Citrix: Separating NetScaler Management and Data Traffic for DISA STIGs
NetScaler natively separates out management vs data communication through two different types of IP address. A NetScaler IP (NSIP) can be considered the management IP of the NetScaler and is used for management access (GUI, SSH, Telnet, etc.). It is also used to source various other management traffic including:
- LDAP, Radius, TACACS, Kerberos authentication
- Perl Monitors
- GSLB synchronization
- High Availability Traffic
- NetScaler MAS communication
A Subnet IP (SNIP) is mainly used to source data traffic from the NetScaler to other devices. When a NetScaler is initially set up, it will generally contain a single NSIP and a single SNIP. On creation of the NSIP, the NetScaler will create a default route (0.0.0.0/0) using the configured NSIP network gateway. When a SNIP is created, a direct route will be created from that SNIP to its Layer-2 network. This means that, by default, to contact an IP that is not on a SNIP network the NetScaler will always send data through the NSIP's router. This is not desirable if you are attempting to separate all management and data packets!
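To make the default behaviour above concrete, here is an added example (not code from the Citrix article) that models the route table a freshly set-up appliance ends up with, does the longest-prefix lookup a router would do, and reports which backend destinations would be forwarded through the NSIP's router; all addresses are constructed.

```python
"""Model of NetScaler default route selection: default route via the NSIP
gateway plus one direct route per SNIP network (added example)."""
from ipaddress import ip_address, ip_interface, ip_network

# Constructed sample addresses for a fresh appliance: one NSIP, one SNIP.
NSIP = "192.168.10.5/24"
NSIP_GATEWAY = "192.168.10.1"
SNIPS = ["10.20.30.5/24"]


def build_route_table(nsip, nsip_gateway, snips):
    """Return (network, next_hop) pairs; next_hop None = directly connected."""
    routes = [
        # Created with the NSIP: default route through the NSIP's gateway.
        (ip_network("0.0.0.0/0"), ip_address(nsip_gateway)),
        # The NSIP's own subnet is directly connected, like any interface.
        (ip_interface(nsip).network, None),
    ]
    for snip in snips:
        # Created with each SNIP: a direct route to its Layer-2 network.
        routes.append((ip_interface(snip).network, None))
    return routes


def lookup(routes, dest):
    """Longest-prefix match; returns the next hop (None if on-link)."""
    d = ip_address(dest)
    matches = [r for r in routes if d in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def data_via_management_gateway(routes, nsip_gateway, backends):
    """Backends whose data traffic would leave through the NSIP's router."""
    gw = ip_address(nsip_gateway)
    return [b for b in backends if lookup(routes, b) == gw]


if __name__ == "__main__":
    table = build_route_table(NSIP, NSIP_GATEWAY, SNIPS)
    # A backend on the SNIP subnet versus one reachable only via the default route.
    backends = ["10.20.30.50", "172.16.0.10"]
    for b in backends:
        print(b, "->", lookup(table, b) or "directly connected")
    print("data using management gateway:",
          data_via_management_gateway(table, NSIP_GATEWAY, backends))
```

Run it to see that only the backend on the SNIP subnet stays off the NSIP's router; any destination outside a SNIP network falls through to the default route.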
Read the entire article here, Separating NetScaler Management and Data Traffic for DISA STIGs
Via the fine folks at Citrix Systems, Inc.