At Consulting Services, we are seeing more and more Cisco ACE and CSM deployments being converted to the Citrix NetScaler environments. One common question that pops up frequently is regarding the straight conversion when the ACE/CSM was deployed in ‘Single Subnet Bridging Mode’ (For CSM, please refer to, and for ACE, refer to

In ‘Single Subnet Bridging Mode’, the client side VLAN and server side VLAN share the same L3 network, as shown below from the Cisco doc.

The deployment mode shown above is not the same as a typical Two-Arm deployment mode, where the server VLAN and client VLAN are on their respective L3 networks and the ADC (e.g. NetScaler, CSM, or ACE) routes traffic between the two arms, as shown below, which in Cisco’s term, is called Secure Router Mode. (

As the fundamentals of Routing and Switching imply, for ‘Single Subnet Bridging Mode’ to work correctly, the ADC effectively swaps the VLAN tags between server and client VLANs when it bridges traffic between them.

To do the ‘swapping’, the NetScaler feature ‘Bridge Groups’ must be used. For example, if the client VLAN is 100 and server VLAN is 200. In order for the NetScaler to bridge traffic between the two VLAN(s), consider using the following configuration.

add vlan 100 -aliasName Client_VLAN
add vlan 200 -aliasName Server_VLAN
add bridgegroup 1
bind bridgegroup 1 -vlan 100
bind bridgegroup 1 -vlan 200

A SNIP can be bound to the Bridge Group, and as a result, the NetScaler uses this SNIP to communicate to the backend servers. In this deployment, no L2 or L3 mode is required to be enabled.

In deployments where backend servers must also reach outside of its own subnet, the servers’ default gateway will need to be configured as the aforementioned SNIP and L3 mode be enabled.

For certain deployments where changing default gateway is administratively prohibitive, consider the following example.

In the above diagram, let’s suppose that Backend has default gateway set to Router (second icon to Client). In this case Backend will send out a broadcast ARP request, asking the MAC address of the Router IP. This broadcast ARP request must pass through the NetScaler before it reaches the Router, as the NetScaler is physical inline to bridge traffic between server and client VLAN, as discussed previously.

The NetScaler drops the broadcast request causing the Router not to see it and subsequently not to respond with an ARP reply. The NetScaler drops the ARP request since L2 mode is turned off by default. With L2 mode turned off, the NetScaler will drop packets destined to MAC or IP addresses that it doesn’t own.

To ensure ARP request reaches Router and all necessary L2/L3 network flow, L2 mode must be enabled in this case.

After L2 mode is enabled, we have the following options,

  1. With L2 + Bridge Group Proxy ARP (Disabled), the ARP entry for Router IP on Backend is Router’s MAC (in GREEN).
  2. With L2 + L3 + Bridge Group Proxy ARP (Enabled), the ARP entry for Router IP is NetScaler’s MAC (in RED)

‘Bridge Group Proxy ARP’ option below can be found at System -> Network -> Configure Layer 2 Parameters

As a side note, Traffic Domain, DSR (Direct Server Return) and USIP mode can all be achieved when a direct conversion is needed.

However, it is my own view that ‘Single Subnet Bridging Mode’ be adjusted to Two-Arm mode whereby the ADC routes between connected networks, instead of bridging.