Citrix ADC 12.

x Essentials

Citrix Hardware ADC Platforms

Module 3

1 2019 Citrix Authorized Content

©
 • Distinguish the hardware and use cases for Citrix ADC MPX,
VPX, CPX, and SDX.
• Identify the deployment options of Citrix ADC CPX.
• Discuss the multi-tenant structure of Citrix ADC SDX.
Learning
• Illustrate the function and benefits of various SDX interface
Objectives allocation scenarios.
• Identify the Citrix ADC SDX administrative components and
their use.

2 2019 Citrix Authorized Content

©
 Citrix ADC MPX

3 2019 Citrix Authorized Content

©
Citrix ADC MPX Platform
• Citrix ADC MPX appliances are hardened
network appliances that offer up to 160
Gbps performance.
• Citrix ADC MPX is available in a variety of
models to suit the most demanding IT and
business needs.
• If additional throughput is needed, some
models also support Burst Packs and Pay-As-
You-Grow options.

4 2019 Citrix Authorized Content

©
MPX Use Cases
• Managing web applications with gigabits of traffic
• Load balancing for small enterprises
• Ultra high-performance web application security
• Flex tenancy

5 2019 Citrix Authorized Content

©
Hardware Components of Citrix ADC MPX 5550

6 2019 Citrix Authorized Content

©
Hardware Components of Citrix ADC (Front)
MPX 11500, 13500, 14500, 16500, 18500, 20500

7 2019 Citrix Authorized Content

©
Hardware Components of Citrix ADC (Back)
MPX 11500, 13500, 14500, 16500, 18500, 20500

8 2019 Citrix Authorized Content

©
Hardware Components of Citrix ADC (Front)
MPX 22040, 22060,22060, 22080, 22100, 22120

9 2019 Citrix Authorized Content

©
Hardware Components of Citrix ADC (Back)
MPX 22040, 22060,22060, 22080, 22100, 22120

10
© 2019 Citrix Authorized Content
LCD Keypad
• Initial Citrix ADC configuration settings can
be set using the LCD keypad on the front
panel of the appliance.
• The settings are configured in this order: subnet mask,
NSIP, and default gateway (IPv4 only).
• A verification is done to confirm that the default gateway
address is in the NSIP subnet.

• LCD keypad configuration removes

dependency on the console port.
• It quickly provides access to the Citrix ADC
device.

11
© 2019 Citrix Authorized Content
 What is a Citrix ADC Burst Pack?

Lesson
Objective Review

12
© 2019 Citrix Authorized Content
 What is a Citrix ADC Burst Pack?
Answer: A temporary License upgrade.
Lesson A Citrix ADC burst pack is a temporary license upgrade. This
Objective Review allows you to increase the throughput on your device, or
devices, for a set period of time. It can be very useful during
short increases in employee traffic…Audits…Retail holiday
dates…Tax season…or even as a temporary fix for an
unexpected increase in license usage.

13
© 2019 Citrix Authorized Content
 Citrix ADC VPX

14
© 2019 Citrix Authorized Content
Citrix ADC VPX Platform
Citrix ADC VPX virtual appliances run as virtual
machines on a hypervisor or cloud environment,
allowing Citrix ADC instances to be provisioned
on demand.

15
© 2019 Citrix Authorized Content
Citrix ADC VPX Hypervisor Architecture
Citrix ADC VPX is a virtual Citrix ADC appliance
that can be hosted on:
• Citrix XenServer® Citrix ADC
VPX
• VMware ESX or ESXi
• Linux-KVM
• Microsoft Hyper-V
Hypervisor
It can also run on common public cloud
infrastructures.
Hardware

16
© 2019 Citrix Authorized Content
VPX Support
Citrix ADC VPX supports all the features of an MPX/SDX Citrix ADC except:
• Virtual MAC (vMAC) addresses.
• Link aggregation control protocol (LACP).

VLAN tagging is supported on the Citrix ADC virtual appliances hosted on XenServer and
VMware ESX platforms.

Note: All of the functionality above can be configured on the hypervisor.

