NetScaler Best Practice With VMAC In A High Availability Configuration

https://www.citrix.com/blogs/2015/01/05/netscaler-best-practice-with-vmac-in-a-high-availability-configuration/

The NetScaler appliance is an extremely flexible application delivery controller (ADC). With the default configuration in place, the NetScaler IP addresses are ‘floating’, which means that they are not restricted to any particular interface. Additionally, with a High Availability (HA) configuration in place, all of the NetScaler-owned IP addresses (apart from the NSIP, the NetScaler IP Address) are shared across the HA pair. This includes SNIPs, MIPs (deprecated) and VIPs.

When the HA pair experiences a failover, whether forced or not, the NetScaler sends GARPs (gratuitous ARPs) announcing the new IP-to-MAC address binding for the newly established Primary NetScaler. More details about GARP can be found here: http://support.citrix.com/article/ctx109980. The purpose of this GARP behavior is to advertise to the devices attached to the NetScaler that the IP-to-MAC address binding has changed, so that they forward traffic to the new Primary NetScaler.

The NetScaler MAC addresses are not floating by default; only the IP addresses are. This may cause issues with an older network switch connected to the NetScaler, or perhaps a firewall (FW) that does not understand GARP. If a switch or FW does not understand GARP, or cannot keep up with the rate at which the GARPs are sent during an HA failover event (approximately 200/s), the NetScaler can be configured with VMAC to create a floating MAC address to pair with the floating IP addresses. This solves the potential issues associated with GARPs from the NetScaler.

When the HA failover event occurs, the NetScaler will continue to advertise GARPs, but the downstream devices will not see a new IP-to-MAC address binding, and as such will continue to forward traffic to the known IP/MAC address, preventing the network from ‘black-holing’ the packets.

To configure VMAC on your NetScaler HA pair, follow the example provided below. Note that the VRID configured below changes the MAC address of each interface it is bound to, and that MAC address then floats across the HA pair:

To configure VMAC on a NetScaler appliance, complete the following procedure:

Run the following command to create a VRID (Virtual Router ID):

> add vrid <Number>

Run the following command to bind the VRID to an interface:

> bind vrid <Number> -ifnum <Interface_Number>

If you need to display the VMAC configured, run the following command:

> show vrid <Number>

If you need to unbind the VRID from an interface, run the following command:

> unbind vrid <Number> -ifnum <Interface_Number>

If you want to remove the VMAC, run the following command:

> rm vrid <Number>

Note: There is no need to reboot the NetScaler Appliance after VMAC is configured.
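One way to confirm the behaviour described above from an attached Linux host is to compare its neighbor table before and after a forced failover. This is an added example, not code from the original article or from Citrix; the `ip neigh show` captures, the IP addresses and VRID 10 are constructed, and the VRRP-style VMAC form `00:00:5e:00:01:<VRID in hex>` is an assumption to confirm against `show vrid`.

```python
import re

NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-fA-F:]{17})\b")

def parse_neigh(text: str) -> dict:
    """Map IP -> lower-case MAC from `ip neigh show` style lines."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def vmac_for_vrid(vrid: int) -> str:
    """VRRP-style IPv4 virtual MAC (assumed form; confirm with `show vrid`)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"00:00:5e:00:01:{vrid:02x}"

def check_failover(before: str, after: str, floating_ips, vrid: int) -> dict:
    """Classify each floating IP by how its MAC behaved across the failover."""
    pre, post, vmac = parse_neigh(before), parse_neigh(after), vmac_for_vrid(vrid)
    result = {}
    for ip in floating_ips:
        old, new = pre.get(ip), post.get(ip)
        if new is None:
            result[ip] = "missing-after-failover"
        elif old == new == vmac:
            result[ip] = "stable-vmac"         # floating MAC: nothing to relearn
        elif old == new:
            result[ip] = "stale-or-unchanged"  # non-VMAC entry kept: GARP may have been missed
        else:
            result[ip] = "mac-changed"         # neighbor depended on GARP to relearn
    return result

# Constructed neighbor-table captures (hypothetical addresses and MACs).
BEFORE = """\
192.0.2.20 dev eth1 lladdr 00:00:5e:00:01:0a REACHABLE
192.0.2.21 dev eth1 lladdr 02:00:00:aa:00:01 REACHABLE
192.0.2.22 dev eth1 lladdr 02:00:00:aa:00:01 STALE
"""
AFTER = """\
192.0.2.20 dev eth1 lladdr 00:00:5e:00:01:0a REACHABLE
192.0.2.21 dev eth1 lladdr 02:00:00:bb:00:02 REACHABLE
192.0.2.22 dev eth1 lladdr 02:00:00:aa:00:01 STALE
"""

if __name__ == "__main__":
    print(check_failover(BEFORE, AFTER, ["192.0.2.20", "192.0.2.21", "192.0.2.22"], 10))
```

An address reported as `stale-or-unchanged` after a real failover is the black-holing case the article describes: the neighbor still points at the old node's interface MAC.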

Resources:

How to Configure VMAC on a NetScaler Appliance: http://support.citrix.com/article/CTX121681

VMAC Addresses for NetScaler VPX Appliance Hosted on VMware ESXi: http://support.citrix.com/article/CTX129008

Recommended Settings and Best Practices for a Generic Implementation of a NetScaler Appliance: http://support.citrix.com/article/CTX121149

============================  End

https://support.citrix.com/article/CTX121149

CTX121149

Recommended Settings and Best Practices for Generic Implementation of a NetScaler Appliance

 
 
Article | Configuration | Created: 26 Mar 2014 | Modified: 30 Apr 2018

Information

Recommended Settings for a Generic Implementation of a NetScaler Appliance

The following sections contain the recommended settings for a generic implementation of some features of a NetScaler appliance:

Modes

To configure the modes on an appliance, complete the following procedure:

  1. Expand the System node of the Navigation pane on the appliance.

  2. Select the Settings node.
  3. In the details pane, under Modes and Features, click Configure modes.

  4. Select the Fast Ramp option.
    Note: With Fast-Ramp enabled the NetScaler starts with the congestion window of the freshest server connection. For more information refer to Citrix Blog.

  5. Clear the Layer 2 Mode option.
    Note: Select this mode if servers are connected directly to the appliance or if the appliance is used as a transparent bridge.

  6. Select the Use Source IP option.
    Note: Select this mode only if an application requires the source IP address.

  7. Clear the Client Keep-Alive option.
    Note: Applications can stop working due to optimization. Select this option only when there are performance issues.

  8. Clear the TCP Buffering option.
    Note: If the network does not support Window Scaling and there are performance issues, select this option.

  9. Clear the MAC Based Forwarding option.
    Note: If you are using one-arm configuration, then select this option.

  10. Select the Use Subnet IP option.
    Note: Always select this option unless specific requirements of the network setup mean that it is not needed.

  11. Select the Layer 3 Mode (IP Forwarding) option.
    Note: If there are security issues and you want to use the appliance as a firewall, then clear this option.

  12. Select the Path MTU Discovery option. This mode helps avoid fragmentation of packets.

  13. Clear the Static Route Advertisement option.
    Note: If you are using the dynamic routing feature, select this option.

  14. Clear the Direct Route Advertisement option.

  15. Clear the Intranet Route Advertisement option.

  16. Clear the IPv6 Static Route Advertisement option.

  17. Clear the IPv6 Direct Route Advertisement option.

  18. Clear the Bridge BPDUs option.
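The Modes checklist above can be audited against a saved configuration instead of clicking through the GUI. The following is an added example, not part of the Citrix article: it assumes modes appear in ns.conf on `enable ns mode ...` lines, the short mode names in the table are an assumed mapping to the checklist entries, and the sample configuration is constructed.

```python
import re

# Expected state per the Modes procedure: True = "Select", False = "Clear".
# Keys are short names as accepted by `enable ns mode` (assumed mapping;
# confirm against the command reference for your build).
RECOMMENDED = {
    "FR": True, "L2": False, "USIP": True, "CKA": False, "TCPB": False,
    "MBF": False, "USNIP": True, "L3": True, "PMTUD": True,
    "SRADV": False, "DRADV": False, "IRADV": False,
    "SRADV6": False, "DRADV6": False, "BRIDGEBPDUS": False,
}

def enabled_modes(ns_conf: str) -> set:
    """Collect every mode named on an `enable ns mode ...` line, upper-cased."""
    modes = set()
    for line in ns_conf.splitlines():
        m = re.match(r"\s*enable\s+ns\s+mode\s+(.+)", line, re.IGNORECASE)
        if m:
            modes.update(tok.upper() for tok in m.group(1).split())
    return modes

def audit_modes(ns_conf: str) -> dict:
    """Return {mode: 'enable' | 'disable'} for each mode that deviates.

    The notes under each step list cases where the opposite setting is
    legitimate, so findings are items to review, not automatic changes.
    """
    on = enabled_modes(ns_conf)
    findings = {}
    for mode, want in RECOMMENDED.items():
        if want and mode not in on:
            findings[mode] = "enable"
        elif not want and mode in on:
            findings[mode] = "disable"
    return findings

# Constructed sample configuration, not taken from a real appliance.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
enable ns feature LB SSL
enable ns mode FR L3 MBF Edge USNIP PMTUD
"""

if __name__ == "__main__":
    for mode, action in sorted(audit_modes(SAMPLE_NS_CONF).items()):
        print(f"{mode}: {action} to match the recommendation")
```

Modes that the checklist does not mention, such as `Edge` in the sample, are ignored rather than flagged.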

Features

For information on the features available and how to enable them on NetScaler, refer to CTX122942 - How to Activate Various Features and Modes of a NetScaler Appliance.
Note: Enabling features impacts the performance of the NetScaler appliance. Enable only the features that you want to use.

Global System Settings

To configure the global system settings on an appliance, complete the following procedure:

  1. Expand the System node of the Navigation pane on the appliance.

  2. Select the Settings node.

  3. Click the Change global system settings link on the Settings page.

  4. Select the Window Scaling option.
    Note: Clear the Window Scaling option only if it is not supported by the network.
    In NetScaler 10.5, 11.0 and 11.1 builds the "Window Scaling" option is under System > Settings > Change TCP Parameters.

  5. Select the Selective Acknowledgment option.
    Note: Clear this option only if the Window Scaling option is clear.
    In NetScaler 10.5, 11.0 and 11.1 builds the "Selective Acknowledgment" option is under System > Settings > Change TCP Parameters.

  6. Select the Use Nagle’s algorithm option.
    Note: Select this option to use ICA or for heavy flow of small packets.
    In NetScaler 10.5, 11.0 and 11.1 builds the "Nagle’s algorithm" option is under System > Settings > Change TCP Parameters.

  7. Select the Enable RNAT TCP Proxy option.

HTTP Parameters

To configure the HTTP parameters of an appliance, complete the following procedure:

  1. Expand the System node of the Navigation pane on the appliance.

  2. Select the Settings node.

  3. Click the Change HTTP parameters link on the Settings page.

  4. Select the Version 1 option.
    Note: Select the Version 0 option only if the environment has earlier releases of web browsers that do not support Cookie Version 1.

  5. Select the Drop invalid HTTP requests option.
    Ensure that you always select this option. It helps in detecting the invalid HTTP headers.
    NOTE: This can cause some resources not to load through a Vserver, so be sure to thoroughly test after enabling. If you have subsequent issues accessing resources, disable this setting and test.

SNMP Alarms

To configure the recommended settings for Simple Network Management Protocol (SNMP) Alarms on an appliance, complete the following procedure:

  1. Expand the System node of the Navigation pane on the appliance.

  2. Expand the SNMP node.

  3. Select the Alarms node.

  4. Select the CPU-USAGE alarm in the SNMP Alarms page.

  5. Configure the following options in the Configure SNMP Alarm dialog box:

    • Type 95 in the Alarm Threshold field.

    • Type 35 in the Normal Threshold field.

    • Select Informational from the Severity list.

    • Select the Enable option.

  6. Click OK.

  7. Select the MEMORY alarm and click Open.

  8. Configure the following options in the Configure SNMP Alarm dialog box:

    • Type 95 in the Alarm Threshold field.
      Note: If this threshold is reached, force a failover of the appliance. If it happens again, contact Citrix Technical Support.

    • Type 35 in the Normal Threshold field.

    • Select Critical from the Severity list.

    • Select Enabled from the Logging list.

    • Select the Enable option.

Network Interfaces

To configure the network interfaces on an appliance, complete the following procedure:

  1. Expand the Network node of the Navigation pane on the appliance.

  2. Select the Interfaces node.

  3. Select the interface not in use and click Disable.
    Repeat this step for each interface that is not in use.

  4. Disable High Availability Monitoring on all disabled interfaces and on any enabled interface that does not require High Availability Monitoring. To disable High Availability Monitoring on an interface, complete the following procedure:

    1. Select the interface.

    2. Select the OFF option for HA Monitoring.

    3. Click OK.

General Best Practices

The following is a list of best practices for a generic implementation of an appliance:

  • Disable any feature or option that you are not using on the appliance.

  • In NetScaler MPX appliance models, management ports 0/1 and 0/2 are only intended for administration of the appliance.

  • In NetScaler 9000, 9010, and 10000 appliances, rear facing management port 0/1 is only intended for administration of the appliance.

  • In NetScaler 7000 appliance, ports 1/1 through 1/6 are designed to function as 100 Mbps ports.

  • For VLAN and core networking, refer to NetScaler Networking and VLAN Best Practices.

Additional Resources

For command reference, refer to Citrix Documentation - Command Reference.


============================  End
