The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes how to configure the Auto Policy-Based Routing (PBR) feature on the Citrix NetScaler Application Delivery Controller (ADC) appliance to ensure that return traffic from the real server (RS) reaches the RISE appliance.
This chapter includes the following sections:
Your software release might not support all the features documented in this module. For the latest caveats and feature information, see the Bug Search Tool at https://tools.cisco.com/bugsearch/ and the release notes for your software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "New and Changed Information"chapter or the Feature History table in this chapter.
This section includes the following topics:
Policy-Based Routing (PBR) allows the creation of policies or rules that can selectively alter the path that packets take within the network. PBR can be used to mark packets so that certain types of traffic are prioritized over the rest, sent to a different destination, or exit through a different physical interface on the router. Classification of interesting traffic is performed using access control lists (ACLs).
PBR rules ensure that return traffic from the real server (RS) reaches the Remote Integrated Service Engine (RISE) appliance. The control channel on the Cisco Nexus Series switch is used to automate the creation of PBR rules.
After the RISE appliance applies the required configuration, the appliance sends auto PBR (APBR) messages to the Cisco Nexus switch including a list of servers (IP addresses, ports, and protocol) and the next-hop IP address of the appliance.
The Cisco Nexus switch creates the PBR rules for the associated switch virtual interfaces (SVIs). For the local servers, the switch creates the ACLs and route maps.
Auto policy-based routing (APBR) rules are configured on the Cisco Nexus switch by the Citrix NetScaler appliance only if the Use Source IP (USIP) option is enabled in the services or service groups on the Citrix NetScaler appliance. The rules are withdrawn when the USIP option is disabled. The USIP option can be configured locally or globally.
Two appliances are each connected to a different VDC in the same Cisco Nexus Series switch.
In each of the preceding topologies, one appliance is active and the other is in standby. Each connection acts as a separate service and is unaware of the other service. Each appliance sends APBR rules to the service in each VDC or in each switch, depending upon the topology. Each service sends the appropriate response to the appliance to which it is connected.
When a failover occurs, the standby appliance becomes the new active appliance. The old active appliance sends a PURGE message to the service. After the APBR purge is complete and the old active appliance receives a response, the appliance sends fresh APBR rules. Sending fresh rules ensures that the stale configuration does not remain on the old active appliance
Auto policy-based routing (APBR) has the following guidelines and limitations:
The globally configured Use Source IP (USIP) takes precedence only when the user does not specify a local choice for the USIP option.
If the USIP option is set on a service or service group by way of inheritance at the time you create either the service or group, the option is sticky on that service or group.
If you modify a global property, such as USIP, after you create a service or service group, the global modification does not apply to either the service or group. However, you can modify a service or group locally by using the set commands.
One RS cannot be connected through multiple VLAN interfaces. However, one or more RSs can be connected through the same interface on the Cisco Nexus device to which the APBR policy is applied.
Multiple next-hop IP addresses for the same RS are not supported in RISE
RISE does not support multiple services with the same RS IP address and port protocol. The only exception is as follows: Two identical services (with different service names) can be on the active and standby RISE-enabled appliance, pointing to the same APBR configuration.
The virtual routing and forwarding (VRF) instance of the route to the RS must be the same as for the client VLAN switch virtual interface (SVI) to which the virtual IP (VIP) address is associated. The VRF does not need to be the default VRF.
We do not recommend that you make any route changes on the egress interface to the RS. If you do make changes, see the troubleshooting information at http://support.citrix.com/proddocs/topic/netscaler/ns-gen-netscaler-wrapper-con.html.
Equal Cost Multipath (ECMP) is not supported.
| Parameter | Default |
|---|---|
| USIP | Disabled |
This section includes the following topics:
To manually enable the RISE feature and any RISE_APBR NS modes for publishing APBR rules, type the following commands at the command prompt:
| Step 1 |
(Optional) > enable feature RISE This step is only required if you did not enable RISE when you configured Cisco RISE with Citrix Netscaler. See the “Configuring Rise” chapter. Enables the RISE feature on the appliance. |
| Step 2 |
> enable ns mode RISE_APBR Enables the modes of type RISE_APBR on the Citrix Netscaler. |
You must enable the policy-based routing feature on the Cisco Nexus Series switch to support auto policy-based routing (APBR). The Citrix Netscaler Application Delivery Controller (ADC) appliance automatically adds the appropriate rules to the Cisco Nexus switch for APBR.
