NetScaler SDX

Provision NetScaler instances

Note:

Console Advisory Connect is enabled by default, after you install or upgrade the NetScaler SDX appliance to release 13.1. For more details, see Data governance and Console Advisory Connect.

You can provision one or more NetScaler instances on the SDX appliance by using the Management Service. The number of instances that you can install depends on the license you have purchased. If the number of instances added is equal to the number specified in the license, the Management Service does not allow provisioning more NetScaler instances.

Note:

You can configure up to 20 VPX instances on a network interface independent of the underlying hardware platform.

Provisioning a NetScaler VPX instance on the SDX appliance comprises the following steps.

  1. Define an admin profile to attach to the NetScaler instance. This profile specifies the user credentials that are used by the Management Service to provision the ADC instance and later, to communicate with the instance to retrieve configuration data. You can also use the default admin profile.
  2. Upload the .xva image file to the Management Service.
  3. Add a NetScaler instance using the Provision NetScaler wizard in the Management Service. The Management Service implicitly deploys the NetScaler instance on the SDX appliance and then downloads configuration details of the instance.

Warning

Make sure that you modify the provisioned network interfaces or VLANS of an instance using the Management Service instead of performing the modifications directly on the instance.

Create an admin profile

Admin profiles specify the user credentials that are used by the Management Service when provisioning the NetScaler instances. These credentials are later used when communicating with the instances to retrieve configuration data. The user credentials specified in an admin profile are also used by the client when logging on to the NetScaler instances through the CLI or GUI.

Admin profiles also enable you to specify that the Management Service and a VPX instance communicate with each other only over a secure channel or using HTTP.

The default admin profile for an instance specifies the default admin user name. This profile cannot be modified or deleted. However, you must override the default profile by creating a user-defined admin profile and attaching it to the instance when you provision the instance. The Management Service administrator can delete a user-defined admin profile if it is not attached to any NetScaler instance.

Important

Do not change the password directly on the VPX instance. If you do so, the instance becomes unreachable from the Management Service. To change a password, first create an admin profile, and then modify the NetScaler instance, selecting this profile from the Admin Profile list.

To change the password of NetScaler instances in a high availability setup, first change the password on the instance designated as the secondary node. Then change the password on the instance designated as the primary node. Remember to change the passwords only by using the Management Service.

Create an admin profile

  1. On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click Admin Profiles.

  2. In the Admin Profiles pane, click Add.

  3. The Create Admin Profile dialog box appears.

Admin profile SNMP

Set the following parameters:

  • Profile Name: name of the admin profile. The default profile name is nsroot. You can create user-defined profile names.
  • Password: the password used to log on to the NetScaler instance. Maximum length: 31 characters.
  • SSH Port: set the SSH port. The default port is 22.
  • Use global settings for NetScaler communication: Select if you want the setting to be defined in the System Settings for the communication between the Management Service and the NetScaler instance. You can clear this box and change the protocol to HTTP or HTTPS.

    • Select the http option to use HTTP protocol for the communication between the Management Service and the NetScaler instance.

    • Select the https option to use the secure channel for the communication between the Management Service and the NetScaler instance.

4. Under SNMP, select the version. If you select v2, go to step 5. If you select v3, go to step 6.

5. Under SNMP v2, add the SNMP Community name.

6. Under SNMP v3, add Security Name and Security Level.

7. Under Timeout Settings, specify the value.

8. Click Create, and then click Close. The admin profile that you created appears in the Admin Profiles pane.

If the value in the Default column is true the default profile is the admin profile. If the value is false, a user-defined profile is the admin profile.

If you do not want to use a user-defined admin profile, you can remove it from the Management Service. To remove a user-defined admin profile, in the Admin Profiles pane, select the profile you want to remove, and then click Delete.

Upload a NetScaler .xva image

A .xva file is required for adding a NetScaler VPX instance.

Upload the NetScaler SDX .xva files to the SDX appliance before provisioning the VPX instances. You can also download a .xva image file to a local computer as a backup. The .xva image file format is: NSVPX-XEN-ReleaseNumber-BuildNumber_nc.xva.

In the NetScaler XVA Files pane, you can view the following details.

  • Name: Name of the .xva image file. The file name contains the release and the build number. For example, the file name NSVPX-XEN-13.1-49.13_nc_64.xva.gz refers to release 13.1 build 49.13.
  • Last Modified: Date when the .xva image file was last modified.
  • Size: Size, in MB, of the .xva image file.

