
Basic SNIP to Virtual Server bind question



Hello community,

 

So far I have had only simple ADC projects with one virtual server and no VLAN or traffic isolation.

Now I have my first project with 4 or 5 virtual servers on an ADC VPX cluster, and I have basic questions about SNIPs.

I want to separate the outgoing traffic to the backend servers; every virtual server has to use its own SNIP for this traffic, in order to make matching firewall rules on an incoming IP address.


Questions:

Can the SNIPs for 5 virtual servers come from one subnet, or do I have to use separate subnets and matching SNIPs?

 

Is there an easy way to bind all the backend traffic from one virtual server to a specific SNIP?

 

Can I assign one VLAN but different subnets to SNIPs (IP binding), or do I have to use a VLAN and a matching subnet with a matching SNIP for that subnet?


 

Sorry for perhaps some stupid questions.


Regards 

Christian 


You can create multiple SNIPs on same subnet. However, ADC will round-robin those SNIPs unless you configure Net Profiles on each VIP. https://docs.citrix.com/en-us/citrix-adc/13/load-balancing/load-balancing-manage-clienttraffic/use-specified-srcip.html

 

When creating a VLAN, only select one SNIP per subnet. Are you saying that you have multiple subnets on one VLAN?


If you want a separate backend IP per vserver without the problems of multiple SNIPs in the same network, you can also use the net profile to assign a "VIP" instead as the alternate backend IP. In this case you are actually using a "VIP" as an alternate backend IP and not an actual IP of a virtual server. Just define an IP with a /32 netmask as a VIP but place it in your backend network. Use the net profile as always; this avoids the issues of multiple SNIPs, and the VIP is just used as the alternate backend IP with none of the SNIP functions (no management access or other behaviors).

 

Regarding your other questions:

18 hours ago, Christian Kolbe said:

[1] Can the SNIPs for 5 virtual servers come from one subnet, or do I have to use separate subnets and matching SNIPs?

 

[2] Is there an easy way to bind all the backend traffic from one virtual server to a specific SNIP?

 

[3] Can I assign one VLAN but different subnets to SNIPs (IP binding), or do I have to use a VLAN and a matching subnet with a matching SNIP for that subnet?

 

 

[1] As Carl mentioned above (and I mentioned), you typically want to avoid multiple SNIPs in the same subnet. So while you can have 5 SNIPs in the same subnet and use separate net profiles to assign a SNIP per vserver, the problem is that the SNIPs will act as multiple gateways in the same subnet. While outbound traffic will use the SNIP assigned to the vserver, the return traffic from the server may use a different SNIP during the ARP lookup to return to the ADC. If you create VIPs in your backend network (the same subnet where you would have had the SNIP) and use the net profile to assign a unique "backend" VIP per vserver, then you avoid this while still maintaining a unique outbound/return IP per vserver.

 

[2] An easy way to bind all the backend traffic from one vserver to a specific SNIP (or alternate IP): again, use the net profile. If the net profile is configured on the LB vserver, then it applies to all services/service group members bound to this vserver. So "one and done". If you assign a net profile to a service, then the service net profile would be used for traffic to that destination, and you could in theory have unique IPs per service destination. But as long as you set it on the LB vserver itself, that setting applies to the services if there is no service-level setting.

 

If instead you have a vserver frontending services in different subnet destinations and you wanted to use a net profile to assign a single IP for all destinations, the answer is that it depends on other factors. I'm going to assume you meant the first scenario and not this one, but clarify if needed.

 

[3] A given VLAN can only have a single IP/subnet mask bound. So either a SNIP OR a VIP range (a fancy way of saying a VIP with a subnet mask other than /32). All IPs in that subnet represented by the SNIP/mask or VIP/mask will then be "owned" by that VLAN and its associated interface.

While the VLAN can have only one "subnet" binding, the subnet mask you use would cover multiple IPs in that IP/netmask in use. (This also associates the ownership of the IPs with the interface/channel bound to the VLAN.) A given interface/channel can participate in multiple VLAN bindings if you use tagged VLANs.

 

Different SUBNETs would usually be part of different VLANs.
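The "backend VIP plus net profile" scheme described above, written out as NetScaler CLI for two vservers. This is an added example, not configuration from the original posts; the vserver names, interface, VLAN id and all IP addresses are constructed.

```netscaler
# Constructed example: backend VLAN 30 owns 10.20.30.0/24 through a single SNIP.
# Each LB vserver sources its backend traffic from its own /32 VIP in that
# subnet via a net profile, so the backend firewall can match one source IP
# per vserver. The /32 VIPs are never used as listeners.

# Exactly one SNIP/mask bound to the backend VLAN (the VLAN "owns" the subnet).
add ns ip 10.20.30.5 255.255.255.0 -type SNIP
add vlan 30
bind vlan 30 -ifnum 1/1 -tagged
bind vlan 30 -IPAddress 10.20.30.5 255.255.255.0

# Per-vserver source addresses: /32 VIPs placed in the backend subnet.
# Being VIPs, they carry no management access and no SNIP behaviour.
add ns ip 10.20.30.11 255.255.255.255 -type VIP
add ns ip 10.20.30.12 255.255.255.255 -type VIP

# One net profile per vserver pins the source IP used toward the backend.
add netProfile np_app1 -srcIP 10.20.30.11
add netProfile np_app2 -srcIP 10.20.30.12

# Backend services (constructed server addresses).
add service svc_app1 10.20.30.100 HTTP 80
add service svc_app2 10.20.30.101 HTTP 80

# Bind the net profile at the LB vserver level: it then applies to every
# service and service group member bound to that vserver ("one and done").
add lb vserver vs_app1 HTTP 192.0.2.10 80 -netProfile np_app1
add lb vserver vs_app2 HTTP 192.0.2.11 80 -netProfile np_app2
bind lb vserver vs_app1 svc_app1
bind lb vserver vs_app2 svc_app2

# Verification: the profile shows its srcIP, the vserver shows its profile.
show netProfile np_app1
show lb vserver vs_app1
show ns ip -type VIP
```

With this in place the backend firewall only needs to permit 10.20.30.11 to the app1 servers and 10.20.30.12 to the app2 servers; a connection from the SNIP 10.20.30.5 toward a backend would indicate a vserver or service without its net profile.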

1 hour ago, Christian Kolbe said:

I will recommend to the customer ... to use different subnets and VLANs in the backend for every vserver.

One thing I might not have made clear that I intended: if you use the net profile to assign a backend "VIP" as the backend IP, they can be in the same subnet.

If you still want separate VLANs, then you can stick with your plan.
