
Partitioning a NetScaler

Aug 31, 2016

Important

  • Only superusers are authorized to create and configure admin partitions.
  • Unless specified otherwise, configurations to set up an admin partition must be done from the default partition.

By partitioning a NetScaler appliance, you are in effect creating multiple instances of a single NetScaler appliance. Each instance has its own configuration, and the traffic of each partition is isolated from the others by binding each partition to a dedicated VLAN or a shared VLAN.

A partitioned NetScaler has one default partition and the admin partitions that are created. To set up an admin partition, you must first create a partition with the relevant resources (memory, maximum bandwidth, and connections). Then, specify the users that can access the partition and the level of authorization for each of the users on the partition.

VLANs can be bound to a partition as a “Dedicated” VLAN or a “Shared” VLAN. Based on your deployment, you can bind a VLAN to a partition to isolate its network traffic from other partitions.

Dedicated VLAN – A tagged VLAN bound to exactly one partition, with the “Sharing” option disabled. For example, in a client-server deployment, a system administrator creates a dedicated VLAN for each partition on the server side for security reasons.

Shared VLAN – A VLAN bound to (shared across) multiple partitions, with the “Sharing” option enabled. For example, in a client-server deployment, if the system administrator does not control the client-side network, a single VLAN is created and shared across multiple partitions.

Important

Citrix recommends that you bind VLANs to partitions either as Dedicated or as Shared VLANs. Only a tagged VLAN can be bound to a partition as a dedicated VLAN. If you have untagged VLANs, enable them as “Shared” VLANs before binding them to partitions. This ensures that control-plane packets (for example, LACP, LLDP, and xSTP packets) are handled in the default partition. If you already bound an untagged VLAN to a partition in release 11.0, see the “Deployment procedure for upgrading a sharable VLAN to NetScaler 11.1 software” procedure.

VLAN Implementation

In a partitioned (multi-tenant) NetScaler appliance, a system administrator can isolate the traffic flowing to a particular partition or partitions by binding one or more VLANs to each partition. A VLAN can be dedicated to one partition or shared across multiple partitions.

Dedicated VLANs

To isolate the traffic flowing into a partition, create a VLAN and associate it with the partition. The VLAN is then visible only to the associated partition, and the traffic flowing through the VLAN is classified and processed only in that partition.

[Diagram: a dedicated VLAN bound to a single partition]

To implement a dedicated VLAN for a particular partition, do the following.

  1. Add a VLAN (V1). The examples use V1 as a symbolic name; the appliance identifies a VLAN by its numeric VLAN ID.
  2. Bind a network interface to the VLAN as a tagged interface.
  3. Create a partition (P1).
  4. Bind the partition (P1) to the dedicated VLAN (V1).

To add a VLAN by using the command line interface

At the command prompt, type:

Adding a VLAN

add vlan <id>

Example

add vlan V1

To bind a VLAN by using the command line interface

At the command prompt, type:

Binding a VLAN

bind vlan <id> -ifnum <interface> -tagged

Example

bind vlan V1 -ifnum 1/8 -tagged

To create a partition by using the command line interface

At the command prompt, type:

Creating a Partition

add ns partition <partitionName> [-maxBandwidth <positive_integer>] [-maxConn <positive_integer>] [-maxMemLimit <positive_integer>]

Example

add ns partition P1 -maxBandwidth 200 -maxConn 50 -maxMemLimit 90

Done

To bind a partition to a VLAN by using the command line interface

At the command prompt, type:

Binding a Partition

bind ns partition <partitionName> -vlan <id>

Example

bind ns partition P1 -vlan V1

To configure a dedicated VLAN by using the NetScaler GUI

  1. Navigate to Configuration > System > Network > VLANs and click Add to create a VLAN.
  2. On the Create VLAN page, set the following parameters:
    1. VLAN ID
    2. Alias Name
    3. Maximum Transmission Unit
    4. Dynamic Routing
    5. IPv6 Dynamic Routing
    6. Partitions Sharing
  3. In the Interface Bindings section, select one or more interfaces and bind them to the VLAN.
  4. In the IP Bindings section, select one or more IP addresses and bind to the VLAN.
  5. Click OK and Done.

Shared VLANs

In a shared VLAN configuration, each partition has its own partition MAC address, and traffic received on the shared VLAN is classified to a partition by MAC address. Using a Layer 3 VLAN is recommended, because it restricts the traffic to the subnet bound to the VLAN.

The following diagram shows how a VLAN (VLAN 10) is shared across two partitions. 

[Diagram: VLAN 10 shared across two partitions]

To deploy a shared VLAN configuration, do the following:

  1. Create a VLAN with the sharing option ‘enabled’, or enable the sharing option on an existing VLAN. By default, the option is ‘disabled’.
  2. Bind a network interface to the shared VLAN.
  3. Create the partitions, each with its own partitionMAC address.
  4. Bind the partitions to the shared VLAN.

To configure a shared VLAN by using the command line interface

At the command prompt, type one of the following commands to add a new VLAN or set the sharing parameter of an existing VLAN:

Configuring a Shared VLAN

add vlan <id> [-sharing (ENABLED | DISABLED)]

set vlan <id> [-sharing (ENABLED | DISABLED)]

Examples

add vlan V1 -sharing ENABLED

set vlan V1 -sharing ENABLED


To bind a partition to a Shared VLAN by using the command line interface

At the command prompt, type:

Binding a partition

bind ns partition <partitionName> -vlan <id>

Example

bind ns partition P1 -vlan V1

To create a shared partition by using the command line interface

At the command prompt, type:

Creating a Shared Partition

add ns partition <partitionName> [-maxBandwidth <positive_integer>] [-maxConn <positive_integer>] [-maxMemLimit <positive_integer>] -partitionMAC <mac_addr>


Example

add ns partition P1 -maxBandwidth 200 -maxConn 50 -maxMemLimit 90 -partitionMAC <mac_addr>

Done

To configure an existing partition as a shared partition by using the command line interface

At the command prompt, type:

Configuring an Existing Partition

set ns partition <partitionName> [-partitionMAC <mac_addr>]

Example

set ns partition P1 -partitionMAC 22:33:44:55:66:77

To bind partitions to a shared VLAN by using the command line interface

At the command prompt, type:

bind ns partition <partitionName> -vlan <id>

Repeat the command for each partition that must be bound to the shared VLAN.

Example

bind ns partition P1 -vlan V1

bind ns partition P2 -vlan V1

bind ns partition P3 -vlan V2

bind ns partition P4 -vlan V1

To configure Shared VLAN by using the NetScaler GUI

  1. Navigate to Configuration > System > Network > VLANs, select the VLAN, and click Edit to set the partition sharing parameter.
  2. On the VLAN page, select the Partitions Sharing checkbox.
  3. Click OK and then Done.

Supporting VMACs on an SDX Platform

For shared VLANs to work in a partitioned deployment on a NetScaler SDX platform, you must log on to the SDX Management Service (the Service VM, SVM) and assign each partition's MAC address (VMAC) to the NetScaler VPX instance that hosts the partitions. Without this, the hypervisor does not deliver frames addressed to the partition MACs to the instance.

Resource (rate) limits for an admin partition are as follows:

  • Maximum memory limit. Set this to the memory that the admin partition will require. Make sure that you set the appropriate value when creating the partition.

    Once an admin partition is created, the memory limit cannot be decreased. The memory limit can however be increased when required or more specifically, when there is execution failure due to insufficient memory in a partition; provided sufficient memory is available in the default partition. 

    Note: From NetScaler 11.0 Build 64.x onwards, you can set the memory limit to a minimal value of 5 MB, when creating the admin partition. This setting can be useful for lighter deployments of the NetScaler appliance.
  • Maximum bandwidth. The maximum bandwidth that can be used by an admin partition. This value must be limited to the appliance's licensed throughput. Otherwise, in effect, you are NOT limiting the bandwidth that can be used by the admin partition.

    It must be configured such that it accounts for the bandwidth that the application requires. If the application bandwidth exceeds the configured value, packets will be dropped. It accounts for incoming and outgoing packets.

    The maximum bandwidth can be increased or decreased when required.

    Note: 
    • The default value is 10240 kbps, minimum value is 0, and maximum value is 4294967295 kbps.

    • Setting this parameter to its minimum value (0) means that you are not assigning any bandwidth to the partition. Traffic received for this partition will be dropped.

    • This is not the guaranteed bandwidth available for the admin partition. After a partition is configured with a maximum bandwidth value, the actual bandwidth assigned depends on the appliance's licensed throughput.
  • Maximum number of connections. Must be configured such that it accounts for the maximum simultaneous flows expected within a partition. The limit applies only to client-side TCP connections, not to back-end server-side connections. New connections cannot be established beyond this configured value.

    The maximum number of connections can be increased or decreased when required.

Note: When bandwidth or connection usage crosses the configured threshold and SNMP is configured, traps are sent with the relevant information.
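The rules above are easy to get wrong when a partition is resized after creation, so here is an added example (not Citrix code and not part of this page) that plans a `set ns partition` change and refuses the changes the appliance rejects: a memory decrease, a memory increase the default partition cannot cover, and a bandwidth value outside the documented range. It also warns when maxBandwidth is 0 (traffic dropped) or exceeds the licensed throughput (no effective limit). The current limits, the free memory in the default partition and the licensed throughput are plain integers the operator supplies; reading them from the appliance is assumed to happen beforehand.

```python
# Added example (not Citrix code): plan a `set ns partition` change against the
# limits described on this page. Inputs are plain integers the operator reads
# from the appliance beforehand (assumption): the partition's current limits,
# the desired limits, the memory still free in the default partition (MB) and
# the licensed throughput (kbps).

MAX_BANDWIDTH_KBPS = 4294967295   # maximum maxBandwidth value stated on the page


def plan_partition_update(name, current, desired, free_default_mem_mb, licensed_kbps):
    """Return (commands, warnings).

    `current` and `desired` are dicts with the keys maxBandwidth (kbps),
    maxConn and maxMemLimit (MB). Raises ValueError for a change the
    appliance rejects: a memory decrease, memory the default partition
    cannot spare, or a bandwidth outside the allowed range.
    """
    warnings = []
    args = []
    for key in ("maxBandwidth", "maxConn", "maxMemLimit"):
        old, new = current[key], desired[key]
        if new == old:
            continue                      # only emit parameters that change
        if key == "maxMemLimit":
            if new < old:
                raise ValueError(f"{name}: maxMemLimit cannot be decreased ({old} -> {new} MB)")
            if new - old > free_default_mem_mb:
                raise ValueError(f"{name}: default partition has only {free_default_mem_mb} MB free")
        if key == "maxBandwidth":
            if not 0 <= new <= MAX_BANDWIDTH_KBPS:
                raise ValueError(f"{name}: maxBandwidth {new} outside 0..{MAX_BANDWIDTH_KBPS}")
            if new == 0:
                warnings.append(f"{name}: maxBandwidth 0 drops all traffic for the partition")
            elif new > licensed_kbps:
                warnings.append(f"{name}: maxBandwidth {new} exceeds licensed "
                                f"{licensed_kbps} kbps and therefore limits nothing")
        args.append(f"-{key} {new}")
    commands = [f"set ns partition {name} " + " ".join(args)] if args else []
    return commands, warnings


if __name__ == "__main__":
    # Constructed input: grow P1 from the page's example values.
    now = {"maxBandwidth": 200, "maxConn": 50, "maxMemLimit": 90}
    want = {"maxBandwidth": 500, "maxConn": 50, "maxMemLimit": 120}
    cmds, warns = plan_partition_update("P1", now, want, free_default_mem_mb=100, licensed_kbps=1000000)
    print("\n".join(cmds + warns))
```

The planner emits one `set ns partition` line carrying only the parameters that actually change, so an unchanged maxMemLimit is never re-sent and cannot be mis-typed as a decrease.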

Note

  • After creating a partition, inform the users that the NetScaler configurations they perform will be isolated from users who are not members of the partition.
  • Make sure the relevant users, command policies, VLANs, and bridgegroups are available on the NetScaler appliance.
  • For deployments with a large NetScaler configuration and a large volume of traffic, Citrix advises that you increase the default values for the maximum memory limit, maximum bandwidth, and maximum number of connections.

To partition a NetScaler by using the command line interface

On the command prompt, do the following:

  1. Create a partition and configure the NetScaler resources for that partition.

    add ns partition <partitionName> [-maxBandwidth <positive_integer>] [-maxConn <positive_integer>] [-maxMemLimit <positive_integer>]

    Note: Check the rate limiting content provided above for tips to update the maximum memory limit, maximum bandwidth, and maximum number of connections.

  2. Associate the appropriate users with the partition.

    bind system user <name> -partitionName <string>

  3. Specify the level of authorization for each user by associating one of the following command policies: partition-operator, partition-read-only, partition-network, and partition-admin.

    bind system user <name> <policyName> <priority>

  4. Configure the VLAN through which traffic for this partition must be routed. You can use bridgegroups instead of VLANs to route the traffic.

    • Add the VLAN and bind the required interfaces to it as tagged interfaces (only a tagged VLAN can be bound to a partition as a dedicated VLAN; see the note on shared VLANs above for untagged VLANs).

      add vlan <id>

      bind vlan <id> -ifnum <interface> -tagged

      Note: When a VLAN is bound to an admin partition, its IP address bindings are lost. To make sure that the VLAN continues to have the IP address, create the IP address on the admin partition and then bind it to that VLAN.

    OR

    • Add the bridgegroup and bind the required VLANs to it.

      add bridgegroup <id>

      bind bridgegroup <id> -vlan <id>

  5. Bind the VLAN or bridgegroup to the partition.

    bind ns partition <partitionName> -vlan <positive_integer>

    OR

    bind ns partition <partitionName> -bridgegroup <positive_integer>

    Note: Use the show vlan or the show bridgegroup command to view the partitions associated with that VLAN or bridgegroup.
  6. Verify the configurations of the partition.

    show ns partition <partitionName>

    Note: You can also use the stat ns partition command to view partition configurations.
  7. Save the configuration.

    save ns config
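The seven steps above are typed one by one on the appliance, where a mistake (an untagged VLAN bound as dedicated, a dedicated VLAN accidentally bound to two partitions, a partition on a shared VLAN with no partitionMAC, a user given a non-partition command policy) is only discovered afterwards. The following added example, which is not Citrix code and not part of this page, renders a small partition plan as the exact CLI batch from this procedure and from the dedicated/shared VLAN sections above, and validates the plan against the rules the page states before anything reaches the appliance. Assumptions: numeric VLAN IDs in the range 2..4094 (the page's V1/V2 stand for these), a command-policy priority of 100, and that the batch is pasted into the CLI of the default partition by a superuser.

```python
# Added example (not Citrix code): render the partition procedure as a CLI
# batch and check the plan against the rules this page states before anything
# is typed into the appliance. Assumptions: numeric VLAN IDs in 2..4094 (the
# page's V1/V2 stand for these), command-policy priority 100, and that the
# batch is pasted into the CLI of the default partition by a superuser.
import re
from dataclasses import dataclass, field

PARTITION_POLICIES = {"partition-operator", "partition-read-only",
                      "partition-network", "partition-admin"}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
MIN_MEM_MB = 5            # smallest maxMemLimit allowed (11.0 build 64.x onward)
POLICY_PRIORITY = 100     # assumption; any valid priority works


@dataclass
class Vlan:
    vid: int
    ifnum: str
    tagged: bool = True
    sharing: bool = False


@dataclass
class Partition:
    name: str
    vlans: list                       # VLAN IDs to bind to the partition
    max_conn: int
    max_mem_mb: int
    max_bandwidth_kbps: int = 10240   # the page's default value
    partition_mac: str = None         # required on a shared VLAN
    users: dict = field(default_factory=dict)   # user -> partition-* command policy


def validate(vlans, partitions):
    """Return a list of rule violations; an empty list means the plan is consistent."""
    errors = []
    by_id = {v.vid: v for v in vlans}
    bound = {v.vid: [] for v in vlans}
    for v in vlans:
        if not 2 <= v.vid <= 4094:
            errors.append(f"vlan {v.vid}: ID outside 2..4094")
        if not v.tagged and not v.sharing:
            errors.append(f"vlan {v.vid}: untagged VLAN must be bound as a shared VLAN")
    for p in partitions:
        if p.max_mem_mb < MIN_MEM_MB:
            errors.append(f"{p.name}: maxMemLimit below {MIN_MEM_MB} MB")
        if p.max_bandwidth_kbps == 0:
            errors.append(f"{p.name}: maxBandwidth 0 drops all traffic for the partition")
        for vid in p.vlans:
            if vid not in by_id:
                errors.append(f"{p.name}: unknown vlan {vid}")
                continue
            bound[vid].append(p.name)
            if by_id[vid].sharing and not (p.partition_mac and MAC_RE.match(p.partition_mac)):
                errors.append(f"{p.name}: shared vlan {vid} needs a valid partitionMAC")
        for user, policy in p.users.items():
            if policy not in PARTITION_POLICIES:
                errors.append(f"{p.name}: user {user} has non-partition policy {policy}")
    for vid, names in bound.items():
        if not by_id[vid].sharing and len(names) > 1:
            errors.append(f"vlan {vid}: dedicated VLAN bound to {len(names)} partitions {names}")
    return errors


def render(vlans, partitions):
    """Emit the commands in the order of the procedure above, or raise on a bad plan."""
    errors = validate(vlans, partitions)
    if errors:
        raise ValueError("; ".join(errors))
    out = []
    for v in vlans:
        out.append(f"add vlan {v.vid} -sharing {'ENABLED' if v.sharing else 'DISABLED'}")
        out.append(f"bind vlan {v.vid} -ifnum {v.ifnum}" + (" -tagged" if v.tagged else ""))
    for p in partitions:
        cmd = (f"add ns partition {p.name} -maxBandwidth {p.max_bandwidth_kbps} "
               f"-maxConn {p.max_conn} -maxMemLimit {p.max_mem_mb}")
        if p.partition_mac:
            cmd += f" -partitionMAC {p.partition_mac}"
        out.append(cmd)
        for user, policy in p.users.items():
            out.append(f"bind system user {user} -partitionName {p.name}")
            out.append(f"bind system user {user} {policy} {POLICY_PRIORITY}")
        for vid in p.vlans:
            out.append(f"bind ns partition {p.name} -vlan {vid}")
    out.append("save ns config")
    return out


def example_plan():
    """Constructed plan: shared client-side VLAN 10, dedicated server-side VLANs 20 and 30."""
    vlans = [Vlan(10, "1/1", sharing=True), Vlan(20, "1/8"), Vlan(30, "1/8")]
    partitions = [
        Partition("P1", [10, 20], max_conn=50, max_mem_mb=90, max_bandwidth_kbps=200,
                  partition_mac="22:33:44:55:66:77", users={"p1admin": "partition-admin"}),
        Partition("P2", [10, 30], max_conn=50, max_mem_mb=90, max_bandwidth_kbps=200,
                  partition_mac="22:33:44:55:66:78", users={"p2ops": "partition-operator"}),
    ]
    return vlans, partitions


if __name__ == "__main__":
    print("\n".join(render(*example_plan())))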

To partition a NetScaler by using the configuration utility

On the Configuration tab of the graphical user interface:

  1. Navigate to System > Partition Administration, click Add and do the following:
    1. Create and configure the resources for the admin partition.
    2. Specify the VLANs or bridgegroups to be associated with the partition.
    3. Associate user(s) with the partition.
      Note: Make sure you bind users who are not yet associated with partition type command policies.
  2. Navigate to System > User Administration, and to the partition user, bind the appropriate command policy. The command policy must be one of the partition- entries. The choice depends on the level of authorization you intend the user to have.
  3. Save the configuration.