This article describes how to configure the appliances in a high availability setup to communicate in a two-arm configuration with different 802.1q VLAN tags on each arm.
In some network topologies, administrators enforce a security policy under which VLAN traffic through their switching equipment must be tagged, but VLAN 1 is not allowed. NSVLAN alone is not always sufficient to configure the appliances in a high availability setup with a two-arm topology under this type of policy.
The following diagram demonstrates this configuration:
This is an overly simplistic diagram; it shows that the outward-facing interfaces of the NetScaler are only allowed to send traffic tagged with VLAN 12 and the inward-facing (backend server) interfaces are only allowed to transmit frames tagged with VLAN 9.
In this scenario, you want a failover to occur if either of the interfaces on the primary appliance fails. Therefore, you must enable HA MON on all interfaces. With NSVLAN, however, you can only move the NetScaler IP (NSIP) address onto a single VLAN for HA heartbeat packets, so heartbeats cannot carry a different tag on each interface.
As a workaround for the NSVLAN limitation, use the -trunk ON functionality available in the set interface command. As explained in CTX115575 - FAQ: The "trunk" or "tagall" Option of NetScaler Appliance, the -trunk option tags all frames leaving an interface.
The default native VLAN that all interfaces are initially associated with is VLAN 1, but in the preceding scenario VLAN 1 is not allowed across the Switch. To modify the native VLAN for an interface, you must bind it to a VLAN without the -tagged option. By doing this you are essentially taking VLAN 1 off the interface and adding another VLAN ID as the native VLAN for that interface. In the preceding example, the native VLAN for interface 1/1 is VLAN 12 and the native VLAN for interface 1/2 is VLAN 9.
After this, set the -trunk option to ON so that all HA frames are tagged with the ID of the untagged (native) VLAN the interface is associated with. For the preceding topology requirement, the following configuration is required:
Note: The preceding workaround tags the HA frames with a different native VLAN on each interface. If these two interfaces need additional tagged VLANs for different subnets to the backend servers, bind those VLANs to the appropriate interface with the -tagged switch. That traffic then leaves on the appropriate VLAN with the appropriate tag.
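The configuration called for above, written out as an added example (it is not taken from the original article) and extended with the additional tagged VLAN mentioned in the note. It assumes the interface and VLAN numbers from the article's example (1/1 on VLAN 12, 1/2 on VLAN 9); VLAN 20 is a placeholder for a second backend subnet. Apply the same commands on both HA nodes; lines beginning with # are comments.

```nscli
# Create the two native VLANs that replace VLAN 1 on each arm
add vlan 12
add vlan 9
# Bind without -tagged: the VLAN becomes the interface's native (untagged) VLAN,
# which removes VLAN 1 from that interface
bind vlan 12 -ifnum 1/1
bind vlan 9 -ifnum 1/2
# -trunk ON tags every frame leaving the interface, HA heartbeats included,
# with the native VLAN bound above; -haMonitor ON makes a link failure trigger failover
set interface 1/1 -trunk ON -haMonitor ON
set interface 1/2 -trunk ON -haMonitor ON
# Optional: a further backend subnet on the inward arm, explicitly tagged (placeholder VLAN 20)
add vlan 20
bind vlan 20 -ifnum 1/2 -tagged
save ns config
# Checks: confirm trunk/HA MON per interface and that both nodes still see each other
show interface 1/1
show interface 1/2
show vlan
show ha node
```

If show ha node reports the peer as unreachable after the change, verify that the switch ports accept frames tagged with VLAN 12 and VLAN 9 respectively and that the same native VLAN is bound on the matching interface of the other node.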