How to Restrict the Management Access to a NetScaler Appliance from a Specific Interface

Article ID: CTX126038

Description

By default, the interfaces of a NetScaler appliance are not strictly associated to a specific IP address. The IP addresses of the NetScaler Packet Engine are floating and can be associated to any interface of the appliance. This ensures that any physical interface of the appliance can send or receive data for any NetScaler-owned IP address.


Instructions

To restrict the management access to a NetScaler appliance from a specific interface, complete the following procedure:

Note: The following procedure uses a NetScaler MPX 5500 appliance with interfaces 0/1, 0/2, 1/1, 1/2, 1/3, 1/4, and LO/1 as an example.

  1. Run the > show vlan command to verify the bindings of the interfaces:

    1) VLAN ID: 1
    Member Interfaces : 1/4 1/3 1/2 1/1 0/1 0/2 LO/1 Tagged: None
    Done

    The preceding output indicates that all interfaces of the appliance are bound to VLAN 1, which is the default VLAN of the NetScaler appliance.

  2. Leaving interface 0/1 on VLAN 1, run the following commands to create additional VLANs for the remaining interfaces:

    > add vlan 20
    Done
    > add vlan 30
    Done
    > add vlan 40
    Done
    > add vlan 50
    Done
    > add vlan 60
    Done

  3. Run the following commands to bind the interfaces to the appropriate VLANs:

    > bind vlan 20 -ifnum 1/2
    Done
    > bind vlan 30 -ifnum 1/3
    Done
    > bind vlan 40 -ifnum 1/4
    Done
    > bind vlan 50 -ifnum 0/2
    Done
    > bind vlan 60 -ifnum 1/1
    Done

  4. Run the following command to verify the VLAN bindings:

    > show vlan

    1) VLAN ID: 1
        Member Interfaces : 0/1 LO/1 Tagged: None

    2) VLAN ID: 20
         Member Interfaces : 1/2 Tagged: None

    3) VLAN ID: 30
         Member Interfaces : 1/3  Tagged: None

    4) VLAN ID: 40
         Member Interfaces : 1/4 Tagged: None

    5) VLAN ID: 50
         Member Interfaces : 0/2 Tagged: None

    6) VLAN ID: 60
        Member Interfaces : 1/1 Tagged: None
    Done

  5. If you need to enable tagged traffic on interface 0/1, run the following command to enable the trunk option on the interface:

    > set int 0/1 -trunk on

    Note: The -trunk option is deprecated in later versions of the NetScaler software release in favor of -tagall. Use the man set int command to view the options appropriate to your version.

  6. Run the following command to enable management access on interface 1/1 for a specified NetScaler-owned IP address:

    > bind vlan 60 -IPAddress <SNIP/MIP> <Subnet_Mask>

Any interface that you do not bind to an explicit VLAN remains bound to the default VLAN, VLAN 1, and every interface bound to VLAN 1 has management access to the NetScaler appliance. To allow management access on a specific NetScaler interface, either leave that interface bound to the default VLAN, or associate the NetScaler-owned IP addresses with the VLAN to which the interface is bound.
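Because every port left on VLAN 1 keeps management access, it is worth verifying the result after the change. The following POSIX shell audit helper is an added example, not part of the Citrix article: it parses captured show vlan output (assumed to be collected over SSH into a file) and fails when any physical port other than the intended one is still on VLAN 1. The two sample outputs are constructed to match the step 1 and step 4 states above.

```shell
#!/bin/sh
# Added audit helper (not from the Citrix article): parse captured
# "show vlan" output and report which physical interfaces still sit on the
# default VLAN 1, i.e. which ports accept management traffic. Capture the
# input first, e.g.  ssh nsroot@<NSIP> 'show vlan' > vlan.txt  (assumed).

# Constructed sample: the step 1 state, all interfaces on VLAN 1.
SHOW_VLAN_BEFORE='1) VLAN ID: 1
    Member Interfaces : 1/4 1/3 1/2 1/1 0/1 0/2 LO/1 Tagged: None
Done'

# Constructed sample: the step 4 state after the VLAN split (abbreviated).
SHOW_VLAN_AFTER='1) VLAN ID: 1
    Member Interfaces : 0/1 LO/1 Tagged: None

2) VLAN ID: 20
     Member Interfaces : 1/2 Tagged: None

6) VLAN ID: 60
    Member Interfaces : 1/1 Tagged: None
Done'

# vlan_members <vlan-id> : read "show vlan" output on stdin and print the
# member interfaces of that VLAN, one per line. LO/1 is skipped because the
# loopback is not a physical port.
vlan_members() {
  awk -v want="$1" '
    /VLAN ID:/ { cur = $NF; next }
    /Member Interfaces/ && cur == want {
      for (i = 4; i <= NF; i++) {
        if ($i == "Tagged:") break
        if ($i != "LO/1") print $i
      }
    }'
}

# check_mgmt_only <ifnum> : succeed only when <ifnum> is the sole physical
# interface left on VLAN 1; otherwise list the extra ports and fail, so the
# check can drive a scheduled job or a configuration-compliance alert.
check_mgmt_only() {
  extra=$(vlan_members 1 | grep -vx -- "$1" || true)
  if [ -n "$extra" ]; then
    printf 'ports still on VLAN 1 besides %s: %s\n' "$1" "$(printf '%s' "$extra" | tr '\n' ' ')"
    return 1
  fi
  return 0
}

# Stand-alone demo: the "before" state fails, the "after" state passes.
printf '%s\n' "$SHOW_VLAN_BEFORE" | check_mgmt_only 0/1 || echo 'before split: check fails as expected'
printf '%s\n' "$SHOW_VLAN_AFTER" | check_mgmt_only 0/1 && echo 'after split: only 0/1 is a management port'
```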

Issue/Introduction

This article contains information about restricting the management access to a NetScaler appliance from a specific interface.

Additional Information

CTX122921 - Citrix NetScaler Interface Tagging and Flow of High Availability Packets

CTX118597 - How to Configure the NetScaler Appliances in a High Availability Setup to Communicate in a Two-Arm Configuration with Different 802.1q VLAN Tags on Each Arm

CTX138140 - How to Deploy NetScaler Appliances in a High Availability Setup in Two Arm Mode When Having Multiple Subnets With VLAN IDs