Before we jump into what a static route actually is, and why we would want or need to configure one, we must first have a basic understanding of the so-called SNIP, or Subnet IP Address in full. And while we are at it, we will have a quick look at the MIP, or Mapped IP Address, as well. Both are important for understanding how traffic flows through a NetScaler device.
Other (related) articles from this series include:
- Citrix NetScaler Gateway, the basics!
- Citrix NetScaler (10.5) licensing. What’s new with Access Gateway!
- Citrix NetScaler… The basics continued, part one. VIP’s, Monitors and other objects!
- Citrix NetScaler… The basics continued, part three. High Availability!
- Citrix NetScaler… The basics continued, part four. What about SSL?
- Citrix NetScaler… The basics continued, part five. Global Server Load Balancing!
- Citrix NetScaler… The basics continued, Part six. Content Switching!
- Citrix NetScaler… The basics continued, part seven. Split Tunneling!
Let’s SNIP
A NetScaler SNIP address is probably best compared to a layer 3 routing table entry. Not only does it tell the NetScaler that it has a connection to a specific network, so it is ‘known’, it also tells it how and where to reach it so that it is able to route network traffic its way. In fact, when you configure a SNIP address it will automatically add a route to the NetScaler’s routing table. If your NetScaler is connected to multiple internal or DMZ subnets / VLANs, you simply configure multiple SNIP addresses, one for each subnet / VLAN, so that the NetScaler knows where to route traffic.
By default a SNIP address is not bound to a NetScaler interface; all network traffic is transmitted on all interfaces. So you could say that it’s closer to a network hub than anything else. Fortunately you have a few options for binding SNIP addresses to one or more NetScaler interfaces when needed. Without going into too much detail for now, I’d like to highlight these two articles, both written by Citrix employees. This article describes how to associate an IP subnet with a NetScaler interface by using VLANs. And here is another one showing you two more alternatives.
Default route
When configuring a NetScaler from scratch it will also ask you for a so-called default route, which will function as the default gateway for the NetScaler. Without any internal routes known to the NetScaler, in the form of a SNIP or MIP (in a minute) address, it wouldn’t know what to do with the received traffic or where to send it. It will then send out all traffic over its default route, back onto the Internet where it probably came from to begin with.
Note that internal network traffic can also be sent through the NetScaler; this is not uncommon when load balancing traffic destined for StoreFront and/or Delivery Controllers using a load balance virtual server.
When traffic is routed using one of the NetScaler’s SNIP addresses, the source address of the IP packets changes to that of the SNIP address, which makes sense since it will route traffic to subnets directly connected to the NetScaler. When multiple SNIP addresses have access to the same subnet, the SNIP that sits closest to the actual target will be used. Do note that a SNIP address is not mandatory when setting up and configuring your NetScaler. As a side note, you can also configure a SNIP address as a management IP instead of, or better said, alongside the NSIP address used to manage your NetScaler; a bit more on this in part three.
Use Subnet IP
I also have to mention that the NetScaler has a feature referred to as USNIP, Use Subnet IP, which is enabled by default. If this ‘mode’ is disabled then no SNIP addresses can or will be used. OK, so what then, you ask? Or what if you have a subnet connected to the NetScaler without a SNIP address configured? This is where the Mapped IP Address comes into play.
Let’s MIP
A MIP address, if configured, would be used as the source IP address if the above-mentioned USNIP mode is set to disabled or when no SNIP addresses are available. Also, when used in conjunction with a SNIP address, if they both reside on the same subnet for example, a MIP address might also be used as a source IP address when routing traffic from the NetScaler. However, a route will be added to the NetScaler routing table only if the MIP address is the first address on the subnet.
Static routes
A static route entry can be best interpreted as: if you need to access a resource, which is located on network D, you will have to go through, or contact, network A to get there. That’s basically it. You give the NetScaler a specific path to follow when a certain network or resource needs to be addressed. It will be listed as a Static route.
For example, let’s say you have a SNIP configured on your NetScaler connecting you to subnet A. On your internal network you also have a subnet D, but it isn’t directly reachable from the NetScaler. Traffic will have to travel over, or through, subnet A, which is connected to a routing device connecting it to subnet D. SNIP addresses only work with directly reachable subnets / networks, so adding in an additional SNIP for subnet D won’t work.
Instead you need to configure a static route (add route) telling the NetScaler to route network traffic destined for subnet D over, or through, subnet A, including the IP address of the routing device connected to subnet D. Here the same rules apply as before: if no ‘known’ route to subnet D is configured, the NetScaler will forward all traffic to its default route highlighted earlier.
In the above overview you see the 192.168.10.25 SNIP address directly connecting the NetScaler to the 192.168.10.0/24 subnet. Subnet D, however, isn’t directly reachable from the NetScaler, so a static route is needed. The ‘add route’ tells the NetScaler to route traffic over the 192.168.10.0/24 subnet A to the 192.168.10.50 router interface, to finally reach the 192.168.20.0/24 subnet D. Hopefully this relatively short post helped you in understanding some of the NetScaler basic routing operations. Part three is on its way, to be continued…
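As an added illustration (not code from the original post or from Citrix), the Python sketch below models the route selection described above: each SNIP installs a connected route, a static route needs a gateway on a directly connected subnet, and everything else falls through to the default route. The class and function names, the longest-prefix-match selection and the 203.0.113.x outside addresses are assumptions made for the example; the 192.168.x.x values are the ones from the post.

```python
import ipaddress

class RouteTable:
    """Simplified model (an assumption, not NetScaler code) of SNIP and static routing."""

    def __init__(self):
        self.snips = []    # IPv4Interface objects, one per SNIP
        self.routes = []   # (network, gateway or None if connected, kind)

    def add_snip(self, ip, mask):
        # Like 'add ns ip <ip> <mask> -type SNIP': also installs a connected route.
        snip = ipaddress.ip_interface(f"{ip}/{mask}")
        self.snips.append(snip)
        self.routes.append((snip.network, None, "connected"))

    def snip_for(self, addr):
        # SNIP whose subnet contains addr, or None if addr is not directly reachable.
        return next((s for s in self.snips if addr in s.network), None)

    def add_route(self, network, mask, gateway):
        # Like 'add route <network> <mask> <gateway>': the gateway must sit on a
        # subnet the appliance reaches directly through a SNIP.
        gw = ipaddress.ip_address(gateway)
        if self.snip_for(gw) is None:
            raise ValueError(f"gateway {gw} is not on a directly connected subnet")
        self.routes.append((ipaddress.ip_network(f"{network}/{mask}"), gw, "static"))

    def lookup(self, dest):
        # Returns (kind, next hop, source SNIP) for the most specific matching route.
        dest = ipaddress.ip_address(dest)
        matches = [r for r in self.routes if dest in r[0]]
        if not matches:
            return ("unroutable", None, None)
        net, gw, kind = max(matches, key=lambda r: r[0].prefixlen)
        if kind == "static" and net.prefixlen == 0:
            kind = "default"
        next_hop = dest if gw is None else gw
        return (kind, str(next_hop), str(self.snip_for(next_hop).ip))

def build_example():
    # 192.168.x.x values come from the post; 203.0.113.x values are constructed.
    t = RouteTable()
    t.add_snip("192.168.10.25", "255.255.255.0")                   # SNIP on subnet A
    t.add_snip("203.0.113.10", "255.255.255.0")                    # outside-facing SNIP
    t.add_route("0.0.0.0", "0.0.0.0", "203.0.113.1")               # default route
    t.add_route("192.168.20.0", "255.255.255.0", "192.168.10.50")  # subnet D via router
    return t
```

Calling `build_example().lookup("192.168.20.15")` shows traffic for subnet D leaving via the 192.168.10.50 router with the subnet A SNIP as its source, while trying to add a route whose gateway lives on subnet D itself is rejected.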
2 responses to “Citrix NetScaler… The basics continued, part two. Static routes, SNIP and MIP!”
Awesome series of articles!! I loved reading these, hope you will also cover other features (IP Filtering, URL Transformation, content switching etc.) of NetScaler in the coming editions.
Thank you very much. I have a few more ideas, so more to come for sure.