Add second vlan with same NIC


nlffel439


Hello folks,

Currently we are working on a VLAN migration, and for this I would like to add another VLAN to the ADC.

Example:
Current VLAN 192.168.1.0/24
New VLAN 192.168.2.0/24

It is important that not all are migrated at once, and that the interfaces in the channel can address both VLANs.

I would then like to gradually change the IP addresses of the existing vServers from "192.168.1.x" to "192.168.2.x".

The current configuration is pretty standard:

There is one interface channel (LA/1) and one VLAN (1) on the ADC.
No tagging and no trunk mode activated.

The only maybe special feature is that it is an HA pair and the new VLAN uses a different gateway.

What I have already tried:
I am currently testing this on the secondary node (set to STAYSECONDARY).

Interface channel in TAGALL + trunk mode on the switch = connection lost.

Kind regards


To add a second VLAN to an existing NIC or channel without losing the existing VLAN, you will need to bind the VLAN with the -tagged option enabled. You will have to use a tagged VLAN when creating the VLAN binding. You can then bind the network to it.

You may have other network settings that need to be adjusted though: routes, IP addresses bound to the new VLAN, etc. Possibly need to look at MBF or PBRs if in use.

Basic Example:

Your first VLAN was likely port-based:

add vlan 10
bind vlan 10 -ifnum LA/1                              # interface or channel identifier
bind vlan 10 -ipaddress 192.168.1.100 255.255.255.0   # bound IP address: VIP range, or the subnet via a SNIP if in use

To bind a tagged VLAN:

add vlan 20
bind vlan 20 -ifnum LA/1 -tagged
bind vlan 20 -ipaddress 192.168.2.100 255.255.255.0   # bound VIP range (VIP with subnet mask if no SNIP needed) or SNIP in the network

 

 

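Before pushing bindings like the ones above to an HA pair, it is worth checking them offline for the mistakes that cost connectivity in exactly this scenario (two VLANs untagged on the same channel, a VLAN with no IP, a tagged VLAN whose switch side is not trunked). The script below is an added example written for this thread; it is not Citrix tooling and not code from either poster. It parses a handful of NetScaler CLI lines (add vlan / bind vlan) and applies those checks. The sample configs are constructed from the addresses in the thread; the checks themselves are my assumptions about what is worth flagging, not a NetScaler validation feature.

```python
"""Check a NetScaler VLAN/IP configuration before applying it.

Added example; not from the thread or from Citrix. Parses a few NetScaler CLI
lines (add vlan / bind vlan) and checks the invariants that matter when a
second VLAN shares a channel: one untagged VLAN per interface, every VLAN has
an interface and an IP binding, and no two VLANs claim the same subnet.
Tagged membership is reported as a note so the switch side is not forgotten.
"""
import ipaddress
import shlex

# Constructed sample mirroring the thread: VLAN 10 port-based, VLAN 20 tagged, both on LA/1.
GOOD_CONFIG = """
add vlan 10
bind vlan 10 -ifnum LA/1
bind vlan 10 -IPAddress 192.168.1.10 255.255.255.0
add vlan 20
bind vlan 20 -ifnum LA/1 -tagged
bind vlan 20 -IPAddress 192.168.2.10 255.255.255.0
"""

# Constructed counter-example: VLAN 20 bound untagged on the same channel as VLAN 10, and no IP.
BAD_CONFIG = """
add vlan 10
bind vlan 10 -ifnum LA/1
bind vlan 10 -IPAddress 192.168.1.10 255.255.255.0
add vlan 20
bind vlan 20 -ifnum LA/1
"""


def parse_config(text):
    """Return {vlan_id: {"ifaces": {ifnum: tagged}, "ips": [IPv4Interface, ...]}}."""
    vlans = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if tok[:2] == ["add", "vlan"]:
            vlans.setdefault(int(tok[2]), {"ifaces": {}, "ips": []})
        elif tok[:2] == ["bind", "vlan"]:
            vid = int(tok[2])
            if vid not in vlans:
                raise ValueError(f"bind to undefined VLAN {vid}: {line}")
            opts = [t.lower() for t in tok[3:]]        # option names are case-insensitive
            if "-ifnum" in opts:
                ifnum = tok[3 + opts.index("-ifnum") + 1]
                vlans[vid]["ifaces"][ifnum] = "-tagged" in opts
            elif "-ipaddress" in opts:
                i = 3 + opts.index("-ipaddress")
                vlans[vid]["ips"].append(ipaddress.ip_interface(f"{tok[i + 1]}/{tok[i + 2]}"))
    return vlans


def check(vlans):
    """Return [(severity, message)] with severity "error" or "note"."""
    findings = []
    native = {}        # ifnum -> VLAN id carried untagged on that interface
    seen_nets = {}     # subnet -> VLAN id that already owns it
    for vid, v in sorted(vlans.items()):
        if not v["ifaces"]:
            findings.append(("error", f"VLAN {vid}: no interface binding"))
        if not v["ips"]:
            findings.append(("error", f"VLAN {vid}: no IP binding, its subnet stays on the default VLAN"))
        for ifnum, tagged in v["ifaces"].items():
            if tagged:
                findings.append(("note", f"VLAN {vid} tagged on {ifnum}: switch port must trunk VLAN {vid} tagged"))
            elif ifnum in native:
                findings.append(("error", f"{ifnum}: untagged in VLAN {native[ifnum]} and VLAN {vid}; "
                                          "only one untagged VLAN per interface"))
            else:
                native[ifnum] = vid
        for ip in v["ips"]:
            net = ip.network
            if net in seen_nets and seen_nets[net] != vid:
                findings.append(("error", f"subnet {net} bound to VLAN {seen_nets[net]} and VLAN {vid}"))
            seen_nets[net] = vid
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(f"== {name} ==")
        for sev, msg in check(parse_config(cfg)):
            print(f"{sev:5} {msg}")
```

Run it against the intended ns.conf lines before committing them; the "note" on the tagged VLAN is the reminder that the switch port facing LA/1 has to carry VLAN 20 tagged while VLAN 10 stays the untagged (native) VLAN, which is the combination the original poster's TAGALL attempt broke.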

Wow, I think I was thinking too complicated here ...

Thank you very much Rhonda :)

This helped me a lot, I was able to successfully ping the gateway in the other network.

I think I will have to work with policy-based routing if I have to answer through different gateways to the outside.


I don't know what I'm doing wrong. I have a PBR configured for VLAN 20 so that all traffic going to that VLAN goes back through the gateway present in that VLAN. However, I cannot ping the SNIP on this network from the outside.


Thanks a lot for your tips :)
I have actually been able to solve part of the problem by removing the VLAN 20 tag on my PBR rule.

Now it is possible to reach a vServer with an IP from VLAN 20 from outside.

Only to backend systems does the NetScaler send all traffic via the SNIP of VLAN 10. But it should only do this for vServers that are in VLAN 10.

Some info about the configuration:

- SNIP of VLAN 20 is tagged to VLAN 20
- Firewall rules are already checked
- SNIP VLAN 10 - 192.168.1.10
- SNIP VLAN 20 - 192.168.2.10
- Current PBR configuration (with this, access to VLAN 20 VIPs from outside now works): [screenshot, not reproduced]


If you have VLAN tagging enabled, the switch must also be tagging VLANs (not just port-based membership).

1) Do you have two SNIPs on your ADC? One for the 192.168.1.0/24 network and one for the 192.168.2.0/24 network? It looks like yes above, but checking.

2) Do you have the 192.168.1.0/24 bound to the correct interface/channel via VLAN 10 and the 192.168.2.0/24 bound to the correct interface/channel via VLAN 20 tagged?

3) Do you need any routes defined?

With or without the PBR, I would test without first. Can you then make traffic to 192.168.1.0 destinations use SNIP1 and VLAN 10, and then test 192.168.2.0 destinations using SNIP2 and VLAN 20?

If it won't work without, then you might need the PBR for source and destination 192.168.2.0 network addresses to use VLAN 20. Your rule may need to account for all packets and not just the source IP range only.

PBRs let you set next-hop router overrides for the traffic meeting the PBR condition. Traffic that doesn't match falls back to the regular routing table. So if the PBR doesn't hit, your regular networking is being used, and if your 192.168.2.0/24 network traffic is therefore not using the correct interface/VLAN/SNIP, you have an underlying issue before the PBR is in the mix OR your PBR is too narrow.

 

 

 


So VLAN 10 (in the picture VLAN 1, the NetScaler default), here LA/1 is included.

In addition, there is VLAN 20, to which the LA/1 channel is bound:

[screenshot of the VLAN bindings, not reproduced]

These are the IP addresses on the appliance:

[screenshot of the IP addresses, not reproduced]

Here is the routing:

[screenshot of the routing table, not reproduced]

So it will probably be because the PBR does not apply to outgoing traffic and therefore the default route via gateway 192.168.1.0 is used.


I would also check that your VLAN has the SNIP binding too:

show vlan 20

bind vlan 20 -ifnum LA/1 -tagged
bind vlan 20 -ipaddress <snip2> <netmask>

But yes, your PBR, if needed, needs to affect routing to the 192.168.2.0/xx network. And possibly return traffic; you might require two different rules, one inbound and one outbound.

If you don't need PBRs you can use MBF. And it might be a good test without PBRs at all. If traffic is still switching VLANs, try MBF. If MBF works then you will need MBF or PBRs.

If you then want to revisit the PBRs, disable MBF and then proceed with testing the PBRs (don't mix PBRs and MBF).


14 hours ago, Nino Löffelmann said:

So it will probably be because the PBR does not apply to outgoing traffic and therefore the default route via gateway 192.168.1.0 is used.


One last question on this, for the traffic leaving the system, where is it going to? The 192.168.2.0/24 destinations or somewhere else?

Because any traffic not going to 192.168.2.0 destinations is going to use the default route which will use the 192.168.1.0/24 network.

And the PBR isn't going to do any good here in this case as currently defined.

The backends are not in the two VLANs but in others.

I hope this example makes it easier to understand:

If the ADC sends something over a VIP in VLAN 20, then it should take this path,
but if it sends something over a VIP in VLAN 10, then send it over the default route.

VLAN 10 and VLAN 20 stand for two different DMZ VLANs. VLAN 10 is currently used by all vServers (NAT and communication to the backends) and gradually they should be moved to their new DMZ VLAN 20 by changing the VIP.

The goal is to end up using the other gateway in VLAN 20 for both incoming and outgoing traffic by changing the VIP.
We would like to migrate to our new internet connection this way without a "big bang".

 


I have solved the remaining problem, which only needs to be handled for the duration of the migration, by assigning each migrated backend VLAN its own route. I would have liked to solve this via PBR as well, but in the current configuration this is not possible without making further deep network adjustments to the MPX.

I will continue to work on this general topic to implement a solution for possible future projects.

Thanks anyway for the support :)

The tips on the PBR settings have helped me a lot.

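The thread's two behaviours (a source-based PBR fixing the VIP replies but not the backend traffic, and a per-backend-VLAN static route fixing the latter) follow from the lookup order Rhonda described: PBRs first, routing table on a miss. The model below is an added example written for this thread, not NetScaler code and not something either poster provided. Addresses, VLAN IDs and SNIPs are the thread's; the gateway addresses (192.168.1.1, 192.168.2.1), the backend subnet 10.10.10.0/24, the client address, and the rule that the SNIP is chosen from the egress VLAN are assumptions, and PBR matching is reduced to source/destination prefixes plus a next hop.

```python
"""Model where a NetScaler sends a packet: PBRs first, then the routing table.

Added example, not from the thread or from Citrix. Gateway addresses, the
backend subnet, the client address and the SNIP-per-VLAN selection are
assumptions; PBR matching is simplified to source/destination prefixes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

GW_VLAN10 = "192.168.1.1"      # assumed: old gateway in VLAN 10 (default route)
GW_VLAN20 = "192.168.2.1"      # assumed: new gateway in VLAN 20
SNIP_FOR_VLAN = {10: "192.168.1.10", 20: "192.168.2.10"}   # SNIPs from the thread


def net(s):
    return ipaddress.ip_network(s)


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str             # next hop, or "connected"
    vlan: int                # VLAN the next hop lives in


@dataclass
class PBR:
    name: str
    nexthop: str
    vlan: int
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None

    def matches(self, src, dst):
        # A source-only PBR cannot match locally originated backend traffic:
        # its source (a SNIP) is only chosen after the egress VLAN is known.
        if self.src is not None and (src is None or src not in self.src):
            return False
        return self.dst is None or dst in self.dst


ROUTES = [
    Route(net("0.0.0.0/0"), GW_VLAN10, 10),         # default route still via VLAN 10
    Route(net("192.168.1.0/24"), "connected", 10),
    Route(net("192.168.2.0/24"), "connected", 20),
]

# The PBR from the thread: traffic sourced from a VLAN 20 address uses the VLAN 20 gateway.
PBR_VIP20 = PBR("vlan20_vips", GW_VLAN20, 20, src=net("192.168.2.0/24"))


def egress(dst_ip, pbrs, routes, src_ip=None):
    """Return (decided_by, next_hop, vlan, snip_for_that_vlan) for a packet to dst_ip.

    src_ip is the VIP when replying to a client; None for a new connection to
    a backend, where the NetScaler picks a SNIP from the egress VLAN afterwards.
    """
    dst = ipaddress.ip_address(dst_ip)
    src = ipaddress.ip_address(src_ip) if src_ip else None
    for p in pbrs:                                    # PBRs evaluated first, in priority order
        if p.matches(src, dst):
            return ("pbr:" + p.name, p.nexthop, p.vlan, SNIP_FOR_VLAN[p.vlan])
    best = max((r for r in routes if dst in r.prefix), key=lambda r: r.prefix.prefixlen)
    return ("route:" + str(best.prefix), best.gateway, best.vlan, SNIP_FOR_VLAN[best.vlan])


if __name__ == "__main__":
    client, vip20, backend = "203.0.113.5", "192.168.2.50", "10.10.10.20"   # constructed
    print("reply from VIP20, no PBR  :", egress(client, [], ROUTES, src_ip=vip20))
    print("reply from VIP20, with PBR:", egress(client, [PBR_VIP20], ROUTES, src_ip=vip20))
    print("to backend, PBR only      :", egress(backend, [PBR_VIP20], ROUTES))
    with_route = ROUTES + [Route(net("10.10.10.0/24"), GW_VLAN20, 20)]
    print("to backend, static route  :", egress(backend, [PBR_VIP20], with_route))
```

The third case reproduces the symptom reported above (backend traffic leaving via the VLAN 10 SNIP even though the VIP sits in VLAN 20), and the fourth reproduces the workaround that closed the thread: a more specific route for the backend subnet beats the default route on prefix length, so the egress VLAN, and with it the SNIP, changes without any PBR.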