To upload a NetScaler .xva file

  1. On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click XVA Files.
  2. In the NetScaler XVA Files pane, click Upload.
  3. In the Upload NetScaler instance XVA dialog box, click Browse and select the XVA image file that you want to upload.
  4. Click Upload. The XVA image file appears in the NetScaler XVA Files pane after it is uploaded.

To create a backup by downloading a NetScaler .xva file

  1. In the NetScaler Build Files pane, select the file that you want to download, and then click Download.
  2. In the File Download message box, click Save.
  3. In the Save As message box, browse to the location where you want to save the file, and then click Save.

Add a NetScaler instance

When you add NetScaler instances from the Management Service, you need to provide values for some parameters. The Management Service implicitly configures these settings on the NetScaler instances.

SDX instance details

  • Name: Assign a name to the NetScaler instance.

  • Select Manage through internal network to enable an independent internal always-on connectivity between the SDX Management Service and the VPX instance. This feature is supported in 13.0-36.27 and higher version of VPX instances running on the SDX appliance.

  • Select an IPv4 or IPv6 address or both IPv4 and IPv6 addresses to access the NetScaler VPX instance for the management purpose. A NetScaler instance can have only one management IP (NSIP). You cannot remove an NSIP address.

  • Assign a netmask, default gateway, and next hop to Management Service for the IP address.

  • The Gateway and Nexthop to Management Service fields are optional under either of the following conditions, when VPX is provisioned with version 13.0–88.9 or 13.1–37.8, and their higher versions:

    • When Manage through internal network is enabled.
    • When the configured IPv4 address is in the same subnet as the Management Service IP address.

VPX IP details

Next, add the XVA file, Admin Profile, and a description for the instance.

Note: For a high availability setup (active-active or active-standby), Citrix recommends that you configure the two NetScaler VPX instances on different SDX appliances. Make sure that the instances in the setup have identical resources, such as CPU, memory, interfaces, packets per second (PPS), and throughput.

License allocation

In this section, specify the license you have procured for the NetScaler. The license can be Standard, Enterprise, and Platinum.

Note: An asterisk indicates required fields.

SDX VPX license allocation

If you need bandwidth-bursting ability, select Burstable under Allocation Mode. For more information, see Bandwidth Metering in SDX.

Crypto allocation

Starting with release 12.1 48.13, the interface to manage crypto capacity has changed. For more information, see Manage crypto capacity.

Resource allocation

For a VPX instance running on SDX, you have only one management CPU by default. Starting from release 14.1 build 21.x, if you have two or more dedicated cores, you can add one more management CPU when you provision or edit a VPX instance. This feature requires both SDX and VPX to be on software version 14.1-21.x and later.

Under Resource allocation, assign total memory, packets per second, and CPU.

To add an extra management CPU:

  1. Select Dedicated (2 core) or more from the CPU list.
  2. Select the Add an extra management CPU option.

SDX VPX resource allocation

CPU Assign a dedicated core or cores to the instance, or the instance shares a core with other instances. If you select shared, then one core is assigned to the instance but the core might be shared with other instances if there is a shortage of resources. Reboot affected Instances if CPU cores are reassigned. Restart the instances on which CPU cores are reassigned to avoid any performance degradation.

Note: For an instance, the maximum throughput that you configure is 180 Gbps.

The following table lists the supported VPX, Single bundle image version, and the number of cores you can assign to an instance:

Platform Name Total Cores Total Cores Available for VPX Provisioning Maximum Cores That Can Be Assigned to a Single Instance
SDX 8015, SDX 8400, and SDX 8600 4 3 3
SDX 8900 8 7 7
SDX 11500, SDX 13500, SDX 14500, SDX 16500, SDX 18500, and SDX 20500 12 10 5
SDX 11515, SDX 11520, SDX 11530, SDX 11540, and SDX 11542 12 10 5
SDX 17500, SDX 19500, and SDX 21500 12 10 5
SDX 17550, SDX 19550, SDX 20550, and SDX 21550 12 10 5
SDX 14020, SDX 14030, SDX 14040, SDX 14060, SDX 14080, and SDX 14100 12 10 5
SDX 22040, SDX 22060, SDX 22080, SDX 22100, and SDX 22120 16 14 7
SDX 24100 and SDX 24150 16 14 7
SDX 14020 40G, SDX 14030 40G, SDX 14040 40G, SDX 14060 40G, SDX 14080 40G, and SDX 14100 40G 12 10 10
SDX 14020 FIPS, SDX 14030 FIPS, SDX 14040 FIPS, SDX 14060 FIPS, SDX 14080 FIPS, and SDX 14100 FIPS 12 10 5
SDX 14040 40S, SDX 14060 40S, SDX 14080 40S, and SDX 14100 40S 12 10 10
SDX 25100A, 25160A, 25200A 20 18 9
SDX 25100-40G, 25160-40G, 25200-40G 20 18 16
SDX 26100, 26160, 26200, 26250 28 26 16
SDX 26100-50S, 26160-50S, 26200-50S, 26250-50S 28 26 16
SDX 26100-100G, 26160-100G, 26200-100G, 26250-100G 28 26 25
SDX 15000 16 14 14
SDX 15000-50G 16 14 14
SDX 9100 10 9 9
SDX 16000 32 30 16

