Citrix Netscaler CloudBridge L3 mode lab

The following lab is going to run through the steps to build a working L3 NetScaler Cloud Bridge tunnel. The lab is built on VMware workstation 9.2.

This solution shows in this lab can be applied to Softlayer Cloud Offering for the secure connectivity from your own environment to Softlayer DC.

 

Lab environment component

NetScaler VPX Platinum Evaluation version 10.1-119.7. (You can download this edition from Citrix.com)

Vyatta Router (Note: No routing at Vyatta for 192.168.108.0/24 or 192.168.175.0/24)

Lab Topology

CloudBridge L3

IP addressing

Please see the above diagram for the IP addressing

Lab Steps

Step 0. Perform initial configuration of Netscaler including NSIP, SNIP and gateway as the above topology

Step 1. Log in the Netscaler GUI management, verify Netscaler works in L3 mode in System-Settings-Configuring mode on both Netscalers

Netscaler l3mode

Step 2. Enable CloudBridge feature under System-Settings-Configuring advances features on both Netscalers

CloudBridge feature

Step 3. Under System-CloudBridge Connector, click Getting Started to open the CloudBridge configuration wizard at Netscaler@DC-A

CloudBridge Wizard

Step 4. In the wizard, select Netscaler icon

CloudBridge Wizard1

Step 5. Type in the remote Netscaler@DC-B NSIP and user/password

CloudBridge Wizard2

Step 6. Configure the Cloud BridgeConnector

CloudBridge Wizard3

After click Continue button, the wizard will complete the configuration for you on both Netscalers.

Step 7. Configure bridge SNIP. Netscaler @DC-A: 172.16.31.1/30 Netscaler @DC-B: 172.16.31.2/30

Netscaler BridgeSNIP

Netscaler BridgeSNIP1

Step 8. Add routing from local DC to remote DC for network in the peering DC

On Netscaler@DC-A

Netsacler Routing1

On Netscaler@DC-B

Netsacler Routing2

Step 9. Verify the CloudBridge Tunnel works well

In GUI, you can see the tunnel status is up as the below:

Netscaler IP Tunnels

Personally, I prefer to perform the status check by CLI.

Netscaler@DC-A

> ping 172.16.31.2

PING 172.16.31.2 (172.16.31.2): 56 data bytes

64 bytes from 172.16.31.2: icmp_seq=0 ttl=255 time=18.184 ms

64 bytes from 172.16.31.2: icmp_seq=1 ttl=255 time=2.586 ms

64 bytes from 172.16.31.2: icmp_seq=2 ttl=255 time=3.075 ms

64 bytes from 172.16.31.2: icmp_seq=3 ttl=255 time=2.590 ms

^C

— 172.16.31.2 ping statistics —

4 packets transmitted, 4 packets received, 0% packet loss

 

round-trip min/avg/max/stddev = 2.586/6.609/18.184/6.686 ms

> show arp

IP               MAC                Iface VLAN  TD     Origin     TTL

—               —                —– —-  —     ——     —

1)      127.0.0.1        00:0c:29:93:a6:c7  LO/1  1     0      PERMANENT  N/A

2)      172.16.31.2      00:0c:29:17:ea:7f  TUN1  1     0      DYNAMIC    1196

3)      192.168.107.20   00:0c:29:93:a6:c7  LO/1  1     0      PERMANENT  N/A

4)      192.168.107.21   00:0c:29:93:a6:c7  LO/1  1     0      PERMANENT  N/A

5)      192.168.107.10   00:0c:29:86:7a:18  0/1   1     0      DYNAMIC    1189

6)      192.168.107.100  00:0c:29:1a:15:a2  0/1   1     0      DYNAMIC    1184

Done

> show ip

Ipaddress        TD    Type             Mode     Arp      Icmp     Vserver  State

———        —    —-             —-     —      —-     ——-  ——

1)      192.168.107.20   0     NetScaler IP     Active   Enabled  Enabled  NA       Enabled

2)      192.168.107.21   0     SNIP             Active   Enabled  Enabled  NA       Enabled

3)      172.16.31.1      0     SNIP             Active   Enabled  Enabled  NA       Enabled

> show iptunnel

1) Domain…….:               0

Name………:  cbbridge1 (TUN1)

Remote…….:  192.168.174.21   Mask……: 255.255.255.255

Local……..:  192.168.107.21   Encap…..:  192.168.107.21

Protocol…..:             GRE   Type……:               C

IPSec Profile Name…….:       cbbridge1

IPSec Tunnel Status……:              UP

 

