NetScaler VLAN’s Demystified

https://www.citrix.com/blogs/2014/12/29/netscaler-vlans-demystified/

The Citrix NetScaler appliance is an amazingly flexible application delivery controller (ADC). It’s capable of performing both simple and very complex tasks, positioning it solidly for the eighth consecutive year in the Gartner Leaders Quadrant for ADCs: http://www.citrix.com/news/announcements/oct-2014/citrix-positioned-for-the-eighth-consecutive-year-in-the-leaders.html

Unlike many networking devices, the NetScaler uses ‘floating’ IP addresses, which means that any NetScaler-owned IP address can egress any NetScaler interface when the generic default ‘vanilla’ configuration is in place.

This may actually be the desired configuration, but if there is a need to ensure that ingress and egress traffic flows through one particular interface on the NetScaler, this can simply be configured by using layer three (L3) VLANs to bind IP subnets to specific interfaces. With L3 VLANs configured, all traffic destined for a particular network/subnet will be forced out the desired interface.

Note: VLANs are actually layer two constructs, but the term L3 VLAN is used to describe the VLAN-to-IP-subnet binding that occurs.

How Does This All Work?

By default all interfaces are members of Native VLAN 1. That being said, specific to RX and TX, there are a few different rules to understand.

The structure of a VLAN packet is shown below:
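The tag layout the figure describes can be checked in code. The following Python script is an added example (not part of the Citrix post): it builds an 802.1Q-tagged Ethernet frame, decodes the tag fields (TPID, PCP, DEI, VID), and applies the ingress rule stated later in this post, namely that an untagged frame is assigned to the interface's native VLAN. The MAC addresses and payload are constructed sample values.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that announces an IEEE 802.1Q tag


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Build an Ethernet frame; when vid is given, insert the 4-byte 802.1Q tag."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 0 <= vid <= 4095:
        raise ValueError("VID is a 12-bit field")
    tci = (pcp << 13) | (dei << 12) | vid  # tag control information
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, if present, the 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "tagged": False,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("802.1Q TPID present but the tag is truncated")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "tagged": True,
            "pcp": tci >> 13,          # 3-bit priority code point
            "dei": (tci >> 12) & 0x1,  # drop eligible indicator
            "vid": tci & 0x0FFF,       # 12-bit VLAN identifier
            "ethertype": inner_type, "payload": frame[18:]}


def ingress_vlan(frame: bytes, native_vlan: int) -> int:
    """VLAN a received frame belongs to: the tag's VID, or the port's native VLAN if untagged."""
    info = parse_frame(frame)
    return info["vid"] if info["tagged"] else native_vlan


# Constructed sample addresses and payload (not captured traffic).
BROADCAST = bytes.fromhex("ffffffffffff")
SAMPLE_SRC = bytes.fromhex("9eb98cabe022")
SAMPLE_PAYLOAD = bytes(46)

if __name__ == "__main__":
    tagged = build_frame(BROADCAST, SAMPLE_SRC, 0x0800, SAMPLE_PAYLOAD, vid=30, pcp=5)
    untagged = build_frame(BROADCAST, SAMPLE_SRC, 0x0800, SAMPLE_PAYLOAD)
    print(parse_frame(tagged))
    print("untagged frame on a port whose native VLAN is 10 ->", ingress_vlan(untagged, 10))
```

The tag sits between the source MAC and the original EtherType, so a receiver that does not understand 0x8100 sees an unknown protocol rather than a shifted payload; the VID is the low 12 bits of the TCI, which is why VLAN IDs stop at 4095.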

Port-Based VLANs

Let’s add a new VLAN to the NetScaler (VLAN 10). This new VLAN is created with the following command: ‘add vlan 10’

Then let’s bind interface 10/1 to the newly created VLAN 10 natively. This is accomplished with the following command: ‘bind vlan 10 -ifnum 10/1’

When bound natively, interface 10/1 is removed automatically from VLAN 1, the current native VLAN. It is then added to VLAN 10. When this configuration is implemented the following rules will then apply:

Tagged VLANs

Let’s add a tagged VLAN to the NetScaler (VLAN 30). This new VLAN is created with the following command: ‘add vlan 30’

Then let’s bind interface 10/2 to the newly created VLAN 30 as a tagged member. This is accomplished with the following command: ‘bind vlan 30 -ifnum 10/2 -tagged’

When interface 10/2 is bound to VLAN 30 as a tagged member, it stays in VLAN 1 as a native member and is additionally added to VLAN 30 as a tagged member. When this configuration is implemented the following rules will then apply.

Summary

  • An interface can have only one Native VLAN (hence the term ‘port based’).
  • Untagged packets arriving on an interface are assumed to have arrived on that Native VLAN.
  • An interface can be part of any number of tagged VLANs.
  • When an interface is bound to a VLAN natively, its Native VLAN changes from the current one to the new one.
  • When an interface is bound to a particular VLAN as a tagged member, it’s just added to the new VLAN as a tagged member.

An overview of the rules is as follows:

The Interface TAGALL Configuration

The TAGALL configuration on the NetScaler is specific only to the interface. The following rules apply when leveraging the TAGALL feature:

Link Aggregation (LA)

Let’s create a new link aggregation channel. This new LA channel is created with the following command: ‘add channel LA/1’

Then let’s bind interfaces 10/1 and 10/2 to the newly created channel with the following command: ‘bind channel LA/1 -ifnum 10/1 10/2’

The following rules will apply to the default LA channel:

Link Aggregation (LA) and VLANs

Let’s create a new link aggregation channel (LA/2). This new LA channel is created with the following command: ‘add channel LA/2’

Then let’s bind interfaces 10/1 and 10/2 to the newly created channel with the following command: ‘bind channel LA/2 -ifnum 10/1 10/2’ (as noted previously, the VLAN bindings of 10/1 and 10/2 are lost once they are part of an LA channel, unless the channel itself is bound to a VLAN, as we’ll see in the following example).

We can bind the new LA channel to a new VLAN with the following commands: ‘add vlan 2’ and then ‘bind vlan 2 -ifnum LA/2’

NOTES:

  1. If we unbind interfaces 10/1 and 10/2 (for example) from an LA channel (e.g. ‘unbind channel LA/1 -ifnum 10/1 10/2’) and then remove the channel with the following command: ‘rm channel LA/1’, then interfaces 10/1 and 10/2 will be moved to VLAN 1 as Native members again.
  2. The NetScaler does not have the concept of “trunk ports” (switch ports that by default accept all VLAN IDs and carry only tagged traffic). Further restrictions on which VLANs to accept can be applied by configuring an ‘allowed list’ of VLAN IDs on a particular interface.
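The membership rules in the Summary, the TAGALL behaviour and the LA channel notes can be captured in a small state model. The following Python class is an added example (not Citrix code and not the appliance's implementation): it applies the CLI commands quoted in this post to an in-memory table of native and tagged memberships and answers the two questions the post keeps returning to, which VLAN an incoming frame lands on and whether an outgoing frame leaves tagged. Two details are assumptions of the model rather than statements of the post: a freshly created channel starts, like a physical interface, as a native member of VLAN 1, and with tagall ON a tagged frame carrying the native VID is accepted on ingress.

```python
from typing import Dict, List, Optional


class NetScalerVlanModel:
    """Model of the VLAN membership rules in this post (Summary, TAGALL and LA sections).

    Every interface starts native in VLAN 1; a native bind replaces the native VLAN;
    a tagged bind only adds a membership; interfaces lose their bindings while in an
    LA channel and return to VLAN 1 natively once unbound or the channel is removed;
    -tagall ON tags the native VLAN on egress.  Assumptions not stated in the post:
    a new channel starts native in VLAN 1, and with -tagall ON a tagged frame that
    carries the native VID is accepted on ingress.
    """

    def __init__(self, interfaces: List[str]) -> None:
        self.vlans, self.channels = {1}, {}
        self.native, self.tagged, self.tagall = {}, {}, {}
        for ifname in interfaces:
            self._reset(ifname)

    def _reset(self, ifname: str) -> None:
        """Default state: native in VLAN 1, no tagged VLANs, tagall OFF."""
        self.native[ifname] = 1
        self.tagged[ifname] = set()
        self.tagall[ifname] = False

    @staticmethod
    def _opts(tokens: List[str]) -> Dict[str, List[str]]:
        """'-ifnum 10/1 10/2 -tagged' -> {'ifnum': ['10/1', '10/2'], 'tagged': []}"""
        opts, key = {}, None
        for tok in tokens:
            if tok.startswith("-"):
                key = tok[1:].lower()
                opts[key] = []
            elif key is not None:
                opts[key].append(tok)
        return opts

    def run(self, line: str) -> None:
        """Apply one NetScaler CLI command (only the subset quoted in this post)."""
        argv = line.split()
        verb, obj, name = argv[0].lower(), argv[1].lower(), argv[2]
        opts = self._opts(argv[3:])
        if (verb, obj) == ("add", "vlan"):
            self.vlans.add(int(name))
        elif (verb, obj) == ("bind", "vlan"):
            self._bind_vlan(int(name), opts["ifnum"][0], tagged="tagged" in opts)
        elif (verb, obj) == ("add", "channel"):
            self.channels[name] = []
            self._reset(name)  # assumption: the channel itself is an interface in VLAN 1
        elif (verb, obj) == ("bind", "channel"):
            for member in opts["ifnum"]:
                self.channels[name].append(member)
                for table in (self.native, self.tagged, self.tagall):
                    table.pop(member)  # the member's own VLAN bindings are lost
        elif (verb, obj) == ("unbind", "channel"):
            for member in opts["ifnum"]:
                self.channels[name].remove(member)
                self._reset(member)  # back to VLAN 1 as a native member
        elif (verb, obj) == ("rm", "channel"):
            for member in self.channels.pop(name):
                self._reset(member)
            for table in (self.native, self.tagged, self.tagall):
                table.pop(name)
        elif (verb, obj) == ("set", "interface"):
            self.tagall[name] = opts["tagall"][0].upper() == "ON"
        else:
            raise ValueError(f"command not modelled: {line}")

    def _bind_vlan(self, vid: int, ifname: str, tagged: bool) -> None:
        if vid not in self.vlans:
            raise ValueError(f"VLAN {vid} does not exist")
        if ifname not in self.native:
            raise ValueError(f"{ifname} is unknown or is a member of an LA channel")
        if tagged:
            self.tagged[ifname].add(vid)  # additive: any number of tagged VLANs
        else:
            self.native[ifname] = vid     # replaces the previous native VLAN

    def members(self, vid: int) -> Dict[str, str]:
        """Interfaces in a VLAN and how they are bound ('native' or 'tagged')."""
        result = {i: "native" for i, n in self.native.items() if n == vid}
        result.update({i: "tagged" for i, t in self.tagged.items() if vid in t})
        return result

    def egress(self, vid: int, ifname: str) -> Optional[str]:
        """'tagged' or 'untagged' if a frame on vid may leave ifname, else None."""
        if vid in self.tagged[ifname]:
            return "tagged"
        if vid != self.native[ifname]:
            return None
        return "tagged" if self.tagall[ifname] else "untagged"

    def ingress(self, ifname: str, vid: Optional[int]) -> Optional[int]:
        """VLAN a received frame lands on (vid=None means untagged); None if dropped."""
        if vid is None:
            return self.native[ifname]  # untagged frames belong to the native VLAN
        if vid in self.tagged[ifname] or (vid == self.native[ifname] and self.tagall[ifname]):
            return vid
        return None
```

Replaying the post's own sequence (add vlan 10, bind vlan 10 -ifnum 10/1, add vlan 30, bind vlan 30 -ifnum 10/2 -tagged) shows 10/1 leaving VLAN 1 while 10/2 stays native in VLAN 1 and gains a tagged membership; binding both into LA/1 empties VLANs 10 and 30, and unbinding plus ‘rm channel LA/1’ returns both interfaces to VLAN 1, exactly as Note 1 states.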

Additional References:

How to Associate an IP Subnet with a NetScaler Interface by Using VLANs: http://support.citrix.com/article/CTX136926

How to Restrict the Management Access to a NetScaler Appliance from a Specific Interface: http://support.citrix.com/article/CTX126038

-------------------------

FAQ: The "trunk" or "tagall" Option of NetScaler Appliance

https://support.citrix.com/article/CTX115575

Created: 06 Feb 2014. Modified: 24 May 2016.

Applicable Products

  • NetScaler Gateway
  • NetScaler

Questions and Answers

Q: What is the "trunk" or "tagall" option on a NetScaler interface used for?

A: NetScaler software releases earlier than version 9.2 referred to the tagall option as trunk.

Different network equipment vendors use the term tagall differently. Some use it to describe a switch port on which you can define more than one Virtual Local Area Network (VLAN) in compliance with the Institute of Electrical and Electronics Engineers (IEEE) 802.1q guidelines. Other vendors use this term to describe a bandwidth-aggregating port, such as one using the Link Aggregation Control Protocol (LACP). On the NetScaler appliance, the tagall option, previously called the trunk option, relates mainly to tagging the VLAN traffic through interfaces.

When you enable the tagall option on a NetScaler interface, all the VLAN traffic on that interface, including that of the Native VLAN (VLAN1), is tagged. This is necessary because some switch vendors tag all VLANs when the trunk option is enabled on these switches.

You must disable the tagall option on the NetScaler appliance if you do not want all the VLAN traffic through a particular interface to be tagged. Additionally, a VLAN can be bound to an interface and tagged individually.

Examples

Tags all the VLANs going out of interface 1/1, including the native VLAN:
set interface 1/1 -tagall ON

None of the VLANs are tagged through interface 1/1, with one exception:
add vlan 3
add vlan 4
set interface 1/1 -tagall OFF

VLANs 3 and 4 are tagged through interface 1/1 even though the -tagall option is OFF:
bind vlan 3 -ifnum 1/1 -tagged
bind vlan 4 -ifnum 1/1 -tagged

The preceding commands configure the NetScaler appliance to receive frames on VLANs 3 and 4 through the interface with IEEE 802.1q tags.

The NetScaler appliance uses the native VLAN for the high availability traffic, which includes the heartbeat packets, synchronization, and command propagation. Therefore, you must ensure that the native VLAN has connectivity through all connected interfaces. By default, the native VLAN, VLAN1, is bound to an interface if you do not explicitly bind the interface to a VLAN.

If the tagall option is enabled on the NetScaler appliance and the connecting switch does not allow or tag frames on the native VLAN, high availability communication can break. This situation can lead to major problems with the high availability functionality. The following are some of the probable issues that can result from this situation:

  • Configuration synchronization failures between the high availability nodes.
  • Missing heartbeat packets leading to failovers.
  • Split-brain scenario where both appliances become the primary appliance, which can lead to service outages.

Q: Can each interface of the NetScaler be assigned a separate native VLAN?

A: Yes, each interface of the NetScaler can be assigned a separate native VLAN.

Complete the following steps to change the native VLAN associated with interface 1/1 to VLAN 500:

  1. Create VLAN 500 on the NetScaler:
    add vlan 500

  2. Bind VLAN 500 to interface 1/1 (ensure that you DO NOT use the -tagged option while binding):
    bind vlan 500 -ifnum 1/1

  3. Verify the configuration using the following command:
    show interface 1/1

    1)      Interface 1/1 (NetScaler Virtual Interface) #0
    flags=0xe060 <ENABLED, UP, UP, HAMON, 802.1q>
    MTU=1500, native vlan=500, MAC=9e:b9:8c:ab:e0:22, uptime 92h53m37s
    LLDP Mode: NONE,                 LR Priority: 1024

    RX: Pkts(1691709) Bytes(264035416) Errs(0) Drops(513720) Stalls(0)
    TX: Pkts(1352731) Bytes(162819216) Errs(0) Drops(0) Stalls(0)
    NIC: InDisc(0) OutDisc(0) Fctls(0) Stalls(0) Hangs(0) Muted(0)
    Bandwidth thresholds are not set.

  4. Use the tagall option to tag the native VLAN on the interface.

-----------------------------------

How to Set up Link Aggregation Channel and VLAN Trunking on NetScaler Appliance

https://support.citrix.com/article/CTX117113

Objective

This article contains information about the basic configuration required to set up an Institute of Electrical and Electronics Engineers (IEEE) 802.3ad link aggregation channel between a NetScaler appliance and a Cisco switch that supports Link Aggregation Control Protocol (LACP). In this setup, the Virtual Local Area Network (VLAN) Trunking feature is enabled to route traffic between multiple VLANs on the aggregated interface.

Requirements

The following devices are required on the network:

  • A NetScaler appliance with NetScaler software release 6.0 or later installed on it.

  • A Cisco switch that supports LACP.

Background

The IEEE 802.3ad Ethernet standard is a specification that defines the LACP method of bundling several physical ports to form a logical port. This is similar to the earlier Cisco EtherChannel solution. The main difference is that the Cisco implementation uses a proprietary protocol called Port Aggregation Protocol (PAgP). Later, IEEE defined a new control protocol for link aggregation called Link Aggregation Control Protocol (LACP) in the 802.3ad Ethernet standard.


Instructions

To configure the IEEE 802.3ad link aggregation channel between a NetScaler appliance and a Cisco switch that supports the LACP protocol, complete the following procedures:

Configuring the Cisco Switch for the Link Aggregation Channel

To configure the Cisco switch for the link aggregation channel, complete the following procedure:

  1. Run the following commands on the Cisco switch:
    !
    interface FastEthernet0/23
    switchport trunk allowed vlan 22
    switchport mode trunk
    channel-group 3 mode active
    !
    interface FastEthernet0/24
    switchport trunk allowed vlan 22
    switchport mode trunk
    channel-group 3 mode active
    !
    interface Port-channel3
    switchport trunk allowed vlan 22
    switchport mode trunk
    !

  2. Run the following commands to verify that the commands in the preceding step have worked as expected:
    sw1#show int trunk

     Port      Mode  Encapsulation  Status    Native vlan
     Po3       on    802.1q         trunking  1

    sw1#sh lacp nei

     Port    Flags  Priority  Dev ID          Age  Key  Number  State
     Fa0/23  SA     32768     000a.5e5a.01eb  0s   0x3  0x3     0x3D
     Fa0/24  SA     32768     000a.5e5a.01eb  4s   0x3  0x5     0x3D

    Consider the following points when configuring the Cisco switch for link aggregation:

    • The channel-group mode must be set to Active or Passive because the NetScaler appliance does not support the PAgP protocol. Citrix recommends that you set the channel-group mode on the Cisco switch as well as on the NetScaler appliance to Active.

    • The optional interface command channel-protocol lacp forces the LACP protocol.

    • Do not run the switchport trunk native vlan <VLAN_ID> command on the Cisco switch. Leave the Native VLAN at the default, VLAN 1. Some versions of Cisco IOS contain a bug where the LACPDUs sent out by the switch are tagged with VLAN ID 1 when the switch port trunk native VLAN is modified. This causes the LACP channel to fail. Refer to the Cisco identifiers CSCse14774 and CSCsh97848 for more information.

Configuring the NetScaler Appliance for the Link Aggregation Channel

To configure the NetScaler appliance for the link aggregation channel, complete the following procedure:

  1. Run the following commands from the command line interface of the NetScaler appliance to configure an LACP channel for the required interfaces of the appliance:
    set interface <First_Interface> -lacpMode ACTIVE -lacpKey <Number> -tagall OFF
    set interface <Second_Interface> -lacpMode ACTIVE -lacpKey <Number> -tagall OFF

    Note: For NetScaler software release version 9.1 and earlier, use the -trunk option instead of -tagall:
    set interface <First_Interface> -lacpMode ACTIVE -lacpKey <Number> -trunk OFF
    set interface <Second_Interface> -lacpMode ACTIVE -lacpKey <Number> -trunk OFF

  2. Run the following command to set an LA channel on the appliance:
    set channel LA/<Number> -state ENABLED -tagall OFF

    Note: For NetScaler software release version 9.1 and earlier, use the -trunk option instead of -tagall:
    set channel LA/<Number> -state ENABLED -trunk OFF

  3. Run the following command to add a VLAN ID to the appliance:
    add vlan <VLAN_ID>

  4. Run the following command to bind the VLAN to the LA channel you created:
    bind vlan <VLAN_ID> -ifnum <LA_Channel> -tagged

  5. Run the following command to bind the VLAN to an IP address:
    bind vlan <VLAN_ID> -IPAddress <IP_Address> <NetMask>

  6. Run the following command to verify that the commands in the preceding steps have worked as expected. A sample output follows the command:
    ns> show lacp

     Actor SystemID: (32768, 00:0a:5e:5a:01:eb)
    1)    Interface LA/3    Key: 3    State: UP
          Member Interfaces:
          1/3: PortID=(32768,3), Mux=DISTRIBUTING, Rx=CURRENT, SELECTED
               <Active, Long Timeout, Agg, Sync, Collecting, Distributing>
               Partner: SysID=(32768,00:0a:8a:b0:ea:40), Key=3, PortID=(32768,23)
               <Active, Long Timeout, Agg, Sync, Collecting, Distributing>
          1/4: PortID=(32768,5), Mux=DISTRIBUTING, Rx=CURRENT, SELECTED
               <Active, Long Timeout, Agg, Sync, Collecting, Distributing>
               Partner: SysID=(32768,00:0a:8a:b0:ea:40), Key=3, PortID=(32768,24)
               <Active, Long Timeout, Agg, Sync, Collecting, Distributing>

    Consider the following points when configuring the NetScaler appliance for link aggregation:

    • VLAN <VLAN_ID> is bound to the LA/<Number> interface with 802.1q tags. The Number variable in the preceding procedure ranges from 1 to 8 (from NetScaler 10.5 onwards the upper limit has changed from 4 to 8). Use the same value for the Number variable in all the commands of the preceding procedure.

    • You can bind additional VLANs to the link aggregation channel LA/<Number> as tagged members.

    • NetScaler 10.1 supports 8 interfaces per channel; NetScaler 10.5 and 11.0 support 16 interfaces per channel.

    • The -tagall ON (for NetScaler software release 9.2 and later) or -trunk ON (for NetScaler software release 9.1 and earlier) option makes the NetScaler appliance tag frames on all VLANs, including the native VLAN (by default VLAN 1). In most scenarios this causes connectivity problems with the NetScaler IP (NSIP) address and can negatively impact the communication between the two appliances of a high availability pair. The -tagall ON or -trunk ON option is intended for very specific applications where the switch does not accept both tagged and untagged frames on the same physical port. In most scenarios, such as when interfacing with a Cisco switch, set -tagall OFF or -trunk OFF on the interfaces and bind the trunked VLANs to the interfaces by using the -tagged option.
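To verify the bundle after step 6 without reading the output by eye, here is an added Python example (not part of the Citrix article) that parses the ‘show lacp’ listing in the layout shown above and flags members that are not SELECTED and DISTRIBUTING with a current partner, or whose partner system or key differs from the other members' (links landing on switches or channel groups that do not form one aggregation). The healthy sample text is the article's output retyped; the degraded variant is constructed.

```python
import re
from typing import Dict, List

# Line shapes taken from the 'show lacp' output reproduced above.
CHANNEL_RE = re.compile(r"Interface\s+(LA/\d+)\s+Key:\s*(\d+)\s+State:\s*(\w+)")
MEMBER_RE = re.compile(r"^\s*(\d+/\d+):\s*PortID=\(\d+,\d+\),\s*Mux=(\w+),\s*Rx=(\w+),\s*(\w+)")
PARTNER_RE = re.compile(r"Partner:\s*SysID=\(\d+,([0-9a-f:]+)\),\s*Key=(\d+),\s*PortID=\(\d+,(\d+)\)")


def parse_show_lacp(text: str) -> List[Dict]:
    """Turn a 'show lacp' listing into channel records with their member interfaces."""
    channels: List[Dict] = []
    channel = member = None
    for line in text.splitlines():
        m = CHANNEL_RE.search(line)
        if m:
            channel = {"name": m.group(1), "key": int(m.group(2)), "state": m.group(3), "members": []}
            channels.append(channel)
            continue
        m = MEMBER_RE.match(line)
        if m and channel is not None:
            member = {"ifname": m.group(1), "mux": m.group(2), "rx": m.group(3),
                      "selected": m.group(4) == "SELECTED", "partner": None}
            channel["members"].append(member)
            continue
        m = PARTNER_RE.search(line)
        if m and member is not None:
            member["partner"] = {"sysid": m.group(1), "key": int(m.group(2)), "port": int(m.group(3))}
    return channels


def check_channel(channel: Dict) -> List[str]:
    """Conditions that stop the bundle from carrying traffic on every member link."""
    problems: List[str] = []
    if channel["state"] != "UP":
        problems.append(f"{channel['name']}: state is {channel['state']}")
    partner_systems, partner_keys = set(), set()
    for m in channel["members"]:
        # A healthy member is SELECTED, hears a current partner and is distributing.
        if not m["selected"] or m["mux"] != "DISTRIBUTING" or m["rx"] != "CURRENT":
            status = "SELECTED" if m["selected"] else "not SELECTED"
            problems.append(f"{m['ifname']}: Mux={m['mux']} Rx={m['rx']} {status}")
        if m["partner"] is None:
            problems.append(f"{m['ifname']}: no partner seen (no LACPDUs received)")
            continue
        partner_systems.add(m["partner"]["sysid"])
        partner_keys.add(m["partner"]["key"])
    # All members must face the same partner system and key; otherwise the links
    # land on switches (or channel groups) that are not one aggregation.
    if len(partner_systems) > 1:
        problems.append(f"{channel['name']}: members see different partner systems {sorted(partner_systems)}")
    if len(partner_keys) > 1:
        problems.append(f"{channel['name']}: members see different partner keys {sorted(partner_keys)}")
    return problems


# The article's sample output, retyped line by line.
SAMPLE_SHOW_LACP = """\
 Actor SystemID: (32768, 00:0a:5e:5a:01:eb)
1)    Interface LA/3    Key: 3    State: UP
      Member Interfaces:
      1/3: PortID=(32768,3), Mux=DISTRIBUTING, Rx=CURRENT, SELECTED
           <Active, Long Timeout, Agg, Sync, Collecting, Distributing>
           Partner: SysID=(32768,00:0a:8a:b0:ea:40), Key=3, PortID=(32768,23)
           <Active, Long Timeout, Agg, Sync, Collecting, Distributing>
      1/4: PortID=(32768,5), Mux=DISTRIBUTING, Rx=CURRENT, SELECTED
           <Active, Long Timeout, Agg, Sync, Collecting, Distributing>
           Partner: SysID=(32768,00:0a:8a:b0:ea:40), Key=3, PortID=(32768,24)
           <Active, Long Timeout, Agg, Sync, Collecting, Distributing>
"""

# Constructed variant: 1/4 never finished negotiating and faces a different switch.
DEGRADED_SHOW_LACP = SAMPLE_SHOW_LACP.replace(
    "1/4: PortID=(32768,5), Mux=DISTRIBUTING, Rx=CURRENT, SELECTED",
    "1/4: PortID=(32768,5), Mux=WAITING, Rx=EXPIRED, UNSELECTED",
).replace("00:0a:8a:b0:ea:40), Key=3, PortID=(32768,24)",
          "00:0a:8a:b0:ea:41), Key=3, PortID=(32768,24)")

if __name__ == "__main__":
    for text in (SAMPLE_SHOW_LACP, DEGRADED_SHOW_LACP):
        for ch in parse_show_lacp(text):
            print(ch["name"], check_channel(ch) or ["healthy"])
```

The partner key is the switch's own operational key and is only compared across members, not against the actor key, because LACP does not require the two ends to use the same key value; what must hold is that every member of one channel sees the same partner system and key.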

---------------------

NetScaler Networking and VLAN Best Practices

https://support.citrix.com/article/CTX214033

Information

The NetScaler uses VLANs to determine which interface should be used for which traffic. In addition, the NetScaler does not participate in Spanning Tree. Without the proper VLAN configuration, the NetScaler is unable to determine which interface to use, and in these instances it can function more like a hub than a switch or router (it will try to use ALL interfaces for each conversation).

Symptoms of VLAN Misconfiguration

This type of issue can manifest itself in many forms, including performance issues, inability to establish connections, randomly disconnected sessions, and in severe situations, network disruptions seemingly unrelated to the NetScaler itself. The NetScaler may also report MAC moves, muted interfaces, and/or management interface transmit or receive buffer overflows, depending on the exact nature of the interaction with your network.

MAC Moves (counter nic_tot_bdg_mac_moved): This indicates that the NetScaler is using more than one interface to communicate with the same device (MAC address), because it could not properly determine which interface to use.

Muted interfaces (counter nic_err_bdg_muted): This indicates that the NetScaler has detected that it is creating a routing loop due to VLAN configuration issues, and as such, it has shut down one or more of the offending interfaces in order to prevent a network outage.

Interface buffer overflows, typically referring to management interfaces (counter nic_err_tx_overflow): This can be caused if too much traffic is being transmitted over a management interface. Management interfaces on the NetScaler are not designed to handle large volumes of traffic, which may result from network and VLAN misconfigurations triggering the NetScaler to use a management interface for production data traffic. This often occurs because the NetScaler has no way to differentiate traffic on the VLAN / subnet of the NSIP (NSVLAN) from regular production traffic. It is highly recommended that the NSIP be on a separate VLAN and subnet from any production devices such as workstations and servers.

Orphan ACKs (counter tcp_err_orphan_ack): This counter indicates that the NetScaler received an ACK packet that it was not expecting, typically on a different interface than the one the ACK'd traffic originated from. This situation can be caused by VLAN misconfigurations where the NetScaler transmits on a different interface than the target device would typically use to communicate with the NetScaler (often seen in conjunction with MAC moves).

High rates of retransmissions / retransmit giveups (counters: tcp_err_retransmit_giveups, tcp_err_7th_retransmit, various other retransmit counters): The NetScaler will attempt to retransmit a TCP packet a total of 7 times before it gives up and terminates the connection. While this situation can be caused by network conditions, it often occurs as a result of VLAN and interface misconfiguration.

High Availability Split Brain: Split Brain is a condition where both HA nodes believe they are Primary, leading to duplicate IP addresses and loss of NetScaler functionality. This is caused when the two HA nodes cannot communicate with each other using HA heartbeats on UDP port 3003 from the NSIP, across any interface. This is typically caused by VLAN misconfigurations where the native VLANs on the NetScaler interfaces do not have connectivity between the NetScalers.
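A script that turns the counters named above into a checklist is a practical way to apply this section. The following Python is an added example (not a Citrix tool): it compares two counter snapshots and reports the counters that moved, each with the article's interpretation, treating the retransmit counters as significant only above a rate threshold because the article ties them to high rates. The snapshot format (one counter name and value per line) and the sample values are constructed; on a real appliance the values would come from its statistics output.

```python
import re
from typing import Dict, List, Tuple

# Counters named in this article and what a rising value points to.
SIGNALS: Dict[str, str] = {
    "nic_tot_bdg_mac_moved": "MAC moves: the same MAC is reached through more than one interface; "
                             "the VLAN-to-interface bindings do not pin the path",
    "nic_err_bdg_muted": "muted interface: a loop was detected and an interface shut down; "
                         "look for a VLAN reachable through several interfaces",
    "nic_err_tx_overflow": "TX overflow: heavy traffic on a management interface; keep the NSIP "
                           "on its own VLAN/subnet away from production traffic",
    "tcp_err_orphan_ack": "orphan ACKs: replies arrive on an interface other than the one used "
                          "to send; usually accompanies MAC moves",
    "tcp_err_retransmit_giveups": "retransmit give-ups: connections torn down after 7 retransmits; "
                                  "rule out VLAN/interface misconfiguration before blaming the network",
    "tcp_err_7th_retransmit": "7th retransmit reached; same interpretation as retransmit give-ups",
    "ip_tot_floating_ip_err": "floating IP errors after an HA failover: GARP not seen by the network; "
                              "every subnet should be bound to a VLAN",
}

# Assumed snapshot format: one 'counter_name value' (or name=value) pair per line.
LINE_RE = re.compile(r"^\s*(\w+)\s*[=:\s]\s*(\d+)\s*$")


def parse_snapshot(text: str) -> Dict[str, int]:
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Increase of each counter between two snapshots (missing in 'before' counts as 0)."""
    return {name: value - before.get(name, 0) for name, value in after.items()}


def diagnose(deltas: Dict[str, int], retransmit_threshold: int = 100) -> List[Tuple[str, int, str]]:
    """(counter, increase, interpretation) for every signal that moved.

    Any increase of the bridging, overflow, orphan-ACK or floating-IP counters is
    reported; retransmit counters only once the increase reaches the threshold.
    """
    findings = []
    for name in sorted(deltas):
        delta = deltas[name]
        if name not in SIGNALS or delta <= 0:
            continue
        if "retransmit" in name and delta < retransmit_threshold:
            continue
        findings.append((name, delta, SIGNALS[name]))
    return findings


# Constructed sample snapshots taken a minute apart (not real appliance output).
SNAPSHOT_BEFORE = """
nic_tot_bdg_mac_moved 12
nic_err_bdg_muted 0
nic_err_tx_overflow 0
tcp_err_orphan_ack 3
tcp_err_retransmit_giveups 40
ip_tot_floating_ip_err 0
tcp_tot_rxpkts 900000
"""
SNAPSHOT_AFTER = """
nic_tot_bdg_mac_moved 58
nic_err_bdg_muted 1
nic_err_tx_overflow 0
tcp_err_orphan_ack 71
tcp_err_retransmit_giveups 55
ip_tot_floating_ip_err 0
tcp_tot_rxpkts 950000
"""


def sample_findings() -> List[Tuple[str, int, str]]:
    deltas = counter_deltas(parse_snapshot(SNAPSHOT_BEFORE), parse_snapshot(SNAPSHOT_AFTER))
    return diagnose(deltas)


if __name__ == "__main__":
    for counter, delta, meaning in sample_findings():
        print(f"{counter:<28} +{delta:<6} {meaning}")
```

In the constructed sample the MAC-move and orphan-ACK counters rise together with one muted interface, the combination the article describes for a VLAN reachable over more than one interface, while the 15 additional retransmit give-ups stay below the threshold and are not reported.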

Best Practices for VLAN and Network Configurations

    1. Each subnet should be associated with a VLAN. 每个子网应与一个VLAN关联

    2. More than one subnet can be associated with the same VLAN (depending on your network design). 多个子网可以与同一VLAN关联(取决于您的网络设计)。

    3. EACH VLAN SHOULD BE ASSOCIATED TO ONLY ONE INTERFACE (for purposes of this discussion, a LA Channel counts as a single interface). 每个VLAN应该只与一个接口相关联(在本讨论中,LA通道算作一个接口)。

    4. If you require more than one subnet to be associated with an interface, the subnets must be tagged. 如果需要与一个接口关联多个子网,则必须对子网进行标记。

    5. Contrary to popular belief, the Mac-Based-Forwarding (MBF) feature on the NetScaler is not designed to mitigate this type of issue. MBF is designed primarily for the DSR (Direct Server Return) mode of the NetScaler, which is rarely used in most environments (it is designed to allow traffic to purposely bypass the NetScaler on the return path from the backend servers). MBF may hide VLAN issues in some instances, but it should not be relied-upon to resolve this type of problem. 与普遍的看法相反,NetScaler上的基于Mac的转发(MBF)功能并非旨在缓解此类问题。 MBF主要是为NetScaler的DSR(直接服务器返回)模式设计的,该模式在大多数环境中很少使用(它设计为允许流量有目的地绕过后端服务器返回路径上的NetScaler)。 MBF在某些情况下可能会掩盖VLAN问题,但不应依靠它来解决此类问题。

    6. Every interface on NetScaler requires a native VLAN (unlike Cisco, where native VLANs are optional), although the TagAll setting on an interface can be used so that no untagged traffic will leave the interface in question. NetScaler上的每个接口都需要一个本机VLAN(与Cisco不同,在本机中,本机VLAN是可选的),尽管可以使用接口上的TagAll设置,以使没有未标记的流量都不会引起该接口的问题。

    7. The native VLAN can be tagged if necessary for your network design (this is the TagAll option for the interface). 如果您的网络设计需要,可以标记本地VLAN(这是接口的TagAll选项)。

    8. The VLAN for the subnet of your NetScaler's NSIP is a special case. This is called the NSVLAN. The concepts are the same but the commands to configure it are different and changes to the NSVLAN require a reboot of the NetScaler to take effect.  If you attempt to bind a VLAN to a SNIP that shares he same subnet as the NSIP, you will get “Operation not permitted.” This is because you have to use the NSVLAN commands instead. See CTX123172 for details.  Also, on some firmware versions, you cannot set an NSVLAN if that VLAN number already exists via the “add VLAN” command. Simply remove the VLAN and then set the NSVLAN again. NetScaler的NSIP子网的VLAN是一种特殊情况。 这称为NSVLAN。 概念相同,但配置命令不同,并且对NSVLAN的更改要求重新启动NetScaler才能生效。 如果您尝试将VLAN绑定到与NSIP共享相同子网的SNIP,您将得到“不允许操作”。 这是因为您必须改用NSVLAN命令。 有关详细信息,请参见CTX123172。 另外,在某些固件版本上,如果通过“ add VLAN”命令已存在该VLAN号,则无法设置NSVLAN。 只需删除VLAN,然后再次设置NSVLAN。

    9. HA Heartbeats always use the Native VLAN of the respective interface (optionally tagged if the TagAll option is set on the interface). HA心跳信号始终使用相应接口的本机VLAN(如果在接口上设置了TagAll选项,则可以选择标记)。

    10. There must be communication between at least one set of Native VLAN(s) on the two nodes of an HA pair (this can be direct or via a router). The native VLANs are used for HA heartbeats. If the NetScalers cannot communicate between native VLANs on any interface, this will lead to HA failovers and possibly a split-brain situation where both NetScalers think they are primary (leading to duplicate IP addresses, amongst other things). HA对的两个节点上的至少一组本机VLAN之间必须存在通信(可以是直接通信,也可以是通过路由器)。 本地VLAN用于HA心跳。 如果NetScaler无法在任何接口上的本机VLAN之间进行通信,这将导致HA故障转移,并可能导致两个NetScaler都认为它们是主要的裂脑情况(导致IP地址重复)。

    11. The NetScaler does not participate in spanning tree.  As such, it is not possible to use spanning tree to provide for interface redundancy when using a NetScaler. Instead, use a form of Link Aggregation (LACP or manual LAG) for this purpose.
      Note: If you wish to have link aggregation between multiple physical switches, you must have the switches configured as a virtual switch, using a feature such as Cisco's Switch Stack. 

      NetScaler不参与生成树。 因此,在使用NetScaler时,不可能使用生成树来提供接口冗余。 为此,请使用一种形式的链路聚合(LACP或手动LAG)。
      注意:如果希望在多个物理交换机之间进行链路聚合,则必须使用Cisco的Switch Stack等功能将这些交换机配置为虚拟交换机。

    12. The HA Synchronization and Command Propagation, by default, uses the NSIP/NSVLAN. To separate these out to a different VLAN, you can use the SyncVLAN option of the set HA node command. 默认情况下,HA同步和命令传播使用NSIP / NSVLAN。 要将它们分离到另一个VLAN,可以使用set HA node命令的SyncVLAN选项。

    13. There is nothing built-in to the NetScaler's default configuration that denotes that a management interface (0/1 or 0/2) is restricted to management traffic only. This must be enforced by the enduser through VLAN configuration. The Management interfaces are not designed to handle data traffic, so your network design should take this into account. Management interfaces, contained on the Netscaler motherboard, lack various offloading features such as CRC offload, larger packet buffers, and other optimizations, making them much less efficient in handling large amounts of traffic.  In order to separate production data and management traffic, the NSIP should not be on the same subnet/VLAN as your data traffic. NetScaler的默认配置中没有内置任何东西表示管理接口(0/1或0/2)仅限于管理通信量。这必须由最终用户通过VLAN配置来实施。管理接口不是为处理数据流量而设计的,因此您的网络设计应该考虑到这一点。包含在Netscaler主板上的管理接口缺少各种卸载功能,如CRC卸载、更大的数据包缓冲区和其他优化,使得它们在处理大量流量时效率大大降低。为了分离生产数据和管理流量,NSIP不应与数据通信位于同一子网/VLAN上。

    14. If it is desired to use a management interface to carry management traffic, it is best practice that the Default Route be on a subnet other than the subnet of the NSIP (NSVLAN). In many configurations, the default route will be relied-upon for workstation commmunications (in an internet scenario). If the default route is on the same subnet as the NSIP this will lead to such traffic using the management interface, which can cause the interface to be overloaded. 如果希望使用管理接口来承载管理流量,则最佳做法是默认路由位于NSIP(NSVLAN)的子网之外的子网中。在许多配置中,默认路由将依赖于工作站通信(在互联网场景中)。如果默认路由与NSIP位于同一子网中,这将导致使用管理接口的此类通信量,这可能导致接口过载。

    15. Additionally to #10-on an SDX-the SVM, XenServer, and all Netscaler instance NSIP's should be on the same VLAN and subnet. There is no "backplane" inside of the SDX that allows for communication between SVM/Xen/Instances. If they are not on the same VLAN/subnet/interface, traffic between them must leave the physical hardware, be routed on your network, and return. This can lead to obvious connectivity issues between the instances and SVM and as such, is not recommended. A common symptom of this is a Yellow Instance State indicator in the SVM for the VPX instance in question and the inability to use the SVM to reconfigure a VPX instance. 除了在SDX上排第10位之外,SVM,XenServer和所有Netscaler实例NSIP都应位于相同的VLAN和子网上。 SDX内部没有“背板”,允许SVM / Xen /实例之间的通信。 如果它们不在同一VLAN /子网/接口上,则它们之间的流量必须离开物理硬件,在网络上路由,然后返回。 这可能会导致实例与SVM之间明显的连接问题,因此不建议这样做。 常见的症状是所讨论的VPX实例的SVM中的黄色实例状态指示器,并且无法使用SVM重新配置VPX实例。

    16. In the event that some VLANs are bound to subnets and some are not, during an HA failover GARP packets will not be sent for any IP addresses on any of the subnets that are not bound to a VLAN. This can cause dropped connections and connectivity issues during HA failovers, as the NetScaler cannot notify the network of the change in MAC ownership of IP addresses on NetScalers without VMAC configured. Symptoms of this are that during/after an HA failover, the ip_tot_floating_ip_err counter increments on the former primary NetScaler for more than a few seconds, indicating that the network did not receive or process the GARP packets and is continuing to transmit data to the new secondary NetScaler.
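As an added check for items 13/14 and 16 (example code written for this page, not Citrix's), the following Python parses a constructed set of NetScaler CLI lines and flags a default route that sits on the NSIP subnet and any owned subnet that is bound to no VLAN. The sample config and the regexes are assumptions about the `show ns runningConfig` line formats.

```python
import ipaddress
import re

# Constructed sample NetScaler config (not from the article): NSIP on VLAN 10 with the
# default route on the NSIP subnet, and a SNIP whose subnet is bound to no VLAN.
SAMPLE_CONFIG = """\
set ns config -IPAddress 10.0.1.10 -netmask 255.255.255.0
add ns ip 10.0.2.1 255.255.255.0 -type SNIP
add ns ip 10.0.3.1 255.255.255.0 -type SNIP
add vlan 10
add vlan 20
bind vlan 10 -ifnum 0/1
bind vlan 20 -ifnum 1/1
bind vlan 10 -ipAddress 10.0.1.10 255.255.255.0
bind vlan 20 -ipAddress 10.0.2.1 255.255.255.0
add route 0.0.0.0 0.0.0.0 10.0.1.1
"""

def parse_config(text):
    """Extract the NSIP subnet, SNIP subnets, VLAN-to-subnet bindings and default gateway."""
    cfg = {"nsip_net": None, "snip_nets": [], "vlan_nets": {}, "default_gw": None}
    for line in text.splitlines():
        if m := re.match(r"set ns config -IPAddress (\S+) -netmask (\S+)", line):
            cfg["nsip_net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"add ns ip (\S+) (\S+)", line):
            cfg["snip_nets"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.match(r"bind vlan (\d+) -ipAddress (\S+) (\S+)", line):
            cfg["vlan_nets"][int(m[1])] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := re.match(r"add route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            cfg["default_gw"] = ipaddress.ip_address(m[1])
    return cfg

def lint(cfg):
    """Return a list of findings for the failure modes described in items 13/14 and 16."""
    findings = []
    # Items 13/14: a default gateway on the NSIP subnet pushes production traffic out the
    # management interface, which lacks the offloads and buffers of the data ports.
    if cfg["default_gw"] is not None and cfg["nsip_net"] is not None and cfg["default_gw"] in cfg["nsip_net"]:
        findings.append(f"default route via {cfg['default_gw']} is on the NSIP subnet {cfg['nsip_net']}")
    # Item 16: an owned IP whose subnet is bound to no VLAN gets no GARP on HA failover.
    bound = set(cfg["vlan_nets"].values())
    for net in cfg["snip_nets"]:
        if net not in bound:
            findings.append(f"subnet {net} is bound to no VLAN: no GARP for its IPs on failover")
    return findings

if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)):
        print("WARNING:", finding)
```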

 

---------------------------

NetScaler Interface Tagging and Flow of High Availability Packets Examples

https://support.citrix.com/article/CTX122921

Information

This article describes the flow of High Availability packets when various combinations of tagging are implemented in the NetScaler configuration. For additional information on HA traffic not seen on tagged channels, refer to CTX201788.

Flow of High Availability Packets

Heartbeats, that is, High Availability packets, are always untagged unless the NSVLAN is configured using the set ns config -nsvlan command, or an interface is configured with the -trunk ON option (NetScaler software release 9.2 and earlier) or the -tagall option (NetScaler software release 9.3 and later).

The following scenarios help describe the flow of the High Availability packets:

Scenario 1

NSVLAN is default (VLAN 1)
Interface 1/1 is bound to VLAN 2
Interface 1/2 is bound to VLAN 3

add vlan 2
add vlan 3
bind vlan 2 -ifnum 1/1
bind vlan 3 -ifnum 1/2

High Availability packets flow untagged on the 1/1 and 1/2 interfaces, on the native VLAN of those interfaces (2 and 3 respectively).

Scenario 2

NSVLAN is default (VLAN 1)
Interface 1/1 is bound to VLAN 2, which is configured with -trunk ON
Interface 1/2 is bound to VLAN 3, which is configured with -trunk OFF (default)

set interface 1/1 -trunk ON
add vlan 2
add vlan 3
bind vlan 2 -ifnum 1/1
bind vlan 3 -ifnum 1/2

High Availability packets flow on 1/1 tagged with a VLAN ID of 2 (like all other native packets of this interface), and untagged on the 1/2 interface.

Scenario 3

NSVLAN is VLAN 10 (non-default)
Interface 1/1 is bound to VLAN 2
Interface 1/2 is bound to VLAN 3
Interface 1/3 is bound to VLAN 10

add vlan 2
add vlan 3
bind vlan 2 -ifnum 1/1
bind vlan 3 -ifnum 1/2
set ns config -nsvlan 10 -ifnum 1/3

High Availability packets flow tagged (the default) on VLAN 10, on interface 1/3 only, and do not flow on VLAN 2 or VLAN 3.


Additional Resources

Tagged: This indicates 802.1q with native VLAN support, similar to "trunk" in Cisco.

Trunk/Tagall: This indicates the port is in trunking mode with no native VLAN support, meaning that all VLANs are tagged, including the native VLAN. This option was made available for compatibility with some Force10 switches. "Trunk" on the NetScaler is the equivalent of "Tag native VLAN" in Cisco.

Notes: High Availability heartbeat packets are always sent using the native VLAN, so if an interface is in Trunk/Tagall mode, High Availability heartbeats are tagged with the interface's native VLAN ID.
To add a subnet to a specific VLAN, use the following command:
bind vlan <vlan-#> -ipAddress ip-address mask
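The three scenarios and the note above reduce to a small rule set. As an added illustration (a model written for this page, not NetScaler code), the following Python applies those rules to the article's own command lists and reports, per interface, which VLAN the heartbeats use and whether they are tagged; the command parsing is a simplification and is an assumption.

```python
import re

def ha_heartbeat_flow(config_lines, interfaces):
    """Model of where HA heartbeats flow and whether they are tagged, per CTX122921.

    Returns {interface: (vlan_id, tagged)} for every interface that carries heartbeats.
    Illustrative model written for this page; it is not NetScaler code.
    """
    native = {i: 1 for i in interfaces}       # every interface starts in native VLAN 1
    tagall = {i: False for i in interfaces}   # -trunk ON (<= 9.2) / -tagall ON (>= 9.3)
    nsvlan, nsvlan_ifs, nsvlan_tagged = 1, [], True
    for line in config_lines:
        if m := re.match(r"bind vlan (\d+) -ifnum (\S+)(.*)", line):
            if "-tagged" not in m[3]:         # an untagged binding sets the native VLAN
                native[m[2]] = int(m[1])
        elif m := re.match(r"set interface (\S+) -(?:trunk|tagall) ON", line, re.I):
            tagall[m[1]] = True
        elif m := re.match(r"set ns config -nsvlan (\d+) -ifnum (.+)", line):
            nsvlan = int(m[1])
            nsvlan_tagged = "-tagged NO" not in m[2]
            nsvlan_ifs = [i for i in m[2].split() if i in interfaces]
    if nsvlan != 1:
        # Scenario 3: heartbeats leave only on the NSVLAN interface(s), tagged by default
        return {i: (nsvlan, nsvlan_tagged) for i in nsvlan_ifs}
    # Scenarios 1 and 2: heartbeats ride each interface's native VLAN, untagged unless
    # the interface is in trunk/tagall mode, in which case they carry the native VLAN tag
    return {i: (native[i], tagall[i]) for i in interfaces}

# The three scenarios from the article, as command lists
SCENARIO_1 = ["add vlan 2", "add vlan 3", "bind vlan 2 -ifnum 1/1", "bind vlan 3 -ifnum 1/2"]
SCENARIO_2 = ["set interface 1/1 -trunk ON"] + SCENARIO_1
SCENARIO_3 = SCENARIO_1 + ["set ns config -nsvlan 10 -ifnum 1/3"]

if __name__ == "__main__":
    print(ha_heartbeat_flow(SCENARIO_1, ("1/1", "1/2")))  # {'1/1': (2, False), '1/2': (3, False)}
    print(ha_heartbeat_flow(SCENARIO_2, ("1/1", "1/2")))  # {'1/1': (2, True), '1/2': (3, False)}
    print(ha_heartbeat_flow(SCENARIO_3, ("1/1", "1/2", "1/3")))  # {'1/3': (10, True)}
```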

CTX115575 - FAQ: The "trunk" or "tagall" Option of NetScaler Appliance
Citrix Documentation -  Restricting High-Availability Synchronization Traffic to a VLAN

 

----------------------

Guide to Configuring LACP Between a NetScaler and a Switch

https://forum.huawei.com/enterprise/zh/thread-301473.html

 

LACP Overview

LACP (Link Aggregation Control Protocol) link aggregation improves the fault tolerance of a trunk. Static link aggregation schedules the member ports of a trunk in the priority order full-duplex/high-rate, full-duplex/low-rate, half-duplex/high-rate, half-duplex/low-rate, ensuring load balancing across the links in the trunk.

Interconnection Topology

Ports 0/0/1, 0/0/2 and 0/0/3 on the switch form a trunk and connect to NetScaler interfaces 1/1, 1/2 and 1/3 respectively; the VLAN ID of the production subnet on the NetScaler is 2300. The configuration below uses this topology.

Configure the Switch

1. Configure the switch trunk

<SwitchA> system-view

[SwitchA] interface eth-trunk 1

[SwitchA-Eth-Trunk1] port link-type trunk

[SwitchA-Eth-Trunk1] undo port trunk allow-pass vlan 1

[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 2300

[SwitchA-Eth-Trunk1] bpdu enable

[SwitchA-Eth-Trunk1] mode lacp-static

[SwitchA-Eth-Trunk1] quit

2. Add the interfaces to the trunk

[SwitchA] interface gigabitethernet 0/0/1

[SwitchA-GigabitEthernet0/0/1] eth-trunk 1

[SwitchA-GigabitEthernet0/0/1] quit

[SwitchA] interface gigabitethernet 0/0/2

[SwitchA-GigabitEthernet0/0/2] eth-trunk 1

[SwitchA-GigabitEthernet0/0/2] quit

[SwitchA] interface gigabitethernet 0/0/3

[SwitchA-GigabitEthernet0/0/3] eth-trunk 1

[SwitchA-GigabitEthernet0/0/3] quit

3. Save the configuration

[SwitchA] quit

<SwitchA>save

4. Configure the NetScaler

1. Log in to the NetScaler command line over SSH

2. Run the following commands to set the specified interfaces to LACP mode. Here lacpKey is the number of the LA channel the interfaces belong to, an integer from 1 to 4; in this example it is 1.

set interface 1/1 -lacpMode ACTIVE -lacpKey 1 -tagall OFF

set interface 1/2 -lacpMode ACTIVE -lacpKey 1 -tagall OFF

set interface 1/3 -lacpMode ACTIVE -lacpKey 1 -tagall OFF

3. Configure the LA channel

set channel LA/1 -state ENABLED -tagall OFF

4. Add the VLAN ID. This is the VLAN ID of the production subnet on the NetScaler, assumed above to be 2300.

add vlan 2300

5. Bind the VLAN to the LA channel

bind vlan 2300 -ifnum LA/1 -tagged

6. Save the configuration

save ns config 

 

============= End

 

posted @ 2018-07-25 10:34  lsgxeva