Make sure that you are in the correct VDC on the Cisco Nexus switch. To switch VDCs, use the switchto vdc command.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
switch# config term |
Enters global configuration mode |
| Step 2 |
switch(config)# feature pbr |
|
| Step 3 |
switch(config)# exit |
|
This section includes the following topics:
The NetScaler management IP address (NSIP) is the IP address for management and general system access to the Citrix NetScaler Application Delivery Controller (ADC) appliance and for high availability (HA) communication.
You can configure the NSIP on your appliance by using either the configuration prompts or the command-line interface (CLI).
 Note |
To prevent an attacker from impeding your ability to send packets to the appliance, choose a nonroutable IP address on your organization's LAN as your appliance IP address. |
Ensure that a port channel is configured on the appliance and that the appliance's physical ports are mapped to this port channel.
|
Perform one of the following tasks:
Example:The following example shows how to configure the NSIP using the CLI: |
Create a port channel on the Citrix NetScaler Application Delivery Controller (ADC) appliance and map its physical ports to this port channel.
| Step 1 |
Navigate to System > Settings. |
| Step 2 |
In the details pane, under Settings, click Change NSIP Settings. |
| Step 3 |
In the Configure NSIP Settings dialog box, set the parameters. For a description of a parameter, hover the mouse cursor over the corresponding field. |
| Step 4 |
Under Interfaces, choose the interfaces from the Available Interfaces list and click Add to move them to the Configured Interfaces list. |
| Step 5 |
Click OK. In the Warning dialog box, click OK. The configuration takes effect after the Citrix NetScaler Application Delivery Controller (ADC) appliance is restarted. |
The NSVLAN is a VLAN to which the NetScaler management IP (NSIP) address's subnet is bound. The NSIP subnet is available only on interfaces that are associated with NSVLAN. By default, NSVLAN is VLAN1, but you can designate a different VLAN as NSVLAN. If you designate a different VLAN as an NSVLAN, you must reboot the Citrix NetScaler Application Delivery Controller (ADC) appliance for the change to take effect. After the reboot, NSIP subnet traffic is restricted to the new NSVLAN.
Perform only one of the following tasks:
Enter the following commands prompt to configure NSVLAN using the CLI:
Create a port channel on the Citrix NetScaler Application Delivery Controller (ADC) appliance and map its physical ports to this port channel.
Configure the NS IP address (NSIP) on the appliance.
| Step 1 |
set ns config - nsvlan positive_integer - ifnum interface_name ... [-tagged (YES | NO)]
|
||
| Step 2 |
(Optional) show ns config |
||
| Step 3 |
(Optional) unset ns config -nsvlan Restores the default configuration. |
Create a port channel on the Citrix NetScaler Application Delivery Controller (ADC) appliance and map its physical ports to this port channel.
Configure the NetScaler IP address (NSIP) on the appliance.
| Step 1 |
Navigate to System > Settings. |
| Step 2 |
In the details pane, under Settings, click Change NSVLAN Settings. |
| Step 3 |
In the Configure NSVLAN Settings dialog box, set the parameters. For a description of a parameter, hover the mouse cursor over the corresponding field. |
| Step 4 |
Under Interfaces, choose the interfaces from the Available Interfaces list and click Add to move them to the Configured Interfaces list. |
| Step 5 |
Click OK. In the Warning dialog box, click OK. The configuration takes effect after the Citrix NetScaler Application Delivery Controller (ADC) appliance is restarted. |
APBR rules are configured on the Cisco Nexus Series switch by the Citrix Netscaler Application Delivery Controller (ADC) appliance when the Use Source IP (USIP) option is enabled. Perform only one of the following tasks to enable the USIP option on the Citrix Netscaler Application Delivery Controller (ADC) appliance:
To create a service and enable and set the Use Source IP (USIP) option on that service, type the following commands at the command prompt:
Ensure that the NSIP and NSVLAN are configured on the Citrix Netscaler Application Delivery Controller (ADC) appliance.
| Step 1 |
Use one of the following commands:
Example:The following example shows how to create a service named svc12 and enable the USIP option on the service: Example:The following example shows how to change a previously created service (svc12) to enable APBR: |
||||||||||
| Step 2 |
(Optional) unset service service-name Example:The following example shows how to disable the USIP option on the service and delete the corresponding APBR route on the Cisco Nexus device: |
To create a service group and enable the Use Source IP (USIP) option on that group, enter the following commands at the command prompt:
Ensure that the NSIP and NSVLAN are configured on the Citrix Netscaler Application Delivery Controller (ADC) appliance.
| Step 1 |
> add serviceGroup service_name protocol-type port_number [-usip [yes | no] Creates a service group and enables the USIP option. The RISE appliance sends multiple APBR messages to the Cisco Nexus device. The protocol-type argument specifies a supported protocol including but not limited to the following keywords: dns , http , ssl , tcp , or udp .