Done

> show route

Network          Netmask          Gateway/OwnedIP  State   TD     Type

——-          ——-          —————  —–   —     —-

1)      0.0.0.0          0.0.0.0          192.168.107.10   UP      0     STATIC

2)      127.0.0.0        255.0.0.0        127.0.0.1        UP      0     PERMANENT

3)      172.16.31.0      255.255.255.252  172.16.31.1      UP      0     DIRECT

4)      192.168.107.0    255.255.255.0    192.168.107.20   UP      0     DIRECT

Done

> stat ipsec counters

 

Secure tunnel(s) summary

Rate (/s)                Total

Bytes Received                                     0                  176

Bytes Sent                                         0                  352

Packets Received                                   0                    2

Packets Sent                                       0                    4

Done

Netscaler@DC-B

> ping 172.16.31.1

PING 172.16.31.1 (172.16.31.1): 56 data bytes

64 bytes from 172.16.31.1: icmp_seq=0 ttl=255 time=0.485 ms

64 bytes from 172.16.31.1: icmp_seq=1 ttl=255 time=0.559 ms

^C

— 172.16.31.1 ping statistics —

2 packets transmitted, 2 packets received, 0% packet loss

round-trip min/avg/max/stddev = 0.485/0.522/0.559/0.037 ms

Done

 

> show arp

IP               MAC                Iface VLAN  TD     Origin     TTL

—               —                —– —-  —     ——     —

1)      127.0.0.1        00:0c:29:17:ea:7f  LO/1  1     0      PERMANENT  N/A

2)      172.16.31.1      00:0c:29:93:a6:c7  TUN1  1     0      DYNAMIC    1065

3)      192.168.174.10   00:0c:29:86:7a:22  0/1   1     0      DYNAMIC    1190

4)      192.168.174.20   00:0c:29:17:ea:7f  LO/1  1     0      PERMANENT  N/A

5)      192.168.174.21   00:0c:29:17:ea:7f  LO/1  1     0      PERMANENT  N/A

Done

> show ip

Ipaddress        TD    Type             Mode     Arp      Icmp     Vserver  State

———        —    —-             —-     —      —-     ——-  ——

1)      192.168.174.20   0     NetScaler IP     Active   Enabled  Enabled  NA       Enabled

2)      192.168.174.21   0     SNIP             Active   Enabled  Enabled  NA       Enabled

3)      172.16.31.2      0     SNIP             Active   Enabled  Enabled  NA       Enabled

Done

> show iptunnel

1) Domain…….:               0

Name………:  cbbridge1 (TUN1)

Remote…….:  192.168.107.21   Mask……: 255.255.255.255

Local……..:  192.168.174.21   Encap…..:  192.168.174.21

Protocol…..:             GRE   Type……:               C

IPSec Profile Name…….:       cbbridge1

IPSec Tunnel Status……:              UP

 

Done

> show route

Network          Netmask          Gateway/OwnedIP  State   TD     Type

——-          ——-          —————  —–   —     —-

1)      0.0.0.0          0.0.0.0          192.168.174.10   UP      0     STATIC

2)      127.0.0.0        255.0.0.0        127.0.0.1        UP      0     PERMANENT

3)      172.16.31.0      255.255.255.252  172.16.31.2      UP      0     DIRECT

4)      192.168.174.0    255.255.255.0    192.168.174.20   UP      0     DIRECT

> stat ipsec counters

 

Secure tunnel(s) summary

Rate (/s)                Total

Bytes Received                                     0                  304

Bytes Sent                                         0                  204

Packets Received                                   0                    4

Packets Sent                                       0                    2

Done

Ping Test from DC-A to DC-B

> ping -S 192.168.108.20 192.168.175.20

PING 192.168.175.20 (192.168.175.20) from 192.168.108.20: 56 data bytes

64 bytes from 192.168.175.20: icmp_seq=0 ttl=255 time=9.419 ms

64 bytes from 192.168.175.20: icmp_seq=1 ttl=255 time=2.559 ms

64 bytes from 192.168.175.20: icmp_seq=2 ttl=255 time=3.598 ms

64 bytes from 192.168.175.20: icmp_seq=3 ttl=255 time=2.561 ms

64 bytes from 192.168.175.20: icmp_seq=4 ttl=255 time=2.592 ms

64 bytes from 192.168.175.20: icmp_seq=5 ttl=255 time=3.107 ms

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s