netscaler adc tdm presentation

7/26/2019 NetScaler ADC TDM Presentation

1/138

v2 March 2015 Citrix | Confidential

NetScaler ADC TDM


2/138

2015 Citrix | Confidential

Agenda

Introdction

!A and Cl"tering

SD#

Ad$in %artition"

Traffic Manage$ent

SS&

Net'or(ing

)*ti$i+ation

Action Anal,tic"


3/138


The Invinci-le Net'or(

.e"ilient /lexi-le


4/138


%erfor$ance )ffload Secrit,Availa-ilit,

hat i" NetScaler

NetScaler ha" -een *o'ering nter*ri"e and

co$$erce a**lication" "ince 2002

&oad 3alancingAccelerationSecrit,SS&)*ti$i+ationAvaila-ilit


5/138 2015 Citrix | Confidential

The Detail"

%la

M%

di

=%#

SD#

NetScaler

IAAS

=I%

SAAS

gate'a,

S1

S2

S>NetScaler

C< C3

/T%

S?&

!TT%!TT%S

DNSTC%

@D%

AD

"

%')

A1

A2

A>

NetScal

)*ti$i+ation

SS& )ffload

TC% )ffload

TC% 3ffering

Srge %rotection

Co$*re""ion

Caching

e- &ogging

!TT% 20

Client ee*4Alive

SACBNagle"

TC% e"t'ood

Secrit,

SS& )ffload

&:49 AC&

Net'or( AC&"DoS %rotection"

.e'rite .e"*onder

.ate &i$iting

SS& =%N

AAA for A** Traffic

A**lication /ire'all

NetScaler



Scale

Up

Scale Out

ScaleIn

ElasticitywithPay-As-You-Grow

Simplicitywith Many-In One

ow capacity upto 5x$ %o %ew &ardware$'

#(etter &A than &A$ Sc

#60H1*ootprint reduction$ %

Introdcing NetScaler TriScaleTMTechnolog,



!igh Availa-ilit, G Cl"tering



Cl"tering for !igh Availa-ilit,

Need to *grade a "erver or NetScalerJK

L'ith no do'nti$eJ



Traditional !AAn ActiveB%a""ive %air of NetScaler"

NetScaler

NetScaler

%ri$ar,

Secondar,

xternal

Net'or(

Interna

Net'o


10/138


NetScaler !igh Availa-ilit, !AE ""ential"

!A i" onl, ActiveBStand-, TheNetScaler 00> and 5 @D% *ac(et" are "ent ever, "e

Co$$nication )N&; ha**en" -et'een the NSI%" of -oth NetScaler"

3oth NetScaler" $"t -e of "a$e -ild -oth Maor and MinorE for S,nchroni+%ro*agation

!A co$$nication i" on all na-led Interface" Trn 4ha$on )// on all n


11/138


NetScaler !A Ti*" and Tric("

!A Selection Criteria If "tate i" the "a$e7 "elect lo'er I% addre"" a" %ri$ar,

If "tate i" different ie @% v" Not @%E go 'ith @% a" %ri$ar, Best Practice: Add "econdar, node a" Not @* ie have nconnected interface"

!AM)N )NE

&a,er 2 on a /ailover In the event of a fail4over the ne' %ri$ar, 'ill "end a


12/138


h, Cl"teringJ

fficient tili+ation

legant "oltion to "cale * traffic

D,na$ic ca*acit,

a"e of $anage$ent and configration

Sati"fie" "a$e reFire$ent" a" !A Configration re*lication

/alt tolerance

ACTIV

PASSIV

32X

ACTIV


13/138


NetScalerCl"ter

Facts

Cl"ter of NetScaler node"

Can -e for$ed 'ith 2 to >2 node"

Single ","te$ i$age for end "er

3ilt on NetScaler nCore architectre

No Cha""i" or ne' hard'are reFired

D,na$ic change" *er$itted

Benefits

%rovide" &inear Scal

!igher Throgh*t

Configration Scala-

3ilt4in /alt Toleran

Active4Active S**or

Active4Stand-, S**


14/138


Cl"tering

ScaleH

%erfor$ance .edndanc,

An, /or

Cl"ter =%#7

Tre Cl"teringH

Data and Manage$ent %lane

Scale for S*eed

Scale for

.edndanc,

A** A**

A**

A**

A** A**

A**A**

A**

A**

A**A**

A**A**

A** A**

A**

A**

A**

A**A**

A**

A**

A**

A**

A**A**

A**A**

A**

A**

A**

A**

A**

%etScaler

+P,


15/138


Cl"ter logical to*olog,


16/138


CC)H Configration coordinator

S,nc" configration %ro*agate" co$$and" S,nc" file"

CC)

)'ned -, CC) @"ed for $anage$ent

Cl"ter I%


17/138


Cl"tering De*lo,$ent T,*e


18/138


CM%

=I%B>2H N

=I%B>2H N=I%B>2H N

=I%B>2H N

/lo'

receiver /lo'

*roce""or


19/138


C&A

VIP:broadcast

ARP

VIP

->

C&A< M

024004f4cl"ter


20/138


C&A< cont


21/138


&in(Set

ARP request:

CIP:CMAC ->

VIP:broadcast

ARP reply:

