Netscaler and routing

Something I’ve been planning to write for a while, but with all the stuff happening lately, it's hard to keep track. This is a question that comes up now and then: how does Netscaler handle route entries?

Now a Netscaler often sits between many different networks, with a leg in the DMZ, one in the internal zone and others in other zones. Some deployments might be two-armed with more networks attached to the Netscaler, and some require it to use only one VLAN because of security requirements.


Now what decides which network the Netscaler uses to communicate with the backend servers? Since Netscaler is a L3 device it uses IP and routing tables to determine where to go.

When you are deploying a Netscaler, one of the requirements is to set up a default gateway and a subnet IP. When you add a default gateway, a route entry will be added for it automatically. This route entry looks like this


Which essentially says, all traffic which I have no information about will be sent to my default gateway which is
So if my Netscaler sits on the IP with a prefix of /24 and the Netscaler needs to get in touch with, then the Netscaler will go through the default gateway.

Also, when you add a subnet IP, another route entry is added automatically, where the subnet IP itself is listed as the gateway IP for reaching another subnet. This Netscaler has two SNIPs, one in the network and another in the network


So all traffic destined to the network is tunneled through the network. Another thing to note is that these route entries have a prefix of /24. Meaning that the Netscaler can contact if it needs to get in touch with an IP within that range.

This means that the Netscaler might have multiple paths to other subnets, since my default gateway might also have access to the 31 and the 88 network. Other layer 3 devices, like Cisco, look at the prefix and then decide which is closest to the target. Netscaler operates only on the cost to get to the remote location. (Thanks to Andrew for that)


Now the default gateway route has a cost of 0


But the SNIPs have a non-existing cost value


Meaning that they are preferred paths. If I were to have multiple SNIPs which have access to a back-end service, I might also get a conflict. This can be resolved using net profiles, which allow you to define which source IP address should be used to connect to the back-end services.

Create: Net-Profile


Attach Net-Profile to a service


But what if you are required to use a one-armed deployment and need access to several backend networks for the service/probes to work properly?

Then you need to add a new static route which might look like this. This static route entry says the following. “If you need to access the network you need to contact


This new route will be listed as a static route and will have the same cost as the default gateway, but since this gateway sits closer to the targets in the 89 network it will be preferred over the default gateway.
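
The net profile and static route steps above, written out as Netscaler CLI commands. This is an added example, not configuration from the original post: every address is a constructed placeholder from the documentation ranges, and the names `np_backend` and `svc_web` are hypothetical.

```netscaler
# Constructed lab addressing (RFC 5737 documentation ranges), NOT the networks from the post:
#   192.0.2.0/24     network of the first SNIP   (SNIP 192.0.2.10)
#   198.51.100.0/24  network of the second SNIP  (SNIP 198.51.100.10)
#   203.0.113.0/24   backend network reachable only through the router 192.0.2.254
# np_backend and svc_web are hypothetical object names; svc_web is assumed to exist already.

# Two SNIPs. Each one adds a route entry for its own subnet automatically.
add ns ip 192.0.2.10 255.255.255.0 -type SNIP
add ns ip 198.51.100.10 255.255.255.0 -type SNIP

# Create the net profile: pins the source IP used towards the back-end service,
# so the choice no longer depends on which SNIP the appliance would pick.
add netProfile np_backend -srcIP 192.0.2.10

# Attach the net profile to the service.
set service svc_web -netProfile np_backend

# One-armed case: static route to a backend network that is not directly attached.
# Syntax is: add route <network> <netmask> <gateway>
add route 203.0.113.0 255.255.255.0 192.0.2.254

# Check the result: route table (type, gateway and cost per entry),
# the profile, and the service binding.
show route
show netProfile np_backend
show service svc_web

# Persist the running configuration.
save ns config
```

With the net profile attached, back-end firewall rules for this service only need to allow the one pinned SNIP as a source instead of every SNIP on the appliance.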

So hopefully this clears up some confusion for people out there!

About the Author: Marius Sandbu