17
© 2019 Citrix Authorized Content
VPX Use Cases
Citrix ADC VPX offers the flexibility, which is most useful in the following use cases:
• Architecting private or public cloud infrastructures
• Utilizing Citrix ADC within test labs, staging environments, and POCs
• Scalable, multi-tenant infrastructures
• Small business

18
© 2019 Citrix Authorized Content
VPX Deployment Requirements
VPX 10, 25, 200, 1000, 3000
• Processor requirements: Dual-core server with Intel® VTx or AMD-V™
• Memory available: 2 GB RAM, 20 GB hard drive
• Hypervisor:
• Citrix Hypervisor 5.6 or later
• VMWare ESX/ESXi 3.5 or later
• Microsoft Hyper-V 2008 R2 and 2012 R1 and R2
• KVM

• Connectivity: 100 Mbps minimum; 1 Gbps recommended

19
© 2019 Citrix Authorized Content
 Citrix ADC CPX

20
© 2019 Citrix Authorized Content
Citrix ADC CPX Basics
• Deploys standalone on Linux Docker host.
• Multiple CPX instances allowed.
C
App App App
• Same Citrix ADC code. P
A B C X
• Same management tools [Citrix Application bin/libs bin/libs bin/libs bin/libs

Delivery Management], but no

administration GUI. Docker Engine

• A Citrix ADC CPX instance operates with one

single IP address that is used for OS
management as well as for data traffic.
Server

21
© 2019 Citrix Authorized Content
Citrix ADC CPX Basics

Editions:
• Citrix ADC Platinum Edition
• Requires license server 11.1 or newer
• Developer Edition
• Free
• Limited performance / SSL key size limit 512 bits
• No license server required
Configuration:
• You can configure a Citrix ADC CPX instance by accessing the CLI prompt through the Linux
Docker host or by using Citrix ADC Nitro APIs. Citrix ADC License Server is free.

22
© 2019 Citrix Authorized Content
CPX Topology
• The default gateway for the CPX instance
is the IP address of the docker0 bridge,
which means that any communication Citrix ADC CPX
Packet Engine
with the Citrix ADC CPX instance is done
through the Docker network. Citrix ADC CPX
Docker Container
• All incoming traffic received from the (172.17.0.4/16)
docker0 bridge is received by the eth0
(eth0)
interface on the CPX instance and
processed by the CPX packet engine.
(veth*)
• This eth0 interface is directly connected Docker0 Bridge
to a virtual interface on (veth) the Linux
docker0 bridge. (172.17.42.1/16)
Docker Host

23
© 2019 Citrix Authorized Content
Installing Citrix ADC CPX

Linux Docker Host Image or Docker File Using the Citrix Application Delivery Management GUI

24
© 2019 Citrix Authorized Content
Installation Prerequisites

libc6-dev:i386
gcc-multilib
g++-multilib
lib32ncurses5-dev Ubuntu version
1 CPU 2 GB RAM Docker
zlib1g-dev:i386 14.04 and later
libssl-dev:i386
build-essential

25
© 2019 Citrix Authorized Content
 Citrix ADC SDX

26
© 2019 Citrix Authorized Content
Citrix ADC SDX
Citrix ADC SDX is a high-density consolidation
platform that combines Xen-based virtualization
and leverages Citrix ADC's MPX architecture to
run as many as 80 Citrix ADC instances
simultaneously.

27
© 2019 Citrix Authorized Content
Citrix ADC SDX
Citrix ADC SDX effectively delivers multiple virtual ADCs by enabling fully isolated and
independent Citrix ADC instances to run on a single appliance.
Many of the MPX models can be upgraded to SDX.

28
© 2019 Citrix Authorized Content
Multi-Tenancy Concepts
• Tenants are isolated groups of end users
with common access and privileges to
resources, for example:
Private Private Shared
• Often a company or division within Tenant 1 Tenant 2 Tenant 3

a company
• Private and Shared Tenants
Citrix ADC
• Single Citrix ADC serves multiple tenants
• Often the single Citrix ADC is an SDX appliance,
which individual VPX instances are allocated to
tenants.
Servers Servers Servers

29
© 2019 Citrix Authorized Content
 How can you upgrade an MPX to an SDX?

Lesson
Objective Review

30
© 2019 Citrix Authorized Content
 How can you upgrade an MPX to an SDX?
Answer: It can be as simple as a license upgrade.
Lesson Many of the MPXs are upgradable to an SDX with a simple
Objective Review license upgrade. Keep this in mind when you are deciding
between MPX editions. Check the Citrix ADC datasheet for
more information.

