Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices. Citrix NetScaler 1000V Getting Started Guide Citrix NetScaler 10.5 December 11, 2014


THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If the equipment causes interference to radio or television reception, which can be determined by turning the equipment off and on, users are encouraged to try to correct the interference by using one or more of the following measures:

• Reorient or relocate the receiving antenna.

• Increase the separation between the equipment and receiver.

• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.

• Consult the dealer or an experienced radio/TV technician for help.

Modifications to this product not authorized by Cisco could void the FCC approval and negate your authority to operate the product.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Citrix and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. All other product names, company names, marks, logos, and symbols are trademarks of their respective owners.

© 2014 Cisco Systems, Inc. All rights reserved.


Contents

Getting Started with NetScaler 1000V
  Understanding NetScaler 1000V
    Switching Features
    Security and Protection Features
    Optimization Features
    Where Does a NetScaler Appliance Fit in the Network?
      Citrix NetScaler as a Packet Forwarding Device
    How a NetScaler Communicates with Clients and Servers
      Understanding NetScaler-Owned IP Addresses
      How Traffic Flows Are Managed
      Traffic Management Building Blocks
      A Simple Load Balancing Configuration
      Understanding Virtual Servers
      Understanding Services
    Understanding Policies and Expressions
    Processing Order of Features
    Features at a Glance
      Application Switching and Traffic Management Features
      Application Acceleration Features
      Application Security and Firewall Features
  NetScaler 1000V Licensing
  Installing NetScaler 1000V Virtual Appliances on Nexus 1010/1110
    Prerequisites
    Installing the VSBs in a High Availability Setup
      Installing NetScaler 1000V in High Availability Mode
      Verifying NetScaler 1000V Installation in High Availability Mode
      Installing the License and Verifying the Resources in High Availability Mode
    Installing NetScaler 1000V in Standalone Mode
      Installing NetScaler 1000V as a Standalone VSB
      Verifying NetScaler 1000V Installation
      Installing the License and Verifying the Resources
    Replacing a Nexus Node in a High Availability Setup
      Configuring a Replacement Primary Nexus Node
      Configuring a Replacement Secondary Nexus Node
    Installing SSL Card as an Field Replacement Unit (FRU)
    Allocating bandwidth for crypto-offload
  Installing NetScaler 1000V Virtual Appliances on Linux-KVM Platform
    Prerequisites for Installing NetScaler VPX Virtual Appliances on Linux-KVM Platform
      Networking Requirements
      Properties Of Source Interfaces
      Module Required
    Limitations and Usage Guidelines
      General Recommendations
      Limitations
    Provisioning the NetScaler 1000V Virtual Appliance by using OpenStack
      Provisioning the NetScaler 1000V Virtual Appliance by using OpenStack Using Command Line Interface
      Provisioning the NetScaler 1000V Virtual Appliance by using OpenStack Dashboard
    Provisioning the NetScaler Virtual Appliance by using the Virtual Machine Manager
      Adding Additional Interfaces to NetScaler VPX by using Virtual Machine Manager
    Provisioning the NetScaler Virtual Appliance by using the virsh Program
      Adding Additional Interfaces to NetScaler VPX using virsh Program
  Installing NetScaler 1000V Virtual Appliances on VMware ESX
    Prerequisites for Installing NetScaler Virtual Appliances on VMware
    Installing NetScaler 1000V on VMware ESX 5.0 or 5.1
      To install NetScaler 1000V on VMware ESX 5.0 or 5.1 by using VMware vSphere Client
      Verifying NetScaler 1000V Installation on VMware ESX
      Installing the License and Verifying the Resources
  Upgrading to a Later Build within Release
    Upgrading a Standalone NetScaler Appliance to a Later Build
      To upgrade a standalone NetScaler appliance running release to a later build by using the command line interface
      To upgrade a standalone NetScaler running release to a later build by using the configuration utility
    Upgrading a NetScaler High Availability Pair to a Later Build
      To upgrade a NetScaler high availability pair to a later build by using the command line interface
  Downgrading to an Earlier Build within Release
    Downgrading a Standalone NetScaler to an Earlier Build
      To downgrade a standalone NetScaler to an earlier build
    Downgrading a NetScaler High Availability Pair to an Earlier Build
  Setting Up vPath on the NetScaler 1000V VPX
    How vPath Works
    Step 1: Configuring vPath on a NetScaler
      To configure vPath on a NetScaler by using the command line interface
      To configure vPath on a NetScaler by using the graphical user interface
    Step 2: Configuring Load Balancing of Backend Servers
    Step 3: Binding Backend Servers to a Port Profile
      To bind backend servers to a port profile
    Behavioral Aspects of NetScaler with vPath
  NetScaler Features not Supported on the NetScaler 1000V Virtual Appliance
  Configuring a NetScaler 1000V Virtual Appliance
  NetScaler 1000V FAQs
    General
    NetScaler 1000V installed on Cisco Nexus 1010/1110
    NetScaler 1000V installed on VMware ESX 5.0/5.1
  Troubleshooting a NetScaler 1000V installed on a Nexus 1010/1110 appliance


Getting Started with NetScaler 1000V

The NetScaler 1000V virtual appliance is an application delivery controller that optimizes, secures, and controls the delivery of all enterprise and cloud services. You can deploy it as a VSB on a Nexus 1010/1110 cloud services platform or as a virtual machine on VMware ESX platform. After installing the VSB or VM, set up vPath on the virtual appliance so that it can communicate with the servers.

The NetScaler 1000V virtual appliance supports many of the features of a physical NetScaler appliance. For a list of the features not supported, see "NetScaler Features not Supported on Nexus 1010/1110 and VMware ESX."

For more information about Nexus 1010/1110, see "http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/white_paper_c07-603623.html."

For more information about VMware ESX, see "http://www.vmware.com."

Understanding NetScaler 1000V

A NetScaler 1000V virtual appliance is an application switch that performs application-specific traffic analysis to intelligently distribute, optimize, and secure Layer 4-Layer 7 (L4–L7) network traffic for web applications. For example, a NetScaler bases load balancing decisions on individual HTTP requests instead of on long-lived TCP connections, so that the failure or slowdown of a server is managed much more quickly and with less disruption to clients.

Switching Features

When deployed in front of application servers, a NetScaler ensures optimal distribution of traffic by the way in which it directs client requests. Administrators can segment application traffic according to information in the body of an HTTP or TCP request, and on the basis of L4–L7 header information such as URL, application data type, or cookie. Numerous load balancing algorithms and extensive server health checks improve application availability by ensuring that client requests are directed to the appropriate servers.

Security and Protection Features

NetScaler security and protection features protect web applications from Application Layer attacks. A NetScaler allows legitimate client requests and can block malicious requests. It provides built-in defenses against denial-of-service (DoS) attacks and supports features that protect against legitimate surges in application traffic that would otherwise overwhelm the servers. An available built-in firewall protects web applications from Application Layer attacks, including buffer overflow exploits, SQL injection attempts, cross-site scripting attacks, and more. In addition, the firewall provides identity theft protection by securing confidential corporate information and sensitive customer data.

Optimization Features

Optimization features offload resource-intensive operations, such as Secure Sockets Layer (SSL) processing, data compression, client keep-alive, TCP buffering, and the caching of static and dynamic content from servers. This improves the performance of the servers in the server farm and therefore speeds up applications. A NetScaler supports several transparent TCP optimizations, which mitigate problems caused by high latency and congested network links, accelerating the delivery of applications while requiring no configuration changes to clients or servers.

Where Does a NetScaler Appliance Fit in the Network?

A NetScaler appliance resides between the clients and the servers, so that client requests and server responses pass through it. In a typical installation, virtual servers configured on the appliance provide connection points that clients use to access the applications behind the appliance. In this case, the appliance owns public IP addresses that are associated with its virtual servers, while the real servers are isolated in a private network. It is also possible to operate the appliance in a transparent mode as an L2 bridge or L3 router, or even to combine aspects of these and other modes.

Citrix NetScaler as a Packet Forwarding Device

A NetScaler appliance can function as a packet forwarding device, and this mode of operation is called L3 mode. With L3 mode enabled, the appliance forwards any received unicast packets that are destined for an IP address that does not belong to the appliance, if there is a route to the destination. The appliance can also route packets between VLANs.

In both modes of operation, L2 and L3, the appliance generally drops packets that are in:

• Multicast frames

• Unknown protocol frames destined for an appliance's MAC address (non-IP and non-ARP)

• Spanning Tree protocol (unless BridgeBPDUs is ON)

For a non-TCP service, if the client receives a full sized packet (1500 bytes), then the NetScaler sends an ICMP error (fragmentation needed error) to the client. By default, ICMP error-message generation is enabled. You can change the state by using the following command: set L3param -icmpErrGenerate (ENABLED | DISABLED). After the error is generated, the NetScaler IP fragments the original packet, vPath encapsulates each of the individual fragments and sends it back to the server.


How a NetScaler Communicates with Clients and Servers

A NetScaler appliance is usually deployed in front of a server farm and functions as a transparent TCP proxy between clients and servers, without requiring any client-side configuration. This basic mode of operation is called Request Switching technology and is the core of NetScaler functionality. Request Switching enables an appliance to multiplex and offload the TCP connections, maintain persistent connections, and manage traffic at the request (application layer) level. This is possible because the appliance can separate the HTTP request from the TCP connection on which the request is delivered.

Depending on the configuration, an appliance might process the traffic before forwarding the request to a server. For example, if the client attempts to access a secure application on the server, the appliance might perform the necessary SSL processing before sending traffic to the server.

To facilitate efficient and secure access to server resources, an appliance uses a set of IP addresses collectively known as NetScaler-owned IP addresses. To manage your network traffic, you assign NetScaler-owned IP addresses to virtual entities that become the building blocks of your configuration. For example, to configure load balancing, you create virtual servers to receive client requests and distribute them to services, which are entities representing the applications on your servers.

Understanding NetScaler-Owned IP Addresses

To function as a proxy, a NetScaler appliance uses a variety of IP addresses. The key NetScaler-owned IP addresses are:

NetScaler IP (NSIP) address
The NSIP address is the IP address for management and general system access to the appliance itself, and for communication between appliances in a high availability configuration.

Virtual server IP (VIP) address
A VIP address is the IP address associated with a virtual server. It is the public IP address to which clients connect. An appliance managing a wide range of traffic may have many VIPs configured.

Subnet IP (SNIP) address
A SNIP address is used in connection management and server monitoring. You can specify multiple SNIP addresses for each subnet. SNIP addresses can be bound to a VLAN.

IP Set
An IP set is a set of IP addresses, which are configured on the appliance as SNIP. An IP set is identified with a meaningful name that helps in identifying the usage of the IP addresses contained in it.

Net Profile
A net profile (or network profile) contains an IP address or an IP set. A net profile can be bound to load balancing or content switching virtual servers, services, service groups, or monitors. During communication with physical servers or peers, the appliance uses the addresses specified in the profile as source IP addresses.

How Traffic Flows Are Managed

Because a NetScaler appliance functions as a TCP proxy, it translates IP addresses before sending packets to a server. When you configure a virtual server, clients connect to a VIP address on the NetScaler instead of directly connecting to a server. As determined by the settings on the virtual server, the appliance selects an appropriate server and sends the client's request to that server. By default, the appliance uses a SNIP address to establish connections with the server, as shown in the following figure.

Figure 1-1. Virtual Server Based Connections

In the absence of a virtual server, when an appliance receives a request, it transparently forwards the request to the server. This is called the transparent mode of operation. When operating in transparent mode, an appliance translates the source IP addresses of incoming client requests to the SNIP address but does not change the destination IP address. For this mode to work, L2 or L3 mode has to be configured appropriately.

For cases in which the servers need the actual client IP address, the appliance can be configured to modify the HTTP header by inserting the client IP address as an additional field, or configured to use the client IP address instead of a SNIP address for connections to the servers.
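When the appliance inserts the client IP address into an HTTP header, the server sees a SNIP address as the connection source and must decide when that header can be believed. The following is an added example, not code from the guide or from Citrix: a server-side check that accepts the inserted field only on connections arriving from the appliance's SNIP addresses. The header name X-Client-IP and all addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed values, not from the guide: the header name the appliance is
# assumed to insert, and the SNIP addresses it uses as source addresses.
CLIENT_IP_HEADER = "X-Client-IP"
APPLIANCE_SNIPS = [
    ipaddress.ip_network("10.0.1.5/32"),
    ipaddress.ip_network("10.0.1.6/32"),
]


def effective_client_ip(peer_ip, headers,
                        snips=APPLIANCE_SNIPS, header_name=CLIENT_IP_HEADER):
    """Return (client_ip, source) for one request.

    peer_ip -- source address of the TCP connection as seen by the server
    headers -- list of (name, value) pairs, duplicates preserved
    source  -- "header"         the inserted field was accepted
               "peer-untrusted" connection did not come from a SNIP
               "peer-fallback"  came from a SNIP but the field was unusable
    """
    peer = ipaddress.ip_address(peer_ip)

    # A connection that bypassed the appliance carries only client-controlled
    # headers, so the field is ignored and the peer address is used.
    if not any(peer in net for net in snips):
        return str(peer), "peer-untrusted"

    values = [v.strip() for k, v in headers if k.lower() == header_name.lower()]

    # Missing or repeated field: it is ambiguous which value the appliance
    # wrote, so fall back to the peer (SNIP) address instead of guessing.
    if len(values) != 1:
        return str(peer), "peer-fallback"

    # The field must be exactly one well-formed IP address.
    try:
        return str(ipaddress.ip_address(values[0])), "header"
    except ValueError:
        return str(peer), "peer-fallback"


def demo():
    """Run the check over constructed sample requests."""
    requests = [
        # Normal case: connection from a SNIP, one inserted field.
        ("10.0.1.5", [("Host", "app.example"), ("X-Client-IP", "198.51.100.23")]),
        # Direct connection to the server with a self-supplied field.
        ("192.0.2.77", [("X-Client-IP", "127.0.0.1")]),
        # Through the appliance, but the field appears twice.
        ("10.0.1.6", [("X-Client-IP", "10.9.9.9"), ("x-client-ip", "198.51.100.40")]),
        # Through the appliance, but the value is not a single address.
        ("10.0.1.5", [("X-Client-IP", "198.51.100.23, 203.0.113.9")]),
    ]
    return [effective_client_ip(peer, hdrs) for peer, hdrs in requests]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Requests that fall back to the peer address are worth logging, because they indicate either a path around the appliance or a header the appliance did not write alone.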


Traffic Management Building Blocks

The configuration of a NetScaler appliance is typically built up with a series of virtual entities that serve as building blocks for traffic management. The building block approach helps separate traffic flows. Virtual entities are abstractions, typically representing IP addresses, ports, and protocol handlers for processing traffic. Clients access applications and resources through these virtual entities. The most commonly used entities are virtual servers and services. Virtual servers represent groups of servers in a server farm or remote network, and services represent specific applications on each server.

Most features and traffic settings are enabled through virtual entities. For example, you can configure an appliance to compress all server responses to a client that is connected to the server farm through a particular virtual server. To configure the appliance for a particular environment, you need to identify the appropriate features and then choose the right mix of virtual entities to deliver them. Most features are delivered through a cascade of virtual entities that are bound to each other. In this case, the virtual entities are like blocks being assembled into the final structure of a delivered application. You can add, remove, modify, bind, enable, and disable the virtual entities to configure the features. The following figure shows the concepts covered in this section.

Figure 1-2. How Traffic Management Building Blocks Work

A Simple Load Balancing Configuration

In the example shown in the following figure, the NetScaler appliance is configured to function as a load balancer. For this configuration, you need to configure virtual entities specific to load balancing and bind them in a specific order. As a load balancer, an appliance distributes client requests across several servers and thus optimizes the utilization of resources.

The basic building blocks of a typical load balancing configuration are services and load balancing virtual servers. The services represent the applications on the servers. The virtual servers abstract the servers by providing a single IP address to which the clients connect. To ensure that client requests are sent to a server, you need to bind each service to a virtual server. That is, you must create services for every server and bind the services to a virtual server. Clients use the VIP address to connect to a NetScaler appliance. When the appliance receives client requests sent to the VIP address, it sends them to a server determined by the load balancing algorithm. Load balancing uses a virtual entity called a monitor to track whether a specific configured service (server plus application) is available to receive requests.

Figure 1-3. Load Balancing Virtual Server, Services, and Monitors

In addition to configuring the load balancing algorithm, you can configure several parameters that affect the behavior and performance of the load balancing configuration. For example, you can configure the virtual server to maintain persistence based on source IP address. The appliance then directs all requests from any specific IP address to the same server.
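The relationship between a virtual server, its bound services, monitor state, and source IP persistence can be traced in a small model. This is an added example, not NetScaler code and not from the guide: it is a simplified model that assumes round robin as the load balancing algorithm and assumes that a client pinned to a service that its monitor marks down is re-assigned to a healthy one. All IP addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Service:
    """One application on one server (server plus application)."""
    name: str
    ip: str
    port: int
    up: bool = True  # availability as last reported by the service's monitor


@dataclass
class VirtualServer:
    """The single address (VIP, port, protocol) that clients connect to."""
    name: str
    vip: str
    port: int
    protocol: str
    services: list = field(default_factory=list)
    persistence: dict = field(default_factory=dict)  # client source IP -> service name
    rr_index: int = 0  # round-robin position (assumed algorithm)

    def bind(self, service: Service) -> None:
        # Only services bound to the virtual server can receive its requests.
        self.services.append(service)

    def select(self, client_ip: str) -> Optional[Service]:
        # Services whose monitor reports them unavailable are never chosen.
        healthy = [s for s in self.services if s.up]
        if not healthy:
            return None

        # Source IP persistence: reuse the earlier choice while it is healthy.
        pinned = self.persistence.get(client_ip)
        for s in healthy:
            if s.name == pinned:
                return s

        # New client, or the pinned service went down: pick by round robin
        # among healthy services and record the new persistence entry.
        chosen = healthy[self.rr_index % len(healthy)]
        self.rr_index += 1
        self.persistence[client_ip] = chosen.name
        return chosen


def demo():
    """Trace six requests against constructed services s1 and s2."""
    s1 = Service("s1", "10.0.1.11", 80)
    s2 = Service("s2", "10.0.1.12", 80)
    vs = VirtualServer("VS_HTTP", "203.0.113.10", 80, "HTTP")
    vs.bind(s1)
    vs.bind(s2)

    client_a, client_b = "198.51.100.23", "198.51.100.40"
    picks = []
    picks.append(vs.select(client_a).name)  # first request from A
    picks.append(vs.select(client_b).name)  # first request from B
    picks.append(vs.select(client_a).name)  # A again: persistence applies
    s1.up = False                           # monitor marks s1 unavailable
    picks.append(vs.select(client_a).name)  # A is moved to a healthy service
    s1.up = True                            # s1 recovers
    picks.append(vs.select(client_a).name)  # A stays on its new service
    s1.up = s2.up = False                   # every service is down
    picks.append(vs.select(client_a))       # nothing can serve the request
    return picks


if __name__ == "__main__":
    print(demo())
```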

Understanding Virtual Servers

A virtual server is a named NetScaler entity that external clients can use to access applications hosted on the servers. It is represented by an alphanumeric name, virtual IP (VIP) address, port, and protocol. The name of the virtual server is of only local significance and is designed to make the virtual server easier to identify. When a client attempts to access applications on a server, it sends a request to the VIP instead of the IP address of the physical server. When the appliance receives a request at the VIP address, it terminates the connection at the virtual server and uses its own connection with the server on behalf of the client. The port and protocol settings of the virtual server determine the applications that the virtual server represents. For example, a web server can be represented by a virtual server and a service whose port and protocol are set to 80 and HTTP, respectively. Multiple virtual servers can use the same VIP address but different protocols and ports.

Virtual servers are points for delivering features. Most features, like compression,caching, and SSL offload, are normally enabled on a virtual server. When the appliancereceives a request at a VIP address, it chooses the appropriate virtual server by theport on which the request was received and its protocol. The appliance then processesthe request as appropriate for the features configured on the virtual server.

In most cases, virtual servers work in tandem with services. You can bind multipleservices to a virtual server. These services represent the applications running onphysical servers in a server farm. After the appliance processes requests received at aVIP address, it forwards them to the servers as determined by the load balancingalgorithm configured on the virtual server. The following figure illustrates theseconcepts.

Figure 1-4. Multiple Virtual Servers with a Single VIP Address

The preceding figure shows a configuration consisting of two virtual servers with a common VIP address but different ports and protocols. Each of the virtual servers has two services bound to it. The services s1 and s2 are bound to VS_HTTP and represent the HTTP applications on Server 1 and Server 2. The services s3 and s4 are bound to VS_SSL and represent the SSL applications on Server 2 and Server 3 (Server 2 provides both HTTP and SSL applications). When the appliance receives an HTTP request at the VIP address, it processes the request as specified by the settings of VS_HTTP and sends it to either Server 1 or Server 2. Similarly, when the appliance receives an HTTPS request at the VIP address, it processes it as specified by the settings of VS_SSL and it sends it to either Server 2 or Server 3.

Virtual servers are not always represented by specific IP addresses, port numbers, or protocols. They can be represented by wildcards, in which case they are known as wildcard virtual servers. For example, when you configure a virtual server with a wildcard instead of a VIP, but with a specific port number, the appliance intercepts and processes all traffic conforming to that protocol and destined for the predefined port. For virtual servers with wildcards instead of VIPs and port numbers, the appliance intercepts and processes all traffic conforming to the protocol.

Virtual servers can be grouped into the following categories:

Load balancing virtual server
Receives and redirects requests to an appropriate server. Choice of the appropriate server is based on which of the various load balancing methods the user configures.

Cache redirection virtual server
Redirects client requests for dynamic content to origin servers, and requests for static content to cache servers. Cache redirection virtual servers often work in conjunction with load balancing virtual servers.

Content switching virtual server
Directs traffic to a server on the basis of the content that the client has requested. For example, you can create a content switching virtual server that directs all client requests for images to a server that serves images only. Content switching virtual servers often work in conjunction with load balancing virtual servers.

SSL virtual server
Receives and decrypts SSL traffic, and then redirects to an appropriate server. Choosing the appropriate server is similar to choosing a load balancing virtual server.

Understanding Services

Services represent applications on a server. While services are normally combined with virtual servers, in the absence of a virtual server, a service can still manage application-specific traffic. For example, you can create an HTTP service on a NetScaler appliance to represent a web server application. When the client attempts to access a web site hosted on the web server, the appliance intercepts the HTTP requests and creates a transparent connection with the web server.

In service-only mode, an appliance functions as a proxy. It terminates client connections, uses a SNIP address to establish a connection to the server, and translates the destination IP addresses of incoming client requests to a SNIP address. Although the clients send requests directly to the IP address of the server, the server sees them as coming from the SNIP address. The appliance translates the IP addresses, port numbers, and sequence numbers.

A service is also a point for applying features. Consider the example of SSL acceleration. To use this feature, you must create an SSL service and bind an SSL certificate to the service. When the appliance receives an HTTPS request, it decrypts the traffic and sends it, in clear text, to the server. Only a limited set of features can be configured in the service-only case.

Services use entities called monitors to track the health of applications. Every service has a default monitor, which is based on the service type, bound to it. As specified by the settings configured on the monitor, the appliance sends probes to the application at regular intervals to determine its state. If the probes fail, the appliance marks the service as down. In such cases, the appliance responds to client requests with an appropriate error message or re-routes the request as determined by the configured load balancing policies.

Understanding Policies and Expressions

A policy defines specific details of traffic filtering and management on a NetScaler. It consists of two parts: the expression and the action. The expression defines the types of requests that the policy matches. The action tells the NetScaler what to do when a request matches the expression. As an example, the expression might be to match a specific URL pattern to a type of security attack, with the action being to drop or reset the connection. Each policy has a priority, and the priorities determine the order in which the policies are evaluated.

When a NetScaler receives traffic, the appropriate policy list determines how to process the traffic. Each policy on the list contains one or more expressions, which together define the criteria that a connection must meet to match the policy.

For all policy types except Rewrite policies, a NetScaler implements only the first policy that a request matches, not any additional policies that it might also match. For Rewrite policies, the NetScaler evaluates the policies in order and, in the case of multiple matches, performs the associated actions in that order. Policy priority is important for getting the results you want.
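The first-match rule has a security consequence: a broad policy evaluated early can keep a blocking policy from ever being applied. The following added example (a Python model written for this page, not NetScaler code) evaluates a policy list under both rules and reports policies that match sample traffic but are never applied. The policy names, the request strings, and the lower-number-first priority ordering are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int                       # assumption: lower number is evaluated first
    expression: Callable[[dict], bool]  # returns True when the request matches
    action: str


def evaluate(policies, request, rewrite=False):
    """Return [(policy name, action)] applied to one request, in evaluation order.

    rewrite=False models every policy type except Rewrite: only the first
    matching policy is applied. rewrite=True models Rewrite policies: every
    matching policy is applied, in priority order.
    """
    applied = []
    for pol in sorted(policies, key=lambda p: p.priority):
        if pol.expression(request):
            applied.append((pol.name, pol.action))
            if not rewrite:
                break
    return applied


def shadowed(policies, requests):
    """Names of policies that match some sample request but are never applied
    under first-match evaluation, because an earlier policy always wins."""
    matched, applied = set(), set()
    for req in requests:
        matched |= {p.name for p in policies if p.expression(req)}
        applied |= {name for name, _ in evaluate(policies, req)}
    return sorted(matched - applied)


# Constructed expressions and sample requests (hypothetical).
in_app = lambda r: r["url"].startswith("/app/")
has_dotdot = lambda r: "../" in r["url"]

REQUESTS = [
    {"url": "/app/home"},
    {"url": "/app/../../config/settings.ini"},
]

# The allow policy is evaluated first and also matches the suspicious URL,
# so the reset policy is never reached.
BAD_ORDER = [
    Policy("allow_app", 10, in_app, "ALLOW"),
    Policy("block_dotdot", 20, has_dotdot, "RESET"),
]

# Same policies with the blocking policy evaluated first.
FIXED = [
    Policy("block_dotdot", 10, has_dotdot, "RESET"),
    Policy("allow_app", 20, in_app, "ALLOW"),
]

# Rewrite-style list: both matching actions run, in priority order.
REWRITE = [
    Policy("drop_debug_hdr", 10, lambda r: True, "delete X-Debug header"),
    Policy("tag_app", 20, in_app, "insert X-App header"),
]

if __name__ == "__main__":
    print("bad order  :", evaluate(BAD_ORDER, REQUESTS[1]), shadowed(BAD_ORDER, REQUESTS))
    print("fixed order:", evaluate(FIXED, REQUESTS[1]), shadowed(FIXED, REQUESTS))
    print("rewrite    :", evaluate(REWRITE, REQUESTS[0], rewrite=True))
```

Running `shadowed` over a representative set of requests before a policy list goes live shows which blocking policies can never take effect in the configured order.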

Processing Order of Features

Depending on requirements, you can choose to configure multiple features. For example, you might choose to configure both compression and SSL offload. As a result, an outgoing packet might be compressed and then encrypted before being sent to the client.

The following figure shows the L7 packet flow in the NetScaler.

Figure 1-5. L7 Packet Flow Diagram

The following figure shows the DataStream packet flow in the NetScaler. DataStream is supported for MySQL and MS SQL databases.

Figure 1-6. DataStream Packet Flow Diagram

Features at a Glance

Citrix NetScaler features can be configured independently or in combinations to address specific needs. Although some features fit more than one category, the numerous NetScaler features can generally be categorized as application switching and traffic management features, application acceleration features, and application security and firewall features.

To understand the order in which the features perform their processing, see "Processing Order of Features."

Application Switching and Traffic Management Features

SSL Offloading
Transparently offloads SSL encryption and decryption from web servers, freeing server resources to service content requests. SSL places a heavy burden on an application's performance and can render many optimization measures ineffective. SSL offload and acceleration allow all the benefits of Citrix Request Switching technology to be applied to SSL traffic, ensuring secure delivery of web applications without degrading end-user performance.

Access Control Lists
Compares incoming packets to Access Control Lists (ACLs). If a packet matches an ACL rule, the action specified in the rule is applied to the packet. Otherwise, the default action (ALLOW) is applied and the packet is processed normally. For the appliance to compare incoming packets to the ACLs, you have to apply the ACLs. All ACLs are enabled by default, but you have to apply them in order for the NetScaler to compare incoming packets against them. If an ACL is not required to be a part of the lookup table, but still needs to be retained in the configuration, it should be disabled before the ACLs are applied. A NetScaler does not compare incoming packets to disabled ACLs.

Load Balancing
Load balancing decisions are based on a variety of algorithms, including round robin, least connections, weighted least bandwidth, weighted least packets, minimum response time, and hashing based on URL, domain source IP, or destination IP. Both the TCP and UDP protocols are supported, so the NetScaler can load balance all traffic that uses those protocols as the underlying carrier (for example, HTTP, HTTPS, UDP, DNS, NNTP, and general firewall traffic). In addition, the NetScaler can maintain session persistence based on source IP, cookie, server, group, or SSL session. It allows users to apply custom Extended Content Verification (ECV) to servers, caches, firewalls and other infrastructure devices to ensure that these systems are functioning properly and are providing the right content to users. It can also perform health checks using ping, TCP, or HTTP URL, and the user can create monitors based on Perl scripts.

Traffic Domains
Traffic domains provide a way to create logical ADC partitions within a single NetScaler appliance. They enable you to segment network traffic for different applications. You can use traffic domains to create multiple isolated environments whose resources do not interact with each other. An application belonging to a specific traffic domain communicates only with entities, and processes traffic, within that domain. Traffic belonging to one traffic domain cannot cross the boundary of another traffic domain. Therefore, you can use duplicate IP addresses on the appliance as long as an address is not duplicated within the same domain.

Network Address Translation
Network address translation (NAT) involves modification of the source and/or destination IP addresses, and/or the TCP/UDP port numbers, of IP packets that pass through the NetScaler appliance. Enabling NAT on the appliance enhances the security of your private network, and protects it from a public network such as the Internet, by modifying your network's source IP addresses when data passes through the NetScaler.

The NetScaler appliance supports the following types of network address translation:

INAT—In Inbound NAT (INAT), an IP address (usually public) configured on the NetScaler appliance listens to connection requests on behalf of a server. For a request packet received by the appliance on a public IP address, the NetScaler replaces the destination IP address with the private IP address of the server. In other words, the appliance acts as a proxy between clients and the server. INAT configuration involves INAT rules, which define a 1:1 relationship between the IP address on the NetScaler appliance and the IP address of the server.

RNAT—In Reverse Network Address Translation (RNAT), for a session initiated by a server, the NetScaler appliance replaces the source IP address in the packets generated by the server with an IP address (type SNIP) configured on the appliance. The appliance thereby prevents exposure of the server's IP address in any of the packets generated by the server. An RNAT configuration involves an RNAT rule, which specifies a condition. The appliance performs RNAT processing on those packets that match the condition.

Stateless NAT46 Translation—Stateless NAT46 enables communication between IPv4 and IPv6 networks, by way of IPv4 to IPv6 packet translation and vice versa, without maintaining any session information on the NetScaler appliance. A stateless NAT46 configuration involves an IPv4-IPv6 INAT rule and an NAT46 IPv6 prefix.

Stateful NAT64 Translation—The stateful NAT64 feature enables communication between IPv4 clients and IPv6 servers through IPv6 to IPv4 packet translation, and vice versa, while maintaining session information on the NetScaler appliance. A stateful NAT64 configuration involves an NAT64 rule and an NAT64 IPv6 prefix.

Multipath TCP Support
NetScaler appliances support Multipath TCP (MPTCP). MPTCP is a TCP/IP protocol extension that identifies and uses multiple paths available between hosts to maintain the TCP session. You must enable MPTCP on a TCP profile and bind it to a virtual server. When MPTCP is enabled, the virtual server functions as an MPTCP gateway and converts MPTCP connections with the clients to TCP connections that it maintains with the servers.

Content Switching
Determines the server to which to send the request on the basis of configured content switching policies. Policy rules can be based on the IP address, URL, and HTTP headers. This allows switching decisions to be based on user and device characteristics such as who the user is, what type of agent is being used, and what content the user requested.

TCP Optimization
You can use TCP profiles to optimize TCP traffic. TCP profiles define the way that NetScaler virtual servers process TCP traffic. Administrators can use the built-in TCP profiles or configure custom profiles. After defining a TCP profile, you can bind it to a single virtual server or to multiple virtual servers.

Some of the key optimization features that can be enabled by TCP profiles are:

• TCP keep-alive—Checks the operational status of the peers at specified time intervals to prevent the link from being broken.

• Selective Acknowledgment (SACK)—Improves the performance of data transmission, especially in long fat networks (LFNs).

• TCP window scaling—Allows efficient transfer of data over long fat networks (LFNs).

DataStream

The NetScaler DataStream feature provides an intelligent mechanism for request switching at the database layer by distributing requests on the basis of the SQL query being sent.

When deployed in front of database servers, a NetScaler ensures optimal distribution of traffic from the application servers and Web servers. Administrators can segment traffic according to information in the SQL query and on the basis of database names, user names, character sets, and packet size.

You can configure load balancing to switch requests according to load balancing algorithms, or you can elaborate the switching criteria by configuring content switching to make a decision based on SQL query parameters, such as user name, database names, and command parameters. You can further configure monitors to track the states of database servers.

The advanced policy infrastructure on the NetScaler appliance includes expressions that you can use to evaluate and process the requests. The advanced expressions evaluate traffic associated with MySQL database servers. You can use request-based expressions (expressions that begin with MYSQL.CLIENT and MYSQL.REQ) in advanced policies to make request switching decisions at the content switching virtual server bind point and response-based expressions (expressions that begin with MYSQL.RES) to evaluate server responses to user-configured health monitors.

Note: DataStream is supported for MySQL and MS SQL databases.

Application Acceleration Features

AppCompress
Uses the gzip compression protocol to provide transparent compression for HTML and text files. The typical 4:1 compression ratio yields up to 50% reduction in bandwidth requirements out of the data center. It also results in significantly improved end-user response time, because it reduces the amount of data that must be delivered to the user’s browser.

Cache Redirection
Manages the flow of traffic to a reverse proxy, transparent proxy, or forward proxy cache farm. Inspects all requests, and identifies non-cacheable requests and sends them directly to the origin servers over persistent connections. By intelligently redirecting non-cacheable requests back to the origin web servers, the NetScaler appliance frees cache resources and increases cache hit rates while reducing overall bandwidth consumption and response delays for these requests.

AppCache
Helps optimize web content and application data delivery by providing a fast in-memory HTTP/1.1 and HTTP/1.0 compliant web caching for both static and dynamic content. This on-board cache stores the results of incoming application requests even when an incoming request is secured or the data compressed, and then reuses the data to fulfill subsequent requests for the same information. By serving data directly from the on-board cache, the appliance can reduce page regeneration times by eliminating the need to funnel static and dynamic content requests to the server.

TCP Buffering
Buffers the server’s response and delivers it to the client at the client’s speed, thus offloading the server faster and thereby improving the performance of web sites.

Application Security and Firewall Features

Denial of Service Attack (DoS) Defense
Detects and stops malicious distributed denial-of-service (DDoS) attacks and other types of malicious attacks before they reach your servers, preventing them from affecting network and application performance. The NetScaler appliance identifies legitimate clients and elevates their priority, leaving suspect clients unable to consume a disproportionate percentage of resources and cripple your site. The appliance provides application-level protection from the following types of malicious attacks:

• SYN flood attacks

• Pipeline attacks

• Teardrop attacks

• Land attacks

• Fraggle attacks

• Zombie connection attacks

The appliance aggressively defends against these types of attacks by preventing the allocation of server resources for these connections. This insulates servers from the overwhelming flood of packets associated with these events.

The appliance also protects network resources from ICMP based attacks by using ICMP rate limiting and aggressive ICMP packet inspection. It performs strong IP reassembly, drops a variety of suspicious and malformed packets, and applies Access Control Lists (ACLs) to site traffic for further protection.

Content Filtering
Provides protection from malicious attacks for web sites at the Layer 7 level. The appliance inspects each incoming request according to user-configured rules based on HTTP headers, and performs the action the user configured. Actions can include resetting the connection, dropping the request, or sending an error message to the user’s browser. This allows the appliance to screen unwanted requests and reduces your servers’ exposure to attacks.

This feature can also analyze HTTP GET and POST requests and filter out known bad signatures, allowing it to defend your servers against HTTP-based attacks.

Responder
Functions like an advanced filter and can be used to generate responses from the appliance to the client. Some common uses of this feature are generation of redirect responses, user defined responses, and resets.

Rewrite
Modifies HTTP headers and body text. You can use the rewrite feature to add HTTP headers to an HTTP request or response, make modifications to individual HTTP headers, or delete HTTP headers. It also enables you to modify the HTTP body in requests and responses.

When the appliance receives a request or sends a response, it checks for rewrite rules, and if applicable rules exist, it applies them to the request or response before passing it on to the web server or client computer.

Priority Queuing
Prioritizes user requests to ensure that the most important traffic is serviced first during surges in request volume. You can establish priority based on request URLs, cookies, or a variety of other factors. The appliance places requests in a three-tier queue based on their configured priority, enabling business-critical transactions to flow smoothly even during surges or site attacks.

Surge Protection
Regulates the flow of user requests to servers and controls the number of users that can simultaneously access the resources on the servers, queuing any additional requests once your servers have reached their capacity. By controlling the rate at which connections can be established, the appliance blocks surges in requests from being passed on to your servers, thus preventing site overload.

Application Firewall
Protects applications from misuse by hackers and malware, such as cross site scripting attacks, buffer overflow attacks, SQL injection attacks, and forceful browsing, by filtering traffic between each protected web server and users that connect to any web site on that web server. The application firewall examines all traffic for evidence of attacks on web server security or misuse of web server resources, and takes the appropriate action to prevent these attacks from succeeding.

NetScaler 1000V Licensing

You can use a NetScaler 1000V virtual appliance for 120 days without a license. Until you install a license, throughput is limited to 500 Mbps. At the end of the trial period, you must purchase and install a valid license on the virtual appliance. NetScaler 1000V licensing is separate from Citrix-distributed NetScaler VPX licensing. For license installation instructions in standalone mode on Nexus 1010/1110, see "Installing the License and Verifying the Resources." For license installation instructions in HA mode on Nexus 1010/1110, see "Installing the License and Verifying the Resources in High Availability Mode." For license installation instructions on VMware ESX, see "Installing the License and Verifying the Resources on VMware ESX."

All types of license require 20 GB of disk space and seven virtual network interfaces (five data, one management, and one internal).

Important: The internal interface (0/2) is used for communication between the NetScaler 1000V virtual appliance and the Nexus 1010/1110 appliance. Do not configure it to carry any data or control traffic. The 0/2 interface is not available on the NetScaler 1000V virtual appliance hosted on a VMware ESX appliance.

Installing NetScaler 1000V Virtual Appliances on Nexus 1010/1110

NetScaler 1000V on Nexus 1010/1110 can be deployed in a standalone mode or in a high availability (HA) mode. If you deploy NetScaler 1000V virtual appliances in an HA mode, Citrix recommends that you deploy them on separate Nexus 1010/1110 appliances that are deployed in HA mode.

If one of the Nexus nodes in an HA setup goes down and is replaced, a new NetScaler 1000V node must be installed on the new Nexus node. Then, the configuration of the new NetScaler 1000V node must be synchronized with the configuration of the existing NetScaler 1000V node.

You should assign only pass-through interfaces to NetScaler 1000V for data ports. A pass-through interface is owned by the VSB and cannot be shared by other VSBs. With pass-through interfaces, use Cisco's Flexible Network option (described as "Network Option 5" in the white paper available at http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/white_paper_c07-603623.html). You can assign a shared interface to the management port (0/1).

After you install NetScaler 1000V on Nexus 1010/1110, set up vPath on the new VM so that it can communicate with the servers. For more information about vPath, see "Setting Up vPath on the NetScaler 1000V."
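The interface guidance above can be checked mechanically before a VSB is brought up. The following added example (not code from the Cisco/Citrix guide) parses VSB interface commands in the form used in this guide's installation steps and reports data ports whose uplink is not pass-through, pass-through uplinks claimed by more than one interface, and data ports placed in the management VLAN, which the installation steps advise against. The sample configuration, the VSB name nsvsb2, the port Ethernet5, and the finding labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: two VSBs on one Nexus appliance, in the command form
# this guide uses. nsvsb2 is deliberately misconfigured.
SAMPLE = """\
switch(config)# virtual-service-blade nsvsb1
switch(config-vsb-config)# interface ns_intf_0 vlan 1
switch(config-vsb-config)# interface ns_intf_1 vlan 2
switch(config-vsb-config)# interface ns_intf_2 vlan 2
switch(config-vsb-config)# interface ns_intf_3 vlan 2
switch(config-vsb-config)# interface ns_intf_0 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_1 uplink Ethernet3
switch(config-vsb-config)# interface ns_intf_1 mode passthrough
switch(config-vsb-config)# interface ns_intf_2 uplink Ethernet4
switch(config-vsb-config)# interface ns_intf_2 mode passthrough
switch(config-vsb-config)# interface ns_intf_3 uplink PortChannel1
switch(config)# virtual-service-blade nsvsb2
switch(config-vsb-config)# interface ns_intf_0 vlan 1
switch(config-vsb-config)# interface ns_intf_1 vlan 1
switch(config-vsb-config)# interface ns_intf_2 vlan 12
switch(config-vsb-config)# interface ns_intf_0 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_1 uplink Ethernet4
switch(config-vsb-config)# interface ns_intf_1 mode passthrough
switch(config-vsb-config)# interface ns_intf_2 uplink Ethernet5
"""

PROMPT = re.compile(r"^\S+#\s*")                       # e.g. "switch(config)# "
VSB = re.compile(r"^virtual-service-blade\s+(\S+)$")
INTF = re.compile(r"^interface\s+(ns_intf_\d+)\s+(vlan|uplink|mode)\s+(\S+)$")
MGMT = "ns_intf_0"  # management port of the VSB, per the guide


def parse(text):
    """Return {vsb: {interface: {"vlan" | "uplink" | "mode": value}}}."""
    vsbs, current = {}, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        m = VSB.match(line)
        if m:
            current = vsbs.setdefault(m.group(1), defaultdict(dict))
            continue
        m = INTF.match(line)
        if m and current is not None:
            name, key, value = m.groups()
            current[name][key] = value
    return vsbs


def audit(vsbs):
    """Return sorted (vsb, interface, finding) tuples."""
    findings = []
    users = defaultdict(list)   # uplink -> [(vsb, interface)] across all VSBs
    passthrough = set()         # uplinks claimed in pass-through mode
    for vsb, intfs in vsbs.items():
        mgmt = intfs.get(MGMT, {})
        for name, cfg in intfs.items():
            uplink = cfg.get("uplink")
            if uplink:
                users[uplink].append((vsb, name))
            if name == MGMT:
                continue
            if cfg.get("mode") == "passthrough":
                passthrough.add(uplink)
            elif uplink and uplink != mgmt.get("uplink"):
                # Data port on a physical uplink that is not dedicated to it.
                # Unused data ports parked on the management uplink are exempt.
                findings.append((vsb, name, "data-uplink-not-passthrough"))
            if "vlan" in cfg and cfg["vlan"] == mgmt.get("vlan"):
                findings.append((vsb, name, "data-vlan-equals-mgmt-vlan"))
    for uplink in passthrough:
        if len(users[uplink]) > 1:
            # The condition behind the appliance's "cannot be shared" error.
            findings += [(v, n, "passthrough-uplink-shared") for v, n in users[uplink]]
    return sorted(findings)


if __name__ == "__main__":
    for vsb, intf, finding in audit(parse(SAMPLE)):
        print(f"{vsb} {intf}: {finding}")
```

The guide also documents shared mode as a supported configuration, so `data-uplink-not-passthrough` is an advisory finding against its recommendation, not an error the appliance raises.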

Prerequisites

Before you begin installing NetScaler 1000V as a VSB, be sure to:

• Install the Cisco Nexus 1010/1110 Virtual Services Appliance and connect it to the network. For instructions, see the Cisco Nexus 1010 Virtual Services Appliance Hardware Installation Guide.

• Log on to the CLI in EXEC mode.

• Know the name of the NetScaler 1000V VSB that you want to create.

• Know the name of the OVA file that you will use.

• Know the Management IP address, subnet mask, default gateway, and logon credentials.

• If deploying NetScaler 1000V VSBs in a high availability (HA) mode, first deploy Nexus 1010/1110 appliances in HA mode.

• For an HA deployment, know the management IP address and host name of the primary node and the secondary node.

• Verify that the Cisco Nexus 1010/1110 appliance and NetScaler 1000V VSB share the same management VLAN.

Note: Do not change the management VLAN on a VSB. The management VLAN is inherited from Cisco Nexus 1010/1110, so any changes to the management VLAN are applied to the Cisco Nexus 1010/1110 and all of its hosted VSBs.

Note: NetScaler 1000V gets provisioned with nine virtual interfaces from 10.5-52.x release onwards on Nexus 1010/1110 platforms. Releases prior to 10.5.52x get provisioned with seven virtual interfaces.

Installing the VSBs in a High Availability Setup

NetScaler 1000V appliances in high availability (HA) mode should be installed on separate Nexus appliances in an HA setup. After deploying the VSBs and assigning resources to them, verify that installation was successful and the configuration is as you intended.

If you have not purchased a license, the trial usage period begins with installation. If you have purchased a license, install it and then verify that resources are correctly allocated.

The following topics describe the installation tasks:

1. Installing NetScaler 1000V in High Availability Mode

2. Verifying NetScaler 1000V Installation in High Availability Mode

3. Installing the License and Verifying the Resources in High Availability Mode

Installing NetScaler 1000V in High Availability Mode

1. Deploy NetScaler 1000V.

    switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    switch(config)# virtual-service-blade nsvsb1
    switch(config-vsb-config)# virtual-service-blade-type new NetScaler1000V-NEXUS-10.5-52.3_nc.ova
    Note: It can take a while to finish OVA extract operation. Please be patient..

2. Assign VLANs to the virtual interfaces.

The physical interface can be assigned in two modes, the pass-through mode and the shared mode.

Pass-through mode: In pass-through mode, a physical Ethernet interface is dedicated to a single virtual interface on the Nexus appliance. All the traffic received at the Ethernet interface is passed to a single virtual device.

In the following example, VLAN 2 is assigned to data ports ns_intf_1 through ns_intf_7. VLAN 1, the management VLAN on Nexus 1010/1110, is assigned to ns_intf_0. The port channel that is used as the Nexus management interface (PortChannel1 in this example) is assigned to ns_intf_0.

    switch(config-vsb-config)# interface ns_intf_0 vlan 1
    switch(config-vsb-config)# interface ns_intf_1 vlan 2
    switch(config-vsb-config)# interface ns_intf_2 vlan 2
    switch(config-vsb-config)# interface ns_intf_3 vlan 2
    switch(config-vsb-config)# interface ns_intf_4 vlan 2
    switch(config-vsb-config)# interface ns_intf_5 vlan 2
    switch(config-vsb-config)# interface ns_intf_6 vlan 2
    switch(config-vsb-config)# interface ns_intf_7 vlan 2

ns_intf_0 is the management port for NetScaler 1000V. You should configure the data and management interfaces of NetScaler 1000V on Nexus 1010/1110 in separate VLANs.

Shared mode: In shared mode, a physical Ethernet interface is shared among different virtual interfaces on the Nexus appliance. Each virtual device has a VLAN assigned to it. There are different ways in which the traffic is diverted to a virtual device:

• When a data-frame arrives at the Ethernet interface with a VLAN tag that is the same as the virtual device's VLAN number, the data-frame is passed to that particular virtual device.

• When a data-frame arrives with no VLAN tag on a physical Ethernet interface, the frame is forwarded to all the virtual interfaces sharing the same native VLAN as the physical interface.

The following example shows the configuration in the shared mode.

    switch(config-vsb-config)# interface ns_intf_0 vlan 1
    switch(config-vsb-config)# interface ns_intf_1 vlan 11
    switch(config-vsb-config)# interface ns_intf_2 vlan 12
    switch(config-vsb-config)# interface ns_intf_3 vlan 13
    switch(config-vsb-config)# interface ns_intf_4 vlan 14
    switch(config-vsb-config)# interface ns_intf_5 vlan 15
    switch(config-vsb-config)# interface ns_intf_6 vlan 16
    switch(config-vsb-config)# interface ns_intf_7 vlan 17

3. Assign the physical interface

In the following example for pass-through, only two of the five data ports assigned to NetScaler 1000V are being used. Therefore, only two interfaces, ns_intf_1 and ns_intf_2, are bound to physical ports Ethernet3 and Ethernet4, respectively, in pass-through mode.

switch(config-vsb-config)# interface ns_intf_0 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_1 uplink Ethernet3
switch(config-vsb-config)# interface ns_intf_1 mode passthrough
switch(config-vsb-config)# interface ns_intf_2 uplink Ethernet4
switch(config-vsb-config)# interface ns_intf_2 mode passthrough

In the pass-through mode, if ports Ethernet3 and Ethernet4 are also being used by another VSB, the following error message appears:

ERROR: Assigned uplink is a passthrough interface which cannot be shared.

If this error message appears, release these data ports from that VSB.


The following example shows the shared mode.

switch(config-vsb-config)# interface ns_intf_1 uplink Ethernet3
switch(config-vsb-config)# interface ns_intf_2 uplink Ethernet4

4. Assign uplink physical interfaces to the remaining virtual interfaces of this VSB.

You should assign the management port (PortChannel1 in the above examples) as the uplink port to the unused data ports (ns_intf_3, ns_intf_4, ns_intf_5, ns_intf_6, and ns_intf_7 in the above examples).

switch(config-vsb-config)# interface ns_intf_3 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_4 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_5 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_6 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_7 uplink PortChannel1

5. From the Nexus 1010/1110 command line, disable any unused virtual interfaces of NetScaler 1000V.

Loops can be created within NetScaler 1000V if multiple interfaces in the NetScaler 1000V virtual appliance are connected to the same uplink interface on Nexus.

The commands in the following example disable VsbEthernet1/5, VsbEthernet1/6, VsbEthernet1/7, VsbEthernet1/8, and VsbEthernet1/9, which correspond to the unused interfaces ns_intf_3, ns_intf_4, ns_intf_5, ns_intf_6, and ns_intf_7 on NetScaler 1000V. After installing the VSB, log on to the VSB, and disable these unused interfaces.

switch(config-vsb-config)# interface VsbEthernet1/5
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/6
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/7
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/8
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/9
switch(config-if)# shut

6. Enter basic configuration parameters for NetScaler 1000V. When prompted, select true for an HA setup, and then specify the IP address and network for the peer node.

switch(config-vsb-config)# enable
Enter vsb image: [NetScaler1000V-NEXUS-10.5-52.3_nc.ova]
NS HA [true/false]: [true]
Management IP version [V4|V6]: [V4]
Enter Primary IPv4 address: 10.217.205.30
Enter Primary subnet mask: 255.255.252.0
Primary IPv4 address of the default gateway: 10.217.204.1
Enter Secondary IPv4 address: [0.0.0.0] 10.217.205.31
Enter Secondary subnet mask: [0.0.0.0] 255.255.255.0
Enter Secondary IPv4 address of the default gateway: [0.0.0.0] 10.217.204.1
Enter Primary HostName: ns-primary
Enter Secondary HostName: ns-secondary
Enter the password for 'nsroot': nsroot
----Details entered----
NS HA [true/false]: : true
Management IP version [V4|V6]: : V4
Enter Primary IPv4 address: : 10.217.205.30
Enter Primary subnet mask: : 255.255.252.0
Primary IPv4 address of the default gateway: : 10.217.204.1
Enter Secondary IPv4 address: : 10.217.205.31
Enter Secondary subnet mask: : 255.255.252.0
Enter secondary IPv4 address of the default gateway: : 10.217.204.1
Enter Primary HostName: : ns-primary
Enter Secondary HostName: : ns-secondary
Enter the password for 'nsroot': : nsroot
Do you want to continue installation with entered details (Y/N)? [Y]
Note: VSB installation is in progress, please use show virtual-service-blade commands to check the installation status.
Note: VSB installation may take upto 5 minutes.
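The interface rules from steps 2 through 5 (management and data interfaces in separate VLANs, a pass-through uplink dedicated to a single virtual interface, and no two enabled interfaces on the same uplink) can be checked against a planned command list before the VSB is enabled. The following Python script is an added example, not part of the guide or of any Cisco or Citrix tool; the parser, the function names, and the finding messages are assumptions, and the VsbEthernet-to-ns_intf mapping is the one shown in this guide's show virtual-service-blade output.

```python
import re
from collections import defaultdict

MGMT_INTF = "ns_intf_0"  # management port of NetScaler 1000V, per the guide

# VsbEthernet-to-ns_intf mapping as listed in the guide's
# "show virtual-service-blade" output for this VSB.
VSB_ETH_TO_INTF = {"VsbEthernet1/1": "ns_intf_0"}
VSB_ETH_TO_INTF.update({f"VsbEthernet1/{n + 2}": f"ns_intf_{n}" for n in range(1, 8)})

# Constructed input: the guide's shared-mode VLANs, pass-through uplinks and
# shut commands for the unused interfaces, one command per line.
GUIDE_CONFIG = """\
switch(config-vsb-config)# interface ns_intf_0 vlan 1
switch(config-vsb-config)# interface ns_intf_1 vlan 11
switch(config-vsb-config)# interface ns_intf_2 vlan 12
switch(config-vsb-config)# interface ns_intf_3 vlan 13
switch(config-vsb-config)# interface ns_intf_4 vlan 14
switch(config-vsb-config)# interface ns_intf_5 vlan 15
switch(config-vsb-config)# interface ns_intf_6 vlan 16
switch(config-vsb-config)# interface ns_intf_7 vlan 17
switch(config-vsb-config)# interface ns_intf_0 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_1 uplink Ethernet3
switch(config-vsb-config)# interface ns_intf_1 mode passthrough
switch(config-vsb-config)# interface ns_intf_2 uplink Ethernet4
switch(config-vsb-config)# interface ns_intf_2 mode passthrough
switch(config-vsb-config)# interface ns_intf_3 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_4 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_5 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_6 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_7 uplink PortChannel1
switch(config-vsb-config)# interface VsbEthernet1/5
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/6
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/7
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/8
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/9
switch(config-if)# shut
"""

PROMPT = re.compile(r"^[^#]*#\s*")  # strips "switch(config-...)# "
INTF_CMD = re.compile(r"interface (ns_intf_\d+) (vlan|uplink|mode) (\S+)")


def parse_vsb_config(text):
    """Return {ns_intf: {vlan, uplink, passthrough, admin_up}} from CLI lines."""
    intfs = defaultdict(lambda: {"vlan": None, "uplink": None,
                                 "passthrough": False, "admin_up": True})
    context = None  # ns_intf selected by the last "interface VsbEthernetX/Y"
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        m = INTF_CMD.fullmatch(line)
        if m:
            name, key, value = m.groups()
            if key == "vlan":
                intfs[name]["vlan"] = int(value)
            elif key == "uplink":
                intfs[name]["uplink"] = value
            elif value == "passthrough":
                intfs[name]["passthrough"] = True
            context = None
            continue
        m = re.fullmatch(r"interface (VsbEthernet\d+/\d+)", line)
        if m:
            context = VSB_ETH_TO_INTF.get(m.group(1))
        elif context and line in ("shut", "shutdown"):
            intfs[context]["admin_up"] = False
        elif context and line in ("no shut", "no shutdown"):
            intfs[context]["admin_up"] = True
    return dict(intfs)


def audit(intfs):
    """Return a list of findings for the three interface rules in the guide."""
    findings = []
    mgmt_vlan = intfs.get(MGMT_INTF, {}).get("vlan")
    by_uplink = defaultdict(list)
    for name, cfg in sorted(intfs.items()):
        if name != MGMT_INTF and mgmt_vlan is not None and cfg["vlan"] == mgmt_vlan:
            findings.append(f"{name}: data interface shares management VLAN {mgmt_vlan}")
        if cfg["uplink"]:
            by_uplink[cfg["uplink"]].append(name)
    for uplink, names in sorted(by_uplink.items()):
        enabled = [n for n in names if intfs[n]["admin_up"]]
        if len(enabled) > 1:
            findings.append(f"{uplink}: loop risk, enabled interfaces {', '.join(enabled)} share this uplink")
        if len(names) > 1 and any(intfs[n]["passthrough"] for n in names):
            findings.append(f"{uplink}: pass-through uplink bound to {', '.join(names)}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_vsb_config(GUIDE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run as written, the guide's command set produces no findings; leaving out the shut commands from step 5 reports the loop risk on PortChannel1.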

Verifying NetScaler 1000V Installation in High Availability Mode

After installing NetScaler 1000V, log on to the Nexus console and verify that the VSB has installed correctly. Then, verify that you are able to log on to the NetScaler VSB.

1. Use the show command to verify that the VSB has installed correctly.

Following is the output in the pass-through mode:

switch(config-vsb-config)# sh virtual-service-blade name nsvsb1
virtual-service-blade nsvsb1
  Description:
  Slot id:        1
  Host Name:      nsvsb1
  Management IP:  10.217.205.30
  VSB Type Name :  NetScaler1000V-105523.1
  Configured vCPU:        2
  Operational vCPU:       2
  Configured Ramsize:     2048
  Operational Ramsize:    2048
  Disksize:       20
  Configured CryptoOffload Bandwidth:     0
  Operational CryptoOffload Bandwidth:    0
  Configured CryptoOffload VF:    0
  Operational CryptoOffload VF:   0
  Heartbeat:      68906

  Legends:   P - Passthrough
  ------------------------------------------------------------------------------------
     Interface       Type         MAC         VLAN    State      Uplink-Interface
                                                      Pri   Sec     Oper   Adm
  ------------------------------------------------------------------------------------
  VsbEthernet1/1   ns_intf_0  0002.3d71.0e82     1    up    up      Po1      Po1
  internal         NA         NA                      up
  VsbEthernet1/3   ns_intf_1  0002.3d71.0e83    11    up    up      Eth3(P)  Eth3(P)
  VsbEthernet1/4   ns_intf_2  0002.3d71.0e84    12    up    up      Eth4(P)  Eth4(P)
  VsbEthernet1/5   ns_intf_3  0002.3d71.0e85    13    down  down    Po1      Po1
  VsbEthernet1/6   ns_intf_4  0002.3d71.0e86    14    down  down    Po1      Po1
  VsbEthernet1/7   ns_intf_5  0002.3d71.0e87    15    down  down    Po1      Po1
  VsbEthernet1/8   ns_intf_6  0002.3d71.0e88    16    down  down    Po1      Po1
  VsbEthernet1/9   ns_intf_7  0002.3d71.0e89    17    down  down    Po1      Po1
  virtual-service-blade:
  HA Role: Primary
    HA Status: ACTIVE
    Status:       VSB POWERED ON
    Location:     PRIMARY
    SW version:   NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  HA Role: Secondary
    HA Status: STANDBY
    Status:       VSB POWERED ON
    Location:     SECONDARY
    SW version:   NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  VSB Info:
    Netscaler VPX

Following is the output in the shared mode:

switch(config-vsb-config)# sh virtual-service-blade name nsvsb1
virtual-service-blade nsvsb1
  Description:
  Slot id:        1
  Host Name:      nsvsb1
  Management IP:  10.217.205.30
  VSB Type Name :  NetScaler1000V-105523.1
  Configured vCPU:        2
  Operational vCPU:       2
  Configured Ramsize:     2048
  Operational Ramsize:    2048
  Disksize:       20
  Configured CryptoOffload Bandwidth:     0
  Operational CryptoOffload Bandwidth:    0
  Configured CryptoOffload VF:    0
  Operational CryptoOffload VF:   0
  Heartbeat:      68906

  Legends:   P - Passthrough
  ------------------------------------------------------------------------------------
     Interface       Type         MAC         VLAN    State      Uplink-Interface
                                                      Pri   Sec     Oper   Adm
  ------------------------------------------------------------------------------------
  VsbEthernet1/1   ns_intf_0  0002.3d71.0e82     1    up    up      Po1      Po1
  internal         NA         NA              NA      up
  VsbEthernet1/3   ns_intf_1  0002.3d71.0e83    11    up    up      Eth3(P)  Eth3(P)
  VsbEthernet1/4   ns_intf_2  0002.3d71.0e84    12    up    up      Eth4(P)  Eth4(P)
  VsbEthernet1/5   ns_intf_3  0002.3d71.0e85    13    down  down    Po1      Po1
  VsbEthernet1/6   ns_intf_4  0002.3d71.0e86    14    down  down    Po1      Po1
  VsbEthernet1/7   ns_intf_5  0002.3d71.0e87    15    down  down    Po1      Po1
  VsbEthernet1/8   ns_intf_6  0002.3d71.0e88    16    down  down    Po1      Po1
  VsbEthernet1/9   ns_intf_7  0002.3d71.0e89    17    down  down    Po1      Po1
  virtual-service-blade:
  HA Role: Primary
    HA Status: ACTIVE
    Status:       VSB POWERED ON
    Location:     PRIMARY
    SW version:   NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  HA Role: Secondary
    HA Status: STANDBY
    Status:       VSB POWERED ON
    Location:     SECONDARY
    SW version:   NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  VSB Info:
    Netscaler VPX

2. Log on to NetScaler 1000V.


Only one virtual CPU will be shown, because the license is not yet installed on the VSB.

switch(config-vsb-config)# login virtual-service-blade nsvsb1
Telnet escape character is '^\'.
Trying 127.1.0.18...
Connected to 127.1.0.18.
Escape character is '^\'.

login: nsroot
Password:
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
 The Regents of the University of California. All rights reserved.

 Done
> sh ver
 NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
 Done
> stat cpu

CPU statistics
ID   Usage
 1       0
 Done
>

3. Verify the configuration of the primary NetScaler 1000V node.

> show node
1) Node ID: 0
   IP: 10.217.205.30 (ns-primary)
   Node State: UP
   Master State: Primary
   Fail-Safe Mode: OFF
   INC State: DISABLED
   Sync State: ENABLED
   Propagation: ENABLED
   Enabled Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
   Disabled Interfaces : None
   HA MON ON Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
   Interfaces on which heartbeats are not seen : 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
   Interfaces causing Partial Failure: None
   SSL Card Status: NOT PRESENT
   Hello Interval: 200 msecs
   Dead Interval: 3 secs
   Node in this Master State for: 0:0:8:20 (days:hrs:min:sec)
2) Node ID: 1
   IP: 10.217.205.31
   Node State: UP
   Master State: Secondary
   Fail-Safe Mode: OFF
   INC State: DISABLED
   Sync State: SUCCESS
   Propagation: ENABLED
   Enabled Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
   Disabled Interfaces : None
   HA MON ON Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
   Interfaces on which heartbeats are not seen : 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
   Interfaces causing Partial Failure: None
   SSL Card Status: NOT PRESENT

Local node information:
   Critical Interfaces: 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
 Done

4. Log on to the primary and secondary NetScaler 1000V appliances, and from the command line interface disable any unused interfaces on NetScaler 1000V.

In the following example, interfaces 1/3, 1/4, 1/5, 1/6, and 1/7 are the same virtual interfaces (ns_intf_3, ns_intf_4, ns_intf_5, ns_intf_6, and ns_intf_7) that were disabled on the Nexus 1010/1110 appliance by using the shut command.

> dis int 1/[3-7]
interface "1/3" disabled
interface "1/4" disabled
interface "1/5" disabled
interface "1/6" disabled
interface "1/7" disabled
Done

Installing the License and Verifying the Resources in High Availability Mode

You can use NetScaler 1000V without a license for 120 days, with throughput limited to 500 Mbps. If you have purchased a license, install it after verifying that NetScaler 1000V has been correctly installed. You can install the license by using the command line interface (CLI) or the configuration utility (GUI).

To install the license and verify the resources by using the command line interface

1. Shut down NetScaler 1000V. At the Nexus 1010/1110 console, type:

switch (config-vsb-config)# shut

2. Allocate resources for NetScaler 1000V on Nexus 1010/1110.


The following example allocates 4 vCPUs and 12288 MB of RAM.

switch (config-vsb-config)# numcpu 4
switch (config-vsb-config)# ramsize 12288

3. Restart NetScaler 1000V. At the Nexus 1010/1110 console, type:

switch (config-vsb-config)# no shut

4. Upload the license to the /nsconfig/license directory on the NetScaler 1000V appliances in a high availability (HA) setup.

> shell
root@ns# cd /nsconfig/license
Copy the new license file to this directory.
>

5. Restart the virtual appliances.

In an HA setup, first restart the secondary node, and then restart the primary node.

> reboot
Are you sure you want to restart NetScaler (Y/N)? [N]:Y
Done
>

Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
 Done
>

6. Verify that the resources are allocated according to the license installed.

In the following example, three CPUs are allocated.

> stat cpu

CPU statistics
ID   Usage
 3       0
 2       0
 1       0
 Done
>

To install the license and verify the resources by using the configuration utility

Perform the following procedure for each NetScaler 1000V appliance in a high availability (HA) setup.

1. On the Configuration tab, navigate to System > Licenses.


2. In the details pane, click Manage Licenses.

3. Click Update Licenses.

4. Click Browse. Navigate to the location of the license files, select the license file, and then click Open.

5. Click Reboot to apply the license.

6. In the Reboot dialog box, click OK to proceed with the changes, or click Close to cancel the changes.

7. In a web browser, type the IP address of the NetScaler 1000V virtual appliance.

8. In User Name and Password, type the administrator credentials.

9. On the Dashboard tab, click the arrow next to System Overview and select CPU. Verify that the resources are allocated according to the license installed.

Installing NetScaler 1000V in Standalone Mode

You can install a NetScaler 1000V virtual appliance in standalone mode on a standalone Nexus 1010/1110 appliance, or on either the primary or secondary appliance in a high availability pair. After deploying the VSB and assigning resources to it, verify that installation was successful and the configuration is as you intended.

If you have not purchased a license, the trial usage period begins with installation. If you have purchased a license, install it and then verify that resources are correctly allocated.

The following topics describe the installation tasks:

1. Installing NetScaler 1000V as a Standalone VSB

2. Verifying NetScaler 1000V Installation

3. Installing the License and Verifying the Resources

Installing NetScaler 1000V as a Standalone VSB

1. Deploy NetScaler 1000V.

switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# virtual-service-blade nsvsb1
switch(config-vsb-config)# virtual-service-blade-type new NetScaler1000V-NEXUS-10.5-52.3_nc.ova
Note: It can take a while to finish OVA extract operation. Please be patient..

2. Assign VLANs to the virtual interfaces.

The physical interface can be assigned in two modes, the pass-through mode and the shared mode.


Pass-through mode: In pass-through mode, a physical Ethernet interface is dedicated to a single virtual interface on the Nexus appliance. All the traffic received at the Ethernet interface is passed to a single virtual device.

In the following example, VLAN 2 is assigned to data ports ns_intf_1 through ns_intf_7. VLAN 1, the management VLAN on Nexus 1010/1110, is assigned to ns_intf_0. The port channel that is used as the Nexus management interface (PortChannel1 in this example) is assigned to ns_intf_0.

switch(config-vsb-config)# interface ns_intf_0 vlan 1
switch(config-vsb-config)# interface ns_intf_1 vlan 2
switch(config-vsb-config)# interface ns_intf_2 vlan 2
switch(config-vsb-config)# interface ns_intf_3 vlan 2
switch(config-vsb-config)# interface ns_intf_4 vlan 2
switch(config-vsb-config)# interface ns_intf_5 vlan 2
switch(config-vsb-config)# interface ns_intf_6 vlan 2
switch(config-vsb-config)# interface ns_intf_7 vlan 2

ns_intf_0 is the management port for NetScaler 1000V. You should configure the data and management interfaces of NetScaler 1000V on Nexus 1010/1110 in separate VLANs.

Shared mode: In shared mode, a physical Ethernet interface is shared among different virtual interfaces on the Nexus appliance. Each virtual device has a VLAN assigned to it. There are different ways in which the traffic is diverted to a virtual device:

• When a data frame arrives at the Ethernet interface with a VLAN tag that is the same as the VLAN number of a virtual device, the data frame is passed to that particular virtual device.

• When a data frame arrives with no VLAN tag on a physical Ethernet interface, the frame is forwarded to all the virtual interfaces sharing the same native VLAN as the physical interface.

The following example shows the configuration in the shared mode.

switch(config-vsb-config)# interface ns_intf_0 vlan 1
switch(config-vsb-config)# interface ns_intf_1 vlan 11
switch(config-vsb-config)# interface ns_intf_2 vlan 12
switch(config-vsb-config)# interface ns_intf_3 vlan 13
switch(config-vsb-config)# interface ns_intf_4 vlan 14
switch(config-vsb-config)# interface ns_intf_5 vlan 15
switch(config-vsb-config)# interface ns_intf_6 vlan 16
switch(config-vsb-config)# interface ns_intf_7 vlan 17

3. Assign the physical interface

In the following example for pass-through, only two of the five data ports assigned to NetScaler 1000V are being used. Therefore, only two interfaces, ns_intf_1 and ns_intf_2, are bound to physical ports Ethernet3 and Ethernet4, respectively, in pass-through mode.

switch(config-vsb-config)# interface ns_intf_0 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_1 uplink Ethernet3
switch(config-vsb-config)# interface ns_intf_1 mode passthrough
switch(config-vsb-config)# interface ns_intf_2 uplink Ethernet4
switch(config-vsb-config)# interface ns_intf_2 mode passthrough

In the pass-through mode, if ports Ethernet3 and Ethernet4 are also being used by another VSB, the following error message appears:

ERROR: Assigned uplink is a passthrough interface which cannot be shared.

If this error message appears, release these data ports from that VSB.

The following example shows the shared mode.

switch(config-vsb-config)# interface ns_intf_1 uplink Ethernet3
switch(config-vsb-config)# interface ns_intf_2 uplink Ethernet4

4. Assign uplink physical interfaces to the remaining virtual interfaces of this VSB.

You should assign the management port (PortChannel1 in the above examples) as the uplink port to the unused data ports (ns_intf_3, ns_intf_4, ns_intf_5, ns_intf_6, and ns_intf_7 in the above examples).

switch(config-vsb-config)# interface ns_intf_3 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_4 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_5 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_6 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_7 uplink PortChannel1

5. From the Nexus 1010/1110 command line, disable any unused virtual interfaces of NetScaler 1000V.

Loops can be created within NetScaler 1000V if multiple interfaces in the NetScaler 1000V virtual appliance are connected to the same uplink interface on Nexus.

The commands in the following example disable VsbEthernet1/5, VsbEthernet1/6, VsbEthernet1/7, VsbEthernet1/8, and VsbEthernet1/9, which correspond to the unused interfaces ns_intf_3, ns_intf_4, ns_intf_5, ns_intf_6, and ns_intf_7 on NetScaler 1000V. After installing the VSB, log on to the VSB, and disable these unused interfaces.

switch(config-vsb-config)# interface VsbEthernet1/5
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/6
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/7
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/8
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/9
switch(config-if)# shut

6. Enter basic configuration parameters for NetScaler 1000V.

• If the VSB is installed in standalone mode on a primary Nexus appliance, use the enable primary command.

• If the VSB is installed in standalone mode on a secondary Nexus appliance, use the enable secondary command.

• If the VSB is installed in standalone mode on a standalone Nexus appliance, use the enable command.

Specify HA as false.

The following example uses the enable primary command with HA as false, because NetScaler 1000V is being installed in standalone mode on a primary Nexus appliance.

switch(config-vsb-config)# enable primary
Enter vsb image: [NetScaler1000V-NEXUS-10.5-52.3_nc.ova]
NS HA [true/false]: [true] false
Management IP version [V4|V6]: [V4]
Enter Primary IPv4 address: 10.217.205.45
Enter Primary subnet mask: 255.255.252.0
Primary IPv4 address of the default gateway: 10.217.204.1
Enter Secondary IPv4 address: [0.0.0.0]
Enter Secondary subnet mask: [0.0.0.0]
Enter Secondary IPv4 address of the default gateway: [0.0.0.0]
Enter Primary HostName: nsvsb1
Enter the password for 'nsroot': nsroot
----Details entered----
NS HA [true/false]: : false
Management IP version [V4|V6]: : V4
Enter Primary IPv4 address: : 10.217.205.45
Enter Primary subnet mask: : 255.255.252.0
Primary IPv4 address of the default gateway: : 10.217.204.1
Enter Secondary IPv4 address: : 0.0.0.0
Enter Secondary subnet mask: : 0.0.0.0
Enter secondary IPv4 address of the default gateway: : 0.0.0.0
Enter Primary HostName: : nsvsb1
Enter the password for 'nsroot': : nsroot
Do you want to continue installation with entered details (Y/N)? [Y]
Note: VSB installation is in progress, please use show virtual-service-blade commands to check the installation status.
Note: VSB installation may take upto 5 minutes.


Verifying NetScaler 1000V Installation

After installing NetScaler 1000V, log on to the Nexus console and verify that the VSB has installed correctly. Then, verify that you are able to log on to the NetScaler VSB.

1. Use the show command to verify that the VSB has installed correctly.

Following is an example of the output in the pass-through mode:

switch(config-vsb-config)# sh virtual-service-blade name nsvsb1
virtual-service-blade nsvsb1
  Description:
  Slot id:        1
  Host Name:      nsvsb1
  Management IP:  10.217.205.45
  VSB Type Name :  NetScaler1000V-105523.1
  Configured vCPU:        2
  Operational vCPU:       2
  Configured Ramsize:     2048
  Operational Ramsize:    2048
  Disksize:       20
  Heartbeat:      96

  Legends:   P - Passthrough08
  ------------------------------------------------------------------------------------
     Interface       Type         MAC         VLAN    State      Uplink-Interface
                                                      Pri-  Sec-    Oper   Adm
                                                      mary  ondary
  ------------------------------------------------------------------------------------
  VsbEthernet1/1   ns_intf_0  0002.3d70.fc02     1    up    up      Po1      Po1
  internal         NA         NA              NA      up
  VsbEthernet1/3   ns_intf_1  0002.3d70.fc03    11    up    up      Eth3(P)  Eth3(P)
  VsbEthernet1/4   ns_intf_2  0002.3d71.fc04    12    up    up      Eth4(P)  Eth4(P)
  VsbEthernet1/5   ns_intf_3  0002.3d71.fc05    13    down  down    Po1      Po1
  VsbEthernet1/6   ns_intf_4  0002.3d71.fc06    14    down  down    Po1      Po1
  VsbEthernet1/7   ns_intf_5  0002.3d71.fc07    15    down  down    Po1      Po1
  VsbEthernet1/8   ns_intf_6  0002.3d71.fc08    16    down  down    Po1      Po1
  VsbEthernet1/9   ns_intf_7  0002.3d71.fc09    17    down  down    Po1      Po1
  HA Role: Primary
    HA Status: STANDBY
    Status:       VSB POWERED ON
    Location:     PRIMARY
    SW version:   NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  HA Role: Secondary
    HA Status: NONE
    Status:       VSB NOT PRESENT
    Location:     SECONDARY
    SW version:
  VSB Info:
    NetScaler VPX

Following is an example of the output in the shared mode:

switch(config-vsb-config)# sh virtual-service-blade name nsvsb1
virtual-service-blade nsvsb1
  Description:
  Slot id:        1
  Host Name:      nsvsb1
  Management IP:  10.217.205.45
  VSB Type Name :  NetScaler1000V-105523.1
  Configured vCPU:        2
  Operational vCPU:       2
  Configured Ramsize:     2048
  Operational Ramsize:    2048
  Disksize:       20
  Heartbeat:      96

  Legends:   P - Passthrough08
  ------------------------------------------------------------------------------------
     Interface       Type         MAC         VLAN    State      Uplink-Interface
                                                      Pri-  Sec-    Oper   Adm
                                                      mary  ondary
  ------------------------------------------------------------------------------------
  VsbEthernet1/1   ns_intf_0  0002.3d70.fc02     1    up    up      Po1      Po1
  internal         NA         NA              NA      up
  VsbEthernet1/3   ns_intf_1  0002.3d70.fc03    11    up    up      Eth1     Eth1
  VsbEthernet1/4   ns_intf_2  0002.3d71.fc04    12    up    up      Eth2     Eth2
  VsbEthernet1/5   ns_intf_3  0002.3d71.fc05    13    down  down    Po1      Po1
  VsbEthernet1/6   ns_intf_4  0002.3d71.fc06    14    down  down    Po1      Po1
  VsbEthernet1/7   ns_intf_5  0002.3d71.fc07    15    down  down    Po1      Po1
  VsbEthernet1/8   ns_intf_6  0002.3d71.fc08    16    down  down    Po1      Po1
  VsbEthernet1/9   ns_intf_7  0002.3d71.fc09    17    down  down    Po1      Po1
  HA Role: Primary
    HA Status: STANDBY
    Status:       VSB POWERED ON
    Location:     PRIMARY
    SW version:   NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  HA Role: Secondary
    HA Status: NONE
    Status:       VSB NOT PRESENT
    Location:     SECONDARY
    SW version:
  VSB Info:
    NetScaler VPX

2. Log on to NetScaler 1000V.

Only one virtual CPU will be shown, because the license is not yet installed on the VSB.

switch(config-vsb-config)# login virtual-service-blade nsvsb1
Telnet escape character is '^\'.
Trying 127.1.0.18...
Connected to 127.1.0.18.
Escape character is '^\'.

login: nsroot
Password:
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
 The Regents of the University of California. All rights reserved.

 Done
> sh ver
 NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
 Done
> stat cpu

CPU statistics
ID   Usage
 1       0
 Done
>

3. Verify the configuration of the NetScaler 1000V node.

> show node
1) Node ID: 0
   IP: 10.217.205.45 (vpx)
   Node State: UP
   Master State: Primary
   Fail-Safe Mode: OFF
   Enabled Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
   Disabled Interfaces : None
   SSL Card Status: NOT PRESENT
   Hello Interval: 200 msecs
   Dead Interval: 3 secs
   Node in this Master State for: 0:0:8:20 (days:hrs:min:sec)
Local node information:
   Critical Interfaces: 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
Done

4. From the NetScaler command line interface, disable any unused interfaces on the NetScaler VSB.

In the following example, interfaces 1/3, 1/4, 1/5, 1/6, and 1/7 are the same virtual interfaces (ns_intf_3, ns_intf_4, ns_intf_5, ns_intf_6, and ns_intf_7) that were disabled on the Nexus 1010/1110 appliance by using the shut command.

> dis int 1/[3-7]
interface "1/3" disabled
interface "1/4" disabled
interface "1/5" disabled
interface "1/6" disabled
interface "1/7" disabled
Done

Installing the License and Verifying the Resources

You can use NetScaler 1000V without a license for 120 days, with throughput limited to 500 Mbps. The trial usage period begins with installation. If you have purchased a license, install it after verifying that NetScaler 1000V has been correctly installed. You can install the license by using the command line interface (CLI) or the configuration utility (GUI).

To install the license and verify the resources by using the command line interface

1. Shut down the NetScaler 1000V appliance. At the Nexus 1010/1110 console, type:

switch (config-vsb-config)# shut

2. Allocate resources for NetScaler 1000V on Nexus 1010/1110.

The following example allocates 4 vCPUs and 12288 MB of RAM.

switch (config-vsb-config)# numcpu 4
switch (config-vsb-config)# ramsize 12288

3. Restart the NetScaler 1000V appliance. At the Nexus 1010/1110 console, type:

switch (config-vsb-config)# no shut

4. Upload the license to the /nsconfig/license directory on NetScaler 1000V.

> shell
root@ns# cd /nsconfig/license
Copy the new license file to this directory.
>


5. Restart the virtual appliance.

> reboot
Are you sure you want to restart NetScaler (Y/N)? [N]:Y
Done
>

Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
 Done
>

6. Verify that the resources are allocated according to the license installed.

In the following example, three CPUs are allocated.

> stat cpu

CPU statistics
ID   Usage
 3       0
 2       0
 1       0
 Done
>

To install the license and verify the resources by using the configuration utility

1. On the Configuration tab, navigate to System > Licenses.

2. In the details pane, click Manage Licenses.

3. Click Update Licenses.

4. Click Browse. Navigate to the location of the license files, select the license file, and then click Open.

5. Click Reboot to apply the license.

6. In the Reboot dialog box, click OK to proceed with the changes, or click Close to cancel the changes.

7. In a web browser, type the IP address of the NetScaler 1000V virtual appliance.

8. In User Name and Password, type the administrator credentials.

9. On the Dashboard tab, click the arrow next to System Overview and select CPU. Verify that the resources are allocated according to the license installed.

Replacing a Nexus Node in a High Availability Setup

A Nexus 1010/1110 appliance has primary and secondary roles and active and standby states. If one of the nodes in a high availability setup fails and you replace it, the installation procedure is the same for either a primary or a secondary node, but the configuration procedure is not.

1. Deploy NetScaler 1000V.

switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# virtual-service-blade nsvsb1
switch(config-vsb-config)# virtual-service-blade-type new NetScaler1000V-NEXUS-10.5-52.3_nc.ova
Note: It can take a while to finish OVA extract operation. Please be patient..

2. Assign VLANs to the virtual interfaces.

The physical interface can be assigned in two modes, the pass-through mode and the shared mode.

Pass-through mode: In pass-through mode, a physical Ethernet interface is dedicated to a single virtual interface on the Nexus appliance. All the traffic received at the Ethernet interface is passed to a single virtual device.

In the following example, VLAN 2 is assigned to data ports ns_intf_1 through ns_intf_7. VLAN 1, the management VLAN on Nexus 1010/1110, is assigned to ns_intf_0. The port channel that is used as the Nexus management interface (PortChannel1 in this example) is assigned to ns_intf_0.

switch(config-vsb-config)# interface ns_intf_0 vlan 1
switch(config-vsb-config)# interface ns_intf_1 vlan 2
switch(config-vsb-config)# interface ns_intf_2 vlan 2
switch(config-vsb-config)# interface ns_intf_3 vlan 2
switch(config-vsb-config)# interface ns_intf_4 vlan 2
switch(config-vsb-config)# interface ns_intf_5 vlan 2
switch(config-vsb-config)# interface ns_intf_6 vlan 2
switch(config-vsb-config)# interface ns_intf_7 vlan 2

ns_intf_0 is the management port for NetScaler 1000V. You should configure the data and management interfaces of NetScaler 1000V on Nexus 1010/1110 in separate VLANs.

Shared mode: In shared mode, a physical Ethernet interface is shared among different virtual interfaces on the Nexus appliance. Each virtual device has a VLAN assigned to it. Traffic is diverted to a virtual device in one of the following ways:

• When a data frame arrives at the Ethernet interface with a VLAN tag that matches the VLAN number of a virtual device, the frame is passed to that virtual device.

• When a data frame arrives with no VLAN tag on a physical Ethernet interface, the frame is forwarded to all the virtual interfaces sharing the same native VLAN as the physical interface.


The following example shows the configuration in the shared mode.

switch(config-vsb-config)# interface ns_intf_0 vlan 1
switch(config-vsb-config)# interface ns_intf_1 vlan 11
switch(config-vsb-config)# interface ns_intf_2 vlan 12
switch(config-vsb-config)# interface ns_intf_3 vlan 13
switch(config-vsb-config)# interface ns_intf_4 vlan 14
switch(config-vsb-config)# interface ns_intf_5 vlan 15
switch(config-vsb-config)# interface ns_intf_6 vlan 16
switch(config-vsb-config)# interface ns_intf_7 vlan 17

3. Assign the physical interface.

In the following example for pass-through, only two of the five data ports assigned to NetScaler 1000V are being used. Therefore, only two interfaces, ns_intf_1 and ns_intf_2, are bound to physical ports Ethernet3 and Ethernet4, respectively, in pass-through mode.

switch(config-vsb-config)# interface ns_intf_0 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_1 uplink Ethernet3
switch(config-vsb-config)# interface ns_intf_1 mode passthrough
switch(config-vsb-config)# interface ns_intf_2 uplink Ethernet4
switch(config-vsb-config)# interface ns_intf_2 mode passthrough

In the pass-through mode, if ports Ethernet3 and Ethernet4 are also being used by another VSB, the following error message appears:

ERROR: Assigned uplink is a passthrough interface which cannot be shared.

If this error message appears, release these data ports from that VSB.

The following example shows the shared mode.

switch(config-vsb-config)# interface ns_intf_1 uplink Ethernet3
switch(config-vsb-config)# interface ns_intf_2 uplink Ethernet4

4. Assign uplink physical interfaces to the remaining virtual interfaces of this VSB.

You should assign the management port (PortChannel1 in the above examples) as the uplink port to the unused data ports (ns_intf_3, ns_intf_4, ns_intf_5, ns_intf_6, and ns_intf_7 in the above examples).

switch(config-vsb-config)# interface ns_intf_3 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_4 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_5 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_6 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_7 uplink PortChannel1

5. From the Nexus 1010/1110 command line, disable any unused virtual interfaces of NetScaler 1000V.

Loops can be created within NetScaler 1000V if multiple interfaces in the NetScaler 1000V virtual appliance are connected to the same uplink interface on Nexus.

The commands in the following example disable VsbEthernet1/5, VsbEthernet1/6, VsbEthernet1/7, VsbEthernet1/8, and VsbEthernet1/9, which correspond to the unused interfaces ns_intf_3, ns_intf_4, ns_intf_5, ns_intf_6, and ns_intf_7 on NetScaler 1000V. After installing the VSB, log on to the VSB, and disable these unused interfaces.

switch(config-vsb-config)# interface VsbEthernet1/5
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/6
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/7
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/8
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/9
switch(config-if)# shut

6. Perform one of the following procedures, as appropriate:

• Configuring a replacement primary Nexus node

• Configuring a replacement secondary Nexus node
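
The interface rules in steps 2 through 5 (management and data interfaces in separate VLANs, a pass-through uplink dedicated to one virtual interface, unused interfaces on a shared uplink shut) can be checked against the interface table that the show virtual-service-blade name command prints. The following Python check is an added example, not code from Cisco or Citrix; the sample table is constructed, and the code assumes the header order Pri/Sec under State and Oper/Adm under Uplink-Interface, taking the first uplink cell as the uplink in use.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the interface table in this guide. Two
# deviations are planted: ns_intf_2 sits in the management VLAN, and the
# unused ns_intf_3 is still up while sharing Po1 with ns_intf_0.
SAMPLE_TABLE = """\
Interface         Type        MAC              VLAN   State        Uplink-Interface
                                                      Pri   Sec    Oper      Adm
VsbEthernet1/1    ns_intf_0   0002.3d71.0e82   1      up    up     Po1       Po1
VsbEthernet1/3    ns_intf_1   0002.3d71.0e83   11     up    up     Eth3(P)   Eth3(P)
VsbEthernet1/4    ns_intf_2   0002.3d71.0e84   1      up    up     Eth4(P)   Eth4(P)
VsbEthernet1/5    ns_intf_3   0002.3d71.0e85   13     up    up     Po1       Po1
VsbEthernet1/6    ns_intf_4   0002.3d71.0e86   14     down  down   Po1       Po1
"""

ROW = re.compile(
    r"^\s*(?P<vsb_if>VsbEthernet\d+/\d+)\s+(?P<name>ns_intf_\d+)\s+"
    r"(?P<mac>[0-9a-fA-F.]+)\s+(?P<vlan>\d+)\s+"
    r"(?P<pri>up|down)\s+(?P<sec>up|down)\s+(?P<uplinks>\S.*)$"
)
# Uplinks are abbreviated (Po1, Eth3); "(P)" marks pass-through. The pattern
# also copes with the two uplink cells printed back to back: Eth3(P)Eth3(P).
UPLINK = re.compile(r"(Po\d+|Eth\d+)(\(P\))?")


def parse_table(text):
    """Return one dict per ns_intf_* row; headers and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        uplinks = UPLINK.findall(m["uplinks"])
        if not uplinks:
            continue
        rows.append({
            "vsb_if": m["vsb_if"],
            "name": m["name"],
            "vlan": int(m["vlan"]),
            # Assumption: enabled if the State column is up on either node.
            "enabled": "up" in (m["pri"], m["sec"]),
            "uplink": uplinks[0][0],
            "passthrough": bool(uplinks[0][1]),
        })
    return rows


def audit(rows, mgmt_name="ns_intf_0"):
    """Check rows against the guide's interface rules; return (code, detail) pairs."""
    mgmt = next((r for r in rows if r["name"] == mgmt_name), None)
    if mgmt is None:
        return [("NO_MGMT", f"{mgmt_name} not found in table")]

    findings = []
    # Rule 1: data and management interfaces belong in separate VLANs.
    for r in rows:
        if r is not mgmt and r["vlan"] == mgmt["vlan"]:
            findings.append(
                ("MGMT_VLAN", f"{r['name']} shares management VLAN {mgmt['vlan']}"))

    by_uplink = defaultdict(list)
    for r in rows:
        by_uplink[r["uplink"]].append(r)

    for uplink, members in sorted(by_uplink.items()):
        # Rule 2: several enabled interfaces on one uplink can form a loop,
        # which is why the guide shuts the unused ones.
        enabled = [r["name"] for r in members if r["enabled"]]
        if len(enabled) > 1:
            findings.append(("LOOP_RISK", f"{uplink}: {', '.join(enabled)} all enabled"))
        # Rule 3: a pass-through uplink is dedicated to one virtual interface.
        if any(r["passthrough"] for r in members) and len(members) > 1:
            names = ", ".join(r["name"] for r in members)
            findings.append(("PASSTHROUGH_SHARED", f"{uplink}: {names}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(parse_table(SAMPLE_TABLE)):
        print(f"{code:20} {detail}")
```

On the constructed sample the check reports ns_intf_2 in the management VLAN and a loop risk on Po1; a table matching the guide's own output produces no findings.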

Configuring a Replacement Primary Nexus Node

If the primary Nexus node goes down, the secondary Nexus node becomes active. If you replace the failed primary node, you must synchronize the configuration of the NetScaler 1000V VSB on the secondary Nexus node to the NetScaler 1000V VSB on the new primary Nexus node.

1. Enter enable primary.

switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# virtual-service-blade nsvsb1
switch (config-vsb-config)# virtual-service-blade-type new NetScaler1000V-NEXUS-10.5-52.3_nc.ova
Note: It can take awhile to finish OVA extract operation. Please be patient..
switch (config-vsb-config)# enable primary
Enter vsb image: [NetScaler1000V-NEXUS-10.5-52.3_nc.ova]
NS HA [true/false]: [true]
Management IP version [V4|V6]: [V4]
Enter Primary IPv4 address: 10.217.205.30
Enter Primary subnet mask: 255.255.252.0
Primary IPv4 address of the default gateway: 10.217.204.1
Enter Secondary IPv4 address: [0.0.0.0] 10.217.205.31
Enter Secondary subnet mask: [0.0.0.0] 255.255.252.0
Enter secondary IPv4 address of the default gateway: [0.0.0.0] 10.217.204.1
Enter Primary HostName: ns-primary
Enter Secondary HostName: ns-secondary
Enter the password for 'nsroot': nsroot
----Details entered----
NS HA [true/false]: : true
Management IP version [V4|V6]: : V4
Enter Primary IPv4 address: : 10.217.205.30
Enter Primary subnet mask: : 255.255.252.0
Primary IPv4 address of the default gateway: : 10.217.204.1
Enter Secondary IPv4 address: : 10.217.205.31
Enter Secondary subnet mask: : 255.255.252.0
Enter secondary IPv4 address of the default gateway: : 10.217.204.1
Enter Primary HostName: : ns-primary
Enter Secondary HostName: : ns-secondary
Enter the password for 'nsroot': : nsroot
Do you want to continue installation with entered details (Y/N)? [Y]
Note: VSB installation is in progress, please use show virtual-service-blade commands to check the installation status.
Note: VSB installation may take upto 5 minutes.

2. Use the show command to verify that the VSB has installed correctly.

Following is the output in the pass-through mode:

switch(config-vsb-config)# sh virtual-service-blade name nsvsb1
virtual-service-blade nsvsb1
  Description:
  Slot id: 1
  Host Name: nsvsb1
  Management IP: 10.217.205.30
  VSB Type Name : NetScaler1000V-105523.1
  Configured vCPU: 2
  Operational vCPU: 2
  Configured Ramsize: 2048
  Operational Ramsize: 2048
  Disksize: 20
  Configured CryptoOffload Bandwidth: 0
  Operational CryptoOffload Bandwidth: 0
  Configured CryptoOffload VF: 0
  Operational CryptoOffload VF: 0
  Heartbeat: 68906

Legends: P - Passthrough
------------------------------------------------------------------------------------
Interface         Type        MAC              VLAN   State        Uplink-Interface
                                                      Pri   Sec    Oper      Adm
------------------------------------------------------------------------------------
VsbEthernet1/1    ns_intf_0   0002.3d71.0e82   1      up    up     Po1       Po1
                  internal NA NA up
VsbEthernet1/3    ns_intf_1   0002.3d71.0e83   11     up    up     Eth3(P)   Eth3(P)
VsbEthernet1/4    ns_intf_2   0002.3d71.0e84   12     up    up     Eth4(P)   Eth4(P)
VsbEthernet1/5    ns_intf_3   0002.3d71.0e85   13     down  down   Po1       Po1
VsbEthernet1/6    ns_intf_4   0002.3d71.0e86   14     down  down   Po1       Po1
VsbEthernet1/7    ns_intf_5   0002.3d71.0e87   15     down  down   Po1       Po1
VsbEthernet1/8    ns_intf_6   0002.3d71.0e88   16     down  down   Po1       Po1
VsbEthernet1/9    ns_intf_7   0002.3d71.0e89   17     down  down   Po1       Po1

virtual-service-blade:
  HA Role: Primary
    HA Status: ACTIVE
    Status: VSB POWERED ON
    Location: PRIMARY
    SW version: NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  HA Role: Secondary
    HA Status: STANDBY
    Status: VSB POWERED ON
    Location: SECONDARY
    SW version: NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  VSB Info: Netscaler VPX

Following is the output in the shared mode:

switch(config-vsb-config)# sh virtual-service-blade name nsvsb1
virtual-service-blade nsvsb1
  Description:
  Slot id: 1
  Host Name: nsvsb1
  Management IP: 10.217.205.30
  VSB Type Name : NetScaler1000V-105523.1
  Configured vCPU: 2
  Operational vCPU: 2
  Configured Ramsize: 2048
  Operational Ramsize: 2048
  Disksize: 20
  Configured CryptoOffload Bandwidth: 0
  Operational CryptoOffload Bandwidth: 0
  Configured CryptoOffload VF: 0
  Operational CryptoOffload VF: 0
  Heartbeat: 68906

Legends: P - Passthrough
------------------------------------------------------------------------------------
Interface         Type        MAC              VLAN   State        Uplink-Interface
                                                      Pri   Sec    Oper      Adm
------------------------------------------------------------------------------------
VsbEthernet1/1    ns_intf_0   0002.3d71.0e82   1      up    up     Po1       Po1
                  internal NA NA NA up
VsbEthernet1/3    ns_intf_1   0002.3d71.0e83   11     up    up     Eth3(P)   Eth3(P)
VsbEthernet1/4    ns_intf_2   0002.3d71.0e84   12     up    up     Eth4(P)   Eth4(P)
VsbEthernet1/5    ns_intf_3   0002.3d71.0e85   13     down  down   Po1       Po1
VsbEthernet1/6    ns_intf_4   0002.3d71.0e86   14     down  down   Po1       Po1
VsbEthernet1/7    ns_intf_5   0002.3d71.0e87   15     down  down   Po1       Po1
VsbEthernet1/8    ns_intf_6   0002.3d71.0e88   16     down  down   Po1       Po1
VsbEthernet1/9    ns_intf_7   0002.3d71.0e89   17     down  down   Po1       Po1

virtual-service-blade:
  HA Role: Primary
    HA Status: ACTIVE
    Status: VSB POWERED ON
    Location: PRIMARY
    SW version: NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  HA Role: Secondary
    HA Status: STANDBY
    Status: VSB POWERED ON
    Location: SECONDARY
    SW version: NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  VSB Info: Netscaler VPX

3. Log on to NetScaler 1000V. Only one virtual CPU will be shown, because the license is not yet installed on the VSB.

switch(config-vsb-config)# login virtual-service-blade nsvsb1
Telnet escape character is '^\'.
Trying 127.1.0.18...
Connected to 127.1.0.18.
Escape character is '^\'.

login: nsroot
Password:
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.

Done
> sh ver
NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
Done
> stat cpu

CPU statistics
ID    Usage
1     0
Done
>

4. Verify the configuration of the primary NetScaler 1000V node.

> show node
1) Node ID: 0
   IP: 10.217.205.30 (ns-primary)
   Node State: UP
   Master State: Primary
   Fail-Safe Mode: OFF
   INC State: DISABLED
   Sync State: ENABLED
   Propagation: ENABLED
   Enabled Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
   Disabled Interfaces : None
   HA MON ON Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
   Interfaces on which heartbeats are not seen : 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
   Interfaces causing Partial Failure: None
   SSL Card Status: NOT PRESENT
   Hello Interval: 200 msecs
   Dead Interval: 3 secs
   Node in this Master State for: 0:0:8:20 (days:hrs:min:sec)
2) Node ID: 1
   IP: 10.217.205.31
   Node State: UP
   Master State: Secondary
   Fail-Safe Mode: OFF
   INC State: DISABLED
   Sync State: SUCCESS
   Propagation: ENABLED
   Enabled Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
   Disabled Interfaces : None
   HA MON ON Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
   Interfaces on which heartbeats are not seen : 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
   Interfaces causing Partial Failure: None
   SSL Card Status: NOT PRESENT

Local node information:
   Critical Interfaces: 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
Done

5. Shut down NetScaler 1000V. At the Nexus 1010/1110 console, type:

switch (config-vsb-config)# shut

6. Allocate resources for NetScaler 1000V on Nexus 1010/1110.

The following example allocates 4 vCPUs and 12288 MB of RAM.

switch (config-vsb-config)# numcpu 4
switch (config-vsb-config)# ramsize 12288

7. Restart NetScaler 1000V. At the Nexus 1010/1110 console, type:

switch (config-vsb-config)# no shut

8. Upload the license to the /nsconfig/license directory on NetScaler 1000V.

> shell
root@ns# cd /nsconfig/license
Copy the new license file to this directory.
>

9. Restart the virtual appliance.

> reboot
Are you sure you want to restart NetScaler (Y/N)? [N]:Y
Done
>

Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
Done
>

10. Verify that the resources are allocated according to the license installed. In the following example, three CPUs are allocated.

> stat cpu

CPU statistics
ID    Usage
3     0
2     0
1     0
Done
>

Configuring a Replacement Secondary Nexus Node

If you replace a failed secondary node, you must synchronize the configuration of the NetScaler 1000V VSB on the primary Nexus node to the new secondary Nexus node.

1. Enter enable secondary.

switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# virtual-service-blade nsvsb1
switch (config-vsb-config)# virtual-service-blade-type new NetScaler1000V-NEXUS-10.5-52.3_nc.ova
Note: Note: It can take awhile to finish OVA extract operation. Please be patient..
switch (config-vsb-config)# enable secondary
Enter vsb image: [NetScaler1000V-NEXUS-10.5-52.3_nc.ova]
NS HA [true/false]: [true]
Management IP version [V4|V6]: [V4]
Enter Primary IPv4 address: 10.217.205.30
Enter Primary subnet mask: 255.255.252.0
Primary IPv4 address of the default gateway: 10.217.204.1
Enter Secondary IPv4 address: [0.0.0.0] 10.217.205.31
Enter Secondary subnet mask: [0.0.0.0] 255.255.252.0
Enter secondary IPv4 address of the default gateway: [0.0.0.0] 10.217.204.1
Enter Primary HostName: ns-primary
Enter Secondary HostName: ns-secondary
Enter the password for 'nsroot': nsroot
----Details entered----
NS HA [true/false]: : true
Management IP version [V4|V6]: : V4
Enter Primary IPv4 address: : 10.217.205.30
Enter Primary subnet mask: : 255.255.252.0
Primary IPv4 address of the default gateway: : 10.217.204.1
Enter Secondary IPv4 address: : 10.217.205.31
Enter Secondary subnet mask: : 255.255.252.0
Enter secondary IPv4 address of the default gateway: : 10.217.204.1
Enter Primary HostName: : ns-primary
Enter Secondary HostName: : ns-secondary
Enter the password for 'nsroot': : nsroot
Do you want to continue installation with entered details (Y/N)? [Y]
Note: VSB installation is in progress, please use show virtual-service-blade commands to check the installation status.
Note: VSB installation may take upto 5 minutes.

2. Use the show command to verify that the VSB has installed correctly.


Following is the output in the pass-through mode:

switch(config-vsb-config)# sh virtual-service-blade name nsvsb1
virtual-service-blade nsvsb1
  Description:
  Slot id: 1
  Host Name: nsvsb1
  Management IP: 10.217.205.30
  VSB Type Name : NetScaler1000V-105523.1
  Configured vCPU: 2
  Operational vCPU: 2
  Configured Ramsize: 2048
  Operational Ramsize: 2048
  Disksize: 20
  Configured CryptoOffload Bandwidth: 0
  Operational CryptoOffload Bandwidth: 0
  Configured CryptoOffload VF: 0
  Operational CryptoOffload VF: 0
  Heartbeat: 68906

Legends: P - Passthrough
------------------------------------------------------------------------------------
Interface         Type        MAC              VLAN   State        Uplink-Interface
                                                      Pri   Sec    Oper      Adm
------------------------------------------------------------------------------------
VsbEthernet1/1    ns_intf_0   0002.3d71.0e82   1      up    up     Po1       Po1
                  internal NA NA up
VsbEthernet1/3    ns_intf_1   0002.3d71.0e83   11     up    up     Eth3(P)   Eth3(P)
VsbEthernet1/4    ns_intf_2   0002.3d71.0e84   12     up    up     Eth4(P)   Eth4(P)
VsbEthernet1/5    ns_intf_3   0002.3d71.0e85   13     down  down   Po1       Po1
VsbEthernet1/6    ns_intf_4   0002.3d71.0e86   14     down  down   Po1       Po1
VsbEthernet1/7    ns_intf_5   0002.3d71.0e87   15     down  down   Po1       Po1
VsbEthernet1/8    ns_intf_6   0002.3d71.0e88   16     down  down   Po1       Po1
VsbEthernet1/9    ns_intf_7   0002.3d71.0e89   17     down  down   Po1       Po1

virtual-service-blade:
  HA Role: Primary
    HA Status: ACTIVE
    Status: VSB POWERED ON
    Location: PRIMARY
    SW version: NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  HA Role: Secondary
    HA Status: STANDBY
    Status: VSB POWERED ON
    Location: SECONDARY
    SW version: NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  VSB Info: Netscaler VPX

Following is the output in the shared mode:

switch(config-vsb-config)# sh virtual-service-blade name nsvsb1
virtual-service-blade nsvsb1
  Description:
  Slot id: 1
  Host Name: nsvsb1
  Management IP: 10.217.205.30
  VSB Type Name : NetScaler1000V-105523.1
  Configured vCPU: 2
  Operational vCPU: 2
  Configured Ramsize: 2048
  Operational Ramsize: 2048
  Disksize: 20
  Configured CryptoOffload Bandwidth: 0
  Operational CryptoOffload Bandwidth: 0
  Configured CryptoOffload VF: 0
  Operational CryptoOffload VF: 0
  Heartbeat: 68906

Legends: P - Passthrough
------------------------------------------------------------------------------------
Interface         Type        MAC              VLAN   State        Uplink-Interface
                                                      Pri   Sec    Oper      Adm
------------------------------------------------------------------------------------
VsbEthernet1/1    ns_intf_0   0002.3d71.0e82   1      up    up     Po1       Po1
                  internal NA NA NA up
VsbEthernet1/3    ns_intf_1   0002.3d71.0e83   11     up    up     Eth3(P)   Eth3(P)
VsbEthernet1/4    ns_intf_2   0002.3d71.0e84   12     up    up     Eth4(P)   Eth4(P)
VsbEthernet1/5    ns_intf_3   0002.3d71.0e85   13     down  down   Po1       Po1
VsbEthernet1/6    ns_intf_4   0002.3d71.0e86   14     down  down   Po1       Po1
VsbEthernet1/7    ns_intf_5   0002.3d71.0e87   15     down  down   Po1       Po1
VsbEthernet1/8    ns_intf_6   0002.3d71.0e88   16     down  down   Po1       Po1
VsbEthernet1/9    ns_intf_7   0002.3d71.0e89   17     down  down   Po1       Po1

virtual-service-blade:
  HA Role: Primary
    HA Status: ACTIVE
    Status: VSB POWERED ON
    Location: PRIMARY
    SW version: NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  HA Role: Secondary
    HA Status: STANDBY
    Status: VSB POWERED ON
    Location: SECONDARY
    SW version: NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  VSB Info: Netscaler VPX

3. Log on to NetScaler 1000V. Only one virtual CPU will be shown, because the license is not yet installed on the VSB.

switch(config-vsb-config)# login virtual-service-blade nsvsb1
Telnet escape character is '^\'.
Trying 127.1.0.18...
Connected to 127.1.0.18.
Escape character is '^\'.

login: nsroot
Password:
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.

Done
> sh ver
NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
Done
> stat cpu

CPU statistics
ID    Usage
1     0
Done
>

4. Verify the configuration of the primary NetScaler 1000V node.

> show node
1) Node ID: 0
   IP: 10.217.205.30 (ns-primary)
   Node State: UP
   Master State: Primary
   Fail-Safe Mode: OFF
   INC State: DISABLED
   Sync State: ENABLED
   Propagation: ENABLED
   Enabled Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
   Disabled Interfaces : None
   HA MON ON Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
   Interfaces on which heartbeats are not seen : 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
   Interfaces causing Partial Failure: None
   SSL Card Status: NOT PRESENT
   Hello Interval: 200 msecs
   Dead Interval: 3 secs
   Node in this Master State for: 0:0:8:20 (days:hrs:min:sec)
2) Node ID: 1
   IP: 10.217.205.31
   Node State: UP
   Master State: Secondary
   Fail-Safe Mode: OFF
   INC State: DISABLED
   Sync State: SUCCESS
   Propagation: ENABLED
   Enabled Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
   Disabled Interfaces : None
   HA MON ON Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
   Interfaces on which heartbeats are not seen : 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
   Interfaces causing Partial Failure: None
   SSL Card Status: NOT PRESENT

Local node information:
   Critical Interfaces: 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
Done

5. Shut down NetScaler 1000V. At the Nexus 1010/1110 console, type:

switch (config-vsb-config)# shut

6. Allocate resources for NetScaler 1000V on Nexus 1010/1110.

The following example allocates 4 vCPUs and 12288 MB of RAM.

switch (config-vsb-config)# numcpu 4
switch (config-vsb-config)# ramsize 12288

7. Restart NetScaler 1000V. At the Nexus 1010/1110 console, type:

switch (config-vsb-config)# no shut

8. Upload the license to the /nsconfig/license directory on NetScaler 1000V.

> shell
root@ns# cd /nsconfig/license
Copy the new license file to this directory.
>

9. Restart the virtual appliance.

> reboot
Are you sure you want to restart NetScaler (Y/N)? [N]:Y
Done
>

Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
Done
>

10. Verify that the resources are allocated according to the license installed. In the following example, three CPUs are allocated.

> stat cpu

CPU statistics
ID    Usage
3     0
2     0
1     0
Done
>

Installing an SSL Card as a Field Replacement Unit (FRU)

Installing a separate SSL card offloads the SSL encryption process to a separate hardware card, which results in better SSL performance. The following table lists the Nexus I/O configurations for which an SSL card can be installed.

S.No   Model         Fixed LoM   PCIe Slot (full height)   PCIe Slot (half height)
1      Nexus 1110x   2x1G        SSL card                  4x1G
2      Nexus 1110x   2x1G        2 x 10G SFP+              SSL card

Complete the following steps to install the SSL card in the PCIe slot of Nexus 1110x. The steps describe replacing the 1G card of Nexus 1110x with the SSL card.

Prerequisite: Make sure that the FRU kit is shipped with the full height bracket. The full height bracket is required if you are planning to install the SSL card in the full height slot.


1. Shut down the Nexus 1110x appliance.

2. Remove the top cover of the appliance. To remove the top cover, loosen the green rear top cover screw and push down and out on the green tabs.

3. Locate the PCIe slot 2 on the back panel of the appliance.

4. Lift out the quad port 1G card from the PCIe slot 2 and remove it from the riser card.

5. Insert the SSL card into the riser card, and then insert the riser card back into the PCIe slot 2.

6. Re-install the top cover and tighten the green top cover screw.

7. Power on the appliance.

After the SSL card is installed, allocate bandwidth for crypto-offload based on your license type. For example, if you are using a 1GBPS license, allocate a bandwidth of 1000 MB.


Allocating bandwidth for crypto-offload

To allocate bandwidth, type the crypto-offload <tps value in MB> command at the command line interface.

Switch(config)# virtual-service-blade vpx1263
Switch(config-vsb-config)# crypto-offload ?
  <10-30000>  Bandwidth in MB
Switch(config-vsb-config)# crypto-offload 1000

If the VSB is already switched on but a virtual function (VF) is not assigned, complete the following steps to assign a VF to the VSB:

1. Shut down the VSB.

Nexus-01-M(config)# virtual-service-blade vpx1263
Nexus-01-M(config-vsb-config)# shutdown

2. Type the crypto-offload <tps value in MB> command at the command line interface.

3. Power on the VSB.

Nexus-01-M(config)# virtual-service-blade vpx1263
Nexus-01-M(config-vsb-config)# no shutdown

Installing NetScaler 1000V Virtual Appliances on Linux-KVM Platform

To set up NetScaler VPX for the Linux-KVM platform, you can use the graphical Virtual Machine Manager (Virt-Manager) application. If you prefer the Linux-KVM command line, you can use the virsh program.

The host Linux operating system must be installed on suitable hardware by using virtualization tools such as KVM Module and QEMU. The number of virtual machines (VMs) that can be deployed on the hypervisor depends on the application requirement and the chosen hardware.

You can provision a NetScaler 1000V instance in the following two environments:

• OpenStack environment

• Linux-KVM platform. You can use either of the following tools to install NetScaler 1000V on a Linux-KVM platform:

    • Virtual Machine Manager

    • Virsh

After you provision a NetScaler virtual appliance, you can add additional interfaces.


Prerequisites for Installing NetScaler VPX Virtual Appliances on Linux-KVM Platform

Networking Requirements

NetScaler VPX supports only virtIO para-virtualized network interfaces.

Source Interface and Modes

The source device type can be either Bridge or MacVTap. In case of MacVTap, four modes are possible: VEPA, Bridge, Private, and Pass-through.

The following tables list the types of interfaces that you can use and the supported traffic types.

For best performance by the NetScaler instance, make sure that the gro and lro capabilities are switched off on the source interfaces.

Table 1-1. Interface Types

Interface Type: Source: Bridge
Considerations:
• Linux Bridge.
• Ebtables and iptables settings on host Linux might filter the traffic on the bridge if you do not choose the correct setting or disable iptables services.

Interface Type: Source: MacVTap, Mode: VEPA
Considerations:
• Better performance than a bridge.
• Interfaces from the same lower device can be shared across the VMs.
• Inter-VM communication using the same lower device is possible only if upstream or downstream switch supports VEPA mode.

Interface Type: Source: MacVTap, Mode: Private
Considerations:
• Better performance than a bridge.
• Interfaces from the same lower device can be shared across the VMs.
• Inter-VM communication using the same lower device is not possible.

Interface Type: Source: MacVTap, Mode: Bridge
Considerations:
• Better as compared to bridge.
• Interfaces out of same lower device can be shared across the VMs.
• Inter-VM communication using the same lower device is possible, if lower device link is UP.

Interface Type: Source: MacVTap, Mode: Pass-through
Considerations:
• Better as compared to bridge.
• Interfaces out of same lower device cannot be shared across the VMs.
• Only one VM can use the lower device.

S - Supported.

NS - Not Supported.

Properties of Source Interfaces

Make sure that you switch off the generic-receive-offload (gro) and large-receive-offload (lro) capabilities of the source interfaces. To switch off the gro and lro capabilities, run the following commands at the host Linux shell prompt.

ethtool -K eth6 gro off

ethtool -K eth6 lro off

Example

[root@localhost ~]# ethtool -k eth6
Offload parameters for eth6:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off
receive-hashing: on
[root@localhost ~]#

Example


If the host Linux bridge is used as a source device, as in the following example, gro and lro capabilities must be switched off on the vnet interfaces, which are the virtual interfaces connecting the host to the guest VMs.

[root@localhost ~]# brctl show eth6_br
bridge name     bridge id               STP enabled     interfaces
eth6_br         8000.00e0ed1861ae       no              eth6
                                                        vnet0
                                                        vnet2
[root@localhost ~]#

In the above example, the two virtual interfaces are derived from eth6_br and are represented as vnet0 and vnet2. Run the following commands to switch off gro and lro capabilities on these interfaces.

ethtool -K vnet0 gro off
ethtool -K vnet2 gro off
ethtool -K vnet0 lro off
ethtool -K vnet2 lro off

Module Required

For better network performance, make sure the vhost_net module is present in the Linux host. To check for the vhost_net module, run the following command on the Linux host:

lsmod | grep "vhost_net"

If vhost_net is not yet running, enter the following command to run it:

modprobe vhost_net

Limitations and Usage Guidelines

General Recommendations

To avoid unpredictable behavior, apply the following recommendations:

• Do not change the MTU of the vnet interface associated with the NetScaler VM. Shut down the NetScaler VM before modifying any configuration parameters, such as Interface modes or CPU.
• Do not force a shutdown of the NetScaler VM. That is, do not use the Force off command.
• Any configurations done on the host Linux might or might not be persistent, depending on your Linux distribution settings. You can choose to make these configurations persistent to ensure consistent behavior across reboots of the host Linux operating system.
• The .raw file has to be unique for each NetScaler VPX instance provisioned.


Limitations

A NetScaler VPX setup on the NS 1000V-KVM platform has the following limitations:

• VLAN tagging is not supported on NetScaler VPX operating in MacVTap-Bridge, MacVTap-Private, MacVTap-VEPA, or MacVTap-Passthrough interface mode.
• LACP is not supported on NetScaler VPX operating in Bridge, MacVTap-Bridge, MacVTap-Private, or MacVTap-VEPA interface mode.
• Live Migration of the NetScaler VPX running on KVM is not supported.
• When a VLAN tagged packet destined for a guest VM is received on an Intel IXGBE 10G interface of a KVM host running on Red Hat Enterprise Linux (RHEL) 6.4, the IXGBE driver of this distribution strips the VLAN tag before sending it to the guest VM (in this case, NetScaler VPX). Because of this host behavior, a NetScaler VPX instance running on RHEL 6.4 does not receive the intended VLAN tagged packets.

Provisioning the NetScaler 1000V Virtual Appliance by using OpenStack

You can provision a NetScaler 1000V instance in an OpenStack environment by using either the OpenStack command line interface or the OpenStack dashboard (GUI).

Provisioning a NetScaler instance optionally involves using data from the config drive. The config drive is a special configuration drive that attaches to the instance when it boots. It can be used to pass networking configuration, such as the management IP address, network mask, and default gateway, which the instance can mount and access before you configure the network settings for the instance.

When OpenStack provisions a NetScaler instance, it confirms the presence of the config drive by reading the label information on the attached drive. The drive should have a specific OpenStack label.

If the config drive is detected, the instance attempts to read the following information from the file name specified in the nova boot command. In the steps mentioned below, the file is referred to as userdata:

• Management IP address
• Network mask
• Default gateway

Once the parameters are successfully read, they are populated in the NetScaler stack. This helps in managing the instance remotely. If the parameters are not read successfully or the config drive is not available, the instance transitions to the default behavior, which is:

• The instance attempts to retrieve the IP address information from DHCP.
• If DHCP fails or times out, the instance comes up with the default network configuration (192.168.100.1/16).


Provisioning the NetScaler 1000V Virtual Appliance by using OpenStack Using Command Line Interface

You can provision a NetScaler appliance in an OpenStack environment. Provisioning a NetScaler Virtual Appliance on OpenStack involves the following three steps:

1. Extracting the .raw file from the .ova file

2. Building an OpenStack image from the raw image

3. Provisioning a NetScaler instance

To provision a NetScaler instance in an OpenStack environment, complete the following steps:

1. Extract the .raw file from the .ova file.

tar xvzf NetScaler1000V-KVM-10.5-49.3_nc.ova
NetScaler1000V-KVM.xml
NetScaler1000V-KVM-10.5-49.3_nc.raw
checksum.txt

2. Build an OpenStack image using the .raw file extracted in step 1.

glance image-create --name="NS-VPX-10-1-127-1" --property hw_disk_bus=ide --is-public=true --container-format=bare --disk-format=raw < NetScaler1000V-KVM-10.1-127.1_nc.raw

In the above command, NS-VPX-10-1-127-1 is the name of the OpenStack image that you want to create. NetScaler1000V-KVM-10.1-127.1_nc.raw is the raw file that was extracted from the ova file. The raw file is the input for creating the OpenStack image.

The following illustration provides a sample output for the glance image-create command.


3. After an OpenStack image is created, provision the NetScaler virtual appliance instance.

nova boot --image NS-VPX-10-1-127-1 --config-drive=true --user-data ./userdata.txt --flavor m1.medium --nic net-id=b8c5acee-36b7-4517-af0e-80f8729aa82e vpx10_1_u

In the above command, userdata.txt is the file that contains details such as the IP address, netmask, and default gateway for the NetScaler instance. The userdata file is a user customizable file. vpx10_1_u is the name of the virtual appliance that you want to provision.

The following illustration gives a sample output of the nova boot command.


The following illustration shows a sample of the xml file. The values within the <PropertySection> </PropertySection> tags are user configurable and hold information such as the IP address, netmask, and default gateway.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Environment xmlns:oe="http://schemas.dmtf.org/ovf/environment/1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    oe:id=""
    xmlns="http://schemas.dmtf.org/ovf/environment/1">
  <PlatformSection>
    <Kind>NOVA</Kind>
    <Version>2013.1</Version>
    <Vendor>Openstack</Vendor>
    <Locale>en</Locale>
  </PlatformSection>
  <PropertySection>
    <Property oe:key="com.citrix.netscaler.ovf.version" oe:value="1.0"/>
    <Property oe:key="com.citrix.netscaler.platform" oe:value="ns1000v"/>
    <Property oe:key="com.citrix.netscaler.orch_env" oe:value="cisco-orch-env"/>
    <Property oe:key="com.citrix.netscaler.mgmt.ip" oe:value="10.102.38.82"/>
    <Property oe:key="com.citrix.netscaler.mgmt.netmask" oe:value="255.255.255.0"/>
    <Property oe:key="com.citrix.netscaler.mgmt.gateway" oe:value="10.102.38.1"/>
  </PropertySection>
</Environment>
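A pre-flight check for the userdata file, added here as an example (it is not code from this guide or from the product): because a file that cannot be read makes the instance fall back to DHCP and then to the default 192.168.100.1/16 address, it confirms that the three management properties parse and agree with each other before nova boot is run. The function names and the consistency rules are assumptions of this example, and the sample document is constructed from the values shown above.

```python
import ipaddress
import xml.etree.ElementTree as ET

OE_NS = "http://schemas.dmtf.org/ovf/environment/1"
KEY_PREFIX = "com.citrix.netscaler.mgmt."
REQUIRED = ("ip", "netmask", "gateway")

# Constructed sample in the layout of the guide's userdata file.
SAMPLE_USERDATA = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Environment xmlns:oe="http://schemas.dmtf.org/ovf/environment/1"
             xmlns="http://schemas.dmtf.org/ovf/environment/1" oe:id="">
<PlatformSection>
<Kind>NOVA</Kind><Version>2013.1</Version>
<Vendor>Openstack</Vendor><Locale>en</Locale>
</PlatformSection>
<PropertySection>
<Property oe:key="com.citrix.netscaler.ovf.version" oe:value="1.0"/>
<Property oe:key="com.citrix.netscaler.platform" oe:value="ns1000v"/>
<Property oe:key="com.citrix.netscaler.orch_env" oe:value="cisco-orch-env"/>
<Property oe:key="com.citrix.netscaler.mgmt.ip" oe:value="10.102.38.82"/>
<Property oe:key="com.citrix.netscaler.mgmt.netmask" oe:value="255.255.255.0"/>
<Property oe:key="com.citrix.netscaler.mgmt.gateway" oe:value="10.102.38.1"/>
</PropertySection>
</Environment>
"""


def read_mgmt_settings(xml_text):
    """Return the com.citrix.netscaler.mgmt.* properties as a dict."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    settings = {}
    # Elements and the oe:key / oe:value attributes share one namespace.
    for prop in root.iter(f"{{{OE_NS}}}Property"):
        key = prop.get(f"{{{OE_NS}}}key", "")
        if key.startswith(KEY_PREFIX):
            value = prop.get(f"{{{OE_NS}}}value", "").strip()
            settings[key[len(KEY_PREFIX):]] = value
    return settings


def validate_userdata(xml_text):
    """Return a list of problems; an empty list means the file is usable."""
    try:
        settings = read_mgmt_settings(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    missing = [name for name in REQUIRED if not settings.get(name)]
    if missing:
        return [f"missing or empty property {KEY_PREFIX}{name}" for name in missing]
    try:
        ip = ipaddress.IPv4Address(settings["ip"])
        gateway = ipaddress.IPv4Address(settings["gateway"])
        # strict=False: the management IP is a host address, not a network.
        network = ipaddress.IPv4Network(f"{ip}/{settings['netmask']}", strict=False)
    except ValueError as exc:
        return [f"invalid address or netmask: {exc}"]
    problems = []
    edges = (network.network_address, network.broadcast_address)
    if network.prefixlen < 31 and ip in edges:
        problems.append(f"management IP {ip} is the network or broadcast address of {network}")
    if gateway not in network:
        problems.append(f"gateway {gateway} is outside {network}")
    if gateway == ip:
        problems.append("gateway and management IP are the same address")
    return problems


if __name__ == "__main__":
    for line in validate_userdata(SAMPLE_USERDATA) or ["userdata OK"]:
        print(line)
```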

Provisioning the NetScaler 1000V Virtual Appliance by using OpenStack Dashboard

You can provision NetScaler in an OpenStack environment by using the OpenStack dashboard.

1. Log in to the OpenStack dashboard.

2. In the Project panel on the left hand side of the dashboard, select Instances.

3. In the Instances panel, click Launch Instance to open the Instance Launching Wizard.

4. In the Launch Instance wizard, fill in the details, like:

a. Instance Name

b. Instance Flavor

c. Instance Count

d. Instance Boot Source

e. Image Name


5. Click on the Post Creation tab in the wizard. In the Customization Script, add the content of the userdata file. The userdata file contains the IP address, Netmask and Gateway details of the NetScaler 1000V instance.

6. Click Launch.

Provisioning the NetScaler Virtual Appliance by using the Virtual Machine Manager

The Virtual Machine Manager is a desktop tool for managing VM Guests. It enables you to create new VM Guests and various types of storage, and manage virtual networks. You can access the graphical console of VM Guests with the built-in VNC viewer and view performance statistics, either locally or remotely.

After installing your preferred Linux distribution, with KVM virtualization enabled, you can proceed with provisioning virtual machines.

To provision a NetScaler VPX VM by using Virtual Machine Manager

1. Open the Virtual Machine Manager (Application > System Tools > Virtual Machine Manager) and enter the logon credentials in the Authenticate window.

2. Click the icon or right-click localhost (QEMU) to create a new NetScaler VPX instance.


3. In the Name text box, enter a name for the new VM (for example, NetScaler-VPX).

4. In the New VM window, under "Choose how you would like to install the operating system," select Import existing disk image, and then click Forward.


5. In the Provide the existing storage path field, navigate the path to the image. Choose the OS type as UNIX and Version as FreeBSD 6.x. Then, click Forward.

6. Under "Choose Memory and CPU settings," select the following settings, and then click Forward:

• Memory (RAM)— 2048 MB

• CPUs— 2


7. Select the Customize configuration before install check box. Optionally, under "Advanced options," you can customize the MAC address. Make sure the Virt Type selected is kvm and the Architecture selected is x86_64. Click Finish.


8. Select a NIC and provide the following configuration:

• Source device— ethX macvtap or Bridge

• Device model— virtio

• Source mode— Bridge


9. Click Apply, and then click Begin Installation.

Adding Additional Interfaces to NetScaler VPX by using Virtual Machine Manager

After you have provisioned the NetScaler VPX on KVM, you can add additional interfaces.

To add additional interfaces

1. Shut down the NetScaler VPX instance running on the KVM.

2. Right-click the VPX instance and choose Open from the pop-up menu.

3. Click the icon in the header to view the virtual hardware details.

4. Click Add Hardware. In the Add New Virtual Hardware window, select Network from the navigation menu.


5. In the Host Device field, select the physical interface type. The host device type can be either Bridge or MacVTap. For MacVTap, the four possible modes are VEPA, Bridge, Private and Pass-through.

a. For Bridge

i. Host device— Select the "Specify shared device name" option.

ii. Provide the Bridge name that is configured in the KVM host.

Note: Make sure that you have configured a Linux bridge in the KVM host, bound the physical interface to the bridge, and put the bridge in the UP state.


iii. Device model—virtio.

iv. Click Finish.

b. For MacVTap

i. Host device—Select the physical interface from the menu.

ii. Device model—virtio.


iii. Click Finish. You can view the newly added NIC in the navigation pane.


iv. Select the newly added NIC and select the Source mode for this NIC. The available modes are VEPA, Bridge, Private, and Passthrough. For more details on the interface and modes, see Source Interface and Modes.

v. Click Apply.

6. Start the NetScaler VPX VM.

Provisioning the NetScaler Virtual Appliance by using the virsh Program

The virsh program is a command line tool for managing VM Guests. Its functionality is similar to that of Virtual Machine Manager. It enables you to change a VM Guest's status (start, stop, pause, and so on), to set up new Guests and devices, and to edit existing configurations. The virsh program is also useful for scripting VM Guest management operations.

To provision NetScaler VPX by using the virsh program

1. Use the tar command to untar the NetScaler VPX package. The NSVPX-KVM-*_nc.tgz package contains the following components:


• The Domain XML file specifying VPX attributes [NSVPX-KVM-*_nc.xml]

• Check sum of NS-VM Disk Image [Checksum.txt]

• NS-VM Disk Image [NSVPX-KVM-*_nc.raw]

Example:

tar -xvzf NSVPX-KVM-10.1-117_nc.tgz
NSVPX-KVM-10.1-117_nc.xml
NSVPX-KVM-10.1-117_nc.raw
checksum.txt

2. Copy the NSVPX-KVM-*_nc.xml XML file to a file named <DomainName>-NSVPX-KVM-*_nc.xml. The <DomainName> is also the name of the virtual machine.

Example:

cp NSVPX-KVM-10.1-117_nc.xml NetScaler-VPX-NSVPX-KVM-10.1-117_nc.xml

3. Edit the <DomainName>-NSVPX-KVM-*_nc.xml file to specify the following parameters:

• name— Specify the name.

• mac— Specify the MAC address.

Note: The domain name and the MAC address have to be unique.

• sourcefile— Specify the absolute disk-image source path. The file path has to be absolute. In this example, the disk image is at the following location: /root/NSVPX-KVM-10.1-117_nc.raw.

Example:

<name>NetScaler-VPX</name>
<mac address='52:54:00:29:74:b3'/>
<source file='/root/NSVPX-KVM-10.1-117_nc.raw'/>

4. Edit the <DomainName>-NSVPX-KVM-*_nc.xml file to configure the networking details:

• source dev— specify the interface.

• mode— specify the mode. The default interface is MacVTap Bridge.

Example:

Mode: MacVTap Bridge
Set target interface as ethx and mode as bridge
Model type as virtio

<interface type='direct'>
  <mac address='52:54:00:29:74:b3'/>
  <source dev='eth0' mode='bridge'/>
  <target dev='macvtap0'/>
  <model type='virtio'/>
  <alias name='net0'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>

Here, eth0 is the physical interface attached to the VM.

5. Define the VM attributes in the <DomainName>-NSVPX-KVM-*_nc.xml file by using the following command:

virsh define <DomainName>-NSVPX-KVM-*_nc.xml

Example:

virsh define NS-VPX-NSVPX-KVM-10.1-117_nc.xml

6. Start the VM by entering the following command:

virsh start [<DomainName> | <DomainUUID>]

Example:

virsh start NetScaler-VPX

7. Connect to the Guest VM through the console:

virsh console [<DomainName> | <DomainUUID> | <DomainID>]

Example:

virsh console NetScaler-VPX

Adding Additional Interfaces to NetScaler VPX using virsh Program

After you have provisioned the NetScaler VPX on KVM, you can add additional interfaces.

To add additional interfaces

1. Shut down the NetScaler VPX instance running on the KVM.

2. Edit the <DomainName>-NSVPX-KVM-*_nc.xml file using the command:

virsh edit [<DomainName> | <DomainUUID>]

3. In the <DomainName>-NSVPX-KVM-*_nc.xml file, append the following parameters:

a. For MacVTap

• Interface type— Specify the interface type as 'direct'.
• Mac address— Specify the MAC address and make sure the MAC address is unique across the interfaces.
• source dev— Specify the interface name.
• mode— Specify the mode; the modes supported are Bridge, VEPA, Private, and Pass-through.
• model type— Specify the model type as virtio.

Example:

Mode: MacVTap Pass-through

Set target interface as ethx, Mode as bridge, and model type as virtio

<interface type='direct'>
  <mac address='52:54:00:29:74:b3'/>
  <source dev='eth1' mode='passthrough'/>
  <model type='virtio'/>
</interface>

Here eth1 is the physical interface attached to the VM.

b. For Bridge Mode

Note: Make sure that you have configured a Linux bridge in the KVM host, bound the physical interface to the bridge, and put the bridge in the UP state.

• Interface type— Specify the interface type as 'bridge'.
• Mac address— Specify the MAC address and make sure the MAC address is unique across the interfaces.
• source bridge— Specify the bridge name.
• model type— Specify the model type as virtio.

Example: Bridge Mode

<interface type='bridge'>
  <mac address='52:54:00:2d:43:a4'/>
  <source bridge='br0'/>
  <model type='virtio'/>
</interface>
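A consistency check for edited domain XML files, added here as an example (it is not part of the NetScaler package or of libvirt): before virsh define, it applies the rules stated in the virsh provisioning and interface sections above, namely unique domain names, MAC addresses and .raw images, an absolute disk path, virtio models, the listed MacVTap modes, and one VM per pass-through lower device. The function name and the two domain definitions are constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

MACVTAP_MODES = {"bridge", "vepa", "private", "passthrough"}

# Constructed definitions, trimmed to the elements the guide edits.
DOMAIN_A = """<domain type='kvm'>
  <name>NetScaler-VPX</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/root/NSVPX-KVM-10.1-117_nc.raw'/>
    </disk>
    <interface type='direct'>
      <mac address='52:54:00:29:74:b3'/>
      <source dev='eth0' mode='bridge'/>
      <model type='virtio'/>
    </interface>
    <interface type='direct'>
      <mac address='52:54:00:29:74:B3'/>
      <source dev='eth1' mode='passthrough'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>"""

DOMAIN_B = """<domain type='kvm'>
  <name>NetScaler-VPX-2</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='NSVPX-KVM-10.1-117_nc.raw'/>
    </disk>
    <interface type='direct'>
      <mac address='52:54:00:2d:43:a5'/>
      <source dev='eth1' mode='passthrough'/>
      <model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:2d:43:a4'/>
      <source bridge='br0'/>
      <model type='e1000'/>
    </interface>
  </devices>
</domain>"""


def check_domains(xml_docs):
    """Return a list of problems found across the given domain XML strings."""
    problems = []
    names, macs, lower_devs, images = (defaultdict(list) for _ in range(4))
    for doc in xml_docs:
        root = ET.fromstring(doc)
        name = (root.findtext("name") or "").strip() or "<unnamed>"
        names[name].append(name)
        for src in root.findall("./devices/disk/source[@file]"):
            path = src.get("file")
            images[path].append(name)
            if not path.startswith("/"):
                problems.append(f"{name}: disk source '{path}' is not an absolute path")
        for nic in root.findall("./devices/interface"):
            kind = nic.get("type")
            mac, src, model = nic.find("mac"), nic.find("source"), nic.find("model")
            attrs = src.attrib if src is not None else {}
            if mac is None or not mac.get("address"):
                problems.append(f"{name}: {kind} interface has no MAC address")
            else:
                macs[mac.get("address").lower()].append(name)  # case-insensitive
            if kind == "direct":  # MacVTap
                if not attrs.get("dev"):
                    problems.append(f"{name}: direct interface has no source dev")
                if attrs.get("mode") not in MACVTAP_MODES:
                    problems.append(f"{name}: unsupported mode {attrs.get('mode')!r}")
                if attrs.get("mode") == "passthrough" and attrs.get("dev"):
                    lower_devs[attrs["dev"]].append(name)
            elif kind == "bridge":
                if not attrs.get("bridge"):
                    problems.append(f"{name}: bridge interface has no source bridge")
            else:
                problems.append(f"{name}: interface type {kind!r} is not 'direct' or 'bridge'")
            if model is None or model.get("type") != "virtio":
                found = model.get("type") if model is not None else None
                problems.append(f"{name}: interface model is {found!r}, expected 'virtio'")
    # Values that must not repeat, within one domain or across domains.
    for label, table in (("domain name", names), ("MAC address", macs),
                         ("pass-through lower device", lower_devs),
                         ("disk image", images)):
        for value, owners in table.items():
            if len(owners) > 1:
                problems.append(
                    f"{label} {value} is used {len(owners)} times: {', '.join(owners)}")
    return problems


if __name__ == "__main__":
    for line in check_domains([DOMAIN_A, DOMAIN_B]) or ["no problems found"]:
        print(line)
```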

Installing NetScaler 1000V Virtual Appliances on VMware ESX

Important: You cannot install standard VMware Tools or upgrade the VMware Tools version available on a NetScaler virtual appliance. VMware Tools for a NetScaler virtual appliance are delivered as part of the NetScaler software release.

Before installing NetScaler 1000V virtual appliances on VMware ESX, make sure that VMware ESX Server is installed on a machine with adequate system resources. To install NetScaler 1000V on VMware ESXi version 5.0 or 5.1, you use VMware vSphere client. The client or tool must be installed on a remote machine that can connect to VMware ESX through the network.

Note: NetScaler 1000V is supported on both the VMware ESX and the VMware ESXi hypervisor, and is shipped with virtual hardware version 4.

After you install NetScaler 1000V on VMware ESX version 5.0 or 5.1, set up vPath on the new VM so that it can communicate with the servers. For more information about vPath, see "Setting Up vPath on the NetScaler 1000V."

Prerequisites for Installing NetScaler Virtual Appliances on VMware

Before you begin installing a virtual appliance, do the following:

• Install VMware ESX version 5.0 or later on hardware that meets the minimum requirements.
• Install VMware Client on a management workstation that meets the minimum system requirements.
• Download the NetScaler setup files.
• Label the physical network ports of VMware ESX.

Installing NetScaler 1000V on VMware ESX 5.0 or 5.1

After you have installed and configured VMware ESX 5.0 or 5.1, you can use the VMware vSphere client to install NetScaler 1000V on VMware ESX. The number of virtual appliances that you can install depends on the amount of memory available on the hardware that is running VMware ESX.

To install NetScaler 1000V on VMware ESX 5.0 or 5.1 by using VMware vSphere Client

1. On your workstation, start the VMware vSphere client.

2. In the IP address / Name text box, type the IP address of the VMware ESX server that you want to connect to.

3. In the User Name and Password text boxes, type the administrator credentials, and then click Login.


4. On the File menu, click Deploy OVF Template.

5. In the Deploy OVF Template dialog box, in Deploy from file, browse to the location at which you saved the NetScaler virtual appliance setup files, select the .ova file, and click Next.


6. Verify the details.


7. Specify a name for the virtual appliance.


8. Select a virtual disk format.


9. Map the networks shown in the OVF template to the networks that you configured on the ESX host.


10. Review settings and select Power on after deployment to power on the virtual appliance.


11. Click Finish to start installing the virtual appliance. When installation is complete, a pop-up window informs you of successful installation.

12. Optional: If you did not select Power on after deployment in step 10, right-click the virtual appliance, and select Power > Power On.


13. Click the Console tab, which emulates a console port, and assign an IP address, subnet mask, and gateway for the virtual appliance. When finished, select 4. Save and quit.

Verifying NetScaler 1000V Installation on VMware ESX

After installing NetScaler 1000V, type the NetScaler IP address in a web browser and log on to the NetScaler 1000V virtual appliance. In addition, from the vSphere console, verify that NetScaler 1000V is powered on.

Installing the License and Verifying the Resources

You can use NetScaler 1000V without a license for 120 days, with throughput limited to 500 Mbps. The trial usage period begins with installation. If you have purchased a license, install it after verifying that NetScaler 1000V has been correctly installed. You can install the license by using the command line interface (CLI) or the configuration utility (GUI).

To install the license and verify the resources by using the command line interface

1. Shut down the NetScaler 1000V appliance. At the Nexus 1010/1110 console, type:

switch (config-vsb-config)# shut

2. Allocate resources for NetScaler 1000V on Nexus 1010/1110.

The following example allocates 4 vCPUs and 12288 MB of RAM.

switch (config-vsb-config)# numcpu 4
switch (config-vsb-config)# ramsize 12288

3. Restart the NetScaler 1000V appliance. At the Nexus 1010/1110 console, type:

switch (config-vsb-config)# no shut


4. Upload the license to the /nsconfig/license directory on NetScaler 1000V.

> shell
root@ns# cd /nsconfig/license
Copy the new license file to this directory.
>

5. Restart the virtual appliance.

> reboot
Are you sure you want to restart NetScaler (Y/N)? [N]:Y
Done
>

Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
 Done
>

6. Verify that the resources are allocated according to the license installed. In the following example, three CPUs are allocated.

> stat cpu

CPU statistics
ID      Usage
 3          0
 2          0
 1          0
 Done
>

To install the license and verify the resources by using the configuration utility

1. On the Configuration tab, navigate to System > Licenses.

2. In the details pane, click Manage Licenses.

3. Click Update Licenses.

4. Click Browse. Navigate to the location of the license files, select the license file, and then click Open.

5. Click Reboot to apply the license.

6. In the Reboot dialog box, click OK to proceed with the changes, or click Close to cancel the changes.

7. In a web browser, type the IP address of the NetScaler 1000V virtual appliance.

8. In User Name and Password, type the administrator credentials.

9. On the Dashboard tab, click the arrow next to System Overview and select CPU. Verify that the resources are allocated according to the license installed.


Upgrading to a Later Build within Release

To upgrade from an earlier build to a later build on a standalone NetScaler appliance or a high availability pair, you can use the configuration utility or the command line interface. You use the same basic procedure to upgrade either a standalone appliance or each appliance in a high availability pair, although additional considerations apply to upgrading a high availability pair.

Upgrading a Standalone NetScaler Appliance to a Later Build

In the following procedure, <targetbuildnumber> is the build number that you are upgrading to within the release. The procedure includes optional steps to avoid losing any updates that are pushed to the /etc directory during the upgrade.

To upgrade a standalone NetScaler appliance running release to a later build by using the command line interface

1. Use an SSH client, such as PuTTY, to open an SSH connection to the appliance.

2. Log on to the appliance by using the administrator credentials, and save the running configuration. At the prompt, type:

save ns config

3. Create a copy of the ns.conf file. At the shell prompt, type:

a. cd /nsconfig

b. cp ns.conf ns.conf.NS<releasenumber><currentbuildnumber>

You should back up the configuration file to another computer.

4. (Optional) If you have modified any of the following files in the /etc directory, and copied them to /nsconfig to maintain persistency, any updates that are pushed to the /etc directory during the upgrade might be lost:

• ttys

• resolv.conf

• sshd_config

• host.conf

• newsyslog.conf

• host.conf

• httpd.conf

• rc.conf

• syslog.conf


• crontab

• monitrc

To avoid losing these updates, create a /var/nsconfig_backup directory, and move the customized files to this directory. That is, move any files that you modified in the /etc directory and copied to /nsconfig, by running the following command:

mv /nsconfig/<filename> /var/nsconfig_backup

Example:

mv /nsconfig/syslog.conf /var/nsconfig_backup

5. Create a location for the installation package. At the shell prompt, type:

a. cd /var/nsinstall

b. mkdir <releasenumber>nsinstall

c. cd <releasenumber>nsinstall

d. mkdir build_<targetbuildnumber>

e. cd build_<targetbuildnumber>

6. Download or copy the installation package to this directory.

7. Extract the contents of the installation package.

Example:

tar -xvzf build_10.1-121.10_nc.tgz

8. Run the installns script to install the new version of the system software.

The script updates the /etc directory.

9. When prompted, restart the appliance.

10. (Optional) If you performed step 4, do the following:

a. Manually compare the files in /var/nsconfig_backup and /etc and make appropriate changes in /etc.

b. To maintain persistency, move the updated files in /etc to /nsconfig.

c. Restart the appliance to put the changes into effect.

Example

To upgrade a standalone NetScaler running release to a later build by using the configuration utility

1. In a web browser, type the IP address of the NetScaler, such as http://10.102.29.50.


2. In User Name and Password, type the administrator credentials.

3. In Deployment Type, select NetScaler ADC.

4. In Start in, select Configuration, and then click Login, as shown in the following figure.

5. In the configuration utility, in the navigation pane, click System.

6. In the System Overview page, click Upgrade Wizard.

7. Follow the instructions to upgrade the software.

8. When prompted, select Reboot.

Note: After the upgrade, close all browser instances and clear your computer's cache before accessing the appliance.


Upgrading a NetScaler High Availability Pair to a Later Build

To upgrade the system software on NetScaler appliances in a high availability (HA) pair, upgrade the secondary node first, and then upgrade the primary node.

Warning: In certain cases, after you upgrade one of the nodes in an HA pair, synchronization and propagation are automatically disabled until you upgrade the other node. To determine whether synchronization and propagation are disabled, at the command line interface, type: show ha node

In the following procedure, machine A is the original primary and machine B is the original secondary node, and <targetbuildnumber> is the build number that you are upgrading to within the release.

To upgrade a NetScaler high availability pair to a later build by using the command line interface

On machine B (original secondary node)

1. Follow the procedure for upgrading a standalone node as described in "Upgrading a Standalone NetScaler Appliance to a Later Build". The procedure includes optional steps to avoid losing any updates that are pushed to the /etc directory during the upgrade.

2. After the NetScaler restarts, log on by using the administrator credentials and enter the show ha node command to verify that the appliance is a secondary node.

3. Test the new build by entering the force failover command on the secondary node (machine B). At the command prompt type force failover.

When you do so, machine B becomes the primary node. If machine B does not function as expected, enter the force failover command on the new primary node (machine B) forcing it to again become the secondary node, and contact Citrix Customer Service before proceeding.

4. Enter the show ha node command to verify that machine B is the new primary node.

On machine A (original primary node)

5. Follow the procedure for upgrading a standalone node as described in "Upgrading a Standalone NetScaler Appliance to a Later Build." The procedure includes optional steps to avoid losing any updates that are pushed to the /etc directory during the upgrade.

6. After the appliance restarts, log on by using the administrator credentials and enter the show ha node command to verify that the appliance is a secondary node and that synchronization and propagation are enabled.

Optionally, enter the show ns runningconfig command on both the nodes and compare the result to verify that the configuration of machine A has been synchronized with that of machine B.

On machine B (new primary node)

7. Enter the save ns config command to save the current configuration.

On machine A and machine B

8. After successfully upgrading both the nodes, run the show ha node command to verify that synchronization and propagation are enabled.

Example

show ha node
        Node ID:      0
        IP:   10.0.4.2
        Node State: UP
        Master State: Primary
        ...
        ...
        INC State: DISABLED
        Sync State: ENABLED
        Propagation: ENABLED
        Enabled Interfaces : 1/1
        Disabled Interfaces : None
        HA MON ON Interfaces : 1/1
        ...
        ...
        Local node information
        Critical Interfaces: 1/1
Done

Show ha node
        Node ID:      0
        IP:   10.0.4.11
        Node State: UP
        Master State: Secondary
        ...
        ...
        INC State: DISABLED
        Sync State: SUCCESS
        Propagation: ENABLED
        Enabled Interfaces : 1/1
        Disabled Interfaces : None
        HA MON ON Interfaces : 1/1
        ...
        ...
        Local node information:
        Critical Interfaces: 1/1
Done

Machine B (original secondary node) is now the primary node and machine A (original primary node) is now the secondary node.
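The verification in step 8 can be scripted. The following Python sketch is an added example, not part of the Cisco/Citrix guide: it parses saved show ha node output from both nodes and reports any field that does not match the post-upgrade state shown in the example. The sample outputs are constructed from that example; that Node ID 0 is the local node, that ENABLED and SUCCESS are the healthy Sync State values, and the AUTO DISABLED wording of the mid-upgrade case are assumptions.

```python
import re

# Constructed sample output, modelled on the example above (elided lines left out).
SAMPLE = """\
show ha node
        Node ID:      0
        IP:   {ip}
        Node State: UP
        Master State: {role}
        INC State: DISABLED
        Sync State: {sync}
        Propagation: {prop}
        Enabled Interfaces : 1/1
        Disabled Interfaces : None
        HA MON ON Interfaces : 1/1
        Local node information:
        Critical Interfaces: 1/1
Done
"""
NODE_B = SAMPLE.format(ip="10.0.4.2", role="Primary", sync="ENABLED", prop="ENABLED")
NODE_A = SAMPLE.format(ip="10.0.4.11", role="Secondary", sync="SUCCESS", prop="ENABLED")
# Constructed failure case: only one node upgraded so far (state wording is an assumption).
NODE_A_MID_UPGRADE = SAMPLE.format(ip="10.0.4.11", role="Secondary",
                                   sync="AUTO DISABLED", prop="AUTO DISABLED")

# "Key: value" lines; a key with nothing after the colon is a section title, not a field.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\S.*?)\s*$")

# Assumption taken from the example: both values indicate working synchronization.
HEALTHY_SYNC = {"ENABLED", "SUCCESS"}


def parse_local_node(text):
    """Return the fields of the 'Node ID: 0' block (assumed to be the local node)."""
    blocks = []
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        if key == "Node ID":
            blocks.append({})          # every node block starts with its Node ID
        if blocks:
            blocks[-1][key] = value
    for block in blocks:
        if block.get("Node ID") == "0":
            return block
    raise ValueError("no 'Node ID: 0' block found in show ha node output")


def check_node(fields, expected_role):
    """List every field that differs from the expected post-upgrade state."""
    expected = (
        ("Node State", {"UP"}),
        ("Master State", {expected_role}),
        ("Sync State", HEALTHY_SYNC),
        ("Propagation", {"ENABLED"}),
    )
    return [f"{name}={fields.get(name)}"
            for name, allowed in expected if fields.get(name) not in allowed]


def check_pair(output_a, output_b):
    """After the upgrade, machine A must be Secondary and machine B Primary."""
    return {
        "A": check_node(parse_local_node(output_a), "Secondary"),
        "B": check_node(parse_local_node(output_b), "Primary"),
    }


if __name__ == "__main__":
    print("after upgrade:", check_pair(NODE_A, NODE_B))
    print("mid upgrade:  ", check_pair(NODE_A_MID_UPGRADE, NODE_B))
```

An empty list for both machines means the pair is in the state the procedure expects; any entry names the field to investigate before saving the configuration.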

Downgrading to an Earlier Build within Release

You can downgrade from a later build to an earlier build on a standalone NetScaler or a high availability pair. This procedure must be performed by using the command line interface.

Warning: Loss in configuration may occur when downgrading. You should compare the configurations before and after the downgrade, and then manually re-add any missing entries.

Downgrading a Standalone NetScaler to an Earlier Build

In the procedure below, <targetbuildnumber> is the build number that you are downgrading to within the same release.

To downgrade a standalone NetScaler to an earlier build

1. Use an SSH client, such as PuTTY, to open an SSH connection to the appliance.

2. Log on to the NetScaler by using the administrator credentials. Save the running configuration. At the prompt, type:

save ns config

Caution: If ns.conf.NS-<targetbuildnumber> does not exist, loss in configuration may occur when downgrading to an earlier build. The errors and warnings appear only on the console. Please watch the console closely for these errors and warnings. After the appliance restarts, compare the saved configuration with the running configuration, and make any adjustments for features and entities configured before the downgrade. Save the running configuration after making the changes.

3. Change directory to /var/nsinstall/nsinstall.

4. Change directory to build_<targetbuildnumber>, or create one if it does not exist.

5. Download or copy the installation package (build-) to this directory and extract the contents of the installation package.

6. Run the installns script to install the old version of the system software.

The script updates the /etc directory.

7. When prompted, restart the NetScaler.

Example

Downgrading a NetScaler High Availability Pair to an Earlier Build

To downgrade the system software on NetScaler units in a high availability pair, you need to downgrade the software first on the secondary node and then on the primary node.

Setting Up vPath on the NetScaler 1000V VPX

After installing the NetScaler 1000V virtual appliance, you must set it up to communicate with the servers.

In a NetScaler 1000V deployment, the virtual appliance communicates with servers through the Virtual Ethernet Modules (VEMs). A VEM can only interpret packets that are encapsulated with vPath service intelligence. Therefore, you must set up the virtual appliance to apply vPath encapsulation to all packets that are being sent to the server.

vPath uses overlay tunnels to steer traffic to a VSN (for example, a NetScaler virtual appliance), which can be either Layer 2 or Layer 3 adjacent. For detailed information on vPath, see "Cisco vPath and vServices Reference Guide for VMware vSphere."

Figure 1-7. NetScaler 1000V with Nexus 1000V

How vPath Works

The NetScaler 1000V virtual appliance encapsulates the packets it receives with a vPath header so that the vPath module can interpret the packets and forward them to the server.

Figure 1-8. Packet Flow Using vPath

The above figure illustrates the flow of traffic using vPath:

1. Client sends request to the NetScaler virtual appliance.

2. The NetScaler virtual appliance encapsulates the client request with a vPath header and sends the updated packet to the server that is selected by the load balancing algorithm.

3. The VEM (in which the vPath module is embedded) intercepts and decapsulates the packet and forwards it to the server.

4. Server responds with the required information.

5. The VEM encapsulates the server response with a vPath header and forwards the packet to the NetScaler virtual appliance.

6. The NetScaler virtual appliance decapsulates the packet and sends the response to the client.

Step 1: Configuring vPath on a NetScaler

All data transmitted between the NetScaler 1000V virtual appliance and the server is vPath encapsulated. By default, vPath is disabled on the NetScaler 1000V virtual appliance. Therefore, to configure vPath on a NetScaler, you must first enable vPath, and then configure a SNIP address as the source of the vPath packet when the packet is forwarded to the switch.

If, in the return flow, the vPath packet is received at an IP address other than the specified SNIP address, the appliance drops the packet.

To configure vPath on a NetScaler by using the command line interface

At the command prompt, do the following:

1. Enable vPath on the NetScaler 1000V virtual appliance.

enable ns feature vPath

2. Specify the SNIP address to be used as the source IP address of the vPath packet. You can also specify whether the NetScaler must offload to the VEM the sessions for which it has no matching configuration and in which it is therefore not interested.

set vPathParam -srcIP <ip_addr> -offload <ENABLED | DISABLED>

Note:

• When the offload parameter is enabled, the NetScaler adds an extra 24 bytes to the vPath header.

• By default, the NetScaler IP (NSIP) address is configured as the vPath source IP address. However, the show vPathParam command shows the source IP address as 0.0.0.0.

3. If you have a server that is not configured as a service on the NetScaler, you must explicitly enable vPath encapsulation as follows:

add vpath <name> (<destIP> [<netmask>] [<gateway>]) -encapMode L3

4. Save the configurations.

save ns config

To configure vPath on a NetScaler by using the graphical user interface

1. Navigate to Configuration > System > Settings.

2. In the details pane, under Modes and Features, click Configure advanced features and select the vPath checkbox.

3. Navigate to Configuration > System > Network.

4. In the details pane, under Settings, click Configure VPath Parameters and select the appropriate SNIP address as the source address.

5. To enable vPath encapsulation on a server that is not configured on the NetScaler, navigate to Configuration > System > Network > vPath.

6. In the details pane, click Add and provide the required details.

Step 2: Configuring Load Balancing of Backend Servers

When deployed in front of application servers, NetScaler 1000V ensures optimal distribution of traffic by the way in which it directs client requests. Administrators can segment application traffic according to information in the body of an HTTP or TCP request, and on the basis of L4-L7 header information such as URL, application data type, or cookie.

Numerous load balancing algorithms and extensive server health checks improve application availability by ensuring that client requests are directed to the appropriate servers.

To configure load balancing of servers, do the following:

1. Enable the load balancing feature and the use source IP (USIP) mode of the NetScaler.

Navigate to Configuration > System > Settings and under Modes and Features do the following:

a. Click Configure basic features and select the Load Balancing checkbox.

b. Click Configure modes and select the Use Source IP checkbox.

Note: With vPath integration, Source NAT is not required and server return traffic is redirected to NetScaler 1000V by vPath service attached to the server VM port. The original source IP is preserved for all connections.

2. Add the required servers as services on the NetScaler 1000V.

Navigate to Configuration > Traffic Management > Load Balancing > Services, click Add and configure the details (IP address, port, protocol) of each of the servers as services on the NetScaler 1000V.

Note: NetScaler 1000V is tightly integrated with the Nexus 1000V vPath architecture, and will not work without a vPath port-profile attached to the servers. Therefore, until the port profile configuration (provided in step 3) is done, the service state may appear as Down.

3. Create a virtual server that will bind these services to the virtual server IP address.

Navigate to Configuration > Traffic Management > Load Balancing > Virtual Servers, click Add and configure the name, virtual IP address (VIP), protocol, load balancing method, and the services to be bound to the virtual server.

4. Save the configurations.

Click Save in the upper right hand corner of the interface.

Step 3: Binding Backend Servers to a Port Profile

After performing the vPath configurations on the NetScaler and then configuring the load balancing virtual server, you must define the NetScaler as a Virtual Service Node (VSN) and associate it with a port profile. The port profile, which is defined on the Virtual Supervisor Module (VSM), specifies that all traffic reaching the virtual port of the server must be redirected to the NetScaler virtual appliance. On the vCenter Server, you must then bind the port profile to the virtual port that is associated with the virtual machine.

Note: Every virtual NIC of a virtual machine has a corresponding virtual port on the Nexus 1000V virtual switch. Each virtual port must be associated with a port profile that specifies the properties of the device.

To bind backend servers to a port profile

On the Nexus 1000V Virtual Supervisor Module (VSM), do the following:

1. Configure the NetScaler virtual appliance as a VSN.

Example: Create a VSN named "NS1" for a NetScaler with IP address 10.102.38.220.

# vservice node NS1 type adc
  ip address 10.102.38.220
  adjacency l3
  fail-mode open

2. Create a port profile for the NetScaler virtual appliance.

Example: Create a port profile named "LB-ON-L3" to be used for the NetScaler services.

# port-profile type vethernet LB-ON-L3
  vmware port-group
  switchport mode access
  switchport access vlan 1
  vservice node NS1
  no shutdown
  system vlan 1
  state enabled

3. On the vCenter Server, bind the port profile to the virtual machine as shown in the following image:

Note: Repeat this step to bind the required servers to the port profile.

Behavioral Aspects of NetScaler with vPath

Some points to note in a NetScaler 1000V deployment with vPath configured:

• The maximum value for the Maximum Segment Size (MSS) of the default TCP profile (nstcp_default_profile) is 1380.

• The MSS used by services and virtual servers is determined as follows:

    • A service uses the MSS configured for the default TCP profile (nstcp_default_profile) regardless of the MSS of the TCP profile that is bound to the service.

    • A virtual server uses the MSS that is the lower of the MSS defined for the default TCP profile (nstcp_default_profile) and the TCP profile that is bound to the virtual server.

• The NetScaler supports pre-fragmentation of vPath encapsulated packets. Even packets with the Do not Fragment (DF) bit set are pre-fragmented.

• When encapsulating a full-size packet with vPath information, if the packet exceeds the MTU and the icmpErrGenerate parameter is set to ENABLED, the NetScaler generates an ICMP (Type 3, code 4) fragmentation needed error message.

NetScaler Features not Supported on the NetScaler 1000V Virtual Appliance

The following NetScaler features are not supported on NetScaler 1000V hosted on a Nexus 1010/1110, VMware ESX appliance, or Linux-KVM platform:

• NetScaler Gateway

• CloudBridge Connector

• AppFlow for ICA

    This is not listed as a feature and is disabled in the license. You can verify this by running the sh license command on the NetScaler 1000V command-line interface.

• Call Home

• Interface parameter configurations, such as speed, duplex, and auto-negotiation.

• Interface events, such as link UP and DOWN, because the hypervisor host does not report these events to NetScaler 1000V.

• L2 mode is not supported on the VMware, Nexus, ESX, and Linux-KVM platforms.

• Because interface events are not reported, the following features are not supported:

    • Static link aggregation

    • Dynamic route advertisement for connected networks

    • Monitored static routes

    • Avoiding split brains in a high availability (HA) setup

    • Partial failure detection in an HA setup

In addition, some features are not supported in specific operational modes, others are not supported when vPath encapsulation is used, and others require that vPath be explicitly enabled.

On a Nexus 1010/1110 appliance, the following NetScaler features are not supported on shared interfaces:

• VLAN Tagging

• LACP

On a VMware ESX appliance, the following NetScaler feature is not supported:

• LACP

A NetScaler VPX setup on the NS 1000V-KVM platform has the following limitations:

• VLAN tagging is not supported on NetScaler VPX operating in MacVTap-Bridge, MacVTap-Private, MacVTap-VEPA, or MacVTap-Passthrough interface mode.

• LACP is not supported on NetScaler VPX operating in Bridge, MacVTap-Bridge, MacVTap-Private, or MacVTap-VEPA interface mode.

• Live Migration of the NetScaler VPX running on KVM is not supported.

• When a VLAN tagged packet destined for a guest VM is received on an Intel IXGBE 10G interface of a KVM host running on Red Hat Enterprise Linux (RHEL) 6.4, the IXGBE driver of this distribution strips the VLAN tag before sending it to the guest VM (in this case, NetScaler VPX). Because of this host behavior, a NetScaler VPX instance running on RHEL 6.4 does not receive the intended VLAN tagged packets.

The following NetScaler features are not supported when using vPath encapsulation:

• Application Layer Gateways (ALGs)

    • Active FTP

    • RTSP

    • TFTP

    • SIP

The following NetScaler features are supported only when vPath encapsulation is enabled by executing the add vpath -destIP <ip_addr> command:

• Audit logging (AAA)

• Web logging

• AppFlow

Configuring a NetScaler 1000V Virtual Appliance

The NetScaler 1000V installation procedures include basic configuration. After installation, you are ready to configure the virtual appliance for your intended use. For example:

• To configure your appliance as a traffic manager, see the Citrix NetScaler Traffic Management Guide.

• To configure your appliance for optimization, see the Citrix NetScaler Optimization Guide.

• To configure your appliance for data security, see the Citrix NetScaler Security Guide.

The guides are available at http://www.cisco.com/en/US/products/ps13296/tsd_products_support_series_home.html.

Note: As described in "NetScaler Features not Supported on the NetScaler 1000V Virtual Appliance", the NetScaler 1000V virtual appliance does not support all NetScaler features.

NetScaler 1000V FAQs

General

How can I find out the number of packet engines running on a NetScaler 1000V virtual appliance?

At the NetScaler command prompt, type:

stat cpu

The command returns the number of CPUs (packet engines) running on the NetScaler virtual appliance.

Do interfaces on a NetScaler 1000V virtual appliance receive the link events?

No. Any change in the operational or administrative state of a physical interface is not communicated to a NetScaler 1000V virtual appliance.

What interface parameter configurations are blocked on a NetScaler 1000V virtual appliance?

Interface parameters such as speed, duplex, and flow control cannot be set on a NetScaler 1000V virtual appliance.

What is the command for reversing the ACTIVE/STANDBY roles of a high availability pair of NetScaler 1000V virtual appliances?

At the NetScaler 1000V command prompt, type:

force failover

How can we access the NetScaler 1000V configuration utility (GUI)?

To access NetScaler 1000V GUI, type the NetScaler IP (NSIP) address of NetScaler 1000V (http://<NSIP address>) in the address field of any browser.

Can two NetScaler 1000V virtual appliances installed on the same Nexus 1010/1110 appliance or on the same VMware ESX appliance be configured in a high availability setup?

Yes, but it is not recommended. A hardware failure would affect both NetScaler 1000V virtual appliances.

NetScaler 1000V installed on Cisco Nexus 1010/1110

Which NetScaler VSB interface is the management interface?

The management interface of a NetScaler VSB is ns_intf_0. This interface must be mapped to the Nexus 1010/1110 management-uplink interface.

What is the purpose of the "internal" interface in a NetScaler VSB?

The Nexus operating system and NetScaler VSB exchange heartbeat messages through the internal interface.

How can I map a NetScaler interface (logical) to a Nexus Ethernet interface (physical)?

On the NetScaler VSB, 0/x are management interfaces and 1/x are data interfaces. A 1/x interface is represented internally as ns_intf_x. For example, to map NetScaler logical interface ns_intf_1 to the Nexus physical interface Ethernet2, at the Nexus prompt, type:

switch(config)# interface ns_intf_1 uplink Ethernet2

To verify the interface mapping, at the Nexus prompt, type:

sh virtual-service-blade

Example

NEXUS-03# sh virtual-service-blade name vpx_ip6
virtual-service-blade vpx_ip6
  Description:
  ……
  Legends:        P -  Passthrough
  --------------------------------------------------------------------------
  Interface         Type        MAC              VLAN   State       Uplink-Int
                                                        Pri   Sec   Oper   Adm
  --------------------------------------------------------------------------
  VsbEthernet1/1    ns_intf_0   0002.3d70.e102   1      up    up    Eth1   Eth1
  internal          NA          NA               NA     up    up
  VsbEthernet1/3    ns_intf_1   0002.3d70.e103   1      up    up    Eth6   Eth6
  VsbEthernet1/4    ns_intf_2   0002.3d70.e104   1      up    up    Eth2   Eth2
  VsbEthernet1/5    ns_intf_3   0002.3d70.e105   1      up    up    Eth3   Eth3
  VsbEthernet1/6    ns_intf_4   0002.3d70.e106   1      up    up    Eth5   Eth5
  VsbEthernet1/7    ns_intf_5   0002.3d70.e107   1      up    up    Eth4   Eth4
  VsbEthernet1/8    ns_intf_6   0002.3d70.e108   1      up    up    Eth4   Eth4
  VsbEthernet1/9    ns_intf_7   0002.3d70.e109   1      up    up    Eth4   Eth4
  HA Role: Primary
  …
  …

Map the logical and physical interfaces from the above table as follows:

NetScaler Interface   NetScaler representation of a logical interface (as seen in Nexus)   Nexus Ethernet Interface
0/1                   ns_intf_0                                                            Eth1
0/2                   internal
1/1                   ns_intf_1                                                            Eth6
1/2                   ns_intf_2                                                            Eth2
1/3                   ns_intf_3                                                            Eth3
1/4                   ns_intf_4                                                            Eth5
1/5                   ns_intf_5                                                            Eth4
1/6                   ns_intf_6                                                            Eth4
1/7                   ns_intf_7                                                            Eth4
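The mapping in the table can be derived from the command output instead of being read off by hand. The following Python sketch is an added example, not part of the Cisco/Citrix guide: it parses the interface rows of sh virtual-service-blade output, applies the naming rule given above (ns_intf_0 is 0/1, ns_intf_x is 1/x), and lists uplinks that carry more than one logical interface as well as rows that are not fully up. The sample rows are constructed from the example output; reading the two header rows as State = Pri/Sec and Uplink-Int = Oper/Adm is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: header and interface rows of the example output above.
VSB_OUTPUT = """\
Interface         Type        MAC              VLAN   State       Uplink-Int
                                                      Pri   Sec   Oper   Adm
VsbEthernet1/1    ns_intf_0   0002.3d70.e102   1      up    up    Eth1   Eth1
internal          NA          NA               NA     up    up
VsbEthernet1/3    ns_intf_1   0002.3d70.e103   1      up    up    Eth6   Eth6
VsbEthernet1/4    ns_intf_2   0002.3d70.e104   1      up    up    Eth2   Eth2
VsbEthernet1/5    ns_intf_3   0002.3d70.e105   1      up    up    Eth3   Eth3
VsbEthernet1/6    ns_intf_4   0002.3d70.e106   1      up    up    Eth5   Eth5
VsbEthernet1/7    ns_intf_5   0002.3d70.e107   1      up    up    Eth4   Eth4
VsbEthernet1/8    ns_intf_6   0002.3d70.e108   1      up    up    Eth4   Eth4
VsbEthernet1/9    ns_intf_7   0002.3d70.e109   1      up    up    Eth4   Eth4
"""


def netscaler_name(index):
    """ns_intf_0 is management interface 0/1; ns_intf_x (x >= 1) is data interface 1/x."""
    return "0/1" if index == 0 else f"1/{index}"


def parse_vsb_interfaces(text):
    """Return one dict per ns_intf_N row; headers, separators and 'internal' are skipped."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8 or not re.fullmatch(r"ns_intf_\d+", cols[1]):
            continue
        index = int(cols[1].rsplit("_", 1)[1])
        rows.append({
            "vsb_port": cols[0],
            "logical": cols[1],
            "netscaler": netscaler_name(index),
            "mac": cols[2],
            "vlan": cols[3],
            # Assumed column reading: State = Pri/Sec, Uplink-Int = Oper/Adm.
            "state_pri": cols[4],
            "state_sec": cols[5],
            "uplink_oper": cols[6],
            "uplink_adm": cols[7],
        })
    return rows


def interface_map(rows):
    """NetScaler interface name -> Nexus Ethernet interface currently in use."""
    return {row["netscaler"]: row["uplink_oper"] for row in rows}


def shared_uplinks(rows):
    """Uplinks that carry more than one NetScaler logical interface."""
    by_uplink = defaultdict(list)
    for row in rows:
        by_uplink[row["uplink_oper"]].append(row["netscaler"])
    return {uplink: names for uplink, names in by_uplink.items() if len(names) > 1}


def needs_attention(rows):
    """Interfaces whose state is not 'up' or whose operational uplink differs from the configured one."""
    return [row["netscaler"] for row in rows
            if row["state_pri"] != "up" or row["state_sec"] != "up"
            or row["uplink_oper"] != row["uplink_adm"]]


if __name__ == "__main__":
    parsed = parse_vsb_interfaces(VSB_OUTPUT)
    for name, uplink in interface_map(parsed).items():
        print(f"{name:4} -> {uplink}")
    print("uplinks carrying several interfaces:", shared_uplinks(parsed))
    print("rows needing attention:", needs_attention(parsed))
```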

What is the output of the sh virtual-service-blade command for a NetScaler VSB that has failed and dumped core?

If a NetScaler VSB fails and dumps core, it does not send heartbeat signals to the Nexus operating system, and the status of the NetScaler VSB is shown as POWERED OFF.

NetScaler 1000V installed on VMware ESX 5.0/5.1

What VMware versions does NetScaler 1000V support?

NetScaler 1000V supports VMware ESX 5.0 and 5.1, and VMware ESXi 5.0 and 5.1.

For VMware, how many virtual network interfaces can you allocate to a NetScaler 1000V virtual appliance?

You can allocate up to 10 virtual network interfaces to a NetScaler 1000V virtual appliance.

From vSphere, how can we access the NetScaler 1000V command line?

The VMware vSphere client provides built-in access to the NetScaler 1000V command line through a console tab. Additionally, you can use any SSH client to access the command line. In an SSH client, use the NSIP address of the NetScaler 1000V.

Troubleshooting a NetScaler 1000V installed on a Nexus 1010/1110 appliance

If your NetScaler 1000V virtual appliance installed on a Nexus 1010/1110 does not work as expected, check the following list for a possible solution.

The throughput of a logical interface of the NetScaler VSB is less than the throughput of a physical Ethernet interface on the Nexus 1010/1110 appliance.

1. Identify the logical interface on the NetScaler VSB and the mapped physical Ethernet interface on the Nexus 1010/1110.

2. Verify that the Ethernet interface is configured in pass-through mode. Citrix recommends pass-through mode for data ports. Shared mode can be used only for the management port.

The NetScaler VSB is not accessible through its NetScaler IP (NSIP) address.

1. Log on to Nexus 1010/1110 management IP address. This is the console for the VSBs.

2. At the Nexus prompt, type:

sh virtual-service-blade

All the VSBs provisioned on Nexus 1010/1110 are displayed.

3. Identify the NetScaler VSB by its name and check its power status. If the VSB is powered off, perform power on. If the VSB is powered on, log on to NetScaler VSB as an administrator from the Nexus console, and diagnose.

4. Map the 0/1 interface on NetScaler VSB to the Ethernet interface on the Nexus 1010/1110.

5. Check to see if the Ethernet interface link is UP.

6. Check the configuration elements, such as VLAN, of the Ethernet interface.

The NetScaler VSB does not have the number of packet engines indicated by the license.

1. Log on to the Nexus 1100 management IP address. This is the console for NetScaler VSBs.

2. At the Nexus prompt, type:

sh virtual-service-blade

3. Identify the number of vCPUs allocated to the NetScaler VSB.

4. Check the RAM size.

5. Verify that the vCPUs and RAM are allocated according to the license installed on the NetScaler VSB.

6. If the number of vCPUs or RAM allocated to the NetScaler VSB is less than indicated by the license, power off the VSB, change the number of vCPUs and the size of the RAM, and then power on the VSB.

Traffic is not passing through a NetScaler VSB interface, or excessive transmission overflow (nic_err_tx_overflow) is occurring on the interface, or the interface is dropping too many (nic_err_tx_dropped) transmissions.

1. Map the logical interface to the physical Ethernet interface on the Nexus 1010/1110.

2. Check to see if the Ethernet interface link is UP.

3. Check the configuration elements, such as VLAN, of the Ethernet interface.

4. If the Ethernet interface is shared, check from other VSBs sharing it, to see if it is working for those VSBs.

LACP is not working in a NetScaler VSB.

LACP works only in pass-through interface mode.

1. Map the logical interface to the physical Ethernet interface on the Nexus 1010/1110.

2. Verify that the interface is configured in pass-through mode.
