Understanding NetScaler IP Addresses

Basic Networking:

Netscaler owned IP addresses:

Netscaler IP (NSIP), MIP (Mapped IP), SNIP (Subnet IP), VIP (Virtual IP), GSLB site IP, Cluster IP.

NetScaler IP (NSIP) address:

The NSIP address (NetScaler IP Address) is the IP address which is used by the Administrator to manage and configure the NetScaler. It is mandatory when setting up and configuring the NetScaler for the first time, there can only be one NSIP address, it can not be removed and when it’s changed you will have to reboot the NetScaler.

This is the primary address of netscaler used for managing the netscaler. It is always owned and maintained by netscaler. It is also used for Netscaler to netscaler communication. It can be changed, but not removed. Remember that on a NetScaler a IP address is not directly bound to a Interface, unless specifically configured.

Mapped IP (MIP) Address:

MIP addresses are used when a SNIP address isn’t not available or when USNIP (Use SNIP) is disabled. In that case it will also be used as the source IP address. Only when the configured MIP address is the first in the subnet it (the NetScaler) will add a route entry to its routing table.

You use MIP addresses to connect to the backend servers. The MIP address is one of the NetScaler owned IP addresses. Starting with NetScaler software release 9.3, you need not configure a MIP on the appliance. However, if the Subnet IP (SNIP) address is not routable to the backend server, then you must configure a routable MIP to communicate with the backend server.

MIP is essentially a default SNIP. NetScaler looks in its routing table for the best route to the destination. If it finds one, it uses the SNIP associated with the route. If it doesn’t find one, it uses the MIP, which usually has a route to the default gateway. However, you don’t need a MIP. Just make sure you have a SNIP on the same network as your default gateway (route 0.0.0.0).

MIP is discontinued and used only for legacy configurations. When used mip address are available across all subnets and should never be bound to a vlan. MIPs are used when SNIP is not available, or Use subnet ip (USIP) is not available.

Subnet IP(SNIP) Address:

Def 1: SNIP is used for server-side communication from netscaler to the backend servers. We use snip/mip to connect to our backend servers from netscaler. They can be on single subnet or multiple subnets, one datacenter, or multiple datacenters. Recommended to configure a new snip address for each subnet that netscaler connects to directly. When a snip is added to netscaler, netscaler would automatically add a static route entry to the netscaler routing table to identify that snip as the default entry point for that subnet. Use of snip allows netscaler to have a footprint/communication in the subnet it might not be connected to. Using SNIP for communication from netscaler to the backend servers, helps in multiplexing to free up server resources. By default use of SNIPs are allowed by a mode called USIP – use subnet ip. This will set snip as source ip address to communicate with the backend servers/ internal network. When multiple snips are used in same subnet, netscaler uses round robin. For some reason, if you want to disable SNIP, you have three ways:

• Use client ip header insertion
• Disable USIP
• Configure use source ip

Def 2: This is an IP address that enables you to access a NetScaler appliance from an external host that exists on another subnet. When you add an SNIP address, the appliance adds an entry in the routing table. You need to add only one such entry to the routing table for each subnet. The route entry in the routing table corresponds to the first IP address added to the subnet. You can specify the SNIP in the NetScaler appliance whenever you want to enable it.

The SNIP enables the NetScaler appliance to connect to the subnet, which is different than that of the MIP and NSIP addresses, similar to local network of the appliance. This functionality is very useful in the topology where backend servers are connected directly to the NetScaler appliance through an L2 switch and are in different subnets than that of MIP and NSIP addressed servers.

Def 3: A SNIP (Subnet IP Address) is used for server side connections, meaning that this address will be used to route traffic from, or through, the NetScaler to a subnet directly connected to the NetScaler. The NetScaler has a mode named USNIP (Use SNIP), which is enabled by default, this causes the SNIP address to be used as the source address when sending packets from the NetScaler to the internal network.

• You can add multiple snips in same subnet. They will be used in a Round Robin fashion.
• VIP listens for user connections, and forwardes them to SNIP/MIP. VIP doesnt create connections to backend servers.
• SNIP/MIP creates connections to backend servers. SNIP/MIP doesnt listen for user connections directly(VIP does that).
• SNIPs are also known as interface IPs. Every interface/VLAN you plug into the NetScaler needs a SNIP associated with that interface/VLAN.

My explanation:

Client’s request is terminated at vip. Netscaler will check its routing table. If there is an entry in routing table to the ip that user is requesting to(means application server ip), it will use snip. If there is no entry in routing table to the ip that user is requesting to, it will use mip.

vServer:

A NetScaler entity that represents one or more applications in a server farm. External clients can use vservers to access applications hosted on the servers. It is represented by an alphanumeric name, virtual IP address (VIP), port, and protocol.

