The Citrix ADC T1 models provide advanced features and a powerful policy configuration language that allow for evaluation of complex decision in runtime.
While it is not possible to evaluate all capabilities that are potentially unlocked by the T1000 features and policy configuration guide, technical receipes consider implementation of various requirements brought in by Telco operators. Feel free to re-use the “recipes” as is or adapt to your environment.
Per-user Connection Limit
The Citrix ADC T1 model can be configured to limit the number of connections per unique subscriber IP. With the below configuration, N concurrent TCP connections per IP (CLIENT.IP.SRC) is allowed. For every attempt for connection beyond the configured threshold, T1 sends an RST. For maximum 2 concurrent connections per user:
add stream selector streamSel_usrlimit CLIENT.IP.SRC add ns limitIdentifier limitId_usrlimit -threshold 2 -mode CONNECTION -selectorName streamSel_usrlimit add responder policy respPol_usrlimit "SYS.CHECK_LIMIT(\"limitId_usrlimit\")" RESET bind lb vserver vsrv-wireless -policyName respPol_usrlimit -priority 1 -gotoPriorityExpression END <!--NeedCopy-->
Smooth Insertion/Deletion of Vserver
Many operators concern about TCP connections disruption when the Citrix ADC T1 model is activated inline for TCP optimization or when it is disabled for maintenance purposes. To avoid breaking existing connections when vserver is introduced, the following configuration needs to be applied before configuring or activating vserver for TCP optimization:
add ns acl acl-ingress ALLOW –vlan 100 add forwardingSession fwd-ingress –aclname acl-ingress apply ns acls <!--NeedCopy-->
Forwarding sessions are effective on top of routing (either static or dynamic or PBR) and create session entries for traffic that is routed (L3 mode). Any existing connection is handled by forwarding session due to corresponding sessions, and upon vserver introduction it starts capturing only new TCP connections.
ACLs can be configured to capture only specific ports like vserver, in order to avoid creating sessions for unnecessary traffic, which is memory consuming. Another option is to remove specific configuration after vserver activation.
For maintenance purposes, vserver should be disabled and its state appears as OUT OF SERVICE. When this happens, the vserver terminates all connections immediately by default. To make vserver to still serve the existing connections and not accept new, the following configuration should be applied:
set lb vserver vsrv-wireless –downStateFlush DISABLED <!--NeedCopy-->
New connections go through the routing table, and corresponding session entries are created due to forwarding sessions.
Policy-Based TCP Profiling
Policy-based TCP Profile selection allows operators to configure TCP profile dynamically for clients coming from different traffic domains (i.e. 3G or 4G). Some of the QoS metrics are different for these traffic domains, and in order to achieve better performance, you need to change some of the TCP parameter dynamically. Consider a case where clients coming from 3G and 4G hit same vserver and use same TCP profile, which have negative impact on some client’s performance. AppQoE functionality can classify these clients and dynamically change TCP profile on vserver.
enable feature AppQoE add ns tcpProfile nstcpprofile1 -WS ENABLED -SACK ENABLED -WSVal 8 -mss 1460 -maxBurst 30 -initialCwnd 16 -oooQSize 15000 -minRTO 800 -slowStartIncr 1 -bufferSize 4000000 -flavor BIC -KA ENABLED -sendBuffsize 4000000 -rstWindowAttenuate ENABLED -spoofSynDrop ENABLED -frto ENABLED -maxcwnd 1000000 -fack ENABLED -tcpmode ENDPOINT add ns tcpProfile nstcpprofile2 -WS ENABLED -SACK ENABLED -WSVal 8 -mss 1460 -maxBurst 15 -initialCwnd 16 -oooQSize 15000 -minRTO 800 -slowStartIncr 1 -bufferSize 128000 -flavor BIC -KA ENABLED -sendBuffsize 6000000 -rstWindowAttenuate ENABLED -spoofSynDrop ENABLED -frto ENABLED -maxcwnd 64000 -fack ENABLED -tcpmode ENDPOINT add appqoe action action_1 -priority HIGH -tcpprofile nstcpprofile1 add appqoe action action_2 -priority HIGH -tcpprofile nstcpprofile2 add appqoe policy appqoe_4G -rule "CLIENT.VLAN.ID.EQ(100)" -action action_1 add appqoe policy appqoe_3G -rule "CLIENT.VLAN.ID.EQ(200)" -action action_2 bind lb vserver vsrv-wireless -policyName appqoe_4G -priority 100 bind lb vserver vsrv-wireless -policyName appqoe_3G -priority 110 <!--NeedCopy-->
The Citrix ADC T1 model is capable to receive the subscriber information dynamically through Gx or Radius or Radius and Gx interface and apply different TCP profile on a per-subscriber basis.
add appqoe action action_1 -priority HIGH -tcpprofile nstcpprofile1 add appqoe action action_2 -priority HIGH -tcpprofile nstcpprofile2 add appqoe policy appqoe_4G -rule "SUBSCRIBER.RULE_ACTIVE(\"3G\")" -action action_1 add appqoe policy appqoe_3G -rule "SUBSCRIBER.RULE_ACTIVE(\"4G\")" -action action_2 <!--NeedCopy-->
For integration of the Citrix ADC T1 model with operator control-plane network, see Telco Subscriber Management.