can be used to mark packets so that certain types of traffic are prioritized over the rest, sent to a different destination, or exit through a different physical interface on the router. Classification of interesting traffic is performed using access control lists (ACLs).
PBR rules ensure that return traffic from the real server (RS) reaches the Remote Integrated Service Engine (RISE) appliance. The control channel on the Cisco Nexus 5600 Series switch is used to automate the creation of PBR rules.
After the RISE appliance applies the required configuration, the appliance sends auto PBR (APBR) messages to the Cisco Nexus switch including a list of servers (IP addresses, ports, and protocol) and the next-hop IP address of the appliance.
The Cisco Nexus switch creates the PBR rules for the associated switch virtual interfaces (SVIs). For the local servers, the switch creates the ACLs and route maps.
Auto policy-based routing (APBR) rules are configured on the Cisco Nexus switch by the Citrix NetScaler appliance only if the Use Source IP (USIP) option is enabled in the services or service groups on the Citrix NetScaler appliance. The rules are withdrawn when the USIP option is disabled. The USIP option can be configured locally or globally.
Two appliances are each connected to a different VDC in the same Cisco Nexus 5600 Series switch.
In each of the preceding topologies, one appliance is active and the other is in standby. Each connection acts as a separate service and is unaware of the other service. Each appliance sends APBR rules to the service in each VDC or in each switch, depending upon the topology. Each service sends the appropriate response to the appliance to which it is connected.
When a failover occurs, the standby appliance becomes the new active appliance. The old active appliance sends a PURGE message to the service. After the APBR purge is complete and the old active appliance receives a response, the appliance sends fresh APBR rules. Sending fresh rules ensures that the stale configuration does not remain on the old active appliance
Product | License Requirements |
---|---|
Cisco NX-OS |
The Cisco Remote Integrated Services Engine (RISE) requires the Network Services Package on the Cisco Nexus 5600 Series switch. The NETWORK_SERVICES_PKG license is available starting with Cisco NX-OS Release 7.2(0)N1(1). If you need to use RISE and ITD features with the Cisco NX-OS Release 7.1(1)N1(1), please use the ENHANCED_LAYER2_PKG license. For a complete explanation of the Cisco NX-OS licensing scheme and how to obtain and apply licenses, see the Cisco NX-OS Licensing Guide. |
Citrix Citrix Netscaler Application Delivery Controller (ADC) operation system |
The Cisco Remote Integrated Services Engine (RISE) does not require a license on the Citrix NetScaler Application Delivery Controller (ADC) appliance for auto-attach. Advanced features, such as auto policy-based routing (APBR), require the NetScaler Platinum or Enterprise license on the Citrix NetScaler Application Delivery Controller (ADC) appliance. To display the license status, use the show license command in the NetScaler command line interface |
Auto policy-based routing (APBR) has the following guidelines and limitations:
The globally configured Use Source IP (USIP) takes precedence only when the user does not specify a local choice for the USIP option.
If the USIP option is set on a service or service group by way of inheritance at the time you create either the service or group, the option is sticky on that service or group.
If you modify a global property, such as USIP, after you create a service or service group, the global modification does not apply to either the service or group. However, you can modify a service or group locally by using the set commands.
One RS cannot be connected through multiple VLAN interfaces. However, one or more RSs can be connected through the same interface on the Cisco Nexus device to which the APBR policy is applied.
Multiple next-hop IP addresses for the same RS are not supported in RISE
RISE does not support multiple services with the same RS IP address and port protocol. The only exception is as follows: Two identical services (with different service names) can be on the active and standby RISE-enabled appliance, pointing to the same APBR configuration.
The virtual routing and forwarding (VRF) instance of the route to the RS must be the same as for the client VLAN switch virtual interface (SVI) to which the virtual IP (VIP) address is associated. The VRF does not need to be the default VRF.
We do not recommend that you make any route changes on the egress interface to the RS. If you do make changes, see the troubleshooting information at http://support.citrix.com/proddocs/topic/netscaler/ns-gen-netscaler-wrapper-con.html.
Equal Cost Multipath (ECMP) is not supported.
Parameter | Default |
---|---|
USIP | Disabled |
This section includes the following topics:
To manually enable the RISE feature and any RISE_APBR NS modes for publishing APBR rules, type the following commands at the command prompt:
You must enable the policy-based routing feature on the Cisco Nexus 5600 Series switch to support auto policy-based routing (APBR). The Citrix Netscaler Application Delivery Controller (ADC) appliance automatically adds the appropriate rules to the Cisco Nexus switch for APBR.
