NetScaler

VLAN configuration for admin partitions

VLANs can be bound to a partition as a “Dedicated” VLAN or a “Shared” VLAN. Based on your deployment, you can bind a VLAN to a partition to isolate its network traffic from other partitions.

Dedicated VLAN – A VLAN that is bound to only one partition, with the “Sharing” option disabled. It must be a tagged VLAN. For example, in a client-server deployment, a system administrator creates a dedicated VLAN for each partition on the server side for security reasons.

Shared VLAN – A VLAN that is bound to (shared across) multiple partitions, with the “Sharing” option enabled. For example, in a client-server deployment, if the system administrator does not have control over the client-side network, a single VLAN is created and shared across multiple partitions.

A shared VLAN can be used across multiple partitions. It is created in the default partition, and you can then bind it to multiple partitions. A shared VLAN is implicitly bound to the default partition, so it cannot be bound to the default partition explicitly.

Important

  • A NetScaler appliance deployed on any hypervisor platform (ESX, KVM, Xen, and Hyper-V) must meet both of the following conditions in a partition setup with traffic domains:

    • Enable promiscuous mode, MAC address changes, MAC spoofing, or forged transmits on the virtual switch for shared VLANs that are used with partitions.
    • Enable the VLAN in the port group properties of the virtual switch if the traffic flows through a dedicated VLAN.
  • Citrix recommends that you bind a dedicated or shared VLAN to multiple partitions. You can bind only a tagged VLAN to a partition. If there are untagged VLANs, you must enable them as “Shared” VLANs and then bind them to other partitions. This ensures that control packets (for example, LACP, LLDP, and xSTP packets) are handled in the default partition. If you have already bound an untagged VLAN to a partition in 11.0, see the “Deployment procedure for upgrading a sharable VLAN to NetScaler 11.1 software” procedure.

In a partitioned (multitenant) NetScaler appliance, a system administrator can isolate the traffic flowing to a particular partition or partitions. This is done by binding one or more VLANs to each partition. A VLAN can be dedicated to one partition or shared across multiple partitions.

Dedicated VLANs

To isolate the traffic flowing into a partition, create a VLAN and associate it with the partition. The VLAN is then visible only to the associated partition, and the traffic flowing through the VLAN is classified and processed only in the associated partition.

Dedicated VLAN admin partition

To implement a dedicated VLAN for a particular partition, do the following.

  1. Add a VLAN (V1).
  2. Bind a network interface to the VLAN as a tagged network interface.
  3. Create a partition (P1).
  4. Bind the partition (P1) to the dedicated VLAN (V1).

Configure the following by using the CLI

  • Create a VLAN

    add vlan <id>

Example

    add vlan 100
  • Bind a VLAN

    bind vlan <id> -ifnum <interface> -tagged

Example

    bind vlan 100 -ifnum 1/8 -tagged
  • Create a partition

    add ns partition <partition name> [-maxBandwidth <positive_integer>] [-maxConn <positive_integer>] [-maxMemLimit <positive_integer>]

Example

    add ns partition P1 -maxBandwidth 200 -maxConn 50 -maxMemLimit 90

    Done
  • Bind a partition to a VLAN

    bind ns partition <partition-id> -vlan <id>

Example

    bind ns partition P1 -vlan 100

Configure a dedicated VLAN by using the NetScaler GUI

  1. Navigate to Configuration > System > Network > VLANs and click Add to create a VLAN.
  2. On the Create VLAN page, set the following parameters:

    • VLAN ID
    • Alias Name
    • Maximum Transmission Unit
    • Dynamic Routing
    • IPv6 Dynamic Routing
    • Partitions Sharing
  3. In the Interface Bindings section, select one or more interfaces and bind them to the VLAN.
  4. In the IP Bindings section, select one or more IP addresses and bind to the VLAN.
  5. Click OK and Done.

Shared VLAN

In a shared VLAN configuration, each partition has its own MAC address, and traffic received on the shared VLAN is classified by MAC address. Only a Layer 3 VLAN is recommended, because it can restrict the subnet traffic. A partition MAC address is applicable and important only in a shared VLAN deployment.

The following diagram shows how a VLAN (VLAN 10) is shared across two partitions.

Shared VLAN admin partition

To deploy a shared VLAN configuration, do the following:

  1. Create a VLAN with the sharing option ‘enabled’, or enable the sharing option on an existing VLAN. By default, the option is ‘disabled’.
  2. Bind the partition interface to the shared VLAN.
  3. Create the partitions, each with its own partition MAC address.
  4. Bind the partitions to the shared VLAN.

Configure a shared VLAN by using the CLI

At the command prompt, type one of the following commands to add a VLAN or to set the sharing parameter of an existing VLAN:

add vlan <id> [-sharing (ENABLED | DISABLED)]

set vlan <id> [-sharing (ENABLED | DISABLED)]

Example

add vlan 100 -sharing ENABLED

set vlan 100 -sharing ENABLED

Bind a partition to a Shared VLAN by using the CLI

At the command prompt, type:

bind ns partition <partition-id> -vlan <id>

Example

bind ns partition P1 -vlan 100

To create a partition with its partition MAC address in one command:

add ns partition P1 -maxBandwidth 200 -maxConn 50 -maxMemLimit 90 -partitionMAC <mac_addr>

Done

Configure a Partition MAC Address by using the CLI

set ns partition <partition name> [-partitionMAC <mac_addr>]

set ns partition P1 -partitionMAC 22:33:44:55:66:77

Bind partitions to a shared VLAN by using the CLI

bind ns partition <partition-id> -vlan <id>

Example

bind ns partition P1 -vlan 100

bind ns partition P2 -vlan 100

bind ns partition P3 -vlan 100

bind ns partition P4 -vlan 100

Configure Shared VLAN by using the NetScaler GUI

  1. Navigate to Configuration > System > Network > VLANs and then select a VLAN profile and click Edit to set the partition sharing parameter.

  2. On the Create VLAN page, select the Partitions Sharing check box.

  3. Click OK and then Done.

Shared VLAN in a partitioned deployment on a NetScaler SDX appliance

Log on to a Storage Virtualization Manager (SVM) appliance and assign each partition’s MAC (VMAC) to a NetScaler VPX appliance.

  • Maximum memory limit. Must be configured as the memory that each admin partition requires. Make sure that you set an appropriate value when creating the partition.

    After an admin partition is created, its memory limit cannot be decreased. It can, however, be increased when required, more specifically when execution fails because of insufficient memory in a partition. This is possible only if sufficient memory is available in the default partition.

Note

From NetScaler 11.0 build 64.x onwards, you can set the memory limit to a minimum of 5 MB when creating the admin partition. This can be useful for lighter deployments of the NetScaler appliance.

  • Maximum bandwidth. The maximum bandwidth that an admin partition can use. This value must be within the appliance’s licensed throughput; otherwise, in effect, you are NOT limiting the bandwidth used by the admin partition.

    Configure it to account for the bandwidth that the application requires. If the application bandwidth exceeds the configured value, packets are dropped. The limit covers both incoming and outgoing packets. The maximum bandwidth can be increased or decreased when required.

Note

  • The default value is 10240 kbps, minimum value is 0, and maximum value is 4294967295 kbps.
  • Setting this parameter to its minimum value (0) means that you are not assigning any bandwidth to the partition. Traffic received for this partition is dropped.
  • This is not the guaranteed bandwidth available to the admin partition. After a partition is configured with a maximum bandwidth value, the actual bandwidth assigned depends on the appliance’s licensed throughput.
  • Maximum number of connections. Must be configured to account for the maximum number of simultaneous flows expected within a partition. The limit applies only to client-side TCP connections, not to back-end server-side TCP connections. New connections cannot be established beyond this configured value.

    The maximum number of connections can be increased or decreased when required.

Note

  • When the bandwidth or the number of connections crosses the threshold value, and SNMP is configured, traps are sent with the relevant information.

  • After creating a partition, inform the users that the NetScaler configurations they perform will be isolated from users who are not members of the partition.

  • Make sure the relevant users, command policies, VLANs, and bridge groups are available on the NetScaler appliance.

  • For deployments with a large NetScaler configuration and a large volume of traffic, Citrix recommends that you increase the default values for the maximum memory limit, maximum bandwidth, and maximum number of connections.

  • Shared VLAN in a partitioned appliance does not support the dynamic routing protocol.

Configure shared VLAN by using the NetScaler CLI

  • Create a partition and configure the NetScaler resources for that partition.

    add ns partition <partitionName> [-maxBandwidth <positive_integer>] [-maxConn <positive_integer>] [-maxMemLimit <positive_integer>]

Note

Check the rate limiting content provided for tips to update the maximum memory limit, maximum bandwidth, and maximum number of connections.

  • Associate the appropriate users with the partition.

    bind system user <name> -partitionName <string>

  • Specify the level of authorization for each user by associating one of the following command policies: partition-operator, partition-read-only, partition-network, and partition-admin.

    bind system user <name> <policyName> <priority>

  • Configure the VLAN through which traffic for this partition must be routed. You can use bridge groups instead of VLANs to route the traffic.

    • Add the VLAN and bind the required interfaces to it.

       -  add vlan <id>
       -  bind vlan <id> -ifnum <interface>
      

      Note

      When a VLAN is bound to an admin partition, its IP address bindings are lost. To make sure that the VLAN continues to have the IP address, create the IP address on the admin partition and then bind it to that VLAN.

    OR

    • Add the bridge group and bind the required VLANs to it.

       -  add bridgegroup <id>
       -  bind bridgegroup <id> -vlan <id>
      
  • Bind the VLAN or bridge group to the partition.

     bind ns partition <partitionName> -vlan <positive_integer>
    

    OR

     bind ns partition <partitionName> -bridgegroup <positive_integer>
    

    Note

    Use the show vlan or the show bridgegroup command to view the partitions associated with that VLAN or bridge group.

  • Verify the configurations of the partition.

     show ns partition <partitionName>
    

    Note

    You can also use the stat ns partition command to view partition configurations.

  • Save the configuration.

     save ns config
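As an added example (not Citrix or NetScaler code), the following Python checker encodes the binding rules this page states (only tagged VLANs bind to a partition, an untagged VLAN must first be made shared, a dedicated VLAN belongs to exactly one partition, a partition on a shared VLAN needs a partition MAC, and a maximum bandwidth of 0 drops all traffic) and then emits the CLI sequence of the procedure above in the page's order. All VLAN ids, interface names and partition names passed to it are constructed by the caller, and it assumes every VLAN a partition references has been created in the default partition.

```python
from dataclasses import dataclass

@dataclass
class Vlan:
    vid: int
    interfaces: list        # e.g. ["1/8"]; constructed sample values
    tagged: bool = True     # bind vlan <id> -ifnum <if> -tagged
    sharing: bool = False   # add/set vlan <id> -sharing ENABLED

@dataclass
class Partition:
    name: str
    vlans: list             # ids for "bind ns partition <name> -vlan <id>"
    max_bandwidth: int = 10240  # kbps; the default the page states
    max_conn: int = 1024
    max_mem_limit: int = 10     # MB
    partition_mac: str = ""     # required only on a shared VLAN

def lint(vlans, partitions):
    """Violations of the page's binding rules; an empty list means the plan is consistent."""
    by_id = {v.vid: v for v in vlans}
    bound_to = {v.vid: [] for v in vlans}   # vid -> partitions bound to it
    errors = []
    for p in partitions:
        if p.max_bandwidth == 0:
            errors.append(f"{p.name}: maxBandwidth 0 means all traffic for the partition is dropped")
        for vid in p.vlans:
            v = by_id[vid]   # assumes every referenced VLAN exists in the default partition
            bound_to[vid].append(p.name)
            if not v.tagged and not v.sharing:
                errors.append(f"{p.name}: untagged VLAN {vid} must be set -sharing ENABLED first")
            if v.sharing and not p.partition_mac:
                errors.append(f"{p.name}: shared VLAN {vid} requires a -partitionMAC")
    for v in vlans:
        if not v.sharing and len(bound_to[v.vid]) > 1:
            errors.append(f"VLAN {v.vid}: dedicated VLAN bound to {bound_to[v.vid]}")
    return errors

def emit_cli(vlans, partitions):
    """CLI sequence in the page's order: VLANs, interface bindings, partitions, VLAN bindings."""
    cmds = []
    for v in vlans:
        cmds.append(f"add vlan {v.vid}" + (" -sharing ENABLED" if v.sharing else ""))
        cmds += [f"bind vlan {v.vid} -ifnum {i}" + (" -tagged" if v.tagged else "") for i in v.interfaces]
    for p in partitions:
        cmd = f"add ns partition {p.name} -maxBandwidth {p.max_bandwidth} -maxConn {p.max_conn} -maxMemLimit {p.max_mem_limit}"
        cmds.append(cmd + (f" -partitionMAC {p.partition_mac}" if p.partition_mac else ""))
        cmds += [f"bind ns partition {p.name} -vlan {vid}" for vid in p.vlans]
    return cmds + ["save ns config"]
```

Run lint() on the planned VLANs and partitions first; only when it returns an empty list does emit_cli() produce a sequence that the rules above allow you to paste into the default partition's CLI.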
    

Configure Shared VLAN by using the NetScaler GUI

  • Navigate to System > Partition Administration, click Add, and do the following:

    • Create and configure the resources for the admin partition.

    • Specify the VLANs or bridge groups to associate with partition.

    • Associate users with the partition.

      Note

      Make sure that the users you bind are not yet associated with partition-type command policies.

  • Navigate to System > User Administration, and bind the appropriate command policy to the partition user. The command policy must be one of the partition-specific command policies (partition-operator, partition-read-only, partition-network, or partition-admin); the choice depends on the level of authorization you intend the user to have.

  • Save the configuration.