VIP:ARP_OWNR_MAC

-> CIP:CMAC


22/138


CM% &in( Set"

@*"trea$ deviceconnectivit,

All node" $"t -econnected It can -e "edin co$-ination 'ith &in(

Set"

Doe" not reFire allnode" to -e connected

Allconnecin co$

@*"trea$ deviceconfigration

;S N)

%ro" 3e"t traffic di"tri-tionTran"*arent to *"trea$

device3ette

Cons.ote" are li$ited to

$axi$$ n$-er"**orted -, roter

%otential -ottlenec(ach =I% i" initiall,

handled -, onl, one node

Numbuse! c

Di"tri-tion Mechani"$" Co$*ari"on"


23/138


Do'nti$e

@*grading the Cl"ter

#ow is that ossib"e$ @*grade one node at

a ti$e

%ou"!n&t that ta'e !own the

c"uster$

No Different ver"ion" canoin the cl"ter

Node re-oot" P "e""ion"

redi"tri-ted Co$$and *ro*agation

di"a-led

Is this !o ;e"

htt*HBB-
http://bit.ly/1QBqbp0http://bit.ly/1QBqbp0http://bit.ly/1QBqbp0


24/138


SD#


25/138


NetScaler SD#

Mlti4tenant NetScaler

@* to 60 in"tance" =er"ion inde*endent

Qero *erfor$ance lo""

C"to$er =ale Net'or( con"olidation

!ard'are "en"i-ilitie"R virtali+ation -enefit"

S**ort for >rd *art, co$*onent"


26/138


%CI DSS validation

When properly deployed

NetScaler SDX will meet the

following PCI DSS version 2!

re"#irements$ incl#dingdeployments with in%scope and o#t%

of%scope &PX instances r#nning on

the same SDX appliance'


27/138


NetScaler SD#

Co$*lete a**liance in"tance

*er tenant Co$*lete C%@7 $e$or,7 and SS&i"olation

Inde*endent entit, "*ace"

Inde*endent ver"ioning

Inde*endent $aintenance "chedle

Co$*lete Net'or( I"olation

No *erfor$ance degradation


28/138


SD# Device4level .e"orce %ool"

Define SD# device re"orce *ool"

Set C%@7 SS&7 Me$or,7 Net'or(

Create *ool ad$ini"trator"

%ool ad$ini"trator" )nl, have acce"" to their *ool"

Can createBdelete in"tance" a" the, "ee fit Can allocate *ool re"orce" a" the, "ee fit

!ave vi"i-ilit, onl, into their *ool"

D t il @


29/138


Detail"

Fu"" A(C Functiona"it)P NetScaler SD# "**ort" 100 *ercent of the ADC fnction

-oth hard'are4-a"ed NetScaler M%# a**liance" and "oft'are4-a"ed NetScaler =%# virena-le" NetScaler SD# to con"olidate all exi"ting ADC de*lo,$ent" 'ithot an, *olic, c

Com"ete A(C Iso"ationP All critical ","te$ re"orce"7 inclding $e$or,7 C%@ anca*acit, are a""igned to individal NetScaler in"tance" Thi" en"re" re"orce de$and

tenant doe" not negativel, i$*act other tenant" *erfor$ance rnning on the "a$e *h,"

provides greater security for each ADC instance by providing full separation of tra

ach NS in"tance on SD# ha" it" i"olation *rovided -, virtali+ation technologie" P e i"olate" C%@7 Me$or,L

/or hard'are acceleration for -oth Net'or(ing and for cr,*to7 'e "e S.I)= technolog,

"i$ilar i"olation in hard'are Cavi$ N> Device"7 dont have Standard Mail-ox for =/4%

-t "e Cavi$ *ro*rietar, $ail-ox $ethod 'hich i$*le$ent" rando$l, generated 15 -

*er =/7 th" $a(ing =/4%/ co$$nication highl, "ecre

Pa)+As+,ou+-rowP The %a,4A"4;o4


30/138


Sim"ifie! Ima.e /.ra!e


31/138


@"er x*erience 4 Initial Configration


32/138


@"er x*erience 4 Ne' Da"h-oard


33/138


@"er x*erience 4 %rovi"ion NetScaler


34/138


Co$*arative "$$ar, of NetScaler Soltion"

NetSca"er

0PX

NetSca"er

VPX

NetSca"er

S(X/or$ /actor !ardened

net'or(a**liance

Soft'are4-a"evirtal a**liance

!ardenednet'or(

a**liance

ADC Den"it, 1 1 @* to 60

%erfor$ance @* to 150


35/138


Ad$in %artition"


36/138


e, @"e Ca"e"

nter*ri"e

I% overla**ing =irtal .oting ntit, "*ace

"e*aration 1 ad$in P $lti*le

%artition" Inter *artition acce"" Athentication

Service %rovider


37/138


NetScaler ithot %artition


38/138


NetScaler ith %artition

A*

5


39/138


C l t S ti


40/138


@"er %lane

Data %lane

Net'or( %lane

Citrix Confidential 4 Do Not

Co$*lete Se*aration

Ad$

in%art

N"conf

Aditlog"

SNM%

De-gging

/ile S,"te$


41/138


Traffic Manage$ent

NetScaler ADC Meet" traditional ADC need"


