Introduction to Citrix NetScaler SDX

Article ID: CTX226732

Description

Introduction to NetScaler SDX

NetScaler SDX is a hardware-based application delivery appliance for enterprise and cloud datacenters. It hosts multiple NetScaler instances on a single hardware appliance and can therefore be used for multi-tenancy.

NetScaler SDX Components

  1. XenServer: This is the Hypervisor
  2. Service VM (SVM): Provides services like creation/modification/deletion of VPXs. Acts as a management interface for the SDX.
  3. NetScaler VPX: Provisioned on the SDX to provide multi-tenant solution.
  4. 3rd Party VPXs: Third-party VPXs such as TrendMicro, PaloAlto, and Websense can also be hosted on SDX.

NetScaler SDX Licensing

When the SVM is started on the SDX platform, the license determines the total system performance and the number of VPX instances allowed. Feature licenses are configured when the NetScaler VPX instance is created. The license information is stored in XenStore and is referenced when the VPX is started. The SVM requires a Platinum license, whereas a VPX can have a Standard, Enterprise, or Platinum license. NetScaler SDX licenses are stored in the /mpsconfig/license directory of the XenServer.

NetScaler SDX Network Traffic Behavior

  • Instances can communicate directly with the virtual NICs. SDX supports 64 virtual NICs, which can be allocated to the instances.

  • Each VPX instance has dedicated VF (virtual function) and hence the performance is not impacted by other instances.
  • VLAN filtering provides segregation of data between instances. VLAN filtering is enabled by default on the NetScaler SDX appliance. For example, if you have configured two NetScaler VPX instances on two different VLANs and you enable VLAN filtering, one instance cannot view the other instance's traffic.

    • If VLAN filtering is disabled, all of the instances can see the tagged or untagged broadcast packets, but the packets are dropped at the software level.
    • If VLAN filtering is enabled, each tagged broadcast packet reaches only the instance that belongs to the corresponding tagged VLAN.
    • If none of the instances belong to the corresponding tagged VLAN, the packet is dropped at the hardware level (NIC).
  • A received packet that has passed MAC address filtering is then subjected to VLAN header filtering:
    1. If the packet does not have a VLAN header, it passes to the next filtering stage
    2. If VLAN filtering is disabled, the packet is forwarded to the next filtering stage
    3. If the packet has a VLAN header, and it matches an enabled host VLAN filter, the packet is forwarded to the next filtering stage
    4. Otherwise, the packet is dropped
    • The following examples illustrate how a VLAN ID is verified:

      Case 1: When the VF has a VLAN set from the SVM, the following hold irrespective of whether VLAN filtering is enabled or disabled:
      • If the VM tries to set the same VLAN, the request is silently ignored because the VLAN filter is already programmed.
      • If the VM tries to set a different VLAN, an error is returned.
      Case 2: When the VF does not have a VLAN set from the SVM:
      • If VLAN filtering is disabled and the VM tries to set a VLAN on the VF, the request is silently ignored.
      • If VLAN filtering is enabled and the VM tries to set a VLAN on the VF, the VLAN filter is added if resources are available.
  • If in a deployment the VPX instance needs to communicate with a network segment in a VLAN other than the default VLAN, there is no need to configure the VLAN settings on the SVM while provisioning the instance. In this case you configure the VLAN settings on the VPX itself: create a VLAN, bind the interface to it, and enable tagging on the interface. Refer to CTX138822 - How to Change the NetScaler VLAN on NetScaler SDX for more information.
  • If the native VLAN of a VPX instance on SDX differs from the native VLAN of the upstream switch, change the NSVLAN in the VLAN settings of the instance from the SVM so that it matches the upstream device. For example, if the upstream switch has VLAN 20 as its native VLAN, the NSVLAN ID on the NetScaler VPX instance should be 20. (This applies to management traffic only.)
  • NSVLAN is the VLAN to which the subnet of the NSIP is bound. If the SVM and the NSIP of the instance are in different subnets, specify the VLAN when provisioning the instance, in the NSVLAN field of the "Create NetScaler instance" dialog box.
  • VLAN tags configured for individual interfaces are propagated to the link aggregation channel. For example, if 1/1 and 1/2 both have VLAN tag 2 and an LA channel is formed from those interfaces, the tagged configuration is propagated to the LA channel when it is formed.
  • The SVM disallows the creation of a channel if the tag values differ across the interfaces:
    • Physical interfaces are allowed to bind only if they are part of the same VLAN domain.
    • The LA VLAN ID is derived from the slaves when the channel is formed.
    • During operation, VLAN configuration is done on the LA channel only and propagated to its slaves.
    • On unbind, the physical interfaces carry the LA VLAN configuration.
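To make the receive-path filtering rules and the two VF VLAN-set cases above concrete, here is an added Python model. It is an illustration written for this article, not Citrix or XenServer code: the `Packet` and `VirtualFunction` classes, the per-VF filter limit `max_filters`, and the sample MAC addresses and VLAN IDs are constructed assumptions. It also models the broadcast behaviour from the VLAN filtering bullets (every instance sees the frame and drops it in software when filtering is disabled; the NIC drops it when no instance belongs to the VLAN).

```python
"""Model of the NetScaler SDX VF receive path and VF VLAN-set rules.
Added illustration for this article, not Citrix code; all names and
sample values below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Packet:
    dst_mac: str
    vlan_id: Optional[int] = None  # None means the frame carries no VLAN header


@dataclass
class VirtualFunction:
    """One SR-IOV VF handed to a VPX instance (hypothetical model)."""
    name: str
    mac: str
    svm_vlan: Optional[int] = None                              # VLAN programmed by the SVM at provisioning
    instance_vlans: Set[int] = field(default_factory=set)       # VLANs the VPX itself is configured for
    host_vlan_filters: Set[int] = field(default_factory=set)    # enabled host VLAN filters on the VF
    max_filters: int = 4                                        # assumed per-VF filter resource limit

    def __post_init__(self) -> None:
        if self.svm_vlan is not None:
            self.host_vlan_filters.add(self.svm_vlan)


def mac_filter(vf: VirtualFunction, pkt: Packet) -> bool:
    """First stage: accept frames addressed to this VF or to the broadcast MAC."""
    return pkt.dst_mac.lower() in (vf.mac.lower(), BROADCAST_MAC)


def vlan_header_filter(vf: VirtualFunction, pkt: Packet, vlan_filtering_enabled: bool) -> str:
    """Second stage: the four rules from the article, evaluated in order."""
    if pkt.vlan_id is None:                    # 1. no VLAN header
        return "forward"
    if not vlan_filtering_enabled:             # 2. filtering disabled
        return "forward"
    if pkt.vlan_id in vf.host_vlan_filters:    # 3. matches an enabled host VLAN filter
        return "forward"
    return "drop"                              # 4. otherwise


def receive(vf: VirtualFunction, pkt: Packet, vlan_filtering_enabled: bool) -> str:
    """Full receive decision for one VF: MAC filter, then VLAN header filter."""
    if not mac_filter(vf, pkt):
        return "drop:mac"
    return vlan_header_filter(vf, pkt, vlan_filtering_enabled)


def broadcast_fanout(vfs: List[VirtualFunction], pkt: Packet,
                     vlan_filtering_enabled: bool) -> Dict[str, str]:
    """Where a broadcast frame ends up per instance: delivered, dropped by the
    instance's software, or dropped at the NIC (hardware)."""
    if pkt.vlan_id is None or not vlan_filtering_enabled:
        # Every instance sees the frame; software drops it if the instance is not in that VLAN.
        return {vf.name: ("delivered" if pkt.vlan_id is None or pkt.vlan_id in vf.instance_vlans
                          else "dropped:software") for vf in vfs}
    members = {vf.name for vf in vfs if pkt.vlan_id in vf.host_vlan_filters}
    # Filtering enabled: only members receive it; with no member it never leaves the NIC.
    return {vf.name: ("delivered" if vf.name in members else "dropped:hardware") for vf in vfs}


def vm_set_vlan(vf: VirtualFunction, requested_vlan: int, vlan_filtering_enabled: bool) -> str:
    """A VPX asking its VF for a VLAN: Case 1 and Case 2 from the article."""
    if vf.svm_vlan is not None:                               # Case 1: SVM already set a VLAN
        if requested_vlan == vf.svm_vlan:
            return "ignored:already-programmed"
        return "error:conflicts-with-svm-vlan"
    if not vlan_filtering_enabled:                            # Case 2, filtering disabled
        return "ignored:filtering-disabled"
    if len(vf.host_vlan_filters) >= vf.max_filters:           # Case 2, filtering enabled, no room
        return "error:no-filter-resources"
    vf.host_vlan_filters.add(requested_vlan)                  # Case 2, filtering enabled
    return "added"


if __name__ == "__main__":
    # Constructed sample: two tenants on VLAN 10 and VLAN 20.
    vf_a = VirtualFunction("vf-a", "02:00:00:00:00:0a", svm_vlan=10, instance_vlans={10})
    vf_b = VirtualFunction("vf-b", "02:00:00:00:00:0b", svm_vlan=20, instance_vlans={20})
    tagged20 = Packet(BROADCAST_MAC, 20)
    for enabled in (True, False):
        print("filtering", "on " if enabled else "off", broadcast_fanout([vf_a, vf_b], tagged20, enabled))
    print("vf-a unicast on VLAN 20:", receive(vf_a, Packet(vf_a.mac, 20), True))
    print("vf-a asks for VLAN 11:", vm_set_vlan(vf_a, 11, True))
```

Running the script shows the two defender-relevant points: with filtering enabled the NIC never hands a VLAN 20 frame to the VLAN 10 tenant, and Case 1 blocks a tenant from moving its VF to another VLAN regardless of the filtering switch.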

NetScaler SDX Configuration

Refer to the following Citrix Documentation links:
  1. Initial configuration: https://docs.netscaler.com/en-us/sdx/current-release/getting-started-management-service.html
  2. Configuring and Managing NetScaler Instances: https://docs.netscaler.com/en-us/sdx/current-release/configuring-managing-netscaler-instance

Link Aggregation on NetScaler SDX

Active-Active
  Description: Source level balancing (SLB). Outgoing traffic is balanced based on traffic on the participating interfaces. Each packet with a new source MAC is sent on the interface with the least traffic.
  Switch configuration: none required.
  Management ports (0/x): supported
  Data ports (1/x, 10/x, ...): not supported

Active-Passive
  Description: One of the interfaces is active at any time. When it fails, a new active interface is chosen.
  Switch configuration: none required.
  Management ports (0/x): supported
  Data ports (1/x, 10/x, ...): not supported

LACP
  Description: Interfaces in an LACP channel are treated as a single interface, which provides throughput aggregation, load balancing, and failover. LACP PDU exchange happens between XenServer and the switch. The VPX maintains a shadow LACP state machine of the exchanges between XenServer and the switch.
  Switch configuration: the switch must be configured for LACP.
  Management ports (0/x): supported
  Data ports (1/x, 10/x, ...): supported

Static (Manual)
  Description: Created as Manual in the VPX and as Active-Passive in XenServer. The VPX uses both interfaces as long as they are UP.
  Switch configuration: none required.
  Management ports (0/x): not supported
  Data ports (1/x, 10/x, ...): supported
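The channel VLAN rules listed under NetScaler SDX Network Traffic Behavior (the LA VLAN ID derived from the slaves, refusal when tag values differ, configuration done on the channel and propagated to slaves, slaves keeping that configuration on unbind) apply to the channel types in the table above. Here they are as an added Python model; it is an illustration written for this article, not Citrix code, and `Interface`, `LAChannel`, `ChannelError` and the interface names are constructed.

```python
"""Model of the SVM's VLAN-tag rules for link-aggregation channels.
Added illustration for this article, not Citrix code; names are constructed."""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set


class ChannelError(Exception):
    """Raised where the SVM would refuse the operation."""


@dataclass
class Interface:
    name: str                                     # e.g. "1/1"
    vlans: Set[int] = field(default_factory=set)  # tagged VLAN ids configured on the port
    channel: Optional[str] = None                 # LA channel it is bound to, if any


@dataclass
class LAChannel:
    name: str                                     # e.g. "LA/1"
    slaves: List[Interface]
    vlans: Set[int]                               # derived from the slaves when formed


def check_members(members: List[Interface]) -> Optional[str]:
    """Return the reason the SVM would refuse these interfaces, or None if allowed."""
    if not members:
        return "a channel needs at least one interface"
    bound = [i.name for i in members if i.channel is not None]
    if bound:
        return f"already bound to a channel: {bound}"
    domains = {frozenset(i.vlans) for i in members}
    if len(domains) != 1:                         # interfaces must share one VLAN domain
        return "VLAN tags differ across " + ", ".join(
            f"{i.name}={sorted(i.vlans)}" for i in members)
    return None


def form_channel(name: str, members: List[Interface]) -> LAChannel:
    """Bind physical interfaces into a channel, deriving the LA VLAN ID from the slaves."""
    reason = check_members(members)
    if reason is not None:
        raise ChannelError(reason)
    channel = LAChannel(name, list(members), set(members[0].vlans))
    for i in members:
        i.channel = name
    return channel


def set_interface_vlans(iface: Interface, vlans: Iterable[int]) -> None:
    """While bound, VLAN configuration belongs on the channel, not on the slave."""
    if iface.channel is not None:
        raise ChannelError(f"{iface.name} is bound to {iface.channel}; configure the channel instead")
    iface.vlans = set(vlans)


def set_channel_vlans(channel: LAChannel, vlans: Iterable[int]) -> None:
    """Channel VLAN configuration is propagated to every slave."""
    channel.vlans = set(vlans)
    for i in channel.slaves:
        i.vlans = set(channel.vlans)


def unbind(channel: LAChannel, iface: Interface) -> None:
    """On unbind the physical interface keeps the channel's VLAN configuration."""
    if iface not in channel.slaves:
        raise ChannelError(f"{iface.name} is not a member of {channel.name}")
    channel.slaves.remove(iface)
    iface.channel = None
    iface.vlans = set(channel.vlans)


if __name__ == "__main__":
    # Constructed sample: 1/1 and 1/2 tagged with VLAN 2, 1/3 tagged with VLAN 3.
    p1, p2, p3 = Interface("1/1", {2}), Interface("1/2", {2}), Interface("1/3", {3})
    la1 = form_channel("LA/1", [p1, p2])
    print("LA/1 VLANs derived from slaves:", sorted(la1.vlans))
    print("LA/2 from 1/2 and 1/3 refused:", check_members([Interface("1/4", {2}), p3]))
    set_channel_vlans(la1, [2, 5])
    print("after channel change, 1/1 carries:", sorted(p1.vlans))
    unbind(la1, p2)
    print("after unbind, 1/2 carries:", sorted(p2.vlans), "bound to:", p2.channel)
```

The point worth checking in practice is the last step: an interface removed from a channel keeps the channel's tags, so an audit of which VLANs a port can reach has to look at the channel history, not only at what was originally configured on the port.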

Management VLAN Settings on NetScaler SDX

VLAN: <id>
VLAN Type: NSVLAN
Tag Setting: none (untagged)
Interfaces: [list of interfaces]
Description:
  1. Creates an L3 VLAN (a VLAN with an IP bound) with the NSIP bound to it.
  2. Only interfaces in the selected list receive NSIP subnet traffic.
  3. NSIP subnet traffic is in the native VLAN, and hence untagged.

VLAN: <id>
VLAN Type: NSVLAN
Tag Setting: Tagged
Interfaces: [list of interfaces]
Description:
  1. Creates an L3 VLAN (a VLAN with an IP bound) with the NSIP bound to it.
  2. Only interfaces in the selected list receive NSIP subnet traffic.
  3. NSIP subnet traffic is expected to be tagged.

VLAN: <id>
VLAN Type: L2VLAN
Tag Setting: none (untagged)
Interfaces: [list of interfaces]
Description:
  1. Useful when no management ports are assigned to the VPX.
    1. Enables separation of management traffic from data traffic on data ports.
  2. Creates an L2 VLAN (a VLAN without an IP bound).
  3. Only interfaces in the selected list receive traffic for this VLAN.
  4. This VLAN is native, and hence traffic on this VLAN is untagged.

VLAN: <id>
VLAN Type: L2VLAN
Tag Setting: Tagall
Interfaces: [list of interfaces]
Description:
  1. Useful when no management ports are assigned to the VPX.
    1. Enables separation of management traffic from data traffic on data ports.
  2. Creates an L2 VLAN (a VLAN without an IP bound).
  3. Only interfaces in the selected list receive traffic for this VLAN.
  4. The VLAN, even if native, is treated as tagged. (when is this useful?)

Issue/Introduction

This article provides the basic information required to understand and configure Citrix NetScaler SDX.

Additional Information

CTX200084 - General Information on NetScaler SDX LOM
CTX233122 - How to upgrade SDX appliance from 10.5 to 12.0 Version