
Queries on Netscaler LB (GSLB Related and Other )


Sudhir Bhagat


Dear Experts, 

 

I am new to the NetScaler Load Balancer platform and have to start working on a data center migration project shortly, where we have to migrate from F5 to NetScaler LB (VPX). I have certain queries and am requesting your help to get clarity or a solution.

 

1- What is the NetScaler equivalent of "Listener IP" and Wide IP (as in F5)?

2- What are ADNS IP, NSIP, SNIP, and SNIP (GSLB Site IP) in NetScaler, if we compare these with F5 terms?

3- On what basis does NetScaler (GSLB) decide which data center will serve the user request?

4- There is a concept of member ratio or member order under a GSLB wide IP in F5; a member with ratio configured as "0" will serve the request. What is the equivalent feature in NetScaler that decides which NetScaler/DC will respond to the user (i.e. the DC where the app is active)?

 

Apart from the above general queries, I am looking and searching for the below:

 

5- The proposal is 02 data centers (DC-1 & DC-2) to be configured in ACTIVE-PASSIVE mode. Each DC has only 01 perimeter (DMZ) FW, 01 internal FW, 01 DMZ NetScaler LB and 01 internal NetScaler LB.

 

In the existing data centers, the scenario is that a few applications (websites) are active on, or served by, DC-1 and standby in the other DC (DC-2), while some applications (websites) are active on, or served by, DC-2 and remain in a passive state in the other DC, i.e. DC-1. So as per my understanding this is sort of load balancer active-active from a GSLB perspective (i.e. ready to take and process user hits) but active-passive in the sense of websites. Can anyone please help me out with a practical solution or good documents for this requirement? Remember one point: both new data centers are to be configured in ACTIVE-PASSIVE mode (in terms of firewall clusters).

 

As of now I am looking for replies on the above queries, but going further, since I have just started to work on this assignment, I may have many more queries where I need all your guidance.

 

 Rgds

SB


I think Wide IP = GSLB Virtual Server. NetScaler has several types of Virtual Servers and GSLB is one of those types.

 

Listener IP sounds the same as ADNS Service IP, which listens for DNS requests.

 

NSIP = NetScaler management IP

SNIP is similar to F5 Self IP, which is used for Source NAT.

 

GSLB Virtual Servers have several load balancing algorithm options. If you bind multiple GSLB Services to the GSLB Virtual Server, then you can choose one of the algorithms, like RTT (Round Trip Time to client's DNS server), Static Proximity (static Proximity database), Least Connections, etc. There are also Persistence options configured at either the GSLB Virtual Server or the GSLB Service. 

 

You can create multiple GSLB Virtual Servers with different bound GSLB Services and configure them to cascade each other (Backup Virtual Server). The Domain Name is bound to the Primary (active) Virtual Server. If the Primary is down, then the Backup Virtual Server is returned.

 

You can bind different domain names to different GSLB Virtual Servers. 

 

Here's my GSLB Getting Started guide - https://www.carlstalhood.com/global-server-load-balancing-gslb-netscaler-12/


6 hours ago, Sudhir Bhagat said:

1- What is the NetScaler equivalent of "Listener IP" and Wide IP (as in F5)?

2- What are ADNS IP, NSIP, SNIP, and SNIP (GSLB Site IP) in NetScaler, if we compare these with F5 terms?

3- On what basis does NetScaler (GSLB) decide which data center will serve the user request?

4- There is a concept of member ratio or member order under a GSLB wide IP in F5; a member with ratio configured as "0" will serve the request. What is the equivalent feature in NetScaler that decides which NetScaler/DC will respond to the user (i.e. the DC where the app is active)?

 

Carl got you started.

2): ADNS IP - any IP address that you are running the ADNS (DNS authority) service on. For GSLB to work, the original DNS query has to get from the client to the NetScaler to resolve as part of the GSLB resolution process. In one scenario, you can use the NS to load balance your DNS services as a DNS proxy; the NS will then direct regular (non-GSLB) queries to your DNS servers, and GSLB-based records will be handled by itself. In this case no DNS authority is needed on the NS. In other cases, you can create a subdomain or otherwise delegate records from your regular DNS to the NS to handle resolution for. If so, then you would need to run a DNS authority on the NS that is reachable by the clients.

The ADNS IP is the IP of the ADNS service and can be created either with add dns nameServer <IP> -local, which creates an ADNS service on the specified IP on this NetScaler, or with add service svc_adns <IP> ADNS 53, which also creates an ADNS service on the specified IP. Then you need to work with your DNS admins to delegate a subdomain or individual records to the NS ADNS to resolve. See the NS GSLB Primer for more info on the DNS options: https://support.citrix.com/article/CTX123976 and this other article: https://support.citrix.com/article/CTX122619

 

NSIP is the NS management IP and is a unique identifier on the system. All systems have one and only one NSIP. See the NetScaler admin guide, Networking, for a full description of all NS-owned IPs: https://docs.citrix.com/en-us/citrix-adc/13/networking/ip-addressing/configuring-citrix-adc-owned-ip-addresses.html

 

SNIPs are subnet IPs, mostly used for NetScaler-to-server (backend) traffic, and are similar in concept to an F5 SNAT address. Traffic goes from the client to a VIP (the IP of a virtual server), then traffic usually leaves from a SNIP to the backend destination. Many different vservers can use the same SNIP, depending on which networks/VLANs you need to access. SNIPs act as the NetScaler's identity in the networks it is trying to connect to and can also be alternate management IPs. You need at least one; more depends on networking.

 

GSLB Site IPs: allow NS-to-NS communication for GSLB MEP (Metric Exchange Protocol). This allows the members of the GSLB config to exchange health checks, status, network metrics, and persistence information. The GSLB site communication can either be assigned its own IP address to do GSLB only (but management access needs to be enabled on it to allow the MEP communication), or it can be co-located with an existing SNIP. It can't be assigned to the NSIP or a VIP.

When you create a GSLB site you tell the NetScaler the IP to use for itself as the GSLB site IP and the IPs of all the partner sites.

 

3) The decision of which datacenter to deliver the IP out of depends on how gslb is configured.

A gslb service represents the potential IP you want the FQDN to resolve to.  You will then have a gslb service for each destination for each data center you want to use.

A gslb vserver is used to make the selection decision (aka gslb) between the potential ips in each datacenter.

Example:

add gslb site gslb_siteA <gslbIP1>
add gslb site gslb_siteB <gslbIP2>
add gslb service gslb_svcA <VIPA> http 80 -sitename gslb_siteA
add gslb service gslb_svcB <VIPB> http 80 -sitename gslb_siteB
add gslb vserver gslb_vsrv_demoweb HTTP -lbmethod leastconnection
bind gslb vserver gslb_vsrv_demoweb -serviceName gslb_svcA
bind gslb vserver gslb_vsrv_demoweb -serviceName gslb_svcB
bind gslb vserver gslb_vsrv_demoweb -domainName demoweb.company.com

#  This would alternate between gslb serviceA's and serviceB's IP addresses based on "leastconnection".
#  The service IPs would correspond to a specific lb vip/vpn vip/cs vip on the NSA and NSB NetScalers in each respective datacenter.

 

 

If you have multiple services bound to a single GSLB vserver (active/active), then your LB method determines the decision criteria: least connection or least bandwidth would send traffic to a data center based on traffic load. If you used dynamic RTT or location, then you would direct users to the "closest" data center by round trip time or by setting up a proximity IP map that compares IP addresses to location/site mappings.

 

For an active/passive config, you would have two GSLB vservers with one service each and designate one as the backup vserver for the other. In this case the backup IP is only ever returned when the primary is down:

add gslb site gslb_siteA <gslbIP1>
add gslb site gslb_siteB <gslbIP2>
add gslb service gslb_svcAprimary <VIPA> http 80 -sitename gslb_siteA
add gslb service gslb_svcBbackup <VIPB> http 80 -sitename gslb_siteB
add gslb vserver gslb_vsrv_primaryweb HTTP -lbmethod leastconnection
bind gslb vserver gslb_vsrv_primaryweb -serviceName gslb_svcAprimary
#  the domain is bound to the primary vserver only
bind gslb vserver gslb_vsrv_primaryweb -domainName primaryweb.company.com

add gslb vserver gslb_vsrv_backupweb HTTP
bind gslb vserver gslb_vsrv_backupweb -serviceName gslb_svcBbackup

#  no domain is bound to the backup vserver; it is only consulted when the primary is down
set gslb vserver gslb_vsrv_primaryweb -backupvserver gslb_vsrv_backupweb

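Carl's answer describes the primary/backup GSLB Virtual Server arrangement and the reply above gives the CLI for it. The script below is an added example, not part of either post and not NetScaler code: it reads a fragment of that CLI, lints it for the mistakes that silently break an active/passive design (a domain or backup bound to a vserver name that does not exist, a vserver that nothing can ever reach), and simulates which service IPs a domain would be answered with as services go down. It understands only the handful of commands used in this thread. The site and VIP addresses are constructed from the TEST-NET ranges, and the sample config deliberately keeps the two vserver-name typos from the active/passive fragment as first posted, so the linter has something to catch.

```python
"""Lint a NetScaler GSLB CLI fragment and simulate what a domain resolves to.
Added example for this thread, not NetScaler code. Understands only the commands
used in the post (add gslb site/service/vserver, bind gslb vserver -serviceName /
-domainName, set gslb vserver -backupvserver); anything else is ignored.
Addresses are constructed from the TEST-NET ranges."""

# The active/passive fragment as first posted, with its two name typos kept on
# purpose: the domain is bound to gslb_vsrv_demoweb (not defined here) and the
# backup is set on gslb_vsrv_priamryweb (misspelled).
BROKEN_CONFIG = """
add gslb site gslb_siteA 203.0.113.5
add gslb site gslb_siteB 198.51.100.5
add gslb service gslb_svcAprimary 203.0.113.10 HTTP 80 -sitename gslb_siteA
add gslb service gslb_svcBbackup 198.51.100.10 HTTP 80 -sitename gslb_siteB
add gslb vserver gslb_vsrv_primaryweb HTTP -lbmethod LEASTCONNECTION
bind gslb vserver gslb_vsrv_primaryweb -serviceName gslb_svcAprimary
bind gslb vserver gslb_vsrv_demoweb -domainName primaryweb.company.com
add gslb vserver gslb_vsrv_backupweb HTTP
bind gslb vserver gslb_vsrv_backupweb -serviceName gslb_svcBbackup
set gslb vserver gslb_vsrv_priamryweb -backupvserver gslb_vsrv_backupweb
"""
# Same fragment with both names corrected to gslb_vsrv_primaryweb.
FIXED_CONFIG = (BROKEN_CONFIG.replace("gslb_vsrv_demoweb", "gslb_vsrv_primaryweb")
                .replace("gslb_vsrv_priamryweb", "gslb_vsrv_primaryweb"))


def _opts(tokens):
    # ['-sitename', 'x', '-lbmethod', 'y'] -> {'sitename': 'x', 'lbmethod': 'y'}
    out, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("-") and i + 1 < len(tokens):
            out[tokens[i][1:].lower()] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return out


def parse(text):
    """Collect sites, services and vservers; binds/sets to unknown vservers are recorded."""
    cfg = {"sites": {}, "services": {}, "vservers": {}, "problems": []}
    for raw in text.splitlines():
        t = raw.split("#", 1)[0].split()
        if len(t) < 5 or t[1].lower() != "gslb":
            continue
        verb, kind, name, opts = t[0].lower(), t[2].lower(), t[3], _opts(t[4:])
        if verb == "add" and kind == "site":
            cfg["sites"][name] = t[4]
        elif verb == "add" and kind == "service":
            cfg["services"][name] = {"ip": t[4], "site": opts.get("sitename")}
        elif verb == "add" and kind == "vserver":
            cfg["vservers"][name] = {"services": [], "domains": [], "backup": None}
        elif kind == "vserver" and verb in ("bind", "set"):
            v = cfg["vservers"].get(name)
            if v is None:  # a misspelled vserver name lands here
                cfg["problems"].append(f"{verb} references undefined GSLB vserver {name}")
                continue
            if "servicename" in opts:
                v["services"].append(opts["servicename"])
            if "domainname" in opts:
                v["domains"].append(opts["domainname"])
            if "backupvserver" in opts:
                v["backup"] = opts["backupvserver"]
    return cfg


def lint(cfg):
    """Return findings that would break resolution or fail-over."""
    f = list(cfg["problems"])
    backups = {v["backup"] for v in cfg["vservers"].values()}
    for n, s in cfg["services"].items():
        if s["site"] not in cfg["sites"]:
            f.append(f"service {n} references undefined site {s['site']}")
    for n, v in cfg["vservers"].items():
        f += [f"vserver {n} binds undefined service {s}" for s in v["services"] if s not in cfg["services"]]
        if not v["services"]:
            f.append(f"vserver {n} has no bound services")
        if v["backup"] and v["backup"] not in cfg["vservers"]:
            f.append(f"vserver {n} names undefined backup {v['backup']}")
        if not v["domains"] and n not in backups:
            f.append(f"vserver {n} is unreachable: no domain bound and not anyone's backup")
    return f


def resolve(cfg, domain, state):
    """IPs eligible to be answered for domain, given per-service state ("UP"/"DOWN",
    default UP). Falls through the -backupvserver chain when every bound service is down."""
    name = next((n for n, v in cfg["vservers"].items() if domain in v["domains"]), None)
    seen = set()
    while name and name not in seen:
        seen.add(name)
        v = cfg["vservers"].get(name) or {"services": [], "backup": None}
        up = [cfg["services"][s]["ip"] for s in v["services"]
              if s in cfg["services"] and state.get(s, "UP") == "UP"]
        if up:
            return up
        name = v["backup"]
    return []


if __name__ == "__main__":
    for text in (BROKEN_CONFIG, FIXED_CONFIG):
        print(lint(parse(text)), resolve(parse(text), "primaryweb.company.com", {"gslb_svcAprimary": "DOWN"}))
```

With the typos in place the linter reports four findings and the resolver returns nothing for primaryweb.company.com, because the domain is bound to a name that does not exist; there is no fail-over, just no answer. With the names corrected it returns the DC-A VIP while gslb_svcAprimary is UP, the DC-B VIP once it is DOWN, and nothing when both are down, which is exactly the active/passive behaviour described above. Running a check like this against the GSLB section of ns.conf before a migration cut-over is cheap compared with discovering the problem from client resolution failures.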

Hi Friends, 

 

We have worked out a plan for the data center migration; below is the approach.

 

Data Center Migration Proposed Plan - Active-Standby Data Center Approach.

New data centers are represented as: NDC-1 & NDC-2 (the future data centers)

Existing data centers are represented as: ODC-1 & ODC-2

 

The bullet points are as follows:

 

1) One pair of devices will be shared among both data centers (i.e. only one piece of hardware at each data center): perimeter firewall, internal firewall, LTM, GTM etc.

 

2) NDC-1 will be active for all traffic (10.10.0.0/16, the ODC-1 network range, and 10.20.0.0/16, the ODC-2 network range). At the network devices, all VLANs of ODC-1 (e.g. 10.10.0.0/16) and ODC-2 (e.g. 10.20.0.0/16) will be created in NDC-1 as active and in NDC-2 as standby.

 

3) We have to consolidate the firewalls of the existing DCs (ODC-1 and ODC-2) into one firewall, active in NDC-1 and standby in NDC-2.

 

4) Two partitions to be created in the LTM, one for the ODC-1 VIPs (10.10.0.0/16) and the other for the ODC-2 VIPs (10.20.0.0/16).

 

5) ODC-1 workloads (10.10.0.0/16) to be migrated to NDC-1. ODC-2 workloads (10.20.0.0/16) to be migrated to NDC-2.

 

6) Traffic for 10.10.0.0/16 to be served locally in NDC-1. Traffic for 10.20.0.0/16 will hit the NDC-1 data center WAN layer and communicate with the NDC-2 workloads over the extended L2 network. The return traffic will travel the same way, exiting from the NDC-1 data center.

 

7) In the event of any device failure at NDC-1 (firewall/load balancer), NDC-2 will become active and the traffic will travel over the extended L2 network to reach the other DC.

 

8) In the event of complete DC failure at NDC-1:

-->     For Active-Active applications, the workloads at NDC-2 will keep running the show.

-->     For Active-Standby applications, we have to initiate the DR.

 

Requesting your suggestions or corrections on the above plan, and please guide me on the NetScaler LTM as well as GTM configuration for the critical segments. It would be good enough to have some sample configuration examples for understanding.

 

I will come back for help & suggestions on F5 iRule to NetScaler policy conversion. Don't mind....

 

Rgds

*** 

