Validated Reference Design NetScaler SDX Platform - Citrix


Validated Reference Design
NetScaler SDX Platform

This guide focuses on providing guidelines to customers on NetScaler SDX Security Isolation and Feature Updates based on their use cases.

Citrix.com

NetScaler SDX Platform Update
Validated Reference Design

Contents

Section 1: Overview
  SDX Security
    Virtual Machine (VM) Isolation
    NIC Isolation
    CPU Isolation
    SSL Isolation
    Memory Isolation
    Disk Storage Isolation
  SDX Update
    Default SSL Certificate
    New SDX Platform Features
      Cluster Link Aggregation (CLAG)
      CLAG Notes
    SDX Platform Improvements
      VPX Scaling
      SNMP Standardization
      SNMP Alarm Thresholds and Timeout Options
      Multiple DNS Servers
      Optional Admin User While VPX Provisioning
      CPU Visualizer
      Clean Install for All Platforms
Section 2: NetScaler SDX
Section 3: NetScaler SDX
  Default SSL Certificate Use Case
  New Features
    Cluster Link Aggregation (CLAG) Use Case
Section 4: Configuration Example: NetScaler SDX CLAG
  NetScaler Default SSL Certificate Configuration
  Cluster Link Aggregation (CLAG) Configuration
  Configure Virtual Server (2 steps required)
  SNMP Alarm Thresholds and Timeout Options
  Multiple DNS Servers Configuration
  Optional Admin User While VPX Provisioning
  CPU Visualizer Configuration

Section 1: NetScaler SDX Overview

Citrix NetScaler is an all-in-one application delivery controller that makes applications run up to five times better, reduces application ownership costs, optimizes the user experience and ensures that applications are always available by using:

- Advanced L4-7 load balancing and traffic management
- Proven application acceleration such as HTTP compression and caching
- An integrated application firewall for application security
- Server offloading to significantly reduce costs and consolidate servers

As a 10 year Gartner leader of service and application delivery, Citrix NetScaler is deployed in thousands of networks around the world to optimize, secure and control the delivery of most common enterprise and cloud services. Deployed directly in front of web and database servers, NetScaler combines high-speed load balancing and content switching, HTTP compression, content caching, SSL acceleration, application flow visibility and a powerful application firewall into an integrated, easy-to-use platform. Meeting SLAs is greatly simplified with end-to-end monitoring that transforms network data into actionable business intelligence. NetScaler allows policies to be defined and managed using a simple declarative policy engine with no programming expertise required.

NetScaler SDX Overview

Citrix NetScaler SDX is a service delivery networking platform for enterprise and cloud datacenters. An advanced virtualized architecture supports multiple NetScaler instances on a single hardware appliance, while an advanced control plane unifies provisioning, monitoring and management to meet the most demanding multi-tenant requirements, all with the industry-leading performance of the Citrix NetScaler MPX system architecture. Full resource isolation supports guaranteed performance SLAs as well as high availability, software version control, data separation and independent policy management. NetScaler SDX provides a foundation for the consolidation of services in the enterprise, and it is also optimized to deliver cloud-based services.

NetScaler SDX provides a platform to run multiple independent instances of key services to meet the unique requirements of individual business units, critical applications and service provider clients. Enterprise and service provider clients gain dedicated control over their delivery infrastructure, including services such as load balancing, security and application acceleration. Complete isolation of per-client traffic helps satisfy security and compliance mandates and eases operational administration through version control and life-cycle management.

The NetScaler SDX platform combines the power of NetScaler MPX hardware with advanced virtualization and I/O acceleration to support aggregate performance. Each NetScaler instance can reach high speed to meet the application needs of business tenants. The virtual architecture protects system resources to optimize application delivery functionality and ensure that individual NetScaler instances do not impact the performance SLAs of any other instance.

NetScaler SDX offers flexible licensing to meet both enterprise and service provider requirements. The solution includes licenses to run five independent NetScaler instances and provides a growth path to increase the number of concurrent instances. The popular Citrix pay-as-you-grow licensing program lets customers scale solution performance to meet future business needs while protecting

Unified provisioning, monitoring and management of multiple concurrent NetScaler instances through a single control plane streamlines multi-tenant operations. Not only is each NetScaler instance managed independently, but each NetScaler can run a different software version and support independent IP addressing schemes to preserve end-to-end isolation of application traffic between different clients.

SDX Security

Virtual Machine (VM) Isolation:

SDX security starts at the hypervisor layer with virtual machine (VM) isolation. This VM isolation begins at the Virtual Machine Monitor (VMM) or Domain 0, which is known as the virtualization layer upon which virtualization architectures are built. The VMM or Domain 0 becomes the primary interface between a VM and the physical hardware. NetScaler SDX leverages Single Root I/O Virtualization (SR-IOV) technology as defined by the PCI Special Interest Group (PCI-SIG) to secure the virtual machine and provide VM isolation. SR-IOV technology significantly reduces virtualized network processing overheads, and it provides secure and predictable mechanisms for sharing I/O devices among multiple virtual machines.

Specifically, SDX utilizes the Intel implementation of SR-IOV to secure the virtual machine and provide VM isolation. Intel has worked with PCI-SIG to define the SR-IOV specification. SR-IOV provides VM isolation by providing dedicated I/O to virtual machines, bypassing the software virtual switch in the Virtual Machine Manager completely. Intel Ethernet Controllers improve data isolation among virtual machines. Virtual Functions are a significant feature of SR-IOV. These lightweight PCIe functions allow a single physical port to look like multiple ports. Virtual Functions allow multiple virtual machines to have direct assignment on the same port. This feature increases scalability of the number of virtual machines through more efficient I/O device sharing while maintaining VM isolation.

NIC Isolation:

NIC isolation on the NetScaler SDX is achieved by utilizing SR-IOV. SR-IOV allows virtualization of a NIC into multiple virtual instances and provides them to NetScaler VPX instances. These virtualized NIC instances can bypass the hypervisor and thereby improve performance. By utilizing SR-IOV, each instance achieves full network isolation for Layer 3 and above, and Layer 2 isolation by using VLAN tagging of each instance on the NetScaler SDX.

The Intel Fortville NIC implements the Virtual Functions discussed previously under virtual machine isolation. Each NIC (SDX platform dependent) has 20 Virtual Functions assigned to it. However, the Virtual Functions assigned are platform dependent. The number of Virtual Functions is set at 20 to allow for large VPX support (as much as 180 Gbps throughput per VM on the SDX 25000 series). Setting the number of Virtual Functions at 20 on the Fortville NIC has two key roles. The first is to achieve NIC isolation while allowing users to provision VPX using maximum resources from the SDX. The second is to enable hardware Receive Side Scaling (RSS) for the interfaces.

CPU Isolation:

The NetScaler SDX implements Intel Virtualization Technology for Directed I/O (VT-d) to achieve CPU isolation. Using Intel VT-d to create virtual machines, a virtual machine monitor (VMM) or hypervisor acts as a host and takes full control of the platform hardware. The VMM then presents the guest software (operating system and application software) with an abstraction of the physical machine. The VMM also retains selective control of processor resources, physical memory, interrupt management, and data I/O. This action improves reliability and security through device isolation using hardware-assisted remapping, and it improves I/O performance and availability by direct assignment of devices.

Additionally, VT-d restricts direct memory access (DMA) to pre-assigned domains or physical memory regions. This is achieved through DMA remapping. VT-d DMA-remapping logic in the chipset resides between the DMA-capable peripheral I/O devices and the computer's physical memory, and it is programmed by the computer system software. In a virtualization environment, that system software is the VMM. In a native environment where there is no virtualization software, the system software is the native operating system. DMA remapping translates the address of incoming DMA requests to the correct physical memory address and performs checks for permission to access the physical address.

VT-d also enables the system software to create multiple protection domains. Each protection domain is an isolated environment containing a subset of the host physical memory. Depending on the software usage model, the DMA protection domain may represent memory allocated to the virtual machine (VM), or the DMA memory allocated by a guest operating system driver running in a VM, or as part of the VMM itself. The VT-d architecture enables the system software to assign one or more I/O devices to a protection domain. As a result, DMA isolation is achieved by restricting access to the protection domain's physical memory from I/O devices not assigned to it (using address-translation tables). This provides the necessary isolation to assure separation between each virtual machine's computer resources.

SSL Isolation:

The NetScaler SDX also leverages SR-IOV support to achieve SSL isolation. This document addresses SSL isolation in terms of the type of chipset. Since the Cavium Nitrox N2 chipset does not have SR-IOV pass-through support, it is beyond the scope of this document and will not be addressed.

The Cavium Nitrox N3 SSL chipset uses SR-IOV pass-through support to achieve isolation. Each Nitrox N3 chip has 56 SSL cores. The number of chips per SDX is platform dependent. There are eight (8) virtual functions (VF) per chip, and each virtual function is assigned seven (7) SSL cores. By controlling the assignment of the virtual functions in this manner, SSL isolation is achieved.

The Intel Coleto Creek SSL chipset uses SR-IOV pass-through support to achieve isolation as well. However, the Intel Coleto Creek chipset does not have cores; rather, it has crypto engines. As a result, allocation of SSL is done using Crypto Capacity Management. With the Coleto Creek chipset, there are 32 virtual functions (VF) assigned per chip.

As stated previously, allocation of SSL is accomplished using Crypto Capacity Management. Crypto Capacity Management uses Asymmetric Crypto Units (ACU) and Symmetric Crypto Units (SCU) to allocate SSL capacity. An ACU equals one (1) operation per second (ops) of a specified algorithm: RSA 2K (2048-bit key size) decryption. An SCU equals 1 Mbps for a specified operation type (cipher plus authentication) and algorithm (AES-128-CBC with SHA256-HMAC) with a 1024-byte buffer size.

Crypto Capacity Management uses Crypto Virtual Interfaces to represent basic access to the SSL hardware. When these Crypto Virtual Interfaces are exhausted, the SSL hardware cannot be further assigned to NetScaler VPX instances. These Crypto Virtual Interfaces are also known as virtual functions, and there are 32 available per chip. They are a read-only entity, and they are automatically allocated by the NetScaler SDX appliance. In this manner, SSL isolation is achieved on the Coleto Creek SSL chipset.

Memory Isolation:

Memory isolation equates to virtualizing the memory and keeping track of it. Memory isolation starts in real hardware with actual hardware memory. This memory is also known as the physical memory, and it is divided into 4k blocks called physical frames. Those physical frames are addressed by their physical frame number (pfn). Physical frame numbers usually start at 0 and are contiguous (x86 computers). On x86 computers, a description of which physical frame numbers are available for use by memory is in the E820 map, and it is provided by the BIOS to operating systems at boot.

When virtualizing, operators must provide the guest with a virtual "physical memory address space." The virtual "physical address space" is described in the E820 map provided to the guest. These spaces are called guest physical frame numbers (gpfns). The real hardware backing this guest virtual physical memory address space is known as machine frames (mfns). Every guest physical frame number has a machine frame number behind it backing it up. As a result, actual hardware memory is virtualized.

Next, guest-to-machine memory translation occurs. Guest physical frame numbers have to start at 0 and be contiguous, but the machine frames which back them can come from anywhere in memory. Therefore, a record must be kept to match the guest physical frame numbers to the machine frames. For this reason, every virtual machine has a physical-to-machine translation table (p2m table) to map guest physical frame number space to machine frame number space. Each guest physical frame number will have an entry in the table, and every usable bit of RAM will have a machine frame number behind it to back it up. This process is done by the domain builder in domain 0.

After guest-to-machine memory translation occurs, memory is allocated. The guest driver will ask the host to allocate a free page of memory. After allocating a page, the guest driver will put the page on its list of pages and find a guest physical frame number for that page. The guest driver will choose one memory page on its list that it has allocated and ask the host to put some memory behind the guest physical frame number. If the host determines that the guest is allowed to increase its memory, the host will allocate a machine frame number and put it in the physical-to-machine translation table behind that guest physical frame number.

After memory has been allocated, memory must be released when it is no longer being used. However, there must be a process for memory release. The guest driver will ask the guest operating system (OS) for a free page of memory that it can return to the host. After allocating a page, the guest driver will put it on its list of pages and find the guest physical frame number for that page. The guest driver then tells the host it can take the memory behind the guest physical frame number back. The host will replace the machine frame number in that guest physical frame number space with "invalid entry" and put the machine frame number on its own free list. Now, that free memory is potentially available for use by another virtual machine. If the guest were to attempt to read or write this memory now, it would crash; however, it will not, because the guest OS thinks the page is in use by the memory driver. The memory driver will not touch the memory and the OS will not use it for anything else. Therefore, memory isolation is achieved.

Disk Storage Isolation:

Disk storage volumes or partitions are created for each virtual machine (VM) or VPX. In the NetScaler SDX, each VPX/VM gets approximately 20GB of storage, but this amount can vary depending on the amount of RAM. The SDX and the XenServer ecosystem use an underlying Logical Volume Manager (LVM) technology to manage the storage volumes or partitions that are created for each VPX/VM. The LVM is used to configure mirroring and striping of the logical volumes to provide data redundancy and increase I/O performance. File systems are created on logical volumes, and logical volume devices are mounted the same way that these operations are performed on a physical volume. Additionally, the LVM is non-disruptive and transparent to users. However, the LVM will not allow one VPX/VM to write into the storage file system of another VPX/VM. This is how the NetScaler SDX achieves disk storage isolation.

SDX Update

Default SSL Certificate

Previous to this change, the default SSL certificate on the Service Virtual Machine (SVM) of the NetScaler SDX was set as a 1024-bit key certificate. The purpose of this change is to increase the size of the default SSL certificate on the SVM to a 2048-bit key certificate. The user must delete the existing default SSL certificate and restart the SVM in order to have this change take effect. The user must delete the existing default certificate and key from /var/mps/ssl certs and /var/mps/ssl keys respectively.
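The p2m bookkeeping described under Memory Isolation above (contiguous gpfn space per guest, a machine frame behind each populated gpfn, an "invalid entry" written on release, and the freed mfn returned to the host where it may later back another guest) can be followed in a small model. The following Python is an added example written for this guide; it is not Citrix, Xen or XenServer code, and the host size, guest names and frame counts are constructed. The isolation_holds check at the end is the property the text argues for: no machine frame is mapped into two guests' tables at the same time.

```python
"""Toy model of the p2m bookkeeping described under "Memory Isolation".

Each guest sees a contiguous guest-physical frame space starting at 0; every
gpfn that is in use is backed by a machine frame (mfn) from the host's free
list. Releasing a page writes an invalid entry into the guest's p2m table and
returns the mfn to the host, where it may later back a different guest.
Added example for this guide; it is not Citrix, Xen or XenServer code, and the
frame counts and guest names below are constructed.
"""
from typing import Dict, List, Optional

INVALID_ENTRY = None  # what the host writes into a p2m slot once the mfn is reclaimed


class Host:
    """Domain 0 side: owns the pool of machine frames and knows who holds each one."""

    def __init__(self, total_frames: int) -> None:
        self.free_mfns: List[int] = list(range(total_frames))  # constructed machine
        self.owner: Dict[int, str] = {}  # mfn -> name of the guest holding it

    def allocate_mfn(self, guest_name: str) -> int:
        if not self.free_mfns:
            raise MemoryError("host has no free machine frames")
        mfn = self.free_mfns.pop()
        self.owner[mfn] = guest_name
        return mfn

    def release_mfn(self, guest_name: str, mfn: int) -> None:
        # A guest may only hand back frames that are actually mapped to it.
        if self.owner.get(mfn) != guest_name:
            raise PermissionError(f"{guest_name} does not own mfn {mfn}")
        del self.owner[mfn]
        self.free_mfns.append(mfn)


class Guest:
    """One VPX/VM: its p2m table plus the pages its memory driver holds on to."""

    def __init__(self, name: str, host: Host, max_gpfns: int) -> None:
        self.name = name
        self.host = host
        self.max_gpfns = max_gpfns  # size of the E820-described guest address space
        self.p2m: Dict[int, Optional[int]] = {}  # gpfn -> mfn, or INVALID_ENTRY
        self.balloon_pages: List[int] = []  # gpfns parked with the memory driver

    def populate(self, gpfn: int) -> int:
        """Allocation step: ask the host to put a machine frame behind gpfn."""
        if not 0 <= gpfn < self.max_gpfns:
            raise ValueError("gpfn outside the guest physical address space")
        if self.p2m.get(gpfn) is not INVALID_ENTRY:
            raise ValueError("gpfn is already backed")
        mfn = self.host.allocate_mfn(self.name)
        self.p2m[gpfn] = mfn
        return mfn

    def balloon_out(self, gpfn: int) -> None:
        """Release step: the memory driver gives the frame behind gpfn back to the host."""
        mfn = self.p2m.get(gpfn)
        if mfn is INVALID_ENTRY:
            raise ValueError("gpfn has no backing frame to release")
        self.p2m[gpfn] = INVALID_ENTRY      # guest keeps the gpfn, loses the mfn
        self.balloon_pages.append(gpfn)      # driver holds it so the OS will not reuse it
        self.host.release_mfn(self.name, mfn)

    def translate(self, gpfn: int) -> Optional[int]:
        """Where an access at gpfn lands; INVALID_ENTRY means it would fault."""
        return self.p2m.get(gpfn)


def isolation_holds(guests: List[Guest]) -> bool:
    """No machine frame may be mapped into two guests' p2m tables at once."""
    seen: Dict[int, str] = {}
    for guest in guests:
        for mfn in guest.p2m.values():
            if mfn is INVALID_ENTRY:
                continue
            if mfn in seen and seen[mfn] != guest.name:
                return False
            seen[mfn] = guest.name
    return True


def demo() -> dict:
    """Two constructed guests share an 8-frame host; guest A balloons one page out."""
    host = Host(total_frames=8)
    vpx_a = Guest("vpx-a", host, max_gpfns=4)
    vpx_b = Guest("vpx-b", host, max_gpfns=4)
    for gpfn in range(4):
        vpx_a.populate(gpfn)
    for gpfn in range(2):
        vpx_b.populate(gpfn)
    reclaimed = vpx_a.translate(3)
    vpx_a.balloon_out(3)          # the mfn goes back on the host free list
    vpx_b.populate(2)             # ...and can now back a frame of another guest
    return {
        "a_gpfn3_after_release": vpx_a.translate(3),   # INVALID_ENTRY
        "b_got_reclaimed_frame": vpx_b.translate(2) == reclaimed,
        "isolated": isolation_holds([vpx_a, vpx_b]),
        "host_free_frames": len(host.free_mfns),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the demo dictionary: guest A's gpfn 3 now translates to the invalid entry, guest B received the very frame A gave back, the isolation check still holds, and the host has two free frames left. The PermissionError in release_mfn is the model's stand-in for the host refusing to reclaim a frame on behalf of a guest that does not own it.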

New SDX Platform Features:

Cluster Link Aggregation (CLAG)

SDX can support Cluster Link Aggregation Groups on a per-interface basis, so long as there is only one network per SDX interface. This method is rarely used with SDX clustering due to the limitation to only one VLAN per interface. CLAG is an L2 channel that can be either static or dynamic, and the upstream switch sees a single cluster MAC address in the ARP table. CLAG is used to distribute traffic across clusters using a fat pipe.

CLAG NOTES:

1. A separate physical medium is required for client connection steering and node-to-node communications.
2. Cluster heartbeats cannot be exchanged over the CLAG interfaces.
3. Standalone VPX appliances are not supported with CLAG; some ESX and KVM versions can support CLAG.

SDX Platform Improvements:

VPX Scaling:

The purpose of VPX scaling is to enable hardware (HW) Receive Side Scaling (RSS) for the Intel Fortville interfaces on the NetScaler SDX and to enable users to provision VPX using maximum resources from the SDX. As a result, SVM allows VPX with 16 cores on the 25xxx 40G appliances and 10 cores on the 14xxx 40G appliances. Additionally, SVM enables VPX to use cores from both of the sockets (each appliance has two sockets). In order to do this, the maximum number of virtual functions (VF) per interface is set at 20 VF. Previously, the maximum number of VF per interface was 32 VF for a 40G interface. Enabling HW RSS and thereby enabling VPX scaling allows maximum throughput per VM of up to 180Gbps on all 16 cores on the 25xxx series SDX. Throughput per VM on non-RSS capable SDX appliances is 35Gbps.

SNMP Standardization:

SNMP standardization allows a standard SNMP (Simple Network Management Protocol) MIB-2 (Management Information Base-II) table walk for interface and channel details to be conducted on the NetScaler SDX. Previously, SDX interface details were not exposed through the standard MIB-2 OID (Object Identifier). Channel details were not exposed over SNMP at all. As a result, an SDX admin had to use vendor-specific OIDs to poll SDX interfaces. Now, interface and channel details on the SDX are exposed through the standard SNMP MIB-2 table through OID .1.3.6.1.2.1.2.

SNMP Alarm Thresholds and Timeout Options:

SNMP alarm thresholds and timeout options were added to the NetScaler SDX configuration to allow SNMP alarm thresholds and timeout frequency to be configured. Previously, alarm thresholds were not configurable. An alarm was raised only once until it was cleared, and the timeout frequency was not configurable at all. Now, SDX allows setting a threshold for SNMP alarms. A threshold is configured as a percentage. If a threshold is configured and the current usage for that particular monitor goes above the threshold, then a high event is raised. Once the usage goes below the threshold, a clear event is raised. SDX also allows setting the frequency for SNMP alarms. A timeout is configured in minutes. Once an event is raised, the SVM will wait for the configured timeout minutes before repeating that event (if it does not get cleared within that time period).
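The threshold and timeout behaviour just described (high event on crossing above the threshold, clear event on dropping below it, and a repeat of the high event only after the timeout has elapsed without a clear) is a small state machine, and it helps to see it run over a usage series before tuning the values on a real appliance. The following Python is an added example written for this guide; it is not SVM code, and the monitor name, threshold, timeout and usage samples are constructed. Usage exactly equal to the threshold is treated as neither above nor below, which is the edge the text leaves open.

```python
"""Model of the SNMP alarm threshold and timeout behaviour described above.

A monitor raises a "high" event when usage goes above its threshold, a "clear"
event when usage drops back below it, and repeats the "high" event only after
the configured timeout (in minutes) if the condition has not cleared.
Added example for this guide; it is not SVM code, and the usage samples,
threshold and timeout below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Event = Tuple[str, int, float]  # (kind, minute, usage_pct)


@dataclass
class AlarmMonitor:
    name: str
    threshold_pct: float          # configured as a percentage
    timeout_min: int              # minutes to wait before repeating an uncleared event
    raised: bool = False
    last_raised_at: Optional[int] = None
    events: List[Event] = field(default_factory=list)

    def observe(self, minute: int, usage_pct: float) -> List[Event]:
        """Feed one sample; return the events this sample causes (possibly none)."""
        emitted: List[Event] = []
        if usage_pct > self.threshold_pct:
            if not self.raised:
                # first crossing above the threshold: raise the high event
                self.raised = True
                self.last_raised_at = minute
                emitted.append(("high", minute, usage_pct))
            elif minute - self.last_raised_at >= self.timeout_min:
                # still above the threshold after the timeout: repeat the high event
                self.last_raised_at = minute
                emitted.append(("high", minute, usage_pct))
        elif usage_pct < self.threshold_pct and self.raised:
            # dropped back below the threshold: clear the alarm
            self.raised = False
            self.last_raised_at = None
            emitted.append(("clear", minute, usage_pct))
        # usage exactly at the threshold leaves the state unchanged
        self.events.extend(emitted)
        return emitted


def run_monitor(samples, threshold_pct: float, timeout_min: int, name: str = "cpu") -> List[Event]:
    """Replay (minute, usage %) samples through one monitor and return its event log."""
    monitor = AlarmMonitor(name, threshold_pct, timeout_min)
    for minute, usage in samples:
        monitor.observe(minute, usage)
    return monitor.events


# Constructed CPU usage samples: (minute, usage %). Usage stays above 80% from
# minute 1 to minute 6, drops at minute 7, and crosses again at minute 8.
SAMPLES = [(0, 40.0), (1, 85.0), (2, 90.0), (4, 92.0), (6, 88.0), (7, 60.0), (8, 91.0)]

if __name__ == "__main__":
    for event in run_monitor(SAMPLES, threshold_pct=80.0, timeout_min=5):
        print(event)
```

With a threshold of 80% and a timeout of 5 minutes the sample series yields a high event at minute 1, a repeat at minute 6 (five minutes uncleared), a clear at minute 7 and a fresh high at minute 8; raising the timeout to 10 minutes suppresses the repeat, which is the trade-off between alert noise and a reminder that a condition is still present.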

Multiple DNS Servers:

Multiple DNS (Domain Name System) servers allow support for configuring additional DNS servers on the NetScaler SDX. Previously, the SDX supported only a single DNS server on an SVM. If that DNS server became unreachable, then the SVM would not be able to reach any of the configured hosts. This could also lead to a total block on external authentication. SVM now supports configuring as many as two additional DNS servers. This adds redundancy to the DNS configuration on the SDX. The primary (first) server is strictly IPv4 since it is configured on Xen (DOM0), but additional DNS servers can be a combination of IPv4 and IPv6.

Optional Admin User While VPX Provisioning:

The SVM on the NetScaler SDX previously created a mandatory admin user account in a VPX while provisioning that VPX. This feature may have been objectionable to enterprises that have tight security policies. Now, the SVM has made creation of the admin account optional in a VPX while provisioning. This saves admins the extra step they would have to take to delete this account after provisioning.

CPU Visualizer:

Previously, the CPU layout on the SVM of the NetScaler SDX had a fluid form but its representation was static and tabular. There was no visible distinction between committed, shared, reserved, or available CPU cores. The administrator could not determine the number of VMs that could be provisioned in dedicated or shared mode, and load distribution across CPU sockets was not visible. The CPU Visualizer allows users to determine the number of CPU cores committed, shared, reserved, or available. The CPU Visualizer allows users to determine the number of VMs that can be provisioned in dedicated or shared mode, and it allows users to view load distribution across CPU sockets.

Clean Install for All Platforms:

A clean install for all NetScaler SDX platforms allows a clean install of images for all existing deployed appliances. Previously, a clean install was supported only for newly manufactured SDX platforms (containing a 10GB factory partition). This made the feature unavailable for existing appliances in the field. Now, SVM checks for space on the factory partition in preparation for a clean install. If enough space is found, then a clean install can proceed. Otherwise, the user is informed that insufficient space exists to perform a clean install.

Section 2: NetScaler SDX

The Citrix NetScaler SDX appliance is a multitenant platform on which a user can provision and manage multiple virtual NetScaler machines (instances). The SDX appliance addresses cloud computing and multitenancy requirements by allowing a single administrator to configure and manage the appliance and delegate the administration of each hosted instance to tenants. The SDX appliance enables the appliance administrator to provide each tenant the following benefits:

- One complete instance, with each instance having the following privileges:
  - Dedicated CPU and memory resources
  - A separate space for entities
  - The independence to run the release and build of their choice
  - Lifecycle independence
- A completely isolated network. Traffic meant for a particular instance is sent only to that instance.

The Citrix NetScaler SDX appliance provides a Management Service that is pre-provisioned on the appliance. The Management Service provides a user interface (HTTP and HTTPS modes) and an API to configure, manage, and monitor the appliance, the Management Service, and the instances. A Citrix self-signed certificate is prepackaged for HTTPS support. Citrix recommends that you use the HTTPS mode to access the Management Service user interface.

A virtualized multi-tenant ADC should offer datacenter managers the following capabilities:

- High consolidation density: enabling a large number of ADC instances to run on a single platform, each with its own policy, configuration and dedicated system resources.
- Complete isolation of ADC resources: with 100% isolation of compute, memory and ADC processing resources (including SSL acceleration and data compression), ensuring that the performance of one ADC instance never impacts another.
- Full ADC feature support: consolidation requires that all existing ADC footprints can be consolidated without a loss of functionality.
- Pay-As-You-Grow scalability: datacenter managers must have the ability to scale overall ADC capacity on demand without adding additional hardware.

NetScaler SDX specifically offers these capabilities because it enables multiple, independent, full-featured NetScaler instances to run on a single physical appliance. NetScaler SDX is an optimized combination of two proven solutions in their own right, NetScaler VPX and Citrix XenServer. It enables today's organizations to reduce their ADC footprint and total cost of ownership (TCO) by pursuing opportunities for both horizontal and vertical consolidation of discrete, standalone ADC devices. NetScaler SDX squarely meets the four fundamental requirements for a natively virtualized ADC consolidation solution:

- Density: up to 115 NetScaler ADC instances can run independently on a single NetScaler SDX platform, depending on the SDX platform. This impressive level of density supports the most ambitious consolidation projects.
- Isolation: all critical system resources, including memory, CPU and SSL processing capacity, are assigned to individual NetScaler instances. This is essential to ensuring that resource demands made by one tenant do not negatively impact other tenants running on the same physical system. It also provides greater security for each ADC instance by providing full separation of traffic flows.
- Full ADC functionality: NetScaler SDX supports 100 percent of the ADC functionality available with both hardware-based NetScaler MPX appliances and software-based NetScaler VPX virtual appliances. This enables NetScaler SDX to consolidate all existing ADC deployments with virtually no policy constraints.
- Pay-As-You-Grow: the Pay-As-You-Grow option delivers on-demand elasticity, enabling organizations to easily scale ADC capacity to keep pace with application traffic growth. Since it leverages a software-based architecture, NetScaler SDX can scale performance and capacity with a simple software key, eliminating expensive hardware purchases and upgrades.

NetScaler SDX Use Cases

For networking components (such as firewalls and Application Delivery Controllers), support for multi-tenancy has historically involved the ability to carve a single device into multiple logical partitions. This approach allows different sets of policies to be implemented for each tenant without the need for numerous, separate devices. Traditionally, it is severely limited in terms of the degree of isolation that is achieved.

The NetScaler SDX appliance is not subject to the same limitations. In the SDX architecture, each instance runs as a separate virtual machine (VM) with its own dedicated NetScaler kernel, CPU resources, memory resources, address space, and bandwidth allocation. Network I/O (input/output) on the SDX appliance not only maintains aggregate system performance but also enables complete segregation of each tenant's data-plane and management-plane traffic. The management plane includes the 0/x interfaces. The data plane includes the 1/x and 10/x interfaces. A data plane can also be used as a management plane.

The most common use cases for an SDX appliance relate to consolidation and reducing the number of networks required while maintaining management isolation. Following are the basic consolidation scenarios or use cases:

- Consolidation when the Management Service and the NetScaler instances are in the same network
- Consolidation when the Management Service and the NetScaler instances are in different networks but all the instances are in the same network

- Consolidation across security zones
- Consolidation with dedicated interfaces for each instance
- Consolidation with sharing of a physical port by more than one instance

Section 3: NetScaler SDX

Default SSL Certificate Use Case

Previously, the default SSL certificate on the Service Virtual Machine (SVM) of the NetScaler SDX was set as a 1024-bit key certificate. The purpose of this change is to increase the size of the default SSL certificate on the SVM to a 2048-bit key certificate. The user must delete the existing default SSL certificate and restart the SVM in order to have this change take effect. The user must delete the existing default certificate and key from /var/mps/ssl certs and /var/mps/ssl keys respectively.

This change increases the size of the default SSL certificate on the SVM of the NetScaler SDX to a 2048-bit key certificate.

New Features

Cluster Link Aggregation (CLAG) Use Case

SDX can su
