The following lab runs through the steps to build a working L3 NetScaler CloudBridge tunnel. The lab is built on VMware Workstation 9.2.
The solution shown in this lab can be applied to the SoftLayer cloud offering to provide secure connectivity from your own environment to a SoftLayer DC.
Lab environment components
NetScaler VPX Platinum Evaluation version 10.1-119.7. (You can download this edition from Citrix.com)
Vyatta Router (Note: No routing at Vyatta for 192.168.108.0/24 or 192.168.175.0/24)
Lab Topology
IP addressing
Please see the above diagram for the IP addressing
Lab Steps
Step 0. Perform the initial configuration of each NetScaler, including NSIP, SNIP and gateway, as shown in the above topology
Step 1. Log in to the NetScaler management GUI and verify that the NetScaler works in L3 mode under System-Settings-Configuring mode on both NetScalers
Step 2. Enable the CloudBridge feature under System-Settings-Configuring advanced features on both NetScalers
Step 3. Under System-CloudBridge Connector, click Getting Started to open the CloudBridge configuration wizard on Netscaler@DC-A
Step 4. In the wizard, select the NetScaler icon
Step 5. Type in the NSIP of the remote Netscaler@DC-B and its user/password
Step 6. Configure the CloudBridge Connector
After you click the Continue button, the wizard completes the configuration for you on both NetScalers.
Step 7. Configure the bridge SNIP. Netscaler@DC-A: 172.16.31.1/30; Netscaler@DC-B: 172.16.31.2/30
Step 8. On each NetScaler, add a route from the local DC to the network in the peer DC
On Netscaler@DC-A
On Netscaler@DC-B
Step 9. Verify that the CloudBridge tunnel works
In the GUI, you can see that the tunnel status is up, as shown below:
Personally, I prefer to perform the status check by CLI.
Netscaler@DC-A
> ping 172.16.31.2
PING 172.16.31.2 (172.16.31.2): 56 data bytes
64 bytes from 172.16.31.2: icmp_seq=0 ttl=255 time=18.184 ms
64 bytes from 172.16.31.2: icmp_seq=1 ttl=255 time=2.586 ms
64 bytes from 172.16.31.2: icmp_seq=2 ttl=255 time=3.075 ms
64 bytes from 172.16.31.2: icmp_seq=3 ttl=255 time=2.590 ms
^C
--- 172.16.31.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.586/6.609/18.184/6.686 ms
> show arp
IP MAC Iface VLAN TD Origin TTL
-- --- ----- ---- -- ------ ---
1) 127.0.0.1 00:0c:29:93:a6:c7 LO/1 1 0 PERMANENT N/A
2) 172.16.31.2 00:0c:29:17:ea:7f TUN1 1 0 DYNAMIC 1196
3) 192.168.107.20 00:0c:29:93:a6:c7 LO/1 1 0 PERMANENT N/A
4) 192.168.107.21 00:0c:29:93:a6:c7 LO/1 1 0 PERMANENT N/A
5) 192.168.107.10 00:0c:29:86:7a:18 0/1 1 0 DYNAMIC 1189
6) 192.168.107.100 00:0c:29:1a:15:a2 0/1 1 0 DYNAMIC 1184
Done
> show ip
Ipaddress TD Type Mode Arp Icmp Vserver State
--------- -- ---- ---- --- ---- ------- ------
1) 192.168.107.20 0 NetScaler IP Active Enabled Enabled NA Enabled
2) 192.168.107.21 0 SNIP Active Enabled Enabled NA Enabled
3) 172.16.31.1 0 SNIP Active Enabled Enabled NA Enabled
> show iptunnel
1) Domain.......: 0
Name.........: cbbridge1 (TUN1)
Remote.......: 192.168.174.21 Mask......: 255.255.255.255
Local........: 192.168.107.21 Encap.....: 192.168.107.21
Protocol.....: GRE Type......: C
IPSec Profile Name.......: cbbridge1
IPSec Tunnel Status......: UP
Done
> show route
Network Netmask Gateway/OwnedIP State TD Type
------- ------- --------------- ----- -- ----
1) 0.0.0.0 0.0.0.0 192.168.107.10 UP 0 STATIC
2) 127.0.0.0 255.0.0.0 127.0.0.1 UP 0 PERMANENT
3) 172.16.31.0 255.255.255.252 172.16.31.1 UP 0 DIRECT
4) 192.168.107.0 255.255.255.0 192.168.107.20 UP 0 DIRECT
Done
> stat ipsec counters
Secure tunnel(s) summary
Rate (/s) Total
Bytes Received 0 176
Bytes Sent 0 352
Packets Received 0 2
Packets Sent 0 4
Done
Netscaler@DC-B
> ping 172.16.31.1
PING 172.16.31.1 (172.16.31.1): 56 data bytes
64 bytes from 172.16.31.1: icmp_seq=0 ttl=255 time=0.485 ms
64 bytes from 172.16.31.1: icmp_seq=1 ttl=255 time=0.559 ms
^C
--- 172.16.31.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.485/0.522/0.559/0.037 ms
Done
> show arp
IP MAC Iface VLAN TD Origin TTL
-- --- ----- ---- -- ------ ---
1) 127.0.0.1 00:0c:29:17:ea:7f LO/1 1 0 PERMANENT N/A
2) 172.16.31.1 00:0c:29:93:a6:c7 TUN1 1 0 DYNAMIC 1065
3) 192.168.174.10 00:0c:29:86:7a:22 0/1 1 0 DYNAMIC 1190
4) 192.168.174.20 00:0c:29:17:ea:7f LO/1 1 0 PERMANENT N/A
5) 192.168.174.21 00:0c:29:17:ea:7f LO/1 1 0 PERMANENT N/A
Done
> show ip
Ipaddress TD Type Mode Arp Icmp Vserver State
--------- -- ---- ---- --- ---- ------- ------
1) 192.168.174.20 0 NetScaler IP Active Enabled Enabled NA Enabled
2) 192.168.174.21 0 SNIP Active Enabled Enabled NA Enabled
3) 172.16.31.2 0 SNIP Active Enabled Enabled NA Enabled
Done
> show iptunnel
1) Domain.......: 0
Name.........: cbbridge1 (TUN1)
Remote.......: 192.168.107.21 Mask......: 255.255.255.255
Local........: 192.168.174.21 Encap.....: 192.168.174.21
Protocol.....: GRE Type......: C
IPSec Profile Name.......: cbbridge1
IPSec Tunnel Status......: UP
Done
> show route
Network Netmask Gateway/OwnedIP State TD Type
------- ------- --------------- ----- -- ----
1) 0.0.0.0 0.0.0.0 192.168.174.10 UP 0 STATIC
2) 127.0.0.0 255.0.0.0 127.0.0.1 UP 0 PERMANENT
3) 172.16.31.0 255.255.255.252 172.16.31.2 UP 0 DIRECT
4) 192.168.174.0 255.255.255.0 192.168.174.20 UP 0 DIRECT
> stat ipsec counters
Secure tunnel(s) summary
Rate (/s) Total
Bytes Received 0 304
Bytes Sent 0 204
Packets Received 0 4
Packets Sent 0 2
Done
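A scripted version of the Step 9 check, added here as an example (it is not part of the original lab or of any Citrix tooling): it parses the `show iptunnel` output of both appliances and reports a tunnel whose IPSec status is not UP, a GRE tunnel with no IPSec profile (GRE alone does not encrypt), or endpoints that do not mirror each other. DC_A and DC_B are the two captures above typed with plain ASCII dots; DC_B_BAD and the function names are constructed for the example.

```python
import re

# `show iptunnel` output from the two captures on this page.
DC_A = """\
1) Domain.......: 0
Name.........: cbbridge1 (TUN1)
Remote.......: 192.168.174.21 Mask......: 255.255.255.255
Local........: 192.168.107.21 Encap.....: 192.168.107.21
Protocol.....: GRE Type......: C
IPSec Profile Name.......: cbbridge1
IPSec Tunnel Status......: UP
"""
DC_B = """\
1) Domain.......: 0
Name.........: cbbridge1 (TUN1)
Remote.......: 192.168.107.21 Mask......: 255.255.255.255
Local........: 192.168.174.21 Encap.....: 192.168.174.21
Protocol.....: GRE Type......: C
IPSec Profile Name.......: cbbridge1
IPSec Tunnel Status......: UP
"""
# Constructed failure case: wrong peer address and IPSec down on DC-B.
DC_B_BAD = (DC_B.replace("Status......: UP", "Status......: DOWN")
                .replace("192.168.107.21 Mask", "192.168.107.22 Mask"))

# "<label><dots>: <value>"; several label/value pairs can share one line.
FIELD = re.compile(r"([A-Za-z][A-Za-z ]*?)\.+:\s*(\S+)")

def parse_iptunnel(text):
    """Return {label: first token of the value} for one tunnel entry."""
    return {label.strip(): value for label, value in FIELD.findall(text)}

def check_pair(a, b):
    """Return a list of findings; an empty list means both ends agree."""
    findings = []
    for side, t in (("DC-A", a), ("DC-B", b)):
        if t.get("Protocol") == "GRE" and not t.get("IPSec Profile Name"):
            findings.append(f"{side}: GRE tunnel has no IPSec profile")
        if t.get("IPSec Tunnel Status") != "UP":
            findings.append(f"{side}: IPSec tunnel status is not UP")
    if (a.get("Remote"), a.get("Local")) != (b.get("Local"), b.get("Remote")):
        findings.append("tunnel endpoints are not mirrored between the two ends")
    return findings

if __name__ == "__main__":
    a = parse_iptunnel(DC_A)
    print(check_pair(a, parse_iptunnel(DC_B)))      # healthy pair
    print(check_pair(a, parse_iptunnel(DC_B_BAD)))  # constructed failure
```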
Ping Test from DC-A to DC-B
> ping -S 192.168.108.20 192.168.175.20
PING 192.168.175.20 (192.168.175.20) from 192.168.108.20: 56 data bytes
64 bytes from 192.168.175.20: icmp_seq=0 ttl=255 time=9.419 ms
64 bytes from 192.168.175.20: icmp_seq=1 ttl=255 time=2.559 ms
64 bytes from 192.168.175.20: icmp_seq=2 ttl=255 time=3.598 ms
64 bytes from 192.168.175.20: icmp_seq=3 ttl=255 time=2.561 ms
64 bytes from 192.168.175.20: icmp_seq=4 ttl=255 time=2.592 ms
64 bytes from 192.168.175.20: icmp_seq=5 ttl=255 time=3.107 ms