Note:

Dedicated cores map to the number of packet engines running on the instance. For a VPX instance created with dedicated cores, an additional CPU is assigned for management.

Instance administration

You can create an admin user for the VPX instance by selecting Add Instance Administration under Instance Administration.

Instance admin

Add the following details:

User name: The user name for the NetScaler instance administrator. This user has superuser access but does not have access to networking commands to configure VLANs and interfaces.

Password: The password for the user name.

Shell/Sftp/Scp Access: The access allowed to the NetScaler instance administrator. This option is selected by default.

Network settings

  • Allow L2 Mode: You can allow L2 mode on the NetScaler instance. Select Allow L2 Mode under Networking Settings. Before you log on to the instance and enable L2 mode. For more information, see Allowing L2 Mode on a NetScaler instance.

    Network settings

    Note:

    • If you disable L2 mode for an instance from the Management Service, you must log on to the instance and disable L2 mode from that instance. Failure to do so might cause all the other NetScaler modes to be disabled after you restart the instance
    • After an ADC instance is provisioned on SDX, you cannot delete an interface or channel from the ADC instance. However, you can add an interface or channel to the ADC instance.
  • Interface 0/1 and 0/2: By default, interface 0/1 and 0/2 are selected for management LA.

  • VLAN tag: Specify a VLAN ID for the management interface. Next, add data interfaces.

    Note:

    The interface IDs of interfaces that you add to an instance do not necessarily correspond to the physical interface numbering on the SDX appliance. If the first interface that you associate with instance 1 is interface 1/4, it appears as interface 1/1 when you view the interface settings on the instance. The numbering changes because it is the first interface that you associated with instance 1.

Add-data-interface

  • Allow untagged traffic: Select the Allow untagged traffic check box to enable the NetScaler instance to process the untagged traffic.

    Note:

    When the SDX appliance version is 13.1-24.x or later and the NetScaler instance version is earlier than 13.1-24.x, the ADC instance processes the untagged traffic on the Mellanox interfaces even if the Allow untagged traffic check box is cleared.

  • Allowed VLANs: Specify a list of VLAN IDs that can be associated with a NetScaler instance.

  • MAC Address Mode: Assign a MAC address. Select from one of the following options:

    • Default: Citrix Hypervisor assigns a MAC address.
    • Custom: Choose this mode to specify a MAC address that overrides the generated MAC address.
    • Generated: Generate a MAC address by using the base MAC address set earlier. For information about setting a base MAC address, see Assigning a MAC Address to an Interface.
  • VMAC Settings (IPv4 and IPv6 VRIDs to configure Virtual MAC)

    • VRID IPV4: The IPv4 VRID that identifies the VMAC. Possible values: 1–255. For more information, see Configuring VMACs on an Interface.
    • VRID IPV6: The IPv6 VRID that identifies the VMAC. Possible values: 1–255. For more information, see Configuring VMACs on an Interface.

Management VLAN settings

Typically, the Management Service and the management address (NSIP) of the VPX instance are in the same subnetwork, and communication is over a management interface. However, if the Management Service and the instance are in different subnetworks, you have to specify a VLAN ID at the time of provisioning a VPX instance. This ID is required so that the instance can be reached over the network when it starts. If your deployment requires that the NSIP is accessible only by the interface selected at the time of provisioning the VPX instance, select the NSVLAN option.

If NSVLAN option is selected, you cannot change this setting after you have provisioned the NetScaler instance.