42/138


&i"h aailaility Geo"raphical *ailoer *or disaster recoery

Secure remote access Increased per*ormance ande.ciency throu"h

serer o/oad0 cachin" and compression

NetScaler ADC P Meet" traditional ADC need"

& d - l i d


43/138


&oad -alancing and


44/138


Proides the intelli"ence to

each re1uest to the ri"ht se

!ontinuously monitors the happlication and we serers

2ayer 3 load alancin"

Present di4erent content to dusers

!an e ased on IP ran"e0 "earea0 lan"ua"e0 or deice us

Serer 2oad (alancin"

!ontent

Switchin"

Aailaility

%etScaler#Air"ap'

&oad3alancing


45/138


g

Source IP

Coo'ie

SS1 Session I(

Serer+I( in /1 4uer)

Customer Serer+I(

To'en 5hea!er or bo!)6

0aintainin. /ser

Sessions

(istributin. Traffic

1east Connections

1owest esonse Time

SN0P+base!

IB0 SASP

#ash+base!

0an) more7

0onitori

#ea"th an!

TCP Connec

#TTPS Conn

E8ten!e! Co

Scritab"e #

TCP an! /(P C"ient e9uests

&9 Content S'itching


46/138


&9ContentS'itching

#TTP e9uests

Anything in request body (eice T)e

1an.ua.e

Coo'ie

Browser Caabi"it)

X01 XPath suort

C"ient Attributes

Any TCP Request#TTP -et

#TTP Post

e9uest

Protoco"e9ues

Any TCPvalue

Any HTTP

value

(omain

%i"!car!

Aailaility


47/138


Operates under same "enera

2oad (alancin" 2oad alance tra.c etween

centers

Ealuate serer health to dist

5or6s ia 7%S

Gloal Serer2oad

(alancin"

8GS2(9Use Case: Maintain usiness continuity durin" site leel disaste

Aailaility


48/138


.e$ote%-lic or%rivate

323

g

%2%

Site B

Site B

Site A

32C

Content S'itching =irtal Server S**ort for


49/138


Content S'itching =irtal Server S**ort for


50/138


NetScaler and S?&

NetScaler allo'" -etter "cala-ilit, P Scale4

Scale4* &o'er co"t" -, "ing $ore7 "$aller "erver"

I$*roved availa-ilit, of data

Intelligent load -alancing and content "'itching P Net

S?&

.edced C%@ "age lo'er licen"e co"t"

NetScaler redce" C%@ "age of S?& Server"

Caching $ean" fe'er reFe"t" need to go to the S?&

NetScaler handle" the encr,*tion7 ta(ing load off the "

I$*roved "er ex*erience fro$ redced

latenc,

DataStrea$


51/138


DataStrea$

A**

Server

A**

Server

A**

Server

A**

Server

A**

Server

A**

Server

A**

Server

A**

Server

A**

Server

A**Server

A**

Server

A**

Server

S

S

SS

S

S

S

S

S

S

1 S?&4intelligent load -alancing

2 )ffload" data-a"e connection"

> @* to 20x increa"e in *erfor$ance: !A and Di"a"ter .ecover,

5 MS S?& Server and M,S?& "**ort

Citrix xcl"ive Co$*etition offer no *olic, control"7 no *

i$*rove$ent"

Delivering Micro"oft A**lication"


52/138


Delivering Micro"oft A**lication"

3"ine"" critical a**lication"

Availa-ilit, i" enhanced throgh lo

UI$*roved "ecrit,

Secre acce"" reFired over SS& P

a" 'ell

A**lication fire'all *rotection

Si$*le de*lo,$ent via te$*late"7

!,*er4=

S$all de*lo,$ent" -enefit fro$ =%

Mo-ile acce"" to e$ail via native a

.edced load on "erver P do $ore

"erver"

h, NetScaler for xchange 201>J


53/138


h, NetScaler for xchange 201>J

Aailaility Per*ormance User ESecurity

.edced&oadonServer"


54/138


Suorts .reater user caacit) an! more as with minima" i

SS&

M%&);S

%A.TN.S

C@ST)M.S

SS& )ffload TC% Mlti*lexing and 3ffering Static and D,na$ic Caching !TT% Co$*re""ion


55/138


SS&

Ato Detection of Certe, ncoding


56/138


Ato Detection of Certe, ncoding

NetScaler can no' ato4detect the encoding t,*e and load the cert

(e, No need to figre ot and give the Pinfor$K o*tion

S**orted /or$at"H %M7 D.7 %/#B%CSV12

/or %/#7 'ith P-ndleK o*tion of add cert(e,K co$$and NetScaler 'ill *ar"e the %/# file

&oad the "erver4cert and "erver4(e, &oad all the Inter$ediate4CA cert" *re"ent in the %/# file

&in( the certificate"

SS& @*co$ing nhance$ent"Ci*herB%rotocol

M%


57/138


* g

T&S 11B12 on -ac(end on =%#

a**liance"

CD!7 AS4


58/138


T&S14AS41264C3C4S!A 0x002

T&S124AS4254S!A25 0x00

T&S124AS41264S!A25 0x00

T&S124AS2546:

T&S124AS12644.C:4MD5 0x000:E

SS&>4.C:4S!A 0x0005E

SS&>4DS4C3C>4S!A 0x000aE

T&S14AS4254C3C4S!A 0x00>5E

T&S14AS41264C3C4S!A 0x002fE

SS&>4D!4DSS4DS4C3C>4S!A 0x001>ET&S14D!4DSS4.C:4S!A 0x00E

T&S14D!4DSS4AS4254C3C4S!A 0x00>6E

LLLL

LLLLLL

LLLLLL26 ci*her"L

Ci*her .e4ordering 3ac(4endE


59/138



60/138

2015 Citrix | Confidential0

Defalt SS& %rofile Convenient addingBre$ovingBreordering ci*her" and ci*her

gro*"

3etter control over SS& *ara$eter"

SS& Certificate $anage$ent i$*rove$ent Mini$$ "te*"R $axi$$ "eca"e coverage

&ea"t *o""i-ilit, of error

eortin. an! (ebu..in. Imroements

SS& N> chi* tili+ation re*orting on M%#

a**liance" T&S 11B12 "e""ion and connection re*orting

Client athentication conter at =I% level

SS& %rofile X


61/138


%rofile P container o-ect 'hich re*re"ent" a co$-ination of "everal SS& attr

All "etting" on SS& v"erver7 glo-al SS& *ara$eter" XEP are availa-le on *rofi

Change" to a *rofile i" directl, reflected to all v"erver it i" -ond to

Ne' Change"H


62/138



63/138


EC(#E oc's

lli*tic Crve

Ci*her

D! e, xchange

%erfect /or'ard

Secrec,

a

3

$ N

$

/

d

c

SNI


64/138


!o"t $lti*le do$ain" on a "ingle I%

Server Na$e Indication allo'" $lti*le

a**lication" to rn on one I% addre"" and*ort

3ind $lti*le certificate" to one "erverR one

for each a**lication

na-le" a "erver to ho"t a gro* of do$ain

na$e"

Client indicate" 'hich ho"tna$e to connect

in client hello

Mo"t -ro'"er" "**ort SNIR it" ti$e for

"erver" no'

Client hello

.eFe"ting "ite1co$

Server hello

Site1 Certificate

SAN


65/138


)ne certificate7 $lti*le do$ain"

S-ect Alternative Na$e" allo'" vario" vale" for

field" 'ithin a certificate

More *o'erfl than 'ildcard certificate"


66/138


VPX Performance Imroement

NetScaler cold read, "oltion7 =%#7 'ill havei$*roved *erfor$ance and -etter SS& T%S

&ate"t SS& *rotocol and ci*her "**ort on

frontend and -ac(end =%# en"re" that all clod

de*lo,$ent 'ill -e $ch $ore "ecre

CD! %erfor$ance I$*rove$ent" in 110


67/138


*

Te"t "cenario P

Ci*her P T&S14CD!4.SA4AS1264S!A

CC Crve P %W25

105 110

>950

6200

>0000 5000

CSoftware e"ease

TPS

;2


68/138


M%#

SD# =%#

M%# 8900B10500B12500B1550

/I%S

Thale" nShield


69/138


SD#

=%#

M%#)amper response mechanisms - mechanismsthat wipe out 6eys and #critical securityparameters' i* the coer is opened or i* physicalproin" is detected

Net'or(4attached hard'are "ecrit, $odle

!SME /I%S 1:042 &evel > and Co$$on Criteria A& :

certified %rotect" and $anage" *rivate (e,"

Identit,4-a"ed athentication $echani"$"

Strong "e*aration of dtie"

FIPS ;>


70/138


htt:??b"o.s*citri8*com?2


71/138


Di"a-le SS& >0 T&S 12 $"t -e ena

.C: ci*her" $"t -e re

I$*le$ent Strict Tran"*ort Secrit,

3oth "erver certificate and i

certificate" "hold -e S!A

Ci*her li"t to *refer CD!

Server" "hold "**

T&SW/A&&3ACWSC

htt*HBB-log"citrixco$BJ*19:211>0


72/138


Net'or(ing

!ighlight"


73/138


/ll *rox, I%v4I%v:

Server &oad

3alancing

/ll featred A/ for

I%v

Static and

.oting

3e"t I%v B I%v:

*erfor$ance ratio

/eatre *arit, 'ith

I%v:

NAT:7 NAT:7

DNS:AC&7 .NAT7 INAT

/ll featred A/

for I%v

Static and

.oting

No additio

fee fo

I%v $an

I%v /eatre" S$$ar,


74/138

2015 Citrix | ConfidentialCitrix Confidential P /or NDA

.oting D,na$ic )S%/7

.I%7 3


75/138


Client" Migration Mix of I%v: and I%v client"

I%v client" acce"" I%v: "erver"

Slo' Server Migration Mix of I%v: and I%v "erver"

I%v: client" acce"" I%v "erver"

Te"t I%v .ead, A**lication" 'ithot *grading the entire infra"trc

I%v

S&3: P Internet dge


76/138


Ma(e ,or I%v: 'e- a**lication" availa-le to external I%v

No change" to exi"ting "erver infra"trctre

%erfor$ance7 Availa-ilit,7 .elia-ilit, and Secrit, of a**licatio

IP

Internet

IP>

Internet

IP>

Networ'