Virtual IP(VIP) Address:

Def 1: A VIP address is the IP address associated with a virtual server. It is the public IP address to which clients connect. An appliance managing a wide range of traffic may have many VIPs configured. A VIP address (Virtual IP Address) is the IP address of a vServer that the end users will connect to, and through which they will eventually be authenticated etc. For now just remember that the VIP address is never used as the source IP and thus isn’t involved in back-end server communication, instead this will always be handled by a SNIP and or MIP address, where, more often than not, SNIP addresses are used over MIP’s, but they can be mixed and used to connect to the same IP subnet even, again, Round Robin will than be used to determine the most optimal route.

Def 2: VIP is ip address of virtual server that end users connect to when they use services on their client work stations. VIP addresses are used for client to netscaler communications. Incoming data packets are sent to the VIP and routed to actual network interfaces. VIP is an ip address where end users connect to the netscaler and to connect to their backend resources. In a typical configuration VIPs face the client and SNIPs face the servers. We can also bind SNIP as NSIP. When you setup a HA pair, this is most preferred way.

VIP is an IP address associated with a virtual server.

This is how the communication goes:

Client initiates a tcp connection on port 80 and it goes to Netscaler VIP. (Here, this combination of protocol, port, name(tcp here) is called vServer. Meaning, user’s request goes to a vserver in netscaler).

Netscaler then opens seperate connection to server using source ip address known as SNIP/MIP.

Compare the below steps with above image. Traffic flows like this:

1. Client -> VIP(which is on NetScaler, vip to vserver and vserver to service (ie., SNIP/MIP))
2. SNIP(snip is in netscaler) -> Server
3. Server -> SNIP-> service -> vserver -> VIP -> Client

you can NOT use / share the MIP, SNIP or NSIP as a VIP. Difference between service and vserver is that in service, backend server owns the ip address and service can be bound or attached to a vserver. In vServer, Netscaler owns IP address and clients connect to VIP.

Client communication process:

Client/user connects to netscaler using VIP. When a connection is received by netscaler, it terminates/decouples that request and sends it to the actual resources/servers. To contact actual servers in the backend, netscaler needs an IP as source to contact them (remember, user’s connection is decoupled already, it doesn’t have any source ip now). Netscaler changes the source ip address as SNIP/MIP, and destination ip as the backend server ip and forwards it to the backend server. So by now, SNIP is set as source ip and backend server ip is set as destination ip. SNIP also allows you to bind to a VLAN, bind to a subnet and full monitoring.

NSIP, SNIP and VIP are the minimum ip addresses necessary to configure the netscaler.

IP Set:

IP Set is grouping of SNIP or VIP addresses on netscaler. IP Sets allow you to set aside a group of IP addresses to be reserved. Navigate to IP sets tab in GUI to do so. You can bind both VIP and SNIP ip addresses in same IP set. Give it a meaningful name so that you can identify them later, when needed.

Service:

Service is a pointer to the backend server that defines the server name/ip address, port, and protocol of the backend server. Each service has a name and specifies an existing IP address (or existing server name), a port, and the type of data that is served. While creating a service you have to:

• Specify any name to the service.
• Add new server or choose existing server (or ip address that you added earlier)
• Select port and protocol(SSL or HTTP etc)

If you choose new server and enter ip address, that new server will be added to the servers section with the ip address that you provided. Adding monitor to the service is optional. If you dont choose any monitor, NS will automatically add “tcp” monitor to the service by default.

Service describes network specifics of an application hosted by server outside netscaler. This might be web or app server. Service consists of Name(name of the server hosting the application), protocol(application protocol ex, http, https, ftp), ip address(the ip address that server is listening on for connections on that application) and port(the port on which server listens on, for connections tcp 80, 443, etc).

Example, In a scenario where you want to create a load balanced storefront VIP, you can create service by selecting storefront server1 and port as 443 and protocol as SSL. You add second storefront server in the same way. Next you create a storefront VIP by adding these services.

Best way to use services is, create service with each of your xendesktop or storefront servers and add a monitor to them. So, when you click on services tab, you can easily see if all the services are up or easily identify which specific service is down. You can directly login to that server and check what is down. This will save time while troubleshooting.

Service Groups:

Service groups allow you to manage servers as a single entity. You create a service group and add servers to it so that they can be managed as a group. For example, if you enable or disable any option, such as compression, health monitoring or graceful shutdown, for a service group, the option gets enabled for all the members of the service group.

After creating a service group, you can bind it to a virtual server, and you can add services to the group. You can also bind monitors to service groups. The members of a service group can be identified by IP address or server name.

• Service points to single backend server and defines address/port/protocol for that server.
• Service group points to multiple backend servers and defines address/port/protocol for all of them.

Complete Netscaler definitions are given HERE.