
Citrix ADC 12.x Essentials
Basic Networking
Module 2

© 2019 Citrix Authorized Content
Learning Objectives
• Explain the purpose of the Citrix ADC-owned IP addresses.
• Identify the networking topologies used with the Citrix ADC.
• Explain the use of interfaces and VLANs during configuration.
• Discuss the available Citrix ADC routing and traffic-handling modes.
• Define Access Control Lists and how to configure them.
• Describe the Network Address Translation feature of the Citrix ADC.

OSI Networking Model
Figure: user data on the transmit side passes down through the seven layers (Application Layer (7), Presentation Layer (6), Session Layer (5), Transport Layer (4), Network Layer (3), Data Link Layer (2), Physical Layer (1)) to the physical link and back up the same layers to user data on the receive side.

Citrix ADC System Networking Overview

Citrix ADC is an application switch that performs application-specific traffic analysis to intelligently
distribute, optimize, and secure Layer 4 - Layer 7 (L4–L7) network traffic for web applications.

Figure: Client IP Address → Virtual IP Address → SNIP/MIP Address → Server IP Address.

Citrix ADC-Owned IP Addresses

Citrix ADC IP Addresses
The Citrix ADC uses different types of IP addresses for management and to proxy connections to servers.
To perform a basic setup, the following IP addresses are configured:
• Citrix ADC IP (NSIP) addresses
• Virtual IP (VIP) addresses
• Subnet IP (SNIP) addresses
• Mapped IP (MIP) addresses (legacy)

Citrix ADC IP Address
The Citrix ADC IP (NSIP) address is the primary IP address used for managing the system.
The Citrix ADC IP address is:
• Required at initial device configuration to allow system access.
• Used for system-to-system communication.
• Not removable.
If the NSIP is modified, restart the system in order for the change to be applied.

Virtual IP Address
Virtual IP (VIP) addresses are used for client-to-Citrix ADC communication.
• A VIP address is an IP address associated with a virtual server.
• ARP can be disabled to facilitate migration.
• ICMP can be disabled to turn off ping if it is required in the environment.

Subnet IP Address (SNIP)
The Subnet IP (SNIP) address functions as a proxy IP and is used by the Citrix ADC system for Citrix ADC-to-server communication.
The SNIP addresses can:
• Be bound to VLANs.
• Be used to monitor the health of servers.
• Provide management access.

Mapped IP (MIP) Address
• Mapped IP (MIP) addresses are used for server-side connections.
• A MIP has similar functionality to a SNIP.
• MIP addresses are deprecated and remain only to support legacy functionality. It is recommended that you use a SNIP instead.
• The MIP address should be available across all subnets and should never be bound to a VLAN.
• A MIP can be considered a default SNIP address, because MIPs are used when a SNIP is not available or Use SNIP (USNIP) mode is disabled.
• MIPs can be specified in a consecutive range.

Use Subnet IP Mode (USNIP)
• When Use SNIP (USNIP) mode is enabled:
  • A SNIP is the source IP address of a packet sent from the Citrix ADC to the server.
  • A SNIP is the IP address that the server uses to access the Citrix ADC.
• USNIP mode is enabled by default:
  • If disabled, a MIP must be defined.

Use Source IP Mode (USIP)
• When Use Source IP (USIP) mode is enabled:
  • The client IP is used as the source IP to the server.
  • The server gateway is set to the Citrix ADC SNIP.
  • Monitors are still sourced from the SNIP.
• By default, the Citrix ADC uses a SNIP or MIP to connect to the back-end servers.
• USIP passes the actual client IP address to the server instead of a MIP/SNIP.
• USIP:
  • Is not enabled by default.
  • Requires surge protection to be disabled for the HTTP protocol.
  • Can be enabled globally or at the service level.
  • Limits NS functionality.
  • Should only be used when required.

Applications that Require USIP
Figure: Client (Client IP) → Citrix ADC (Virtual IP) → Back-end Server (Server IP, default gateway: SNIP); the client IP (CIP) is carried through to the server.
• Rather than using the MIP/SNIP for the connection, use Layer 3 mode to enable the Citrix ADC to pass the Client IP address to the back-end server.
• Ensure L3 mode is enabled and the SNIP is set as the server's default gateway, as the response must pass back to the Citrix ADC.
Client-IP HTTP Header Insertion
• Client-IP HTTP header insertion is useful when a back-end server needs to identify the client that originated a request.
• When the connection is being proxied by the Citrix ADC system, it is available for HTTP and HTTPS traffic types.
• Using this instead of USIP still allows the full proxy functionality and enables the use of multiplexing and surge protection.
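The following is a small model of the source-address rules on the USNIP, USIP and Client-IP header slides above. It is an added example, not Citrix code; the configuration class, the function names and the X-Forwarded-For header name are assumptions made for the demonstration.

```python
"""Model of which source address a back-end server sees behind a Citrix ADC.

Added example, not Citrix code. Rules encoded from the slides: USNIP enabled ->
SNIP; USNIP disabled -> MIP (which must then exist); USIP enabled -> the client
IP, which needs L3 mode and the SNIP as the server's default gateway so the
reply returns through the ADC, needs surge protection off for HTTP, and gives
up multiplexing. Client-IP header insertion keeps the proxy path and still
tells the server who the client was. Monitors are always sourced from the SNIP.
The class, function and header names are assumptions for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AdcConfig:
    snip: str
    mip: Optional[str] = None
    usnip: bool = True                # Use Subnet IP mode, enabled by default
    usip: bool = False                # Use Source IP mode, disabled by default
    l3_mode: bool = True              # Layer 3 forwarding, enabled by default
    surge_protection: bool = False
    cip_header: Optional[str] = None  # header name when client-IP insertion is on


@dataclass
class ServerView:
    """What the back-end server observes for one proxied client request."""
    source_ip: str
    headers: Dict[str, str] = field(default_factory=dict)
    multiplexing: bool = True         # connection reuse toward the server
    warnings: List[str] = field(default_factory=list)


def proxy_request(cfg: AdcConfig, client_ip: str, server_gateway: str) -> ServerView:
    """Return what the server sees for a client request proxied by the ADC."""
    if cfg.usip:
        view = ServerView(source_ip=client_ip, multiplexing=False)
        # The server answers the client's address, so the reply only passes
        # back through the ADC if the SNIP is its default gateway in L3 mode.
        if not cfg.l3_mode or server_gateway != cfg.snip:
            view.warnings.append("USIP: enable L3 mode and make the SNIP the "
                                 "server's default gateway, or replies bypass the ADC")
        if cfg.surge_protection:
            view.warnings.append("USIP: surge protection must be disabled for HTTP")
    elif cfg.usnip:
        view = ServerView(source_ip=cfg.snip)
    else:
        if cfg.mip is None:
            raise ValueError("USNIP disabled: a MIP must be defined")
        view = ServerView(source_ip=cfg.mip)
    if cfg.cip_header:
        # Header insertion works in every mode and does not cost multiplexing.
        view.headers[cfg.cip_header] = client_ip
    return view


def monitor_probe_source(cfg: AdcConfig) -> str:
    """Health-monitor probes are sourced from the SNIP regardless of USIP."""
    return cfg.snip
```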

IP Set
• An IP Set is a set of IP addresses.
• An IP Set has a meaningful name that helps in identifying the usage of the IP addresses contained in it.

Lesson Objective Review
When should you be using a MIP address instead of a SNIP?
Answer: Only when absolutely necessary.
MIP addresses are considered a deprecated feature and exist only to support legacy functionality. Only when a SNIP address is not available should the MIP address be used. A SNIP gives better control than a MIP, due to its monitoring capabilities, and is recommended whenever possible.

Networking Topology

Network Topology
You can deploy the Citrix ADC system in the following network topologies:
Figure: One-Arm Mode (Client, Citrix ADC and Servers on a single segment) and Two-Arm Mode (Client and Servers on separate segments with the Citrix ADC between them).

One-Arm Mode
• One-arm mode is a simple configuration with one logical interface connected to one network segment.
• It supports:
  • A single VLAN
  • Link aggregation to satisfy additional bandwidth requirements
Figure: Client → Citrix ADC → Servers.

Two-Arm Mode (Inline)
• Two-arm mode (Inline) is an advanced configuration with a direct connection to the client network and a separate connection to the server network.
• Inline mode is more complicated to set up and supports the following:
  • Layer-3 (routed) deployments with one subnet on each side
  • Layer-2 (bridged) deployments with one subnet and the Citrix ADC bridging
Figure: Client → Citrix ADC → Servers.

Two-Arm Mode (Inline)
Figure: a Public/Front VLAN on the client side and a Private Server VLAN on the server side, with the Citrix ADC between them; the arrows are numbered 1 and 2 (User Request) and 3 and 4 (Response).
Step 1: A user initiates a request to a VIP representing the private servers.
Step 2: After performing the defined Citrix ADC process, the Citrix ADC forwards the request to the back-end server.
Step 3: The server responds to the Citrix ADC (SNIP).
The last slide of the sequence repeats the Step 3 caption; its fourth arrow, labelled Response, returns across the Public/Front VLAN.

Group Discussion
How is Citrix ADC deployed in your environment?

Interfaces and VLANs

Traffic Flow Management
Figure: Client (Client IP Address) → Citrix ADC (Virtual IP Address, MIP/SNIP Address) → Back-end Server (Server IP Address).
• Citrix ADC functions as a TCP proxy. It translates IP addresses before sending packets to a server.
• Clients connect to a VIP address (virtual server) instead of directly connecting to a server.
• The Citrix ADC selects a server and sends the client's request to that server using a SNIP/MIP.

Citrix ADC Networking Behavior
Figure: a typical network endpoint device beside a Citrix ADC, each with NIC 1 (MAC 1) and NIC 2 (MAC 2) attached to Subnet A and Subnet B.
• Typical network endpoint device: each data interface (MAC) sends and receives for a bound IP address (IP Address 1, IP Address 2).
• Citrix ADC: each data interface (MAC) can send and receive for all IP addresses (IP Address 1 … IP Address n).

Citrix ADC Network Interfaces
• Network interfaces are numbered in <slot>/<port> notation.
• To configure interfaces, you can:
• Enable or disable any interface.
• Display interface configuration.
• Reset an interface.
• Clear accumulated statistics.

Citrix ADC Management Interfaces
We recommend against using management ports for traffic processing, as they are not optimized for performance and do not give line-rate performance.

Link Aggregation
• Link aggregation combines data coming from multiple ports into a single, high-speed link.
• It increases the capacity and availability of the communication channel between the Citrix ADC and other connected devices.
• An aggregated link is also called a “channel”, and Citrix ADC supports static or manual configuration of 802.3ad Link Aggregation (LA).
• When a network interface is bound to a channel, the channel parameters have precedence over the network interface parameters.

Link Aggregation Control Protocol
Link Aggregation Control Protocol (LACP):
• Combines data from multiple ports into a single, high-speed link.
• Uses the IEEE 802.3ad standard (PAgP is not supported).

Link Redundancy (LR)
• Link Redundancy (LR) can be used to connect to multiple switches for redundancy while avoiding any network loops, using a minimum threshold parameter.
• Link Redundancy allows switching to an alternative channel when the available bandwidth falls below a certain level.
• Link Redundancy offers the ability to have a hot standby link (or channel).

Virtual Local Area Networks (VLANs)
• Use VLANs to logically group interfaces and to restrict data flow within a set of interfaces.
• A Citrix ADC system supports layer-2 port and IEEE 802.1q tagged VLANs.
• VLAN configurations are useful when restricting traffic to certain groups of stations.
• VLAN binding does not affect the source IP address selection.

VLAN Configuration
Implement VLANs in the following environments:
• Single subnet
• Multiple subnets
• Single LAN
• VLANs (no tagging)
• VLANs (802.1q tagging)

Port-Based VLANs
• The membership of a port-based VLAN is defined by a set of network interfaces that share a common, exclusive layer-2 broadcast domain.
• These allow the configuration of multiple port-based VLANs.

Tagged VLANs
• VLAN tagging inserts an additional header inside the Frame Header.
• The additional header contains a protocol ID and a VLAN ID.
• The VLAN ID identifies the virtual network associated with the packet.
Figure: IEEE 802.3 Frame with the inserted VLAN tag.
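To show where the tag sits in the frame, the following builds and parses the 802.1Q header the slide describes. It is an added example, not Citrix code; the function names are mine, the sample frames are constructed inline, and treating untagged frames as belonging to a native VLAN (1 here, the default NSVLAN VID on a later slide) is the general 802.1Q convention rather than a statement about the Citrix ADC's own behaviour.

```python
"""Build and parse the 802.1Q tag that VLAN tagging inserts into an Ethernet frame.

Added example, not Citrix code. After the destination and source MAC the tag
carries a protocol ID (TPID 0x8100) and a 16-bit TCI: 3-bit priority, 1-bit
DEI and the 12-bit VLAN ID that names the virtual network. Sample frames are
constructed here; function names are assumptions for the demonstration.
"""
import struct
from typing import Dict, Optional

TPID_8021Q = 0x8100


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, priority: int = 0) -> bytes:
    """Return an Ethernet frame, inserting an 802.1Q tag when vlan_id is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4094:          # 4095 is reserved by the standard
            raise ValueError("VLAN ID must be in 0..4094")
        tci = (priority << 13) | vlan_id      # PCP in the top 3 bits, VID in the low 12
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Return MACs, VLAN fields (None when untagged), payload EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info: Dict[str, object] = {"dst": _mac(frame[0:6]), "src": _mac(frame[6:12]),
                               "vlan_id": None, "priority": None}
    offset = 14
    if ethertype == TPID_8021Q:               # protocol ID announces the VLAN tag
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["priority"] = tci >> 13
        info["vlan_id"] = tci & 0x0FFF
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def effective_vlan(info: Dict[str, object], native_vid: int = 1) -> int:
    """Untagged frames belong to the port's native VLAN; tagged ones to their VID."""
    vid = info["vlan_id"]
    return native_vid if vid is None else int(vid)  # type: ignore[arg-type]
```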

Citrix ADC Virtual Local Area Network (NSVLAN)
• NSVLAN is the VLAN to which the Citrix ADC management IP (NSIP) address's subnet is bound.
• By default, NSVLAN has a VLAN ID (VID) of 1.

Group Discussion
Why would you implement VLANs with no tagging?

Routing

IP Address Routing
• The Citrix ADC system supports both dynamic and static routing.
• Most Citrix ADC implementations will use a static route to reduce routing overhead.
• Create backup static routes and monitor routes to enable automatic switchover if a static route goes down.
• A default gateway needs to be specified during the initial Citrix ADC configuration.

Static Routes
• Create static routes to allow the Citrix ADC to communicate with hosts on subnets that are not directly connected.
• Static routes are manually created to improve the performance of your network.
• You can monitor static routes to avoid service disruptions.
• You can assign weights to ECMP routes and create null routes to prevent routing loops.

Static Routes
• With static routes you can:
  • Monitor static routes in order to avoid service disruptions.
  • Create null routes to prevent routing loops.
• For an ECMP route, it is possible to configure a weight value:
  • The Citrix ADC then uses both the weight and the hashed value for balancing the load.

Policy-Based Routing
Use cases for policy-based routing:
• Traffic originating from a different network with different routing requirements, such as selecting a different next hop.
• Secure or non-secure links for different types of originating traffic.
• Traffic isolation for environments with shared infrastructure, such as using different routes for different VIP addresses to simulate the multi-tenant deployments of service providers.
• Both IPv4 and IPv6 need to be supported.

Policy-Based Routing

Citrix ADC Traffic Domains
• Citrix ADC traffic domains consist of VLANs, route tables, services, interfaces, and a SNIP.
• Traffic is completely segregated between traffic domains.
• Traffic domains can be configured to use:
  • Multiple route tables.
  • Duplicate IP addresses.
  • Duplicate Citrix ADC objects.

MAC-Based Forwarding (MBF) Mode
• MAC-Based Forwarding (MBF) improves performance by avoiding multiple address resolution protocol (ARP) or route table lookups when forwarding packets.
• This mode helps in supporting multiple routers with the ability to return the responses to the router that forwarded the original set of network packets.
• When MBF is enabled, it caches the MAC address of the uplink router that forwarded the request to the Citrix ADC.
• When a reply is received, it is passed through to the same router that sent the client request without going through any route lookup.
• If MBF is disabled, then the return path is determined by a route lookup or is sent to the default route if no specific route exists.

MAC-Based Forwarding Mode (MBF)
Figure: two upstream routers, each with its own MAC address, in front of the Citrix ADC (VIP: vserver-LB-1), with Server 1 and Server 2 (Service: service-ANY-2) behind it; the IP and MAC addresses of the router that forwarded the request are cached.

Lesson Objective Review
Should you use static or dynamic routing in your environment?
Answer: It depends on the needs of your environment.
In simple terms, static routing reduces routing overhead, while dynamic routing is faster and in some cases more fault tolerant; it really depends on your environment's needs. Many environments choose to use both in order to leverage the best of both worlds.

Traffic-Handling Modes

Default Traffic Flow
Figure: Client (Client IP) → Citrix ADC (Virtual IP, MIP/SNIP) → Back-end Server (Server IP).
Discussion question:
Based on the default behavior, when would the Citrix ADC receive packets that were not for a Citrix ADC-owned IP address?
Group Discussion
• In the default traffic flow configuration, all return traffic should be sent to a Citrix ADC-owned IP address. However, you may need the back-end server to see the Client IP address.
• Can you think of any situations where this might be a requirement?

Routing Traffic Using Layer 3 Mode
• By default, the Citrix ADC system functions as a Layer 3 network device.
• Layer 3 mode controls the Layer 3 forwarding function. You can use this mode to configure a Citrix ADC appliance to look at its routing table and forward packets.
• With Layer 3 mode enabled, the appliance performs route table lookups and forwards all packets that are not destined for any appliance-owned IP address.
• If you disable Layer 3 mode, the appliance drops packets that are not destined for it.

Routing Traffic Using Layer 2 Mode
• Layer 2 mode is disabled by default.
• You can use Layer 2 mode to configure a Citrix ADC appliance to behave as a Layer 2 device and bridge the packets that are not destined for it.
• When this mode is enabled, packets are not forwarded to any of the MAC addresses, because the packets can arrive on any interface of the appliance and each interface has its own MAC address.
• The exceptions to this forwarding behavior are:
  • Broadcasts received on an interface associated with a VLAN.
  • ICMP and UDP traffic that exceeds the value set for packet rate filters.
• Layer 2 mode should be avoided.
• The Citrix ADC system forwards data that is not addressed to its MAC address when running in Layer 2 (L2) mode.

Packet Forwarding with L2 and L3 Mode

Understanding Path MTU Discovery (PMTUD)
• Path MTU Discovery (PMTUD) allows the Citrix ADC to determine the largest packet size allowed along an arbitrary network path.
• This enables network traffic to flow correctly from one endpoint to another, without dropping any of the traffic.
• Path MTU is on by default.

Lesson Objective Review
When you enable USIP on the Citrix ADC, what benefit do you lose that can have a big impact on your server utilization?
Answer: Multiplexing
We are asking the Citrix ADC to pass the source IP to our back-end resources; it can no longer offload the conversations and multiplex. This can have a dramatic effect on the amount of resources the servers use.
As a best practice, test out client-IP header insertion before changing to USIP. It may solve the issue without sacrificing the other benefit.

Access Control Lists

Access Control Lists
• The Citrix ADC system compares incoming packets against the access control lists.
  • If a packet matches an access control list rule, the action specified in the rule is applied to the packet.
• Citrix ADC supports simple and extended ACL rules.
• If both simple and extended ACLs are configured, incoming packets are compared to the simple ACLs first.

Simple Access Control Lists
• Simple ACLs and Simple ACL6s filter packets on the basis of their source IP address and, optionally, by protocol, destination port, or traffic domain.
• Any packet that has the characteristics specified in the ACL is dropped.
• They can only DENY traffic.
• They support TCP and UDP traffic.
• If both simple and extended ACLs are configured, incoming packets are compared to the simple ACLs first.

Extended Access Control Lists
• Extended ACLs filter data packets on various parameters such as:
  • Source IP address
  • Source port
  • Action
  • Protocol
• An extended ACL defines the conditions to process the packet, bridge the packet, or drop the packet.
• An entry can be enabled or disabled as needed.
• Extended ACLs MUST be applied to take effect.
• At the CLI, the apply ns acls command makes all enabled access-control-list entries active.

Extended Access Control Lists Application
Each ACL has an active status and an applied status:
• The active status indicates whether an access control list is ENABLED or DISABLED.
• The applied status indicates whether the access control list is APPLIED or NOTAPPLIED.

Lesson Objective Review
What is the default action for any client request that hits your Citrix ADC from an IP NOT associated with any ACL?
Answer: The default rule is Allow.
Unlike many ACLs configured on firewalls, the Citrix ADC has a default allow rule in place. This means we are usually utilizing our ACLs to identify traffic we wish to stop, not traffic we wish to allow.

Network Address Translation

Network Address Translation (NAT)
• Network Address Translation (NAT) involves modification of the source IP address, destination IP address, or the TCP/UDP port numbers of IP packets that pass through the Citrix ADC system.
• It is supported for IPv4 and IPv6.
• The Citrix ADC system supports the following types:
  • Inbound Network Address Translation
  • Reverse Network Address Translation

Inbound Network Address Translation (INAT)
• When a client sends a packet to a Citrix ADC system that is configured for INAT, the system:
  • Translates the public destination IP address of the packets to a private destination IP address.
  • Forwards the packets to the server at that address.
• To protect the Citrix ADC from DoS attacks, you can enable TCP proxy. However, if other protection mechanisms are used in your network, you may want to disable them.
• The source IP is determined by what you select during creation and what is enabled or disabled on your Citrix ADC.

Reverse Network Address Translation (RNAT)
• When servers send data through the system, RNAT allows server-side addresses to be translated to the MIP address or a SNIP address of the Citrix ADC system.
• RNAT supports FTP.
• Before configuring a RNAT rule, consider the following points:
  • You can view RNAT and NAT IP address statistics, including bytes received, bytes sent, and packets received. If both INAT and RNAT are configured, the INAT rule takes precedence over the RNAT rule.
  • With both Link Load Balancing (LLB) and RNAT configured for traffic originating from the server, the appliance selects the source IP address based on the router. The LLB configuration determines the selection of the router.

RNAT Example
Figure: Client (200.200.200.1) — Internet — Citrix ADC SNIP Address (100.100.100.1) — Private Network — Back-end Server (192.168.1.1).
1. Packet generated by the back-end server: Source IP Address 192.168.1.1, Destination IP Address 200.200.200.1
2. Packet received by the client after RNAT: Source IP Address 100.100.100.1, Destination IP Address 200.200.200.1
3. Response packet from the client: Source IP Address 200.200.200.1, Destination IP Address 100.100.100.1
4. Packet received by the server after RNAT: Source IP Address 200.200.200.1, Destination IP Address 192.168.1.1
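The four-step exchange above, together with the INAT slide and the "INAT takes precedence over RNAT" rule, can be walked through with a small stateful translator. It is an added example, not Citrix code; the addresses of the RNAT example are reused, the INAT public/private pair and the ports are constructed, and ports are left untranslated, which is an assumption made for the demonstration.

```python
"""Model of the INAT and RNAT translations described in these slides.

Added example, not Citrix code. INAT rewrites the public destination of an
inbound packet to the private server address; RNAT rewrites the source of a
server-originated packet to the SNIP (or MIP). A session table lets the
client's reply be mapped back to the server. INAT is consulted before RNAT,
as the RNAT slide states. Ports are kept unchanged (an assumption); class and
method names and the INAT pair are constructed for the demonstration.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class InatRule:
    public_ip: str      # address the client sends to
    private_ip: str     # server that actually receives the packet


@dataclass
class RnatRule:
    network: str        # server-side network whose sources are translated
    nat_ip: str         # SNIP (or MIP) used as the new source address


class Nat:
    def __init__(self, inat: List[InatRule], rnat: List[RnatRule]) -> None:
        self.inat, self.rnat = inat, rnat
        # (client ip, nat ip, client port, server port) -> (server ip, server port)
        self.sessions: Dict[Tuple[str, str, int, int], Tuple[str, int]] = {}

    def from_server(self, p: Packet) -> Packet:
        """Packet leaving the private network: INAT takes precedence, then RNAT."""
        for r in self.inat:      # reply of an INAT flow keeps the public address
            if p.src == r.private_ip:
                return replace(p, src=r.public_ip)
        for r in self.rnat:      # server-originated traffic is sourced from the SNIP
            if ip_address(p.src) in ip_network(r.network):
                self.sessions[(p.dst, r.nat_ip, p.dport, p.sport)] = (p.src, p.sport)
                return replace(p, src=r.nat_ip)
        return p                 # no rule: forwarded untranslated

    def from_client(self, p: Packet) -> Packet:
        """Packet arriving from the public side: undo RNAT for a known session, else INAT."""
        key = (p.src, p.dst, p.sport, p.dport)
        if key in self.sessions:
            server_ip, server_port = self.sessions[key]
            return replace(p, dst=server_ip, dport=server_port)
        for r in self.inat:
            if p.dst == r.public_ip:
                return replace(p, dst=r.private_ip)
        return p
```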

Lab Exercise
• Ex 2-1: Configuring Networking

Key Takeaways
• Citrix ADC-owned IP addresses are an important part of the configuration when enabling product features.
• It is possible to configure a number of traffic modes to customize the flow of traffic in the environment.
• Access control lists can be configured on the Citrix ADC to help control traffic flow.

Work better. Live better.
