Citrix ADC | Source IP Selection for LLB with and without RNAT

This article explains how the source IP for egress traffic is selected with Link Load Balancing (LLB) in different scenarios, with and without RNAT.

To understand the scenarios below, familiarity with LLB and RNAT is recommended. Refer to the links in the “Additional Resources” section to familiarize yourself with these features.


Reference Network topology:


Scenario-1

SNIP-1: [1.1.1.1], SNIP-2 [2.2.2.2], RNAT – [NOT CONFIGURED]

Traffic Flow:

  • Client traffic reaches ADC
  • ADC picks a Service based on Load Balancing Method e.g. Service-1
  • Source IP: SNIP-1 is used because it is in the same subnet as Service-1; SNIP-2 would be used if Service-2 were selected

Result – Traffic exits via ISP-1 with an IP of 1.1.1.2 and is expected to return on the same path


Scenario-2

SNIP-1: [1.1.1.1], SNIP-2 [NOT CONFIGURED], RNAT – [NOT CONFIGURED]

Traffic Flow:

  • Client traffic reaches ADC
  • ADC picks a Service based on the Load Balancing Method; if Service-1 is selected, the flow is the same as above.
  • If Service-2 is selected, which does not have a SNIP in the same subnet:
  • Source IP: SNIP-1 is used as it is the only SNIP available.

Result – Traffic exits via ISP-2 with an IP of 1.1.1.2 (ISP-1 IP pool). This will either cause asymmetric traffic, i.e. outbound via ISP-2 and inbound via ISP-1, or the traffic could be dropped by ISP-2 because of VLAN / source IP mismatch.

Scenario-3

SNIP-1: [1.1.1.1], SNIP-2 [2.2.2.2],

RNAT – [10.10.10.100 ==> 1.1.1.3]

RNAT – [10.10.10.100 ==> 2.2.2.3]

Traffic Flow:

  • Client traffic reaches ADC
  • ADC picks a Service based on Load Balancing Method e.g. Service-1
  • Source IP: If the client IP is 10.10.10.100, a source IP of 1.1.1.3 is used (2.2.2.3 would have been used if Service-2 had been selected). RNAT takes preference over SNIP.

Result: Traffic exits via ISP-1 with an IP of 1.1.1.3 and is expected to return on the same path.

Scenario-4

SNIP-1: [1.1.1.1], SNIP-2 [2.2.2.2],

RNAT – [10.10.10.100 ==> 2.2.2.3]

Traffic Flow:

  • Client traffic reaches ADC
  • ADC picks a Service based on Load Balancing Method e.g. Service-1
  • Source IP: If the client IP is 10.10.10.100, a source IP of 2.2.2.3 is used (RNAT takes preference over SNIP)

Result: Traffic exits via ISP-1 with an IP of 2.2.2.3 (ISP-2 IP pool); this can cause the same effects as Scenario-2.


Summary: To avoid potential issues such as asymmetric routing and traffic being dropped by the ISP due to source IP / VLAN mismatches, follow the two points below.

If not using RNAT – Ensure that a SNIP exists in each Service (ISP) subnet (refer to Scenario-1). This ensures the right source IP is used based on the egress ISP.

If using RNAT – Ensure one RNAT statement exists for each Service bound to the LLB (refer to Scenario-3).

A common misconception is that if you want a client to always exit via ISP-X, you should RNAT the client to an IP from the ISP-X subnet (something like Scenario-4). This is NOT CORRECT. The LB decision is not influenced by the RNAT configuration. The RNAT will take effect, but the LB decision can pick another link, ISP-Y, causing the outcomes described in Scenario-2 / Scenario-4, which may not be ideal.
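The selection rules spelled out across the four scenarios and the summary can be checked mechanically before a change is pushed to an ADC. The following is an added example, not code from the article or from Citrix: a small Python model of the precedence described above (a matching RNAT wins over any SNIP; a candidate in the selected service's subnet is preferred; otherwise whatever is configured is used) that evaluates every service the LB method could pick and flags any case where the chosen source IP falls outside the egress ISP's pool. The topology, the /24 prefix lengths and the function names are assumptions; the addresses are the ones used in the scenarios.

```python
from ipaddress import ip_address, ip_network

# Constructed topology mirroring the article's reference diagram. Assumption:
# each ISP link is a /24; the article does not state prefix lengths.
SERVICES = {
    "Service-1": {"isp": "ISP-1", "subnet": ip_network("1.1.1.0/24")},
    "Service-2": {"isp": "ISP-2", "subnet": ip_network("2.2.2.0/24")},
}


def select_source_ip(client_ip, service, snips, rnat_rules):
    """Apply the precedence the article describes for one LB decision.

    rnat_rules is a list of (client_ip, nat_ip) pairs. Returns (source_ip, reason);
    source_ip is None when nothing usable is configured.
    """
    client = ip_address(client_ip)
    subnet = SERVICES[service]["subnet"]

    # 1. RNAT takes preference over SNIP. Prefer an RNAT IP in the selected
    #    service's subnet (Scenario-3); otherwise the RNAT IP is used anyway,
    #    even if it belongs to the other ISP's pool (Scenario-4).
    nat_ips = [ip_address(nat) for src, nat in rnat_rules if ip_address(src) == client]
    for ip in nat_ips:
        if ip in subnet:
            return ip, "RNAT in service subnet"
    if nat_ips:
        return nat_ips[0], "RNAT outside service subnet"

    # 2. No RNAT: use the SNIP in the same subnet as the service (Scenario-1).
    snip_ips = [ip_address(s) for s in snips]
    for ip in snip_ips:
        if ip in subnet:
            return ip, "SNIP in service subnet"

    # 3. Otherwise the only SNIP available is used (Scenario-2).
    if snip_ips:
        return snip_ips[0], "only SNIP available"
    return None, "no source IP configured"


def audit_egress(client_ip, snips, rnat_rules):
    """Evaluate every service the LB method could pick and flag mismatches.

    The LB decision is not influenced by RNAT, so a configuration is only safe
    if the chosen source IP lands in the egress ISP's pool for every service.
    """
    report = {}
    for service, info in SERVICES.items():
        ip, reason = select_source_ip(client_ip, service, snips, rnat_rules)
        symmetric = ip is not None and ip in info["subnet"]
        report[service] = {
            "isp": info["isp"],
            "source_ip": None if ip is None else str(ip),
            "reason": reason,
            "symmetric": symmetric,
        }
    return report


def is_safe(report):
    """True only if no service would egress with a source IP from the wrong pool."""
    return all(r["symmetric"] for r in report.values())


if __name__ == "__main__":
    # Constructed inputs: the SNIP / RNAT configuration of each scenario.
    scenarios = {
        "Scenario-1": (["1.1.1.1", "2.2.2.2"], []),
        "Scenario-2": (["1.1.1.1"], []),
        "Scenario-3": (["1.1.1.1", "2.2.2.2"],
                       [("10.10.10.100", "1.1.1.3"), ("10.10.10.100", "2.2.2.3")]),
        "Scenario-4": (["1.1.1.1", "2.2.2.2"], [("10.10.10.100", "2.2.2.3")]),
    }
    for name, (snips, rnat) in scenarios.items():
        report = audit_egress("10.10.10.100", snips, rnat)
        print(name, "OK" if is_safe(report) else "RISK", report)
```

Run as written, Scenario-1 and Scenario-3 report OK while Scenario-2 and Scenario-4 are flagged as RISK, because in each of the latter at least one possible LB choice egresses with a source IP from the other ISP's pool. Auditing every service rather than the one you expect to be chosen is the point: it encodes the summary's rule that RNAT does not steer the LB decision.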
