
Partitioning a NetScaler

Nov 20, 2017

Important

  • Only superusers are authorized to create and configure admin partitions.
  • Unless specified otherwise, configurations to set up an admin partition must be done from the default partition.

By partitioning a NetScaler appliance, you are in effect creating multiple instances of a single NetScaler appliance. Each instance has its own configuration, and the traffic of each partition is isolated from the others by assigning each partition a dedicated VLAN or a shared VLAN.

A partitioned NetScaler has one default partition and the admin partitions that are created. To set up an admin partition, you must first create a partition with the relevant resources (memory, maximum bandwidth, and connections). Then, specify the users that can access the partition and the level of authorization for each of the users on the partition.

Partition Resource Limiting

In a partitioned NetScaler appliance, a network administrator can create a partition whose resources (memory, bandwidth, and connection limit) are configured as unlimited. This is done by specifying zero as the resource value; zero means the resource is unlimited on the partition and can be consumed up to the system limits. Unlimited resource configuration is useful when you migrate a traffic domain deployment to an administrative partition, or when you do not yet know the resource allocation limits a partition needs in a given deployment.

Resource limit for an administrative partition is as follows:

1.  Partition memory. This is the maximum allocated memory for a partition. You must make sure to specify the values when creating a partition.

Note: From NetScaler 12.0 onwards, when you create a partition you can set the memory limit to zero, and if a partition was already created with a specific memory limit, you can reduce the limit to any value or set it to zero.

Parameter: maxMemLimit

Maximum memory is allocated in megabytes in a partition. A zero value indicates the memory is unlimited on the partition and it can consume up to the system limits.

Default value: 10

2.  Partition bandwidth. Maximum allocated bandwidth for a partition. If you specify a limit, make sure it is within the appliance’s licensed throughput. Otherwise, you are not limiting the bandwidth that can be used by the partition. The specified limit is accountable for the bandwidth that the application requires. If the application bandwidth exceeds the specified limit, packets are dropped.

Note: From NetScaler 12.0 onwards, when you create a partition you can set the bandwidth limit to zero, and if a partition was already created with a specific bandwidth, you can reduce the bandwidth or set the limit to zero.

Parameter: maxBandwidth

Maximum bandwidth is allocated in Kbps in a partition. A zero value indicates the bandwidth is unrestricted. That is, the partition can consume up to the system limits.

Default value: 10240

Maximum Value: 4294967295

3. Partition connection. Maximum number of concurrent connections that can be open in a partition. The value must accommodate the maximum number of simultaneous flows expected within the partition. Partition connections are accounted against the partition's quota memory; previously they were accounted against the default partition's quota memory. The limit applies only to client-side TCP connections, not to back-end server-side connections. New connections cannot be established beyond the configured value.

Note: From NetScaler 12.0 onwards, you can create a partition with number of open connections set to Zero or if you have already created a partition with a specific number of open connections, you can reduce the connection limit or set the limit as Zero.

Parameter: maxConnections

Maximum number of concurrent connections that can be open in the partition. A zero value indicates no limit on number of open connections. 

Default value: 1024

Minimum value: 0

Maximum Value: 4294967295
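
The following script is an added example (not Citrix code) that checks a planned set of partition limits against the defaults, units and ranges documented above before the add ns partition command is run. It flags the two situations the text warns about: a zero value, which is no limit at all, and a bandwidth limit above the licensed throughput, which does not actually bound the partition. The licensed throughput is an assumed input read from your licence; the sample values are the page's own example (200 Kbps, 50 connections, 90 MB).

```python
"""Sanity-check admin-partition resource limits before issuing `add ns partition`.

Added example; this is not Citrix code. Defaults, units and ranges are the ones
documented above (maxMemLimit in MB, maxBandwidth in Kbps, maxConnections;
zero = unlimited up to system limits). The licensed throughput is an assumed
input taken from the appliance licence, not a value the documentation prescribes.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

UINT32_MAX = 4294967295  # documented maximum for maxBandwidth and maxConnections

# Documented default values (applied when a parameter is omitted)
DEFAULT_MAX_MEM_MB = 10
DEFAULT_MAX_BANDWIDTH_KBPS = 10240
DEFAULT_MAX_CONNECTIONS = 1024


@dataclass
class PartitionLimits:
    name: str
    max_mem_mb: int = DEFAULT_MAX_MEM_MB
    max_bandwidth_kbps: int = DEFAULT_MAX_BANDWIDTH_KBPS
    max_connections: int = DEFAULT_MAX_CONNECTIONS


def check_limits(p: PartitionLimits,
                 licensed_kbps: Optional[int] = None) -> Dict[str, List[str]]:
    """Return {"errors": [...], "warnings": [...]}.

    errors   - values outside the documented range (negative or above the maximum)
    warnings - values that are valid but do not actually bound the partition
    """
    errors: List[str] = []
    warnings: List[str] = []
    params = (
        ("maxMemLimit", p.max_mem_mb, None),
        ("maxBandwidth", p.max_bandwidth_kbps, UINT32_MAX),
        ("maxConnections", p.max_connections, UINT32_MAX),
    )
    for label, value, upper in params:
        if value < 0:
            errors.append(f"{label}: {value} is negative; use 0 for unlimited")
        elif upper is not None and value > upper:
            errors.append(f"{label}: {value} exceeds the documented maximum {upper}")
        elif value == 0:
            # Allowed from NetScaler 12.0 onwards, but it is no limit at all.
            warnings.append(f"{label}: 0 means unlimited; the partition may consume "
                            "the resource up to the system limit")
    # A bandwidth limit above the licensed throughput does not limit anything.
    if (licensed_kbps is not None and p.max_bandwidth_kbps > 0
            and p.max_bandwidth_kbps > licensed_kbps):
        warnings.append(f"maxBandwidth: {p.max_bandwidth_kbps} Kbps is above the licensed "
                        f"throughput of {licensed_kbps} Kbps, so it is not an effective limit")
    return {"errors": errors, "warnings": warnings}


def add_partition_command(p: PartitionLimits) -> str:
    """Render the documented `add ns partition` command for these limits."""
    return (f"add ns partition {p.name} -maxBandwidth {p.max_bandwidth_kbps} "
            f"-maxConn {p.max_connections} -maxMemLimit {p.max_mem_mb}")


if __name__ == "__main__":
    # Constructed sample: the page's example values, checked against an assumed 100 Mbps licence
    p1 = PartitionLimits("P1", max_mem_mb=90, max_bandwidth_kbps=200, max_connections=50)
    print(add_partition_command(p1))
    print(check_limits(p1, licensed_kbps=100_000))
```

Run the check once per planned partition and only paste the rendered command into the CLI when the errors list is empty; treat a warning as a prompt to decide deliberately whether an unlimited partition is acceptable on that appliance.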

VLAN Configuration

VLANs can be bound to a partition as a “Dedicated” VLAN or a “Shared” VLAN. Based on your deployment, you can bind a VLAN to a partition to isolate its network traffic from other partitions.

Dedicated VLAN – A VLAN bound to only one partition, with the “Sharing” option disabled; it must be a tagged VLAN. For example, in a client-server deployment, a system administrator creates a dedicated VLAN for each partition on the server side for security reasons.

Shared VLAN – A VLAN bound to (shared across) multiple partitions, with the “Sharing” option enabled. For example, in a client-server deployment, if the system administrator does not control the client-side network, a single VLAN is created and shared across multiple partitions.

A shared VLAN can be used across multiple partitions. Once created, it can be bound to one or more administrative partitions. By default, a shared VLAN is bound to the default partition; it cannot be bound to the default partition explicitly. For example, you can create partition 1 and partition 2 and then configure a VLAN as shared between the default partition and partition 1, or between partition 1 and partition 2.

Note: If a NetScaler virtual appliance is deployed on an ESX platform, you must enable promiscuous mode for shared VLANs used with partitions. If the traffic instead flows through a dedicated VLAN, you must enable the VLAN in the port group properties of the virtual switch.

Important

Citrix recommends that you bind a dedicated or shared VLAN to multiple partitions. You can bind only a tagged VLAN to a partition. If there are untagged VLANs, you must enable them as “Shared” VLANs and then bind them to other partitions. This ensures that you control the control-plane packets (for example, LACP, LLDP, and xSTP packets) handled in the default partition. If you have already bound an untagged VLAN to a partition in 11.0, see “Deployment procedure for upgrading a sharable VLAN to NetScaler 11.1 software”.

VLAN Implementation

In a partitioned (multi-tenant) NetScaler appliance, a system administrator can isolate the traffic flowing to a particular partition or partitions by binding one or more VLANs to each partition. A VLAN can be dedicated to one partition or shared across multiple partitions.

Dedicated VLANs

To isolate the traffic flowing into a partition, create a VLAN and associate it with the partition.  The VLAN is then visible only to the associated partition, and the traffic flowing through the VLAN is classified and processed only in the associated partition. 


To implement a dedicated VLAN for a particular partition, do the following.

  1. Add a VLAN (V1).
  2. Bind a network interface to VLAN as a tagged network interface.
  3. Create a partition (P1).
  4. Bind partition (P1) to the dedicated VLAN (V1).

To add a VLAN by using the command line interface

At the command prompt, type:

Adding a VLAN

add vlan <id>

Example

add vlan V1

To bind a VLAN by using the command line interface

At the command prompt, type:

Binding a VLAN

bind vlan <id> -ifnum <interface> -tagged

Example

bind vlan V1 -ifnum 1/8 -tagged

To create a partition by using the command line interface

At the command prompt, type:

Creating a Partition

add ns partition <partition name> [-maxBandwidth <positive_integer>] [-maxConn <positive_integer>] [-maxMemLimit <positive_integer>]

Example

add ns partition P1 -maxBandwidth 200 -maxConn 50 -maxMemLimit 90

Done

To bind a partition to a VLAN by using the command line interface

At the command prompt, type:

Binding a Partition

bind partition <partition-id> -vlan <vlan>

Example

bind partition P1 -vlan V1

To configure a dedicated VLAN by using the NetScaler GUI

  1. Navigate to Configuration > System > Network > VLANs and click Add to create a VLAN.
  2. On the Create VLAN page, set the following parameters:
    1. VLAN ID
    2. Alias Name
    3. Maximum Transmission Unit
    4. Dynamic Routing
    5. IPv6 Dynamic Routing
    6. Partitions Sharing
  3. In the Interface Bindings section, select one or more interfaces and bind it to the VLAN.
  4. In the IP Bindings section, select one or more IP addresses and bind to the VLAN.
  5. Click OK and Done.

Shared VLANs

In a shared VLAN configuration, each partition has its own MAC address, and traffic received on the shared VLAN is classified by MAC address. Only a Layer 3 VLAN is recommended, because it can restrict traffic to the subnet. A partition MAC address is applicable and important only in a shared VLAN deployment.

Note: Shared VLAN in a partitioned appliance does not support dynamic routing protocol. 

The following diagram shows how a VLAN (VLAN 10) is shared across two partitions. 


To deploy a shared VLAN configuration, do the following:

  1. Create a VLAN with the sharing option ‘enabled’, or enable the sharing option on an existing VLAN. By default, the option is ‘disabled’.
  2. Bind the partition interface to the shared VLAN.
  3. Create the partitions, each with its own PartitionMAC address.
  4. Bind the partitions to the shared VLAN.

To configure a shared VLAN by using the command line interface

At the command prompt, type one of the following commands to add a new VLAN or set the sharing parameter of an existing VLAN:

Configuring a Shared VLAN

add vlan <id> [-sharing (ENABLED | DISABLED)]

set vlan <id> [-sharing (ENABLED | DISABLED)]

Examples

add vlan V1 -sharing ENABLED

set vlan V1 -sharing ENABLED

To bind a partition to a Shared VLAN by using the command line interface

At the command prompt, type:

Binding a Partition

bind partition <partition-id> -vlan <id>

Example

bind partition P1 -vlan 

To create a shared partition by using the command line interface

At the command prompt, type:

Creating a Shared Partition

add ns partition <partition name> [-maxBandwidth <positive_integer>] [-maxConn <positive_integer>] [-maxMemLimit <positive_integer>] -partitionMAC <mac_addr>

Example

add ns partition P1 -maxBandwidth 200 -maxConn 50 -maxMemLimit 90 -partitionMAC <mac_addr>

Done

To configure an existing partition as a shared partition by using the command line interface

At the command prompt, type:

Configuring an Existing Partition

set ns partition <partition name> [-partitionMAC <mac_addr>]

Example

set ns partition P1 -partitionMAC 22:33:44:55:66:77

To bind partitions to a shared VLAN by using the command line interface

At the command prompt, type:

bind partition <partition-id> -vlan <id>

bind partition <partition-id> -vlan <id>

Example

bind partition P1 -vlan V1

bind partition P2 -vlan V1

bind partition P3 -vlan V2

bind partition P4 -vlan V1

To configure Shared VLAN by using the NetScaler GUI

  1. Navigate to Configuration > System > Network > VLANs and then select a VLAN profile and click Edit to set the partition sharing parameter.
  2. On the Create VLAN page, select the Partitions Sharing checkbox.
  3. Click OK and then Done.
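
The script below is an added example (not Citrix code) that ties the dedicated-VLAN and shared-VLAN procedures above together: it takes a plan of VLANs and partitions, checks it against the rules the page states (a VLAN bound to more than one partition must have sharing ENABLED, a dedicated VLAN must be tagged, an untagged VLAN can only be bound as a shared VLAN, and every partition on a shared VLAN needs its own distinct partitionMAC because traffic on a shared VLAN is classified by MAC), and then renders the CLI batch in the order the page uses. The VLAN ids, interface names and MAC addresses are constructed sample values.

```python
"""Validate a partition/VLAN plan against the documented VLAN rules and render
the NetScaler CLI commands for it.

Added example; not Citrix code. All ids, interface names and MACs are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Vlan:
    vid: int
    interfaces: List[str] = field(default_factory=list)
    tagged: bool = True
    sharing: bool = False


@dataclass
class Partition:
    name: str
    vlans: List[int] = field(default_factory=list)
    partition_mac: str = ""   # only needed when bound to a shared VLAN


def validate(vlans: Dict[int, Vlan], partitions: List[Partition]) -> List[str]:
    """Return a list of rule violations; an empty list means the plan is consistent."""
    problems: List[str] = []
    bound_to: Dict[int, List[str]] = {}
    for p in partitions:
        for vid in p.vlans:
            if vid not in vlans:
                problems.append(f"{p.name}: VLAN {vid} is not defined")
            else:
                bound_to.setdefault(vid, []).append(p.name)

    for vid, names in bound_to.items():
        v = vlans[vid]
        # A VLAN used by several partitions must be a shared VLAN.
        if len(names) > 1 and not v.sharing:
            problems.append(f"VLAN {vid}: bound to {names} but sharing is DISABLED")
        # Only a tagged VLAN can be bound as a dedicated VLAN.
        if not v.tagged and not v.sharing:
            problems.append(f"VLAN {vid}: untagged; only a tagged VLAN can be bound "
                            "as a dedicated VLAN (enable sharing instead)")

    seen_macs: Dict[str, str] = {}
    for p in partitions:
        on_shared = any(vlans[vid].sharing for vid in p.vlans if vid in vlans)
        mac = p.partition_mac.lower()
        if on_shared and not mac:
            problems.append(f"{p.name}: bound to a shared VLAN but has no partitionMAC")
        if mac:
            # Shared-VLAN traffic is classified by MAC, so two partitions must not collide.
            if mac in seen_macs:
                problems.append(f"{p.name}: partitionMAC {mac} is already used by {seen_macs[mac]}")
            seen_macs[mac] = p.name
    return problems


def render(vlans: Dict[int, Vlan], partitions: List[Partition]) -> List[str]:
    """Render the documented commands: VLANs first, then partitions and their bindings."""
    cmds: List[str] = []
    for v in vlans.values():
        cmds.append(f"add vlan {v.vid} -sharing {'ENABLED' if v.sharing else 'DISABLED'}")
        for ifnum in v.interfaces:
            cmds.append(f"bind vlan {v.vid} -ifnum {ifnum}" + (" -tagged" if v.tagged else ""))
    for p in partitions:
        add = f"add ns partition {p.name}"
        if p.partition_mac:
            add += f" -partitionMAC {p.partition_mac}"
        cmds.append(add)
        cmds.extend(f"bind partition {p.name} -vlan {vid}" for vid in p.vlans)
    return cmds


def sample_plan():
    """Constructed plan: VLAN 100 dedicated to P1 (server side), VLAN 200 shared by P1 and P2."""
    vlans = {
        100: Vlan(100, interfaces=["1/8"], tagged=True, sharing=False),
        200: Vlan(200, interfaces=["1/1"], tagged=True, sharing=True),
    }
    partitions = [
        Partition("P1", vlans=[100, 200], partition_mac="02:00:00:00:00:01"),
        Partition("P2", vlans=[200], partition_mac="02:00:00:00:00:02"),
    ]
    return vlans, partitions


if __name__ == "__main__":
    vlans, parts = sample_plan()
    problems = validate(vlans, parts)
    print("\n".join(problems or render(vlans, parts)))
```

The rendered lines use the bind partition spelling from the examples above; the step-by-step procedure later on this page writes the same binding as bind ns partition, and the resource limits are left at their defaults here so the example stays focused on the VLAN rules.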

VXLAN Configuration

In a partitioned NetScaler appliance, you configure a VXLAN in the default partition, just as you configure a VLAN. After configuring a VXLAN, you can bind it to an administrative partition; alternatively, if the VXLAN extends a VLAN that is already bound to a partition, the appliance binds the VXLAN to that partition because they are in the same broadcast domain. The same applies in reverse: unbinding the VLAN also unbinds the VXLAN from the partition.

For more information about how VXLAN works in a NetScaler appliance, see http://docs.citrix.com/en-us/netscaler/11/networking/vxlans.html.

Also, for more information on how VLAN works in a partitioned NetScaler appliance, see http://docs.citrix.com/en-us/netscaler/11-1/admin-partition/admin-partition-setup.html.

Points to Remember before Configuring a VXLAN

Remember the following points before you configure a VXLAN in a partitioned NetScaler appliance:

  • When you extend a VLAN over VXLAN, make sure VLAN is bound to the partition.
  • Only a partition administrator must configure the IP addresses and dynamic routing for the VXLAN in the administrative partition.

A shared VXLAN is not supported in a partitioned appliance. Consequently, a VXLAN cannot be tagged to a shared VLAN, and you cannot make a VLAN shared while it is tagged to a VXLAN.

Supportable VXLAN Configurations

Following are the supportable VXLAN configurations.

Case 1: Extending VLAN over a VXLAN in the same broadcast domain

Follow the steps given below to extend a VLAN over a VXLAN and vice versa within the same broadcast domain:

1. Add a VLAN in the default partition

add vlan <id>

2. Extend VLAN over a VXLAN within the same broadcast domain.

add vxlan <vxlan id> -vlan <id>

3. Configure a peer VTEP to carry all BUM (broadcast, unknown unicast, and multicast) traffic. Note: the VTEP address can be a multicast address.

add bridgetable -mac <mac_addr> -vxlan <positive_integer> -vtep <ip_addr> [-vni <positive_integer>] [-deviceVlan <positive_integer>]

4. Bind IP addresses to VXLAN.

bind vxlan <id> [-srcIP <ip_addr>] [-IPAddress <ip_addr|ipv6_addr|*> [<netmask>]]

5. Bind VLAN to an administrative partition. 

bind partition <partition-id> -vxlan <id>

Example

add vlan 3000

add vxlan 3000 -vlan 10

add bridgetable -mac 00:00:00:00:00:00 -vxlan 3000 -vtep 10.102.58.8 -vni 11

bind vxlan 3000 -srcIP 10.102.101.15

bind partition p1 -vlan 10

Case 2: Binding a VXLAN to a partition

Follow the steps given below to bind a VXLAN to an administrative partition.

1. Add a VXLAN in the default partition.

add vxlan <id> [-vlan <positive_integer>] [-port <port>]

2. Configure bridge table and vxlan settings in the partition. 

add bridgetable -mac <mac_addr> -vxlan <positive_integer> -vtep <ip_addr> [-vni <positive_integer>] [-deviceVlan <positive_integer>]

3. Bind partition to VXLAN. 

bind partition <partition-id> -vxlan <id> [-vlan <positive_integer>] [-port <port>]

Example

add vxlan 3000

add bridgetable -mac 00:00:00:00:00:00 -vxlan 3000 -vtep 10.102.58.8

bind partition p1 -vxlan 3000

Case 3: Setting VXLAN and VLAN (bound to a partition) in the same broadcast domain

Follow the steps given below to set VXLAN and VLAN in the same broadcast domain.

1. Add a VLAN in the default partition.

add vlan <id>

2. Bind VLAN to a specific partition.

bind partition <partition-id> -vxlan <id> [-vlan <positive_integer>] [-port <port>]

3. Add a VXLAN to the default partition.

add vxlan <id> [-vlan <positive_integer>] [-port <port>]

4. Configure the bridge table and vxlan settings in the partition.

add bridgetable -mac <mac_addr> -vxlan <positive_integer> -vtep <ip_addr> [-vni <positive_integer>] [-deviceVlan <positive_integer>]

Example

add vlan 3000

bind partition p1 -vlan 3000

add vxlan 3000

add bridgetable -mac 00:00:00:00:00:00 -vxlan 3000 -vtep 10.102.58.8

Case 4: Configure Multicast tunnel for a VXLAN

1. Add a VXLAN to the default partition.

add vxlan <id> [-vlan <positive_integer>] [-port <port>]

2. Configure the bridge table and VXLAN settings in the default partition for the multicast tunnel. Note: the VTEP address can be a multicast address.

add bridgetable -mac <mac_addr> -vxlan <positive_integer> -vtep <ip_addr> [-vni <positive_integer>] [-deviceVlan <positive_integer>]

3. Bind VXLAN to a partition.

bind partition <partition-id> -vxlan <id> [-vlan <positive_integer>] [-port <port>]

Example

add vxlan 3000

add bridgetable -mac 00:00:00:00:00:00 -vxlan 3000 -vtep 225.0.0.2 -deviceVlan 30

bind partition p1 -vxlan 3000
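
The following is an added example (not Citrix code) that renders the four VXLAN cases above from one function and refuses the two combinations the "Points to Remember" section rules out: extending a VLAN that is not yet bound to the partition, and tagging a VXLAN to a shared VLAN. It also distinguishes a unicast peer VTEP (Cases 1 to 3) from a multicast group (Case 4) using the standard ipaddress module, and adds the -deviceVlan parameter only when one is supplied. The ids and addresses are the constructed values used in the page's own examples; the function and parameter names are this example's.

```python
"""Render the documented VXLAN-in-a-partition command sequences with the page's rules enforced.

Added example; not Citrix code. Ids and addresses are constructed sample values.
"""
import ipaddress
from typing import List, Optional

BUM_MAC = "00:00:00:00:00:00"   # all-zero MAC: the bridge entry that carries BUM traffic


def is_multicast_vtep(vtep: str) -> bool:
    """True when the VTEP is a multicast group (Case 4), False for a unicast peer."""
    return ipaddress.ip_address(vtep).is_multicast


def vxlan_commands(vxlan_id: int, partition: str, vtep: str,
                   vlan_id: Optional[int] = None, vlan_bound: bool = False,
                   vlan_shared: bool = False, vni: Optional[int] = None,
                   device_vlan: Optional[int] = None,
                   src_ip: Optional[str] = None) -> List[str]:
    """Return the CLI sequence, or raise ValueError when the plan breaks a documented rule.

    vlan_id     - VLAN the VXLAN extends (Cases 1 and 3); None binds the VXLAN directly (Cases 2 and 4)
    vlan_bound  - whether that VLAN is already bound to `partition`
    vlan_shared - whether that VLAN has -sharing ENABLED
    src_ip      - optional source IP for `bind vxlan -srcIP` (Case 1)
    """
    if vlan_id is not None:
        if vlan_shared:
            raise ValueError(f"VLAN {vlan_id} is shared; a VXLAN cannot be tagged to a shared VLAN")
        if not vlan_bound:
            raise ValueError(f"bind VLAN {vlan_id} to partition {partition} "
                             f"before extending it over VXLAN {vxlan_id}")

    cmds: List[str] = []
    if vlan_id is None:
        cmds.append(f"add vxlan {vxlan_id}")
    else:
        cmds.append(f"add vxlan {vxlan_id} -vlan {vlan_id}")

    # BUM traffic goes to the configured VTEP; it may be a unicast peer or a multicast group.
    bridge = f"add bridgetable -mac {BUM_MAC} -vxlan {vxlan_id} -vtep {vtep}"
    if vni is not None:
        bridge += f" -vni {vni}"
    if device_vlan is not None:
        bridge += f" -deviceVlan {device_vlan}"
    cmds.append(bridge)

    if src_ip is not None:
        cmds.append(f"bind vxlan {vxlan_id} -srcIP {src_ip}")

    if vlan_id is None:
        # Cases 2 and 4: bind the VXLAN itself to the partition.
        cmds.append(f"bind partition {partition} -vxlan {vxlan_id}")
    # Cases 1 and 3: the VXLAN follows the VLAN's binding (same broadcast domain), nothing more to bind.
    return cmds


if __name__ == "__main__":
    # Case 1 with the page's sample values, then Case 4 with a multicast VTEP
    print("\n".join(vxlan_commands(3000, "p1", "10.102.58.8", vlan_id=10, vlan_bound=True,
                                   vni=11, src_ip="10.102.101.15")))
    print("\n".join(vxlan_commands(3000, "p1", "225.0.0.2", device_vlan=30)))
```

Because the function raises before emitting anything, a plan that would silently produce an unbound VXLAN or a shared-VLAN VXLAN never reaches the CLI; run the output as a batch only after the sequence has been reviewed.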

Configuration Steps

Configuring a VXLAN on a partitioned appliance consists of the following tasks.

  1. Adding or Removing a VXLAN
  2. Setting Ports for a VXLAN
  3. Binding a VXLAN to a Partition

Configuring by using the command line interface

To create a VXLAN by using the command line interface

At the command prompt, type:

add vxlan <id> [-vlan <positive_integer>] [-port <port>]

show vxlan <id>

To set ports for VXLAN by using the command line interface

At the command prompt, type:

add vxlan 12345 -port 1234

To bind VXLAN to a partition by using the command line interface

At the command prompt, type:

bind partition p1 -vxlan 12345

Note

In a partitioned NetScaler appliance, Virtual Router Redundancy Protocol (VRRP) is supported on non-shared VLANs only. This protocol is blocked on a shared VLAN (tagged or untagged) bound to a default or any administrative partition.

To understand how VRRP works in an active-active configuration, see http://docs.citrix.com/en-us/netscaler/11-1/networking/interfaces/active-active-mode-using-vrrp.html.

Supporting VMACs on an SDX Platform

For shared VLAN to work in a partitioned deployment on a NetScaler SDX platform, you must log on to a Storage Virtualization Manager (SVM) appliance and assign each partition's MAC (VMAC) to a NetScaler VPX appliance.

To partition a NetScaler by using the command line interface

On the command prompt, do the following:

  1. Create a partition and configure the NetScaler resources for that partition.

    add ns partition <partitionName> [-maxBandwidth <positive_integer>] [-maxConn <positive_integer>] [-maxMemLimit <positive_integer>]

    Note: Check the rate limiting content provided above for tips to update the maximum memory limit, maximum bandwidth, and maximum number of connections.

  2. Associate the appropriate users with the partition.

    bind system user <name> -partitionName <string>

  3. Specify the level of authorization for each user by associating one of the following command policies: partition-operator, partition-read-only, partition-network, and partition-admin.

    bind system user <name> <policyName> <priority>

  4. Configure the VLAN through which traffic for this partition must be routed. You can use bridgegroups instead of VLANs to route the traffic.

    • Add the VLAN and bind the required interfaces to it.

      add vlan <id>

      bind vlan <id> -ifnum <interface>

      Note: When a VLAN is bound to an admin partition, its IP address bindings are lost. To make sure that the VLAN continues to have the IP address, create the IP address on the admin partition and then bind it to that VLAN.

    OR

    • Add the bridgegroup and bind the required VLANs to it.

      add bridgegroup <id>

      bind bridgegroup <id> -vlan <id>

  5. Bind the VLAN or bridgegroup to the partition.

    bind ns partition <partitionName> -vlan <positive_integer>

    OR

    bind ns partition <partitionName> -bridgegroup <positive_integer>

    Note: Use the show vlan or the show bridgegroup command to view the partitions associated with that VLAN or bridgegroup.

  6. Verify the configuration of the partition.

    show ns partition <partitionName>

    Note: You can also use the stat ns partition command to view partition statistics.

  7. Save the configuration.

    save ns config
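
The script below is an added example (not Citrix code) that renders steps 2 to 7 of the procedure above for one partition: it binds each user to the partition, gives each user exactly one of the four partition command policies the page names, binds either a VLAN or a bridgegroup (never both), and finishes with the show and save commands. It assumes the partition was already created in step 1 and that the users, VLAN or bridgegroup exist on the appliance; the user names, priorities and VLAN id are constructed. A user whose policy is not one of the partition-* policies, or a duplicate priority, is reported instead of being rendered.

```python
"""Render the user, command-policy and VLAN/bridgegroup bindings for an admin partition.

Added example; not Citrix code. Assumes the partition was created in step 1.
User names, priorities and ids are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional

# The four partition command policies named in step 3 above
PARTITION_POLICIES = ("partition-operator", "partition-read-only",
                      "partition-network", "partition-admin")


@dataclass
class PartitionUser:
    name: str
    policy: str
    priority: int


def check_users(users: List[PartitionUser]) -> List[str]:
    """Return problems: unknown policy, a user listed twice, or a duplicate priority."""
    problems: List[str] = []
    seen_names = set()
    seen_prios = set()
    for u in users:
        if u.policy not in PARTITION_POLICIES:
            problems.append(f"{u.name}: '{u.policy}' is not a partition command policy")
        if u.name in seen_names:
            problems.append(f"{u.name}: listed more than once; a user gets one partition policy")
        if u.priority in seen_prios:
            problems.append(f"{u.name}: priority {u.priority} already used")
        seen_names.add(u.name)
        seen_prios.add(u.priority)
    return problems


def partition_batch(partition: str, users: List[PartitionUser],
                    vlan: Optional[int] = None,
                    bridgegroup: Optional[int] = None) -> List[str]:
    """Commands for steps 2-7; exactly one of vlan / bridgegroup must be given."""
    if (vlan is None) == (bridgegroup is None):
        raise ValueError("bind the partition to either a VLAN or a bridgegroup, not both or neither")
    problems = check_users(users)
    if problems:
        raise ValueError("; ".join(problems))

    cmds: List[str] = []
    for u in users:
        # Step 2: associate the user with the partition; step 3: set the authorization level.
        cmds.append(f"bind system user {u.name} -partitionName {partition}")
        cmds.append(f"bind system user {u.name} {u.policy} {u.priority}")
    # Step 5: bind the VLAN or bridgegroup prepared in step 4.
    if vlan is not None:
        cmds.append(f"bind ns partition {partition} -vlan {vlan}")
    else:
        cmds.append(f"bind ns partition {partition} -bridgegroup {bridgegroup}")
    # Steps 6 and 7: verify, then persist.
    cmds += [f"show ns partition {partition}", "save ns config"]
    return cmds


if __name__ == "__main__":
    sample_users = [PartitionUser("p1-ops", "partition-operator", 100),
                    PartitionUser("p1-audit", "partition-read-only", 110)]
    print("\n".join(partition_batch("P1", sample_users, vlan=100)))
```

Keeping the policy list explicit means a typo such as superuser cannot slip into a partition user's binding unnoticed, and the read-only policy is available for auditors who need to inspect a partition's configuration without changing it.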

To partition a NetScaler by using the configuration utility

On the Configuration tab of the graphical user interface:

  1. Navigate to System > Partition Administration, click Add and do the following:
    1. Create and configure the resources for the admin partition.
    2. Specify the VLANs or bridgegroups to be associated with the partition.
    3. Associate user(s) with the partition.
      Note: Make sure you bind users who are not yet associated with partition type command policies.
  2. Navigate to System > User Administration and bind the appropriate command policy to the partition user. The command policy must be one of the partition-prefixed policies; which one depends on the level of authorization you intend the user to have.
  3. Save the configuration.

Note

  • After creating a partition, inform the users that the NetScaler configurations they perform will be isolated from users who are not members of the partition.
  • Make sure the relevant users, command policies, VLANs, and bridgegroups are available on the NetScaler appliance.
  • For deployments with a large NetScaler configuration and a large volume of traffic, Citrix advises that you increase the default values for the maximum memory limit, maximum bandwidth, and maximum number of connections.