I%v =I%" ex*o"ed to

I%v "er"

I%v A**lication &oad 3alancing


77/138


S&3 for I%v a**lication" eg Micro"oft DA B @A

Networ'

S**ort $atrix


78/138


C"ient facin.5Virtua" IP6

Serer facin.5SNIP6

I%v: I%v:

I%v I%v:

I%v: I%v

I%v I%v

Citrix Confidential P /or NDA

NAT


79/138


S&3 NAT

&a,er > NAT INAT .NAT %refix -a"ed I%v4I%v: NAT

S&3 NAT


80/138


S&3 NAT i" "ed 'hen "erver re"*on"e" donYtato$aticall, *a"" throgh the NetScaler )ne4Ar$ $ode

Server" and the NetScaler are in different "-net"

S&3 NAT i" *erfor$ed onl, 'hen @SI% i" DISA3

;


81/138


SNI%BMI% "ed a" "orce I% for -ac(end co$$

Net'or( *rofile" "ed for "electing "orce I% SN

Net'or( *rofile" can -e a""ociated 'ith "erviceBv

;


82/138


@"e Sorce I% @SI%E na-led Client I% i" al'a," "ed for -ac(end co$$nication

Net'or( %rofile and @SI% di"a-led Net'or( %rofile -ond to "ervice i" "ed

Net'or( %rofile -ond to "ervicegro* i" "ed

Net'or( %rofile -ond to v"erver i" "ed

Net'or( %rofile and Monitoring Net'or( %rofile -ond to $onitor i" "ed

Net'or( %rofile -ond to "ervice i" "ed

Net'or( %rofile -ond to "ervicegro* i" "ed

Addi N t ( % fil

Net'or( %rofile P Configration


83/138


Adding a Net'or( %rofile add net*rofile "ale"Net%ro 4"rcI* 1010211

Adding Net'or( %rofile 'ith I%ST add net*rofile "ale"Net%ro P"rcI* rangeI%

Setting a Net'or( %rofile "et net*rofile "ale"Net%ro 4"rcI* 1821611

3inding a Net'or( %rofile "et l- v"erver "ale"=" Pnet%rofile "ale"Net%ro

"et "ervice "ale"Svc Pnet%rofile "ale"Net%ro

"et "ervicegro* "ale"Svc


84/138


A**le 'ant to choo"e "orce I% for S,"log traffic

Sorce I% no' can -e "ed to identif, ","log traffic

/ire'all" can -e configred for the "*ecific "orce I%

1 T,*e" of &> NAT P INAT


85/138


INAT

NetScaler re*lace" thede"tination I% addre""

INAT P De"tination NAT


86/138


(estination IP trans"ation

Suorte! ScenariosH

I%v:4I%v: Ma**ing

I%v:4I%v Ma**ing

I%v4I%v: Ma**ing

I%v4I%v Ma**ing

INAT P Sorce I% Selection


87/138


I" @SI%

na-led@"e Client I%

;e"

No

I" %rox, I%

Configred@"e %rox, I%

;e"

No

I" @SNI%

na-led@"e SNI%

;e"

No

I" MI%

Configred J@"e MI%

;e"

No

rror

INAT 4 Configration


88/138


add inat na$eO *-licI%O *rivateI%O Z+tcro8) NA3&D | D

Z+ft NA3&D | DISA3&D E[ Z+usi )N | )// E[ Z+usni )N |

ro8)IP i*Waddr|i*vWaddrO[ Z+tft NA3&D | DISA3&D E[ Z4$o

NA3&D | DISA3&D E[

%-lic I% can -e one of the NS o'ned =I%"

%rivate I% P Tran"lation I% TC% %rox,H @"efl for "ecrit, rea"on" to $itigate DoS B DDoS attac("

Enab"e!H Maintain" the TC% "e""ion "tate

(isab"e!H Doe" not $aintain the TC% "e""ion "tate

r$ inat na$eO

"ho' inat Zna$eO[

2 T,*e" of &> NAT P .NAT

NAT


89/138


NAT

NetScaler re*

the "orce I% a

f f

.NAT P Sorce NAT


90/138


A!!ress base! trans"ation: NATing i" *erfor$ed for all *ac(et" $

addre""

E8ten!e! AC1 base! trans"ation: NATing i" *erfor$ed for all *acthe configred AC&

NAT I% addre"" "ed in tran"lationH SNI% or MI%

@niFe I% configred a" *art of the NAT rle 4nati* o*tionE

.NAT ta(e" *recedence over @SI% $ode if configred

.NAT P Sorce I% Selection


91/138


NATI% i" al'a," "ed 'hen configred

If NATI% i" not configred 3a"ed on the de"tination P "orce I% i" "elected fro$

=I% P If ex*licitl, configred "ing NATI%

SNI% P If @SNI% i" )N

MI% P /or re"t of the ca"e"

/or .NAT in &&3 P "orce I% "election i" -a"ed on the roter Chec

doc$entation for $ore detail"E


.NAT P xa$*le Scenario


92/138


3le Colored /lo'1 %ac(et generat

1821621R D"

2 %ac(et .eceive20020020020

> .e"*on"e fro$

1001001001R

: .e"*on"e rece

1001001001R

.ed Colored /lo'