Example:The following example shows how to create a service named svc12 and enable the USIP option on the service: |
||
| Step 2 |
> bind serviceGroup service_group_name ipaddress port_number Associates an IP address and port to the service group being configured. Repeat this step for each member IP address and port.
Example:The following example shows how to associate three IP addresses and ports to the group being configured. |
||
| Step 3 |
> set serviceGroup service_name [-usip [yes] Sets the specified service and enables the USIP option.
Example:The following example shows how to disable the USIP option on all members of a service group and delete the corresponding APBR rules on the Cisco Nexus device: |
To globally enable Use Source IP (USIP) on the Citrix Netscaler Application Delivery Controller (ADC) appliance and set the USIP option on all services and service groups, enter the following command at the command prompt
|
> enable ns mode usip Enables USIP on the Netscaler Application Delivery Controller (ADC) appliance. All subsequent added services are APBR services. Example:The following example shows how to enable USIP on the Citrix Netscaler Application Delivery Controller (ADC) appliance and then create a service for which the USIP option is set because the setting is inherited from the global configuration: |
To display the auto policy-based routing (APBR) configuration on the Citrix NetScaler Application Delivery Controller (ADC) appliance, perform one of the following tasks on appliance:
| Command | Purpose |
|---|---|
|
show apbrSvc service |
Displays information about the APBR service. |
|
show apbrSvc -summary [detail] |
Displays information about the APBR service. |
|
show license |
Displays information about the license that is loaded on the Citrix NetScaler Application Delivery Controller (ADC) appliance. |
|
show rise apbrSvc |
Displays the RISE running configuration on the Cisco Nexus Series switch. |
|
show rise profile |
Displays information about service profile. |
|
show service service-name |
Displays information about the specified service. |
> show apbrSvc
1) Entity Name : s1
Entity Type : Service
Server IP : 192.168.15.252
Server Port : 80
Protocol : HTTP
Nexthop IP : 192.168.4.100
VLAN : 4
2) Entity Name : s2
Entity Type : Service
Server IP : 192.168.15.253
Server Port : 80
Protocol : HTTP
Nexthop IP : 192.168.4.100
VLAN : 4
3) Entity Name : s3
Entity Type : Service
Server IP : 192.168.15.254
Server Port : 80
Protocol : HTTP
Nexthop IP : 192.168.4.100
VLAN : 4
4) Entity Name : sg2
Entity Type : ServiceGroup
Server IP : 192.168.13.202
Server Port : 101
Protocol : HTTP
Nexthop IP : 192.168.4.100
VLAN : 4
5) Entity Name : sg2
Entity Type : ServiceGroup
Server IP : 192.168.13.202
Server Port : 102
Protocol : HTTP
Nexthop IP : 192.168.4.100
VLAN : 4
Done
> show rise apbrSvc -summary
----------------------------------------------------------------------------
EntityName IPAddress Port Protocol NexthopIP VLAN
----------------------------------------------------------------------------
1 s1 192.168.15.252 80 HTTP 192.168.4.100 4
2 s2 192.168.15.253 80 HTTP 192.168.4.100 4
3 s3 192.168.15.254 80 HTTP 192.168.4.100 4
4 sg2 192.168.13.202 101 HTTP 192.168.4.100 4
5 sg2 192.168.13.202 102 HTTP 192.168.4.100 4
Done
Note |
|
> show service svc_grp_1
s1 (192.168.15.252:80) - HTTP
State: DOWN
Last state change was at Thu Apr 3 13:04:15 2014
Time since last state change: 0 days, 00:00:28.850
Server Name: 192.168.15.252
Server ID : None Monitor Threshold : 0
Max Conn: 0
Max Req: 0 Max Bandwidth: 0 kbits
Use Source IP: YES <===
Use Proxy Port: NO
Client Keepalive(CKA): YES
Access Down Service: NO
TCP Buffering(TCPB): YES
HTTP Compression(CMP): YES
Idle timeout: Client: 180 sec
Server: 360 sec
Client IP: DISABLED
Cacheable: NO
SC: OFF
SP: OFF
Down state flush: ENABLED
Appflow logging: ENABLED
TD: 0
RISE CODE: APBR rule successfully Added <===
.
