
VDA not Register to DDC - VLANs are behind Netscaler


Uwe Meyer


Hi,

We have the following setup:

1 ADC as VPX on VMWARE

with 1 NIC (Access Management and VSERVERS)

and 1 NIC (all VLANs - on VMWARE tagged as 4095)

In the Netscaler we have created 2 VLANs. In one VLAN is the DDC, in the other is the VDA. All VLANs have their own SNIP.

Now the VDA can't register to the DDC.

If I enable USIP, the VDA registers, but then I can't access the published applications from outside.

If I disable USIP, the VDA can't register.

I think the VDA uses the SNIP to access the DDC when I disable USIP.

Is there a way to enable USIP for only one VLAN (or IP range), so that the VLAN with the VDA uses the source IP?

Regards

Uwe


Hi Uwe,

 

I'm a bit confused here. You're having VDAs register to the DDC through the NetScaler? That doesn't seem very efficient honestly. VDAs should be able to talk with the DDCs directly and not go through a load balancer. Maybe I'm not fully understanding your question though, so please clarify if you can.

 

Cheers,

G.


No.

The Netscaler doesn't load balance the DDCs. The Netscaler has 2 VLANs.

1. VLAN: (10.1.1.x/24) (SNIP: 10.1.1.3) (Static Routes 10.1.1.3) (DDC)

2. VLAN: (10.1.2.x/24) (SNIP: 10.1.2.3) (Static Routes 10.1.2.3) (VDA)

So the VDA should access the DDC directly over the Netscaler (10.1.2.100 (VDA) -> 10.1.2.3 -> 10.1.1.150 (DDC)).

Then there is no FW between this and the VDA should register. But I think the VDA uses the SNIP for registering.

Or am I wrong?

Regards

Uwe


Our idea was to use the VLANs only on the Netscaler. These VLANs are not routed over our main router.

I can also ping the DDC, and a trace route has no other hops in between. The firewalls are also deactivated for testing.

Or is it not a good idea to put a VLAN behind the Netscaler, which is only routed via the Netscaler?


If you can avoid it I would not advise to have the NetScaler route traffic like this. While it is technically capable of doing this, it's not really its core purpose and it can create all kinds of headaches and/or need for special configs. If you insist on doing this, I would suggest that you use PBRs to make sure that traffic is processed the correct way.


There's no general rule here: you can have SNIPs in every subnet, or you can route the subnets and have only a single SNIP. Either way is fine for the NetScaler as long as it can reach the destination. My guess would be that it will depend on your current topology and preference. Without seeing some diagrams and having some more info on the environment, it really isn't feasible to give you advice on this, to be honest.