1 %ac(et generat1821611R D"

2 %ac(et .eceive

20020020020

> .e"*on"e fro$

1001001001R

: .e"*on"e rece

1001001001R

"et rnat I%Addre""O net$a"(O

MI% or SNI% 'ill -e "ed for tran"lation

.NAT Configration


93/138


MI% or SNI% 'ill -e "ed for tran"lation

"et rnat I%Addre"" netMa"(O +nati NATI%Addre""O %rovide a "ingle I% or a range in NATI%Addre""O

NATI% 'ill -e "ed for tran"lation

"et rnat aclna$eO Z+re!irectPort *ortO[ MI% or SNI% 'ill -e "ed for tran"lation for *ac(et" $atching the AC&

rediect%ort P de"tination *ort to 'hich traffic i" redirected

"et rnat aclna$eO Z+re!irectPort *ortO[ +natIP NATI%Addre""O

%rovide a "ingle I% or a range in NATI%Addre""O

NATI% 'ill -e "ed for tran"lation for *ac(et" $atching the AC&

rediect%ort P de"tination *ort to 'hich traffic i" redirected

"ho' rnat


%refix -a"ed I%v4I%v: tran"lation


94/138


Source: 2*;2@*D;*;

Pac'et

I%v to I%v: tran"lation -a"ed on the $atching *refix

De"tination I% i" tran"lated -a"ed on the configred *refix P la"t >2

a" the I%v: addre""

Configration "et i*v Z+natrefi8 i*vWaddr|XO[

"ho' i*v

NAT S$$ar,

Scenario INAT NAT S

1 1 %rovide a %rivate I% %rovide onl, one I% in Co$


95/138


1H1 %rovide a %rivate I%corre"*onding to the

*-lic I%

%rovide onl, one I% inthe rle 'ith

configred NATI%

Addre""

Co$&i"ten%rofi

attach

NH1 %rovide "a$e%rivate I% in

different INAT rle"

%rovide a "-net in the.NAT rle

Net %I%

MHN NA %rovide a "-net in the.NAT rle and a range

in NATI% Addre""e"

Net %roB "-n

to

D,na$ic .oting


96/138


%rotocol" S**orted .oting Infor$ation %rotocol .I%E ver"ion 2

)*en Shorte"t %ath /ir"t )S%/E ver"ion 2 3order


97/138


)S%/4=%N related co$$andCS%/4T related co$$and"i* o"*f re",nc4ti$eot co$$ca*a-ilit, o*aFe co$$andena-le ext4o"*f4$lti4in"t co$

I%v )S%/ )S%/v>E )S%/ Co$$and .eference


98/138


@"e Ca"eA-ilit, to "end acro"" larger fra$e "i+e on net'or( 'hich hel*" 'ith large f

content do'nload "e ca"e"

/eatre .eceiving and tran"$itting $-o fra$e" containing * to 821 -,te" of I%

\$-o /ra$e" "**ort for follo'ing *rotocol" TC%

@D%

!TT%

SI%

.adi"

nCore i" -eing validated in 105

Standard thernet /ra$e v" \$-o /ra$e


99/138


A**lication Data 6500 -,te"E

!

D

.

A**lication

Data

1500 -,te"

!

D

.

A**lication

Data

1500 -,te"

!

D

.

A**lication

Data

1500 -,te"

!

D

.

A**lication

Data

1500 -,te"

!

D

.

A**lication

Data

1500 -,te"

!

D

.A**lication Data

!D. 6500 -,te"

Standard

thernet

/ra$e

\$-o /ra$e

3enefit" of thernet $-o fra$e"

3ig %a,load"


100/138


3ig %a,load"

Increa"ed

Throgh*t and


101/138


=irtali+ation ha" *laced increa"ed de$and" on the *h,"ical net'

infra

=M" $a, -e gro*ed according to their =irtal &AN7 li$it of :08 iinadeFate

Need to ho"t $lti*le tenant"7 each 'ith their o'n i"olated net'or(

do$ain

ach tenant $a, inde*endentl, a""ign $ac4addre""e" and =&AN Need for overla, net'or( 'hich i" "ed to carr, MAC traffic fro$

individal =M" in an enca*"lated for$at over logical tnnelK

Server reacha-ilit, over =#&AN


102/138


add vxlan 10000add i*Tnnel t1 102112 255255255255 X P*rotocol

vxlan

-ind vxlan 10000 Ptnnel t1

-ind vxlan 10000 Pi*Addre"" 18216110

2552552550

C&INTC&INT

=T%

S.=.

=M

=&AN 2 =#&AN 10000

C&INT I% H 12>111=I% H 5111

=T% H 102112

S.=. I% H 182

Server reacha-ilit, over "tretched =&AN

S.=.


103/138


add vxlan 10000 P"an ;810> 255255255255 X P*rotocol

vxlan

-ind vxlan 10000 Ptnnel t1

C&INTC&INT

=T%S.=.

