Module_01_Core_Configuration

Partner Workshop Support:
NetScaler ADC Fundamentals
David Jimenez
Senior Technical Readiness Specialist
Agenda
Day 1 (NetScaler Fundamental Concepts)
Module 1 – Core Configuration (Lab)
Module 2 – Traffic Management (Lab)
Module 3 – SSL (Lab)
Day 2 (NetScaler Intermediate Concepts)
Module 4 – Optimization (Slides)
Module 5 – Rewrite and Responder (Labs)
Module 6 – DataStream (Labs)
Module 7 – SDX (Slides)
Module 8 – Troubleshooting (Slides)
© 2012 Citrix | Confidential – Do Not Distribute
Core Configuration
Hardware and Components
NetScaler Hardware
MPX 5500
VPX
MPX 7500 and MPX 9500
MPX 10500/12500/15000/15500
MPX 17000/17500/19500/21500
SDX
Differences Between MPX and VPX
• Three main differences exist between MPX and VPX:
ᵒ System capacity
ᵒ Performance
ᵒ Tagged VLAN Configuration
• NetScaler VPX system capacity:
ᵒ No hardware SSL acceleration
ᵒ Processing not offloaded to dedicated silicon
When to Use Which?
NetScaler Appliances
NetScaler VPX
• Gig+ performance
• Labs/test environments
• High volume SSL Offload
• Development environments
• >100 SSL VPN CCUs
• “Datacenter-in-a-box”
• FIPS requirements
• CPU-intensive workloads
• Physical device security
• Frequently moved apps
• Fast/remote deployment
NetScaler SDX
• Instances, not partitions
• Complete CPU isolation
• Complete memory isolation
• Version independence
• High availability independence
• Lifecycle independence
Architecture
Overview of the NetScaler Architecture
• The NetScaler design is based on a layered model between the NetScaler Kernel and the BSD Operating System
• The NetScaler Kernel operates below the BSD Kernel, and controls
ᵒ Timeslicing for BSD
ᵒ Network access
ᵒ SNMP and syslog processing
ᵒ SSL Offload
• BSD manages
ᵒ The boot process
ᵒ Filesystem access
ᵒ Long-term logging
Initial Setup
Networking Concepts
Network Topologies
One-Armed
[Figure: one-armed topology. The Public/Front VLAN and the Private/Server VLAN both reach the NetScaler's single interface; 1. user request, 2. request forwarded to the server, 3. server response, 4. response returned to the user]
• One-armed topologies have several benefits
ᵒ Simple: one physical interface and no risk of bridge loops
ᵒ May make use of one or many VLANs with 802.1q tagging
ᵒ Can make use of Link Aggregation to satisfy bandwidth requirements
ᵒ Very few failure modes, easing HA failure analysis
If you are able to, one-armed topologies are the preferred method of deploying NetScaler in most environments, and they are what we will use today
Network Topologies
Two-Armed
[Figure: two-armed topology. 1. user request arrives on the Public/Front VLAN, 2. request forwarded on the Private/Server VLAN, 3. server response, 4. response returned to the user]
• Two-armed topologies work in situations where one-armed doesn’t
ᵒ Allows layer 3 style deployments with split subnets (as shown)
ᵒ Allows layer 2 style deployments with one subnet on both sides
ᵒ Supports transparent compression and SSL offload
ᵒ Supports USIP or Use Source IP processing without server changes
The most common implementation of two-armed topologies is when a NetScaler is replacing another legacy two-armed device in a network
NetScaler Owned IP Addresses
• The NetScaler uses a set of IP addresses to communicate with other devices
• These IP addresses also enable NetScaler to abstract backend servers and multiplex connections
• IP addresses owned by NetScaler are:
ᵒ NSIP – NetScaler IP Address
ᵒ MIP – Mapped IP Address
ᵒ SNIP – Subnet IP Address
ᵒ VIP – Virtual IP Address/Vserver IP Address
ᵒ GSLB – Site IP Address
NetScaler Owned IP Addresses
• NetScaler IP Address (NSIP)
ᵒ Unique IP address of NetScaler system
ᵒ Commonly referred to as management IP address
ᵒ NetScaler can be accessed via this IP address
ᵒ The NetScaler can only possess a single NetScaler IP address
ᵒ Added when configuring NetScaler for first time
ᵒ Reboot NetScaler system after modifying this IP address
ᵒ The NetScaler IP address is mandatory configuration
NetScaler Owned IP Addresses
• Mapped IP Address (MIP)
ᵒ Mapped IP addresses (MIP) are used for server-side connections
(communicating with servers) and Reverse NAT
ᵒ The Mapped IP address is NOT the IP address of the NetScaler
system
ᵒ Refer to the Using Mapped IP Addresses section of documentation
for more details regarding the management of MIPs
NetScaler Owned IP Addresses
• Subnet IP Address (SNIP)
ᵒ This allows the user to access a NetScaler system from an external
host that resides on another subnet
ᵒ When SNIP address is added, a corresponding route entry is made in
the route table.
ᵒ Only one such entry is made per subnet, and the route entry
corresponds to the first IP address added in the subnet
ᵒ Unlike NSIP and MIP, it is not mandatory to specify the Subnet IP
address (SNIP) during the initial configuration of the NetScaler
system
NetScaler Owned IP Addresses
• Virtual Server IP Address (VIP)
ᵒ The Virtual Server IP address (VIP) is the IP address associated with
a vserver
ᵒ This is the normal method for configuring explicit services
ᵒ Like SNIP, it is not mandatory to specify the Virtual Server IP address
during the initial configuration of the NetScaler
ᵒ ARP and ICMP attributes on this IP address allow users to host the
same vserver on multiple NetScaler systems that reside on the same
broadcast domain
NetScaler Owned IP Addresses
• GSLB Site IP Address
ᵒ Use the add GSLB site command to add this IP address
ᵒ This address is used for GSLB local site configuration
• Cluster IP Address (CLIP)
ᵒ Use the add CLIP command to add this IP address
ᵒ This address is used for cluster configuration
NetScaler System Networking Overview
• The NetScaler system is fundamentally a TCP proxy at layer 4 that reuses
connections to the server
• This reuse is done by proxying, at layer 3, the IP address of the client that the
server sees
Client IP Address to Virtual IP Address
[Figure: the client (Client IP) connects to the Citrix NetScaler VIP; the NetScaler opens the server-side connection from its MIP/SNIP to the Backend Server (Server IP)]
NetScaler Networking
[Figure: on a typical network endpoint device, NIC 1 (MAC 1) is bound to IP Address 1 and NIC 2 (MAC 2) to IP Address 2, and each data interface (MAC) sends and receives only for its bound IP address. On a Citrix NetScaler, NIC 1 (MAC 1) and NIC 2 (MAC 2) attach to Subnet A and Subnet B, the system owns IP Address 1…IP Address n, and each data interface (MAC) can send and receive for all IP addresses]
NetScaler Modes
• Layer-3 mode
• Layer-2 mode
• MAC-Based forwarding
• USIP
Routing Traffic Using Layer 3 Mode
Layer 3 mode:
• Is enabled by default
• Used to make traffic routing decisions
Routing Traffic Using Layer 2 Mode
• The NetScaler system forwards data that is not addressed to its MAC address
when running in Layer 2 mode
• The exceptions to this forwarding behavior are:
ᵒ Broadcasts received on an interface associated with a VLAN
ᵒ ICMP and UDP traffic that exceeds the value set for packet rate filters
Note: L2 mode should be avoided
MAC-Based Forwarding Mode
[Figure: VIP vserver-LB-1 (IP address 10.102.29.13) is reached through Router 1 (IP address 10.10.1.2) and Router 2 (IP address 10.10.1.1); Server 1 (Service: service-ANY-1) and Server 2 (Service: service-ANY-2) sit behind them. The IP and MAC addresses are cached]
Sending a Client IP Address to Servers and Use
Source IP Mode
• The NetScaler system supports the insertion of a Custom HTTP Header, which
will have the original IP address of the client that can be extracted for logging or
by applications that need it
• Use Source IP (USIP) mode:
ᵒ Is OFF by default
ᵒ Must have surge protection disabled
ᵒ Should be avoided
Reverse Network Address Translation
• Reverse Network Address Translation (RNAT) allows server side addresses to
be translated to the MIP or a SNIP address of the NetScaler system when
servers send data through the system
• File Transfer Protocol (FTP) is supported by RNAT
RNAT Example
[Figure: Client (200.200.200.1) on the Internet; NetScaler MIP Address (100.100.100.1); Backend Server (192.168.1.1) on the Private Network]
Packet generated by the backend server: Source IP Address 192.168.1.1, Destination IP Address 200.200.200.1
Packet received by the client after RNAT: Source IP Address 100.100.100.1, Destination IP Address 200.200.200.1
Response packet from client: Source IP Address 200.200.200.1, Destination IP Address 100.100.100.1
Packet received by the server after RNAT: Source IP Address 200.200.200.1, Destination IP Address 192.168.1.1
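The translation shown above, as a stateful model added here (illustrative code, not NetScaler's implementation): packets the private server initiates leave with the MIP as their source, the client's reply to the MIP is mapped back to the server, and traffic to the MIP with no matching flow is dropped. The private network 192.168.1.0/24 and the port numbers are assumptions; the slide shows only the three IP addresses.

```python
"""Stateful model of the RNAT translation on the slide (illustrative code,
not NetScaler's own implementation).

Port tracking is an added generalization: the slide shows only IP addresses.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Rnat:
    """Translate between (server ip, port) and (MIP, mapped port) per client flow."""

    def __init__(self, mip: str, private_net: str) -> None:
        self.mip = mip
        self.net = ip_network(private_net)  # assumed RNAT network (constructed)
        # (client ip, client port, mapped port) -> (server ip, server port)
        self.table: Dict[Tuple[str, int, int], Tuple[str, int]] = {}
        self.next_port = 1024  # constructed allocator; real devices use port pools

    def outbound(self, pkt: Packet) -> Packet:
        """Server -> client: rewrite the source to the MIP and remember the mapping."""
        if ip_address(pkt.src_ip) not in self.net:
            return pkt  # not covered by the RNAT rule: forwarded unchanged
        for (cip, cport, mport), server in self.table.items():
            if (cip, cport) == (pkt.dst_ip, pkt.dst_port) and server == (pkt.src_ip, pkt.src_port):
                return replace(pkt, src_ip=self.mip, src_port=mport)  # existing flow
        mport = self.next_port
        self.next_port += 1
        self.table[(pkt.dst_ip, pkt.dst_port, mport)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.mip, src_port=mport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Client -> MIP: map the destination back to the server; None means dropped."""
        if pkt.dst_ip != self.mip:
            return pkt  # destined elsewhere (e.g. a VIP): not RNAT's concern
        server = self.table.get((pkt.src_ip, pkt.src_port, pkt.dst_port))
        if server is None:
            return None  # no flow was initiated from inside: unsolicited, dropped
        return replace(pkt, dst_ip=server[0], dst_port=server[1])


def demo() -> Tuple[Packet, Optional[Packet]]:
    """Replay the slide: server 192.168.1.1 -> client 200.200.200.1 via MIP 100.100.100.1."""
    rnat = Rnat("100.100.100.1", "192.168.1.0/24")
    out = rnat.outbound(Packet("192.168.1.1", 40000, "200.200.200.1", 443))
    back = rnat.inbound(Packet("200.200.200.1", 443, "100.100.100.1", out.src_port))
    return out, back


if __name__ == "__main__":
    print(demo())
```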
Command Line Basics
GUI / CLI
• Access the GUI by going to NSIP
• Access the CLI through SSH client (PuTTY)
• Access file system through SFTP client (WinSCP)
Key CLI Commands
• > show run
• > show route
• > show ns feature
• > show ns mode
• > show ha node
• > show license
Running Config, Saved Config
• ns.conf loaded on startup
• Changes reflected in running config
• Changes must be committed to saved config
CLI Configuration Toolset
• On-board Command Line Interface NSCLI
ᵒ Default shell for nsroot user
ᵒ Command “hierarchy”
• Basic commands at the top (service, vserver, vlan, system, tunnel, vpn...)
• Remaining commands in functional sub-groups (lb, ssl, cs, cr, dos, snmp…)
• Verb-object style
ᵒ Commands stored in /nsconfig/ns.conf via save config command
• FreeBSD shell
Command Line Interfaces
• > NSCLI
e.g., train_73>
• # FreeBSD
e.g., root@ns#
ᵒ To get here from the NSCLI: > shell
• Use this command to move to the FreeBSD command prompt, where FreeBSD commands may be entered
• Press the <Control> + <D> keys or type “exit” to return to the Citrix NetScaler system CLI prompt
CLI Look and Feel
• Command abbreviation
ᵒ The first few letters of a CLI command are sufficient to invoke it, provided they are
unique. For example, enter sh for the command show
• Command completion
ᵒ Entering a partial command followed by a question mark displays all commands
matching the partial command. For example, entering sh? displays shell, show and
shutdown (on successive lines)
• Command help
ᵒ Help displays a syntax description of any CLI command
• Command history
ᵒ History displays up to the last 100 previous commands
NSCLI - Command Abbreviation
• Command abbreviation
ᵒ Group name is (usually) optional.
ᵒ <action> and <entity> can be shortened to shortest unique prefix
ᵒ Spaces between <action>, <cmdgroup> and <entity> are optional.
• Example 1:
> add policy expression
> add expression
> add exp
> ae
• Example 2:
> show lb vservers
> shlbv (group name needed, as "shcsv" also exists)
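The abbreviation rules above, as a resolver added here (illustrative code, not NetScaler's parser) over a constructed subset of the command tree. It reproduces both slide examples and reports the ambiguity of `shv` (show lb vserver vs. show cs vserver), which is why the group name is needed in Example 2.

```python
"""Resolver for NSCLI-style command abbreviation (illustrative code,
not NetScaler's parser).

Rules modelled from the slide: the group name is usually optional, <action>
and <entity> may be cut to their shortest unique prefix, and the spaces
between <action>, <cmdgroup> and <entity> are optional.
"""
from typing import List, Optional, Tuple

Command = Tuple[str, str, str]  # (action, group, entity); group "" = no group

# Constructed subset of the command tree, enough to reproduce the slide's
# examples; the real tree is far larger.
COMMANDS: List[Command] = [
    ("add", "policy", "expression"),
    ("add", "lb", "vserver"),
    ("add", "cs", "vserver"),
    ("add", "ns", "ip"),
    ("add", "", "server"),
    ("add", "", "service"),
    ("show", "lb", "vserver"),
    ("show", "cs", "vserver"),
    ("show", "ns", "ip"),
    ("show", "ns", "feature"),
    ("show", "ns", "mode"),
    ("show", "ha", "node"),
    ("show", "", "route"),
    ("show", "", "runningconfig"),
    ("set", "ns", "config"),
    ("save", "ns", "config"),
]


def _matches(text: str, cmd: Command) -> bool:
    """True if text == prefix(action) + [prefix(group)] + prefix(entity)."""
    action, group, entity = cmd
    for i in range(1, len(text)):
        head, rest = text[:i], text[i:]
        if not action.startswith(head):
            continue
        # j == 0 omits the group; j > 0 consumes j chars as a group prefix.
        for j in range(0, len(rest)):
            grp, ent = rest[:j], rest[j:]
            if j and not (group and group.startswith(grp)):
                continue
            if entity.startswith(ent):
                return True
    return False


def resolve(abbrev: str) -> Tuple[Optional[str], List[str]]:
    """Expand an abbreviated command.

    Returns (expansion, candidates): expansion is the unique full command or
    None, and candidates lists every command the abbreviation could mean, the
    way `sh?` lists all commands sharing a prefix.
    """
    text = "".join(abbrev.split()).lower()  # spaces are optional, drop them
    hits = [" ".join(part for part in cmd if part)
            for cmd in COMMANDS if _matches(text, cmd)]
    return (hits[0] if len(hits) == 1 else None), hits


if __name__ == "__main__":
    for a in ("add policy expression", "add exp", "ae", "shlbv", "shv", "shr"):
        print(f"{a!r:24} -> {resolve(a)}")
```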
CLI - Look and Feel
• CLI Navigation
ᵒ Familiar file system access through the BSD shell
ᵒ <Tab> key: Command Completion
ᵒ <?> key: Help, matching commands with the same prefix
ᵒ <Ctrl>+<a> keys: Moves cursor to the beginning of the line
ᵒ <Ctrl>+<e> keys: Moves cursor to the end of the line
ᵒ <Ctrl>+<u> keys: Clears the entire line, regardless of cursor position
CLI - Additional Features
• NSCLI can indicate the location of a syntax error with carets
ᵒ > add vserver vs1 htto 10.101.4.99 80
^^^^
ᵒ ERROR: invalid argument value [serviceType, htto]
ᵒ > add server s1
^
ᵒ ERROR: required argument missing
ᵒ Usage: add server <name> <IPAddress> [-state ( ENABLED | DISABLED )]
CLI - Additional Features
• Built in Help and MAN
ᵒ > help <commandName> for full usage of a specific command
ᵒ > help <groupName> for brief usage of a group of commands
ᵒ > help -all for brief usage of all NSCLI commands
ᵒ > man <command> for full syntax and description of a command
• NetScaler help is ALWAYS correct (driven by the NSCLI parser)
CLI - MAN Pages
• Additional syntax over help statements
• Issued from the CLI
ᵒ > man add system user
NSCLI - Show Example
> show interface 1/1
Interface 1/1 (NIC 1/dc1) Digital 21143-xD Fast Ethernet
flags=0xc000 <ENABLED, UP, autoneg, HAMON, 802.1q>
MTU=1514, native vlan=1, MAC=00:c0:95:ca:68:61, uptime 152h06m52s
Requested: media AUTO, speed AUTO, duplex AUTO, fctl NONE
Actual: media UTP, speed 100, duplex FULL, fctl NONE
RX: Pkts(17286791) Bytes(1045065936) Errs(0) Drops(279372)
TX: Pkts(2968184) Bytes(377036331) Errs(0) Drops(1)
NIC: InDisc(0) OutDisc(0) Fctls(0) Hangs(0)
Done
CLI - Example Commands
> show info
> set ns config -httpport 80
> show runningconfig
> add ns ip 10.0.100.43 255.255.255.0
Add a subnet IP on a directly attached network
> set rnat 10.0.100.0
Enable RNAT for a private network
> show route
Show routes
> shell
Access FreeBSD prompt
> batch -fileName lb.txt -outFile error.log
Execute all the lines in lb.txt as CLI commands, and capture output in error.log
> reboot
> quit
Licensing
NetScaler Offerings
Packaged for broad adoption for all users
• Standard Edition: Comprehensive L4-7 load balancing; optimizes expensive server and network resources to reduce cost
• Enterprise Edition: Web application delivery solution providing advanced traffic management and powerful application acceleration
• Platinum Edition: Web application delivery solution designed to deliver mission-critical applications with web application firewall security, fastest performance, and lowest cost
NetScaler Licensing
Appliance licensing
• One license per appliance (physical or virtual)
• Ability to upgrade throughput via a license within each physical MPX/SDX appliance
• License file determines the available features and system performance limits to enable on the appliance
License Files
• NetScaler MPX: license file, activated and downloaded to the appliance from MyCitrix, a self-service portal
• NetScaler VPX: license file; no central license server
• NetScaler SDX: license file hosted on the NetScaler appliance, plus instance license files
NetScaler Feature Matrix
NetScaler – Platform Availability
Model | MPX Standard | MPX Enterprise | MPX Platinum | SDX
5500  | YES | YES | YES | NO
7500  | YES | YES | YES | NO
9500  | YES | YES | YES | NO
9700  | YES | YES | YES | NO
10500 | YES | YES | YES | NO
11500 | YES | YES | YES | YES
12500 | YES | YES | YES | NO
13500 | YES | YES | YES | YES
14500 | YES | YES | YES | YES
15500 | YES | YES | YES | NO
16500 | YES | YES | YES | YES
17500 | YES | YES | YES | YES
17550 | YES | YES | YES | YES
18500 | YES | YES | YES | YES
19500 | YES | YES | YES | YES
19550 | YES | YES | YES | YES
20550 | YES | YES | YES | YES
21500 | YES | YES | YES | YES
21550 | YES | YES | YES | YES
NetScaler Accessories Availability
Power supply AC
Power supply DC
Rail kit (standard)
Rail kit tool less 24 inch
Rail adaptor (round hole)
Rail adaptor (2 post rack)
Short rail kit
Hard disk drive
Solid state HDD
Flash card
HDD+FC
SFP fiber SR 4-pack
SFP fiber LR single
SFP copper
10G SFP+ SR (300m) - single
10G SFP+ LR (10km) - single
MPX5500
MPX7500-9500
MPX10500-15500
MPX17500-21550
Not available
Not available
Available
Available
Available
Available
Not available
Available
Not available
Available
Available
Not available
Not available
Not available
Not available
Not available
Available
Available
Available
Available
Available
Available
Not available
Available
Not available
Available
Available
Available
Available
Available
Not available
Not available
Available
Available
Available
Not available
Available
Available
Available
Available
Not available
Available
Available
Available
Available
Available
Available
Available
Available
Not available
Not available
Available
Available
Available
Available
Available
Not available
Not available
Not available
Not available
Not available
Available
Available
Software License Option Availability
NetScaler Software License Options (via software license; new per-unit license pricing)
Option | Standard Edition | Enterprise Edition | Platinum Edition
AppCompress | Additional Cost | Included | Included
GSLB | Additional Cost | Included | Included
Application Firewall | N/A | Additional Cost | Included
AppCache (MPX 5500/7500, 7000 series) | N/A | Additional Cost | Included
AppCache (excluding MPX 5500/7500, 7000 series) | N/A | Additional Cost | Included
EdgeSight for NetScaler | N/A | Additional Cost | Included
NetScaler Cloud Bridge Pricing
NetScaler Cloud Bridge Offering | HTTP Throughput | Branch Repeater VPX License Entitlements
Cloud Bridge VPX 10 | 10 Mbps | 1 Branch Repeater VPX 10
Cloud Bridge VPX 200 | 200 Mbps | 4 Branch Repeater VPX 45
Cloud Bridge MPX 7500 | 500 Mbps | 10 Branch Repeater VPX 45
NetScaler Cloud Bridge Feature Comparisons
Product features marked as included in NetScaler CloudBridge:
• L4-7 Traffic Management (NS-S TM functionality)
• Global Server Load Balancing
• Site-to-Site WAN Optimization (via inclusion of BRVPX)
• Secure, transparent L2/3 Bridge
Product features listed without a mark:
• Access Gateway (SSL VPN)
• Content Compression (user-facing)
• Content Caching (user-facing)
• Web Application Firewall
• EdgeSight for NetScaler
NetScaler VPX Availability
• 5 VPX appliances available
• VPX Express* – 1 Mbps (Free)
• VPX10 – 10 Mbps
• VPX200 – 200 Mbps
• VPX1000 – 1 Gbps
• VPX3000 – 3 Gbps
• All platform licenses available in all models (Standard, Enterprise, Platinum)
*Not available in Service Provider Licensing
NetScaler MPX FIPS Pricing
Model | Standard Edition | Enterprise Edition | Platinum Edition
NS 9010 FIPS | N/A | YES | YES
MPX 9700 FIPS | YES | YES | YES
MPX 10500 FIPS | YES | YES | YES
MPX 12500 FIPS | YES | YES | YES
MPX 15500 FIPS | YES | YES | YES
Citrix Application Firewall Availability
Application Firewall Platforms
Platform | Hardware | Throughput
App Firewall 5500 Platform | MPX 5500 | 500 Mbps
App Firewall 7500 Platform | MPX 7500 | 1 Gbps
App Firewall 9500 Platform | MPX 9500 | 2 Gbps
App Firewall 10500 Platform | MPX 10500 | 3 Gbps
App Firewall 12500 Platform | MPX 12500 | 5 Gbps
NetScaler Upgrades
NetScaler - Platform Upgrade Availability
MPX, via software license. Each upgrade below is available (YES) for the Standard, Enterprise and Platinum editions:
MPX 7500 to MPX 9500
MPX 10500 to MPX 12500
MPX 11500 to MPX 13500
MPX 11500 to MPX 14500
MPX 10500 to MPX 15500
MPX 11500 to MPX 16500
MPX 11500 to MPX 18500
MPX 12500 to MPX 15500
MPX 11500 to MPX 20500
MPX 17500 to MPX 19500
MPX 13500 to MPX 14500
MPX 13500 to MPX 16500
MPX 13500 to MPX 18500
MPX 13500 to MPX 20500
MPX 14500 to MPX 16500
MPX 14500 to MPX 18500
MPX 14500 to MPX 20500
MPX 16500 to MPX 18500
MPX 17500 to MPX 21500
MPX 16500 to MPX 20500
MPX 18500 to MPX 20500
MPX 17550 to MPX 19550
MPX 17550 to MPX 20550
MPX 17550 to MPX 21550
MPX 19550 to MPX 20550
MPX 19550 to MPX 21550
MPX 20550 to MPX 21550
MPX 19500 to MPX 21500
NetScaler - Platform Upgrade Availability
SDX
Via software license
Platinum
SDX 11500 to SDX 13500
YES
SDX 13500 to SDX 14500
YES
SDX 14500 to SDX 16500
YES
SDX 16500 to SDX 18500
YES
SDX 18500 to SDX 20500
YES
SDX 17500 to SDX 19500
YES
SDX 19500 to SDX 21500
YES
SDX 17550 to SDX 19550
YES
SDX 19550 to SDX 20550
YES
SDX 20550 to SDX 21550
YES
Note: NetScaler SDX with clustering not available at this time
NetScaler – MPX to SDX Platform Conversion
OS and License update*
Available
OS and License update
Available
MPX 11500 to SDX 11500
YES
MPX 17550 to SDX 17550
YES
MPX 13500 to SDX 13500
YES
MPX 19550 to SDX 19550
YES
MPX 14500 to SDX 14500
YES
MPX 20550 to SDX 20550
YES
MPX 16500 to SDX 16550
YES
MPX 21550 to SDX 21550
YES
MPX 17500 to SDX 17500
YES
MPX 19550 to SDX 19550
YES
MPX 18500 to SDX 18500
YES
MPX 20550 to SDX 20550
YES
MPX 19500 to SDX 19500
YES
MPX 21500 to SDX 21500
YES
MPX 20500 to SDX 20500
YES
MPX 21550 to SDX 21550
YES
*Requires an update kit
Citrix Application Firewall – Edition Upgrades
Application Firewall Platform Upgrades (license upgrade via software license)
Upgrade | Throughput
MPX 7500 to MPX 9500 | 1 Gbps to 2 Gbps
MPX 10500 to MPX 12500 | 3 Gbps to 5 Gbps
Citrix Application Firewall - “Pay-as-you-grow” Platform and “Burst Pack” Upgrade Availability
Model | Upgrade Charge to MPX 15500 | Upgrade Charge to MPX 19500 | Upgrade Charge to MPX 21500
MPX 10500 | Available | ---- | ----
MPX 12500 | Available | ---- | ----
MPX 17500 | ---- | Available | Available
MPX 19500 | ---- | ---- | Available
MPX 21500 | ---- | ---- | ----
Model | Burst License to MPX 15500 | Burst License to MPX 19500 | Burst License to MPX 21500
MPX 10500 | Available | ---- | ----
MPX 12500 | Available | ---- | ----
MPX 17500 | ---- | ---- | Available
MPX 19500 | ---- | ---- | Available
MPX 21500 | ---- | ---- | ----
Citrix Volume Licensing
Commercial: EASY
• SMB Customers
• No Customer Discounts
• Advisor Rewards Eligible
Commercial: ELA
• Medium to Large Businesses
• Customer Discounts based on Initial Purchase
• Advisor Rewards Eligible
• ELA 7 – Require AVP, GEO VP and Finance Controller approval
Public Sector
• Education – Academic and Non-Profit Institutions
• GSA – Federal, State, and Local Government entities inside the United States
• GELA – other Government programs, outside the United States
NetScaler - “Burst Pack” Upgrade Pricing
Burst upgrade (throughput before → after):
• MPX 7500 to MPX 9500 (1 Gb → 3 Gb)
• MPX 10500 to MPX 15500 (5 Gb → 15 Gb)
• MPX 11500 to MPX 18500 (5 Gb → 30 Gb)
• MPX 12500 to MPX 15500 (8 Gb → 15 Gb)
• MPX 13500 to MPX 18500 (12 Gb → 30 Gb)
• MPX 14500 to MPX 18500 (16 Gb → 30 Gb)
• MPX 16500 to MPX 18500 (20 Gb → 30 Gb)
• MPX 17500 to MPX 21500 (20 Gb → 50 Gb)
• MPX 17550 to MPX 21550 (20 Gb → 50 Gb)
• MPX 19500 to MPX 21500 (35 Gb → 50 Gb)
• MPX 19550 to MPX 21550 (30 Gb → 50 Gb)
• MPX 20550 to MPX 21550 (40 Gb → 50 Gb)
• VPX100 to VPX3000 (1 Gb → 3 Gb)
Notes:
• A 90-day license used to accommodate above average traffic conditions and reassess permanent capacity requirements
• Licenses are purchased in quantity of one
• For Burst Licenses, use a web key obtained via email to generate the Burst License via http://www.mycitrix.com.
• There is no associated maintenance
NetScaler - “Burst Pack” Upgrade Availability
NetScaler Burst 90-Day
with Cluster
STD
ENT
PLT
NetScaler Burst 90-Day
with Cluster
STD
ENT
PLT
NetScaler Burst 90-Day
with Cluster
STD
ENT
PLT
MPX 7500 to MPX 9500
YES
YES
YES
MPX 17500 to MPX 21500
YES
YES
YES
SDX 11500 to SDX 20500
N/A
N/A
YES
MPX 10500 to MPX 15500
YES
YES
YES
MPX 19500 to MPX 21500
YES
YES
YES
N/A
N/A
YES
MPX 12500 to MPX 15500
YES
YES
YES
MPX 17550 to MPX 21550
YES
YES
YES
N/A
N/A
YES
MPX 11500 to MPX 18500
YES
YES
YES
MPX 19550 to MPX 21550
N/A
N/A
YES
N/A
N/A
YES
MPX 13500 to MPX 18500
YES
YES
YES
MPX 20550 to MPX 21550
N/A
N/A
YES
N/A
N/A
YES
MPX 14500 to MPX 18500
YES
YES
YES
SDX 17500 to SDX 21500
YES
YES
YES
N/A
N/A
YES
MPX 16500 to MPX 18500
YES
YES
YES
SDX 19500 to SDX 21500
N/A
N/A
YES
N/A
N/A
YES
MPX 11500 to MPX 20500
YES
YES
YES
VPX 1000 to VPX 3000
N/A
N/A
YES
N/A
N/A
YES
MPX 13500 to MPX 20500
YES
YES
YES
N/A
N/A
YES
MPX 14500 to MPX 20500
YES
YES
YES
N/A
N/A
YES
MPX 16500 to MPX 20500
YES
YES
YES
YES
YES
YES
MPX 18500 to MPX 20500
YES
YES
YES
YES
YES
YES
SDX 11500 to SDX 18500
SDX 13500 to SDX 18500
SDX 14500 to SDX 18500
SDX 16500 to SDX 18500
SDX 13500 to SDX 20500
SDX 14500 to SDX 20500
SDX 16500 to SDX 20500
SDX 18500 to SDX 20500
SDX 17550 to SDX 21550
SDX 19550 to SDX 21550
SDX 20550 to SDX 22550
High Availability
High Availability Topics
• High Availability Concepts
• Typical Configurations
• Node and Interface Configuration
• Managing HA
• Failover Do’s and Don'ts
• Replacing Failed Node
• Software Upgrade
• Monitoring HA
HA - Concepts
• NetScaler High Availability (HA) is a base functionality
ᵒ Does not need to be enabled
ᵒ Does need to be configured
• NetScaler HA pair is a single logical unit for traffic handling
ᵒ Active – Standby topology
ᵒ Two nodes = Primary and Secondary
ᵒ Separate NSIP, interface configurations
ᵒ Co-managed pool of MIPs, VIPs, SNIPs
• “Monitored” interfaces and HW
ᵒ Local health check
HA - Concepts
• Negotiation
ᵒ Who’s in charge?
• Propagation
ᵒ Commands sent from Primary to Secondary
• Synchronization
ᵒ Configuration synchronized between Primary and Secondary
HA - Design Considerations
• By default management and heartbeat sent via L2
• Distance between nodes is not a limitation
• L2 connectivity between the two HA nodes must allow the heartbeat to be
received within 3 seconds by default
HA - Typical Configuration
Note: Mapped IP is shared between the failover pair (single logical unit)
HA - Configuration Process
• Starting with two new systems
ᵒ NS-A and NS-B
• Setup overview
ᵒ Setup NS-A
• Basic IP and HA configuration, no traffic features
• Connect NS-A to network
ᵒ Setup NS-B
• Basic IP and HA configuration, no traffic features
• Connect NS-B to network
ᵒ Verify HA Status
• NS-A primary, NS-B secondary
ᵒ Configure traffic handling features on primary
• Secondary will be automatically synchronized
HA - Node and Interface Setup
• On each Citrix NetScaler in the pair, create a node ID pointing to the other
Citrix NetScaler
ᵒ Node ID must be unique integer
ᵒ Node ID does not set any precedence for primary
ᵒ Command: “add node <ID> <IP>”
• Node creation example
ᵒ Assume NS-A at NSIP 10.10.1.4, NS-B at NSIP 10.10.1.8
ᵒ On NS-A: add node 2 10.10.1.8
ᵒ On NS-B: add node 1 10.10.1.4
• Interface management (automatic)
ᵒ Disable all unused interfaces
ᵒ Command: “disable interface <int>” where <int> is, e.g., “1/3”
HA - GUI
HA - Completing Setup
• Verify negotiation
ᵒ NS-A primary, NS-B secondary
• Enter “rest” of configuration ON PRIMARY
ᵒ Servers, services, VIPs, monitors, etc.
• “save config” on primary
• Verify propagation of configuration ON SECONDARY NetScaler
> show runningconfig
• Reboot both systems, one at a time
ᵒ Verify correct failover functionality
HA - Show Node Information
> show node
1)      Node ID:      0
        IP:           10.102.1.172
        Master State: Primary
        Node State: UP
        Sync state: SUCCESS.
        Enabled Interfaces: <list of interfaces>
        HA monitor ON Interfaces: <list of interfaces>
        Disabled Interfaces: <list of interfaces>
        Interfaces causing Partial Failure: <list of interfaces>
        SSL card status: UP/DOWN
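A parser and health check for this output, added here as an example (not a NetScaler utility) of what an HA monitor would look at: node state, sync state, interfaces causing partial failure and the SSL card. The sample text is constructed in the slide's layout; the interface lists and the second, degraded node are invented to exercise the checks.

```python
"""Parser and health check for `show node` output (illustrative code,
not a NetScaler utility).

SAMPLE is constructed in the layout of the slide's example; the interface
lists and the second node are invented for the test.
"""
import re
from typing import Dict, List

SAMPLE = """\
> show node
1)      Node ID:      0
        IP:           10.102.1.172
        Master State: Primary
        Node State: UP
        Sync state: SUCCESS.
        Enabled Interfaces: 1/1 1/2
        HA monitor ON Interfaces: 1/1 1/2
        Disabled Interfaces: 1/3 1/4
        Interfaces causing Partial Failure: None
        SSL card status: UP
2)      Node ID:      1
        IP:           10.102.1.173
        Master State: Secondary
        Node State: PARTIAL FAILURE
        Sync state: FAILURE
        Enabled Interfaces: 1/1 1/2
        HA monitor ON Interfaces: 1/1 1/2
        Disabled Interfaces: 1/3 1/4
        Interfaces causing Partial Failure: 1/2
        SSL card status: DOWN
 Done
"""

# "Field name: value", optionally preceded by the "1)" node counter.
_ENTRY = re.compile(r"^(?:\d+\)\s+)?([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")


def parse_show_node(text: str) -> List[Dict[str, str]]:
    """Split `show node` output into one dict of field -> value per node."""
    nodes: List[Dict[str, str]] = []
    for line in text.splitlines():
        if re.match(r"^\d+\)", line):  # "1)", "2)" start a new node block
            nodes.append({})
        m = _ENTRY.match(line.strip())
        if m and nodes:
            nodes[-1][m.group(1)] = m.group(2).rstrip(".")  # "SUCCESS." -> "SUCCESS"
    return nodes


def ha_problems(node: Dict[str, str]) -> List[str]:
    """Return the conditions a monitor should alert on for one node."""
    problems = []
    if node.get("Node State") != "UP":
        problems.append(f"node state {node.get('Node State')!r}")
    if node.get("Sync state") != "SUCCESS":
        problems.append(f"sync state {node.get('Sync state')!r}")
    bad = node.get("Interfaces causing Partial Failure", "None")
    if bad not in ("None", ""):
        problems.append(f"partial failure on interfaces {bad}")
    if node.get("SSL card status") == "DOWN":
        problems.append("SSL card DOWN")
    return problems


if __name__ == "__main__":
    for node in parse_show_node(SAMPLE):
        print(node["Node ID"], node["IP"], node["Master State"],
              ha_problems(node) or "healthy")
```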
HA - Managing Configurations
• “set node” command
> set node [-hastatus ( ENABLE | STAYSECONDARY | DISABLE )] [-hasync ( ENABLE | DISABLE )]
ᵒ STAYSECONDARY - Holds node secondary, even if primary goes down
ᵒ DISABLE - Hold node secondary and do not synchronize to primary’s configuration
• “force failover” command
> force failover
• Executed from either NS in the HA pair
HA - Force Synchronization
> force ns synch
• Will not work when:
ᵒ Executed on Standalone System
ᵒ HA is Disabled
ᵒ HA Synchronization is disabled
• Issued on either node, Primary or Secondary
HA - Failover Do’s and Don'ts
• Do not connect two NetScaler systems by a cross-over cable
ᵒ Risk of bridge loop
• Be sure all unused interfaces are disabled
> disable interface <x/y>
• nsroot password synchronization
ᵒ Both nodes need same password for the nsroot account
ᵒ Not required for root or nsmaint accounts
HA - Failover Do’s and Don'ts
• Ancillary Files – Synchronization
ᵒ Configuration files in the NS file system must be present in the same location on both
nodes of the HA pair
• Use “scp” for secure file transfer:
ᵒ A typical command might look something like this:
# scp myfile.txt nsroot@192.168.100.200:/var/tmp/myfile.txt
• It is not recommended to run HA with different versions.
ᵒ For upgrade testing keep the NS with the older build powered off during the test period.
To failover power off the *newer* NS and power on *older* Citrix NetScaler
HA - Replacing a Failed Node
• Cleanup
ᵒ Issue "save config" on working primary unit
ᵒ Recover any debug information from defective unit
ᵒ Remove defective unit from network
• Configure replacement offline
ᵒ Configure the replacement unit as in initial HA setup
• Add working primary as a node
ᵒ Force the replacement unit to stay secondary
• Connect the replacement
ᵒ Verify secondary status
ᵒ Populate all environmental files from primary
ᵒ Verify configuration synchronization
• Release the replacement unit from forced secondary state
HA - Upgrade Procedure
Perform “rolling upgrade”
• Open two telnet or SSH sessions side by side
• Follow Upgrade Procedure to upgrade Secondary
• On Primary, “force failover”
• Verify failover was successful and former Secondary is now Primary
• Upgrade former Primary
HA - Improper VLAN Sync.
• Ensure that NetScaler’s VLAN configuration is done after configuring the Citrix
NetScaler with the High Availability setup
• For NetScaler systems in High Availability setup, synchronization does not
work properly when only one Citrix NetScaler system has a VLAN configuration
HA - Retrieving Lost Configuration
• If the primary NetScaler system is unable to send the configuration to the
secondary NetScaler system because of any network error, then the secondary
NetScaler may not have an accurate configuration and may not behave
correctly if failover occurs
• In this situation, you can retrieve the original primary system’s configuration
from a back-up copy present on the NetScaler’s disk
HA - Retrieving Lost Configuration
• NetScaler saves the last four copies of the ns.conf file in the /nsconfig directory
• These are named ns.conf.0, ns.conf.1, and so on
• The ns.conf.0 file contains the latest configuration
HA - Connection Failover / Mirroring
• Connection failover allows a TCP connection, established through a primary
node, to remain active after failover
• By default, two Citrix NetScaler systems that comprise an HA pair do not
exchange any information pertaining to existing packet flows
ᵒ i.e., TCP sessions on the primary are lost during failover
• Ensures that the new primary maintains a relationship between incoming
packets, belonging to the previously established connections, after failover
Backups and Upgrades
Code Upgrade
Overview
• Code upgrades are done by uploading a compressed tar file, extracting it, then
running an install script
• Through the GUI, this is handled behind the scenes, but it can be done
manually as well
• Downgrades are handled the same way, but risk having parts of the configuration dropped, because the newer build's ns.conf can contain configuration directives the older build does not recognize
• In some cases, old boot files will need to be removed manually via the BSD
shell, as indicated by an error on the install
Code Upgrade Instructions
• To start the upgrade process through the GUI, go to the Diagnostics tab under
System and select the “Upgrade Wizard” button
• Next, point to the upgrade file (.tgz) located locally or on the appliance:
Code Upgrade Instructions
• Next select the correct license to apply:
Code Upgrade Instructions
• Then upgrade the documentation file if available, and then proceed to apply the upgrade and reboot:
LAB – Module 1 – Exercise 1
To begin the lab, browse to:
http://training.mycitrixcloud.net/geoilt
Enter your business email and this session code:
NETSCALER-WORKSHOP