Posted

I have a client that is using their ADC as a layer 3 NAT and ACL router. Works great. They now want the ADC to route certain IPs to internal addresses without NATing. Is this possible? So all layer 3, no virtual servers intercepting on the ADC.

Posted

ADC, by default, is a L3 router. It will simply route traffic if you don't add NAT rules.

You may also use "load balancing" to route traffic. In case you do this, you also get some application logic. To preserve the user's IP you would need to use source IP mode.

Posted
32 minutes ago, Johannes Norz said:

ADC, by default, is a L3 router. It will simply route traffic if you don't add NAT rules.

You may also use "load balancing" to route traffic. In case you do this, you also get some application logic. To preserve the user's IP you would need to use source IP mode.

 

Unfortunately they don't want the ADC to own any IPs for back-end services, so presenting devices as load balancers is a no go; it all has to be done with routes, ACLs and NATs.

 

I have tried PBR, but still can't find a way to present the "back-end" ip to the front-end communication.

Posted
4 minutes ago, Jeff Riechers1709152667 said:

Unfortunately they don't want the ADC to own any IPs for back-end services, so presenting devices as load balancers is a no go; it all has to be done with routes, ACLs and NATs.

I have tried PBR, but still can't find a way to present the "back-end" ip to the front-end communication.

 

That's not right. If you use Source-IP mode (USIP mode), the ADC will proxy the connection, but instead of using its SNIP, it will "fake" the client IP. So the back-end server will "think" the packet came from the client. See here: https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-addressing/enabling-use-source-ip-mode.html

 

Cheers

 

Johannes Norz

Posted


3 minutes ago, Johannes Norz said:

That's not right. If you use Source-IP mode (USIP mode), the ADC will proxy the connection, but instead of using its SNIP, it will "fake" the client IP. So the back-end server will "think" the packet came from the client. See here: https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-addressing/enabling-use-source-ip-mode.html

Cheers

Johannes Norz

 

Yeah, saw that too. But using USIP was breaking their gateway connections, so might need to do some more massaging of the config to make it happen.

Posted
22 hours ago, Jeff Riechers1709152667 said:

Yeah, saw that too. But using USIP was breaking their gateway connections, so might need to do some more massaging of the config to make it happen.

Typically if USIP mode is enabled, you have to configure the backend servers with a default gateway of the ADC SNIP, so traffic for the client network returns through the ADC.

Posted
On 12/16/2020 at 7:39 PM, Rhonda Rowland1709152125 said:

Typically if USIP mode is enabled, you have to configure the backend servers with a default gateway of the ADC SNIP, so traffic for the client network returns through the ADC.

 

Sure. But that's what he did, as he is currently using L3 mode. That's why I didn't mention it.
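The return-path condition Rhonda and Johannes are discussing (USIP only works when the server's route back to the client passes through the ADC) can be checked before flipping the mode on. The following is an added example, not code from the thread or from Citrix: a small Python model of what a load-balanced server sees as the source address with USIP off versus on, and where its reply goes given its own default gateway. The VIP, SNIP, subnet, server addresses and client address are constructed for illustration; the routing logic is plain host routing (on-link destinations reached directly, everything else to the default gateway).

```python
"""Added example: model of the USIP return path through a Citrix ADC.

Not code from the forum thread or from Citrix. All addresses below are
constructed for illustration. The model captures one rule: with USIP on,
the server sees the real client IP as the source, so its reply is only
correct if its next hop for that address is the ADC (the SNIP). Otherwise
the reply leaves from the server's own address straight to the client,
which holds a socket to the VIP, not to the server, and the connection
breaks. With USIP off the source is the SNIP, which is on-link, so the
reply always comes back to the ADC.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Backend:
    """A load-balanced server: address, on-link subnet, default gateway."""
    name: str
    ip: str
    subnet: str        # e.g. "10.20.0.0/24"
    default_gw: str    # next hop for anything not on the subnet

    def next_hop(self, dst: str) -> str:
        """Plain host routing: on-link is direct, otherwise default gateway."""
        if ipaddress.ip_address(dst) in ipaddress.ip_network(self.subnet):
            return dst
        return self.default_gw


@dataclass(frozen=True)
class Adc:
    """The ADC: VIP the client connects to, SNIP used toward servers,
    and whether USIP is enabled for the service."""
    vip: str
    snip: str
    usip: bool = False


def trace_flow(client_ip: str, adc: Adc, backend: Backend) -> dict:
    """Describe the server-side half of one load-balanced connection."""
    source_seen = client_ip if adc.usip else adc.snip
    hop = backend.next_hop(source_seen)
    via_adc = hop == adc.snip
    return {
        "backend": backend.name,
        "source_seen_by_server": source_seen,
        "reply_next_hop": hop,
        "returns_via_adc": via_adc,
        "status": "ok" if via_adc else (
            f"broken: reply from {backend.ip} bypasses the ADC; "
            f"client expects {adc.vip}"),
    }


def usip_audit(client_ip: str, adc: Adc, backends) -> list:
    """Names of backends whose replies would bypass the ADC once USIP is on.

    Forces usip=True on the ADC so the audit can be run against a config
    that is still in SNIP mode, before the change is made.
    """
    adc_usip = replace(adc, usip=True)
    return [b.name for b in backends
            if not trace_flow(client_ip, adc_usip, b)["returns_via_adc"]]


# Constructed topology (hypothetical addresses).
ADC = Adc(vip="192.0.2.10", snip="10.20.0.5")
WEB1 = Backend("web1", "10.20.0.11", "10.20.0.0/24", default_gw="10.20.0.1")  # gateway is a router
WEB2 = Backend("web2", "10.20.0.12", "10.20.0.0/24", default_gw="10.20.0.5")  # gateway is the SNIP
CLIENT = "203.0.113.10"
LOCAL_CLIENT = "10.20.0.77"   # client on the server VLAN: USIP breaks even with DGW = SNIP


if __name__ == "__main__":
    for adc in (ADC, replace(ADC, usip=True)):
        for backend in (WEB1, WEB2):
            print(f"usip={adc.usip} {trace_flow(CLIENT, adc, backend)}")
    print("would break under USIP:", usip_audit(CLIENT, ADC, [WEB1, WEB2]))
    print("on-link client:", trace_flow(LOCAL_CLIENT, replace(ADC, usip=True), WEB2)["status"])
```

The audit shows the two cases the thread lands on: web1, whose default gateway is a separate router, replies around the ADC as soon as USIP is on, while web2, whose default gateway is the SNIP, keeps working. The model also flags the on-link client case, where the server ARPs for the client directly and no default-gateway change helps; that is a reason USIP can break some flows (such as the gateway connections mentioned above) even after the server gateway is fixed.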

5 months later...
Posted

Hi,


I'm not sure if I can help with my case, but I solved some asymmetric routing using PBR in my NetScaler:

    add ns pbr PBR_VLAN_XXX ALLOW -srcIP = VIP_IPs -destIP = VLAN_SNIP -nextHop DGW -protocol TCP

I needed to return traffic to the client, that had an IP in the VLAN, where the LB had a SNIP too.

 

Greetings.
