VM-Series Firewall with L3 Interfaces Between the NetScaler VPX and the Servers
Deploying the firewall with L3 interfaces between the NetScaler VPX and the servers allows you to scale more easily as you deploy new servers and new subnets. You can deploy multiple instances of the firewall to manage traffic to each new subnet and then configure the firewalls as a high availability pair, if needed. Using an L3 interface allows you to make minimal changes to the SDX server/network configuration because the SNIP used to reach the servers is removed from the NetScaler VPX and is configured on the VM-Series firewall instead. With this approach, only one data interface is used on the VM-Series firewall, hence only one zone can be defined. As a result, when defining the policy rules you must specify the source and destination IP addresses/subnets across which to enforce security rules. For details, see Deploy the VM-Series Firewall Using L3 Interfaces.
In this example, the public IP address that the clients connect to (the VIP on the NetScaler VPX) is 192.168.1.10. To provide access to the servers on subnet 192.168.2.x, the configuration on the VPX references the subnets (SNIP) 192.168.1.1 and 192.168.2.1. Depending on your network configuration and default routes, the routing on the servers might need to be changed.
When you set up the VM-Series firewall, you must add a data interface (for example ethernet1/1) and assign two IP addresses to the interface. One IP address must be on the same subnet as the VIP and the other must be on the same subnet as the servers. In this example, the IP addresses assigned to the data interface are 192.168.1.2 and 192.168.2.1. Because only one data interface is used on the VM-Series firewall, all traffic belongs to a single zone, and all intrazone traffic is implicitly allowed in policy. Therefore, when defining the policy rules you must specify the source and destination IP addresses/subnets across which to enforce security rules.
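The single-zone point above is easy to get wrong in practice: a rule that only names the zone as both source and destination is no tighter than the predefined intrazone-default rule, which allows. The following is an added example (not Palo Alto Networks code) that models how the rulebase is evaluated and lints a policy for exactly that gap. The addresses come from the page (192.168.1.x on the VIP side, 192.168.2.x for the servers); the zone name "data", the rule names, the server 192.168.2.20 and the stray source 172.16.0.9 are constructed. The scoped rule assumes USIP is disabled, so the source seen by the firewall is the SNIP rather than the client's own address.

```python
"""Policy-evaluation model for the single-zone L3 deployment (added
example, not Palo Alto Networks code). Zone name, rule names and
sample hosts are constructed assumptions, not values from the page."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    source: str       # CIDR or "any"
    destination: str  # CIDR or "any"
    action: str       # "allow" or "deny"


def _in(cidr, ip):
    """True when ip falls inside cidr; "any" matches every address."""
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip):
    """First matching explicit rule wins; otherwise the predefined
    intrazone-default (allow) or interzone-default (deny) rule applies,
    mirroring PAN-OS rulebase evaluation order."""
    for r in rules:
        if (r.from_zone in ("any", src_zone) and r.to_zone in ("any", dst_zone)
                and _in(r.source, src_ip) and _in(r.destination, dst_ip)):
            return r.name, r.action
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def lint_single_zone(rules, zone):
    """In a one-zone deployment every flow is intrazone, so zone-only rules
    restrict nothing: report allow rules without IP scoping and the absence
    of a final catch-all deny that would override the implicit allow."""
    findings = []
    for r in rules:
        if r.action == "allow" and r.source == "any" and r.destination == "any":
            findings.append(f"{r.name}: any->any allow adds nothing over the implicit intrazone allow")
    last = rules[-1] if rules else None
    if not (last and last.action == "deny"
            and last.from_zone in ("any", zone) and last.to_zone in ("any", zone)
            and last.source == "any" and last.destination == "any"):
        findings.append("no final any->any deny: unmatched traffic hits intrazone-default (allow)")
    return findings


# Constructed sample policies for the zone "data" (assumed name).
SCOPED = [
    Rule("allow-vpx-to-servers", "data", "data", "192.168.1.0/24", "192.168.2.0/24", "allow"),
    Rule("deny-everything-else", "data", "data", "any", "any", "deny"),
]
ZONE_ONLY = [Rule("allow-data-to-data", "data", "data", "any", "any", "allow")]

if __name__ == "__main__":
    for label, rules in (("zone-only", ZONE_ONLY), ("ip-scoped", SCOPED)):
        verdict = evaluate(rules, "data", "data", "172.16.0.9", "192.168.2.20")
        print(label, verdict, lint_single_zone(rules, "data"))
```

Running it shows the zone-only policy allowing the unexpected 172.16.0.9 source (and two lint findings), while the IP-scoped policy denies it and lints clean; the lint is the check to run before relying on a one-zone design.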
Even after you add the VM-Series firewall on the SDX server, the IP address that the clients continue to connect to is the VIP of the NetScaler VPX (192.168.1.10). However, to route all traffic through the firewall, on the NetScaler VPX you must define a route to the subnet 192.168.2.x. In this example, to reach the servers this route must reference the IP address 192.168.1.2 assigned to the data interface on the VM-Series firewall. Now all traffic destined for the servers is routed from the NetScaler VPX to the firewall and then on to the servers. The return traffic uses the interface 192.168.2.1 on the VM-Series and uses the SNIP 192.168.1.1 as its
For security compliance, if USIP (Use client Source IP) is enabled on the NetScaler VPX, then the VM-Series firewall requires a default route that points to the SNIP (192.168.1.1 in this example). If a default NAT (mapped/SNIP) IP address is used instead, then you do not need to define a default route on the VM-Series firewall.
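The two routing requirements above (the 192.168.2.x route on the VPX pointing at 192.168.1.2, and the default route on the firewall when USIP is enabled) can be checked with a small path model before changing a live SDX. The following is an added example, not Palo Alto Networks or Citrix code. The VIP 192.168.1.10, SNIP 192.168.1.1, firewall addresses 192.168.1.2 and 192.168.2.1 and the 192.168.2.x server subnet are from the page; the server 192.168.2.20, the client 203.0.113.7 and the VPX upstream gateway 192.168.1.254 are constructed assumptions.

```python
"""Route-path model for the L3 deployment (added example, not vendor code).
Server 192.168.2.20, client 203.0.113.7 and upstream gateway 192.168.1.254
are constructed assumptions; the other addresses are the page's example."""
import ipaddress


def build_topology(firewall_default_route):
    """Each device has its own addresses and a routing table of
    (prefix, next_hop); next_hop None means directly connected."""
    vm_series_routes = [("192.168.1.0/24", None), ("192.168.2.0/24", None)]
    if firewall_default_route:
        # the default route the page requires when USIP is enabled
        vm_series_routes.append(("0.0.0.0/0", "192.168.1.1"))
    return {
        "netscaler-vpx": {
            "addresses": {"192.168.1.10", "192.168.1.1"},
            "routes": [("192.168.1.0/24", None),
                       ("192.168.2.0/24", "192.168.1.2"),   # route added on the VPX
                       ("0.0.0.0/0", "192.168.1.254")],     # assumed upstream gateway
        },
        "vm-series": {"addresses": {"192.168.1.2", "192.168.2.1"},
                      "routes": vm_series_routes},
        "server": {"addresses": {"192.168.2.20"},
                   "routes": [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.1")]},
    }


def lookup(routes, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(devices, start, dst):
    """Follow next hops from device `start` toward `dst`. The path ends with
    'delivered', 'no-route' (a hop had no matching route), or
    'outside-model via <gw>' when the next hop is not a modelled device."""
    owner = {ip: name for name, d in devices.items() for ip in d["addresses"]}
    path, current = [start], start
    for _ in range(8):  # hop budget guards against loops in a bad config
        dev = devices[current]
        if dst in dev["addresses"]:
            return path + ["delivered"]
        match = lookup(dev["routes"], dst)
        if match is None:
            return path + ["no-route"]
        next_hop = dst if match[1] is None else match[1]
        if next_hop not in owner:
            return path + [f"outside-model via {next_hop}"]
        current = owner[next_hop]
        path.append(current)
    return path + ["hop-limit"]


if __name__ == "__main__":
    topo = build_topology(firewall_default_route=False)
    print("client->server :", trace(topo, "netscaler-vpx", "192.168.2.20"))
    print("return, USIP off:", trace(topo, "server", "192.168.1.1"))
    print("return, USIP on :", trace(topo, "server", "203.0.113.7"))
    topo = build_topology(firewall_default_route=True)
    print("return, USIP on, with default route:", trace(topo, "server", "203.0.113.7"))
```

With USIP disabled the server replies to the SNIP, which the firewall reaches on its connected 192.168.1.0/24, so no default route is needed; with USIP enabled the reply is addressed to the client and is dropped with "no-route" until the default route to 192.168.1.1 is added.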