Thursday, April 12, 2012

NetScaler MAC Based Forwarding

In the situation where you have deployed your NetScaler with 2 NICs, one connected to the DMZ network and the other one is connected to your Internal network, depending on your configuration, you might need to enable the MAC Based Forwarding on NetScaler

You probably assign the NSIP on your Internal Network, MIP on your Intenal Network, SNIP and VIPs on your DMZ Network (for example for publishing CAG/SSL VPN). You then trying to access your NetScaler services from your Internal Network. This means your traffic from the Internal network goes to your default gateway (e.g. the firewall) which then forwarded to the VIP on DMZ Network. NetScaler then accept the traffic, however, the returning traffic will not going back to through the firewall (e.g. NetScaler default gateway), it will be going to the other NetScaler's NIC that connects to Internal network. This will create asymmetric routing, and most router/firewall will drop the packets.

To avoid this, usually enabling the MAC Based Forwarding (MBF) will fix this.

The following is the definition of MBF:

With MAC-based forwarding (MBF) enabled, when a request reaches the NetScaler appliance, the appliance remembers the source MAC address of the frame and uses it as the destination MAC address for the resulting replies. MAC-based forwarding can be used to avoid multiple-route/ARP lookups and to avoid asymmetrical packet flows. MAC-based forwarding may be required when the NetScaler is connected to multiple stateful devices, such as VPNs or firewalls, because it ensures that the return traffic is sent to the same device that the initial traffic came from.

To enable it, from the NetScaler Console:

enable ns mode mbf

No comments: