Admin Partitions vs SDX
- Admin partitions are a way
of carving up a NetScaler at the application-configuration and
administrative layer. The physical resources (CPU, memory, disk, NICs) and
the underlying OS/firmware are shared across all partitions, but the
application configuration is separated and the traffic flowing through each
partition can use its own VLANs. This lets an organisation run multiple
sets of NetScaler configuration on the same physical or virtual appliance.
Licensing is performed on the 'default' partition and the available
features are inherited by all of the 'sub' partitions. Because the OS,
kernel and firmware are shared, a NetScaler firmware upgrade affects ALL
partitions, and the partition boundary is an administrative and
configuration boundary rather than the OS-level isolation you would get
from separate appliances. You do have some controls on resource utilisation
per partition: for example, you can limit the amount of memory used by a
single partition and you can also restrict its network bandwidth.
- The SDX platform is a
single physical appliance that provides true multi-tenancy by hosting
multiple separate virtual instances of NetScaler. The difference with SDX
is that the virtual instances are completely separated at the OS and
firmware level. Therefore, each instance can run its own version of
NetScaler firmware independently of the other instances. This is ideal if
you have a test/dev environment that differs from production. Furthermore,
the physical resources available on the appliance (CPU, memory, network
interfaces) can be dedicated to individual instances. Note that physical
disks/SSDs are shared, but there is complete isolation of data across
virtual instances. One note: it is not possible to use a standalone
NetScaler VPX licence on an SDX virtual instance. SDX virtual instances are
licensed by way of the number of instances purchased with the SDX appliance
itself. Also, an SDX licence contains all NetScaler Platinum features by
default.
Some further reading on Admin Partitions and SDX:
Admin Partitions
SDX
Admin Partition Restrictions
There are a few restrictions that you should be aware of
when using Admin partitions:
- Audit Logging - In a partitioned NetScaler, you cannot have specific log
servers for a specific partition. The servers defined in the default
partition apply across all admin partitions, so the default-partition
administrator controls where every partition's audit trail is sent.
Therefore, to view the audit logs for a specific partition, you will have
to use the "show audit messages" command. The users of an admin partition
do not have access to the shell and therefore cannot read the log files
directly.
- VRRP - On a partitioned
NetScaler appliance, Virtual Router Redundancy Protocol (VRRP) is
supported on non-shared VLANs only. This protocol is blocked on a shared
VLAN (tagged or untagged) bound to the default or any administrative
partition.
- Networking - With respect to tunnel configuration in a partition, a
partition admin cannot create IPsec tunnels or GRE tunnels with an IPsec
profile. The admin can create IPIP tunnels and GRE tunnels with 'none' as
the IPsec profile.
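As an added example that is not part of the original post: a small Python
linter over an ns.conf-style configuration that checks the points made
above about partitions (per-partition memory and bandwidth limits,
partitions bound to shared VLANs where traffic is not isolated and VRRP is
unsupported, and admin accounts bound to more than one partition). The
sample configuration is constructed for illustration, and the command
syntax (add ns partition, bind ns partition -vlan, add vlan -sharing, bind
system user -partitionName) is my assumption of the NetScaler CLI; check it
against your own ns.conf before relying on it.

```python
"""Lint an ns.conf-style NetScaler config for admin-partition hygiene.

Added example, not code from the original post. The command syntax is
ASSUMED to match the NetScaler CLI ('add ns partition', 'bind ns partition
-vlan', 'add vlan -sharing', 'bind system user -partitionName'); verify it
against a real ns.conf. The sample config below is constructed.
"""
import shlex
from collections import defaultdict

# Constructed sample: three partitions, one shared VLAN, two admin accounts.
SAMPLE_NS_CONF = """\
add vlan 10
add vlan 20 -sharing ENABLED
add ns partition tenant-a -maxBandwidth 10240 -maxMemLimit 10 -maxConn 4096
add ns partition tenant-b -maxBandwidth 10240
add ns partition tenant-c
bind ns partition tenant-a -vlan 10
bind ns partition tenant-b -vlan 20
bind ns partition tenant-c -vlan 20
add system user a-admin passw0rd
add system user shared-admin passw0rd
bind system user a-admin -partitionName tenant-a
bind system user shared-admin -partitionName tenant-b
bind system user shared-admin -partitionName tenant-c
"""


def _opts(tokens):
    """Turn ['-maxBandwidth', '10240', '-sharing', 'ENABLED'] into a dict."""
    opts = {}
    i = 0
    while i < len(tokens):
        key = tokens[i].lstrip("-")
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        if has_value:
            opts[key] = tokens[i + 1]
            i += 2
        else:
            opts[key] = True
            i += 1
    return opts


def parse(conf):
    """Collect partitions, VLAN sharing flags, partition VLANs and user bindings."""
    state = {
        "partitions": {},                    # name -> options dict
        "vlan_sharing": {},                  # vlan id -> True if -sharing ENABLED
        "partition_vlans": defaultdict(list),  # partition -> [vlan ids]
        "user_partitions": defaultdict(list),  # user -> [partition names]
    }
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[:3] == ["add", "ns", "partition"]:
            state["partitions"][tokens[3]] = _opts(tokens[4:])
        elif tokens[:3] == ["bind", "ns", "partition"]:
            o = _opts(tokens[4:])
            if "vlan" in o:
                state["partition_vlans"][tokens[3]].append(int(o["vlan"]))
        elif tokens[:2] == ["add", "vlan"]:
            o = _opts(tokens[3:])
            state["vlan_sharing"][int(tokens[2])] = str(o.get("sharing", "")).upper() == "ENABLED"
        elif tokens[:3] == ["bind", "system", "user"]:
            o = _opts(tokens[4:])
            if "partitionName" in o:
                state["user_partitions"][tokens[3]].append(o["partitionName"])
    return state


def lint(conf):
    """Return (subject, finding) tuples for weak partition configuration."""
    s = parse(conf)
    findings = []
    for name, opts in s["partitions"].items():
        # Without limits one partition can starve the shared appliance.
        for limit in ("maxMemLimit", "maxBandwidth"):
            if limit not in opts:
                findings.append((name, f"no {limit}: partition can starve the shared appliance"))
        # A shared VLAN means no VLAN-level traffic separation, and VRRP is
        # unsupported there (see the restriction above).
        for vlan in s["partition_vlans"].get(name, []):
            if s["vlan_sharing"].get(vlan):
                findings.append((name, f"bound to shared VLAN {vlan}: traffic not isolated, VRRP unsupported"))
    # One account with rights in several partitions crosses tenant boundaries.
    for user, parts in s["user_partitions"].items():
        if len(parts) > 1:
            findings.append((user, "account spans partitions " + ", ".join(parts)))
    return findings


if __name__ == "__main__":
    for subject, msg in lint(SAMPLE_NS_CONF):
        print(f"{subject}: {msg}")
```

Run it against a saved ns.conf by swapping SAMPLE_NS_CONF for the file
contents; the interesting output is the partitions that have no memory or
bandwidth limit and any partition sitting on a shared VLAN.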
NetScaler Best Practices
Here is a good document on NetScaler security best practices:
Also, as mentioned in the meeting, NetScaler MAS will assess
the configuration of your NetScaler instances and make recommendations. It's
probably best if you download and install it to have a look, because the
recommendations are based on your own specific config. To show you an example,
I have taken a screenshot of what it checks against here:
NetScaler Deployment Options
There is a lot of documentation on our main docs site (https://docs.citrix.com),
including details of the different deployment topologies we briefly discussed
in the meeting (one-armed and inline). See below:
In terms of resiliency, there are three main options. Details
below:
Global Server Load Balancing - https://docs.citrix.com/en-us/netscaler/12/global-server-load-balancing/how-gslb-works.html
VPX Resource Requirements
You also asked about resource allocations for VPX
appliances. The datasheet linked below details the required number of vCPUs
and the memory for each size of VPX:
NetScaler MAS Overview (Management and Analytics System)
NetScaler MAS (Management and Analytics System) is something
we are very keen to see our customers using. If you have more than one NetScaler,
it is well worth using MAS. It provides you with the ability to
monitor the health, performance and security of all of your apps, leverage
advanced analytics around the delivery of your apps, and manage your individual
NetScaler instances whether they sit on-prem or in the cloud.
You can use the full capabilities for free if you monitor
up to 30 vServers. Even above 30 vServers, all of the 'fleet management' type
functionality remains free. It's well worth you taking a look at to assess the
potential. It currently runs as a VM on the usual hypervisors, and we have very
recently introduced MAS as a service running in Citrix Cloud. You can sign up
for a 30-day free trial by heading to https://cloud.citrix.com
As discussed, MAS would be a great way for you to
manage your separate NetScaler appliances across diverse business units from a
single place.
If you want to download and start using the on-prem version,
head to our downloads page at https://www.citrix.com
and log in to access the installer files. Let me know if you require any help
downloading and installing MAS.
Overview of MAS features - https://docs.citrix.com/en-us/netscaler-mas/12/netscaler-mas-overview/features.html
Licensing
There are a couple of new licensing features which you may
be interested in knowing more about, as mentioned in the meeting:
Check-In/Check-Out Licensing (CICO)
This is applicable to VPX appliances only. Instead of
applying a licence to an individual VPX instance, you load the licence file
into NetScaler MAS and then use MAS as the licence server to check licences
out to (and back in from) your individual VPX instances. The advantage of
doing this is that you manage your licences from a central tool and can move
them around as required.
Pooled Capacity
This is a totally new licensing model that would replace the
perpetual licensing model you use today for your existing NetScalers. With
Pooled Capacity, you buy a pool of capacity and a pool of instances. You can
then allocate capacity to your instances as you see fit. Again, this is all
controlled from the licence server on NetScaler MAS. This model is applicable
across all NetScaler form factors: MPX, SDX and VPX.
Orchestration – VMware NSX and Cisco ACI
MAS supports integration with a number of SDN controllers.
See below for more details: