Product Documentation

Partitioning a NetScaler

Feb 29, 2016


  • Only superusers are authorized to create and configure admin partitions.
  • Unless specified otherwise, configurations to set up an admin partition must be done from the default partition.

By partitioning a NetScaler appliance, you are in-effect creating multiple instances of a single NetScaler appliance. Each instance has its own configurations and the traffic of each of these partitions is isolated from the other by assigning each partition a dedicated VLAN.

A partitioned NetScaler has one default partition and the admin partitions that are created. To set up an admin partition, you must first create a partition with the relevant resources (memory, maximum bandwidth, and connections). Then, specify the users that can access the partition and the level of authorization for each of the users on the partition.

Finally, assign a VLAN to the partition so that the traffic for that partition is isolated and segregated.


Citrix recommends that you bind only tagged VLANs to partitions. This ensures that control traffic packets (for example, LACP, LLDP, and xSTP packets) are handled in the default partition.

Rate limits for an admin partition are as follows:

  • Maximum memory limit. Must be configured as the memory that will be required for each admin partition. You must make sure that you set the appropriate value when creating the partition.

    Once an admin partition is created, the memory limit cannot be decreased. The memory limit can however be increased when required or more specifically, when there is execution failure due to insufficient memory in a partition; provided sufficient memory is available in the default partition. 

    Note: From NetScaler 11.0 Build 64.x onwards, you can set the memory limit to a minimal value of 5 MB, when creating the admin partition. This setting can be useful for lighter deployments of the NetScaler appliance.
  • Maximum bandwidth. The maximum bandwidth that can be used by an admin partition. This value must be limited to the appliance's licensed throughput. Otherwise, in effect, you are NOT limiting the bandwidth that can be used by the admin partition.

    It must be configured such that it accounts for the bandwidth that the application requires. If the application bandwidth exceeds the configured value, packets will be dropped. It accounts for incoming and outgoing packets.

    The maximum bandwidth can be increased or decreased when required.

    • The default value is 10240 kbps, minimum value is 0, and maximum value is 4294967295 kbps.

    • Setting this parameter to its minimum value (0) means that you are not assigning any bandwidth to the partition. Traffic received for this partition will be dropped.

    • This is not the guaranteed bandwidth available for the admin partition. After a partition is configured with a maximum bandwidth value, the actual bandwidth assigned depends on the appliance's licensed throughput.
  • Maximum number of connections. Must be configured such that it accounts for the maximum simultaneous flows expected within a partition. It accounts for client-side and server-side TCP connections. New connections cannot be established beyond this configured value.

    The maximum number of connections can be increased or decreased when required.

Note: When the bandwidth and number of connections crosses the threshold value, if SNMP is configured, traps will be sent with the relevant information.


  • After creating a partition, inform the users that the NetScaler configurations they perform will be isolated from users who are not members of the partition.
  • Make sure the relevant users, command policies, VLANs, and bridgegroups are available on the NetScaler appliance.
  • For deployments that have large size of NetScaler configuration and large quantum of traffic, Citrix advises that you increase the default values for the maximum memory limit, maximum bandwidth, and maximum number of connections.

To partition a NetScaler by using the command line interface

On the command prompt, do the following:

  1. Create a partition and configure the NetScaler resources for that partition.

    add ns partition <partitionName> [-maxBandwidth <positive_integer>] [-maxConn <positive_integer>] [-maxMemLimit <positive_integer>]

    Note: Check the rate limiting content provided above for tips to update the maximum memory limit, maximum bandwidth, and maximum number of connections.

  2. Associate the appropriate users with the partition.

    bind system user <name> -partitionName <string>

  3. Specify the level of authorization for each user by associating one of the following command policies: partition-operator, partition-read-only, partition-network, and partition-admin.

    bind system user <name> <policyName> <priority>

  4. Configure the VLAN through which traffic for this partition must be routed. You can use bridgegroups instead of VLANs to route the traffic.

    • Add the VLAN and bind the required interfaces to it.

      add vlan <id>

      bind vlan <id> -ifnum <interface>

      Note: When a VLAN is bound to an admin partition, its IP address bindings are lost. To make sure that the VLAN continues to have the IP address, create the IP address on the admin partition and then bind it to that VLAN.


    • Add the bridgegroup and bind the required VLANs to it.

      add bridgegroup <id>

      bind bridgegroup <id> -vlan <id>

  5. Bind the VLAN or bridgegroup to the partition.

    bind ns partition <partitionName> -vlan <positive_ integer>


    bind ns partition <partitionName> -bridgegroup <positive_ integer>

    Note: Use the show vlan or the show bridgegroup command to view the partitions associated with that VLAN or bridgegroup.
  6. Verify the configurations of the partition.

    show ns partition <partitionName>

    Note: You can also use the stat ns partition command to view partition configurations.
  7. Save the configuration.

    save ns config

To partition a NetScaler by using the configuration utility

On the Configuration tab of the graphical user interface:

  1. Navigate to System > Partition Administration, click Add and do the following:
    1. Create and configure the resources for the admin partition.
    2. Specify the VLANs or bridgegroups to be associated with the partition.
    3. Associate user(s) with the partition.
      Note: Make sure you bind users who are not yet associated with partition type command policies.
  2. Navigate to System > User Administration, and to the partition user, bind the appropriate command policy. The command policy must be one of the partition- entries. The choice depends on the level of authorization you intend the user to have.
  3. Save the configuration.