Make sure that you are in the correct VDC on the Cisco Nexus switch. To switch VDCs, use the switchto vdc command.
Command or Action | Purpose |
---|
This section includes the following topics:
The NetScaler management IP address (NSIP) is the IP address for management and general system access to the Citrix NetScaler Application Delivery Controller (ADC) appliance and for high availability (HA) communication.
You can configure the NSIP on your appliance by using either the configuration prompts or the command-line interface (CLI).
Note | To prevent an attacker from impeding your ability to send packets to the appliance, choose a nonroutable IP address on your organization's LAN as your appliance IP address. |
Ensure that a port channel is configured on the appliance and that the appliance's physical ports are mapped to this port channel.
Step 1 | Navigate to System > Settings. |
Step 2 | In the details pane, under Settings, click Change NSIP Settings. |
Step 3 | In the Configure NSIP Settings dialog box, set the parameters. For a description of a parameter, hover the mouse cursor over the corresponding field. |
Step 4 | Under Interfaces, choose the interfaces from the Available Interfaces list and click Add to move them to the Configured Interfaces list. |
Step 5 | Click OK. In the Warning dialog box, click OK. The configuration takes effect after the Citrix NetScaler Application Delivery Controller (ADC) appliance is restarted. |
The NSVLAN is a VLAN to which the NetScaler management IP (NSIP) address's subnet is bound. The NSIP subnet is available only on interfaces that are associated with NSVLAN. By default, NSVLAN is VLAN1, but you can designate a different VLAN as NSVLAN. If you designate a different VLAN as an NSVLAN, you must reboot the Citrix NetScaler Application Delivery Controller (ADC) appliance for the change to take effect. After the reboot, NSIP subnet traffic is restricted to the new NSVLAN.
Perform only one of the following tasks:
Enter the following commands prompt to configure NSVLAN using the CLI:
Step 1 | set ns config - nsvlan
positive_integer - ifnum interface_name ... [-tagged (YES |
NO)]
| ||
Step 2 | (Optional)
show ns config
set ns config -nsvlan 300 -ifnum 1/1 1/2 1/3 -tagged NO save config | ||
Step 3 | (Optional)unset ns config -nsvlan
Restores the default configuration. |
Step 1 | Navigate to System > Settings. |
Step 2 | In the details pane, under Settings, click Change NSVLAN Settings. |
Step 3 | In the Configure NSVLAN Settings dialog box, set the parameters. For a description of a parameter, hover the mouse cursor over the corresponding field. |
Step 4 | Under Interfaces, choose the interfaces from the Available Interfaces list and click Add to move them to the Configured Interfaces list. |
Step 5 | Click OK. In the Warning dialog box, click OK. The configuration takes effect after the Citrix NetScaler Application Delivery Controller (ADC) appliance is restarted. |
APBR rules are configured on the Cisco Nexus 5600 Series switch by the Citrix Netscaler Application Delivery Controller (ADC) appliance when the Use Source IP (USIP) option is enabled. Perform only one of the following tasks to enable the USIP option on the Citrix Netscaler Application Delivery Controller (ADC) appliance:
To create a service and enable and set the Use Source IP (USIP) option on that service, type the following commands at the command prompt:
Ensure that the NSIP and NSVLAN are configured on the Citrix Netscaler Application Delivery Controller (ADC) appliance.
Step 1 | Use one of the
following commands:
Example: The following example shows how to create a service named svc12 and enable the USIP option on the service: > add service svc12 192.168.12.23 http 80 -usip YES Example: The following example shows how to change a previously created service (svc12) to enable APBR: > set service svc12 -usip YES | ||||||||||
Step 2 | (Optional)unset service
service-name
Disables disable the USIP option on an already configured service and deletes the corresponding APBR route on the Cisco Nexus device Example: The following example shows how to disable the USIP option on the service and delete the corresponding APBR route on the Cisco Nexus device: unset service svc12 |
To create a service group and enable the Use Source IP (USIP) option on that group, enter the following commands at the command prompt:
Ensure that the NSIP and NSVLAN are configured on the Citrix Netscaler Application Delivery Controller (ADC) appliance.
Step 1 | >
add
serviceGroup
service_name protocol-type port_number [-usip [yes |
no]
Creates a service group and enables the USIP option. The RISE appliance sends multiple APBR messages to the Cisco Nexus device. The protocol-type argument specifies a supported protocol including but not limited to the following keywords: dns, http, ssl, tcp, or udp.
