Layer 2-7 High Availability Deployment Guide
A Technical Guide for Business Continuity

Notice: The information in this publication is subject to change without notice. THIS PUBLICATION IS PROVIDED “AS IS” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. CITRIX SYSTEMS, INC. (“CITRIX”), SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT, INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.

This publication contains information protected by copyright. Except for internal distribution, no part of this publication may be photocopied or reproduced in any form without prior written consent from Citrix. The exclusive warranty for Citrix products, if any, is stated in the product documentation accompanying such products. Citrix does not warrant products other than its own. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies.

Copyright © 2008 Citrix Systems, Inc., 851 West Cypress Creek Road, Ft. Lauderdale, Florida 33309-2009 U.S.A. All rights reserved.

Table of Contents
Introduction
Prerequisites
Network Diagram
NetScaler Configuration
  Deployment Model: NetScaler High Availability, Two-Arm Mode
  Important Considerations for NetScaler High Availability
  High Availability Command Synchronization
  Important NetScaler IP Addresses
  Add a Default Route
  IP Addresses, Interfaces and VLANs
  Configuring the Virtual MAC
  High Availability Failover Operation
  Before HA Failover
  After HA Failover
Appendix A - NetScaler Application Switch Configuration
Appendix B - Layer 2/3 Switch/Router Configuration
Appendix C - Helpful NetScaler CLI Commands

Introduction

Citrix® NetScaler® optimizes the delivery of web applications, increasing security and improving performance and Web server capacity. This approach ensures the best total cost of ownership (TCO), security, availability, and performance for Web applications. The Citrix NetScaler solution is a comprehensive network system that combines high-speed load balancing and content switching with state-of-the-art application acceleration, Layer 4-7 traffic management, data compression, dynamic content caching, SSL acceleration, network optimization, and robust application security into a single, tightly integrated solution. Deployed in front of application servers, the system significantly reduces processing overhead on application and database servers, reducing hardware and bandwidth costs.

To help ensure application availability, NetScaler delivers fine-grained direction of client requests to ensure optimal distribution of traffic. In addition to Layer 4 information (protocol and port number), traffic management policies for TCP applications can be based upon any application-layer content. Administrators can granularly segment application traffic based upon information contained within an HTTP request body or TCP payload, as well as L4-7 header information such as URL, application data type or cookie. Numerous load-balancing algorithms and extensive server health checks provide greater application availability by ensuring client requests are directed only to correctly behaving servers.

With the confidence that Citrix will keep your applications online and servicing your clients, you may want to be assured that your Layer 2-3 infrastructure is built for Business Continuity as well. Many pioneering advancements have been made in Layer 2-3 switching/routing in both software and hardware features for redundancy and high availability. Force10 Networks makes full use of these advancements in their product set for both Enterprise and Service Provider class switch/routers. With VLAN features standardized by IEEE in 802.1q specifications and Layer 3 routing protocols collapsed into switching platforms, organizations can take full advantage of the consolidation paradigm.

As enterprises and service providers move toward the path of consolidation, they will continue to look for ways to guarantee Business Continuity for their customer base at higher layers on the OSI stack. Citrix NetScaler provides this through a High Availability pair, and is easy to configure through the NetScaler GUI. The Citrix NetScaler serves as the Layer 4-7 switch accepting incoming traffic from an untagged VLAN from the external network, and switching it back to the appropriate server farm on the backend. The Layer 2-3 switch/routers, running VRRP, serve as conduits for 802.1q VLANs, Trunks, VRRP Protocol, and Inter-VLAN routing using industry standard OSPF.

Combining software and hardware redundant features at Layer 2-3 with Citrix NetScaler Layer 4-7 High Availability ensures that all the network layers are covered in your datacenter to ensure uptime and business continuity, while you consolidate resources to do more with less. This deployment guide walks through the configuration details of how to configure the Citrix NetScaler and Layer 2-3 switch/router to provide this type of integration and high availability.

Prerequisites

• Citrix NetScaler L4/7 Application Switch, running version 8.0+, Quantity x 2 for HA deployment.
• Force10 L2/3 switch/routers, w/support for 802.1q Tagging & Trunking, VRRP, OSPF. Quantity x 4
• Client laptop/workstation running Internet Explorer 6.0+.

Network Diagram

The following is the network that was used to develop this deployment guide, and is representative of a solution implemented at a customer site.

[Figure: network diagram showing Citrix NetScaler 1 and Citrix NetScaler 2 (L4/7, Primary and Secondary), the E600 switch/routers F10-1 and F10-2 (L2/3), the S50N switches (L2/3), VLANs 91, 92, 96, 97 and 98, the VLAN trunk carrying VLANs xxx, and the servers.]

VLAN Legend
VLAN 91 - No Tag, VRRP
VLAN 96 - No Tag
VLAN 97 - Tag
VLAN 98 - Tag
VLAN 92 - Tag, VRRP
TRUNK

Primary NetScaler IP Addresses:
NSIP: 10.217.105.51

Primary/Secondary NetScaler Shared IP Addresses:
VIP: 192.168.2.1
VIP: 192.168.2.2
VIP: 192.168.2.4
VLAN 91: Interface 1/1, Untagged, MIP: 10.217.105.54
VLAN 96: Interface 1/1, Untagged, MIP: 192.168.2.3
VLAN xxx: Interface 1/3, Tagged
VLAN xxx: Interface 1/3, Tagged
...(etc)...
VLAN xxx: Interface 1/3, Tagged

Secondary NetScaler IP Addresses:
NSIP: 10.217.105.52

NetScaler Configuration

Deployment Model: NetScaler High Availability, Two-Arm Mode

The NetScalers in this example will be deployed as a high availability pair, in two-arm mode. Always start with the first NetScaler. The NetScalers in Two-Arm mode provide the utmost in site security, as they provide a full reverse-proxy gateway to intercept incoming traffic before it is sent to the Application servers on the backend. As the intelligence moves up the stack, the NetScaler provides the Layer 4-7 switching intelligence needed to perform Application Layer switching, caching, compression, load balancing, acceleration and security.

There are two main components that require installation in this environment: the Citrix NetScaler(s), and the Layer 2/3 switch/routers with VLAN trunking and tagging. We will start with the NetScaler configuration, step-by-step.

1) Configure NSIP on both the Primary NetScaler (NS1) and Secondary NetScaler (NS2). Connect via serial port. Default login nsroot, nsroot. Run the nsconfig command (configns if at a shell prompt), and set the NetScaler IP (NSIP).
Serial: 9600, n, 8, 1
Note: Changing the NSIP requires a reboot.
In this example:
NS1: 10.217.105.51
NS2: 10.217.105.52

2) Connect to the NetScaler via the NSIP using a web browser.
In this example:
NS1: http://10.217.105.51
NS2: http://10.217.105.52
Note: Java will be installed. Default login is: nsroot, nsroot.

If you have two Application Switches, you can deploy them in a configuration where one Application Switch actively accepts connections and manages servers, while the second monitors the first. If the first Application Switch quits accepting connections for any reason, the second Application Switch takes over and begins actively accepting connections. This prevents downtime and ensures that the services provided by the Application Switch will remain available even if one Application Switch ceases to function.

Important Considerations for NetScaler High Availability

• The passwords for the ‘nsroot’ account on both NetScalers must match. You must change these manually on the switches; they are not synchronized.
• The maximum node ID for Application Switches in an HA pair is 64.
• Both NetScaler HA peers must be running the same version of code.
• The configuration files in ‘ns.conf’ must match on both NetScalers. For this to happen, the following must occur:
  » The primary and secondary NetScaler Application switches must be configured with their own unique NSIPs.
  » The ‘node id’ and ‘IP Address’ of one Application switch must point to the other Application switch (its HA peer).
  » You must configure RPC node passwords on both Application switches. Initially, all Application Switches are configured with the same RPC node password. To enhance security, you should change these default RPC node passwords.

3) While connected to the primary NetScaler, add the Secondary node. In the NetScaler GUI, navigate to: NetScaler > System > High Availability > Add. Enter the Node ID and IP address for the Secondary HA peer. In this example: ‘2’, and 10.217.105.52.
Note: It is important to turn ‘Off’ HA Monitoring on interfaces that it is not intended for, otherwise HA Node Synchronization will not be successful. In the NetScaler GUI: Navigate to NetScaler > Network > Interfaces. Double-click the interface number(s), and turn ‘Off’ HA Monitoring.

4a) Connect to the Secondary NetScaler and tell it to take the Secondary role. Navigate to NetScaler > System > High Availability > Open > “Stay Secondary”.

4b) Connect to the Secondary NetScaler and add the Primary node. Enter the Node ID and IP address for the Primary HA peer. In this example: ‘1’, and 10.217.105.51.

4c) Both Primary and Secondary must be configured to actively participate in HA. In the NetScaler GUI on the Primary: Navigate to NetScaler > System > High Availability > ID 0 > Open. Select HA ‘Enabled’. Enable Synchronization. Enable HA Propagation. Click ‘Ok’. Repeat for Secondary.

5) A successful HA Synchronization can be viewed from the High Availability screen on either the Primary or Secondary node’s GUI. From the same screen you can ‘Force Synchronization’ or ‘Force Failover’.

High Availability Command Synchronization

In a correct HA setup, any command issued on the primary Application Switch will propagate automatically to the secondary Application Switch. Some reasons why command synchronization may not work:
• Network connectivity is down
• Resources are not available on the Secondary Application switch
• Authentication failure (nsroot and/or rpc node)
• HA Monitoring is not turned ‘On’ or ‘Off’ on the same interfaces for both nodes

Important NetScaler IP Addresses

Acronym | Description | Usage
NSIP | NetScaler IP Address | The NetScaler IP (NSIP) is the management IP address for the appliance, and is used for all management related access to the appliance. There can only be one NSIP.
MIP | Mapped IP Address | The mapped IP address (MIP) is used by the Application Switch to represent the client when communicating with the backend managed server. Mapped IP addresses (MIP) are used for server-side connections and Reverse NAT. Think of this as the client’s source address on the server-side of the Application Switch, assuming a two-arm proxy deployment. In this example you can think of it as the Tagged VLAN IP.
SNIP | Subnet IP Address | The Subnet IP address (SNIP) allows the user to access an Application Switch from an external host that is residing on another subnet. When a subnet IP address is added, a corresponding route entry is made in the route table. Only one such entry is made per subnet. The route entry corresponds to the first IP address added in the subnet.
VIP | Virtual IP Address | The Virtual Server IP address (VIP) is used by the Application Switch to represent the public facing IP address of the managed services. ARP and ICMP attributes on this IP address allow users to host the same vserver on multiple Application Switches residing on the same broadcast domain.
DFG | Default Gateway | IP Address of the router that forwards traffic outside of the subnet where the appliance is installed.

Note: NSIP is mandatory and requires a reboot.

TIP: Disabling the blinking LCD Panel
The LCD panel on the front of the NetScaler will flash intermittently until the unused interfaces are disabled and HA monitoring is turned off on them. In the GUI, navigate to NetScaler > Network > Interfaces. Select an interface, right-click to disable. Right-click to Open, and disable HA monitoring.

Add a Default Route

6) Add a default route. NetScaler > Network > Route > Add.

IP Addresses, Interfaces and VLANs

Assigning IP Addresses to Interfaces is done ‘virtually’ through the use of port based VLANs.
By default, all the interfaces on the system are in a single port-based VLAN as untagged interfaces. This VLAN is the default VLAN with a VID equal to 1. When an interface is added to a new VLAN as an untagged member, the interface is automatically removed from the default VLAN and placed in the new VLAN. This becomes a convenient feature, such that when we plug the NetScaler into a switch that is using VLANs with tagging, we only need to check the box to turn on tagging. VLANs are typically used to separate subnet traffic. If Trunking is turned On, you will see an interface as a member of more than one VLAN.

7) Create VLANs and assign Mapped IP Addresses to them. NetScaler > Network > VLANs > Add.
Note: For this example: We create VLANs 96, xxx, xxx, etc. Only VLANs xxx and higher are tagged. Interface 0/1 is our management interface, in VLAN 91. Interface 1/1 is our public interface, in VLAN 96. Interface 1/3 is the server side interface, and will be used as our 802.1q VLAN Trunk. The corresponding port on the Layer 2 switch will be configured for 802.1q Trunking.
NetScaler > Network > VLANs, to view VLAN and Interface assignments on the Application switch.

Configuring the Virtual MAC

The Virtual MAC address (VMAC) is a floating entity shared by the primary and secondary nodes in an HA setup. In an HA setup, the primary node owns all of the floating IP addresses such as MIP, SNIP, VIP, etc. It responds to ARP requests for these IP addresses with its own MAC address. As a result, the ARP table of an external device (for example, upstream router) is updated with the floating IP address and the primary node’s MAC address. When a failover occurs, the secondary node takes over as the new primary node. It then uses Gratuitous ARP to advertise the floating IP addresses that it acquired from the primary. The MAC address that the new primary advertises is that of its own interface. Some devices do not accept Gratuitous ARP messages.
You can overcome this problem by configuring a VMAC on both nodes of an HA pair. This implies that both the nodes possess identical MAC addresses. As a result, when failover occurs, the MAC address of the secondary node remains unchanged and ARP tables on the external devices do not need to be updated.

To create a VMAC, you need to create a VRID and bind it to an interface. In an HA setup, you need to bind it to the interfaces on both the primary and secondary nodes. When the VRID is bound to an interface, the system generates a VMAC with the VRID as the last octet. The generic VMAC is of the form 00:00:5e:00:01:<VRID>.

8) Assign a VMAC. Navigate to NetScaler > Network > VMAC > Add. Add a Virtual Router ID to the Interface that HA Monitoring is enabled on.

High Availability Failover Operation

The secondary Application Switch monitors the primary by sending periodic messages, or health checks, to the primary to determine whether it is accepting connections or not. If a health check fails, the secondary retries the connection for a specific time period until it determines that the primary Application Switch is not functioning normally. After making that determination, the secondary Application Switch takes over for the primary, a process called failover.

During HA monitoring, all enabled ports on the Primary NetScaler are ‘active’, while all enabled ports on the Secondary NetScaler are ‘passive’. An HA failover event will occur anytime a network failure occurs which affects any critical NetScaler port which has HA monitoring (HAMON) enabled on it. HA Monitoring allows both the Primary & Secondary NetScalers to monitor each other’s status via HA heartbeat packets sent at the interval, in milliseconds, specified by the Hello Interval parameter.
An HA failover event occurs when the secondary NS does not receive an HA heartbeat on one of its HAMON enabled ports within the time frame specified in seconds by the Dead Interval parameter, or anytime the “force HA failover” NetScaler CLI command is issued.

9a) To test HA Failover or reset back to Primary / Secondary roles, you can ‘Force Failover’ from the High Availability screen.

Before HA Failover

9b) The status of HA Monitoring can be seen by clicking on the ‘Details’ button in the High Availability screen of the NetScaler GUI. View Node Details, before HA Failover.
[Screenshots: node details for the Primary and the Secondary, before HA failover.]
[Figure: Traffic Flow Before HA Failover.]

After HA Failover

9c) View Node Details after HA Failover.
[Screenshots: node details for the Primary and the Secondary, after HA failover.]
[Figure: Traffic Flow After HA Failover.]

Note: Refer to the NetScaler Application Switch Installation and Configuration Guide for more information on how to use Link Redundancy, Route Monitors, and Interface Throughput as High Availability monitors.
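
The HA considerations and the VMAC rule described above can be checked with a script before synchronization is enabled. The following Python is an added example, not part of the original guide or of any Citrix tooling: it parses a constructed subset of the Appendix A commands for each node and reports mismatches. The function names (sample, parse, vmac, audit) are hypothetical, and writing the VRID octet in hexadecimal is an assumption.

```python
# Added example: HA pre-flight check over two NetScaler command listings.

def sample(nsip, peer_id, peer_ip, mon_1_3="ON"):
    """Constructed input: a subset of the Appendix A commands for one node."""
    return "\n".join([
        "set ns config \u2013IPAddress %s -netmask 255.255.255.0" % nsip,
        "set ns config -mappedIP 10.217.105.54",
        "add HA node %d %s" % (peer_id, peer_ip),
        "# Disable any interfaces not connected or not being used for traffic",
        "disable interface 1/2",
        "set interface 0/1 -haMonitor ON -trunk OFF",
        "set interface 1/1 -haMonitor ON -trunk OFF",
        "set interface 1/2 -haMonitor OFF -trunk OFF",
        "set interface 1/3 -haMonitor %s -trunk ON" % mon_1_3,
        "add vrID 60",
        "bind vrID 60 -ifnum 0/1",
    ])


def parse(conf):
    """Extract the HA-relevant settings from one node's command listing."""
    node = {"nsip": None, "peer": None, "hamon": {}, "disabled": set(), "vrids": {}}
    for raw in conf.splitlines():
        # Copies taken from PDFs often carry an en dash instead of '-'.
        tok = raw.replace("\u2013", "-").split()
        low = [t.lower() for t in tok]
        if not tok or tok[0].startswith("#"):
            continue
        if low[:3] == ["set", "ns", "config"] and "-ipaddress" in low:
            node["nsip"] = tok[low.index("-ipaddress") + 1]
        elif low[:3] == ["add", "ha", "node"] and len(tok) >= 5:
            node["peer"] = (int(tok[3]), tok[4])
        elif low[:2] == ["disable", "interface"] and len(tok) >= 3:
            node["disabled"].add(tok[2])
        elif low[:2] == ["set", "interface"] and "-hamonitor" in low:
            node["hamon"][tok[2]] = tok[low.index("-hamonitor") + 1].upper() == "ON"
        elif low[:2] == ["bind", "vrid"] and "-ifnum" in low:
            ifnum = tok[low.index("-ifnum") + 1]
            node["vrids"].setdefault(int(tok[2]), set()).add(ifnum)
    return node


def vmac(vrid):
    """VMAC for a VRID: 00:00:5e:00:01:<VRID>, VRID written as one hex octet."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255 to fit the last octet")
    return "00:00:5e:00:01:%02x" % vrid


def audit(primary_conf, secondary_conf):
    """Return (findings, vmacs) for an HA pair; an empty findings list is a pass."""
    pri, sec = parse(primary_conf), parse(secondary_conf)
    findings = []
    if pri["nsip"] is None or sec["nsip"] is None:
        findings.append("NSIP missing on at least one node")
    elif pri["nsip"] == sec["nsip"]:
        findings.append("both nodes use the same NSIP %s" % pri["nsip"])
    for name, me, other in (("primary", pri, sec), ("secondary", sec, pri)):
        if me["peer"] is None:
            findings.append("%s: no HA peer node configured" % name)
        else:
            node_id, peer_ip = me["peer"]
            if peer_ip != other["nsip"]:
                findings.append("%s: peer %s is not the other node's NSIP" % (name, peer_ip))
            if node_id > 64:
                findings.append("%s: node ID %d exceeds the maximum of 64" % (name, node_id))
        for ifnum in sorted(me["disabled"]):
            if me["hamon"].get(ifnum):
                findings.append("%s: HA monitoring ON for disabled interface %s" % (name, ifnum))
        for vrid, ifnums in sorted(me["vrids"].items()):
            for ifnum in sorted(ifnums):
                if not me["hamon"].get(ifnum):
                    findings.append("%s: VRID %d bound to %s without HA monitoring"
                                    % (name, vrid, ifnum))
    # HA monitoring must be ON/OFF on the same interfaces of both nodes.
    for ifnum in sorted(set(pri["hamon"]) | set(sec["hamon"])):
        if pri["hamon"].get(ifnum) != sec["hamon"].get(ifnum):
            findings.append("HA monitoring differs on interface %s" % ifnum)
    if pri["vrids"] != sec["vrids"]:
        findings.append("VRID bindings differ between the nodes")
    vmacs = {v: vmac(v) for v in sorted(set(pri["vrids"]) | set(sec["vrids"]))}
    return findings, vmacs


if __name__ == "__main__":
    ns1 = sample("10.217.105.51", 2, "10.217.105.52")
    print(audit(ns1, sample("10.217.105.52", 1, "10.217.105.51")))
    print(audit(ns1, sample("10.217.105.52", 1, "10.217.105.51", mon_1_3="OFF"))[0])
```

An empty findings list means the two listings agree on the points the guide calls out; any finding should be resolved before forcing synchronization or failover.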

Appendix A - NetScaler Application Switch Configuration

Primary NetScaler

set ns config -IPAddress 10.217.105.51 -netmask 255.255.255.0
set ns config -mappedIP 10.217.105.54
add HA node 2 10.217.105.52
# Disable any interfaces not connected or not being used for traffic
disable interface 1/2
disable interface 1/4
disable interface 1/5
disable interface 1/6
disable interface 1/7
disable interface 1/8
set interface 0/1 -haMonitor ON -trunk OFF
set interface 1/1 -haMonitor ON -trunk OFF
set interface 1/2 -haMonitor OFF -trunk OFF
set interface 1/3 -haMonitor ON -trunk ON
set interface 1/4 -haMonitor OFF -trunk OFF
set interface 1/5 -haMonitor OFF -trunk OFF
set interface 1/6 -haMonitor OFF -trunk OFF
set interface 1/7 -haMonitor OFF -trunk OFF
set interface 1/8 -haMonitor OFF -trunk OFF
add ns ip 10.217.105.54 255.255.255.0 -type MIP -vServer DISABLED
add ns ip 10.1.1.50 255.255.255.0 -type MIP -vServer DISABLED
add ns ip 192.168.2.1 255.255.255.0 -type VIP -snmp DISABLED
add ns ip 192.168.2.2 255.255.255.0 -type VIP -snmp DISABLED
add ns ip 192.168.2.4 255.255.255.0 -type VIP -snmp DISABLED
add vlan 96
add vlan xxx
add vlan xxx
add vlan xxx
add vlan xxx
add vlan xxx
add vlan xxx
add vlan xxx
add vlan xxx
add vlan xxx
add vlan xxx
...
add vlan nnn
...
bind vlan 96 -ifnum 1/1
bind vlan 96 -IPAddress 192.168.2.3 255.255.255.0
bind vlan xxx -ifnum 1/3 -tagged
bind vlan xxx -IPAddress 10.1.1.50 255.255.255.0
bind vlan xxx -ifnum 1/3 -tagged
bind vlan xxx -ifnum 1/3 -tagged
bind vlan xxx -ifnum 1/3 -tagged
bind vlan xxx -ifnum 1/3 -tagged
bind vlan xxx -ifnum 1/3 -tagged
bind vlan xxx -ifnum 1/3 -tagged
bind vlan xxx -ifnum 1/3 -tagged
bind vlan xxx -ifnum 1/3 -tagged
bind vlan xxx -ifnum 1/3 -tagged
...
bind vlan nnn
...
add vrID 60
bind vrID 60 -ifnum 0/1
# Add servers
add server svr1 10.1.1.1 -state ENABLED
add server webmail-svr1 10.1.1.3 -state ENABLED
add server smtp_svr1 10.1.1.3 -state ENABLED
add server smtp_svr2 10.1.1.4 -state ENABLED
add server smtp_svr3 10.1.1.5 -state ENABLED
# Add services (server name, protocol, port)
add service svc1 svr1 HTTP 80
add service webmail-svc1 webmail-svr1 HTTP 80
add service smtp_svc1 smtp_svr1 TCP 25
add service smtp_svc2 smtp_svr2 TCP 25
add service smtp_svc3 smtp_svr3 TCP 25
.
# Add load-balancing virtual servers; http_vip1 is the name the bind and set commands below refer to
add lb vserver http_vip1 HTTP 192.168.2.10 80 -lbMethod ROUNDROBIN
add lb vserver webmail-vip1 HTTP 192.168.2.11 80 -lbMethod ROUNDROBIN
add lb vserver smtp_vip1 TCP 192.168.2.12 25 -lbMethod ROUNDROBIN
add lb vserver smtp_vip2 TCP 192.168.2.13 25 -lbMethod ROUNDROBIN
add lb vserver smtp_vip3 TCP 192.168.2.14 25 -lbMethod ROUNDROBIN
.
# Bind services to virtual servers
bind lb vserver webmail-vip1 webmail-svc1 -weight 1
bind lb vserver http_vip1 svc1 -weight 1
bind lb vserver smtp_vip1 smtp_svc1 -weight 1
bind lb vserver smtp_vip2 smtp_svc2 -weight 1
bind lb vserver smtp_vip3 smtp_svc3 -weight 1
.
bind lb monitor tcp svc1 -state ENABLED
bind lb monitor ping webmail-vip1 -state ENABLED
.
set vserver webmail-vip1 -cacheable NO -cltTimeout 180
set vserver http_vip1 -cacheable NO -cltTimeout 180
set vserver smtp_vip1 -cacheable NO -cltTimeout 9000
set vserver smtp_vip2 -cacheable NO -cltTimeout 9000
set vserver smtp_vip3 -cacheable NO -cltTimeout 9000

Secondary NetScaler

set ns config -IPAddress 10.217.105.52 -netmask 255.255.255.0
set ns config -mappedIP 10.217.105.54
add HA node 1 10.217.105.51
# Disable any interfaces not connected or not being used for traffic
disable interface 1/2
disable interface 1/4
disable interface 1/5
disable interface 1/6
disable interface 1/7
disable interface 1/8
set interface 0/1 -haMonitor ON -trunk OFF
set interface 1/1 -haMonitor ON -trunk OFF
set interface 1/2 -haMonitor OFF -trunk OFF
set interface 1/3 -haMonitor ON -trunk ON
set interface 1/4 -haMonitor OFF -trunk OFF
set interface 1/5 -haMonitor OFF -trunk OFF
set interface 1/6 -haMonitor OFF -trunk OFF
set interface 1/7 -haMonitor OFF -trunk OFF
set interface 1/8 -haMonitor OFF -trunk OFF
add vlan 96
add vlan xxx
add vlan xxx
add vlan xxx
add vlan xxx
add vlan xxx
add vlan xxx
add vlan xxx
add vlan xxx
add vlan xxx
add vlan xxx
...
add vlan nnn
...
bind vlan 96 -ifnum 1/1
bind vlan 96 -IPAddress 192.168.2.3 255.255.255.0
bind vlan xxx -ifnum 1/3 -tagged
bind vlan xxx -IPAddress 10.1.1.50 255.255.255.0
bind vlan xxx -ifnum 1/3 -tagged
bind vlan xxx -ifnum 1/3 -tagged
bind vlan xxx -ifnum 1/3 -tagged
bind vlan xxx -ifnum 1/3 -tagged
bind vlan xxx -ifnum 1/3 -tagged
bind vlan xxx -ifnum 1/3 -tagged
bind vlan xxx -ifnum 1/3 -tagged
bind vlan xxx -ifnum 1/3 -tagged
bind vlan xxx -ifnum 1/3 -tagged
...
bind vlan nnn
...
add vrID 60
bind vrID 60 -ifnum 0/1
...
... Secondary will Sync to Primary...

Appendix B - Layer 2/3 Switch/Router Configuration

Primary Switch/Router

!
hostname F10-2
!
interface GigabitEthernet 0/0
 ip address 192.168.6.121/24
 no shutdown
!
interface GigabitEthernet 0/2
 no ip address
 no shutdown
!
interface GigabitEthernet 0/4
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 0/7
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 0/12
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 0/13
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 0/14
 no ip address
 shutdown
!
interface GigabitEthernet 0/23
 no ip address
 no shutdown
!
interface GigabitEthernet 1/2
 no ip address
 no shutdown
!
interface ManagementEthernet 0/0
 no shutdown
!
interface ManagementEthernet 1/0
 ip address 192.168.0.1/24
 no shutdown
!
interface Port-channel 1
 ip address 192.168.39.138/24
 channel-member GigabitEthernet 0/2
 channel-member GigabitEthernet 1/2
 no shutdown
!
interface Port-channel 10
 no ip address
 switchport
 channel-member GigabitEthernet 0/23
 channel-member GigabitEthernet 1/3
 no shutdown
!
interface Vlan 96
 ip address 192.168.59.251/24
 tagged Port-channel 10
 untagged GigabitEthernet 0/12
 no ip proxy-arp
 !
 vrrp-group 7
  advertise-interval 5
  priority 40
  virtual-address 10.1.1.254
 !
 vrrp-group 9
  advertise-interval 5
  priority 50
  virtual-address 10.1.1.253
 no shutdown
!
interface Vlan xxx
 no ip address
 tagged GigabitEthernet 0/7,13
 no shutdown
!
interface Vlan xxx
 ip address 10.1.3.251/24
 tagged GigabitEthernet 0/4,13
 no shutdown
!
interface Vlan xxx
 ip address 10.1.4.251/24
 tagged GigabitEthernet 0/4,13
 no shutdown
!
interface Vlan xxx
 ip address 10.1.5.251/24
 tagged GigabitEthernet 0/4,13
 no shutdown
!
interface Vlan xxx
 ip address 10.1.6.251/24
 tagged GigabitEthernet 0/4,13
 no shutdown
!
interface Vlan xxx
 ip address 10.1.7.251/24
 tagged GigabitEthernet 0/4,13
 no shutdown
!
interface Vlan xxx
 ip address 10.1.8.251/24
 tagged GigabitEthernet 0/4,13
 no shutdown
!
. . .
interface Vlan xxx
 ip address 10.1.254.251/24
 tagged GigabitEthernet 0/4,13
 no shutdown
!

Secondary Switch/Router

!
hostname F10-1
!
interface GigabitEthernet 0/0
 ip address 192.168.49.114/24
 no shutdown
!
interface GigabitEthernet 0/2
 no ip address
 no shutdown
!
interface GigabitEthernet 0/4
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 0/7
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 0/12
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 0/13
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 0/14
 no ip address
 no shutdown
!
interface GigabitEthernet 0/23
 no ip address
 no shutdown
!
interface GigabitEthernet 1/2
 no ip address
 no shutdown
!
interface ManagementEthernet 0/0
 no shutdown
!
interface ManagementEthernet 1/0
 ip address 172.31.1.31/24
 no shutdown
!
interface Port-channel 1
 ip address 192.168.39.137/24
 channel-member GigabitEthernet 0/2
 channel-member GigabitEthernet 1/2
 no shutdown
!
interface Port-channel 10
 no ip address
 switchport
 channel-member GigabitEthernet 0/23
 channel-member GigabitEthernet 1/3
 no shutdown
!
interface Vlan 96
 ip address 192.168.59.252/24
 tagged Port-channel 10
 untagged GigabitEthernet 0/12
 no ip proxy-arp
 !
 vrrp-group 7
  advertise-interval 5
  priority 50
  virtual-address 192.168.59.254
 !
 vrrp-group 9
  advertise-interval 5
  priority 40
  virtual-address 192.168.59.253
 no shutdown
!
interface Vlan xxx
 ip address 10.1.1.252/24
 ip address 172.21.1.254/24 secondary
 tagged GigabitEthernet 0/4,13
 track ip GigabitEthernet 0/4
 no ip proxy-arp
!
interface Vlan xxx
 no ip address
 tagged GigabitEthernet 0/7,13
 no shutdown
!
interface Vlan xxx
 ip address 10.1.3.252/24
 tagged GigabitEthernet 0/4,13
 no shutdown
!
interface Vlan xxx
 ip address 10.1.4.252/24
 tagged GigabitEthernet 0/4,13
 no shutdown
!
interface Vlan xxx
 ip address 10.1.5.252/24
 tagged GigabitEthernet 0/4,13
 no shutdown
!
interface Vlan xxx
 ip address 10.1.6.252/24
 tagged GigabitEthernet 0/4,13
 no shutdown
!
interface Vlan xxx
 ip address 10.1.7.252/24
 tagged GigabitEthernet 0/4,13
 no shutdown
!
interface Vlan xxx
 ip address 10.1.8.252/24
 tagged GigabitEthernet 0/4,13
 no shutdown
!
interface Vlan xxx
 ip address 10.1.254.252/24
 tagged GigabitEthernet 0/4,13
 no shutdown
!

Appendix C - Helpful NetScaler CLI Commands

The NetScaler Application switch can also be managed and configured via CLI commands, by connecting to the serial port or over an SSH connection to the NSIP. The following commands can be used in lieu of the NetScaler GUI for operations detailed in this deployment guide.

> nsconfig (configns)
> show rpcnodes
> set rpcnode <IP_address> -password <PASSWORD>
> disable interface <ifnum>
> set interface <ifnum> -hamonitor OFF
> add node <id> <ipAddress>
> set node -hastatus STAYSECONDARY
> set node -hastatus ENABLE
> show node
> force HA sync
> force HA failover
> set ha node -hasync DISABLE
> set ha node -hasync ENABLE
> show ip
> show interface