VPX management VLAN setting

Note:

  • HA heartbeats are sent only on the interfaces that are part of the NSVLAN.

Important: If NSVLAN is not selected, running the “clear config full” command on the VPX instance deletes the VLAN configuration.

Click Done to provision the NetScaler VPX appliance.

Edit a NetScaler instance

To edit the parameter values of a provisioned NetScaler instance:

  1. Navigate to NetScaler > Instances.
  2. Select the instance that you want to edit, and then click Edit.
  3. In the Configure NetScaler page, edit the values.

When a NetScaler instance has a blank gateway field, you can edit the instance only under one of the following conditions:

  • When the NetScaler instance is reachable from the Management Service.
  • Manage through internal network is enabled.

These conditions are imposed to ensure that the NetScaler instance is reachable during the edit operation.

Notes:

  • You can edit the VPX instance and add one more management CPU only if you have two or more dedicated cores and both the VPX and SDX are on release 14.1 and build 21.x and later.

  • Selecting the Add an extra management CPU option for a VPX with the release earlier than 14.1-21.x results in an error. Upgrade the VPX instance to release 14.1-21.x and later to use this feature.

    Management CPU error

  • Before you downgrade a VPX instance to a build earlier than 14.1-21.x, you must disable the Add an extra management CPU option. Otherwise, the performance of the VPX instance is impacted.

  • If the Add an extra management CPU option is not disabled and the VPX instance is downgraded to a version earlier than 14.1-21.x, an alarm is generated.

Points to note:

  • If you modify the following parameters: number of SSL chips, interfaces, memory, and feature license, the NetScaler instance implicitly stops and restarts to bring these parameters into effect.
  • You cannot modify the Image and User Name parameters.
  • Interfaces or channels cannot be deleted from the ADC instance. However, new interfaces or channels can be added to the ADC instance.
  • To remove an ADC instance provisioned on the SDX appliance, in the NetScaler instances pane, select the instance that you want to remove, and then click Delete. In the Confirm message box, click Yes to remove the NetScaler instance.

Restrict VLANs to specific virtual interfaces

The SDX appliance administrator can enforce specific 802.1Q VLANs on the virtual interfaces associated with NetScaler instances. This capability is especially helpful in restricting the usage of 802.1Q VLANs by the instance administrators. If two instances belonging to two different companies are hosted on an SDX appliance, you can restrict the two companies from using the same VLAN ID. By doing so, one company does not see the other company’s traffic. If an instance administrator tries to assign an interface to an 802.1Q VLAN, a validation is performed to verify that the VLAN ID specified is part of the allowed list.

By default, any VLAN ID can be used on an interface. To restrict the tagged VLANs on an interface, specify the VLAN IDs in the Network Settings at the time of provisioning a NetScaler instance. You can also specify it later by modifying the instance. To specify a range, separate the IDs with a hyphen (for example 10–12). If you initially specify some VLAN IDs but later delete all of them from the allowed list, you can use any VLAN ID on that interface. In effect, you have restored the default setting.

After creating a list of allowed VLANs, the SDX administrator does not have to log on to an instance to create the VLANs. The administrator can add and delete VLANs for specific instances from the Management Service.

Important: If L2 mode is enabled, the administrator must take care that the VLAN IDs on different NetScaler instances do not overlap.

To specify the permitted VLAN IDs

  1. In the Provision ADC Wizard or the Modify ADC Wizard, on the Network Settings page, in Allowed VLANs, specify one or more VLAN IDs allowed on this interface. Use a hyphen to specify a range. For example, 2–4094.
  2. Follow the instructions in the wizard.
  3. Click Finish, and then click Close.

To configure VLANs for an instance from the Management Service

  1. On the Configuration tab, navigate to NetScaler > Instances.
  2. Select an instance, and then click VLAN.
  3. In the details pane, click Add.
  4. In the Create NetScaler VLAN dialog box, specify the following parameters:
    • VLAN ID—An integer that uniquely identifies the VLAN to which a particular frame belongs. The NetScaler supports a maximum of 4094 VLANs. ID 1 is reserved for the default VLAN.
    • IPV6 Dynamic Routing—Enable all IPv6 dynamic routing protocols on this VLAN. Note: For the ENABLED setting to work, you must log on to the instance and configure IPv6 dynamic routing protocols from the VTYSH command line.
  5. Select the interfaces that must be part of the VLAN.
  6. Click Create, and then click Close.
Provision NetScaler instances