Example: The following example shows how to create a service named svc12 and enable the USIP option on the service: > add serviceGroup svc_grp_1 http 80 -usip YES | ||
Step 2 | >
bind serviceGroup
service_group_name ipaddress port_number
Associates an IP address and port to the service group being configured. Repeat this step for each member IP address and port.
Example: The following example shows how to associate three IP addresses and ports to the group being configured. > bind serviceGroup svc_grp_1 192.168.14.12 80 > bind serviceGroup svc_grp_1 192.168.14.13 80 > bind serviceGroup svc_grp_1 192.168.14.14 80 | ||
Step 3 | >
set
serviceGroup
service_name [-usip [yes]
Sets the specified service and enables the USIP option.
Example: > set serviceGroup svc_grp_1 The following example shows how to disable the USIP option on all members of a service group and delete the corresponding APBR rules on the Cisco Nexus device: unset serviceGroup svc_grp_1 |
To globally enable Use Source IP (USIP) on the Citrix Netscaler Application Delivery Controller (ADC) appliance and set the USIP option on all services and service groups, enter the following command at the command prompt
1. > enable ns mode usip
Enables USIP on the Netscaler Application Delivery Controller (ADC) appliance. All subsequent added services are APBR services. Example: The following example shows how to enable USIP on the Citrix Netscaler Application Delivery Controller (ADC) appliance and then create a service for which the USIP option is set because the setting is inherited from the global configuration: > enable ns mode USIP Done > add service svc_gl 192.168.12.72 http 80 Done |
To display the auto policy-based routing (APBR) configuration on the Citrix NetScaler Application Delivery Controller (ADC) appliance, perform one of the following tasks on appliance:
Command | Purpose |
---|---|
show apbrSvc service |
Displays information about the APBR service. |
show apbrSvc -summary [detail] |
Displays information about the APBR service. |
show license |
Displays information about the license that is loaded on the Citrix NetScaler Application Delivery Controller (ADC) appliance. |
show rise apbrSvc |
Displays the RISE running configuration on the Cisco Nexus 5600 Series switch. |
show rise profile |
Displays information about service profile. |
show service service-name |
Displays information about the specified service. |
> show apbrSvc 1) Entity Name : s1 Entity Type : Service Server IP : 192.168.15.252 Server Port : 80 Protocol : HTTP Nexthop IP : 192.168.4.100 VLAN : 4 2) Entity Name : s2 Entity Type : Service Server IP : 192.168.15.253 Server Port : 80 Protocol : HTTP Nexthop IP : 192.168.4.100 VLAN : 4 3) Entity Name : s3 Entity Type : Service Server IP : 192.168.15.254 Server Port : 80 Protocol : HTTP Nexthop IP : 192.168.4.100 VLAN : 4 4) Entity Name : sg2 Entity Type : ServiceGroup Server IP : 192.168.13.202 Server Port : 101 Protocol : HTTP Nexthop IP : 192.168.4.100 VLAN : 4 5) Entity Name : sg2 Entity Type : ServiceGroup Server IP : 192.168.13.202 Server Port : 102 Protocol : HTTP Nexthop IP : 192.168.4.100 VLAN : 4 Done
> show rise apbrSvc -summary ---------------------------------------------------------------------------- EntityName IPAddress Port Protocol NexthopIP VLAN ---------------------------------------------------------------------------- 1 s1 192.168.15.252 80 HTTP 192.168.4.100 4 2 s2 192.168.15.253 80 HTTP 192.168.4.100 4 3 s3 192.168.15.254 80 HTTP 192.168.4.100 4 4 sg2 192.168.13.202 101 HTTP 192.168.4.100 4 5 sg2 192.168.13.202 102 HTTP 192.168.4.100 4 Done
Note |
|