31
© 2019 Citrix Authorized Content
 Multi-Tenant SDX

32
© 2019 Citrix Authorized Content
Traditional Multi-Tenant ADC
• All tenants share a single entity.
• Rate limits, RBA, and ACLs partition the
device.
• Partitions are not fully isolated:

Partition 3

Partition 4
Partition 2
Partition 1
• No CPU or resource isolation
• No version independence
• No lifecycle independence
• No HA independence

ADC

33
© 2019 Citrix Authorized Content
Traditional Multi-Tenancy Using Virtual ADCs
• In the traditional approach, each tenant gets
a virtual ADC. Firewall Firewall Firewall

• This approach achieves partitioning between

tenants and good isolation.

Virtual ADC

Virtual ADC

Virtual ADC

Virtual ADC
• In the hypervisor-based solution, network
performance does not scale.

Hypervisor

Hardware

34
© 2019 Citrix Authorized Content
Bottleneck on the Packet Flow
Receiving Packets:
1
1. NIC receives a packet.
Hypervisor
2. vSwitch forwards the packet to the
destination ADC and the ADC processes the 4
packet.
3 2
Sending Packets:
3. ADC transmits a packet and vSwitch
receives the packet.
Virtual ADC
4. vSwitch transmits the packet on the NIC.

35
© 2019 Citrix Authorized Content
Two Options Compared

Lowest
Appliance
Common
Sprawl
Denominator

36
© 2019 Citrix Authorized Content
SDX Benefits
SDX supports multiple instances on a single
platform with:
• Complete isolation
• Complete independence
• Segmentation within instances

37
© 2019 Citrix Authorized Content
Citrix ADC SDX Platform
True isolation Some instances used for
between instances dedicated customers

PCI DSS compliant Other instances used for

multiple shared customers
38
© 2019 Citrix Authorized Content
SDX: Multi-Tenant Architecture

Service VM Management Plane for the Entire Device

Citrix ADC 1

Citrix ADC 3
Citrix ADC 2
Multiple Management Networks Instances are separate VMs

VSwitch Data Plane uses SR-IOV

Virtualization Layer

0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7 1/8 10/1 10/2 10/3 10/4

39
© 2019 Citrix Authorized Content
IO Virtualization
SR-IOV is a PCI standard that provides IO
virtualization using the following functions: VF0 VF1
• PCI SR-IOV, Intel VT-d
• Physical Function (PF) and Virtual Function (VF) RX TX RX TX
Queue Queue Queue Queue
• Assign VF to a VM
• IOMMU MAC & VLAN MAC & VLAN
Filters Filters
• Efficient sharing of resources
• NICs support SR-IOV

SWITCH

NIC

40
© 2019 Citrix Authorized Content
IO Virtualization - NIC
With IO virtualization, each VF gets its own hardware VF0 VF1
RX and TX queues and has direct access to the
hardware with no hypervisor involvement:
RX TX RX TX
• VF Queue Queue Queue Queue
• RX and TX queues
• MAC addresses MAC & VLAN MAC & VLAN
Filters Filters
• VLAN filters

• RX
• MAC filtering – phase 1
SWITCH
• VLAN filtering – phase 2
• Queue the packet if both are passed.
NIC
• TX
• NIC fetches the packet directly from TX queue
and transmits it.
41
© 2019 Citrix Authorized Content
Citrix ADC SDX Components
The fundamental components of the Citrix
ADC SDX: Firewall Firewall Firewall

• Citrix ADC Hardware

Citrix ADC VPX

Citrix ADC VPX

Citrix ADC VPX

Service VM
• Intel Processors
• SR-IOV capable NICs

• Citrix Hypervisor
• CPU Virtualization
• IO Virtualization HYPERVISOR

• Service VM
• Management Console ADC HARDWARE

• Citrix ADC VPX

• Tenant Instances
42
© 2019 Citrix Authorized Content
Resource Isolation

43
© 2019 Citrix Authorized Content
Detailed CPU Allocation

CPU 1
VPX 1
Core 1 Core 9 Core 11
Core 3 Core 5 Core 7

Core 2 Core 6 Core 6 Core 8 Core 10 Core 12

CPU 2
VPX 2
Core 13 Core 19 Core 23
Core 15 Core 17 Core 21

Core 14 Core 16 Core 18 Core 20 Core 22 Core 24

44
© 2019 Citrix Authorized Content
Resource Isolation
• One of the benefits of SDX is resource isolation.
• RAM is a hard allocation – no sharing.
• SSL card is a hard allocation – no sharing.
• Data plane CPU can be a hard allocation.

