Introduction
This document describes Cisco Nexus 7000 RISE integration with Citrix NetScaler.
The Cisco® Remote Integrated Services Engine (RISE) is an innovative solution that allows any Citrix NetScaler service appliance, whether physical or virtual, to appear as a virtual line card on the Cisco Nexus® 7000 Series Switches. Cisco RISE establishes a communication path between the network data plane and the service appliance. This tight integration simplifies service deployment and optimizes application data paths, resulting in increased operation efficiency in the data center.
The main benefits of Cisco RISE include the following:
● Enhanced appliance availability: Cisco RISE enables efficient management of the service appliance by obtaining real-time route updates from the service appliance, thereby reducing the likelihood of dropped routes for application traffic. By taking advantage of the extended control plane, Cisco RISE can provide faster convergence and recovery from service failures at both the application and device levels. Cisco RISE also enhances the day-0 experience through autodiscovery and bootstrapping, reducing the need for administrator involvement.
● Data-path optimization: Administrators can use a broad range of Cisco RISE capabilities to automate and optimize delivery of network services in a dynamic data center. In Application Delivery Controllers (ADCs), automated policy-based routing (APBR) enables the appliance to obtain the Cisco Nexus switch parameters it needs to automatically implement the routes. These routes are learned dynamically whenever new applications are provisioned. APBR eliminates the need for administrators to manually configure policy-based routes to redirect server response traffic to the ADC while preserving the client’s source IP address.
● Cisco RISE also enables control-plane integration with Cisco Prime™ Network Analysis Module (NAM) 2300 platform appliances, simplifying the operating experience for network administrators. Integrated with Cisco Nexus 7000 Series Switches, Cisco Prime NAM delivers application visibility, performance analytics, and deeper network intelligence. This visibility empowers the administrator to effectively manage delivery of distributed applications. Cisco RISE integration will evolve to extend visibility transparently across multiple virtual device contexts (VDCs) on the switch, further improving operation agility and simplicity.
● Scalability and flexibility: Cisco RISE can be deployed across Cisco Nexus 7000 Series Switches and allows service appliances to run in VDCs, thereby allowing independent service instances to be deployed in a variety of ways such as one-to-many, many-to-one, and a countless variety of many-to-many configurations to support any multitenant scenario.
● Increased business agility: Cisco RISE can adapt to growing data center and customer demands by provisioning resources in real time. Cisco RISE also reduces the time needed to roll out new services, eliminating the need to redesign the network, and responds dynamically to changing customer requirements.
Requirements
- Basic understanding of NXOS and RISE.
- Basic understanding of NetScaler.
Components Used
The information in this document is based on these software and hardware versions:
- Nexus 7010 software NXOS 6.2(16)
- Citrix NetScaler NSMPX-11500. Software version: NS11.1: Build 50.10.nc
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Topology
Overview
The lab contains the following devices:
- Two servers running Windows 2008 R2 with IIS as the web server; each server hosts a test web page.
- Nexus 7000 switch: the RISE service runs on this switch and redirects HTTP traffic to the NetScaler.
- Citrix NetScaler: performs the traffic load balancing.
- Management test PC.
In this lab, NetScaler has USIP (Use Source IP) enabled, which provides the following benefits:
– Web server logs record the true client IP address, which improves traceability.
– The web server can use the real client IP address to control who can access what.
– The web application can use the client IP for its own logging purposes.
– The web application can use the client IP for authentication.
Without USIP, every HTTP request would appear to the servers to come from the NetScaler.
With USIP enabled, the traffic flow is as follows:
- On the PC, open a web browser and go to http://40.40.41.101/test.html.
- The HTTP request reaches the Nexus 7000 (N7K), which redirects the traffic to the NetScaler.
- The NetScaler forwards the request to one of the servers, keeping the PC's address as the source IP.
- The server's HTTP response reaches the N7K with the server's real address as the source IP (for example 30.30.32.35 or 30.30.31.33) and the PC's address as the destination. Because RISE is configured on the N7K, it does NOT forward the response directly to the PC. Instead, the policy-based-routing (APBR) lookup on the server VLAN SVI sends the response to the NetScaler again, so the return path through the NetScaler is not broken.
- The NetScaler rewrites the source IP address of the HTTP response to the VIP 40.40.41.101 and sends the response back to the PC.
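To make the return-path decision concrete, here is an added Python example (not Cisco or Citrix code) that parses the RISE-generated dynamic ACLs in the form the N7K prints them and applies the server SVI's route-map to a server-originated packet. The ACL sample and the SVI-to-route-map mapping are constructed from this document's configuration; the point it shows is that only packets sourced from a real server IP and service port are steered back to the NetScaler, while everything else leaving the server VLANs follows the normal routing table.

```python
import ipaddress
import re

# Constructed sample: the two RISE-generated dynamic ACLs from this document's
# "show access-lists dynamic" output, with the leading whitespace NX-OS prints.
SAMPLE_ACLS = """\
IP access list _rise-system-acl-20.20.21.5-Vlan125
        10 permit tcp 30.30.31.33/32 eq 443 any
        20 permit tcp 30.30.31.33/32 eq www any
IP access list _rise-system-acl-20.20.21.5-Vlan132
        10 permit tcp 30.30.32.35/32 eq 443 any
        20 permit tcp 30.30.32.35/32 eq www any
"""

# The route-maps from the document as (matched ACL, next hop) per server SVI,
# mirroring "ip policy route-map _rise-system-rmap-VlanNNN" on each SVI.
SVI_ROUTE_MAP = {
    "Vlan125": ("_rise-system-acl-20.20.21.5-Vlan125", "20.20.21.5"),
    "Vlan132": ("_rise-system-acl-20.20.21.5-Vlan132", "20.20.21.5"),
}

PORT_NAMES = {"www": 80}  # NX-OS prints well-known ports by name
ACE = re.compile(r"^\s*\d+\s+permit\s+(\w+)\s+(\S+)\s+eq\s+(\S+)\s+any\s*$")

def parse_dynamic_acls(text):
    """Return {acl_name: [(proto, src_network, src_port), ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        if line.startswith("IP access list "):
            current = line.split()[-1]
            acls[current] = []
            continue
        m = ACE.match(line)
        if m and current is not None:
            proto, src, port = m.groups()
            port = PORT_NAMES.get(port) or int(port)
            acls[current].append((proto, ipaddress.ip_network(src), port))
    return acls

def apbr_next_hop(acls, ingress_svi, proto, src_ip, src_port):
    """Next hop set by the SVI's route-map for a server-originated packet, or
    None when no ACE matches and the packet follows the normal routing table."""
    if ingress_svi not in SVI_ROUTE_MAP:
        return None
    acl_name, nhop = SVI_ROUTE_MAP[ingress_svi]
    for p, net, port in acls.get(acl_name, []):
        if p == proto and ipaddress.ip_address(src_ip) in net and port == src_port:
            return nhop
    return None
```

Run the same check against a fresh capture of `show access-lists dynamic` after adding a service on the NetScaler to confirm the new server/port pair was pushed to the switch.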
Configure
Nexus 7010 configuration
feature ospf
feature pbr
feature interface-vlan
feature hsrp
feature rise

vlan 1,99,125,130,132,201

route-map _rise-system-rmap-Vlan125 permit 1              ! ----> Generated by RISE. Manual configuration is NOT required.
  match ip address _rise-system-acl-20.20.21.5-Vlan125    ! ----> Generated by RISE. Manual configuration is NOT required.
  set ip next-hop 20.20.21.5                               ! ----> Generated by RISE. Manual configuration is NOT required.
route-map _rise-system-rmap-Vlan132 permit 1              ! ----> Generated by RISE. Manual configuration is NOT required.
  match ip address _rise-system-acl-20.20.21.5-Vlan132    ! ----> Generated by RISE. Manual configuration is NOT required.
  set ip next-hop 20.20.21.5                               ! ----> Generated by RISE. Manual configuration is NOT required.

interface Vlan99
  description RISE control VLAN SVI
  no shutdown
  mtu 9216
  no ip redirects
  ip address 20.20.99.2/24
  no ipv6 redirects
  ip ospf passive-interface
  hsrp version 2
  hsrp 99
    preempt
    priority 110
    ip 20.20.99.1

interface Vlan125
  description RISE server 1 VLAN SVI
  no shutdown
  ip address 30.30.31.1/24
  ip policy route-map _rise-system-rmap-Vlan125           ! ----> Generated by RISE. Manual configuration is NOT required.

interface Vlan130
  description RISE testing PC VLAN SVI
  no shutdown
  ip address 100.100.100.1/24

interface Vlan132
  description RISE server 2 VLAN SVI
  no shutdown
  ip address 30.30.32.1/24
  ip policy route-map _rise-system-rmap-Vlan132           ! ----> Generated by RISE. Manual configuration is NOT required.

interface Vlan201
  description RISE Data VLAN SVI
  no shutdown
  mtu 9216
  no ip redirects
  ip address 20.20.21.2/24
  no ipv6 redirects
  ip ospf passive-interface
  hsrp version 2
  hsrp 201
    preempt
    priority 110
    ip 20.20.21.1

interface Ethernet9/1
  description connect to Testing PC
  switchport
  switchport access vlan 130
  no shutdown

interface Ethernet9/2
  description connect to Server 1
  switchport
  switchport access vlan 125
  no shutdown

interface Ethernet9/3
  description connect to Server 2
  switchport
  switchport access vlan 132
  no shutdown

interface Ethernet10/1
  description connect to NetScaler
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 99,201
  spanning-tree port type edge
  no shutdown

service vlan-group 21 201
service type rise name ns21 mode indirect
  vlan 99
  vlan group 21
  ip 20.20.99.5 255.255.255.0
  no shutdown
NetScaler configuration
# Configure the NSIP; this is also the IP address the N7K uses for RISE
set ns config -IPAddress 20.20.99.5 -netmask 255.255.255.0
# Configure NSVLAN 99 and bind it to LACP channel LA/1
set ns config -nsvlan 99 -ifnum LA/1
# Enable the RISE feature, plus the USIP, RISE_APBR and RISE_RHI modes used in this lab
enable ns feature WL SP LB CS CMP PQ SSL HDOSP REWRITE RISE
enable ns mode FR L3 USIP CKA TCPB Edge USNIP PMTUD RISE_APBR RISE_RHI
# Configure interfaces
set interface 10/1 -mtu 9000 -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0 -intftype "Intel 10G" -ifnum LA/1
add channel LA/1 -tagall ON -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0
set channel LA/1 -mtu 9000 -tagall ON -throughput 0 -lrMinThroughput 0 -bandwidthHigh 0 -bandwidthNormal 0
bind channel LA/1 10/1
# Add the RISE control and data VLANs
add vlan 99
add vlan 201
# Configure the RISE data VLAN IP address and bind the interface to the data VLAN
add ns ip 10.66.91.170 255.255.254.0 -vServer DISABLED -mgmtAccess ENABLED   # Management only
add ns ip 20.20.21.5 255.255.255.0 -vServer DISABLED
bind vlan 201 -ifnum LA/1 -tagged   # Must be tagged because N7K E10/1 is configured as a trunk port
bind vlan 201 -IPAddress 20.20.21.5 255.255.255.0
# Configure the virtual servers. The VIP is injected into the N7K routing table through RISE RHI (-vserverRHIMode RISE)
add ns ip 40.40.41.101 255.255.255.0 -type VIP -snmp DISABLED -hostRoute ENABLED -hostRtGw 20.20.21.5 -metric 100 -vserverRHILevel NONE -vserverRHIMode RISE
add server SERV-2 30.30.32.35
add server SERV-1 30.30.31.33
# -usip YES preserves the client source IP toward the servers
add service SVC-1-tcpHTTP SERV-1 TCP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip YES -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA YES -TCPB NO -CMP NO
add service SVC-2-tcpHTTP SERV-2 TCP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip YES -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA YES -TCPB NO -CMP NO
add lb vserver VSRV-40-tcpHTTP TCP 40.40.41.101 80 -persistenceType NONE -connfailover STATEFUL -cltTimeout 180
add lb vserver VSRV-40-tcpHTTPS TCP 40.40.41.101 443 -persistenceType NONE -connfailover STATEFUL -cltTimeout 180
bind lb vserver VSRV-40-tcpHTTP SVC-1-tcpHTTP
bind lb vserver VSRV-40-tcpHTTP SVC-2-tcpHTTP
# Configure routes
add route 0.0.0.0 0.0.0.0 20.20.21.1
add route 10.0.0.0 255.0.0.0 10.66.91.1   # Management only
add route 30.30.31.0 255.255.255.0 20.20.21.1
add route 30.30.32.0 255.255.255.0 20.20.21.1
# Configure RISE to run in indirect mode
set rise param -indirectMode ENABLED
# Save the configuration and reboot
save ns config
reboot
Are you sure you want to restart NetScaler (Y/N)? [N]:y
Server
This example uses Microsoft Windows 2008 R2 IIS as the web server. Follow the Windows documentation to configure IIS.
Once IIS is installed, you can access the web server through the VIP directly without creating an extra web page. To demonstrate failover, this document creates one test page, "test.html", on each server under the IIS home directory (by default c:\inetpub\wwwroot). The content of the test pages is as follows:
Server 1 test page content: "This is server 1"
Server 2 test page content: "This is server 2"
Verify
Use this section in order to confirm that your configuration works properly.
Verify on PC
1. Open a web browser and go to http://40.40.41.101/test.html. It should display one of the test pages.
2. Shut down Server 1 and repeat step 1. It should display "This is server 2".
3. Bring Server 1 back online and shut down Server 2. Repeat step 1 again. It should display "This is server 1".
Verify on N7K
STLD1-630-01.05-N7K-RU21# show ip route static
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
40.40.41.101/32, ubest/mbest: 1/0                        ----> RHI injected route
    *via 20.20.21.5, Vlan201, [100/0], 03:18:00, static
STLD1-630-01.05-N7K-RU21# show route-map
route-map _rise-system-rmap-Vlan125, permit, sequence 1  ----> Generated by NetScaler.
  Match clauses:
    ip address (access-lists): _rise-system-acl-20.20.21.5-Vlan125
  Set clauses:
    ip next-hop 20.20.21.5
route-map _rise-system-rmap-Vlan132, permit, sequence 1  ----> Generated by NetScaler.
  Match clauses:
    ip address (access-lists): _rise-system-acl-20.20.21.5-Vlan132
  Set clauses:
    ip next-hop 20.20.21.5
STLD1-630-01.05-N7K-RU21# sho access-lists dynamic      ----> Dynamic ACLs downloaded from (pushed by) the NetScaler
IP access list __urpf_v4_acl__
        10 permit ip any any
IPv6 access list __urpf_v6_acl__
        10 permit ipv6 any any
IP access list _rise-system-acl-20.20.21.5-Vlan125
        10 permit tcp 30.30.31.33/32 eq 443 any
        20 permit tcp 30.30.31.33/32 eq www any
IP access list _rise-system-acl-20.20.21.5-Vlan132
        10 permit tcp 30.30.32.35/32 eq 443 any
        20 permit tcp 30.30.32.35/32 eq www any
IP access list sl_def_acl
        statistics per-entry
        10 deny tcp any any eq telnet syn
        20 deny tcp any any eq www syn
        30 deny tcp any any eq 22 syn
        40 permit ip any any
STLD1-630-01.05-N7K-RU21# show run int vl 132

!Command: show running-config interface Vlan132
!Time: Mon Mar 27 03:44:13 2017

version 6.2(16)

interface Vlan132
  no shutdown
  ip address 30.30.32.1/24
  ip policy route-map _rise-system-rmap-Vlan132          ----> APBR; this command was generated by RISE

STLD1-630-01.05-N7K-RU21# show run int vl 125

!Command: show running-config interface Vlan125
!Time: Mon Mar 27 03:44:16 2017

version 6.2(16)

interface Vlan125
  no shutdown
  ip address 30.30.31.1/24
  ip policy route-map _rise-system-rmap-Vlan125          ----> APBR; this command was generated by RISE

STLD1-630-01.05-N7K-RU21#
STLD1-630-01.05-N7K-RU21# show rise
Name            Slot Vdc Rise-Ip         State        Interface
                Id   Id
--------------- ---- --- --------------- ------------ ----------------
ns21            300  1   20.20.99.5      active       N/A

RHI Configuration
ip              prefix len nhop ip         weight vlan vrf        slot-id
--------------- ---------- --------------- ------ ---- ---------- -------
40.40.41.101    32         20.20.21.5      100    201  default    300      ----> RHI

APBR Configuration                                                          ----> APBR
rs ip           rs port protocol nhop ip         rs nhop  apbr state slot-id
--------------- ------- -------- --------------- -------- ---------- -------
30.30.31.33     80      TCP      20.20.21.5      Vlan125  ADD DONE   300
30.30.31.33     443     TCP      20.20.21.5      Vlan125  ADD DONE   300
30.30.32.35     80      TCP      20.20.21.5      Vlan132  ADD DONE   300
30.30.32.35     443     TCP      20.20.21.5      Vlan132  ADD DONE   300