.
.
Done> show rise profile
1) Service Name : NS-rise
Status : Active
Mode : Indirect
Device Id : JAF1429CJLB
Slot Number : 300
VDC Id : 1
vPC Id : 0
SUP IP : 173.173.1.1
VLAN : 3
VLAN Group : 1
ISSU : None
Interface : N/ATo display the auto policy-based routing (APBR) configuration on the Cisco Nexus Series switch and verify that the APBR policy was added, perform one of the following tasks on the switch:
| Command | Purpose |
|---|---|
|
show access list dynamic |
Displays information about the APBR service. |
|
show rise [detail] |
Displays information about the APBR service. |
|
show route-map |
Displays information about the license that is loaded on the Citrix Netscaler appliance. |
|
show service rise auto-pbr ipv4 slot slot |
Displays the RISE running configuration on the Cisco Nexus Series switch. |
switch# show access-lists dynamic
Example correct output:
IPV4 ACL _rise-system-acl-172.16.10.5-Vlan1010
10 permit tcp 10.10.10.11/32 eq 80 any
20 permit tcp 10.10.10.12/32 eq 80 any
IPV4 ACL _rise-system-acl-172.16.11.5-Vlan1011
10 permit tcp 10.10.11.11/32 eq 50000 any
switch# show rise
Name Slot Vdc Rise-Ip State Interface
Id Id
--------------- ---- --- --------------- ------------ ---------
MPX 300 1 10.175.1.11 active Po10
Emu 301 1 100.0.1.4 active N/A
VPX 302 1 100.0.1.6 active N/A
APBR Configuration <===
rs ip rs port protocol nhop ip rs nhop apbr state slot-id
--------------- ------- -------- --------------- -------- ---------- -------
100.0.1.1 33275 TCP 100.0.1.2 Vlan100 ADD FAIL 301
100.0.1.3 64301 TCP 100.0.1.4 Vlan100 ADD DONE 301
100.0.1.5 21743 TCP 100.0.1.6 Vlan100 ADD DONE 301switch# show rise detail
RISE module name: MPX
State: active
Admin state: enabled
Interface: Po10
Mode: direct
Slot id: 300
Service token: 0x6
Serial number: AJSFH28FUF
SUP IP: 10.175.1.99
RISE IP: 10.175.1.11
VDC id: 1
VLAN: 175
VLAN group: N/A
VLAN list: N/A
Data Interface: N/A
RISE module name: Emu
State: active
Admin state: enabled
Interface: N/A
Mode: indirect
Slot id: 301
Service token: 0x7
Serial number: 123-SERIAL
SUP IP: 100.0.1.1
RISE IP: 100.0.1.4
VDC id: 1
VLAN: 100
VLAN group: N/A
VLAN list: N/A
Data Interface: N/A
RISE module name: VPX
State: active
Admin state: enabled
Interface: N/A
Mode: indirect
Slot id: 302
Service token: 0x8
Serial number: HE2H81UJ47
SUP IP: 100.0.1.1
RISE IP: 100.0.1.6
VDC id: 1
VLAN: 100
VLAN group: N/A
VLAN list: N/A
Data Interface: N/A
APBR Configuration
rs ip rs port protocol nhop ip rs nhop apbr state slot-id
--------------- ------- -------- --------------- -------- ---------- -------
100.0.1.1 33275 TCP 100.0.1.2 Vlan100 ADD FAIL 301
100.0.1.3 64301 TCP 100.0.1.4 Vlan100 ADD DONE 301
100.0.1.5 21743 TCP 100.0.1.6 Vlan100 ADD DONE 301
switch# show service rise ipv4 auto-pbr slot 301
APBR routes added by slot 301
rs ip port protocol nhop ip rs nexthop inf
--------------- ------ -------- --------------- --------------
100.0.1.1 33275 TCP 100.0.1.2 Vlan100
100.0.1.3 64301 TCP 100.0.1.4 Vlan100
100.0.1.5 21743 TCP 100.0.1.6 Vlan100
The following table lists the feature history for this feature.
| Feature Name | Release | Feature Information |
|---|---|---|
|
Auto policy-based routing (APBR) |
Cisco NX-OS 6.2(8) |
Support for this feature was introduced on the Cisco Nexus 7000 Series switches. |
|
Appliance high availability |
||
|
APBR on vPC |
Feedback