45
© 2019 Citrix Authorized Content
Lifecycle Management Isolation
• Each instance of the Lifecycle Management Isolation:
• Has its own Citrix ADC OS kernel.
• These kernels can be upgraded independently.
• For example: when the next version of the Citrix ADC operating system becomes available, some of the instances can be upgraded, while others can be left.

• Version management is done at the instance level, so the VM can be upgraded

independently.
• HA is done at the instance level, which provides added flexibility.

46
© 2019 Citrix Authorized Content
 • Each instance of network isolation is its own kernel,
and each:
Network • Gets its own connection tables.

Isolation • Gets its own routing tables.

• Gets its own IP stack.

• For the data plane, SR-IOV provides:

• Strong isolation of data traffic on data plane.
• Strong isolation of management traffic on management plane.

47
© 2019 Citrix Authorized Content
Data and Management Plane Isolation Summary
• Ability to have multiple management networks that include:
• Separate network for Service VM and NSIPs.
• Separate networks for different NSIPs.

• Very strong data plane isolation options that:

• Dedicate interfaces to instances.
• Share interfaces with VLAN filtering.

48
© 2019 Citrix Authorized Content
Upgradable MPX to SDX hardware
• The hardware is the same for many MPX and SDX platforms, so if you have an MPX you can
upgrade to SDX easily.

49
© 2019 Citrix Authorized Content
 Are you currently using an SDX? If not, do you think your
environment could benefit from an SDX deployment?

Group Discussion

50
© 2019 Citrix Authorized Content
 SDX Administration

65
© 2019 Citrix Authorized Content
 • The Service VM is a pre-provisioned, FreeBSD, 64-bit
Citrix ADC SDX virtual machine.

Service VM • It is used to manage the entire SDX appliance.

• It supports GUI management interfaces using both HTTP
and HTTPS.
• Java, C#, and Rest API are supported.

66
© 2019 Citrix Authorized Content
 • The Service VM sends API calls to the VMs for
Service VM management tasks.
Internals • There is no CLI for the Service VM.
• When utilizing the monitoring capabilities on the Service
VM, it is always aggregated across VMs except the memory
usage.

67
© 2019 Citrix Authorized Content
SDX Device-Level Resource Pools
The SDX allows for creation of device-level
resource pools to isolate management.
• Define SDX device resource pools:
• Set CPU, SSL, memory, and network.
• Create pool administrators.

• Once defined, pool administrators:

• Only have access to their pools.
• Can create and delete instances as they see fit.
• Can allocate pool resources as they see fit.
• Have visibility only into their pools.

68
© 2019 Citrix Authorized Content
 • Administrative Domains allow for creation of virtual
partitions to distribute the hardware resources among
multiple domains.
SDX Device-Level • Each Administrative Domain has its own resource pool,
which includes:
Resource Pools • CPU
• Memory
• SSL

• Administrators only see:

• Resources for their domain
• Instances within their domain
• Events pertaining to their domain

69
© 2019 Citrix Authorized Content
SDX Metering and Bursting
Metering and bursting allows for each
instance to have:
• Guaranteed throughput
• Max burstable throughput
• Relative priority

Exposed through API:

• Configuration
• Time slice for peak throughput
• Billing metrics

70
© 2019 Citrix Authorized Content
 Virtual Machine
Operations
Working with virtual
machines is simple and
intuitive.

71
© 2019 Citrix Authorized Content
SDX Appliance Monitoring

72
© 2019 Citrix Authorized Content
Citrix ADC SDX Dashboard

73
© 2019 Citrix Authorized Content
Provisioning Citrix ADC VPX Instance

Step 1: Determine instance name, IP

address, netmask, gateway, Citrix ADC
VPX version, licensing, admin profile, and
description.
Step 2: Determine resource allocation
settings (default to minimum
requirements).

Step 3: Determine user name and

password for administrator account.
Step 4: Select networking setti ngs for
instance, including interfaces.
Step 5: Determine all VLAN settings for
instance.
Step 6: Summary of all settings before
instance provisioning.

74
© 2019 Citrix Authorized Content
 • There are four different Citrix ADC platforms: MPX, SDX,
CPX, and VPX.
• Citrix ADC SDX combines the hardware performance of an
MPX and the flexibility of the VPX.
Key Takeaways • The SDX management interface is simple and intuitive,
making it easier for administrators to use.

75
© 2019 Citrix Authorized Content
 Work better. Live better.

77
© 2019 Citrix Authorized Content