
CNS-223-1I Implement Citrix ADC 13.x

Basic Networking

Lab Manual - Version 5.0

PUBLISHED BY
Citrix Systems, Inc.
851 West Cypress Creek Road Fort
Lauderdale, Florida 33309 USA
http://www.citrix.com

Copyright © 2020 by Citrix Systems, Inc.

All rights reserved. Citrix, the Citrix logo are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries,
and may be registered with the U.S. Patent and Trademark Office and in other countries. [Citrix ADC.] All other marks
appearing herein are the property of their respective owners.

Citrix Systems, Inc. (Citrix) makes no representations or warranties with respect to the content or use of this
publication. Citrix specifically disclaims any expressed or implied warranties, merchantability or fitness for any
particular purpose. Citrix reserves the right to make any changes in specifications and other information contained
in this publication without prior notice and without obligation to notify any person or entity of such revisions or
changes.

No part of the publication may be reproduced or transmitted in any form or by any means, electronic or mechanical,
including photocopying, recording or information storage and retrieval systems, for any purpose other than the
purchaser’s personal use, without express written permission of.


Credits Page

Title | Name
Architect | Jesse Wilson
Product Managers | Lissette Jimenez
Technical Solutions Developers | Aman Sharma, Anton Mayers, Shruti V. Dhamale, Ravindra G Hunashimarad, Uma Upraity
Offering Manager | Amit Ben-Chanoch
Instructional Designer | Jayshree Nair
Graphics Designer | Ryan Flowers
Publication Services | Rahul Mohandas
Special Thanks | Layer8 Training


Contents

• Credits Page
• Lab Manual Overview
• Lab Environment Overview
• Module 2: Basic Networking
• Exercise 2-1: Configuring Networking (GUI)
• Exercise 2-1: Configuring Networking (CLI)


Lab Manual Overview


In this Lab Manual, you will get valuable hands-on experience with Citrix ADC and its features.
This Lab Manual will enable you to work with product components and perform the required
steps for initial configuration, High Availability, Load Balancing, and SSL Offload.

Lab exercises are provided for both the Citrix ADC Configuration Utility (GUI) and the Citrix
ADC CLI. Students only need to perform one set of labs, either all GUI or all CLI, for a given
module. The other set of exercises may be used for reference. Identify how to connect to the
Citrix ADCs for each set of lab exercises.

We recommend that you use Chrome to connect to the Citrix ADC Configuration Utility when
using the GUI to perform labs.

When testing web content, any browser may be used. However, you may find it simpler to
make management connections in one browser, such as Chrome, and perform application
testing in another browser, such as Firefox.

When performing lab exercises from the CLI, you will need to connect to the Citrix ADC
Management IPs (above) using SSH. The lab environment uses PuTTY as the SSH client and
WinSCP as the SFTP/SCP client.

Before starting exercises in each module, determine if you will be working in the GUI or CLI for
that module. You are encouraged to explore both versions of the lab exercises, but the
exercises are written so that only one set of exercises (GUI or CLI) can be performed at any one
time, not both.

Each exercise will identify which Citrix ADC or Management IP to connect to and which account
to use for logon if not the default account (nsroot/nsroot). We also recommend that you
save the configuration at the end of each exercise unless the exercise states otherwise.

CNS-223-1I Citrix ADC 13.x Essentials

Lab Environment Overview


LAB DIAGRAM

SERVER LIST

Virtual Machine Name | Domain FQDN | IP Address | Description
NYC-ADS-001 | NYC-ADS-001.workspacelab.com | 192.168.30.11 | Domain Controller (Workspacelab.com)
NYC-ADS-002 | NYC-ADS-002.workspacelab.com | 192.168.30.12 | Domain Controller 2 (Workspacelab.com)
NYC-LMP-001 | NYC-LMP-001.workspacelab.com | 192.168.30.61 | MYSQL Database Server
NYC-LMP-002 | NYC-LMP-002.workspacelab.com | 192.168.30.62 | MYSQL Database Server
NYC-WEB-RED | NYC-WEB-RED.workspacelab.com | 192.168.30.51 | Web Server
NYC-WEB-BLU | NYC-WEB-BLU.workspacelab.com | 192.168.30.52 | Web Server
NYC-WEB-GRN | NYC-WEB-GRN.workspacelab.com | 192.168.30.53 | Web Server
NYC-WEB-REMOTE | NYC-WEB-REMOTE.workspacelab.com | 172.22.15.41 | Web Server
Student Desktop | - | 192.168.10.254 | Hyper-V host and landing desktop. All labs performed from this system.

Citrix ADC List

Virtual Machine Name | NSIP Address | Subnet IP (SNIP) Address | Description
NYC-ADC-001 (Initial) | 192.168.100.1 /16 | N/A | Citrix ADC initial configuration starts as an “out-of-box” MPX appliance with the default NSIP address specified. This will be changed in the first exercise.
NYC-ADC-001 | 192.168.10.101 | SNIP1: 192.168.10.111 (traffic); SNIP2: 192.168.10.103 (mgmt) | NYC-ADC-001 is the principal Citrix ADC for most exercises. It will be in an HA Pair with NYC-ADC-002, and they will be managed using the shared SNIP 192.168.10.103.
NYC-ADC-002 | 192.168.10.102 | | Secondary member of HA Pair with NYC-ADC-001.

CREDENTIALS LIST: Training Domain Users and Groups

User Name | Groups | Password | Description
administrator | Domain Admins | Password1 | Domain administrator account which can be used to access domain controllers. Otherwise, not needed in class.
trainNSAdmin | Training_NSAdmins | Password1 | Domain account used in Citrix ADC delegated administration exercise.
trainNSOperator | Training_NSOperators | Password1 | Domain account used in Citrix ADC delegated administration exercise.
trainADUser | Domain Users | Password1 | Domain account used as LDAP BindDN service account.
training\Contractor | Contractors | Password1 | Domain account available for Citrix ADC demonstrations.

CREDENTIALS LIST: Citrix ADC Local Accounts

User Name | Delegated Admin Role | Password | Description
nsroot | superuser | nsroot | Built-in Citrix ADC account that will be used for all exercises.
testuser | custom | Password1 | Test account for delegated administration.
padmin1 | Partition Admin | Password1 | Test account for Admin Partitions exercise.
padmin2 | Partition Admin | Password1 | Test account for Admin partitions exercise.

Module 2: Basic Networking


Introduction:

After the initial Citrix ADC configuration, you are tasked with configuring the Citrix ADC with
networking access. The Citrix ADC is configured with a two-interface inline configuration.

The Citrix ADC needs to be configured with a default gateway for the Citrix ADC
Management network (192.168.10.0/24). Through the management network, the Citrix ADC
will also have access to the Backend Network (192.168.30.0/24). Virtual IP addresses will be
hosted in the Frontend network (172.21.10.0/24).
In this environment, interface 1/1 is associated with the Frontend Network and interface
0/1 is associated with the Management and Backend Networks.

Figure 1: Simplified Lab Network Diagram

During the networking configuration of the NYC-ADC-001, you need to address multiple
configuration objectives.

Initial networking already completed in Module 1:

• Configure a SNIP for application traffic (192.168.10.111/24).
• Configure a default route for the Citrix ADC Management Network (gateway
192.168.10.1).

Requirements for this scenario:

• Test connectivity to the Backend Network (192.168.30.0/24).
• Implement a VLAN configuration and prevent access to the NSIP address from the
Frontend Network and the associated interface (1/1).
• Enable MAC-based forwarding to ensure that traffic returns over the same interface
it was received.

About the VLAN Configuration:

This Citrix ADC is being deployed in an inline configuration where interface 1/1 will act as
the frontend interface with access to the 172.21.10.0/24 (Frontend) network and interface
0/1 will act as the backend interface with access to the 192.168.10.0/24 (Management) and
192.168.30.0/24 (Backend) networks.

The NSIP will continue to be associated with the native VLAN (VLAN 1). But the frontend
interface (1/1) will be associated with VLAN 2, which will remove it from the native VLAN.
This will isolate interface 1/1 from accessing the NSIP. With only one interface remaining
associated with VLAN 1, this effectively isolates the NSIP (and other management SNIPs) to
only being accessible from VLAN 1 over interface 0/1.

Additional requirements for this scenario:

• Configure VLAN 2 on the Citrix ADC and restrict it to interface 1/1 only.
• Associate a network with VLAN 2 and interface 1/1 for frontend resources. The
Frontend Network will be hosting virtual IP addresses only, so no additional Subnet
IP addresses will be required. Instead, create an initial virtual IP address
172.21.10.101 with a 255.255.255.0 Netmask and bind it to VLAN 2. This will limit
access to all virtual IP addresses in the 172.21.10.0 /24 network that will be
configured in later exercises to interface 1/1 and VLAN 2 only.

VLAN Configuration Summary:

VLAN | Interface | IP Address and Netmask | Details
1 | 0/1 | <Default> | NSIP and SNIPs in 192.168.10.0 /24 network. Accessible to backend resources
2 | 1/1 | 172.21.10.101 /24 | Frontend VIP Network

After completing this lab module, you will be able to:

• Configure interface, IP address, and route properties on the Citrix ADC.
• Bind IP addresses and interfaces to VLANs to manage traffic flow.

This module contains the following exercise using the Citrix ADC Configuration Utility GUI
and the Citrix ADC CLI:

• Exercise 2-1: Configuring Networking


Before you Begin:

Estimated time to complete this lab: 10 minutes

Virtual Machines required for this module

For Module 2, connect to your assigned Hyper-V Manager console and verify that the
following virtual machines are running. If any of the virtual machines are not running, use
Hyper-V Manager to turn them on. Otherwise, Hyper-V Manager will not be needed for the
rest of the module.

• NYC-ADC-001

Exercise 2-1: Configuring Networking (GUI)


Introduction:

In this exercise, you will learn to configure a virtual IP, VLANs, and MAC-based forwarding.
You will use the Citrix ADC Configuration Utility GUI to perform this exercise.

In this exercise, you will perform the following tasks:

• Test network connectivity.
• Configure VLAN 2 and restrict access to interface 1/1 and the Virtual IP range.
• Enable MAC-based Forwarding mode.

1. Connect to the Citrix ADC NYC-ADC-001 configuration utility at http://192.168.10.101.

Log on to the utility using the following credentials:
• User Name: nsroot
• Password: nsroot

2. Test Connectivity from the Citrix ADC to a backend network address:
• Browse to System > Diagnostics.
• Click Ping (under Utilities).

Use the following parameters:
• Type 192.168.30.51 in Host name field.
• Type 3 in Count field.
• Click Run.

Wait a few seconds for the ping output to display and confirm connectivity with backend addresses
(in the 192.168.30.0/24 network).
• Click Close and Close to close the ping utility.


3. Configure a Virtual IP range using a virtual IP with a subnet mask.

Add a virtual IP:
• Browse to System > Network > IPs.
• Click Add.

Create an IP address (VIP1):
• Type 172.21.10.101 in the IP Address field.
• Type 255.255.255.0 in the Netmask field.
• Select Virtual IP from the IP Type drop-down list box.
• Deselect Enable Management Access control to support the below-listed applications.
• Click Yes to confirm the setting.
• Click Create.

Note: All the virtual IP addresses in this Citrix ADC host will be in the 172.21.10.0 /24 subnet. This
exercise adds the initial VIP 172.21.10.101 and defines the subnet. The subnet is being configured for
association with the VLAN in a later exercise.

4. Verify that the following IP addresses are displayed in the IPV4s IP Address list under
System > Network > IPs:
• 192.168.10.101 (NSIP)
• 192.168.10.111 (SNIP)
• 172.21.10.101 (VIP)

5. Create a VLAN for the Frontend Network where the VIPs reside and associate it with the frontend
interface 1/1.
• Browse to System > Network > VLANs.
• Click Add.

6. Create VLAN 2 and bind it to interface 1/1 and the IP subnet 172.21.10.101 /24:
• Enter 2 in the VLAN ID field.
• Select the 1/1 checkbox on the Interface Bindings tab. The Tagged field checkbox
should remain unselected.
• Click IP Bindings tab.
• Select 172.21.10.101 checkbox to associate the VIP and its subnet with the VLAN.
• Click Create.

Note: Binding interface 1/1 with VLAN 2 removes it from the default VLAN 1 on the Citrix ADC. Binding
the virtual IP 172.21.10.101 /24 with the VLAN also forces all virtual IPs in this network to be
associated with the MAC address of interface 1/1 only.
If the wrong interface or IP address is bound to VLAN 2, students may lose access to the Citrix ADC
management interface. Use Hyper-V Manager to access the console for NYC-ADC-001 and remove
the VLAN and reconfigure the correct VLAN from the CLI.

7. Verify VLAN configuration:
• View VLAN summary at System > Network > VLANs.
• Verify that VLAN 1 is associated with bound interfaces 0/1 and LO/1.
• Verify that VLAN 2 is associated with bound interface 1/1.

RESULT: The NSIP, SNIP, and VLAN 1 are accessible from the backend interface 0/1. All VIPs and VLAN
2 are accessible via the frontend interface 1/1.


8. Enable MAC-based Forwarding (MBF) mode:
• Browse to System > Settings.
• Click Configure Modes.
• Select MAC based forwarding checkbox.
• Leave existing modes selected.
• Click OK.

Note: We are enabling MAC-based Forwarding to simplify our routing table. MBF should only be used
in certain environments and specific network setups. Certain features like PBR will not work with MBF.

9. Test Connectivity from the Citrix ADC to a backend network address:
• Browse to System > Diagnostics.
• Click Ping (under Utilities).

Use the following parameters to verify connectivity:
• Type 192.168.30.51 in Host Name field.
• Type 3 in the Count field.
• Click Run.

Wait a few seconds for the ping output to display and confirm connectivity with backend addresses
(in the 192.168.30.0/24 network).
• Click Close and Close to exit the ping utility.

10. Save the Citrix ADC configuration and confirm.

Key Takeaways:
• A default route is specified to guarantee access to the NSIP and the management
network.
• IP addresses on the Citrix ADC are owned by all interfaces (by default). To restrict
access to specific IP addresses and a specific interface, use a VLAN.
• The NSIP is associated with the NSVLAN. By default, the NSVLAN is the native VLAN on
the appliance, VLAN 1. While the NSVLAN can be changed, it is preferable to keep it
on VLAN 1. Since all interfaces are also associated with VLAN 1, the NSIP is accessible
from all interfaces by default.
• An interface can only participate in a single port-based VLAN at a time. By binding an
interface with a VLAN, you can limit which interfaces do or do not have access to the
native VLAN. As a result, access to the NSIP can be limited to only specific interfaces
as appropriate.

Exercise 2-1: Configuring Networking (CLI)


Introduction:
In this exercise, you will learn to configure a virtual IP, VLANs, and MAC-based forwarding.
You will use the command-line interface to perform this exercise.

In this exercise, you will perform the following tasks:

• Test network connectivity.
• Configure VLAN 2 and restrict access to interface 1/1 and the Virtual IP range.
• Enable MAC-based forwarding mode.

1. Connect to NYC-ADC-001 using the new NSIP (192.168.10.101) using SSH (PuTTY).

Log on to the utility using the following credentials:
• User Name: nsroot
• Password: nsroot

2. Verify connectivity before making changes:

    ping -c 3 192.168.30.51

3. Add a virtual IP address to the Citrix ADC:

    add ns ip 172.21.10.101 255.255.255.0 -type VIP

Note: All of the virtual IP addresses this Citrix ADC will host will be in the 172.21.10.0 /24 subnet. This
exercise adds the initial VIP 172.21.10.101 and defines the subnet. The subnet is being configured for
association with the VLAN in a later exercise.

4. Configure a VLAN:

• Create the VLAN (for frontend network):

    add vlan 2

• Bind the VLAN to the frontend interface:

    bind vlan 2 -ifnum 1/1

• Bind the Subnet IP address to this VLAN (to source traffic from the Citrix ADC to the backend
servers):

    bind vlan 2 -ipAddress 172.21.10.101 255.255.255.0

RESULT: The NSIP, SNIP, and VLAN 1 are accessible from the "backend" interface (0/1). All VIPs
are accessible via the "frontend" interface (1/1).

Note: Binding interface 1/1 with VLAN 2 removes it from the default VLAN 1 on the Citrix ADC.
Binding the virtual IP 172.21.10.101 /24 with the VLAN also forces all Virtual IP addresses in this
network to be associated with the MAC address of interface 1/1 only.
If the wrong interface or IP address is bound to VLAN 2, students may lose access to the Citrix ADC
management interface. In that case, use Hyper-V Manager to access the console for NYC-ADC-001
and remove the VLAN and reconfigure the correct VLAN from the CLI.

5. Verify the VLAN Configuration:

    show vlan

Verify that interfaces 0/1 and the loopback interface (LO/1) are still part of VLAN 1.
Verify that interface 1/1 and the Subnet IP are associated with VLAN 2.


6. Enable MAC-based forwarding:

    enable ns mode mbf

or

    enable ns mode MACbasedforwarding

Note: We are enabling MAC-based Forwarding (MBF) to simplify our routing table. MBF should only
be used in certain environments and specific network setups. Certain features like Policy Based
Routing (PBR) will not work with MBF.

7. Verify connectivity again:

    ping -c 3 192.168.30.51

8. Save the Citrix ADC configuration:

    save ns config

Key Takeaways:
• A default route is specified to guarantee access to the NSIP and the management
network.
• IP addresses on the Citrix ADC are owned by all interfaces (by default). To restrict
access to specific IP addresses and a specific interface, use a VLAN.
• The NSIP is associated with the NSVLAN. By default, the NSVLAN is the native VLAN on
the appliance, VLAN 1. While the NSVLAN can be changed, we recommend keeping it
on VLAN 1. Since all interfaces are also associated with VLAN 1, the NSIP is accessible
from all interfaces by default.
• An interface can only participate in a single port-based VLAN at a time. By binding an
interface with a VLAN, you can limit which interfaces do or do not have access to the
native VLAN. As a result, access to the NSIP can be limited to only specific interfaces
as appropriate.
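
Added example (not part of the Citrix lab manual): a Python check that reads a saved configuration and reports whether the NSIP isolation built in this exercise actually holds, including the two mistakes the notes warn about (a tagged interface binding, or the wrong IP bound to VLAN 2). The sample config is constructed; the `set ns config -IPAddress` and `-mgmtAccess` forms, and the treatment of a tagged binding as leaving the interface in VLAN 1, are assumptions about the saved-config syntax rather than text from the manual.

```python
import ipaddress
import shlex

# Constructed sample: the lab's end state in saved-config form (not from the manual).
LAB_CONF = """\
set ns config -IPAddress 192.168.10.101 -netmask 255.255.255.0
add ns ip 192.168.10.111 255.255.255.0
add ns ip 192.168.10.103 255.255.255.0 -mgmtAccess ENABLED
add ns ip 172.21.10.101 255.255.255.0 -type VIP
add vlan 2
bind vlan 2 -ifnum 1/1
bind vlan 2 -IPAddress 172.21.10.101 255.255.255.0
enable ns mode mbf
"""

def audit_nsip_isolation(conf, frontend_if="1/1"):
    """Return a list of findings; an empty list means the NSIP is isolated."""
    nsip = None
    mgmt_ips = set()   # IPs added with -mgmtAccess ENABLED
    untagged = {}      # interface -> VLAN it is an untagged member of
    vlan_nets = {}     # VLAN id -> IP networks bound to it
    for line in conf.splitlines():
        tok = shlex.split(line)
        low = [t.lower() for t in tok]
        if low[:3] == ["set", "ns", "config"] and "-ipaddress" in low:
            nsip = ipaddress.ip_address(tok[low.index("-ipaddress") + 1])
        elif low[:3] == ["add", "ns", "ip"] and "-mgmtaccess" in low:
            if low[low.index("-mgmtaccess") + 1] == "enabled":
                mgmt_ips.add(ipaddress.ip_address(tok[3]))
        elif low[:2] == ["bind", "vlan"] and len(tok) >= 5:
            vid = int(tok[2])
            # Assumption: a -tagged binding leaves the interface in native VLAN 1,
            # which is why the lab keeps the Tagged checkbox unselected.
            if low[3] == "-ifnum" and "-tagged" not in low:
                untagged[tok[4]] = vid
            elif low[3] == "-ipaddress" and len(tok) >= 6:
                net = ipaddress.ip_network(f"{tok[4]}/{tok[5]}", strict=False)
                vlan_nets.setdefault(vid, []).append(net)
    fe_vlan = untagged.get(frontend_if, 1)
    if fe_vlan == 1:
        return [f"interface {frontend_if} is still an untagged member of VLAN 1"]
    findings = []
    if not vlan_nets.get(fe_vlan):
        findings.append(f"no IP subnet bound to VLAN {fe_vlan}")
    for net in vlan_nets.get(fe_vlan, []):
        if nsip is not None and nsip in net:
            findings.append(f"NSIP {nsip} falls in {net} bound to VLAN {fe_vlan}")
        for ip in sorted(mgmt_ips):
            if ip in net:
                findings.append(f"management-enabled IP {ip} is in {net} on VLAN {fe_vlan}")
    return findings

if __name__ == "__main__":
    for finding in audit_nsip_isolation(LAB_CONF) or ["NSIP isolated from interface 1/1"]:
        print(finding)
```

Run it against the text of a saved configuration after step 8; any finding means the management addresses are still reachable from, or have been moved onto, the frontend interface.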
