
Restrict traffic to specific ports for 1 SNIP out of 2 SNIPs on NetScaler



Hi,

 

I have a scenario wherein I have to restrict traffic to specific ports for 1 SNIP out of 2 SNIPs. Below is my setup.

 

Tenant 1 - VLAN10 (externally connected), VLAN11 (internally connected, with SNIP1). The gateways are tied to Netprofile1 to always use SNIP1.

Tenant 2 - VLAN20 (externally connected as tagged), VLAN21 (internally connected as tagged, with SNIP2). The gateways are tied to Netprofile2 to always use SNIP2.

We have LA channels configured. Interfaces 1 and 2 are bound to the internal channel and interfaces 3 and 4 to the external channel.

 

We can launch applications remotely through the gateways as expected.

 

The requirement here is to restrict all traffic on SNIP2 other than on ports 443, 1494 and 2598.

I have the below PBRs:

 

add ns pbr "NSIP - Block Radius Traffic - UDP" DENY -srcIP = NSIP -destPort = 1812 -nextHop NEXTHOP -protocol UDP -priority 1 -kernelstate SFAPPLIED61
add ns pbr "NSIP - Block Radius Traffic - 2812 UDP" DENY -srcIP = NSIP -destPort = 2812 -nextHop NEXTHOP -protocol UDP -priority 2 -kernelstate SFAPPLIED61
add ns pbr "NSIP - Block DNS Traffic - UDP" DENY -srcIP = NSIP -destPort = 53 -nextHop NEXTHOP -protocol UDP -priority 10 -kernelstate SFAPPLIED61
add ns pbr "NSIP - Block DNS Traffic - TCP" DENY -srcIP = NSIP -destPort = 53 -nextHop NEXTHOP -protocol TCP -priority 20 -kernelstate SFAPPLIED61
add ns pbr "NSIP Management Traffic" ALLOW -srcIP = NSIP -nextHop NEXTHOP -priority 30 -kernelstate SFAPPLIED61
add ns pbr "SNIP LAN Traffic" ALLOW -srcIP = SNIP1 -nextHop NEXTHOP1 -priority 40 -kernelstate SFAPPLIED61
add ns pbr "SNIP LAN Traffic -TENANT2-1" ALLOW -srcIP = SNIP2 -destPort = 443 -nextHop NEXTHOP2 -protocol TCP -priority 50 -kernelstate SFAPPLIED61
add ns pbr "SNIP LAN Traffic -TENANT2-2" ALLOW -srcIP = SNIP2 -destPort = 1494 -nextHop NEXTHOP2 -protocol TCP -priority 60 -kernelstate SFAPPLIED61
add ns pbr "SNIP LAN Traffic -TENANT2-3" ALLOW -srcIP = SNIP2 -destPort = 2598 -nextHop NEXTHOP2 -protocol TCP -priority 70 -kernelstate SFAPPLIED61
add ns pbr "SNIP LAN Traffic -TENANT2-DENYALL" DENY -srcIP = SNIP2 -nextHop NEXTHOP2 -priority 80 -kernelstate SFAPPLIED61

 

With the above PBRs in place, I still get traffic on ports 51467, 80, 636 and a few other ports. I need to find a way to avoid these.

 

Any advice would be very helpful.

 

Thank you.

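The following is an added example, not the poster's configuration or anything from Citrix: it models first-match evaluation of the PBR list above so that each outbound flow can be audited against the rule it actually hits. All addresses are constructed placeholders standing in for the thread's NSIP, SNIP1, SNIP2 and NEXTHOP values, only the match criteria used in the thread (source IP, protocol, destination port) are modelled, and the model assumes the PBRs have been applied. The forwarding outcome follows the NetScaler `add ns pbr` action semantics: ALLOW sends the packet to the designated next hop, while DENY falls back to the routing table rather than dropping the packet. That is why the flows on ports 80, 636 and 51467 still leave the appliance even though they match the priority-80 DENY rule, and why the thread's later fix is to stop the appliance sourcing traffic from that IP at all.

```python
# Added example (not the poster's configuration): model NetScaler PBR
# first-match evaluation to audit which rule each outbound flow hits.
# All IP addresses below are constructed placeholders for the thread's
# NSIP / SNIP1 / SNIP2 / NEXTHOP values.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pbr:
    name: str
    action: str                      # "ALLOW" or "DENY"
    priority: int                    # lower number is evaluated first
    src_ip: str
    next_hop: str
    dest_port: Optional[int] = None  # None = any destination port
    protocol: Optional[str] = None   # "TCP", "UDP" or None = any

    def matches(self, src_ip: str, protocol: str, dest_port: int) -> bool:
        # Only the match criteria used in the thread are modelled here;
        # -destIP, -srcPort, VLAN and interface criteria are ignored.
        return (self.src_ip == src_ip
                and (self.protocol is None or self.protocol == protocol)
                and (self.dest_port is None or self.dest_port == dest_port))


# Constructed placeholder addresses (assumption, not from the thread).
NSIP, SNIP1, SNIP2 = "10.0.0.10", "10.1.11.10", "10.2.21.10"
NEXTHOP, NEXTHOP1, NEXTHOP2 = "10.0.0.1", "10.1.11.1", "10.2.21.1"

# The PBR set from the thread with the placeholders substituted.
PBRS = [
    Pbr("NSIP - Block Radius Traffic - UDP", "DENY", 1, NSIP, NEXTHOP, 1812, "UDP"),
    Pbr("NSIP - Block Radius Traffic - 2812 UDP", "DENY", 2, NSIP, NEXTHOP, 2812, "UDP"),
    Pbr("NSIP - Block DNS Traffic - UDP", "DENY", 10, NSIP, NEXTHOP, 53, "UDP"),
    Pbr("NSIP - Block DNS Traffic - TCP", "DENY", 20, NSIP, NEXTHOP, 53, "TCP"),
    Pbr("NSIP Management Traffic", "ALLOW", 30, NSIP, NEXTHOP),
    Pbr("SNIP LAN Traffic", "ALLOW", 40, SNIP1, NEXTHOP1),
    Pbr("SNIP LAN Traffic -TENANT2-1", "ALLOW", 50, SNIP2, NEXTHOP2, 443, "TCP"),
    Pbr("SNIP LAN Traffic -TENANT2-2", "ALLOW", 60, SNIP2, NEXTHOP2, 1494, "TCP"),
    Pbr("SNIP LAN Traffic -TENANT2-3", "ALLOW", 70, SNIP2, NEXTHOP2, 2598, "TCP"),
    Pbr("SNIP LAN Traffic -TENANT2-DENYALL", "DENY", 80, SNIP2, NEXTHOP2),
]

# Constructed sample flows as (src_ip, protocol, dest_port); the SNIP2
# flows to 80, 636 and 51467 mirror the ports reported in the post.
FLOWS = [
    (SNIP2, "TCP", 443), (SNIP2, "TCP", 1494), (SNIP2, "TCP", 2598),
    (SNIP2, "TCP", 80), (SNIP2, "TCP", 636), (SNIP2, "TCP", 51467),
    (NSIP, "UDP", 1812), (NSIP, "TCP", 53), (NSIP, "TCP", 443),
    (SNIP1, "TCP", 80),
]


def lookup(pbrs, src_ip, protocol, dest_port):
    """Return the first matching PBR in priority order, or None if nothing matches."""
    for pbr in sorted(pbrs, key=lambda p: p.priority):
        if pbr.matches(src_ip, protocol, dest_port):
            return pbr
    return None


def route_decision(pbrs, src_ip, protocol, dest_port):
    """Forwarding outcome per the NetScaler PBR action semantics:
    ALLOW  -> forwarded to the PBR's designated next hop
    DENY   -> normal destination-based routing (the routing table)
    no hit -> routing table as well.
    In every case the packet leaves the appliance; a PBR never drops it.
    Returns (name of the rule hit or None, outcome string)."""
    pbr = lookup(pbrs, src_ip, protocol, dest_port)
    if pbr is None:
        return (None, "routing-table")
    if pbr.action == "ALLOW":
        return (pbr.name, "next-hop " + pbr.next_hop)
    return (pbr.name, "routing-table")


def audit(pbrs, flows):
    """Map each flow to the (rule, outcome) pair it receives."""
    return {flow: route_decision(pbrs, *flow) for flow in flows}


def falls_to_routing_table(pbrs, flows):
    """Flows that a DENY rule 'catches' but which are still forwarded via the
    routing table: the traffic the original post expected to be blocked."""
    return [flow for flow, (_, outcome) in audit(pbrs, flows).items()
            if outcome == "routing-table"]


if __name__ == "__main__":
    for flow, (rule, outcome) in audit(PBRS, FLOWS).items():
        print(f"{flow[0]:>11} {flow[1]} dport={flow[2]:<6} -> {outcome:<20} ({rule})")
    print("still forwarded despite DENY:", falls_to_routing_table(PBRS, FLOWS))
```

Running the block prints one line per sample flow; every SNIP2 flow on a port other than 443, 1494 or 2598 hits the priority-80 DENY rule and is still forwarded via the routing table, which matches what the post reports. The practical check this gives a defender is to run the intended flow list through the rule set before relying on a PBR to enforce an egress restriction: the evaluator shows what the rules steer, not what they block.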

  • 1 month later...

A delayed Update - 

 

We found a workaround. Basically, we removed the Tenant 2 SNIP. Using the same IP, we created a normal VIP.

Used a net profile to force the gateway vServers to use the VIP for all back end communications.

This made sure that NetScaler would never use the Tenant 2 VIP for its native requirements or for the other tenant's back-end communications.

 

 
