Today, we will look into the basic setup of a Citrix NetScaler right out of the box. This blog post will take you from the point of having the devices racked, powered on, and connected via the console cable in the front of your MPX7500. The first thing you will see is;
REVIEW CONFIGURATION PARAMETERS MENU
------------------------------------
This menu allows you to view and/or modify the NetScaler's configuration.
Each configuration parameter displays its current value within brackets
if it has been set. To change a value, enter the number that is displayed
next to it.
------------------------------------
1. NetScaler's IP address: [192.168.160.4]
2. Netmask: [255.255.255.0]
3. Advanced Network Configuration.
4. Time zone.
5. Cancel all the changes and exit.
6. Apply changes and exit.
Select a menu item from 1 to 6 [6]:We already have a configuration here, but you would go through each number and enter your information. After this, the Netscaler reboots, and you can ssh to the NetScaler IP or the NSIP, which in this case is 192.168.160.4
Now, here is where the fun starts. You can have the Netscaler either in one-arm or two-arm mode.
One Arm Mode:
In one-arm mode, all traffic goes in and out of one interface on the NetScaler. The NetScaler’s beauty is that its interface does not bind an IP address to a MAC address, so all active NetScaler interfaces own all IP addresses unless configured.
Two Arm Mode:
In two-arm mode, you separate your outside and inside interfaces. Either assigning interfaces on the NetScaler can do this to a specific VLAN or with a .1q trunk.
Our setup is going to be in the one-arm mode. Before we get into SNIPs, MIPs, VIPs, and all alike, let’s talk about High Availability. The NetScaler supports an Active/Standby HA pair, which we will set up now. The HA configuration is the easiest I have ever done on any device. We have two NetScaler MPX devices, one on 192.168.160.4 (our primary) and one on 192.168.160.5 (secondary). The configuration calls for the primary NS to configure the standby NS IP address and vice versa; the standby configures the primary NS IP.
Basic Configuration
Primary Configuration:add ha node 1 192.168.160.5
Secondary ConfigurationAdd ha node 1 192.168.160.4
That is it. We will do a show ha node on the primary to see if our high availability is set up correctly.
> show ha node
1) Node ID: 0
IP: 192.168.160.4
Node State: UP
Master State: Primary
Fail-Safe Mode: OFF
INC State: DISABLED
Sync State: ENABLED
Propagation: ENABLED
Enabled Interfaces : 0/1 1/1
Disabled Interfaces : None
HA MON ON Interfaces : None
Interfaces on which heartbeats are not seen : None
Interfaces causing Partial Failure: None
SSL Card Status: NOT PRESENT
Hello Interval: 200 msecs
Dead Interval: 3 secs
Node in this Master State for: 0:0:18:28 (days:hrs:min:sec)
2) Node ID: 1
IP: 192.168.160.5
Node State: UP
Master State: Secondary
Fail-Safe Mode: OFF
INC State: DISABLED
Sync State: SUCCESS
Propagation: ENABLED
Enabled Interfaces : 0/1 1/1
Disabled Interfaces : None
HA MON ON Interfaces : None
Interfaces on which heartbeats are not seen : None
Interfaces causing Partial Failure: None
SSL Card Status: NOT PRESENTThe important lines are the highlighted ones. This shows that HA is functional and each device’s role. Now, you might be wondering. OK, do I need to remember which device is the primary and the secondary with configuration? Will I be warned? There are two answers: yes, you will be warned if you log in to the secondary via the web interface, but you can enter commands into the cli and save the configuration, and you will not be warned that you are on the secondary system. This can be easily fixed, though. NSIPs are unique to the NetScaler, and they cannot be shared in a HA pair under any circumstance, but what can be shared is a Subnet IP or SNIP.
An SNIP can have multiple uses; for this instance, we will use it as a floating management address, similar to the alias IP that would be configured on a Cisco ACE.
Management Access
Configuring a SNIP for management access
add ns ip 192.168.160.3 255.255.255.0 -mgmtAccess ENABLED -gui SECUREONLY
If you do a ? after enabled, you will see that you can enable telnet. You can not connect to the Netscaler using Telnet if you enable Telnet. It is disabled in the Linux kernel, so if it gets activated, nothing will happen.
If this was what we entered
add ns ip 192.168.160.3 255.255.255.0 -mgmtAccess ENABLED -telnet ENABLED -ssh ENABLED -gui SECUREONLY
The NetScaler will only respond to SSH, not telnet
The above command adds an SNIP address of 192.168.160.3, enables management access on that SNIP, and only allows access to the NetScaler GUI over HTTPS. By default, if you leave out the –type switch, the Netscaler assumes you want an SNIP, and that is the default, which we can see by issuing the command show ns IP. Also, you may see that there are other
Verify
> show ns ip
Ipaddress Type Mode Arp Icmp Vserver State
--------- ---- ---- --- ---- ------- ------
1) 192.168.160.4 NetScaler IP Active Enabled Enabled NA Enabled
2) 192.168.160.3 SNIP Active Enabled Enabled NA EnabledNow, let’s save our configuration. To save the running configuration on a NetScaler, issue the command;
save ns config
This would be the basics of getting the Netscaler up and functional, aside from copying licensing to the device and installing your license file.