11.2.8. Configuration management
11.2.8.1. Saving the configuration of NetScaler VPX (hereafter, Load Balancer)
Log in to the Management Portal of the Load Balancer.
From the [ Configuration ] tab, select [ System ] → [ Diagnostics ].
Select [ View Configuration ] → [ Running configuration ].
Select [ Save text to a file ].
To save nsrunning.conf, select [ Save ].
Specify the file name and select [ Save ].
Open the saved file and check that the configuration is saved.
Note
From version 11.0-67.12, SSH login to NetScaler is possible, so you can also take the following steps: log in by SSH, execute [ show ns runningConfig ], and copy the result.
For the SSH login method, refer to Login to NetScaler VPX <https://ecl.ntt.com/en/documents/tutorials/rsts/LoadBalancer/netscaler-vpx/login.html>.
When you open the file with the Notepad application in Windows, the text may appear collapsed because of the difference in line feed code. Even in this case, the configuration is saved.
11.2.8.2. Advance preparations to restore the Load Balancer configuration
Configuration modification
- Deletion of command lines for functions prohibited by the Service Provider.
For the prohibited functions, refer to the “Restrictions” section of the Load Balancer Service Descriptions.
Examples of the major deletion targets are given in and after the next section. If you execute a command related to these functions while restoring, you will receive the error response [ ERROR: Not authorized to execute this command ]. This response means that the provider prohibits changes to that function.
Note
- Reference: Other notes when restoring
The following types of errors are observed relatively often.
[ ERROR: Feature(s) not licensed ] — Function(s) included in NetScaler by default but not usable under the Standard Edition license in use.
[ Warning: Feature(s) not enabled ] — Function(s) included in NetScaler by default but not enabled by the customer.
[ ERROR: Resource already exists ] [ ERROR: Operation not permitted ] [ Warning: Current certificate replaces the previous binding ] — Function(s) included in NetScaler by default that do not need to be re-entered.
Deletion target sample in 1
Configuration example | Reason for deletion | Reason for prohibition | Response at the time of execution
set ns config -IPAddress 100.xx.xx.xx -netmask 255.255.240.0 | Already set by the provider | CRUD not allowed for the Management IP | ERROR: Not authorized to execute this command
add route 0.0.0.0 0.0.0.0 100.xx.xx.xx | Already set by the provider | CRUD not allowed for the DefaultGateway of the Provider IP | ERROR: Not authorized to execute this command
add ns acl IN_PROVIDER_MGMT_11 ALLOW -srcIP = 100.xx.xx.xx-100.xx.xx.xx -destIP = 100.xx.xx.xx-100.xx.xx.xx -destPort = xxxx -protocol TCP -interface 0/1 -priority 11 -kernelstate SFAPPLIED61 ~ add ns acl IN_PROVIDER_MGMT_99 DENY -interface 0/1 -priority 99 -kernelstate SFAPPLIED61 | Already set by the provider | CRUD not allowed for the ACL of the Provider Management NW | ERROR: Not authorized to execute this command
add ns pbr OUT_PROVIDER_MGMT_11 ALLOW -srcIP = 100.xx.xx.xx-100.xx.xx.xx -destIP = 100.xx.xx.xx-100.xx.xx.xx -destPort = xxxx -nextHop 100.xx.xx.xx -protocol TCP -interface 0/1 -priority 11 -kernelstate SFAPPLIED61 ~ add ns pbr OUT_PROVIDER_MGMT_99 DENY -interface 0/1 -priority 99 -kernelstate SFAPPLIED61 | Already set by the provider | CRUD not allowed for the PBR of the Provider Management NW | ERROR: Not authorized to execute this command
bind ssl service nshttps-100.x.x.x-443 -certkeyName ns-server-certificate | Already set by the provider | CRUD not allowed for the Provider IP | ERROR: Not authorized to execute this command
bind ssl service nsrpcs-100.x.x.x-3008 -certkeyName ns-server-certificate | Already set by the provider | CRUD not allowed for the Provider IP | ERROR: Not authorized to execute this command
bind ssl service nshttps-100.x.x.x-443 -eccCurveName P_256 | Already set by the provider | CRUD not allowed for the Provider IP | ERROR: Not authorized to execute this command
bind ssl service nshttps-100.x.x.x-443 -eccCurveName P_384 | Already set by the provider | CRUD not allowed for the Provider IP | ERROR: Not authorized to execute this command
bind ssl service nshttps-100.x.x.x-443 -eccCurveName P_224 | Already set by the provider | CRUD not allowed for the Provider IP | ERROR: Not authorized to execute this command
bind ssl service nshttps-100.x.x.x-443 -eccCurveName P_521 | Already set by the provider | CRUD not allowed for the Provider IP | ERROR: Not authorized to execute this command
bind ssl service nsrpcs-100.x.x.x-3008 -eccCurveName P_256 | Already set by the provider | CRUD not allowed for the Provider IP | ERROR: Not authorized to execute this command
bind ssl service nsrpcs-100.x.x.x-3008 -eccCurveName P_384 | Already set by the provider | CRUD not allowed for the Provider IP | ERROR: Not authorized to execute this command
bind ssl service nsrpcs-100.x.x.x-3008 -eccCurveName P_224 | Already set by the provider | CRUD not allowed for the Provider IP | ERROR: Not authorized to execute this command
bind ssl service nsrpcs-100.x.x.x-3008 -eccCurveName P_521 | Already set by the provider | CRUD not allowed for the Provider IP | ERROR: Not authorized to execute this command
add system group user-admin-group -timeout 1800 | Already set by the provider | CRUD not allowed for group | ERROR: Not authorized to execute this command
add system group user-read-group -timeout 1800 | Already set by the provider | CRUD not allowed for group | ERROR: Not authorized to execute this command
bind system group provider-group -userName provider-ctrl | Already set by the provider | CRUD not allowed for Group | ERROR: Not authorized to execute this command
bind system group provider-group -userName provider-dev | Already set by the provider | CRUD not allowed for Group | ERROR: Not authorized to execute this command
bind system group provider-group -policyName superuser 1 | Already set by the provider | CRUD not allowed for Group | ERROR: Not authorized to execute this command
bind system group provider-ope-group -userName provider-ope | Already set by the provider | CRUD not allowed for Group | ERROR: Not authorized to execute this command
bind system group provider-ope-group -policyName ProviderOpe-only 10 | Already set by the provider | CRUD not allowed for Group | ERROR: Not authorized to execute this command
bind system group user-admin-group -userName user-admin | Already set by the provider | CRUD not allowed for Group (duplicated) | ERROR: User already bound to system group
bind system group user-admin-group -policyName ProviderAccount-deny 10 ~ bind system group user-admin-group -policyName ProviderALL-allow 199 | Already set by the provider | CRUD not allowed for Group | ERROR: Not authorized to execute this command
bind system group user-read-group -userName user-read | Already set by the provider | CRUD not allowed for Group (duplicated) | ERROR: User already bound to system group
bind system group user-read-group -policyName ProviderTD-deny 10 ~ bind system group user-read-group -policyName ProviderRead-only 99 | Already set by the provider | CRUD not allowed for Group | ERROR: Not authorized to execute this command
set interface 1/1 -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0 -intftype "KVM Virtio" -ifnum 1/1 | Already set by the provider | CRUD not allowed for interface | ERROR: Not authorized to execute this command
set interface 1/2 -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0 -intftype "KVM Virtio" -ifnum 1/2 | Already set by the provider | CRUD not allowed for interface | ERROR: Not authorized to execute this command
set interface 1/3 -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0 -intftype "KVM Virtio" -ifnum 1/3 | Already set by the provider | CRUD not allowed for interface | ERROR: Not authorized to execute this command
set interface 1/4 -haMonitor OFF -state DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0 -intftype "KVM Virtio" -ifnum 1/4 | Already set by the provider | CRUD not allowed for interface | ERROR: Not authorized to execute this command
set interface LO/1 -haMonitor OFF -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0 -intftype Loopback -ifnum LO/1 | Already set by the provider | CRUD not allowed for interface | ERROR: Not authorized to execute this command
add ns trafficDomain 10 -aliasName user-data-plane | Already set by the provider | CRUD not allowed for TD | ERROR: Not authorized to execute this command
bind ns trafficDomain 10 -vlan 20 | Already set by the provider | CRUD not allowed for TD/VLAN | ERROR: Not authorized to execute this command
bind ns trafficDomain 10 -vlan 10 | Already set by the provider | CRUD not allowed for TD/VLAN | ERROR: Not authorized to execute this command
bind ns trafficDomain 10 -vlan 30 | Already set by the provider | CRUD not allowed for TD/VLAN | ERROR: Not authorized to execute this command
add vlan 10 | Already set by the provider | CRUD not allowed for VLAN | ERROR: Not authorized to execute this command
add vlan 20 | Already set by the provider | CRUD not allowed for VLAN | ERROR: Not authorized to execute this command
add vlan 30 | Already set by the provider | CRUD not allowed for VLAN | ERROR: Not authorized to execute this command
bind vlan 10 -ifnum 1/1 | Already set by the provider | CRUD not allowed for VLAN | ERROR: Not authorized to execute this command
bind vlan 10 -IPAddress 172.x.x.x 255.255.255.0 -td 10 | Already set by the provider | CRUD not allowed for VLAN | ERROR: Operation not permitted
bind vlan 20 -ifnum 1/2 | Already set by the provider | CRUD not allowed for VLAN | ERROR: Not authorized to execute this command
bind vlan 20 -IPAddress 172.x.x.x 255.255.255.0 -td 10 | Already set by the provider | CRUD not allowed for VLAN | ERROR: Operation not permitted
bind vlan 30 -ifnum 1/3 | Already set by the provider | CRUD not allowed for VLAN | ERROR: Not authorized to execute this command
bind vlan 30 -IPAddress 172.x.x.x 255.255.255.0 -td 10 | Already set by the provider | CRUD not allowed for VLAN | ERROR: Operation not permitted
set nd6RAvariables -vlan 1 | NetScaler Default value | CRUD not allowed for VLAN | ERROR: Not authorized to execute this command
set ipsec parameter -lifetime 28800 | NetScaler Default value | CRUD not allowed for IPSEC | ERROR: Not authorized to execute this command
add route 0.0.0.0 0.0.0.0 172.x.x.x -td 10 | Already set by the provider | CRUD not allowed for the DefaultGateway | ERROR: Not authorized to execute this command
set dns parameter -dns64Timeout 1000 | NetScaler Default value | CRUD not allowed for DNS | ERROR: Not authorized to execute this command
add dns nsRec . a.root-servers.net -TTL 3600000 ~ add dns nsRec . m.root-servers.net -TTL 3600000 | NetScaler Default value | CRUD not allowed for DNS | ERROR: Not authorized to execute this command
add dns addRec a.root-servers.net 198.x.x.x -TTL 3600000 ~ add dns addRec m.root-servers.net 202.x.x.x -TTL 3600000 | NetScaler Default value | CRUD not allowed for DNS | ERROR: Not authorized to execute this command
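The preparation step above, as an added example that is not part of the original documentation: it splits a saved running configuration into the lines to paste during restoration and the provider-managed lines to withhold. The prefix patterns are assumptions derived from the sample table (confirm them against the provider's "Restrictions"), and the customer commands and addresses in SAMPLE are constructed.

```python
import re

# Assumption: prefixes taken from the deletion-target samples in the table above.
# (?!\S) requires the keyword or name to end there, so a customer group named
# "user-admin-group-x" is not mistaken for the provider's "user-admin-group".
PROVIDER_MANAGED = [
    r"set ns config -IPAddress(?!\S)",
    r"add route 0\.0\.0\.0 0\.0\.0\.0(?!\S)",
    r"add ns acl IN_PROVIDER_MGMT_",
    r"add ns pbr OUT_PROVIDER_MGMT_",
    r"bind ssl service (nshttps|nsrpcs)-",
    r"(add|bind) system group (provider-group|provider-ope-group"
    r"|user-admin-group|user-read-group)(?!\S)",
    r"set interface(?!\S)",
    r"(add|bind) ns trafficDomain(?!\S)",
    r"(add|bind) vlan(?!\S)",
    r"set (nd6RAvariables|ipsec parameter|dns parameter)(?!\S)",
    r"add dns (nsRec \. |addRec )\S+\.root-servers\.net(?!\S)",
]
_RX = re.compile("|".join(PROVIDER_MANAGED))

def split_for_restore(saved_text):
    """Return (restorable, removed) command lists from a saved running config."""
    restorable, removed = [], []
    for raw in saved_text.splitlines():        # accepts LF and CRLF files
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comment lines
            continue
        (removed if _RX.match(line) else restorable).append(line)
    return restorable, removed

# Constructed sample; CRLF endings mimic a file saved from the portal on Windows.
SAMPLE = "\r\n".join([
    "# constructed sample, not a real device configuration",
    "set ns config -IPAddress 100.xx.xx.xx -netmask 255.255.240.0",
    "add vlan 10",
    "bind system group user-admin-group -userName user-admin",
    "add route 0.0.0.0 0.0.0.0 172.x.x.x -td 10",
    "add route 10.20.0.0 255.255.0.0 192.0.2.1",
    "add dns nsRec . a.root-servers.net -TTL 3600000",
    "add server web01 192.0.2.10",
    "add service svc_web01 web01 HTTP 80",
    "add lb vserver vs_web HTTP 192.0.2.100 80",
    "bind lb vserver vs_web svc_web01",
])

if __name__ == "__main__":
    keep, drop = split_for_restore(SAMPLE)
    print("\n".join(keep))
    print(f"-- {len(drop)} provider-managed line(s) withheld --")
```

Review the withheld list before discarding it: a line that matches a pattern but was actually customer-defined would otherwise be lost silently.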
11.2.8.3. Restoring a Load Balancer configuration
Note
As a prerequisite, it is assumed that the Load Balancer to which the configuration files are restored has been newly created and that its interface is connected with logical networks.
This restoring procedure assumes that the settings are rewritten with the saved configuration settings. If any old configuration remains, it must be deleted or modified.
If you intend to create a Load Balancer with another address, such as when the IP connected with the interface is different, modify in advance the IP addresses contained in the various settings, such as the load balancing-related settings (virtual server, service, server), based on the new address design.
To confirm by diff that the restored configuration is what you wanted, we recommend keeping the original configuration on your side before the new configuration is applied.
You cannot transfer the SSL Certificate with this procedure. The SSL Certificate stored by the customer has to be imported separately to NetScaler VPX.
Log in to the Management Portal of the Load Balancer.
From the [ Configuration ] tab, select [ System ] → [ Diagnostics ].
Select [ Utilities ] → [ Command line interface ].
The Command Line Interface (CLI) screen will be displayed.
From the saved configuration, copy the command line(s) that you want to restore.
Note
Paste the copied command line into [ Command ] on the Command Line Interface (CLI) screen.
Check that the executed command is set normally in NetScaler VPX.
Check that the contents of the setting are reflected.
Note
From the [ Configuration ] tab, move to [ System ] → [ Diagnostics ] → [ View Configuration ] → [ Running Configuration ], and compare the displayed [ Running Configuration ] with the [ Running Configuration ] from before the setting to see if the intended setting is entered.
We recommend checking the differences between the configurations before and after the restoration to see if the intended settings are entered. If the configuration has not been saved at Step 8, a restart will return the configuration to the condition before you restored.
We also recommend checking the operation of NetScaler VPX after restoration, at Step 8.
Press the [ Save ] button in the upper right corner on the screen to save the configuration.
Note
From version 11.0-67.12, SSH login to NetScaler is possible. Therefore, you can also execute [ save ns config ] to save the configuration.
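The before/after comparison recommended in the notes above, as an added example that is not part of the original documentation. The three configuration texts are constructed, and matching commands by exact text after whitespace normalisation is an assumption.

```python
def _commands(text):
    """Normalise a config: ignore CRLF/LF differences, blanks, comments, extra spaces."""
    return {" ".join(line.split()) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}

def verify_restore(before, after, intended):
    """Compare running configs taken before and after pasting `intended` commands."""
    b, a, want = _commands(before), _commands(after), _commands(intended)
    return {
        "missing": sorted(want - a),           # pasted but absent from the running config
        "unexpected": sorted((a - b) - want),  # appeared without being pasted
        "lost": sorted(b - a),                 # present before the restore, gone after
    }

# Constructed inputs: BEFORE is the new Load Balancer as delivered, INTENDED the
# lines selected for restoration, AFTER the running config saved from Windows.
BEFORE = "add vlan 10\nadd ns trafficDomain 10 -aliasName user-data-plane\n"
INTENDED = (
    "add server web01 192.0.2.10\n"
    "add service svc_web01 web01 HTTP 80\n"
    "add lb vserver vs_web HTTP 192.0.2.100 80\n"
)
AFTER = (
    "add vlan 10\r\n"
    "add ns trafficDomain 10 -aliasName user-data-plane\r\n"
    "add server web01 192.0.2.10\r\n"
    "add service  svc_web01 web01 HTTP 80\r\n"
    "enable ns feature LB\r\n"
)

if __name__ == "__main__":
    for kind, lines in verify_restore(BEFORE, AFTER, INTENDED).items():
        for line in lines:
            print(f"{kind}: {line}")
```

A "missing" entry can also mean the device displays the command in a different form than it was entered, so check such lines by hand before saving the configuration.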