Jump to content
Welcome to our new Citrix community!

Netscaler Networkong

Alex Heng

Recommended Posts



I got a Citrix infrastructure that is running for about a year odd. I would like to know more about the Networking aspect of Netscaler.


I understand that there are 4 IPs to be given for the Netscaler and this is where I need some form of enlightenment.


The Netscaler & subnet IP are internal. Another subnet IP and virtual IP are external.


I understand that the Netscaler IP is for management of the Netscaler. Is my understanding correct? 


How about the subnet IP? Why is it internal?


There is also another set of external IP for both the subnet and virtual IP.


I understand that virtual IP is a external IP is due to the fact that it's tagged to a FQDN (virtual server). Is my understanding correct?


How about subnet IP? Why is it external IP?


Appreciate any form of enlightenment.


Thank You






Link to comment
Share on other sites



management ip should be from an internal subnet that is not exposed to internet. It should also have some firewall to limit access to this to only who needs to.

Then you can have a subnet used for the back-end, that means that servers will be in this subnet. Or this subnet can be used via routing (dynamic or static) to reach the servers in the back-end. you can have more than one subnet for this purpose.

Another subnet is for front-end this can be a public ip subnet or  if you also have a firewall in front that does NAT-ing this can be a private ip subnet. The vip ip's should be from this subnet. you can have more than one subnet for this purpose.



Link to comment
Share on other sites

  • 2 weeks later...

NSIP is the primary management IP, unique per box. Absolutely required


SNIP is simplistically described as the "proxy IP", used to send live traffic to the backend servers. (It is also possible to manage netscaler via a SNIP: this is very useful when you have an HA pair, as you will always connect to the active unit, which is where you need to be to make config changes, and gather live traffic stats). If you don't have a SNIP, then there's no way to talk to the backend = required!


The VIP (ie the IP on a vserver) is what the outside world connects to, and is ONLY used for the traffic to that vserver. So required! 


So why an "outside" SNIP? I can think of 2 reasons:


a) if there is any other traffic to/from netscaler, that can't go via the VIP, then you need a SNIP.


b) When you create a VIP by creating a VServer, then the VIPs netmask will be "", which will mean things won't work. There are 2 solutions to sort this out, both are valid: One is to include a SNIP, with the correct netmask (probably "") that defines the subnet that the VIP is in. The other way is to edit the VIP to have the correct netmask.


It used to be (and still is, for many people) "normal" to use a SNIP on the outside subnet when setting up a Netscaler

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...