
Partner Workshop Support:

NetScaler ADC Fundamentals


David Jimenez
Senior Technical Readiness Specialist

Agenda
Day 1 (NetScaler Fundamental Concepts)

Module 1 Core Configuration (Lab)


Module 2 Traffic Management (Lab)
Module 3 SSL (Lab)

Day 2 (NetScaler Intermediate Concepts)

Module 4 Optimization (Slides)


Module 5 - Rewrite and Responder (Labs)
Module 6 DataStream (Labs)
Module 7 SDX (Slides)
Module 8 Troubleshooting (Slides)

2012 Citrix | Confidential Do Not Distribute

Core Configuration

Hardware and Components

NetScaler Hardware
MPX 5500

VPX

MPX 7500 and MPX 9500


MPX 10500/12500/15000/15500

MPX 17000/17500/19500/21500

SDX

Differences Between MPX and VPX


Three main differences exist between MPX and VPX:
System capacity
Performance
Tagged VLAN Configuration

NetScaler VPX system capacity:


No hardware SSL acceleration
Processing not offloaded to dedicated silicon


When to Use Which?


NetScaler Appliances

NetScaler VPX

Gig+ performance

Labs/test environments

High volume SSL Offload

Development environments

>100 SSL VPN CCUs

Datacenter-in-a-box

FIPS requirements

CPU-intensive workloads

Physical device security

Frequently moved apps


Fast/remote deployment


NetScaler SDX
Instances, not partitions
Complete CPU isolation
Complete memory isolation
Version independence
High availability independence
Lifecycle independence


Architecture

Overview of the NetScaler Architecture


The NetScaler design is based on a layered model between the NetScaler Kernel and the BSD Operating System
The NetScaler Kernel operates below the BSD Kernel, and controls
Timeslicing for BSD
Network access
SNMP and syslog processing
SSL Offload

BSD manages
The boot process
Filesystem access
Long-term logging

Initial Setup

Networking Concepts

Network Topologies
One-Armed

One-armed topologies have several benefits

Simple, one physical interface and no risk of bridge loops
May make use of one or many VLANs with 802.1q tagging
Can make use of Link Aggregation to satisfy bandwidth requirements
Very few failure modes, easing HA failure analysis

Where it is feasible, a one-armed topology is the preferred method of deploying NetScaler in most environments, and it is what we will use today

Network Topologies
Two-Armed

Two-armed topologies work in situations where one-armed doesn't

Allows layer 3 style deployments with split subnets (as shown)
Allows layer 2 style deployments with one subnet on both sides
Supports transparent compression and SSL offload
Supports USIP (Use Source IP) processing without server changes

The most common use of a two-armed topology is when a NetScaler is replacing another legacy two-armed device in a network

NetScaler Owned IP Addresses


The NetScaler uses a set of IP addresses to communicate with other devices
These IP addresses also enable NetScaler to abstract backend servers and multiplex connections
IP addresses owned by NetScaler are:

NSIP: NetScaler IP Address
MIP: Mapped IP Address
SNIP: Subnet IP Address
VIP: Virtual IP Address/Vserver IP Address
GSLB: Site IP Address

NetScaler Owned IP Addresses


NetScaler IP Address (NSIP)
Unique IP address of NetScaler system
Commonly referred to as management IP address
NetScaler can be accessed via this IP address
The NetScaler can only possess a single NetScaler IP address
Added when configuring NetScaler for first time
Reboot NetScaler system after modifying this IP address
The NetScaler IP address is mandatory configuration


NetScaler Owned IP Addresses


Mapped IP Address (MIP)
Mapped IP addresses (MIP) are used for server-side connections (communicating with servers) and Reverse NAT
The Mapped IP address is NOT the IP address of the NetScaler system
Refer to the "Using Mapped IP Addresses" section of the documentation for more details regarding the management of MIPs

NetScaler Owned IP Addresses


Subnet IP Address (SNIP)
This allows the user to access a NetScaler system from an external host that resides on another subnet
When a SNIP address is added, a corresponding route entry is made in the route table
Only one such entry is made per subnet, and the route entry corresponds to the first IP address added in the subnet
Unlike NSIP and MIP, it is not mandatory to specify the Subnet IP address (SNIP) during the initial configuration of the NetScaler system

NetScaler Owned IP Addresses


Virtual Server IP Address (VIP)
The Virtual Server IP address (VIP) is the IP address associated with a vserver
This is the normal method for configuring explicit services
Like SNIP, it is not mandatory to specify the Virtual Server IP address during the initial configuration of the NetScaler
ARP and ICMP attributes on this IP address allow users to host the same vserver on multiple NetScaler systems that reside on the same broadcast domain

NetScaler Owned IP Addresses


GSLB Site IP Address
Use the add GSLB site command to add this IP address
This address is used for GSLB local site configuration
Cluster IP Address (CLIP)
Use the add CLIP command to add this IP address
This address is used for cluster configuration


NetScaler System Networking Overview


The NetScaler system is fundamentally a TCP proxy at layer 4 that reuses connections to the server
This reuse is done by proxying, at layer 3, the IP address of the client that the server sees

Client IP Address to Virtual IP Address

[Diagram: Client (Client IP) -> Citrix NetScaler (VIP, MIP/SNIP) -> Backend Server (Server IP)]

NetScaler Networking
[Diagram comparing a Citrix NetScaler with a typical network endpoint device. Labels: NIC 1, NIC 2, MAC 1, MAC 2, IP Address 1 ... IP Address n, IP Address 1, IP Address 2, Subnet A, Subnet B]
Typical network endpoint device: each data interface (MAC) sends and receives for a bound IP address
Citrix NetScaler: each data interface (MAC) can send and receive for all IP addresses

NetScaler Modes
Layer-3 mode
Layer-2 mode
MAC-Based forwarding
USIP


Routing Traffic Using Layer 3 Mode


Layer 3 mode:
Is enabled by default
Used to make traffic routing decisions


Routing Traffic Using Layer 2 Mode


The NetScaler system forwards data that is not addressed to its MAC address when running in Layer 2 mode
The exceptions to this forwarding behavior are:
Broadcasts received on an interface associated with a VLAN
ICMP and UDP traffic that exceeds the value set for packet rate filters

Note: L2 mode should be avoided

MAC-Based Forwarding Mode


[Diagram: vserver-LB-1 (VIP, IP address 10.102.29.13) with Router 1 (IP address 10.10.1.2), Router 2 (IP address 10.10.1.1), Server 1 (service-ANY-1) and Server 2 (service-ANY-2); IP and MAC addresses are cached]

Sending a Client IP Address to Servers and Use Source IP Mode

The NetScaler system supports the insertion of a Custom HTTP Header, which will have the original IP address of the client that can be extracted for logging or by applications that need it
Use Source IP (USIP) mode:
Is OFF by default
Must have surge protection disabled
Should be avoided
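
How a backend server can consume the custom client IP header described above, as an added example that is not part of the original slides: the header is honoured only when the connection arrives from a NetScaler-owned address, because with USIP off that is the only source a proxied request can have. The header name X-Client-IP and the SNIP value 10.0.100.43 are assumptions made for this example.

```python
import ipaddress

# Assumptions for this example (not from the slides): the header name and the
# NetScaler-owned source address. Set both to match the appliance's config.
CLIENT_IP_HEADER = "X-Client-IP"
NETSCALER_SOURCE_IPS = frozenset({ipaddress.ip_address("10.0.100.43")})


def _parse_ip(value):
    """Return an ip_address object, or None if value is not one bare IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def effective_client_ip(peer_ip, headers):
    """Pick the address to log or make access decisions on.

    peer_ip -- source address of the TCP connection as seen by the server
    headers -- iterable of (name, value) pairs from the HTTP request
    """
    peer = _parse_ip(peer_ip)
    if peer is None:
        raise ValueError("peer_ip is not an IP address: %r" % (peer_ip,))

    # With USIP off the server sees a NetScaler-owned address (MIP/SNIP) as the
    # source. Any other peer reached the server directly, so a client IP header
    # on that request was written by the sender and proves nothing.
    if peer not in NETSCALER_SOURCE_IPS:
        return str(peer)

    wanted = CLIENT_IP_HEADER.lower()
    values = [value for (name, value) in headers if name.lower() == wanted]

    # Exactly one well-formed value is expected. Zero, several, or a malformed
    # value cannot be attributed to the appliance with confidence, so fall
    # back to the connection's own source address.
    if len(values) != 1:
        return str(peer)
    claimed = _parse_ip(values[0])
    return str(claimed) if claimed is not None else str(peer)


if __name__ == "__main__":
    # Constructed sample requests: (peer address, header list)
    samples = [
        ("10.0.100.43", [("X-Client-IP", "200.200.200.1")]),   # via NetScaler
        ("203.0.113.7", [("X-Client-IP", "200.200.200.1")]),   # direct to server
        ("10.0.100.43", [("X-Client-IP", "not-an-ip")]),       # malformed value
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", effective_client_ip(peer, hdrs))
```

The same check belongs wherever the logged address feeds rate limiting or access control, since those are the places where a forged header value would matter.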


Reverse Network Address Translation


Reverse Network Address Translation (RNAT) allows server side addresses to be translated to the MIP or a SNIP address of the NetScaler system when servers send data through the system
File Transfer Protocol (FTP) is supported by RNAT

RNAT Example
[Diagram: Client (200.200.200.1) - Internet - NetScaler MIP Address (100.100.100.1) - Private Network - Backend Server (192.168.1.1)]

Packet                                      Source IP Address   Destination IP Address
Packet generated by the backend server      192.168.1.1         200.200.200.1
Packet received by the client after RNAT    100.100.100.1       200.200.200.1
Response packet from client                 200.200.200.1       100.100.100.1
Packet received by the server after RNAT    200.200.200.1       192.168.1.1

Command Line Basics

GUI / CLI
Access the GUI by going to NSIP
Access the CLI through SSH client (PuTTY)
Access file system through SFTP client (WinSCP)


Key CLI Commands


> show run
> show route
> show ns feature
> show ns mode
> show ha node
> show license


Running Config, Saved Config


ns.conf loaded on startup
Changes reflected in running config
Changes must be committed to saved config


CLI Configuration Toolset


On-board Command Line Interface: NSCLI
Default shell for nsroot user
Command hierarchy
Basic commands at the top (service, vserver, vlan, system, tunnel, vpn...)
Remaining commands in functional sub-groups (lb, ssl, cs, cr, dos, snmp)
Verb-object style
Commands stored in /nsconfig/ns.conf via save config command

FreeBSD shell

Command Line Interfaces


>  NSCLI (e.g., train_73>)
#  FreeBSD (e.g., root@ns#)

To get here from the NSCLI
> shell
Use this command to move to the FreeBSD command prompt, where FreeBSD commands may be entered
Press the <Control> + <D> keys or type exit to return to the Citrix NetScaler system CLI prompt

CLI Look and Feel


Command abbreviation
The first few letters of a CLI command are sufficient to invoke it, provided they are unique. For example, enter sh for the command show

Command completion
Entering a partial command followed by a question mark displays all commands matching the partial command. For example, entering sh? displays shell, show and shutdown (on successive lines)

Command help
Help displays a syntax description of any CLI command

Command history
History displays up to the last 100 previous commands

NSCLI - Command Abbreviation


Command abbreviation
Group name is (usually) optional.
<action> and <entity> can be shortened to shortest unique prefix
Spaces between <action>, <cmdgroup> and <entity> are optional.
Example 1:
> add policy expression
> add expression
> add exp
> ae
Example 2:
> show lb vservers
> shlbv (group name needed, as "shcsv" also exists)

CLI - Look and Feel


CLI Navigation
Familiar file system access through the BSD shell
<Tab> key: Command completion
<?> key: Help, matching commands with the same prefix
<Ctrl>+<a> keys: Moves cursor to the beginning of the line
<Ctrl>+<e> keys: Moves cursor to the end of the line
<Ctrl>+<u> keys: Clears the entire line, regardless of cursor position

CLI - Additional Features


NSCLI can indicate the location of a syntax error with carets
> add vserver vs1 htto 10.101.4.99 80
                  ^^^^
ERROR: invalid argument value [serviceType, htto]
> add server s1
                ^
ERROR: required argument missing
Usage: add server <name> <IPAddress> [-state ( ENABLED | DISABLED )]

CLI - Additional Features


Built in Help and MAN

> help <commandName>    for full usage of a specific command
> help <groupName>      for brief usage of a group of commands
> help -all             for brief usage of all NSCLI commands
> man <command>         full syntax and description of command

NetScaler help is ALWAYS correct (driven by the NSCLI parser)

CLI - MAN Pages


Additional syntax over help statements
Issued from the CLI

> man add system user


NSCLI - Show Example


> show interface 1/1
Interface 1/1 (NIC 1/dc1) Digital 21143-xD Fast Ethernet
flags=0xc000 <ENABLED, UP, autoneg, HAMON, 802.1q>
MTU=1514, native vlan=1, MAC=00:c0:95:ca:68:61, uptime 152h06m52s
Requested: media AUTO, speed AUTO, duplex AUTO, fctl NONE
Actual: media UTP, speed 100, duplex FULL, fctl NONE
RX: Pkts(17286791) Bytes(1045065936) Errs(0) Drops(279372)
TX: Pkts(2968184) Bytes(377036331) Errs(0) Drops(1)
NIC: InDisc(0) OutDisc(0) Fctls(0) Hangs(0)
Done

CLI - Example Commands


> show info
> set ns config -httpport 80
> show runningconfig
> add ns ip 10.0.100.43 255.255.255.0
Add a subnet IP on a directly attached network
> set rnat 10.0.100.0
Enable RNAT for a private network
> show route
Show routes
> shell
Access FreeBSD prompt
> batch -fileName lb.txt -outFile error.log
Execute all the lines in lb.txt as CLI commands, and capture output in error.log
> reboot
> quit

Licensing

NetScaler Offerings
Packaged for broad adoption for all users

Standard Edition: Comprehensive L4-7 load balancing and optimizes expensive server and network resources to reduce cost
Enterprise Edition: Web application delivery solution providing advanced traffic management and powerful application acceleration
Platinum Edition: Web application delivery solution designed to deliver mission-critical applications with web application firewall security, fastest

NetScaler Licensing
Appliance licensing
One license per appliance (physical or virtual)
Ability to upgrade throughput via a license within each physical MPX/SDX appliance
License file determines the available features and system performance limits to enable on the appliance

License Files

Activated and downloaded to the appliance from MyCitrix, a self-service portal
No central license server
License file hosted on the NetScaler appliance

[Diagram labels: MyCitrix; NetScaler MPX, License File; NetScaler VPX, License File; NetScaler SDX, License File, Instance License Files; NetScaler Feature Matrix]

NetScaler Platform Availability


Model   MPX Standard   MPX Enterprise   MPX Platinum   SDX
5500    YES            YES              YES            NO
7500    YES            YES              YES            NO
9500    YES            YES              YES            NO
9700    YES            YES              YES            NO
10500   YES            YES              YES            NO
11500   YES            YES              YES            YES
12500   YES            YES              YES            NO
13500   YES            YES              YES            YES
14500   YES            YES              YES            YES
15500   YES            YES              YES            NO
16500   YES            YES              YES            YES
17500   YES            YES              YES            YES
17550   YES            YES              YES            YES
18500   YES            YES              YES            YES
19500   YES            YES              YES            YES
19550   YES            YES              YES            YES
20550   YES            YES              YES            YES
21500   YES            YES              YES            YES
21550   YES            YES              YES            YES

NetScaler Accessories Availability


Accessory                      MPX5500         MPX7500-9500    MPX10500-15500   MPX17500-21550
Power supply AC                Not available   Available       Available        Available
Power supply DC                Not available   Available       Available        Not available
Rail kit tool less 24 inch     Available       Available       Not available    Not available
Rail adaptor (round hole)      Available       Available       Available        Available
Rail adaptor (2 post rack)     Available       Available       Available        Available
Short rail kit                 Not available   Not available   Available        Available
Hard disk drive                Available       Available       Available        Available
Solid state HDD                Not available   Not available   Not available    Available
Flash card                     Available       Available       Available        Not available
HDD+FC                         Available       Available       Available        Not available
SFP fiber SR 4-pack            Not available   Available       Available        Not available
SFP fiber LR single            Not available   Available       Available        Not available
SFP copper                     Not available   Available       Available        Not available
10G SFP+ SR (300m) - single    Not available   Not available   Available        Available
10G SFP+ LR (10km) - single    Not available   Not available   Available        Available

Rail kit (standard): Available, Available, Available

Software License Option Availability


NetScaler Software License Options (via software license; new per unit license pricing)

Option                                            Standard          Enterprise        Platinum
AppCompress                                       Additional Cost   Included          Included
GSLB                                              Additional Cost   Included          Included
Application Firewall                              N/A               Additional Cost   Included
AppCache (MPX 5500/7500, 7000 series)             N/A               Additional Cost   Included
AppCache (excluding MPX 5500/7500, 7000 series)   N/A               Additional Cost   Included
EdgeSight for NetScaler                           N/A               Additional Cost   Included

NetScaler Cloud Bridge Pricing


NetScaler Cloud Bridge Offering   HTTP Throughput   Branch Repeater VPX License Entitlements
Cloud Bridge VPX 10               10 Mbps           1 Branch Repeater VPX 10
Cloud Bridge VPX 200              200 Mbps          4 Branch Repeater VPX 45
Cloud Bridge MPX 7500             500 Mbps          10 Branch Repeater VPX 45

NetScaler Cloud Bridge Feature Comparisons


Product Features

NetScaler CloudBridge

L4-7 Traffic Management (NS-S TM functionality)

Global Server Load Balancing

Site-to-Site WAN Optimization (via inclusion of BRVPX)

Secure, transparent L2/3 Bridge

Access Gateway (SSL VPN)


Content Compression (user-facing)
Content Caching (user-facing)
Web Application Firewall
EdgeSight for NetScaler

NetScaler VPX Availability


5 VPX appliances available
VPX Express* - 1 Mbps (Free)
VPX10 - 10 Mbps
VPX200 - 200 Mbps
VPX1000 - 1 Gbps
VPX3000 - 3 Gbps
All platform licenses available in all models (Standard, Enterprise, Platinum)

*Not available in Service Provider Licensing

NetScaler MPX FIPS Pricing


Model            Standard Edition   Enterprise Edition   Platinum Edition
NS 9010 FIPS     N/A                YES                  YES
MPX 9700 FIPS    YES                YES                  YES
MPX 10500 FIPS   YES                YES                  YES
MPX 12500 FIPS   YES                YES                  YES
MPX 15500 FIPS   YES                YES                  YES

Citrix Application Firewall Availability


Application Firewall Platforms   Throughput
App Firewall 5500 Platform       500 Mbps
App Firewall 7500 Platform       1 Gbps
App Firewall 9500 Platform       2 Gbps
App Firewall 10500 Platform      3 Gbps
App Firewall 12500 Platform      5 Gbps

[Diagram labels: MPX 5500, MPX 7500, MPX 9500, MPX 10500, MPX 12500]

NetScaler Upgrades

NetScaler - Platform Upgrade Availability

MPX (via software license)   Standard   Enterprise   Platinum
MPX 7500 to MPX 9500         YES        YES          YES
MPX 10500 to MPX 12500       YES        YES          YES
MPX 11500 to MPX 13500       YES        YES          YES
MPX 11500 to MPX 14500       YES        YES          YES
MPX 10500 to MPX 15500       YES        YES          YES
MPX 11500 to MPX 16500       YES        YES          YES
MPX 11500 to MPX 18500       YES        YES          YES
MPX 12500 to MPX 15500       YES        YES          YES
MPX 11500 to MPX 20500       YES        YES          YES
MPX 17500 to MPX 19500       YES        YES          YES
MPX 13500 to MPX 14500       YES        YES          YES
MPX 13500 to MPX 16500       YES        YES          YES
MPX 13500 to MPX 18500       YES        YES          YES
MPX 13500 to MPX 20500       YES        YES          YES
MPX 14500 to MPX 16500       YES        YES          YES
MPX 14500 to MPX 18500       YES        YES          YES
MPX 14500 to MPX 20500       YES        YES          YES
MPX 16500 to MPX 18500       YES        YES          YES
MPX 17500 to MPX 21500       YES        YES          YES
MPX 16500 to MPX 20500       YES        YES          YES
MPX 18500 to MPX 20500       YES        YES          YES
MPX 17550 to MPX 19550       YES        YES          YES
MPX 17550 to MPX 20550       YES        YES          YES
MPX 17550 to MPX 21550       YES        YES          YES
MPX 19550 to MPX 20550       YES        YES          YES
MPX 19550 to MPX 21550       YES        YES          YES
MPX 20550 to MPX 21550       YES        YES          YES
MPX 19500 to MPX 21500       YES        YES          YES

NetScaler - Platform Upgrade Availability


SDX (via software license)   Platinum
SDX 11500 to SDX 13500       YES
SDX 13500 to SDX 14500       YES
SDX 14500 to SDX 16500       YES
SDX 16500 to SDX 18500       YES
SDX 18500 to SDX 20500       YES
SDX 17500 to SDX 19500       YES
SDX 19500 to SDX 21500       YES
SDX 17550 to SDX 19550       YES
SDX 19550 to SDX 20550       YES
SDX 20550 to SDX 21550       YES

Note: NetScaler SDX with clustering not available at this time

NetScaler MPX to SDX Platform Conversion


Conversion               OS and License update* Available
MPX 11500 to SDX 11500   YES
MPX 13500 to SDX 13500   YES
MPX 14500 to SDX 14500   YES
MPX 16500 to SDX 16550   YES
MPX 17500 to SDX 17500   YES
MPX 18500 to SDX 18500   YES
MPX 19500 to SDX 19500   YES
MPX 20500 to SDX 20500   YES
MPX 17550 to SDX 17550   YES
MPX 19550 to SDX 19550   YES
MPX 20550 to SDX 20550   YES
MPX 21550 to SDX 21550   YES
MPX 21500 to SDX 21500   YES

*Requires an update kit

Citrix Application Firewall Edition Upgrades


Application Firewall Platform Upgrades (via software license)   Throughput Upgrade
MPX 7500 to MPX 9500                                            1 Gbps to 2 Gbps
MPX 10500 to MPX 12500                                          3 Gbps to 5 Gbps

[Diagram labels: MPX 7500, MPX 9500, MPX 10500, MPX 12500, License Upgrade]

Citrix Application Firewall - Pay-as-you-grow


Platform and Burst Pack Upgrade Availability

Model       Upgrade Charge to MPX 15500   Upgrade Charge to MPX 19500   Upgrade Charge to MPX 21500
MPX 10500   Available                     ----                          ----
MPX 12500   Available                     ----                          ----
MPX 17500   ----                          Available                     Available
MPX 19500   ----                          ----                          Available
MPX 21500   ----                          ----                          ----

Model       Burst License to MPX 15500    Burst License to MPX 19500    Burst License to MPX 21500
MPX 10500   Available                     ----                          ----
MPX 12500   Available                     ----                          ----
MPX 17500   ----                          ----                          Available
MPX 19500   ----                          ----                          Available
MPX 21500   ----                          ----                          ----

Citrix Volume Licensing

Commercial: EASY
SMB Customers
No Customer Discounts
Advisor Rewards Eligible

Commercial: ELA
Medium to Large Businesses
Customer Discounts based on Initial Purchase
Advisor Rewards Eligible
ELA 7 Require AVP, GEO VP and Finance Controller approval

Public Sector
Education: Academic and Non-Profit Institutions
GSA: Federal, State, and Local Government entities inside the United States
GELA: other Government programs, outside the United States

NetScaler - Burst Pack Upgrade Pricing

MPX 7500 to MPX 9500 (1 Gb to 3 Gb)
MPX 10500 to MPX 15500 (5 Gb to 15 Gb)
MPX 11500 to MPX 18500 (5 Gb to 30 Gb)
MPX 12500 to MPX 15500 (8 Gb to 15 Gb)
MPX 13500 to MPX 18500 (12 Gb to 30 Gb)
MPX 14500 to MPX 18500 (16 Gb to 30 Gb)
MPX 16500 to MPX 18500 (20 Gb to 30 Gb)
MPX 17500 to MPX 21500 (20 Gb to 50 Gb)
MPX 17550 to MPX 21550 (20 Gb to 50 Gb)
MPX 19500 to MPX 21500 (35 Gb to 50 Gb)
MPX 19550 to MPX 21550 (30 Gb to 50 Gb)
MPX 20550 to MPX 21550 (40 Gb to 50 Gb)
VPX100 to VPX3000 (1 Gb to 3 Gb)

Notes:
A 90-day license used to accommodate above average traffic conditions and reassess permanent capacity requirements
Licenses are purchased in quantity of one
For Burst Licenses, use a web key obtained via email to generate Burst License via http://www.mycitrix.com.
There are no associated maintenance

NetScaler - Burst Pack Upgrade Availability


NetScaler Burst 90-Day with Cluster   STD   ENT   PLT
MPX 7500 to MPX 9500                  YES   YES   YES
MPX 10500 to MPX 15500                YES   YES   YES
MPX 12500 to MPX 15500                YES   YES   YES
MPX 11500 to MPX 18500                YES   YES   YES
MPX 13500 to MPX 18500                YES   YES   YES
MPX 14500 to MPX 18500                YES   YES   YES
MPX 16500 to MPX 18500                YES   YES   YES
MPX 11500 to MPX 20500                YES   YES   YES
MPX 13500 to MPX 20500                YES   YES   YES
MPX 14500 to MPX 20500                YES   YES   YES
MPX 16500 to MPX 20500                YES   YES   YES
MPX 18500 to MPX 20500                YES   YES   YES
MPX 17500 to MPX 21500                YES   YES   YES
MPX 19500 to MPX 21500                YES   YES   YES
MPX 17550 to MPX 21550                YES   YES   YES
MPX 19550 to MPX 21550                N/A   N/A   YES
MPX 20550 to MPX 21550                N/A   N/A   YES
SDX 17500 to SDX 21500                YES   YES   YES
SDX 19500 to SDX 21500                N/A   N/A   YES
VPX 1000 to VPX 3000                  N/A   N/A   YES
SDX 11500 to SDX 20500                N/A   N/A   YES
SDX 11500 to SDX 18500                N/A   N/A   YES
SDX 13500 to SDX 18500                N/A   N/A   YES
SDX 14500 to SDX 18500                N/A   N/A   YES
SDX 16500 to SDX 18500                N/A   N/A   YES
SDX 13500 to SDX 20500                N/A   N/A   YES
SDX 14500 to SDX 20500                N/A   N/A   YES
SDX 16500 to SDX 20500                N/A   N/A   YES
SDX 18500 to SDX 20500                N/A   N/A   YES
SDX 17550 to SDX 21550                N/A   N/A   YES
SDX 19550 to SDX 21550                YES   YES   YES
SDX 20550 to SDX 22550                YES   YES   YES

High Availability

High Availability Topics

High Availability Concepts


Typical Configurations
Node and Interface Configuration
Managing HA
Failover Dos and Don'ts
Replacing Failed Node
Software Upgrade
Monitoring HA


HA - Concepts
NetScaler High Availability (HA) is a base functionality
Does not need to be enabled
Does need to be configured

NetScaler HA pair is a single logical unit for traffic handling

Active Standby topology


Two nodes = Primary and Secondary
Separate NSIP, interface configurations
Co-managed pool of MIPs, VIPs, SNIPs

Monitored interfaces and HW


Local health check


HA - Concepts
Negotiation
Who's in charge?

Propagation
Commands sent from Primary to Secondary

Synchronization
Configuration synchronized between Primary and Secondary


HA - Design Considerations
By default management and heartbeat sent via L2
Distance between nodes is not a limitation
L2 connectivity between the two HA nodes must allow the heartbeat to be received within 3 seconds by default

HA - Typical Configuration

Note: Mapped IP is shared between the failover pair (single logical unit)

HA - Configuration Process
Starting with two new systems: NS-A and NS-B

Setup overview
Setup NS-A: basic IP and HA configuration, no traffic features
Connect NS-A to network
Setup NS-B: basic IP and HA configuration, no traffic features
Connect NS-B to network
Verify HA Status: NS-A primary, NS-B secondary
Configure traffic handling features on primary: secondary will be automatically synchronized

HA - Node and Interface Setup


On each Citrix NetScaler in the pair, create a node ID pointing to the other Citrix NetScaler
Node ID must be unique integer
Node ID does not set any precedence for primary
Command: add node <ID> <IP>

Node creation example
Assume NS-A at NSIP 10.10.1.4, NS-B at NSIP 10.10.1.8
On NS-A: add node 2 10.10.1.8
On NS-B: add node 1 10.10.1.4

Interface management (automatic)
Disable all unused interfaces
Command: disable interface <int> where <int> is, e.g., 1/3

HA - GUI


HA - Completing Setup
Verify negotiation
NS-A primary, NS-B secondary

Enter rest of configuration ON PRIMARY


Servers, services, VIPs, monitors, etc.

save config on primary


Verify propagation of configuration ON SECONDARY NetScaler
> show runningconfig
Reboot both systems, one at a time
Verify correct failover functionality


HA - Show Node Information


> show node
1)  Node ID: 0
    IP: 10.102.1.172
    Master State: Primary
    Node State: UP
    Sync state: SUCCESS.
    Enabled Interfaces: <list of interfaces >
    HA monitor ON Interfaces:<list of interfaces >
    Disabled Interfaces:<list of interfaces >
    Interfaces causing Partial Failure: <list of interfaces >
    SSL card status: UP/DOWN

HA - Managing Configurations
set node command
> set node [-hastatus ( ENABLE | STAYSECONDARY | DISABLE )] [-hasync ( ENABLE | DISABLE )]
STAYSECONDARY - Holds node secondary, even if primary goes down
DISABLE - Hold node secondary and do not synchronize to primary's configuration

force failover command
> force failover
Executed from either NS in the HA pair

HA - Force Synchronization
> force ns synch
Will not work when:
Executed on Standalone System
HA is Disabled
HA Synchronization is disabled

Issued on either node, Primary or Secondary


HA - Failover Dos and Don'ts


Do not connect two NetScaler systems by a cross-over cable
Risk of bridge loop

Be sure all unused interfaces are disabled
> disable interface <x/y>

nsroot password synchronization
Both nodes need same password for the nsroot account
Not required for root or nsmaint accounts

HA - Failover Dos and Don'ts


Ancillary Files Synchronization
Configuration files in the NS file system must be present in the same location on both nodes of the HA pair

Use scp for secure file transfer
A typical command might look something like this:
# scp myfile.txt nsroot@192.168.100.200:/var/tmp/myfile.txt

It is not recommended to run HA with different versions
For upgrade testing, keep the NS with the older build powered off during the test period
To fail over, power off the *newer* NS and power on the *older* Citrix NetScaler

HA - Replacing a Failed Node


Cleanup
Issue "save config" on working primary unit
Recover any debug information from defective unit
Remove defective unit from network

Configure replacement offline
Configure the replacement unit as in initial HA setup
Add working primary as a node
Force the replacement unit to stay secondary

Connect the replacement
Verify secondary status
Populate all environmental files from primary
Verify configuration synchronization
Release the replacement unit from forced secondary state

HA - Upgrade Procedure
Perform rolling upgrade

Open two telnet or SSH sessions side by side


Follow Upgrade Procedure to upgrade Secondary
On Primary, force failover
Verify failover was successful and former Secondary is now Primary
Upgrade former Primary


HA - Improper VLAN Sync.


Ensure that the NetScaler's VLAN configuration is done after configuring the Citrix NetScaler with the High Availability setup
For NetScaler systems in a High Availability setup, synchronization does not work properly when only one Citrix NetScaler system has a VLAN configuration

HA - Retrieving Lost Configuration


If the primary NetScaler system is unable to send the configuration to the secondary NetScaler system because of a network error, the secondary NetScaler may not have an accurate configuration and may not behave correctly if failover occurs
In this situation, you can retrieve the original primary system's configuration from a back-up copy present on the NetScaler's disk

HA - Retrieving Lost Configuration


NetScaler saves the last four copies of the ns.conf file in the /nsconfig directory
These are named ns.conf.0, ns.conf.1, and so on
The ns.conf.0 file contains the latest configuration
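
A way to check the secondary for the stale configuration described above, and to carry out the "verify propagation" step from HA - Completing Setup, as an added example that is not part of the original slides. It compares two saved copies of the configuration and ignores the lines each node is expected to keep for itself; the ns.conf spellings in NODE_LOCAL and both sample configurations are constructed assumptions.

```python
import re

# Commands that legitimately differ between the two nodes of an HA pair. Per
# the slides each node keeps its own NSIP, its own peer-node entry and its own
# interface settings. The exact ns.conf spellings here are assumptions.
NODE_LOCAL = re.compile(
    r"^(set ns config -IPAddress|add node|add HA node|"
    r"set interface|enable interface|disable interface)\b",
    re.IGNORECASE,
)


def shared_lines(config_text):
    """Return the commands both nodes should hold, whitespace-normalised."""
    kept = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        if line.startswith("> "):           # tolerate pasted CLI prompts
            line = line[2:]
        if not line or line.startswith("#"):
            continue
        if NODE_LOCAL.match(line):
            continue
        kept.append(line)
    return kept


def config_drift(primary_text, secondary_text):
    """Return (missing_on_secondary, only_on_secondary) as ordered lists."""
    primary = shared_lines(primary_text)
    secondary = shared_lines(secondary_text)
    primary_set, secondary_set = set(primary), set(secondary)
    missing = [line for line in primary if line not in secondary_set]
    extra = [line for line in secondary if line not in primary_set]
    return missing, extra


# Constructed sample configurations (NS-A primary, NS-B secondary).
PRIMARY = """\
set ns config -IPAddress 10.10.1.4 -netmask 255.255.255.0
add node 2 10.10.1.8
disable interface 1/3
add ns ip 10.0.100.43 255.255.255.0
add server s1 10.0.100.10
add vserver vs1 http 10.101.4.99 80
"""

SECONDARY = """\
set ns config -IPAddress 10.10.1.8 -netmask 255.255.255.0
add node 1 10.10.1.4
disable interface 1/3
disable interface 1/4
add ns ip 10.0.100.43   255.255.255.0
add server s1 10.0.100.10
"""

if __name__ == "__main__":
    missing, extra = config_drift(PRIMARY, SECONDARY)
    for line in missing:
        print("missing on secondary:", line)
    for line in extra:
        print("only on secondary:   ", line)
```

The same function can compare a node's current ns.conf with one of its ns.conf.N back-up copies before a configuration is restored.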


HA - Connection Failover / Mirroring


Connection failover allows a TCP connection, established through a primary node, to remain active after failover
By default, two Citrix NetScaler systems that comprise an HA pair do not exchange any information pertaining to existing packet flows
i.e., TCP sessions on the primary are lost during failover

Connection failover ensures that the new primary maintains a relationship between incoming packets, belonging to the previously established connections, after failover

Backups and Upgrades

Code Upgrade
Overview
Code upgrades are done by uploading a compressed tar file, extracting it, then running an install script
Through the GUI, this is handled behind the scenes, but it can be done manually as well
Downgrades are handled the same way, but risk having parts of the configuration dropped due to additional configuration directives.
In some cases, old boot files will need to be removed manually via the BSD shell, as indicated by an error on the install

Code Upgrade Instructions

To start the upgrade process through the GUI, go to the Diagnostics tab under System and select the Upgrade Wizard button
Next, point to the upgrade file (.tgz) located locally or on the appliance:

Code Upgrade Instructions


Next select the correct license to apply:


Code Upgrade Instructions


Then upgrade the documentation file if available, and then proceed to apply the upgrade and reboot:

LAB Module 1 Exercise 1


To begin the lab, browse to:
http://training.mycitrixcloud.net/geoilt
Enter your business email and this session code:

NETSCALER-WORKSHOP

Work better. Live better.