> show service svc_grp_1 s1 (192.168.15.252:80) - HTTP State: DOWN Last state change was at Thu Apr 3 13:04:15 2014 Time since last state change: 0 days, 00:00:28.850 Server Name: 192.168.15.252 Server ID : None Monitor Threshold : 0 Max Conn: 0 Max Req: 0 Max Bandwidth: 0 kbits Use Source IP: YES <=== Use Proxy Port: NO Client Keepalive(CKA): YES Access Down Service: NO TCP Buffering(TCPB): YES HTTP Compression(CMP): YES Idle timeout: Client: 180 sec Server: 360 sec Client IP: DISABLED Cacheable: NO SC: OFF SP: OFF Down state flush: ENABLED Appflow logging: ENABLED TD: 0 RISE CODE: APBR rule successfully Added <=== . . . Done
> show rise profile 1) Service Name : NS-rise Status : Active Mode : Indirect Device Id : JAF1429CJLB Slot Number : 300 VDC Id : 1 vPC Id : 0 SUP IP : 173.173.1.1 VLAN : 3 VLAN Group : 1 ISSU : None Interface : N/A
To display the auto policy-based routing (APBR) configuration on the Cisco Nexus 5600 Series switch and verify that the APBR policy was added, perform one of the following tasks on the switch:
Command | Purpose |
---|---|
show access list dynamic |
Displays information about the APBR service. |
show rise [detail] |
Displays information about the APBR service. |
show route-map |
Displays information about the license that is loaded on the Citrix Netscaler appliance. |
show service rise auto-pbr ipv4 slot slot |
Displays the RISE running configuration on the Cisco Nexus 5600 Series switch. |
switch# show access-lists dynamic Example correct output: IPV4 ACL _rise-system-acl-172.16.10.5-Vlan1010 10 permit tcp 10.10.10.11/32 eq 80 any 20 permit tcp 10.10.10.12/32 eq 80 any IPV4 ACL _rise-system-acl-172.16.11.5-Vlan1011 10 permit tcp 10.10.11.11/32 eq 50000 any
switch# show rise Name Slot Vdc Rise-Ip State Interface Id Id --------------- ---- --- --------------- ------------ --------- MPX 300 1 10.175.1.11 active Po10 Emu 301 1 100.0.1.4 active N/A VPX 302 1 100.0.1.6 active N/A APBR Configuration <=== rs ip rs port protocol nhop ip rs nhop apbr state slot-id --------------- ------- -------- --------------- -------- ---------- ------- 100.0.1.1 33275 TCP 100.0.1.2 Vlan100 ADD FAIL 301 100.0.1.3 64301 TCP 100.0.1.4 Vlan100 ADD DONE 301 100.0.1.5 21743 TCP 100.0.1.6 Vlan100 ADD DONE 301
switch# show rise detail RISE module name: MPX State: active Admin state: enabled Interface: Po10 Mode: direct Slot id: 300 Service token: 0x6 Serial number: AJSFH28FUF SUP IP: 10.175.1.99 RISE IP: 10.175.1.11 VDC id: 1 VLAN: 175 VLAN group: N/A VLAN list: N/A Data Interface: N/A RISE module name: Emu State: active Admin state: enabled Interface: N/A Mode: indirect Slot id: 301 Service token: 0x7 Serial number: 123-SERIAL SUP IP: 100.0.1.1 RISE IP: 100.0.1.4 VDC id: 1 VLAN: 100 VLAN group: N/A VLAN list: N/A Data Interface: N/A RISE module name: VPX State: active Admin state: enabled Interface: N/A Mode: indirect Slot id: 302 Service token: 0x8 Serial number: HE2H81UJ47 SUP IP: 100.0.1.1 RISE IP: 100.0.1.6 VDC id: 1 VLAN: 100 VLAN group: N/A VLAN list: N/A Data Interface: N/A APBR Configuration rs ip rs port protocol nhop ip rs nhop apbr state slot-id --------------- ------- -------- --------------- -------- ---------- ------- 100.0.1.1 33275 TCP 100.0.1.2 Vlan100 ADD FAIL 301 100.0.1.3 64301 TCP 100.0.1.4 Vlan100 ADD DONE 301 100.0.1.5 21743 TCP 100.0.1.6 Vlan100 ADD DONE 301
switch# show service rise ipv4 auto-pbr slot 301 APBR routes added by slot 301 rs ip port protocol nhop ip rs nexthop inf --------------- ------ -------- --------------- -------------- 100.0.1.1 33275 TCP 100.0.1.2 Vlan100 100.0.1.3 64301 TCP 100.0.1.4 Vlan100 100.0.1.5 21743 TCP 100.0.1.6 Vlan100
The following table lists the feature history for this feature.
Feature Name | Release | Feature Information |
---|---|---|
Auto policy-based routing (APBR) |
Cisco NX-OS 7.1(1)N1(1) |
Support for this feature was introduced on the Cisco Nexus 5600 Series switches. |
Appliance high availability |
||
APBR on vPC |