Something I’ve been planning to write for a while but with all the stuff happening lately, its hard to keep track. So this is a question that comes by now and then, how does netscaler handle route entries ?
Now a Netscaler often sits between many differnet networks with a leg in DMZ, one in the internal sone and other sones. Some deployments might be two-armed with more network attached to the Netscaler, and some require it to only be using one vlan because of security requirements.
Now what decides which network the Netscaler uses to communicate with the backend servers? Since Netscaler is a L3 device it uses IP and routing tables to determine where to go.
When you are deploying a Netscaler, one of the requirements is to setup a default gateway and a subnet IP. When you add a default gateway a route entry will be added to it automatically. This route entry looks like this
Which essentially says, all traffic which I have no information about will be sent to my default gateway which is 192.168.88.1.
So if my Netscaler sits on the IP 192.168.88.2 with a prefix of / 24 and the Netscaler needs to get in touch with 192.168.89.2, then the Netscaler will go trough the default gateway.
Now also when you add a subnet-IP another route entry is added automatically where the subnet IP itself is listed as a gateway IP for reaching another subnet. This Netscaler has two SNIPs. one in the 192.168.88.0/24 network and another in the 192.168.31.0/24 network
So all traffic destined to the 192.168.31.0 network is tunneled trough the 192.168.31.127 network. Another thing that is these route entries have a prefix of /24. Meaning that the Netscaler can contact 192.168.31.127 if it needs to get in touch with an IP within that range.
Then this means that the Netscaler might have multiple paths to other subnets ? Since my default-gateway might also have access to 31 and the 88 network. Like other layer 3 devices like Cisco looks at the prefix and then decides which is closest to the target. Netscaler operates only at the cost to get to the remote location. (Thanks to Andrew for that)
Now the default gateway route has a cost of 0
But the SNIP’s have a non-existing cost value
Meaning that they are prefered paths. If I was to have multiple SNIP’s which has access to a back-end service it might also get a conflict, this can be resolved using Net-profiles, this allows you to define which source ip adress should be used to connect to the back-end services.
Attach Net-Profile to a service
But what if you are required to use a one-armed deployment ? and need access to several backend networks for the service/probes to work properly.
Then you need to add a new static route which might look like this. This static route entry says the following. “If you need to access the 192.168.89.0/24 network you need to contact 192.168.88.1)
This new route will be listed as a static route and will have the same cost as the default gateway, but since this gateway sits closer to the targets in the 89. network it will be prefered over the default gateway.
So hopefully this clears up some confusion for people out there!