Friday 30 September 2016

Configuring Virtual LANs

The NetScaler supports (Layer 2) port and IEEE802.1Q tagged virtual LANs (VLANs). VLAN configurations are useful when you need to restrict traffic to certain groups of stations. You can configure a network interface to belong to multiple VLANs using IEEE 802.1q tagging.

You can bind your configured VLANs to IP subnets. The NetScaler (if it is configured as the default router for the hosts on the subnets) then performs IP forwarding between these VLANs. A NetScaler supports the following types of VLANs.

• Default VLAN. By default, the network interfaces on a NetScaler are included in a single, port-based VLAN as untagged network interfaces. This default VLAN has a VID of 1 and exists permanently. It cannot be deleted, and its VID cannot be changed.

• Port-Based VLANs. A set of network interfaces that share a common, exclusive, Layer 2 broadcast domain define the membership of a port-based VLAN. You can configure multiple port-based VLANs.

• Tagged VLAN. A network interface can be a tagged or untagged member of a VLAN. Each network interface is an untagged member of only one VLAN (its native VLAN). The untagged network interface forwards the frames for the native VLAN as untagged frames. A tagged network interface can be a part of more than one VLAN. When you configure tagging, be sure that both ends of the link have matching VLAN settings. You can use the configuration utility to define a tagged VLAN (nsvlan) that can have any ports bound as tagged members of the VLAN. Configuring this VLAN requires a reboot of the NetScaler and therefore must be done during initial network configuration.

Note: The VLAN configuration is neither synchronized nor propagated. You must perform the configuration on each unit in a high availability (HA) pair independently. The best practice is to set the VLAN ID for an NSIP to 1.

Creating a VLAN
You can implement VLANs in the following environments:
• Single subnet
• Multiple subnets
• Single LAN
• VLANs (no tagging)
• VLANs (802.1q tagging)
You can use either of the following procedures to create a VLAN.

To create a VLAN using the configuration utility
1. In the navigation pane, expand Network and click VLANs. The VLANs page appears in the details pane.
2. Click Add. The Add VLAN dialog box appears.
3. In the VLAN Id text box, type the ID of the VLAN, for example, 2.
4. Click Create and click Close. The VLAN you added appears in the VLANs page.

To create a VLAN using the NetScaler command line
At a NetScaler command prompt, type:
add vlan 2

For more information about VLANs, see the Citrix NetScaler Networking Guide. When you create VLANs that have only untagged network interfaces as their members, the total number of possible VLANs is limited to the number of network interfaces available on the NetScaler. If more IP subnets are required with a VLAN configuration, 802.1q tagging must be used.
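The VLAN rules above (a permanent default VLAN 1, one native VLAN per interface, tagged interfaces in many VLANs) and the note that VLAN configuration is not synchronized across an HA pair are worked through here in a Python model. It is an added example, not code from the page or from Citrix: it applies add vlan / bind vlan / rm vlan lines in the page's own syntax to a per-unit model and reports drift between two units. The interface names, the VLAN plan, and the behaviour that an untagged bind moves an interface out of its previous native VLAN (and that removing a VLAN returns its untagged members to VLAN 1) are assumptions.

```python
import shlex

DEFAULT_VID = 1  # exists permanently; cannot be deleted and its VID cannot change

def new_config(interfaces):
    """All interfaces start as untagged members of the default VLAN (VID 1)."""
    return {DEFAULT_VID: {"untagged": set(interfaces), "tagged": set()}}

def apply_command(config, line):
    """Apply one add vlan / bind vlan / rm vlan line, in the page's CLI syntax."""
    argv = shlex.split(line)
    if len(argv) < 3 or argv[0] not in ("add", "bind", "rm") or argv[1] != "vlan":
        raise ValueError(f"unsupported command: {line}")
    vid = int(argv[2])
    if argv[0] == "add":
        if vid in config:
            raise ValueError(f"VLAN {vid} already exists")
        config[vid] = {"untagged": set(), "tagged": set()}
    elif argv[0] == "bind":
        if vid not in config:
            raise ValueError(f"VLAN {vid} does not exist")
        ifnum = argv[argv.index("-ifnum") + 1]
        if "-tagged" in argv:
            config[vid]["tagged"].add(ifnum)      # tagged: may belong to many VLANs
        else:
            # untagged: exactly one native VLAN per interface, so (assumption)
            # an untagged bind moves the interface out of its previous native VLAN
            for members in config.values():
                members["untagged"].discard(ifnum)
            config[vid]["untagged"].add(ifnum)
    else:
        if vid == DEFAULT_VID:
            raise ValueError("the default VLAN cannot be deleted")
        removed = config.pop(vid)
        # assumption: interfaces losing their native VLAN fall back to VLAN 1
        config[DEFAULT_VID]["untagged"] |= removed["untagged"]
    return config

def build(interfaces, commands):
    config = new_config(interfaces)
    for line in commands:
        apply_command(config, line)
    return config

def ha_drift(primary, secondary):
    """VLAN configuration is not synchronized across an HA pair, so compare the
    two units' models and report every VID whose membership differs."""
    findings = []
    for vid in sorted(set(primary) | set(secondary)):
        a, b = primary.get(vid), secondary.get(vid)
        if a is None or b is None:
            findings.append(f"VLAN {vid} missing on {'secondary' if b is None else 'primary'}")
        elif a != b:
            findings.append(f"VLAN {vid} membership differs: {a} vs {b}")
    return findings

# Constructed sample: interface names and the VLAN plan are made up for this example.
IFACES = ["0/1", "1/1", "1/2", "1/8"]
PRIMARY_CMDS = ["add vlan 2", "bind vlan 2 -ifnum 1/8", "add vlan 3",
                "bind vlan 3 -ifnum 1/1 -tagged", "bind vlan 3 -ifnum 1/2 -tagged"]
SECONDARY_CMDS = ["add vlan 2", "bind vlan 2 -ifnum 1/8"]  # VLAN 3 forgotten here

if __name__ == "__main__":
    for finding in ha_drift(build(IFACES, PRIMARY_CMDS), build(IFACES, SECONDARY_CMDS)):
        print("DRIFT:", finding)
```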

Binding a Network Interface to a VLAN
You can use either of the following procedures to bind a network interface to a VLAN.

To bind a network interface to a VLAN using the configuration utility
1. In the navigation pane, expand Network and click VLANs. The VLANs page appears in the details pane.
2. Select the VLAN to which you want to bind the interface, for example, 2.
3. Click Open. The Modify VLAN dialog box appears.
4. Under Interfaces, select the Active check box corresponding to the network interface that you want to bind to the VLAN, for example, 1/8.
5. Click OK.

To bind a network interface to a VLAN using the NetScaler command line
At a NetScaler command prompt, type:
bind vlan 2 -ifnum 1/8

Verifying the Configuration
Viewing the configuration enables you to troubleshoot any problem in the configuration.

Viewing the Properties of VLANs
You can view properties such as VLAN ID, members, and tagging of the configured VLANs. You can use either of the following procedures to view the properties of the VLANs.

To view the properties of VLANs using the configuration utility
1. In the navigation pane, expand Network and click VLANs. The VLANs page appears in the details pane. The details of the available VLANs appear on this page.
2. Verify that the configured VLAN (with ID 2 if you used the example in the previous procedure) appears.
3. Select the configured VLAN and, in the Details section, verify that the parameters displayed are correctly configured.

To view the properties of VLANs using the NetScaler command line
At a NetScaler command prompt, type:
show vlan

Viewing the Statistics of a VLAN
You can view statistics such as packets received, bytes received, packets sent, and bytes sent of configured VLANs. You can use the statistics to monitor a VLAN and debug problems. You can use either of the following procedures to view the statistics of a VLAN.

To view the statistics of a VLAN using the configuration utility
1. In the navigation pane, expand Network and click VLANs. The VLANs page appears in the details pane.
2. Select the VLAN whose statistics you want to view, for example, 2.
3. Click Statistics. The VLAN Statistics dialog box appears.

To view the statistics of a VLAN using the NetScaler command line
At a NetScaler command prompt, type:
stat vlan 2

Thursday 29 September 2016

Citrix NetScaler Authentication and Authorization

NetScaler authentication and authorization functions are of two basic types. The users and groups functions allow you to define who has access to the NetScaler. Command policies allow you to define what parts of the NetScaler configuration a user or group is permitted to access and modify. In other words, command policies regulate which commands, command groups, and other elements NetScaler users and groups are permitted to use.

To configure authentication and authorization, you first define the users who have access to the NetScaler. After you have defined the users, you can organize them into groups. You then configure command policies to define the types of access, and assign the policies to users and/or groups.

In This Chapter

Defining Users
Defining Groups
Command Policies

Defining Users


Once you have changed the default password, no user can access the NetScaler until you create an account for that user. After you have defined your users by creating accounts for them, you might have to change passwords or remove user accounts.

Creating a User Account

To create a user account, you simply assign a user name and password. You use the parameters described in the following table.

Parameter    Specifies
User Name    Name that the user enters to request access.
Password     Password that the user enters to request access.

To create a user account, use either of the following procedures.

To add a user account using the configuration utility

1. In the navigation pane, expand System and click Users.
2. On the System Users page, click Add.
3. In the Create System User dialog box, in the User Name text box, type a name for the user (for example, johnd).
4. In the Password text box, type a password to assign to the user.
5. In the Confirm Password text box, again type the password that you have typed in the Password text box.
6. Click Create and click Close.

To add a user account using the NetScaler command line

At the NetScaler command prompt, type:
add system user userName

Example
add system user johnd

Changing a User Password

The following table describes the parameter you set to change a user password on the NetScaler.

Parameter    Specifies
Password     The password you assign for the user account.

To change a user password, use either of the following procedures.

To change the user password using the configuration utility

1. In the navigation pane, expand System and click Users.
2. On the System Users page, select the user account for which you want to change the password (for example, johnd) and click Change Password.
3. In the Password text box, type the new password.
4. In the Confirm Password text box, type the new password again.
5. Click OK.

To change the user password using the NetScaler command line

At the NetScaler command prompt, type:
set system user userName newpassword

Example
set system user johnd johnd1

Removing User Accounts

You can remove user accounts if the policy assigned to your account allows you to do so, or if you log in to the nsroot account. The nsroot account cannot be removed.

To remove a user account, use either of the following procedures.

To remove a user account using the configuration utility

1. In the navigation pane, expand System and click Users.
2. On the System Users page, select the user account that you want to remove (for example, johnd).
3. Click Remove. The Remove pop-up window appears.
4. Click Yes.

To remove a user using the NetScaler command line

At the NetScaler command prompt, type:
rm system user userName

Example
rm system user johnd

Defining Groups


To define a group, you first create the group, then bind users to the group.

Adding Groups

The following table describes the parameter you set to create a group.

Parameter    Specifies
Group Name   Name for the group of NetScaler users.

Use either of the following procedures to add a group.

To add a group using the configuration utility

1. In the navigation pane, expand System and click Groups.
2. On the System Groups page, click Add.
3. In the Create System Group dialog box, in the Group Name text box, type a name for the group (for example, Managers).
4. Click Create, and click Close.

To add a group using the NetScaler command line

At the NetScaler command prompt, type:
add system group groupName

Example
add system group Managers

Binding a User to a Group

You can bind each user account to more than one group. Binding user accounts to multiple groups may allow more flexibility when applying command policies. The following table describes the parameter you set to bind a user to a group.

Parameter    Specifies
User name    Name for the NetScaler user to be bound to the group.

To bind a user to a group, use either of the following procedures.

To bind a user to a group using the configuration utility

1. In the navigation pane, expand System and click Groups.
2. On the System Groups page, select a group and click Open.
3. In the Configure System Group dialog box, in the Members section, select the user you want to bind to the group from the Available Users list and click Add.

To bind a user to a group using the NetScaler command line

At the NetScaler command prompt, type:
bind system group groupName userName

Example
bind system group Managers johnd

Removing Groups

All the users and command policies that are currently bound to the group should be unbound before removing a group.

To remove a group using the configuration utility

1. In the navigation pane, expand System and click Groups.
2. On the System Groups page, select the group that you want to remove (for example, Managers).
3. Click Remove.
4. In the Remove pop-up, click Yes.

To remove a group using the NetScaler command line

At the NetScaler command prompt, type:
rm system group groupName

Example
rm system group Managers

Command Policies


Command policies regulate which commands, command groups, vservers, and other elements NetScaler users and user groups are permitted to use. The NetScaler provides a set of built-in command policies, and you can configure custom policies. To apply the policies, you bind them to user and/or groups.

Here are the key points to keep in mind when defining and applying command policies.

• No global command policies may be created on the NetScaler. Command policies must be bound directly to NetScaler users and groups.

• Users or groups with no associated command policies are subject to the default DENY-ALL command policy, and will therefore be unable to execute any commands until the proper command policies are bound to their accounts.

• All users inherit the policies of the groups to which they belong.

• You must assign a priority to a command policy when you bind it to a user account or group account. This enables the NetScaler to determine which policy has priority when two or more conflicting policies apply to the same user or group.

• The following commands are available by default to any user and are unaffected by any command policies you specify:

help cli, show cli attribute, clear cli prompt, alias, unalias, batch, source, help, history, man, quit, exit, whoami, config, set cli mode, unset cli mode, show cli mode, set cli prompt, and show cli prompt.

Built-in Command Policies

Four default command policies are available on the NetScaler. The following table describes them.

Policy Name    Allows
read-only      Read-only access to all show commands except show runningconfig, show ns.conf, and the show commands for the NetScaler command group.
operator       Read-only access and access to commands to enable and disable services and servers or place them in ACCESSDOWN mode.
network        Full access except to NetScaler commands, the shell command, and the show ns.conf and sh runningconfig commands.
superuser      Full access. Same privileges as the nsroot user.

Creating Custom Command Policies

Regular expression support is offered for users with the resources to maintain more customized expressions and those deployments that require the flexibility that regular expressions offer. For most users, the built-in command policies should be sufficient. Users who need additional levels of control, but are unfamiliar with regular expressions, may want to use only simple expressions, such as those in the examples provided in this section, to maintain policy readability.

When you use a regular expression to create a command policy, keep the following in mind.

• When you use regular expressions to define commands that will be affected by a command policy, you must enclose the commands in double quotes. For example, if you want to create a command policy named allowShow that includes all commands that begin with show, you should type the following:
"^show .*$"

If you want to create a command policy that includes all commands that begin with rm, you should type the following:
DENY "^rm .*$"

• Regular expressions used in command policies are case insensitive.

The following table gives examples of regular expressions:

Command Specification            Matches these Commands
"^rm\s+.*$"                      All remove actions, because all remove actions begin with the rm string, followed by a space and additional parameters and flags.
"^show\s+.*$"                    All show commands, because all show actions begin with the show string, followed by a space and additional parameters and flags.
"^shell$"                        The shell command alone, but not combined with any other parameters or flags.
"^add\s+vserver\s+.*$"           All create-a-vserver actions, which consist of the add vserver command followed by a space and additional parameters and flags.
"^add\s+(lb\s+vserver)\s+.*"     All create-an-lb-vserver actions, which consist of the add lb vserver command followed by a space and additional parameters and flags.
"^set\s+lb\s+.*$"                All commands that configure load balancing settings at the command group level.
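The key points listed earlier (inherited group policies, a priority on every binding, the default DENY-ALL, and the built-in commands that no policy touches) and the regular-expression table above are combined here into a small Python evaluator. It is an added example, not code from the page or from Citrix: the policy names, the priorities, and the rule that the lowest priority number is checked first are assumptions; the page only states that the priority decides between conflicting policies.

```python
import re

# Commands the page lists as always available, unaffected by any command policy.
ALWAYS_ALLOWED = {
    "help cli", "show cli attribute", "clear cli prompt", "alias", "unalias",
    "batch", "source", "help", "history", "man", "quit", "exit", "whoami",
    "config", "set cli mode", "unset cli mode", "show cli mode",
    "set cli prompt", "show cli prompt",
}

class CmdPolicy:
    """One command policy: an ALLOW or DENY action plus a command-spec regex."""
    def __init__(self, name, action, spec):
        if action not in ("ALLOW", "DENY"):
            raise ValueError("action must be ALLOW or DENY")
        self.name, self.action = name, action
        # Regular expressions used in command policies are case insensitive.
        self.pattern = re.compile(spec, re.IGNORECASE)

    def matches(self, command):
        return self.pattern.search(command) is not None

def evaluate(command, bindings):
    """Decide (action, policy_name) for one command line.

    bindings: (priority, CmdPolicy) pairs, the user's own bindings plus those
    inherited from every group the user belongs to. Assumption (the page only
    says the priority settles conflicts): the lowest number is checked first.
    Built-in commands bypass policies; no match at all means the default DENY-ALL.
    """
    command = command.strip()
    if command.lower() in ALWAYS_ALLOWED:
        return "ALLOW", "built-in"
    for _priority, policy in sorted(bindings, key=lambda b: b[0]):
        if policy.matches(command):
            return policy.action, policy.name
    return "DENY", "DENY-ALL (default)"

# Constructed sample: group Managers carries the broad ALLOW policies; user johnd
# gets stricter DENY policies at a lower number, so inherited ALLOWs cannot win.
MANAGERS = [(100, CmdPolicy("allowShow", "ALLOW", r"^show\s+.*$")),
            (110, CmdPolicy("allowLb", "ALLOW", r"^set\s+lb\s+.*$"))]
JOHND = [(10, CmdPolicy("denyShell", "DENY", r"^shell$")),
         (20, CmdPolicy("denyRm", "DENY", r"^rm\s+.*$"))]

def johnd_decision(command):
    """Evaluate a command for johnd: own bindings plus the inherited Managers ones."""
    return evaluate(command, JOHND + MANAGERS)

def priority_decides(command):
    """The same two conflicting policies bound in opposite priority orders."""
    deny_rm = CmdPolicy("denyRm", "DENY", r"^rm\s+.*$")
    allow_all = CmdPolicy("allowAll", "ALLOW", r"^.*$")
    strict = evaluate(command, [(10, deny_rm), (20, allow_all)])[0]
    loose = evaluate(command, [(10, allow_all), (20, deny_rm)])[0]
    return strict, loose

if __name__ == "__main__":
    for cmd in ("show vlan", "SHOW VLAN", "rm system user johnd", "shell", "shell ls",
                "add vlan 2", "whoami", "set lb vserver v1 -persistenceType SOURCEIP"):
        print(f"{cmd!r:50} -> {johnd_decision(cmd)}")
    print("rm vlan 2 (deny first / allow first):", priority_decides("rm vlan 2"))
```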

Thursday 22 September 2016

Configuring Modes of Packet Forwarding

A NetScaler can use the following modes to forward the packets it receives:
• Layer 2 (L2) Mode
• Layer 3 (L3) Mode
• MAC-Based Forwarding Mode

Enabling and Disabling Layer 2 Mode
Layer 2 mode controls the Layer 2 forwarding (bridging) function. You can use this mode to configure a NetScaler to behave as a Layer 2 device and bridge the packets that are not destined for it. When this mode is enabled, packets are not forwarded to any of the MAC addresses, because the packets can arrive on any interface of the NetScaler and each interface has its own MAC address.

With Layer 2 mode disabled (which is the default), a NetScaler drops packets that are not destined for one of its MAC addresses. If another Layer 2 device is installed in parallel with a NetScaler, Layer 2 mode must be disabled to prevent bridging (Layer 2) loops. You can use either of the following procedures to enable Layer 2 mode.

To enable Layer 2 mode using the configuration utility
1. In the navigation pane, expand System and click Settings. The Settings page appears in the details pane.
2. In the Modes and Features group, click Change modes. The Configure Modes dialog box appears.
3. Select the Layer 2 Mode check box.
4. Click OK. The Enable/Disable Feature(s)? message appears.
5. Click Yes.

To enable Layer 2 mode using the NetScaler command line
At a NetScaler command prompt, type:
enable ns mode l2

You can use either of the following procedures to disable Layer 2 mode.

To disable Layer 2 mode using the configuration utility
1. In the navigation pane, expand System and click Settings. The Settings page appears in the details pane.
2. In the Modes and Features group, click Change modes. The Configure Modes dialog box appears.
3. Clear the Layer 2 Mode check box.
4. Click OK. The Enable/Disable Feature(s)? message appears.
5. Click Yes.

To disable Layer 2 mode using the NetScaler command line
At a NetScaler command prompt, type:
disable ns mode l2

Enabling and Disabling Layer 3 Mode
Layer 3 mode controls the Layer 3 forwarding function. You can use this mode to configure a NetScaler to look at its routing table and forward packets that are not destined for it. With Layer 3 mode enabled (which is the default), a NetScaler performs route table lookups and forwards all packets that are not destined for any NetScaler-owned IP address. If you disable Layer 3 mode, the NetScaler drops these packets. You can use either of the following procedures to enable Layer 3 mode.

To enable Layer 3 mode using the configuration utility
1. In the navigation pane, expand System and click Settings. The Settings page appears in the details pane.
2. In the Modes and Features group, click Change modes. The Configure Modes dialog box appears.
3. Select the Layer 3 Mode (IP Forwarding) check box.
4. Click OK. The Enable/Disable Feature(s)? message appears.
5. Click Yes.

To enable Layer 3 mode using the NetScaler command line
At a NetScaler command prompt, type:
enable ns mode l3

You can use either of the following procedures to disable Layer 3 mode.

To disable Layer 3 mode using the configuration utility
1. In the navigation pane, expand System and click Settings. The Settings page appears in the details pane.
2. In the Modes and Features group, click Change modes. The Configure Modes dialog box appears.
3. Clear the Layer 3 Mode (IP Forwarding) check box.
4. Click OK. The Enable/Disable Feature(s)? message appears.
5. Click Yes.

To disable Layer 3 mode using the NetScaler command line
At a NetScaler command prompt, type:
disable ns mode l3

Enabling and Disabling MAC-Based Forwarding Mode
You can use MAC-based forwarding to process traffic more efficiently and avoid multiple-route or ARP lookups when forwarding packets, because the NetScaler remembers the MAC address of the source. To avoid multiple lookups, the NetScaler caches the source MAC address of every connection for which it performs an ARP lookup, and it returns the data to the same MAC address.
MAC-based forwarding is useful when you use VPN devices, because the NetScaler ensures that all traffic flowing through a particular VPN passes through the same VPN device.

When MAC-based forwarding is enabled, a NetScaler caches the MAC address of:
• The source (a transmitting device such as router, firewall, or VPN device) of the inbound connection.
• The server that responds to the requests.

When a server responds through a NetScaler, the NetScaler sets the destination MAC address of the response packet to the cached address, ensuring that the traffic flows in a symmetric manner, and then forwards the response to the client. The process bypasses the route table lookup and ARP lookup functions. However, when a NetScaler initiates a connection, it uses the route and ARP tables for the lookup function. To enable MAC-based forwarding, use either of the following procedures.


To enable MAC-based forwarding using the configuration utility

1. In the navigation pane, expand System and click Settings. The Settings page appears in the details pane.
2. In the Modes and Features group, click Change modes. The Configure Modes dialog box appears.
3. Select the MAC Based Forwarding check box.
4. Click OK. The Enable/Disable Feature(s)? message appears.
5. Click Yes.

To enable MAC-based forwarding using the NetScaler command line
At a NetScaler command prompt, type:
enable ns mode mbf

Some deployments require the incoming and outgoing paths to flow through different routers. In these situations, MAC-based forwarding breaks the topology design. For a global server load balancing (GSLB) site that requires the incoming and outgoing paths to flow through different routers, you must disable MAC-based forwarding and use the NetScaler unit's default router as the outgoing router.
With MAC-based forwarding disabled and Layer 2 or Layer 3 connectivity enabled, a route table can specify separate routers for outgoing and incoming connections. To disable MAC-based forwarding, use either of the following procedures.

To disable MAC-based forwarding using the configuration utility
1. In the navigation pane, expand System and click Settings. The Settings page appears in the details pane.
2. In the Modes and Features group, click Change modes. The Configure Modes dialog box appears.
3. Clear the MAC Based Forwarding check box.
4. Click OK. The Enable/Disable Feature(s)? message appears.
5. Click Yes.

To disable MAC-based forwarding using the NetScaler command line
At a NetScaler command prompt, type:
disable ns mode mbf