=M

=&AN 2

S.=. S@N3T H1821610B2:

=&AN 10

C&INT I% H 12>111

=I% H 5111

S.=. I% H 182

=lan 10 "tretched -, =#&AN 10000

3ridging -et'een =&AN and =#&AN


104/138


=T%S.=

=&AN 2=#&AN 20000

S.=. 1

ena-le n" $ode &2

add vxlan 20000 Pvlan 2add i*Tnnel tn1 22:009 255255255255 X 4*rotocol

vxlan

-ind vxlan 20000 Ptnnel tn1

NetScaler =#&AN Ca*a-ilitie"

Server B client reacha-ilit, over =#&AN tnnel"


105/138


Server B client reacha-ilit, over =#&AN tnnel"

3ridge traffic -et'een =&AN and =#&AN "eg$ent"

T'o t,*e" of =#&AN" =#&AN" that "tretch B extend exi"ting =&AN

=#&AN" a" inde*endent &a,er > entitie" 4 "cale -e,ond the li$it of : vlan"

@nica"t and Mltica"t =#&AN tnnel" No "**ort for I configration"

3ridge ta-le learn" =NID7 =T%

NetScaler =#&AN Ca*a-ilitie"


106/138


3ridge ta-le learn" =NID7 =T%

=NID7 =T% configra-le for "tatic A.%BND

AC&7 AC&7 %3.7 %3. *olicie" to $atch =#&AN

%olic, ex*re""ion" to $atch =#&AN

=#&AN" can -e -ond to traffic do$ain"

I%v: B v addre"" can -e -ond to =#&AN"

=#&AN "tat B "n$* "**ort


107/138


)*ti$i+ation

Caching


108/138


ACache

.edce Server 'or(load" -, re$oving

re*eata-le content

Caching allo'" content to -e held on the

NetScaler

%re*o*lation or *olic, driven "hold content

-eco$e *o*lar

I$*roved "er ex*erience

&e"" "train on "erver infra"trctre

Co$*re""ion


109/138


AComress

Advanced co$*re""ion ca*a-ilit, to redce tran"$itted data to

"er

I$*roved "er ex*erience co$-ining co$*re""ion ca*a-ilitie" of

-ro'"er

.edce" "erver overhead"

li$inate" -and'idth -ottlenec(" G i$*rove" a**lication

*erfor$ance "ignificantl,

@"e Ca"eH Add "**ort for high "*eed TC% conge"tion control algo

TC% Conge"tion Control


110/138


@"e Ca"eHAdd "**ort for high "*eed TC% conge"tion control algo

can hel* 'ithH Mini$i+ing -and'idth "tolen

n"re that co4exi"ting flo'" 'ith different .TT are treated fairl,

n"re efficient "age of availa-le -and'idth

/eatreH2 ne' TC% conge"tion control algorith$ "**orted 3IC

C@3IC

3ICH

3IC and C@3IC


111/138


3ICH /oc" i" on !igh S*eed Net'or("7 -and'idth * to 10


112/138


Mo-ileStrea$TM

Intelligent $lti *ath net'or(ing

leverage 'irele"" and celllar c

)*ti$i+ed 'e- content "trea$ido'nload and rendering

%er a** and "er acce"" $ana

end4to4end "ecre deliver,

3ilt4in *rotocol and a** vi"i-ili

co$*liance

xten"i-le *olicie" for $o-ile th

$al'are *rotection

Mlti4la,er a**lication o*ti$i+ation"

'ith granlar "ecrit, and control

NetScaler Mo-ileStrea$]


113/138


Content &a,ot

Avg .e"*o

increa


114/138


11:

3ro'"er and client

cache can -e -etter

tili+ed

\S G I$age

do$inate

*age content

%N< i" "till not$ain"trea$

increa

%age" are

heav

To* 1000 "ite" htt*HBBhtt*archiveorgBintere"ting*

Introdction

\SBCSS and i$age" co$*ri"e $o"t *art of the 'e- content


115/138


115

\SBCSS and i$age" co$*ri"e $o"t *art of the 'e- content

/) foc"e" on fa"ter and efficient 'e- content deliver, -, o*ti$ico$*onent"

Along 'ith thi" 7 /) trie" to leverage the client cache

)*ti$i+ation TechniFe"

Do$ain "hardingCache exten"ion

Initial connectionsetup

Stage" in e- %age Deliver,


116/138

2015 Citrix | Confidential11

xternal Scri*tB"t,le"heet $inificationCSS G \S inliningS$all i$age inlining

Co$-ine CSS

I$age


117/138


2 Client *ar"e" the info7 and "end" a reFe"t for the fir"t e$-edded o-ect

> NS "end" the reFe"t to the "erver7 "erver "end" the *roce""ed content: NS o*ti$i+e" the content7 "ave" it in cache

5 NS "end" the original i$age to client

Subse9uent e9uests:

NetScaler receive" the re"*on"e fro$ the "erver

9 NS *ar"e" the !TM& *age and chec(" for the o*ti$i+ed content and "eno*ti$i+ed content to the client

6 Client "end" a reFe"t to the o*ti$i+ed content

8 NS fetche" the content fro$ the cache and "end" the o*ti$i+ed content

De$o

C)%No4 C)%


118/138



119/138


!TT% 20

%ro-le$ 'ith !TT%B11

S-o*ti$al "e of TC%


120/138


Average n$-er of TC% connection" *er *age "ed in *o*lar "ite"H >9 Slo' Start


121/138

2015 Citrix | Confidential 2015 Citrix | Confidential

n$-er of o-ect" *er *age

%rotocol overhead

%ro-le$ 'ith !TT%B11


122/138


%rotocol overhead D*licate header"

