CNS-223-1I Implement Citrix ADC 13.x: Basic Networking Lab Manual
Basic Networking
CNS-223-1I Implement Citrix ADC 13.x
PUBLISHED BY
Citrix Systems, Inc.
851 West Cypress Creek Road Fort
Lauderdale, Florida 33309 USA
http://www.citrix.com
All rights reserved. Citrix, the Citrix logo are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries,
and may be registered with the U.S. Patent and Trademark Office and in other countries. [Citrix ADC.] All other marks
appearing herein are the property of their respective owners.
Citrix Systems, Inc. (Citrix) makes no representations or warranties with respect to the content or use of this
publication. Citrix specifically disclaims any expressed or implied warranties, merchantability or fitness for any
particular purpose. Citrix reserves the right to make any changes in specifications and other information contained
in this publication without prior notice and without obligation to notify any person or entity of such revisions or
changes.
No part of the publication may be reproduced or transmitted in any form or by any means, electronic or mechanical,
including photocopying, recording or information storage and retrieval systems, for any purpose other than the
purchaser’s personal use, without express written permission of.
Credits Page
Title                           Name
Architect                       Jesse Wilson
Product Managers                Lissette Jimenez
Technical Solutions Developers  Aman Sharma
                                Anton Mayers
                                Shruti V. Dhamale
                                Ravindra G Hunashimarad
                                Uma Upraity
Offering Manager                Amit Ben-Chanoch
Instructional Designer          Jayshree Nair
Graphics Designer               Ryan Flowers
Publication Services            Rahul Mohandas
Special Thanks                  Layer8 Training
Contents
Credits Page
Lab Manual Overview
Lab Environment Overview
Module 2: Basic Networking
Exercise 2-1: Configuring Networking (GUI)
Exercise 2-1: Configuring Networking (CLI)
CNS-223-1I Citrix ADC 13.x Essentials
SERVER LIST
GRN.workspacelab.com
After the initial Citrix ADC configuration, you are tasked with configuring the Citrix ADC with
networking access. The Citrix ADC is configured with a two-interface inline configuration.
The Citrix ADC needs to be configured with a default gateway for the Citrix ADC
Management network (192.168.10.0/24). Through the management network, the Citrix ADC
will also have access to the Backend Network (192.168.30.0/24). Virtual IP addresses will be
hosted in the Frontend network (172.21.10.0/24).
In this environment, interface 1/1 is associated with the Frontend Network and interface
0/1 is associated with the Management and Backend Networks.
During the networking configuration of the NYC-ADC-001, you need to address multiple
configuration objectives.
• Implement a VLAN configuration and prevent access to the NSIP address from the
Frontend Network and the associated interface (1/1).
• Enable MAC-based forwarding to ensure that traffic returns over the same interface
it was received.
This Citrix ADC is being deployed in an inline configuration where interface 1/1 will act as
the frontend interface with access to the 172.21.10.0/24 (Frontend) network and interface
0/1 will act as the backend interface with access to the 192.168.10.0/24 (Management) and
192.168.30.0/24 (Backend) networks.
The NSIP will continue to be associated with the native VLAN (VLAN 1). But the frontend
interface (1/1) will be associated with VLAN 2, which will remove it from the native VLAN.
This will isolate interface 1/1 from accessing the NSIP. With only one interface remaining
associated with VLAN 1, this effectively isolates the NSIP (and other management SNIPs) to
only being accessible from VLAN 1 over interface 0/1.
• Configure VLAN 2 on the Citrix ADC and restrict it to interface 1/1 only.
• Associate a network with VLAN 2 and interface 1/1 for frontend resources. The
Frontend Network will be hosting virtual IP addresses only, so no additional Subnet
IP addresses will be required. Instead, create an initial virtual IP address
172.21.10.101 with a 255.255.255.0 Netmask and bind it to VLAN 2. This will limit
access to all virtual IP addresses in the 172.21.10.0 /24 network that will be
configured in later exercises to interface 1/1 and VLAN 2 only.
VLAN Configuration Summary:
VLAN  Interface  IP Address and Netmask  Details
1     0/1        <Default>               NSIP and SNIPs in 192.168.10.0 /24 network.
• Configure interface, IP address, and route properties on the Citrix ADC. Bind IP
addresses and interfaces to VLANs to manage traffic flow.
This module contains the following exercise using the Citrix ADC Configuration Utility GUI
and the Citrix ADC CLI:
For Module 2, connect to your assigned Hyper-V Manager console and verify that the
following virtual machines are running. If any of the virtual machines are not running, use
Hyper-V Manager to turn them on. Otherwise, Hyper-V Manager will not be needed for the
rest of the module.
• NYC-ADC-001
In this exercise, you will learn to configure a Virtual IP, VLANs, and MAC-based Forwarding.
You will use the Citrix ADC Configuration Utility GUI to perform this exercise.
Step Action
1. Connect to the Citrix ADC NYC-ADC-001 configuration utility at http://192.168.10.101.
Wait a few seconds for the ping output to display and confirm connectivity with backend addresses
(in the 192.168.30.0/24 network).
• Click Close and Close to close the ping utility.
Note: All of the virtual IP addresses that this Citrix ADC hosts will be in the 172.21.10.0 /24 subnet. This
exercise adds the initial VIP 172.21.10.101 and defines the subnet. The subnet is being configured for
association with the VLAN in a later exercise.
4. Verify that the following IP addresses are displayed in the IPV4s IP Address list under
System > Network > IPs:
• 192.168.10.101 (NSIP)
• 192.168.10.111 (SNIP)
• 172.21.10.101 (VIP)
5. Create a VLAN for the Frontend Network where the VIPs reside and associate it with the frontend
interface 1/1.
• Browse to System > Network > VLANs.
• Click Add.
6. Create VLAN 2 and bind it to interface 1/1 and the IP subnet 172.21.10.101 /24:
• Enter 2 in the VLAN ID field.
• Select the 1/1 checkbox on the Interface Bindings tab. The Tagged field checkbox
should remain unselected.
• Click the IP Bindings tab.
• Select the 172.21.10.101 checkbox to associate the VIP and its subnet with the VLAN.
• Click Create.
Note: Binding interface 1/1 with VLAN 2 removes it from the default VLAN 1 on the Citrix ADC. Binding
the virtual IP 172.21.10.101 /24 with the VLAN also forces all virtual IPs in this network to be
associated with the MAC address of interface 1/1 only.
If the wrong interface or IP address is bound to VLAN 2, students may lose access to the Citrix ADC
management interface. In that case, use Hyper-V Manager to access the console for NYC-ADC-001,
remove the VLAN, and reconfigure the correct VLAN from the CLI.
7. Verify VLAN configuration:
• View VLAN summary at System > Network > VLANs.
• Verify that VLAN 1 is associated with bound interfaces 0/1 and LO/1.
• Verify that VLAN 2 is associated with bound interface 1/1.
RESULT: The NSIP, SNIP, and VLAN 1 are accessible from the backend interface 0/1. All VIPs and VLAN
2 are accessible via the frontend interface 1/1.
Note: We are enabling MAC-based Forwarding (MBF) to simplify our routing table. MBF should only be used
in certain environments and specific network setups. Certain features like PBR will not work with MBF.
9. Test Connectivity from the Citrix ADC to a backend network address:
• Browse to System > Diagnostics.
• Click Ping (under Utilities).
Use the following parameters to verify connectivity:
• Type 192.168.30.51 in Host Name field.
• Type 3 in the Count field.
• Click Run.
Wait a few seconds for the ping output to display and confirm connectivity with backend addresses
(in the 192.168.30.0/24 network).
Key Takeaways:
• A default route is specified to guarantee access to the NSIP and the management
network.
• IP addresses on the Citrix ADC are owned by all interfaces (by default). To restrict
access to specific IP addresses and a specific interface, use a VLAN.
• The NSIP is associated with the NSVLAN. By default, the NSVLAN is the native VLAN on
the appliance, VLAN 1. While the NSVLAN can be changed, it is preferable to keep it
on VLAN 1. Since all interfaces are also associated with VLAN 1, the NSIP is accessible
from all interfaces by default.
• An interface can only participate in a single port-based VLAN at a time. By binding an
interface with a VLAN, you can limit which interfaces do or do not have access to the
native VLAN. As a result, access to the NSIP can be limited to only specific interfaces
as appropriate.
• Configure VLAN 2 and restrict access to interface 1/1 and the Virtual IP range.
• Enable MAC-based forwarding mode.
Step Action
1. Connect to NYC-ADC-001 at the new NSIP (192.168.10.101) using SSH (PuTTY).
Note: All of the virtual IP addresses this Citrix ADC will host will be in the 172.21.10.0 /24 subnet. This
exercise adds the initial VIP 172.21.10.101 and defines the subnet. The subnet is being configured for
association with the VLAN in a later exercise.
4. Configure a VLAN:
RESULT: The NSIP, SNIP, and VLAN 1 are accessible from the "backend" interface (0/1). All VIPs
are accessible via the "frontend" interface (1/1).
Note: Binding interface 1/1 with VLAN 2 removes it from the default VLAN 1 on the Citrix ADC.
Binding the virtual IP 172.21.10.101 /24 with the VLAN also forces all Virtual IP addresses in this
network to be associated with the MAC address of interface 1/1 only.
If the wrong interface or IP address is bound to VLAN 2, students may lose access to the Citrix ADC
management interface. In that case, use Hyper-V Manager to access the console for NYC-ADC-001,
remove the VLAN, and reconfigure the correct VLAN from the CLI.
Verify that interfaces 0/1 and the loopback interface (LO/1) are still part of VLAN 1.
Verify that interface 1/1 and the Subnet IP are associated with VLAN 2.
Note: We are enabling MAC-based Forwarding (MBF) to simplify our routing table. MBF should only
be used in certain environments and specific network setups. Certain features like Policy Based
Routing (PBR) will not work with MBF.
7. Verify connectivity again:
ping -c 3 192.168.30.51
8. Save the Citrix ADC configuration:
save ns config
Key Takeaways:
• A default route is specified to guarantee access to the NSIP and the management
network.
• IP addresses on the Citrix ADC are owned by all interfaces (by default). To restrict
access to specific IP addresses and a specific interface, use a VLAN.
• The NSIP is associated with the NSVLAN. By default, the NSVLAN is the native VLAN on
the appliance, VLAN 1. While the NSVLAN can be changed, we recommend keeping it
on VLAN 1. Since all interfaces are also associated with VLAN 1, the NSIP is accessible
from all interfaces by default.
• An interface can only participate in a single port-based VLAN at a time. By binding an
interface with a VLAN, you can limit which interfaces do or do not have access to the
native VLAN. As a result, access to the NSIP can be limited to only specific interfaces
as appropriate.
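The following is an added example, not part of the Citrix lab manual: a Python check that reads ns.conf-style lines and reports whether the NSIP is reachable only through the management interface, including the two lockout cases the notes above warn about. The configuration excerpt is constructed from the lab's addresses; the function name, the assumption that the NSVLAN is VLAN 1, and the treatment of tagged bindings (the interface stays in the native VLAN) are assumptions of this example.

```python
import ipaddress

# Constructed ns.conf excerpt (not taken from the lab appliance), using the lab's addresses.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.168.10.101 -netmask 255.255.255.0
enable ns mode FR L3 MBF Edge USNIP PMTUD
add ns ip 192.168.10.111 255.255.255.0 -type SNIP
add ns ip 172.21.10.101 255.255.255.0 -type VIP
add vlan 2
bind vlan 2 -ifnum 1/1
bind vlan 2 -IPAddress 172.21.10.101 255.255.255.0
"""

def audit_nsip_isolation(conf, interfaces, mgmt_ifaces, native_vlan=1):
    """Return findings; an empty list means the NSIP is reachable only via mgmt_ifaces.

    interfaces: physical interfaces to evaluate (leave out the loopback LO/1).
    """
    nsip, moved, bound_nets = None, {}, {}
    for line in conf.splitlines():
        tok = line.split()
        if tok[:3] == ["set", "ns", "config"] and "-IPAddress" in tok:
            nsip = ipaddress.ip_address(tok[tok.index("-IPAddress") + 1])
        elif tok[:2] == ["bind", "vlan"] and "-ifnum" in tok and "-tagged" not in tok:
            # An untagged (port-based) binding takes the interface out of the native VLAN.
            i = tok.index("-ifnum") + 1
            while i < len(tok) and not tok[i].startswith("-"):
                moved[tok[i]] = int(tok[2])
                i += 1
        elif tok[:2] == ["bind", "vlan"] and "-IPAddress" in tok:
            i = tok.index("-IPAddress")
            net = ipaddress.ip_network(f"{tok[i + 1]}/{tok[i + 2]}", strict=False)
            bound_nets[net] = int(tok[2])
    findings = []
    for ifc in interfaces:
        in_native = moved.get(ifc, native_vlan) == native_vlan
        if in_native and ifc not in mgmt_ifaces:
            findings.append(f"NSIP reachable from non-management interface {ifc}")
        if not in_native and ifc in mgmt_ifaces:
            findings.append(f"management interface {ifc} removed from VLAN {native_vlan}")
    for net, vlan in bound_nets.items():
        if nsip is not None and nsip in net and vlan != native_vlan:
            findings.append(f"NSIP subnet {net} bound to VLAN {vlan}")
    return findings

if __name__ == "__main__":
    print(audit_nsip_isolation(SAMPLE_NS_CONF, ["0/1", "1/1"], {"0/1"}))
```

An empty result corresponds to the RESULT stated in the exercise: VLAN 1 and the NSIP on interface 0/1 only, VLAN 2 on interface 1/1.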