Provisioning Citrix ADC instances
You can provision one or more Citrix ADC instances on the SDX appliance by using Management Service. The number of instances that you can install depends on the license you have purchased. If the number of instances added is equal to the number specified in the license, the Management Service does not allow provisioning more Citrix ADC instances.
To provision Citrix ADC instances on the SDX appliance:
- You need to define an admin profile to attach to the Citrix ADC instance. This profile specifies the user credentials that are used by the Management Service to provision the Citrix ADC instance and later, to communicate with the instance to retrieve configuration data. You can also use the default admin profile.
- Next, you need to upload the .xva image file to the Management Service.
- After uploading the .xva file, you can begin adding Citrix ADC instances using the Management Service. The Management Service implicitly deploys the Citrix ADC instances on the SDX appliance and then downloads configuration details of the instances.
Make sure that you modify the provisioned network interfaces or VLANs of an instance using the Management Service instead of performing the modifications directly on the instance.
Create an admin profile
Admin profiles specify the user credentials that are used by the Management Service when provisioning the Citrix ADC instances, and later when communicating with the instances to retrieve configuration data. The user credentials specified in an admin profile are also used by the client when logging on to the Citrix ADC instances through the CLI or the configuration utility.
Admin profiles also enable you to specify that the Management Service and a VPX instance should communicate with each other only over a secure channel or using HTTP.
The default admin profile for an instance specifies a user name of nsroot, and the password is also nsroot. This profile cannot be modified or deleted. However, you should override the default profile by creating a user-defined admin profile and attaching it to the instance when you provision the instance. The Management Service administrator can delete a user-defined admin profile if it is not attached to any Citrix ADC instance.
Important: Do not change the password directly on the VPX instance. If you do so, the instance becomes unreachable from the Management Service. To change a password, first create a new admin profile, and then modify the Citrix ADC instance, selecting this profile from the Admin Profile list.
To change the password of Citrix ADC instances in a high availability setup, first change the password on the instance designated as the secondary node, and then change the password on the instance designated as the primary node. Remember to change the passwords only by using the Management Service.
To create an admin profile
1. On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click Admin Profiles.
2. In the Admin Profiles pane, click Add.
3. The Create Admin Profile dialog box appears.
Set the following parameters:
- Profile Name: name of the admin profile. The default profile name is nsroot. You can create user-defined profile names.
- Password: the password used to log on to the Citrix ADC instance. Maximum length: 31 characters.
- SSH Port: set the SSH port. The default port is 22.
- Select the Use global settings for NetScaler communication check box if you want the communication between the Management Service and the Citrix ADC instance to use the setting defined in System Settings. You can clear this check box and change the protocol to HTTP or HTTPS.
- Select the http option to use the HTTP protocol for the communication between the Management Service and the Citrix ADC instance.
- Select the https option to use a secure channel for the communication between the Management Service and the Citrix ADC instance.
4. Under SNMP, select the version. If you select v2, go to step 5. If you select v3, go to step 6.
5. Under SNMP v2, add the SNMP Community name.
6. Under SNMP v3, add Security Name and Security Level.
7. Under Timeout Settings, specify the value.
8. Click Create, and then click Close. The admin profile you created appears in the Admin Profiles pane.
If the value in the Default column is true, the default profile is the admin profile. If the value is false, a user-defined profile is the admin profile.
If you do not want to use a user-defined admin profile, you can remove it from the Management Service. To remove a user-defined admin profile, in the Admin Profiles pane, select the profile you want to remove, and then click Delete.
Upload a Citrix ADC .xva image
You have to upload the Citrix ADC SDA .xva files to the SDX appliance before provisioning the Citrix ADC instances. You can also download an .xva image file to a local computer as a backup. The .xva image file format is: NSVPX-XEN-ReleaseNumber-BuildNumber_nc.xva
Note: By default, an .xva image file based on the Citrix ADC 9.3 release is available on the SDX appliance.
In the NetScaler XVA Files pane, you can view the following details:
- Name of the .xva image file. The file name contains the release and build number. For example, the file name NSVPX-XEN-9.3-25_nc.xva refers to release 9.3 build 25.
- Date when the .xva image file was last modified.
- Size, in MB, of the .xva image file.
To upload a Citrix ADC .xva file
- On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click XVA Files.
- In the NetScaler XVA Files pane, click Upload.
- In the Upload Citrix ADC instance XVA dialog box, click Browse and select the XVA image file that you want to upload.
- Click Upload. The XVA image file appears in the NetScaler XVA Files pane after it is uploaded.
To create a backup by downloading a Citrix ADC .xva file
- In the NetScaler Build Files pane, select the file that you want to download, and then click Download.
- In the File Download message box, click Save.
- In the Save As message box, browse to the location where you want to save the file, and then click Save.
Add a Citrix ADC instance
When you add Citrix ADC instances from the Management Service, you need to provide values for some parameters, and the Management Service implicitly configures these settings on the Citrix ADC instances.
Typically, the Management Service and the management address (NSIP) of the VPX instance are in the same subnetwork, and communication is over a management interface. However, if the Management Service and the instance are in different subnetworks, you have to specify a VLAN ID at the time of provisioning a VPX instance, so that the instance can be reached over the network when it starts. If your deployment requires that the NSIP not be accessible through any interface other than the one selected at the time of provisioning the VPX instance, select the NSVLAN option.
Citrix recommends the default setting—NSVLAN not selected. You cannot change this setting after you have provisioned the Citrix ADC instance.
Note: For a high availability setup (active-active or active-standby), Citrix recommends that you configure the two Citrix ADC instances on different SDX appliances. Make sure that the instances in the setup have identical resources, such as CPU, memory, interfaces, packets per second (PPS), and throughput.
Name* The host name assigned to the Citrix ADC instance.
IP Address* The Citrix ADC IP (NSIP) address at which you access a Citrix ADC instance for management purposes. A Citrix ADC instance can have only one NSIP. You cannot remove an NSIP address.
Netmask* The subnet mask associated with the NSIP address.
Gateway* The default gateway that you must add on the Citrix ADC instance if you want access through SSH or the configuration utility from an administrative workstation or laptop that is on a different network.
Nexthop* The alternate IP address for the static route in VPX that should be used to establish connection with the Management Service, if the default route is not available.
XVA File* The .xva image file that you need to provision. This file is required only when you add a Citrix ADC instance.
Feature License* Specifies the license you have procured for the Citrix ADC. The license could be Standard, Enterprise, Platinum, or Secure Web Gateway.
Note: * indicates required fields.
You need to buy a separate license (SDX 2-Instance Add-On Pack for Secure Web Gateway) for Citrix Secure Web Gateway (SWG) instances on SDX appliances. This instance pack is different from SDX platform license or SDX instance pack.
For more information about deploying a Citrix SWG instance on an SDX appliance, see Deploying a Citrix Secure Web Gateway Instance on an SDX Appliance.
Admin Profile* The profile you want to attach to the Citrix ADC instance. This profile specifies the administrator (nsroot) user credentials that are used by the Management Service to provision the Citrix ADC instance and later, to communicate with the instance to retrieve configuration data. The user credentials used in this profile are also used while logging on to the Citrix ADC instance by using the GUI or the CLI. It is recommended that you change the default password of the admin profile. This is done by creating a new profile with a user-defined password. For more information, see Creating Admin Profiles above.
Description Add a description or comments related to the administrator profile.
Total Memory (MB)* The total memory allocated to the Citrix ADC instance.
#SSL chips* Number of SSL chips assigned to the Citrix ADC instance. SSL chips cannot be shared. The instance is restarted if you modify this value.
Throughput (Mbps)* The total throughput allocated to the Citrix ADC instance. The total used throughput should be less than or equal to the maximum throughput allocated in the SDX license. If the administrator has already allocated full throughput to multiple instances, no further throughput can be assigned to any new instance.
Packets per second* The maximum number of packets that the instance can receive per second.
CPU Assign a dedicated core or cores to the instance, or let the instance share a core with other instances. If you select shared, then one core is assigned to the instance but the core might be shared with other instances if there is a shortage of resources. Restart the instances on which CPU cores are reassigned to avoid any performance degradation.
From SDX release 11.1.x.x (MR4), if you are using SDX 25000xx platform, you can assign a maximum of 16 cores to an instance. Also, if you are using SDX 2500xxx platform, you can assign a maximum of 11 cores to an instance.
Note: For an instance, the maximum throughput that you configure is 180 Gbps.
The following table lists the supported VPX, Single bundle image version, and the number of cores you can assign to an instance:
|Platform Name||Total Cores||Total Cores Available for VPX Provisioning||Maximum Cores That Can Be Assigned to a Single Instance|
|SDX 8015, SDX 8400, and SDX 8600||4||3||3|
|SDX 11500, SDX 13500, SDX 14500, SDX 16500, SDX 18500, and SDX 20500||12||10||5|
|SDX 11515, SDX 11520, SDX 11530, SDX 11540, and SDX 11542||12||10||5|
|SDX 17500, SDX 19500, and SDX 21500||12||10||5|
|SDX 17550, SDX 19550, SDX 20550, and SDX 21550||12||10||5|
|SDX 14020, SDX 14030, SDX 14040, SDX 14060, SDX 14080 and SDX 14100||12||10||5|
|SDX 22040, SDX 22060, SDX 22080, SDX 22100, and SDX 22120||16||14||7|
|SDX 24100 and SDX 24150|
|SDX 14020 40G, SDX 14030 40G, SDX 14040 40G, SDX 14060 40G, SDX 14080 40G and SDX 14100 40G||12||10||10|
|SDX 14020 FIPS, SDX 14030 FIPS, SDX 14040 FIPS, SDX 14060 FIPS, SDX 14080 FIPS and SDX 14100 FIPS||12||10||5|
|SDX 14040 40S, SDX 14060 40S, SDX 14080 40S and SDX 14100 40S||12||10||5|
|SDX 25100A, 25160A, 25200A||20||18||9|
|SDX 25100-40G, 25160-40G, 25200-40G||20||18||16 (if version is 11.1-51.x or higher); 9 (if version is 11.1-50.x or lower; all versions of 11.0 and 10.5)|
|SDX 26100, 26160, 26200, 26250||28||26||13|
The user name for the Citrix ADC instance administrator. This user has superuser access, but does not have access to networking commands to configure VLANs and interfaces.
Password* The password for the instance administrator’s user name.
Confirm Password* The password for the instance administrator’s user name.
Shell/Sftp/Scp Access* The access allowed to the Citrix ADC instance administrator.
Allow L2 Mode Allow L2 mode on the Citrix ADC instance. Select this option before you log on to the instance and enable L2 mode. For more information, see Allowing L2 Mode on a Citrix ADC instance.
Note: If you disable L2 mode for an instance from the Management Service, you must log on to the instance and disable L2 mode from that instance. Failure to do so might cause all the other NetScaler modes to be disabled after you restart the instance.
Management LA Select to associate the management channel to the instance.
VLAN Tag Specify a VLAN ID for the management channel member interfaces.
Interface Settings This specifies the network interfaces assigned to a Citrix ADC instance. You can selectively assign interfaces to an instance. For each interface, if you select Tagged, specify a VLAN ID.
Important: The interface IDs of interfaces that you add to an instance do not necessarily correspond to the physical interface numbering on the SDX appliance. For example, if the first interface that you associate with instance 1 is SDX interface 1/4, it appears as interface 1/1 when you log on to the instance and view the interface settings, because it is the first interface that you associated with instance 1.
- If a non-zero VLAN ID is specified for a Citrix ADC instance interface, all the packets transmitted from the Citrix ADC instance through that interface will be tagged with the specified VLAN ID. If you want incoming packets meant for the Citrix ADC instance that you are configuring to be forwarded to the instance through a particular interface, you must tag that interface with a VLAN ID and ensure that the incoming packets specify that VLAN ID.
- For an interface to receive packets with multiple VLAN tags, you must specify a VLAN ID of 0 for the interface, and you must specify the required VLAN IDs for the Citrix ADC instance interface.
VLAN ID An integer that uniquely identifies the VLAN. Minimum value: 2. Maximum value: 4095.
Allowed VLANs Specify a list of VLAN IDs that can be associated with a Citrix ADC instance.
VRID IPV4 The IPv4 VRID that identifies the VMAC. Possible values: 1 to 255. For more information, see Configuring VMACs on an Interface.
VRID IPV6 The IPv6 VRID that identifies the VMAC. Possible values: 1 to 255. For more information, see Configuring VMACs on an Interface.
MAC Address Mode Assign a MAC address. Select from one of the following options:
- Default—XenServer assigns a MAC address.
- Custom—SDX Administrator assigns a MAC address. The SDX administrator can use this setting to override the generated MAC address.
- Generated—Generate a MAC address by using the base MAC address set earlier. For information about setting a base MAC address, see Assigning a MAC Address to an Interface.
MAC Address Specify a MAC address that overrides the generated MAC address. Used with the Custom mode setting.
NSVLAN A VLAN to which the subnet of the NSIP address is bound. The NSIP subnet is available only on interfaces that are associated with the NSVLAN. Select this check box if your deployment requires that the NSIP not be accessible through any interface other than the one you select in the VLAN Settings dialog box. This setting cannot be changed after the Citrix ADC instance is provisioned.
- HA heartbeats will be sent only on the interfaces that are part of the NSVLAN.
- You can configure an NSVLAN only from VPX XVA build 9.3-53.4 and later.
Important: If NSVLAN is not selected, running the “clear config full” command on the VPX instance deletes the VLAN configuration.
Tagged Designate all interfaces associated with the VLAN as 802.1q tagged interfaces.
Note: If you select tagged, make sure that management interfaces 0/1 and 0/2 are not added.
Interfaces Bind the selected interfaces to the VLAN.
To provision a Citrix ADC instance
- On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click Instances.
- In the Citrix ADC instances pane, click Add.
- In the Provision NetScaler Wizard, follow the instructions on the screen.
- Click Create, and then click Close. The provisioning progress and any failures, such as failure to assign a virtual function to the VPX instance, are displayed.
To modify the values of the parameters of a provisioned Citrix ADC instance, in the Citrix ADC instances pane, select the instance that you want to modify, and then click Modify. In the Modify NetScaler Wizard, modify the parameters.
Note: If you modify the following parameters: number of SSL chips, interfaces, memory, and feature license, the Citrix ADC instance implicitly stops and restarts to bring these parameters into effect.
You cannot modify the Image and User Name parameters.
If you want to remove a Citrix ADC instance provisioned on the SDX appliance, in the Citrix ADC instances pane, select the instance that you want to remove, and then click Delete. In the Confirm message box, click Yes to remove the Citrix ADC instance.
Restrict VLANs to specific virtual interfaces
The SDX appliance administrator can enforce specific 802.1Q VLANs on the virtual interfaces associated with Citrix ADC instances. This capability is especially helpful in restricting the usage of 802.1Q VLANs by the instance administrators. If two instances belonging to two different companies are hosted on an SDX appliance, you can restrict the two companies from using the same VLAN ID, so that one company does not see the other company’s traffic. If an instance administrator, while provisioning or modifying a VPX instance, tries to assign an interface to an 802.1Q VLAN, a validation is performed to verify that the VLAN ID specified is part of the allowed list.
By default, any VLAN ID can be used on an interface. To restrict the tagged VLANs on an interface, specify the VLAN IDs in the Network Settings at the time of provisioning a Citrix ADC instance, or later by modifying the instance. To specify a range, separate the IDs with a hyphen (for example 10-12). If you initially specify some VLAN IDs but later delete all of them from the allowed list, you can use any VLAN ID on that interface. In effect, you have restored the default setting.
After creating a list of allowed VLANs, the SDX administrator does not have to log on to an instance to create the VLANs. The administrator can add and delete VLANs for specific instances from the Management Service.
Important: If L2 mode is enabled, the administrator must take care that the VLAN IDs on different Citrix ADC instances do not overlap.
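The allowed-list check and the cross-instance overlap concern described above, as an added Python example (not Citrix code and not part of the original page). It assumes comma-separated entries and hypothetical instance names, and takes its ID bounds from the VLAN ID field on this page.

```python
# Added example: allowed-VLAN validation and cross-instance overlap audit.
# Bounds come from the page's VLAN ID field (minimum 2, maximum 4095).
# The comma separator and all instance names are assumptions.
VLAN_MIN, VLAN_MAX = 2, 4095


def parse_allowed_vlans(spec):
    """Expand a spec such as '10-12,20' into a set of VLAN IDs.

    An empty spec returns None, meaning "no restriction" (the default).
    """
    if not spec.strip():
        return None
    allowed = set()
    for part in spec.split(","):
        entry = part.strip()
        lo, sep, hi = entry.partition("-")
        try:
            start = int(lo)
            end = int(hi) if sep else start
        except ValueError:
            raise ValueError(f"invalid VLAN entry {entry!r}") from None
        if not VLAN_MIN <= start <= end <= VLAN_MAX:
            raise ValueError(f"VLAN entry out of range: {entry!r}")
        allowed.update(range(start, end + 1))
    return allowed


def vlan_permitted(vlan_id, allowed):
    """Mirror the provisioning-time check: is vlan_id on the allowed list?"""
    if not VLAN_MIN <= vlan_id <= VLAN_MAX:
        return False
    return allowed is None or vlan_id in allowed


def find_overlaps(instances):
    """Return {(name_a, name_b): shared IDs} for every overlapping pair.

    An unrestricted instance (None) may use any ID, so it overlaps with
    every other instance on the appliance.
    """
    everything = set(range(VLAN_MIN, VLAN_MAX + 1))
    names = sorted(instances)
    overlaps = {}
    for i, a in enumerate(names):
        set_a = everything if instances[a] is None else instances[a]
        for b in names[i + 1:]:
            set_b = everything if instances[b] is None else instances[b]
            shared = set_a & set_b
            if shared:
                overlaps[(a, b)] = sorted(shared)
    return overlaps


# Constructed sample: three hypothetical instances and their allowed lists.
SAMPLE = {
    "tenant-a-vpx": parse_allowed_vlans("10-12,20"),
    "tenant-b-vpx": parse_allowed_vlans("12-14"),
    "tenant-c-vpx": parse_allowed_vlans("100-110"),
}

if __name__ == "__main__":
    for pair, shared in find_overlaps(SAMPLE).items():
        print(pair, "share VLAN IDs", shared)
```

An instance whose allowed list is empty is reported against every other instance, because the default setting permits any VLAN ID on the interface.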
To specify the permitted VLAN IDs
- In the Provision NetScaler Wizard or the Modify NetScaler Wizard, on the Network Settings page, in the Allowed VLANs text box, specify the VLAN ID(s) allowed on this interface. Use a hyphen to specify a range. For example, 2-4094.
- Follow the instructions in the wizard.
- Click Finish, and then click Close.
To configure VLANs for an instance from the Management Service
- On the Configuration tab, navigate to NetScaler > Instances.
- Select an instance, and then click VLAN.
- In the details pane, click Add.
- In the Create NetScaler VLAN dialog box, specify the following parameters:
- VLAN ID—An integer that uniquely identifies the VLAN to which a particular frame belongs. The Citrix ADC supports a maximum of 4094 VLANs. ID 1 is reserved for the default VLAN.
- IPV6 Dynamic Routing—Enable all IPv6 dynamic routing protocols on this VLAN. Note: For the ENABLED setting to work, you must log on to the instance and configure IPv6 dynamic routing protocols from the VTYSH command line.
- Select the interfaces that should be part of the VLAN.
- Click Create, and then click Close.
For more information about how to provision a VPX instance, see this video.