No header co$*re""ion

-ETBfra$e'or("B-arle"FeB26>:Bor-B:B"cri*tBor-Ba*i$in" !TT%B11

#ostH "tatic--cico(

ConnectionH (ee*4alive

AccetH XBX

/ser+A.entH Mo+illaB50 indo'" NT >R ):E

A**lee-itB5>9> !TM&7 li(e 9>

(NTH 1

efererH htt*HBB'''--cco(B

Accet+Enco!in.H g+i*7 deflate7 "dch

Accet+1an.ua.eH en4@S7enRF067neRF0

-ETBlocatorB01189B"cri*tBlocator"

#ostH "tatic--cico(

ConnectionH (ee*4alive

AccetH XBX

/ser+A.entH Mo+illaB50 indo'" N

A**lee-itB5>9> !TM&7 li(e 9>

(NTH 1

efererH htt*HBB'''--cco(B

Accet+Enco!in.H g+i*7 deflate7 "dc

Accet+1an.ua.eH en4@S7enRF06

!TT%B11 Soltion"


123/138


S*riting

Inlining

Concatenation Sharding

!TT%B2H !TT%B11 %rotocol /ix

!TT%B2


124/138


3ac('ard co$*ati-ilit,

!eader co$*re""ion Server *"h

S-"tantiall, and $ea"ra-l, i$*rove end4"er *erceivedlatenc,

Addre"" the ^head of line -loc(ing^ *ro-le$

Not reFire $lti*le connection" to a "erver to ena-le *aralleli"$

i$*roving it" "e of TC%7 e"*eciall, regarding conge"tion control

!TT%B2 "$$ar,

3inar, %rotocol!TT%B2


125/138


)*en" "ingle TC% Connection *er do$ain

Mlti*le reFe"t" are "trea$ed into one connection

Strea$" are Mlti*lexed

%rioriti+ed

flo' controlled

!eader Co$*re""ion

Change in 'ire for$at7 no change in "e$antic"

Tra

T&S

3inar,

%h

Ne

!TT%B2

NetScaler !TT%B2 Architectre

I)N .elea"eH NS "**ort" !TT%B2


126/138


I)N .elea"eH NS "**ort" !TT%B2


127/138


!TT%B2 3ro'"er

Single TC% connection

'ith .eFe"t Mlti*lexing

NetScaler !TT%B2 %rox,

Client %C3

Strea$ Se""ion 1 Server %C

Strea$ Se""ion > Server %C




128/138


Action Anal,tic"

!o' do Action Anal,tic" I$*act the Net'or(J


129/138


D,na

Config

G

/lexi-

/ra$e'or( to collect "tati"tic" of rn ti$e

o-ect"

Action Anal,tic"


130/138


Stati"tic" collected can -e "ed to ta(e rn4ti$edeci"ion"

Stati"tic" collected *er o-ect inclde

Total No of .eFe"t"

3and'idth

.e"*on"e Ti$e Crrent Connection"

1>0

Action Anal,tic"

@"e" rate li$iting fra$e'or( G "trctre" to $ea"re traffic


131/138

2015 Citrix | Confidential1>1

Conter re"lt" are ex*o"ed to the %olic, ngine

T'o co$*onent" to $ea"ring traffic o-ect"H1 Selector

2 Strea$ Identifier

SelectorH Define" a Uclic(

Strea$ IdentifierH Mea"re$ent interval"

Action Anal,tic" P Strea$ Selector

NetScaler co$e" 'ith "o$e *re4defined "elector"


132/138


Action Anal,tic" P Strea$ Identifier

NetScaler co$e" 'ith *redefined


133/138

2015 Citrix | Confidential1>>

Identifier"

Define" the "elector "ed

Ti$e interval in $inte"

Sa$*le .ate

Action Anal,tic" P Strea$ Identifier

To "tart conting7 a No )*erationK re"*onder *olic, $"t -e -on


134/138

2015 Citrix | Confidential1>:

The"e are al"o *redefined

Strea$ Anal,tic" 'ill no' "tart conting

Action Anal,tic" 4 .eFire$ent"

Strea$ Selector ;


135/138


Strea$ Identifier

/eatre %olic, configred G -ond eg

add cache *olic, Cache4To*4@.&S 4rle

^ANA&;TICSST.AM_^To*W@.&_^EISWT)%10E^ 4action CAC!

4"toreIn


136/138


of $o"t freFentl, vie'ed ite$" on "ale

A-ilit, to cache data o-ect" on NetScaler

for fa"ter acce"" and free * "erver

re"orce" for *roce""ing tran"actional

data

.e"ilienc, %erfor$ance /lexi-ilit, Invinc

;or Invinci-le Net'or(


137/138


n"re the highe"t availa-ilit,'ith live cl"ter" P +ero do'n

even dring *grade"

%rovide intelligent o*ti$i+ation for "*erior *erfor$ance

%rotect-"ine"" logic 'ith re"*on"ive7 d,na$ic configra


138/138


or( -etter &ive -etteror( -etter &ive -etter

netscaler adc tdm presentation

Documents